EAI Endorsed Transactions on Security and Safety https://publications.eai.eu/index.php/sesa <div> <div class="abstract"> <p>Growing threats and increasingly also failures due to complexity may compromise the security and resilience of network and service infrastructures. Applications and services require the security of data handling and we need new security architectures and scalable and interoperable security policies for this. There is a need to guarantee end-to-end security in data communications and storage, including identity management and authentication.</p> <p>Moreover, we need technology to enable network security monitoring and tracing and to assess the trustworthiness of infrastructures and services. It must ensure the protection of personal data and privacy and properly assign liability and risks, together with the appropriate governance models needed to do so. Furthermore, this is applied to the settings of Public Safety in general.</p> </div> </div> en-US <p>This is an open-access article distributed under the terms of the Creative Commons Attribution <a href="https://creativecommons.org/licenses/by/3.0/" target="_blank" rel="noopener">CC BY 3.0</a> license, which permits unlimited use, distribution, and reproduction in any medium so long as the original work is properly cited.</p> publications@eai.eu (EAI Publications Department) publications@eai.eu (EAI Support) Fri, 05 Aug 2022 08:48:44 +0000 OJS http://blogs.law.harvard.edu/tech/rss 60 Dynamic Risk Assessment and Analysis Framework for Large-Scale Cyber-Physical Systems https://publications.eai.eu/index.php/sesa/article/view/22 <p>Cyberspace is growing at full tilt creating an amalgamation of disparate systems. This heterogeneity leads to increased system complexity and security flaws. It is crucial to understand and identify these flaws to prevent catastrophic events. However, the current state-of-the-art solutions are threat-specific and focus on either risk, vulnerabilities, or adversary emulation. In this work, we present a scalable Cyber-threats and Vulnerability Information Analyzer (CyVIA) framework. CyVIA analyzes cyber risks and abnormalities in real-time using multi-formatted knowledge bases derived from open-source vulnerability databases. CyVIA achieves the following goals: 1) assess the target network for risk and vulnerabilities, 2) map services and policies to network nodes, 3) classify nodes based on severity, and 4) provide consequences, mitigation, and relationships for the found vulnerabilities. We use CyVIA and other tools to examine a simulated network for threats and compare the results.</p> Adeel A. Malik, Deepak K. Tosh Copyright (c) 2022 EAI Endorsed Transactions on Security and Safety https://creativecommons.org/licenses/by/3.0/ https://publications.eai.eu/index.php/sesa/article/view/22 Tue, 25 Jan 2022 00:00:00 +0000 Comparing Online Surveys for Cybersecurity: SONA and MTurk https://publications.eai.eu/index.php/sesa/article/view/24 <p>People have many accounts and usually need to create a password for each. They tend to create insecure passwords and re-use passwords, which can lead to compromised data. This research examines if there is a link between personality type and password security among a variety of participants in two groups of participants: SONA and MTurk. Each participant in both surveys answered questions based on password security and their personality type. Our results show that participants in the MTurk survey were more likely to choose a strong password and to exhibit better security behaviors and knowledge than participants in the SONA survey. This is mostly attributed to the age difference. However, the distribution of the results was similar for both MTurk and SONA. In the second part of our study, we found that security behaviors actually went down – this could be due to the pandemic or indicative of a need for more regular messaging/training.</p> Anne Wagner, Anna Bakas, Shelia Kennison, Eric Chan-Tin Copyright (c) 2022 EAI Endorsed Transactions on Security and Safety https://creativecommons.org/licenses/by/3.0/ https://publications.eai.eu/index.php/sesa/article/view/24 Mon, 14 Mar 2022 00:00:00 +0000 How data-sharing nudges influence people's privacy preferences: A machine learning-based analysis https://publications.eai.eu/index.php/sesa/article/view/25 <p>INTRODUCTION: Many online services use data-sharing nudges to solicit personal data from their customers for personalized services.</p> <p>OBJECTIVES: This study aims to study people’s privacy preferences in sharing different types of personal data under different nudging conditions, how digital nudging can change their data sharing willingness, and if people’s data sharing preferences can be predicted using their responses to a questionnaire.</p> <p>METHODS: This paper reports a machine learning-based analysis on people’s privacy preference patterns under four different data-sharing nudging conditions (without nudging, monetary incentives, non-monetary incentives, and privacy assurance). The analysis is based on data collected from 685 UK residents who participated in a panel survey. Their self-reported willingness levels towards sharing 23 different types of personal data were analyzed by using both unsupervised (clustering) and supervised (classification) machine learning algorithms.</p> <p>RESULTS: The results led to a better understanding of people’s privacy preference patterns across different data-sharing nudging conditions, e.g., our participants’ preferences are distributed in a space of 48 possible profiles more sparsely than we expected, and the unexpected observation that all the three data-sharing nudging strategies led to an overall negative effect: they led to a reduced level of self-reported willingness for more participants, comparing with the case of no nudging at all. Our experiments with supervised machine learning models also showed that people’s privacy (data-sharing) preference profiles can be automatically predicted with a good accuracy, even when a small questionnaire with just seven questions is used.</p> <p>CONCLUSION: Our work revealed a more complicated structure of people’s privacy preference profiles, which have some dependencies on the type of data nudging and the type of personal data shared. Such complicated privacy preference profiles can be effectively analyzed using machine learning methods, including automatic prediction based on a small questionnaire. The negative results on the overall effect of different data-sharing nudges imply that service providers should consider if and how to use such mechanisms to incentivise their consumers to share personal data. We believe that more consumer-centric and transparent methods and tools should be used to help improve trust between consumers and service providers.</p> Yang Lu, Shujun Li, Alex Freitas, Athina Ioannou Copyright (c) 2022 EAI Endorsed Transactions on Security and Safety https://creativecommons.org/licenses/by/3.0/ https://publications.eai.eu/index.php/sesa/article/view/25 Mon, 14 Mar 2022 00:00:00 +0000 Mitigating Vulnerabilities in Closed Source Software https://publications.eai.eu/index.php/sesa/article/view/253 <p>Many techniques have been proposed to harden programs with protection mechanisms to defend against vulnerability exploits. Unfortunately the vast majority of them cannot be applied to closed source software because they require access to program source code. This paper presents our work on automatically hardening binary code with security workarounds, a protection mechanism that prevents vulnerabilities from being triggered by disabling vulnerable code. By working solely with binary code, our approach is applicable to closed source software. To automatically synthesize security workarounds, we develop binary program analysis techniques to identify existing error handling code in binary code, synthesize security workarounds in the form of binary code, and instrument security workarounds into binary programs. We designed and implemented a prototype or our approach for Windows and Linux binary programs. Our evaluation shows that our approach can apply security workarounds to an average of 69.3% of program code and the security workarounds successfully prevents exploits to trigger real-world vulnerabilities.</p> Zhen Huang, Gang Tan, Xiaowei Yu Copyright (c) 2022 EAI Endorsed Transactions on Security and Safety https://creativecommons.org/licenses/by/3.0/ https://publications.eai.eu/index.php/sesa/article/view/253 Thu, 04 Aug 2022 00:00:00 +0000 A Systemic Security and Privacy Review: Attacks and Prevention Mechanisms over IOT Layers https://publications.eai.eu/index.php/sesa/article/view/590 <p>In this contemporary era internet of things are used in every realm of life. Recent software’s (e.g., vehicle networking, smart grid, and wearable) are established in result of its use: furthermore, as development, consolidation, and revolution of varied ancient areas (e.g., medical and automotive). The number of devices connected in conjunction with the ad-hoc nature of the system any exacerbates the case. Therefore, security and privacy has emerged as a big challenge for the IoT. This paper provides an outline of IoT security attacks on Three-Layer Architecture: Three-layer such as application layer, network layer, perception layer/physical layer and attacks that are associated with these layers will be discussed. Moreover, this paper will provide some possible solution mechanisms for such attacks. The aim is to produce a radical survey associated with the privacy and security challenges of the IoT. This paper addresses these challenges from the attitude of technologies and design used. The objective of this paper is to rendering possible solution for various attacks on different layers of IoT architecture. It also presents comparison based on reviewing multiple solutions and defines the best one solution for a specific attack on particular layer.</p> Muhammad Shoaib Akhtar, Tao Feng Copyright (c) 2022 EAI Endorsed Transactions on Security and Safety https://creativecommons.org/licenses/by/3.0/ https://publications.eai.eu/index.php/sesa/article/view/590 Fri, 05 Aug 2022 00:00:00 +0000