39 research outputs found
Data ethics : building trust : how digital technologies can serve humanity
Data is the magic word of the 21st century. As oil in the 20th century and electricity in the 19th century:
For citizens, data means support in daily life in almost all activities, from watch to laptop, from kitchen to car,
from mobile phone to politics. For business and politics, data means power, dominance, winning the race. Data can be used for good and bad,
for services and hacking, for medicine and arms race. How can we build trust in this complex and ambiguous data world?
How can digital technologies serve humanity? The 45 articles in this book represent a broad range of ethical reflections and recommendations
in eight sections: a) Values, Trust and Law, b) AI, Robots and Humans, c) Health and Neuroscience, d) Religions for Digital Justice, e) Farming, Business, Finance, f) Security, War, Peace, g) Data Governance, Geopolitics, h) Media, Education, Communication.
The authors and institutions come from all continents.
The book serves as reading material for teachers, students, policy makers, politicians, business, hospitals, NGOs and religious organisations alike. It is an invitation for dialogue, debate and building trust!
The book is a continuation of the volume “Cyber Ethics 4.0” published in 2018 by the same editors
Software Usability
This volume delivers a collection of high-quality contributions to help broaden developers’ and non-developers’ minds alike when it comes to considering software usability. It presents novel research and experiences and disseminates new ideas accessible to people who might not be software makers but who are undoubtedly software users
Development of a Social Engineering eXposure Index (SEXI) using Open-Source Personal Information
Millions of people willingly expose their lives via Internet technologies every day, and even the very few ones who refrain from the use of the Internet find themselves exposed through data breaches. Billions of private information records are exposed through the Internet. Marketers gather personal preferences to influence shopping behavior. Providers gather personal information to deliver enhanced services, and underground hacker networks contain repositories of immense data sets. Few users of Internet technologies have considered where their information is going or who has access to it. Even fewer are aware of how decisions made in their own lives expose significant pieces of information, which can be used by cyber hackers to harm the very organizations with whom they are affiliated. While this threat can affect any person holding any position at an organization, upper management poses a significantly higher risk due to their level of access to critical data and finances targeted by cybercrime.
The goal of this research was to develop and validate a Social Engineering eXposure Index (SEXI)™ using Open-Source Personal Information (OSPI) to assist in identifying and classifying social engineering vulnerabilities. This study combined an expert panel using the Delphi method, developmental research, and quantitative data collection. The expert panel categorized and assessed information privacy components into three identifiability groups, subsequently used to develop an algorithm that formed the basis for a SEXI. Validation of the algorithm used open-source personal information found on the Internet for 50 executives of Fortune 500 organizations and 50 Hollywood celebrities. The exposure of each executive and persona was quantified and the collected data were evaluated, analyzed, and presented in an anonymous aggregated form.
Phase 1 of this study developed and evaluated the SEXI benchmarking instrument via an expert panel using the Delphi expert methodology. During the first round, 3,531 data points were collected with 1,530 having to do with the demographics, qualifications, experience, and working environments of the panel members as well as 2,001 attributing levels of exposure to personal information. The second Delphi round presented the panel members with the feedback of the first-round tasking them with categorizing personal information, resulting in 1,816 data points. Phase 2 of this study used the composition, weights, and categories of personal information from Phase 1 in the development of a preliminary SEXI benchmarking instrument comprised of 105 personal information items. Simulated data was used to validate the instrument prior to the data collection. Before initiating Phase 3, the preliminary SEXI benchmarking instrument was fully tested to verify the accuracy of recorded data. Phase 3 began with discovering, evaluating, and validating repositories of publicly available data sources of personal information. Approximately two dozen sources were used to collect 11,800 data points with the SEXI benchmarking index. Upon completion of Phase 3, data analysis of the Fortune 500 executives and Hollywood personas used to validate the SEXI benchmarking index.
Data analysis was conducted in Phase 3 by one-way Analysis of Variance (ANOVA). The results of the ANOVA data analysis from Phase 3 revealed that age, gender, marital status, and military/police experience were not significant in showing SEXI differences. Additionally, income, estimated worth, industry, organization position, philanthropic contributions are significant, showing differences in SEXI. The most significant differences in SEXI in this research study were found with writers and chief information officers. A t-test was performed to compare the Fortune 500 executives and the Hollywood personas. The results of the t-test data analysis showed a significant difference between the two groups in that Hollywood Personas had a higher SEXI than the Fortune 500 Executives suggesting increased exposure due to OSPI.
The results of this research study established, categorized, and validated a quantifiable measurement of personal information. Moreover, the results of this research study validated that the SEXI benchmarking index could be used to assess an individual’s exposure to social engineering due to publicly available personal information. As organizations and public figures rely on Internet technologies understanding the level of personal information exposure is critical is protecting against social engineering attacks. Furthermore, assessing personal information exposure could provide an organization insight into exposed personal information facilitating further mitigation of threats or potential social engineering attack vectors. Discussions and implications for future research are provided
Lessons Learnt on Reproducibility in Machine Learning Based Android Malware Detection
A well-known curse of computer security research is that it often produces systems that, while technically sound, fail operationally. To overcome this curse, the community generally seeks to assess proposed systems under a variety of settings in order to make explicit every potential bias. In this respect, recently, research achievements on machine learning based malware detection are being considered for thorough evaluation by the community. Such an effort of comprehensive evaluation supposes first and foremost the possibility to perform an independent reproduction study in order to sharpen evaluations presented by approaches’ authors. The question Can published approaches actually be reproduced? thus becomes paramount despite the little interest such mundane and practical aspects seem to attract in the malware detection field. In this paper, we attempt a complete reproduction of five Android Malware Detectors from the literature and discuss to what extent they are “reproducible”. Notably, we provide insights on the implications around the guesswork that may be required to finalise a working implementation. Finally, we discuss how barriers to reproduction could be lifted, and how the malware detection field would benefit from stronger reproducibility standards—like many various fields already have
Undergraduate Student Catalog 2020-2021
The central pillars of Qatar University’s mission are highlighted through this document, namely the provision of high-quality education and the pursuit of an active role in the development of Qatari society. The courses described here have been designed, reviewed and assessed to meet the highest educational standards, with a strong focus on the knowledge and skill-based learning that is needed for a graduate to be competitive in today’s labor market and in graduate education pursuits. The many of the academic programs have attained independent external accreditation from internationally recognized associations, to cater to the needs of the country’s ambitious development course
ICTERI 2020: ІКТ в освіті, дослідженнях та промислових застосуваннях. Інтеграція, гармонізація та передача знань 2020: Матеріали 16-ї Міжнародної конференції. Том II: Семінари. Харків, Україна, 06-10 жовтня 2020 р.
This volume represents the proceedings of the Workshops co-located with the 16th International Conference on ICT in Education, Research, and Industrial Applications, held in Kharkiv, Ukraine, in October 2020. It comprises 101 contributed papers that were carefully peer-reviewed and selected from 233 submissions for the five workshops: RMSEBT, TheRMIT, ITER, 3L-Person, CoSinE, MROL. The volume is structured in six parts, each presenting the contributions for a particular workshop. The topical scope of the volume is aligned with the thematic tracks of ICTERI 2020: (I) Advances in ICT Research; (II) Information Systems: Technology and Applications; (III) Academia/Industry ICT Cooperation; and (IV) ICT in Education.Цей збірник представляє матеріали семінарів, які були проведені в рамках 16-ї Міжнародної конференції з ІКТ в освіті, наукових дослідженнях та промислових застосуваннях, що відбулася в Харкові, Україна, у жовтні 2020 року. Він містить 101 доповідь, які були ретельно рецензовані та відібрані з 233 заявок на участь у п'яти воркшопах: RMSEBT, TheRMIT, ITER, 3L-Person, CoSinE, MROL. Збірник складається з шести частин, кожна з яких представляє матеріали для певного семінару. Тематична спрямованість збірника узгоджена з тематичними напрямками ICTERI 2020: (I) Досягнення в галузі досліджень ІКТ; (II) Інформаційні системи: Технології і застосування; (ІІІ) Співпраця в галузі ІКТ між академічними і промисловими колами; і (IV) ІКТ в освіті
Modélisation formelle des systèmes de détection d'intrusions
L’écosystème de la cybersécurité évolue en permanence en termes du nombre, de la diversité, et de la complexité des attaques. De ce fait, les outils de détection deviennent inefficaces face à certaines attaques. On distingue généralement trois types de systèmes de détection d’intrusions : détection par anomalies, détection par signatures et détection hybride. La détection par anomalies est fondée sur la caractérisation du comportement habituel du système, typiquement de manière statistique. Elle permet de détecter des attaques connues ou inconnues, mais génère aussi un très grand nombre de faux positifs. La détection par signatures permet de détecter des attaques connues en définissant des règles qui décrivent le comportement connu d’un attaquant. Cela demande une bonne connaissance du comportement de l’attaquant. La détection hybride repose sur plusieurs méthodes de détection incluant celles sus-citées. Elle présente l’avantage d’être plus précise pendant la détection. Des outils tels que Snort et Zeek offrent des langages de bas niveau pour l’expression de règles de reconnaissance d’attaques. Le nombre d’attaques potentielles étant très grand, ces bases de règles deviennent rapidement difficiles à gérer et à maintenir. De plus, l’expression de règles avec état dit stateful est particulièrement ardue pour reconnaître une séquence d’événements. Dans cette thèse, nous proposons une approche stateful basée sur les diagrammes d’état-transition algébriques (ASTDs) afin d’identifier des attaques complexes. Les ASTDs permettent de représenter de façon graphique et modulaire une spécification, ce qui facilite la maintenance et la compréhension des règles. Nous étendons la notation ASTD avec de nouvelles fonctionnalités pour représenter des attaques complexes. Ensuite, nous spécifions plusieurs attaques avec la notation étendue et exécutons les spécifications obtenues sur des flots d’événements à l’aide d’un interpréteur pour identifier des attaques. Nous évaluons aussi les performances de l’interpréteur avec des outils industriels tels que Snort et Zeek. Puis, nous réalisons un compilateur afin de générer du code exécutable à partir d’une spécification ASTD, capable d’identifier de façon efficiente les séquences d’événements.Abstract : The cybersecurity ecosystem continuously evolves with the number, the diversity,
and the complexity of cyber attacks. Generally, we have three types of Intrusion
Detection System (IDS) : anomaly-based detection, signature-based detection, and
hybrid detection. Anomaly detection is based on the usual behavior description of
the system, typically in a static manner. It enables detecting known or unknown attacks
but also generating a large number of false positives. Signature based detection
enables detecting known attacks by defining rules that describe known attacker’s behavior.
It needs a good knowledge of attacker behavior. Hybrid detection relies on
several detection methods including the previous ones. It has the advantage of being
more precise during detection. Tools like Snort and Zeek offer low level languages to
represent rules for detecting attacks. The number of potential attacks being large,
these rule bases become quickly hard to manage and maintain. Moreover, the representation
of stateful rules to recognize a sequence of events is particularly arduous. In this thesis, we propose a stateful approach based on algebraic state-transition
diagrams (ASTDs) to identify complex attacks. ASTDs allow a graphical and modular
representation of a specification, that facilitates maintenance and understanding of
rules. We extend the ASTD notation with new features to represent complex attacks.
Next, we specify several attacks with the extended notation and run the resulting specifications
on event streams using an interpreter to identify attacks. We also evaluate
the performance of the interpreter with industrial tools such as Snort and Zeek. Then,
we build a compiler in order to generate executable code from an ASTD specification,
able to efficiently identify sequences of events
Don’t click : towards an effective anti-phishing training. A comparative literature review
Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be designed sustainably and effectively to minimize the vulnerability of employees to phishing attacks. In this paper, we survey and categorize works that consider different elements of such programs via a clearly laid-out methodology, and identify key findings in the technical literature. Overall, we find that researchers agree on the answers to many relevant questions regarding the utility and effectiveness of anti-phishing training. However, we identified influencing factors, such as the impact of age on the success of anti-phishing training programs, for which mixed findings are available. Finally, based on our comprehensive analysis, we describe how a well-founded anti-phishing training program should be designed and parameterized with a set of proposed research directions