5,543 research outputs found
User Authentication and Supervision in Networked Systems
This thesis considers the problem of user authentication and supervision in networked
systems. The issue of user authentication is one of on-going concern in modem IT systems
with the increased use of computer systems to store and provide access to sensitive
information resources. While the traditional username/password login combination can be
used to protect access to resources (when used appropriately), users often compromise the
security that these methods can provide. While alternative (and often more secure)
systems are available, these alternatives usually require expensive hardware to be
purchased and integrated into IT systems. Even if alternatives are available (and
financially viable), they frequently require users to authenticate in an intrusive manner (e.g.
forcing a user to use a biometric technique relying on fingerprint recognition). Assuming
an acceptable form of authentication is available, this still does not address the problem of
on-going confidence in the users’ identity - i.e. once the user has logged in at the
beginning of a session, there is usually no further confirmation of the users' identity until
they logout or lock the session in which they are operating. Hence there is a significant
requirement to not only improve login authentication but to also introduce the concept of
continuous user supervision.
Before attempting to implement a solution to the problems outlined above, a range of
currently available user authentication methods are identified and evaluated. This is
followed by a survey conducted to evaluate user attitudes and opinions relating to login
and continuous authentication. The results reinforce perceptions regarding the weaknesses
of the traditional username/password combination, and suggest that alternative techniques
can be acceptable. This provides justification for the work described in the latter part o f
the thesis.
A number of small-scale trials are conducted to investigate alternative authentication
techniques, using ImagePIN's and associative/cognitive questions. While these techniques
are of an intrusive nature, they offer potential improvements as either initial login
authentication methods or, as a challenge during a session to confirm the identity of the
logged-in user.
A potential solution to the problem of continuous user authentication is presented through
the design and implementation o f a system to monitor user activity throughout a logged-in
session. The effectiveness of this system is evaluated through a series of trials
investigating the use of keystroke analysis using digraph, trigraph and keyword-based
metrics (with the latter two methods representing novel approaches to the analysis of
keystroke data). The initial trials demonstrate the viability of these techniques, whereas
later trials are used to demonstrate the potential for a composite approach. The final trial
described in this thesis was conducted over a three-month period with 35 trial participants
and resulted in over five million samples. Due to the scope, duration, and the volume of
data collected, this trial provides a significant contribution to the domain, with the use of a
composite analysis method representing entirely new work. The results of these trials
show that the technique of keystroke analysis is one that can be effective for the majority
of users. Finally, a prototype composite authentication and response system is presented,
which demonstrates how transparent, non-intrusive, continuous user authentication can be
achieved
SECMACE: Scalable and Robust Identity and Credential Management Infrastructure in Vehicular Communication Systems
Several years of academic and industrial research efforts have converged to a
common understanding on fundamental security building blocks for the upcoming
Vehicular Communication (VC) systems. There is a growing consensus towards
deploying a special-purpose identity and credential management infrastructure,
i.e., a Vehicular Public-Key Infrastructure (VPKI), enabling pseudonymous
authentication, with standardization efforts towards that direction. In spite
of the progress made by standardization bodies (IEEE 1609.2 and ETSI) and
harmonization efforts (Car2Car Communication Consortium (C2C-CC)), significant
questions remain unanswered towards deploying a VPKI. Deep understanding of the
VPKI, a central building block of secure and privacy-preserving VC systems, is
still lacking. This paper contributes to the closing of this gap. We present
SECMACE, a VPKI system, which is compatible with the IEEE 1609.2 and ETSI
standards specifications. We provide a detailed description of our
state-of-the-art VPKI that improves upon existing proposals in terms of
security and privacy protection, and efficiency. SECMACE facilitates
multi-domain operations in the VC systems and enhances user privacy, notably
preventing linking pseudonyms based on timing information and offering
increased protection even against honest-but-curious VPKI entities. We propose
multiple policies for the vehicle-VPKI interactions, based on which and two
large-scale mobility trace datasets, we evaluate the full-blown implementation
of SECMACE. With very little attention on the VPKI performance thus far, our
results reveal that modest computing resources can support a large area of
vehicles with very low delays and the most promising policy in terms of privacy
protection can be supported with moderate overhead.Comment: 14 pages, 9 figures, 10 tables, IEEE Transactions on Intelligent
Transportation System
Policy based roles for distributed systems security
Distributed systems are increasingly being used in commercial environments necessitating the development of trustworthy and reliable security mechanisms. There is often no clear informal or formal specification of enterprise authorisation policies and no tools to translate policy specifications to access control implementation mechanisms such as capabilities or Access Control Lists. It is thus difficult to analyse the policy to detect conflicts or flaws and it is difficult to verify that the implementation corresponds to the policy specification. We present in this paper a framework for the specification of management policies. We are concerned with two types of policies: obligations which specify what activities a manager or agent must or must not perform on a set of target objects and authorisations which specify what activities a subject (manager or agent) can or can not perform on the set of target objects. Management policies are then grouped into roles reflecting the organisation..
First experiences with Personal Networks as an enabling platform for service providers
By developing demonstrators and performing small-scale user trials, we found various opportunities and pitfalls for deploying personal networks (PNs) on a commercial basis. The demonstrators were created using as many as possible legacy devices and proven technologies. They deal with applications in the health sector, home services, tourism, and the transportation sector. This paper describes the various architectures and our experiences with the end users and the technology. We conclude that context awareness, service discovery, and content management are very important in PNs and that a personal network provider role is necessary to realize these functions under the assumptions we made. The PNPay Travel demonstrator suggests that PN service platforms provide an opportunity to develop true trans-sector services
IREEL: remote experimentation with real protocols and applications over emulated network
This paper presents a novel e-learning platform called IREEL. IREEL is a virtual laboratory allowing students to drive experiments with real Internet applications and end-to-end protocols in the context of networking courses. This platform consists in a remote network emulator offering a set of predefined applications and protocol mechanisms. Experimenters configure and control the emulation and the end-systems behavior in order to perform tests, measurements and observations on protocols or applications operating under controlled specific networking conditions. A set of end-to-end mechanisms, mainly focusing on transport and application level protocols, are currently available. IREEL is scalable and easy to use thanks to an ergonomic web interface
A Middleware for the Internet of Things
The Internet of Things (IoT) connects everyday objects including a vast array
of sensors, actuators, and smart devices, referred to as things to the
Internet, in an intelligent and pervasive fashion. This connectivity gives rise
to the possibility of using the tracking capabilities of things to impinge on
the location privacy of users. Most of the existing management and location
privacy protection solutions do not consider the low-cost and low-power
requirements of things, or, they do not account for the heterogeneity,
scalability, or autonomy of communications supported in the IoT. Moreover,
these traditional solutions do not consider the case where a user wishes to
control the granularity of the disclosed information based on the context of
their use (e.g. based on the time or the current location of the user). To fill
this gap, a middleware, referred to as the Internet of Things Management
Platform (IoT-MP) is proposed in this paper.Comment: 20 pages, International Journal of Computer Networks & Communications
(IJCNC) Vol.8, No.2, March 201
A Correlation Framework for Continuous User Authentication Using Data Mining
Merged with duplicate records: 10026.1/572, 10026.1/334 and 10026.1/724 on 01.02.2017 by CS (TIS)The increasing security breaches revealed in recent surveys and security threats reported in the media reaffirms the lack of current security measures in IT systems. While most reported work in this area has focussed on enhancing the initial login stage in order to counteract against unauthorised access, there is still a problem detecting when an intruder has compromised the front line controls. This could pose a senous threat since any subsequent indicator of an intrusion in progress could be quite subtle and may remain hidden to the casual observer. Having passed the frontline controls and having the appropriate access privileges, the intruder may be in the position to do virtually anything without further challenge. This has caused interest'in the concept of continuous authentication, which inevitably involves the analysis of vast amounts of data. The primary objective of the research is to develop and evaluate a suitable correlation engine in order to automate the processes involved in authenticating and monitoring users in a networked system environment. The aim is to further develop the Anoinaly Detection module previously illustrated in a PhD thesis [I] as part of the conceptual architecture of an Intrusion Monitoring System (IMS) framework
- …