"It may take ages":understanding human-centred lateral phishing attack detection in organisations

Smartphones are a central part of modern life and contain vast amounts of personal and professional data as well as access to sensitive features such as banking and financial apps. As such protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone – though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups where a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we ask participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be ‘hacked into’. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilize personal knowledge to guess unlock codes

Exploiting behavioral biometrics for user security enhancements

As online business has been very popular in the past decade, the tasks of providing user authentication and verification have become more important than before to protect user sensitive information from malicious hands. The most common approach to user authentication and verification is the use of password. However, the dilemma users facing in traditional passwords becomes more and more evident: users tend to choose easy-to-remember passwords, which are often weak passwords that are easy to crack. Meanwhile, behavioral biometrics have promising potentials in meeting both security and usability demands, since they authenticate users by who you are , instead of what you have . In this dissertation, we first develop two such user verification applications based on behavioral biometrics: the first one is via mouse movements, and the second via tapping behaviors on smartphones; then we focus on modeling user web browsing behaviors by Fitts\u27 Law.;Specifically, we develop a user verification system by exploiting the uniqueness of people\u27s mouse movements. The key feature of our system lies in using much more fine-grained (point-by-point) angle-based metrics of mouse movements for user verification. These new metrics are relatively unique from person to person and independent of the computing platform. We conduct a series of experiments to show that the proposed system can verify a user in an accurate and timely manner, and induced system overhead is minor. Similar to mouse movements, the tapping behaviors of smartphone users on touchscreen also vary from person to person. We propose a non-intrusive user verification mechanism to substantiate whether an authenticating user is the true owner of the smartphone or an impostor who happens to know the passcode. The effectiveness of the proposed approach is validated through real experiments. to further understand user pointing behaviors, we attempt to stress-test Fitts\u27 law in the wild , namely, under natural web browsing environments, instead of restricted laboratory settings in previous studies. Our analysis shows that, while the averaged pointing times follow Fitts\u27 law very well, there is considerable deviations from Fitts\u27 law. We observe that, in natural browsing, a fast movement has a different error model from the other two movements. Therefore, a complete profiling on user pointing performance should be done in more details, for example, constructing different error models for slow and fast movements. as future works, we plan to exploit multiple-finger tappings for smartphone user verification, and evaluate user privacy issues in Amazon wish list

Guest Editorial Special Issue on: Big Data Analytics in Intelligent Systems

The amount of information that is being created, every day, is quickly growing. As such, it is now more common than ever to deal with extremely large datasets. As systems develop and become more intelligent and adaptive, analysing their behaviour is a challenge. The heterogeneity, volume and speed of data generation are increasing rapidly. This is further exacerbated by the use of wireless networks, sensors, smartphones and the Internet. Such systems are capable of generating a phenomenal amount of information and the need to analyse their behaviour, to detect security anomalies or predict future demands for example, is becoming harder. Furthermore, securing such systems is a challenge. As threats evolve, so should security measures develop and adopt increasingly intelligent security techniques. Adaptive systems must be employed and existing methods built upon to provide well-structured defence in depth. Despite the clear need to develop effective protection methods, the task is a difficult one, as there are significant weaknesses in the existing security currently in place. Consequently, this special issue of the Journal of Computer Sciences and Applications discusses big data analytics in intelligent systems. The specific topics of discussion include the Internet of Things, Web Services, Cloud Computing, Security and Interconnected Systems

Enhancing Energy Efficiency and Privacy Protection of Smart Devices

Smart devices are experiencing rapid development and great popularity. Various smart products available nowadays have largely enriched people’s lives. While users are enjoying their smart devices, there are two major user concerns: energy efficiency and privacy protection. In this dissertation, we propose solutions to enhance energy efficiency and privacy protection on smart devices. First, we study different ways to handle WiFi broadcast frames during smartphone suspend mode. We reveal the dilemma of existing methods: either receive all of them suffering high power consumption, or receive none of them sacrificing functionalities. to address the dilemma, we propose Software Broadcast Filter (SBF). SBF is smarter than the “receive-none” method as it only blocks useless broadcast frames and does not impair application functionalities. SBF is also more energy efficient than the “receive-all” method. Our trace driven evaluation shows that SBF saves up to 49.9% energy consumption compared to the “receive-all” method. Second, we design a system, namely HIDE, to further reduce smartphone energy wasted on useless WiFi broadcast frames. With the HIDE system, smartphones in suspend mode do not receive useless broadcast frames or wake up to process use- less broadcast frames. Our trace-driven simulation shows that the HIDE system saves 34%-75% energy for the Nexus One phone when 10% of the broadcast frames are useful to the smartphone. Our overhead analysis demonstrates that the HIDE system has negligible impact on network capacity and packet round-trip time. Third, to better protect user privacy, we propose a continuous and non-invasive authentication system for wearable glasses, namely GlassGuard. GlassGuard discriminates the owner and an imposter with biometric features from touch gestures and voice commands, which are all available during normal user interactions. With data collected from 32 users on Google Glass, we show that GlassGuard achieves a 99% detection rate and a 0.5% false alarm rate after 3.5 user events on average when all types of user events are available with equal probability. Under five typical usage scenarios, the system has a detection rate above 93% and a false alarm rate below 3% after less than 5 user events

Dual channel-based network traffic authentication

In a local network or the Internet in general, data that is transmitted between two computers (also known as network traffic or simply, traffic) in that network is usually classified as being of a malicious or of a benign nature by a traffic authentication system employing databases of previously observed malicious or benign traffic signatures, i.e., blacklists or whitelists, respectively. These lists typically consist of either the destinations (i.e., IP addresses or domain names) to which traffic is being sent or the statistical properties of the traffic, e.g., packet size, rate of connection establishment, etc. The drawback with the list-based approach is its inability to offer a fully comprehensive solution since the population of the list is likely to go on indefinitely. This implies that at any given time, there is a likelihood of some traffic signatures not being present in the list, leading to false classification of traffic. From a security standpoint, whitelists are a safer bet than blacklists since their underlying philosophy is to block anything that is unknown hence in the worst case, are likely to result in high false rejects with no false accepts. On the other hand, blacklists block only what is known and therefore are likely to result in high false accepts since unknown malicious traffic will be accepted, e.g., in the case of zero-day attacks (i.e., new attacks whose signatures have not yet been analyzed by the security community). Despite this knowledge, the most commonly used traffic authentication solutions, e.g., antivirus or antimalware solutions, have predominantly employed blacklists rather than whitelists in their solutions. This can perhaps be attributed to the fact that the population of a blacklist typically requires less user involvement than that of a whitelist. For instance, malicious traffic signatures (i.e., behavior or destinations) are usually the same across a population of users; hence, by observing malicious activity from a few users, a global blacklist that is applicable to all users can be created. Whitelist generation, on the other hand, tends to be more user-specific as what may be considered acceptable or benign traffic to one user may not be considered the same to a different user. As a result, users are likely to find whitelist-based solutions that require their participation to be both cumbersome and inconveniencing. This dissertation offers a whitelist-based traffic authentication solution that reduces the active participation of users in whitelist population. By relying on activity that users regularly engage in while interacting with their computers (i.e., typing), we are able to identify legitimate destinations to which users direct their traffic and use these to populate the whitelist, without requiring the users to deviate from their normal behavior. Our solution requires users to type the destinations of their outgoing traffic requests only once, after which any subsequent requests to that destination are authenticated without the need for them to be typed again. Empirical results from testing our solution in a real time traffic analysis scenario showed that relatively low false reject rates for legitimate traffic with no false accepts for illegitimate traffic are achievable. Additionally, an investigation into the level of inconvenience that the typing requirement imposes on the users revealed that, since users are likely to engage in this (typing) activity during the course of utilizing their computer\u27s resources, this requirement did not pose a significant deterrent to them from using the system

From Understanding Telephone Scams to Implementing Authenticated Caller ID Transmission

abstract: The telephone network is used by almost every person in the modern world. With the rise of Internet access to the PSTN, the telephone network today is rife with telephone spam and scams. Spam calls are significant annoyances for telephone users, unlike email spam, spam calls demand immediate attention. They are not only significant annoyances but also result in significant financial losses in the economy. According to complaint data from the FTC, complaints on illegal calls have made record numbers in recent years. Americans lose billions to fraud due to malicious telephone communication, despite various efforts to subdue telephone spam, scam, and robocalls. In this dissertation, a study of what causes the users to fall victim to telephone scams is presented, and it demonstrates that impersonation is at the heart of the problem. Most solutions today primarily rely on gathering offending caller IDs, however, they do not work effectively when the caller ID has been spoofed. Due to a lack of authentication in the PSTN caller ID transmission scheme, fraudsters can manipulate the caller ID to impersonate a trusted entity and further a variety of scams. To provide a solution to this fundamental problem, a novel architecture and method to authenticate the transmission of the caller ID is proposed. The solution enables the possibility of a security indicator which can provide an early warning to help users stay vigilant against telephone impersonation scams, as well as provide a foundation for existing and future defenses to stop unwanted telephone communication based on the caller ID information.Dissertation/ThesisDoctoral Dissertation Computer Science 201

Creating Network Attack Priority Lists by Analyzing Email Traffic Using Predefined Profiles

Networks can be vast and complicated entities consisting of both servers and workstations that contain information sought by attackers. Searching for specific data in a large network can be a time consuming process. Vast amounts of data either passes through or is stored by various servers on the network. However, intermediate work products are often kept solely on workstations. Potential high value targets can be passively identified by comparing user email traffic against predefined profiles. This method provides a potentially smaller footprint on target systems, less human interaction, and increased efficiency of attackers. Collecting user email traffic and comparing each word in an email to a predefined profile, or a list of key words of interest to the attacker, can provide a prioritized list of systems containing the most relevant information. This research uses two experiments. The functionality experiment uses randomly generated emails and profiles, demonstrating MAPS (Merritt\u27s Adaptive Profiling System)ability to accurately identify matches. The utility experiment uses an email corpus and meaningful profiles, further demonstrating MAPS ability to accurately identify matches with non-random input. A meaningful profile is a list of words bearing a semantic relationship to a topic of interest to the attacker. Results for the functionality experiment show MAPS can parse randomly generated emails and identify matches with an accuracy of 99 percent or above. The utility experiment using an email corpus with meaningful profiles, shows slightly lower accuracies of 95 percent or above. Based upon the match results, network attack priority lists are generated. A network attack priority list is an ordered list of systems, where the potentially highest value systems exhibit the greatest fit to the profile. An attacker then uses the list when searching for target information on the network to prioritize the systems most likely to contain useful data

User Authentication and Supervision in Networked Systems

This thesis considers the problem of user authentication and supervision in networked systems. The issue of user authentication is one of on-going concern in modem IT systems with the increased use of computer systems to store and provide access to sensitive information resources. While the traditional username/password login combination can be used to protect access to resources (when used appropriately), users often compromise the security that these methods can provide. While alternative (and often more secure) systems are available, these alternatives usually require expensive hardware to be purchased and integrated into IT systems. Even if alternatives are available (and financially viable), they frequently require users to authenticate in an intrusive manner (e.g. forcing a user to use a biometric technique relying on fingerprint recognition). Assuming an acceptable form of authentication is available, this still does not address the problem of on-going confidence in the users’ identity - i.e. once the user has logged in at the beginning of a session, there is usually no further confirmation of the users' identity until they logout or lock the session in which they are operating. Hence there is a significant requirement to not only improve login authentication but to also introduce the concept of continuous user supervision. Before attempting to implement a solution to the problems outlined above, a range of currently available user authentication methods are identified and evaluated. This is followed by a survey conducted to evaluate user attitudes and opinions relating to login and continuous authentication. The results reinforce perceptions regarding the weaknesses of the traditional username/password combination, and suggest that alternative techniques can be acceptable. This provides justification for the work described in the latter part o f the thesis. A number of small-scale trials are conducted to investigate alternative authentication techniques, using ImagePIN's and associative/cognitive questions. While these techniques are of an intrusive nature, they offer potential improvements as either initial login authentication methods or, as a challenge during a session to confirm the identity of the logged-in user. A potential solution to the problem of continuous user authentication is presented through the design and implementation o f a system to monitor user activity throughout a logged-in session. The effectiveness of this system is evaluated through a series of trials investigating the use of keystroke analysis using digraph, trigraph and keyword-based metrics (with the latter two methods representing novel approaches to the analysis of keystroke data). The initial trials demonstrate the viability of these techniques, whereas later trials are used to demonstrate the potential for a composite approach. The final trial described in this thesis was conducted over a three-month period with 35 trial participants and resulted in over five million samples. Due to the scope, duration, and the volume of data collected, this trial provides a significant contribution to the domain, with the use of a composite analysis method representing entirely new work. The results of these trials show that the technique of keystroke analysis is one that can be effective for the majority of users. Finally, a prototype composite authentication and response system is presented, which demonstrates how transparent, non-intrusive, continuous user authentication can be achieved