7 research outputs found

    Towards a development of a users’ ratified acceptance of multi-biometrics intentions model (RAMIM): Initial empirical results

    User authentication is a continuous balance between the level of invasiveness and system security. Password protection has been the most widely used user authentication approach; however, it is easily compromised. Biometric authentication devices have been implemented as a less easily compromised approach. This paper reports on initial results of user perceptions about their acceptance of a multi-biometrics authentication approach in the context of e-learning systems. Specifically, this paper reports on the initial empirical results on the development of a learners' Ratified Acceptance of Multibiometrics Intentions Model (RAMIM). The proposed model looks at the contributions of learners' code of conduct awareness, perceived ease-of-use, perceived usefulness, and ethical decision making to their intention to use multi-biometrics for authentication during e-learning exams. The study participants included 97 managers from service-oriented organizations and government agencies who attended e-learning courses. Results demonstrated high reliability for all constructs measured and indicated that perceived ease-of-use and perceived usefulness are significant contributors to learners' intention to use multi-biometrics. Conversely, code of conduct awareness appears to have little or no contribution to learners' intention to use multi-biometrics, while learners' ethical decision making appears to have a marginal contribution.

    Formal security analysis of registration protocols for interactive systems: a methodology and a case of study

    In this work we present and formally analyze CHAT-SRP (CHAos based Tickets-Secure Registration Protocol), a protocol that provides interactive and collaborative platforms with a cryptographically robust solution to classical security issues. Namely, we focus on the secrecy and authenticity properties while keeping a high level of usability. In this sense, users are forced to blindly trust the system administrators and developers. Moreover, as far as we know, the use of formal methodologies for the verification of security properties of communication protocols is not yet a common practice. We propose here a methodology to fill this gap, i.e., to analyse both the security of the proposed protocol and the pertinence of the underlying premises. To this end, we propose the definition and formal evaluation of a protocol for the distribution of digital identities. Once distributed, these identities can be used to verify the integrity and source of information. We base our security analysis on tools for the automatic verification of security protocols that are widely accepted by the scientific community, and on the principles they are based upon. In addition, perfect cryptographic primitives are assumed in order to focus the analysis on the exchange of protocol messages. The main property of our protocol is the incorporation of tickets, created using digests of chaos-based nonces (numbers used only once) and users' personal data. Combined with a multichannel authentication scheme with some previous knowledge, these tickets provide security during the whole protocol by univocally linking each registering user with a single request. [...]
    Comment: 32 pages, 7 figures, 8 listings, 1 table

    Initial development of a learners’ ratified acceptance of multibiometrics intentions model (RAMIM)

    Authenticating users is a continuous tradeoff between the level of invasiveness and the degree of system security. Password protection has been the most widely used authentication approach; however, it is easily compromised. Biometric authentication devices have been implemented as a more robust approach. This paper reports on initial results of student perceptions about their acceptance of a multibiometrics authentication approach in the context of e-learning systems. Specifically, this paper reports on the initial empirical development of a learners' Ratified Acceptance of Multibiometrics Intentions Model (RAMIM). The proposed model investigates the impact of students' code of conduct awareness, perceived ease-of-use, perceived usefulness, and ethical decision making on learners' intention to use multibiometrics for authentication during e-learning exams. The study's participants included 97 non-information technology (IT) students who attended e-learning courses. Results of a path analysis using Partial Least Squares (PLS) indicate that perceived usefulness has the most significant impact on learners' intention to use multibiometrics during e-learning exams. Students' ethical decision making and perceived usefulness demonstrated a significant impact on their intention to use multibiometrics. Additionally, students' code of conduct awareness appears to have a positive impact on their ethical decision making. Conclusions are discussed, including recommendations for future research on extending this initial research into applied experiments to address e-learning security issues.

    Authentication in mobile cloud computing by combining the two factor Authentication and one time password token

    The Cloud has become a popular business transaction platform nowadays. Unfortunately, this powerful and pervasive network is somewhat overshadowed by the growing security threat emerging from various attacks. Authentication is one of the major security issues in mobile cloud computing. Combining Two-factor Authentication (2FA) technology with One-time Passwords (OTP) has emerged as a popular protection system. The 2FA system employs two user-specific factors for authentication and can significantly enhance network security. We used a dynamic one-time password as the second factor. These OTP codes provide strong security and resist MITM-seed tracing and shoulder surfing attacks.

    Tutorial and Critical Analysis of Phishing Websites Methods

    The Internet has become an essential component of our everyday social and financial activities. The Internet is important not only for individual users but also for organizations, because organizations that offer online trading can achieve a competitive edge by serving worldwide clients. The Internet facilitates reaching customers all over the globe without any marketplace restrictions and with effective use of e-commerce. As a result, the number of customers who rely on the Internet to perform purchases is increasing dramatically. Hundreds of millions of dollars are transferred through the Internet every day. This amount of money has tempted fraudsters to carry out their fraudulent operations. Hence, Internet users may be vulnerable to different types of web threats, which may cause financial damage, identity theft, loss of private information, brand reputation damage and loss of customers' confidence in e-commerce and online banking. Therefore, the suitability of the Internet for commercial transactions becomes doubtful. Phishing is considered a form of web threat, defined as the art of impersonating the website of an honest enterprise with the aim of obtaining a user's confidential credentials such as usernames, passwords and social security numbers. In this article, the phishing phenomenon is discussed in detail. In addition, we present a survey of the state-of-the-art research on this attack. Moreover, we aim to recognize the up-to-date developments in phishing and its precautionary measures and provide a comprehensive study and evaluation of this research to identify the gap that still predominates in this area. This research mostly focuses on web-based phishing detection methods rather than email-based detection methods.

    Social engineering and the dangers of phishing (A engenharia social e os perigos do phishing)

    Social Engineering and the phishing technique are subjects that have evolved more and more over the years, mainly through email, one of the most widely used tools in the world. Phishing emails are usually related to Social Engineering and can propagate through links and/or attachments contained in this type of email. When downloading an attachment, the user may automatically be downloading malicious software and giving the attacker (hacker) complete control of the computer without realizing it. Through links, the user may disclose credentials or other personal/confidential information, since they may not notice that they are being redirected to a malicious sender. Several studies already carried out indicate that there are more and more attacks of this kind, with increasing impact on the population. For its part, the population is not aware of the dangers it may encounter when clicking on this type of email or other forms of phishing propagation. This dissertation addresses the topic of phishing through email and aims to define prevention methods for this type of computer crime. In a first phase, interviews were conducted with professionals in the area of Computer Security in order to understand more about this topic. Subsequently, an online questionnaire was carried out to ascertain the respondents' knowledge of this topic and to identify the measures they use before and after a computer attack. Finally, conclusions are drawn in order to achieve the objectives of this investigation.

    An Ensemble Self-Structuring Neural Network Approach to Solving Classification Problems with Virtual Concept Drift and its Application to Phishing Websites

    Classification in data mining is one of the well-known tasks that aim to construct a classification model from a labelled input data set. Most classification models are devoted to a static environment where the complete training data set is presented to the classification algorithm. This data set is assumed to cover all the information needed to learn the pertinent concepts (rules and patterns) related to how to classify unseen examples into predefined classes. However, in dynamic (non-stationary) domains, the set of features (input data attributes) may change over time. For instance, some features that are considered significant at time T_i might become useless or irrelevant at time T_{i+j}. This situation results in a phenomenon called Virtual Concept Drift. Yet the set of features that are dropped at time T_{i+j} might become significant again in the future. Such a situation results in the so-called Cyclical Concept Drift, which is a direct result of the so-called catastrophic forgetting dilemma. Catastrophic forgetting happens when the learning of new knowledge completely removes previously learned knowledge. Phishing is a dynamic classification problem in which virtual concept drift might occur. Yet the virtual concept drift that occurs in phishing might be guided by some malevolent intelligent agent rather than occurring naturally. One reason why phishers keep changing the combination of features when creating phishing websites might be that they have the ability to interpret the anti-phishing tool and thus pick a new set of features that can circumvent it. However, besides its generalisation capability, fault tolerance, and strong ability to learn, a Neural Network (NN) classification model is considered a black box. Hence, if someone has the skills to hack into the NN-based classification model, he might face difficulties in interpreting and understanding how the NN processes the input data in order to produce the final decision (assign a class value). In this thesis, we investigate the problem of virtual concept drift by proposing a framework that can keep pace with the continuous changes in the input features. The proposed framework has been applied to the phishing websites classification problem and shows competitive results with respect to various evaluation measures (Harmonic Mean (F1-score), precision, accuracy, etc.) when compared to several other data mining techniques. The framework creates an ensemble of classifiers (a group of classifiers) and offers a balance between stability (maintaining previously learned knowledge) and plasticity (learning knowledge from the newly offered training data set). Hence, the framework can also handle cyclical concept drift. The classifiers that constitute the ensemble are created using an improved Self-Structuring Neural Networks algorithm (SSNN). Traditionally, NN modelling techniques rely on trial and error, which is a tedious and time-consuming process. The SSNN simplifies structuring NN classifiers with minimum intervention from the user. The framework evaluates the ensemble whenever a new data set chunk is collected. If the overall accuracy of the combined results from the ensemble drops significantly, a new classifier is created using the SSNN and added to the ensemble. Overall, the experimental results show that the proposed framework affords a balance between stability and plasticity and can effectively handle virtual concept drift when applied to the phishing websites classification problem. Most of the chapters of this thesis have been subject to publication.