Physical Sciences and Mathematics Commons^™

Performance Characterization Of Deep Learning Models For Breathing-Based Authentication On Resource-Constrained Devices, Jagmohan Chauhan, Jathusan Rajasegaran, Surang Seneviratne, Archan Misra, Aruan Seneviratne, Youngki Lee

Research Collection School Of Computing and Information Systems

Providing secure access to smart devices such as mobiles, wearables and various other IoT devices is becoming increasinglyimportant, especially as these devices store a range of sensitive personal information. Breathing acoustics-based authentication offers a highly usable and possibly a secondary authentication mechanism for such authorized access, especially as it canbe readily applied to small form-factor devices. Executing sophisticated machine learning pipelines for such authenticationon such devices remains an open problem, given their resource limitations in terms of storage, memory and computational power. To investigate this possibility, we compare the performance of an end-to-end system for both user identification anduser verification …

Malware For Macintosh, Nathan C. Shinabarger, Josiah E. Bills, Richard W. Lively, Noah S. Shinabarger

The Research and Scholarship Symposium (2013-2019)

Technology is a cornerstone of modern society. Unfortunately, it seems that every new piece of technology is accompanied by five computer-security breaches elsewhere. Most people associate hacks with Windows computers. This is a problem because Apple computers, and other non-Windows systems, are also extremely vulnerable to attacks and risk being compromised. Dolos is a piece of malware we developed intended to exploit the macOS Sierra operating system. It provides a framework for running exploits and comes built in with certain control and data exfiltration capabilities. Dolos also helps destroy the misconception of "the impenetrable Macintosh computer" by showing that Apple …

Security And Privacy In Ubiquitous Sensor Networks, Alfredo J. Perez, Sherali Zeadally, Nafaa Jabeur

Computer Science Faculty Publications

The availability of powerful and sensor-enabled mobile and Internet-connected devices have enabled the advent of the ubiquitous sensor network (USN) paradigm. USN provides various types of solutions to the general public in multiple sectors, including environmental monitoring, entertainment, transportation, security, and healthcare. Here, we explore and compare the features of wireless sensor networks and USN. Based on our extensive study, we classify the security- and privacy-related challenges of USNs. We identify and discuss solutions available to address these challenges. Finally, we briefly discuss open challenges for designing more secure and privacy-preserving approaches in next-generation USNs.

Exploring The Use Of Hierarchal Statistical Analysis And Deep Neural Networks To Detect And Mitigate Covert Timing Channels, Omar Darwish

Dissertations

Covert timing channels provide a mechanism to transmit unauthorized information across different processes. It utilizes the inter-arrival times between the transmitted packets to hide the communicated data. It can be exploited in a variety of malevolent scenarios such as leaking military secrets, trade secrets, and other forms of Intellectual Property (IP). They can be also used as a vehicle to attack existing computing systems to disseminate software viruses or worms while bypassing firewalls, intrusion detection and protection systems, and application filters. Therefore, the detection and mitigation of covert channels is a key issue in modern Information Technology (IT) infrastructure. Many …

Simulations And Queueing Theory: The Effects Of Priority And Vip Thresholds, Laura Schuck

Masters Theses & Doctoral Dissertations

Everyone has experienced waiting in lines, whether it is at the airport, the grocery store, or somewhere in-between. By developing queueing simulations based on mathematical models of airport security and customs, we explore a variety of questions related to optimal queue design with respect to efficiency, feasibility, priority, and other prescribed/variable constraints.

Simulations And Queueing Theory: The Effects Of Randomly Bypassing Security, Emily Ortmann

Masters Theses & Doctoral Dissertations

We discuss queueing theory in the setting of airport security and customs. By developing queueing simulations based on mathematical models, we explore a variety of questions related to optimal queue design with respect to efficiency, feasibility, priority, and other prescribed/variable constraints.

Securing Critical Infrastructure: A Ransomware Study, Blaine M. Jeffries

Theses and Dissertations

This thesis reviews traditional ransomware attack trends in order to present a taxonomy for ransomware targeting industrial control systems. After reviewing a critical infrastructure ransomware attack methodology, a corresponding response and recovery plan is described. The plan emphasizes security through redundancy, specifically the incorporation of standby programmable logic controllers. This thesis goes on to describe a set of experiments conducted to test the viability of defending against a specialized ransomware attack with a redundant controller network. Results support that specific redundancy schemes are effective in recovering from a successful attack. Further experimentation is conducted to test the feasibility of industrial …

Https://Onlinelibrary.Wiley.Com/Doi/10.1002/Spy2.15#:~:Text=A%20review%20and%20an%20empirical%20analysis%20of%20privacy%20policy%20and%20notices%20for%20consumer%20internet%20of%20things, Alfredo J. Perez, Sherali Zeadally, Jonathan Cochran

Computer Science Faculty Publications

The privacy policies and practices of six consumer Internet of things (IoT) devices were reviewed and compared. In addition, an empirical verification of the compliance of privacy policies for data collection practices on two voice-activated intelligent assistant devices, namely the Amazon Echo Dot and Google Home devices was performed. The review shows that IoT privacy policies may not be usable from the human-computer interaction perspective because IoT policies are included as part of the manufacturers' general privacy policy (which may include policies unrelated to the device), or the IoT policy requires to read (in addition to the IoT policies) the …

An Overview Of The Usage Of Default Passwords, Brandon Knierem, Xiaolu Zhang, Philip Levine, Frank Breitinger, Ibrahim Baggili

Electrical & Computer Engineering and Computer Science Faculty Publications

The recent Mirai botnet attack demonstrated the danger of using default passwords and showed it is still a major problem. In this study we investigated several common applications and their password policies. Specifically, we analyzed if these applications: (1) have default passwords or (2) allow the user to set a weak password (i.e., they do not properly enforce a password policy). Our study shows that default passwords are still a significant problem: 61% of applications inspected initially used a default or blank password. When changing the password, 58% allowed a blank password, 35% allowed a weak password of 1 character.

How Much Should We Spend To Protect Privacy?: Data Breaches And The Need For Information We Do Not Have, Richard Warner, Robert Sloan

All Faculty Scholarship

A cost/benefit approach to privacy confronts two tradeoff issues. One is making appropriate tradeoffs between privacy and many goals served by the collection, distribution, and use of information. The other is making tradeoffs between investments in preventing unauthorized access to information and the variety of other goals that also make money, time, and effort demands. Much has been written about the first tradeoff. We focus on the second. The issue is critical. Data breaches occur at the rate of over three a day, and the aggregate social cost is extremely high. The puzzle is that security experts have long explained …

Bringing Defensive Artificial Intelligence Capabilities To Mobile Devices, Kevin Chong, Ahmed Ibrahim

Australian Information Security Management Conference

Traditional firewalls are losing their effectiveness against new and evolving threats today. Artificial intelligence (AI) driven firewalls are gaining popularity due to their ability to defend against threats that are not fully known. However, a firewall can only protect devices in the same network it is deployed in, leaving mobile devices unprotected once they leave the network. To comprehensively protect a mobile device, capabilities of an AI-driven firewall can enhance the defensive capabilities of the device. This paper proposes porting AI technologies to mobile devices for defence against today’s ever-evolving threats. A defensive AI technique providing firewall-like capability is being …

Mitigating Man-In-The-Middle Attacks On Mobile Devices By Blocking Insecure Http Traffic Without Using Vpn, Kevin Chong, Muhammad Imran Malik, Peter Hannay

Australian Information Security Management Conference

Mobile devices are constantly connected to the Internet, making countless connections with remote services. Unfortunately, many of these connections are in cleartext, visible to third-parties while in transit. This is insecure and opens up the possibility for man-in-the-middle attacks. While there is little control over what kind of connection running apps can make, this paper presents a solution in blocking insecure HTTP packets from leaving the device. Specifically, the proposed solution works on the device, without the need to tunnel packets to a remote VPN server, and without special privileges such as root access. Speed tests were performed to quantify …

Construction Of A Custom Network Security Appliance, Jacob Rickerd

Senior Honors Theses and Projects

Over the last three semesters, I worked toward my final goal to develop a custom network security appliance. I first began by completing a comparison analysis of network intrusion detection systems which are devices that read traffic from the network and determine if network packets should go through or be dropped. Second, I conducted a feasibility study of a custom framework to profile attackers in a network; this yielded positive results. Finally, I worked on creating a custom network security appliance; it uses the profiles I created in my framework to more efficiently block malicious attackers in comparison to other …

Vulnerability Analysis: Protecting Information In The Iot, Brian Cusack, Feiqiu Zhuang

Australian Information Security Management Conference

The research was designed to study IoT security vulnerabilities and how to better protect IoT communications. By researching the system a Fitbit uses for communications, this research analyzes and reveals security defects in the IoT architecture. The research first uses a man-in the middle (MITM) attack to intercept and analyze the Fitbit system traffic to identify security weakness. Then uses a replay attack to further validate these flaws. Finally, countermeasures against these security threats are proposed. The research findings show the Fitbit’s IoT communication architecture has serious information security risks. Firstly, the Fitbit tested does not encrypt the raw data …

Examining The Influence Of Technology Acceptance, Self-Efficacy, And Locus Of Control On Information Security Behavior Of Social Media Users, Abdullah Almuqrin

Master's Theses and Doctoral Dissertations

Due to recent advances in online communication technology, social networks have become a vital avenue for human interaction. At the same time, they have been exploited as a target for viruses, attacks, and security threats. The first line of defense against such attacks and threats— as well as their primary cause—are social media users themselves. This study investigated the relationship between certain personality factors among social media users—i.e., technology acceptance of security protection technologies, self-efficacy of information security, and locus of control—and their information security behavior. Quantitative methods were used to examine this relationship. The population consisted of all students …

Smartphone User Privacy Preserving Through Crowdsourcing, Bahman Rashidi

Theses and Dissertations

In current Android architecture, users have to decide whether an app is safe to use or not. Expert users can make savvy decisions to avoid unnecessary private data breach. However, the majority of regular users are not technically capable or do not care to consider privacy implications to make safe decisions. To assist the technically incapable crowd, we propose a permission control framework based on crowdsourcing. At its core, our framework runs new apps under probation mode without granting their permission requests up-front. It provides recommendations on whether to accept or not the permission requests based on decisions from peer …

Strategies Used By Cloud Security Managers To Implement Secure Access Methods, Eric Harmon

Walden Dissertations and Doctoral Studies

Cloud computing can be used as a way to access services and resources for many organizations; however, hackers have created security concerns for users that incorporate cloud computing in their everyday functions. The purpose of this qualitative multiple case study was to explore strategies used by cloud security managers to implement secure access methods to protect data on the cloud infrastructure. The population for this study was cloud security managers employed by 2 medium size businesses in the Atlanta, Georgia metropolitan area and that have strategies to implement secure access methods to protect data on the cloud infrastructure. The technology …

Comparing Training Methodologies On Employee’S Cybersecurity Countermeasures Awareness And Skills In Traditional Vs. Socio-Technical Programs, Jodi Goode

CCE Theses and Dissertations

Organizations, which have established an effective technical layer of security, continue to experience difficulties triggered by cyber threats. Ultimately, the cybersecurity posture of an organization depends on appropriate actions taken by employees whose naive cybersecurity practices have been found to represent 72% to 95% of cybersecurity threats and vulnerabilities to organizations. However, employees cannot be held responsible for cybersecurity practices if they are not provided the education and training to acquire skills, which allow for identification of security threats along with the proper course of action to mitigate such threats. In addition, awareness of the importance of cybersecurity, the responsibility …

An Approach For Formal Analysis Of The Security Of A Water Treatment Testbed, Sai Sidharth Patlolla

Masters Theses

"This thesis focuses on securing critical infrastructures such as chemical plants, manufacturing units, and power generating plants against attacks that disrupt the information flow from one component to another. Such systems are controlled by an Industrial Control System (ICS) that includes controllers communicating with each other, and with physical sensors and actuators, using a communications network.

Traditional security models partition the security universe into two worlds, secure and insecure, but in the real world the partitions often overlap and information is leaked even through the physical observation which makes it much harder to analyze a Cyber physical system (CPS). To …

Genetic Programming-Based Pseudorandom Number Generator For Wireless Identification And Sensing Platform, Cem Kösemen, Gökhan Dalkiliç, Ömer Aydin

Turkish Journal of Electrical Engineering and Computer Sciences

The need for security in lightweight devices such as radio frequency identification tags is increasing and a pseudorandom number generator (PRNG) constitutes an essential part of the authentication protocols that provide security. The main aim of this research is to produce a lightweight PRNG for cryptographic applications in wireless identification and sensing platform family devices, and other related lightweight devices. This PRNG is produced with genetic programming methods using entropy calculation as the fitness function, and it is tested with the NIST statistical test suite. Moreover, it satisfies the requirements of the EPCGen2 standards.

Multiple Security Domain Non Deducibility In The Freedm Smart Grid Infrastructure, Manish Jaisinghani

Masters Theses

"The building block of today's world are not materials, but, computers and algorithms with communication networks between physical entities. A cyber physical system (CPS) is a system in which the cyber and physical entities of the system work together towards a common goal, for example a water treatment facility or an electricity distribution system. These cyber physical infrastructures affect day to day lives of people and hence become target point for the attackers to disrupt normal daily life. Owing to the complexity of a cyber physical system, the attacks have themselves become sophisticated and harder to detect. These sophisticated attacks …

An Investigation Into Trust And Security In The Mandatory And Imposed Use Of Financial Icts Upon Older People, David Michael Cook

Theses: Doctorates and Masters

Care needs to be taken to reduce the number of people who are fearful and mistrustful of using ICT where that usage is forced upon them without choice or alternative. The growing incidence of mandatory and imposed online systems can result in confusion, misuse, fear, and rejection by people with only rudimentary ICT skills. A cohort where a high percentage of such people occur is older people, defined in this study as people over the age of 60 Examples of compulsory ICT interactions include some banks limiting bank statement access through online rather than paper-based options. Other examples include the …

Security Assessment Of Web Applications, Renelada Kushe

UBT International Conference

A web application is an application that is accessed by users over a network such as the internet or intranet. The term also refers an application that is coded in a browser-supported programming language and reliant on a common web browser to render the application executable. Web applications are vulnerable to varies exploits from those which manipulate the application via its graphical web interface (HTTP exploits), to tampering the Uniform Resource Identifier (URI) or tampering HTTPS elements not contained in the URI. Getting started from the accessibility and the variety of exploits, the security assessment is a necessity for providing …

Simple Implementation Of An Elgamal Digital Signature And A Brute Force Attack On It, Valeriia Laryoshyna

Student Works

This study is an attempt to show a basic mathematical usage of the concepts behind digital signatures and to provide a simple approach and understanding to cracking basic digital signatures. The approach takes on simple C programming of the ElGamal digital signature to identify some limits that can be encountered and provide considerations for making more complex code. Additionally, there is a literature review of the ElGamal digital signature and the brute force attack.

The research component of this project provides a list of possible ways to crack the basic implementations and classifies the different approaches that could be taken …

Analysis Of Security In Big Data Related To Healthcare, Isabel De La Torre, Begoña García-Zapirain, Miguel López-Coronado

Journal of Digital Forensics, Security and Law

Big data facilitates the processing and management of huge amounts of data. In health, the main information source is the electronic health record with others being the Internet and social media. Health-related data refers to storage in big data based on and shared via electronic means. Why are criminal organisations interested in this data? These organisations can blackmail people with information related to their health condition or sell the information to marketing companies, etc. This article analyses healthcare-related big data security and proposes different solutions. There are different techniques available to help preserve privacy such as data modification techniques, cryptographic …

Secure And Efficient Delegation Of A Single And Multiple Exponentiations To A Single Malicious Server, Matluba Khodjaeva

Dissertations, Theses, and Capstone Projects

Group exponentiation is an important operation used in many cryptographic protocols, specifically public-key cryptosystems such as RSA, Diffie Hellman, ElGamal, etc. To expand the applicability of group exponentiation to computationally weaker devices, procedures were established by which to delegate this operation from a computationally weaker client to a computationally stronger server. However, solving this problem with a single, possibly malicious, server, has remained open since a formal cryptographic model was introduced by Hohenberger and Lysyanskaya in 2005. Several later attempts either failed to achieve privacy or only achieved constant security probability.

In this dissertation, we study and solve this problem …

Breaking Into The Vault: Privacy, Security And Forensic Analysis Of Android Vault Applications, Xiaolu Zhang, Ibrahim Baggili, Frank Breitinger

Electrical & Computer Engineering and Computer Science Faculty Publications

In this work we share the first account for the forensic analysis, security and privacy of Android vault applications. Vaults are designed to be privacy enhancing as they allow users to hide personal data but may also be misused to hide incriminating files. Our work has already helped law enforcement in the state of Connecticut to reconstruct 66 incriminating images and 18 videos in a single criminal case. We present case studies and results from analyzing 18 Android vault applications (accounting for nearly 220 million downloads from the Google Play store) by reverse engineering them and examining the forensic artifacts …

Development And Implementation Of An Optimization Model To Improve Airport Security., Kassandra Guajardo, Angela Waterworth, Robert Brigantic Ph.D.

STAR Program Research Presentations

What if airport security teams across the world could quantify and then minimize the amount of risk throughout areas of an airport? The Operations Research Team at the Pacific Northwest National Laboratory is developing and implementing an optimization model called ARAM (Airport Risk Analysis Model) for the Seattle-Tacoma International Airport. ARAM will provide a recommended optimal deployment of security assets to reduce risk in areas of an airport. The model is based on a risk equation that considers consequences, vulnerabilities, and threat magnitudes at airports. ARAM will also provide the estimated risk buy down percentage, which is how much risk …

On The Security Of Information Dissemination In The Internet-Of-Vehicles, Danda B. Rawat, Moses Garuba, Lei Chen, Qing Yang

Department of Information Technology Faculty Publications

Internet of Vehicles (IoV) is regarded as an emerging paradigm for connected vehicles to exchange their information with other vehicles using vehicle-to-vehicle (V2V) communications by forming a vehicular ad hoc networks (VANETs), with roadside units using vehicle-to-roadside (V2R) communications. IoV offers several benefits such as road safety, traffic efficiency, and infotainment by forwarding up-to-date traffic information about upcoming traffic. For instance, IoV is regarded as a technology that could help reduce the number of deaths caused by road accidents, and reduce fuel costs and travel time on the road. Vehicles could rapidly learn about the road condition and promptly respond …

Enforcing Database Security On Cloud Using A Trusted Third Party Based Model, Victor Fuentes Tello

Graduate Theses and Dissertations

Cloud computing offers a considerable number of advantages to clients and organizations that use several capabilities to store sensitive data, interact with applications, or use technology infrastructure to perform daily activities. The development of new models in cloud computing brings with it a series of elements that must be considered by companies, particularly when the sensitive data needs to be protected. There are some concerns related to security that need to be taken into consideration when a service provider manage and store the data in a location outside the company. In this research, a model that uses a trusted third …