2,679 research outputs found

    Towards an effective recognition graphical password mechanism based on cultural familiarity

    Text-based passwords for authentication are exposed to dictionary attacks, as users tend to create weak passwords that are easy to remember. When it comes to user authentication, pictures are more easily remembered than words. Hence, this study aimed to determine the types of pictures in accordance with users’ cultural background. It also investigated the relationship between the choice of password and cultural familiarity, along with the effect of Graphical Password (GP) on security and usability. A list of guidelines was proposed for recognition-based graphical passwords, which is believed to increase security as well as usability. A total of 40 students were recruited to build a GP database. Further, an evaluation was conducted with 30 other respondents to investigate users’ familiarity with and recognition of the GP from the database. The results showed that the 30 participants responded positively to the familiar pictures in accordance with their cultures. The successful login rate was 79.51%, which indicates that cultural-based GP increased the respondents’ familiarity by promoting their memorability. Further, the respondents who chose familiar GP had a higher guessing attack rate than the unfamiliar GP. Finally, a total of 8 guidelines were established based on the aspects that correspond to the users’ preferences for choosing and processing GP. These guidelines can be used by graphical password system designers to develop effective GP systems

    Image-based Authentication

    Mobile and wearable devices are popular platforms for accessing online services. However, the small form factor of such devices makes a secure and practical user authentication experience challenging. Further, online fraud, including phishing attacks, has revealed the importance of conversely providing solutions for usable authentication of remote services to online users. In this thesis, we introduce image-based solutions for mutual authentication between a user and a remote service provider. First, we propose and develop Pixie, a two-factor, object-based authentication solution for camera-equipped mobile and wearable devices. We further design ai.lock, a system that reliably extracts authentication credentials, similar to biometrics, from images. Second, we introduce CEAL, a system to generate visual key fingerprint representations of arbitrary binary strings, to be used to visually authenticate online entities and their cryptographic keys. CEAL leverages deep learning to capture the target style and domain of training images in a generator model learned from a large collection of sample images rather than hand-curated as a collection of rules, and hence provides a unique capacity for easy customizability. CEAL integrates a model of the visual discriminative ability of human perception, so the resulting fingerprint image generator avoids mapping distinct keys to images that humans cannot distinguish. Further, CEAL deterministically generates visually pleasing fingerprint images from an input vector whose components are designated to represent visual properties that are either readily perceptible to the human eye, or imperceptible yet necessary for accurately modeling the target image domain. We show that image-based authentication using Pixie is usable and fast, while ai.lock extracts authentication credentials that exceed the entropy of biometrics. Further, we show that CEAL outperforms the state-of-the-art solution in terms of efficiency, usability, and resilience to powerful adversarial attacks

    WHIDE—a web tool for visual data mining colocation patterns in multivariate bioimages

    Motivation: Bioimaging techniques rapidly develop toward higher resolution and dimension. The increase in dimension is achieved by different techniques such as multitag fluorescence imaging, Matrix Assisted Laser Desorption / Ionization (MALDI) imaging or Raman imaging, which record for each pixel an N-dimensional intensity array, representing local abundances of molecules, residues or interaction patterns. The analysis of such multivariate bioimages (MBIs) calls for new approaches to support users in the analysis of both feature domains: space (i.e. sample morphology) and molecular colocation or interaction. In this article, we present our approach WHIDE (Web-based Hyperbolic Image Data Explorer) that combines principles from computational learning, dimension reduction and visualization in a free web application

    ERINYES: A CONTINUOUS AUTHENTICATION PROTOCOL

    The need for user authentication in the digital domain is paramount as the number of digital interactions that involve sensitive data continues to increase. Advances in the fields of machine learning (ML) and biometric encryption have enabled the development of technologies that can provide fully remote continuous user authentication services. This thesis introduces the Erinyes protocol. The protocol leverages state-of-the-art ML models, biometric encryption of asymmetric cryptographic keys, and a trusted third-party client-server architecture to continuously authenticate users through their behavioral biometrics. The goals in developing the protocol were to identify whether biometric encryption using keystroke timing and mouse cursor movement sequences was feasible and to measure the performance of a continuous authentication system that utilizes biometric encryption. Our research found that with a combined keystroke and mouse cursor movement dataset, the biometric encryption system can perform with a 0.93% False Acceptance Rate (FAR), 0.00% False Reject Rate (FRR), and 99.07% accuracy. Using a similar dataset, the overall integrated system averaged 0% FAR, 2% FRR and 98% accuracy across multiple users. These metrics demonstrate that the Erinyes protocol can achieve continuous user authentication with minimal user intrusion. Lieutenant, United States Navy. Approved for public release. Distribution is unlimited

    Usability, Efficiency and Security of Personal Computing Technologies

    New personal computing technologies such as smartphones and personal fitness trackers are widely integrated into user lifestyles. Users possess a wide range of skills, attributes and backgrounds. It is important to understand user technology practices to ensure that new designs are usable and productive. Conversely, it is important to leverage our understanding of user characteristics to optimize new technology efficiency and effectiveness. Our work initially focused on studying older users, and personal fitness tracker users. We applied the insights from these investigations to develop new techniques improving user security protections, computational efficiency, and also enhancing the user experience. We offer that by increasing the usability, efficiency and security of personal computing technology, users will enjoy greater privacy protections along with experiencing greater enjoyment of their personal computing devices. Our first project resulted in an improved authentication system for older users based on familiar facial images. Our investigation revealed that older users are often challenged by traditional text passwords, resulting in decreased technology use or less than optimal password practices. Our graphical password-based system relies on memorable images from the user's personal past history. Our usability study demonstrated that this system was easy to use, enjoyable, and fast. We show that this technique is extendable to smartphones. Personal fitness trackers are very popular devices, often worn by users all day. Our personal fitness tracker investigation provides the first quantitative baseline of usage patterns with this device. By exploring public data, real-world user motivations, reliability concerns, activity levels, and fitness-related socialization patterns were discerned. This knowledge lends insight to active user practices. Personal user movement data is captured by sensors, then analyzed to provide benefits to the user. The dynamic time warping technique enables comparison of unequal data sequences, and sequences containing events at offset times. Existing techniques target short data sequences. Our Phase-aware Dynamic Time Warping algorithm focuses on a class of sinusoidal user movement patterns, resulting in improved efficiency over existing methods. Lastly, we address user data privacy concerns in an environment where user data is increasingly flowing to manufacturer remote cloud servers for analysis. Our secure computation technique protects the user's privacy while data is in transit and while resident on cloud computing resources. Our technique also protects important data on cloud servers from exposure to individual users

    A New Heuristic Based Phishing Detection Approach Utilizing Selenium Webdriver

    Phishing is a nontrivial problem involving deceptive emails and webpages that trick unsuspecting users into willingly revealing their confidential information. In this paper, we focus on detecting login phishing pages, that is, pages that contain forms with email and password fields to allow for authorization to personal/restricted content. We present the design, implementation, and evaluation of our phishing detection tool “SeleniumPhishGuard”, a novel heuristic-based approach to detect phishing login pages. First, the best existing technologies and techniques that have used similar heuristics are discussed and evaluated. The methodology introduced in our paper identifies fraudulent websites by submitting incorrect credentials and analyzing the response. We have also proposed a mechanism for analyzing the server's responses to the submissions of all those credentials to determine the legitimacy of a given website. The application was implemented in the Python programming language using the Selenium web testing library, hence “Selenium” is used in the name of our tool. To test the application, a dataset from Alexa top 500 and PhishTank was collected. All pages with login forms from the Alexa 500 and PhishTank were analyzed. The application works with any authentication technology that is based on the exchange of credentials. Our current prototype is developed for sites supporting both HTTP and HTTPS authentication and accepting an email and password pair as the login credential. Our algorithm is developed as a separate module which in future can be integrated with browser plugins through an API. We also discuss the design and evaluation of several URL analysis techniques we utilized to reduce false positives and improve the overall performance. Our experiments show that SeleniumPhishGuard is excellent at detecting login phishing forms, correctly classifying approximately 96% of login phishing pages

    BioIMAX : a Web2.0 approach to visual data mining in bioimage data

    Loyek C. BioIMAX : a Web2.0 approach to visual data mining in bioimage data. Bielefeld: Universität Bielefeld; 2012

    Topic driven testing

    Modern interactive applications offer so many interaction opportunities that automated exploration and testing becomes practically impossible without some domain-specific guidance towards relevant functionality. In this dissertation, we present a novel fundamental graphical user interface testing method called topic-driven testing. We mine the semantic meaning of interactive elements, guide testing, and identify core functionality of applications. The semantic interpretation is close to human understanding and allows us to learn specifications and transfer knowledge across multiple applications independent of the underlying device, platform, programming language, or technology stack, which is, to the best of our knowledge, a unique feature of our technique. Our tool ATTABOY is able to take an existing Web application test suite, say from Amazon, execute it on eBay, and thus guide testing to relevant core functionality. Tested on different application domains such as eCommerce, news pages, and mail clients, it can transfer on average sixty percent of the tested application behavior to new apps without any human intervention. On top of that, topic-driven testing can work with even vaguer instructions such as how-to descriptions or use-case descriptions. Given an instruction, say “add item to shopping cart”, it tests the specified behavior in an application, both in a browser and in mobile apps. It thus improves state-of-the-art UI testing frameworks, creates change-resilient UI tests, and lays the foundation for learning, transferring, and enforcing common application behavior. The prototype is up to five times faster than existing random testing frameworks and tests functions that are hard to cover by non-trained approaches