Private blockchain-based access control mechanism for unauthorized UAV detection and mitigation in Internet of Drones environment

Artificial intelligence (AI) has taken us by storm, helping us to make decisions in everything we do, even in finding our "true love" and the "significant other". While 5G promises us high-speed mobile internet, 6G pledges to support ubiquitous AI services through next-generation softwarization, heterogeneity, and configurability of networks. The work on 6G is in its infancy and requires the community to conceptualize and develop its design, implementation, deployment, and use cases. Towards this end, this paper proposes a framework for Distributed AI as a Service (DAIaaS) provisioning for Internet of Everything (IoE) and 6G environments. The AI service is "distributed" because the actual training and inference computations are divided into smaller, concurrent, computations suited to the level and capacity of resources available with cloud, fog, and edge layers. Multiple DAIaaS provisioning configurations for distributed training and inference are proposed to investigate the design choices and performance bottlenecks of DAIaaS. Specifically, we have developed three case studies (e.g., smart airport) with eight scenarios (e.g., federated learning) comprising nine applications and AI delivery models (smart surveillance, etc.) and 50 distinct sensor and software modules (e.g., object tracker). The evaluation of the case studies and the DAIaaS framework is reported in terms of end-to-end delay, network usage, energy consumption, and financial savings with recommendations to achieve higher performance. DAIaaS will facilitate standardization of distributed AI provisioning, allow developers to focus on the domain-specific details without worrying about distributed training and inference, and help systemize the mass-production of technologies for smarter environments.

https://www.mdpi.com/1424-8220/20/20/5796/pdf

Distributed Artificial Intelligence-as-a-Service (DAIaaS) for Smarter IoE and 6G Environments.

There has been a a significant increase in the popularity of using Unmanned Aerial Vehicles (UAVs), popularly known as drones, in several applications. In many application scenarios, UAVs are deployed in missions where sensitive data is collected, such as monitoring critical infrastructure, industrial facilities, crops, and public safety. Due to the sensitive and/or safety critical nature of the data collected in these applications, it is imperative to consider the security, and privacy aspects of the UAVs used in these scenarios. In this article, we propose an efficient privacy aware authenticated key agreement scheme for edge-assisted UAVs (Internet of Drones). Unlike the existing security solutions for UAVs, the proposed scheme does not need to store any secret keys in the devices but still can provide the desired security features. To the best of our knowledge, this is the first work where physical security of the UAV has been taken into account. The proposed system allows third-party communication, and mobile edge computing service providers to authenticate the UAVs without any loss of provacy, and outperforms existing methods in terms of computational complexity.

/pdf/an-efficient-privacy-preserving-authenticated-key-agreement-34v1dygxxw.pdf

An Efficient Privacy-Preserving Authenticated Key Agreement Scheme for Edge-Assisted Internet of Drones

An ensemble learning based approach for impression fraud detection in mobile advertising

We study the market for fake product reviews on Amazon.com. These reviews are purchased in large private internet groups on Facebook and other sites. We hand-collect data on these markets to characterize the types of products that buy fake reviews and then collect large amounts of data on the ratings and reviews posted on Amazon for these products, as well as their sales rank, advertising, and pricing behavior. We use this data to assess the costs and benefits of fake reviews to sellers and evaluate the degree to which they harm consumers. The theoretical literature on review fraud shows conditions when they harm consumers and conditions where they function as simply another type of advertising. Using detailed data on product outcomes before and after they buy fake reviews we can directly determine if these are low-quality products using fake reviews to deceive and harm consumers or if they are high-quality products that solicit reviews to establish reputations. We find that a wide array of products purchase fake reviews, including products with many reviews and high average ratings. Buying fake reviews on Facebook leads to a significant increase in average rating and sales rank, but the effect disappears after roughly one month. After firms stop buying fake reviews their average ratings fall significantly and the share of one-star reviews increases significantly, indicating fake reviews are mostly used by low quality products and are deceiving and harming consumers. Finally, we observe that Amazon deletes large numbers of reviews and we document their deletion policy.

https://dl.acm.org/doi/pdf/10.1145/3465456.3467589

The Market for Fake Reviews

Extensive use of unmanned aerial vehicles (commonly referred to as a “drone”) has posed security and safety challenges. To mitigate security threats caused by flights of unauthorized drones, we present a framework called SENTINEL (Secure and Efficient autheNTIcation for uNmanned aErial vehicLes) under the Internet of Drones (IoD) infrastructure. SENTINEL is specifically designed to minimize the computational and traffic overheads caused by certificate exchanges and asymmetric cryptography computations that are typically required for authentication protocols. SENTINEL initially generates a flight session key for a drone having a flight plan and registers the flight session key and its flight plan into a centralized database that can be accessed by ground stations. The registered flight session key is then used as the message authentication code key to authenticate the drone by any ground station while the drone is flying. To demonstrate the feasibility of the proposed scheme, we implemented a prototype of SENTINEL with ECDSA, PBKDF2 and HMAC-SHA256. The experiment results demonstrated that the average execution time of the authentication protocol in SENTINEL was about 3.1 times faster than the “TLS for IoT” protocol. We also formally proved the security of SENTINEL using ProVerif that is an automatic cryptographic protocol verifier.

SENTINEL: A Secure and Efficient Authentication Framework for Unmanned Aerial Vehicles

To improve the security of user-chosen Android screen lock patterns, we propose a novel system-guided pattern lock scheme called "SysPal" that mandates the use of a small number of randomly selected points while selecting a pattern. Users are given the freedom to use those mandated points at any position. We conducted a large-scale online study with 1,717 participants to evaluate the security and usability of three SysPal policies, varying the number of mandatory points that must be used (upon selecting a pattern) from one to three. Our results suggest that the two SysPal policies that mandate the use of one and two points can help users select significantly more secure patterns compared to the current Android policy: 22.58% and 23.19% fewer patterns were cracked. Those two SysPal policies, however, did not show any statistically significant inferiority in pattern recall success rate (the percentage of participants who correctly recalled their pattern after 24 hours). In our lab study, we asked participants to install our screen unlock application on their own Android device, and observed their real-life phone unlock behaviors for a day. Again, our lab study did not show any statistically significant difference in memorability for those two SysPal policies compared to the current Android policy.

/pdf/syspal-system-guided-pattern-locks-for-android-bmkpt1misb.pdf

SysPal: System-Guided Pattern Locks for Android

Smartphone advertisement is increasingly used among many applications and allows developers to obtain revenue through in-app advertising. Our study aims at identifying potential security risks of a type of mobile advertisement where advertisers are charged for their advertisements only when a user clicks (or touches) on the advertisements in their applications. In the Android platform, we design an automated click generation attack and empirically evaluate eight popular advertising networks by performing real attacks on them. Our experimental results show that six advertising networks (75%) out of eight (Millennial Media, App Lovin, Ad Fit, Mdot M, Rev Mob and Cauly Ads) are vulnerable to our attacks. We also discuss how to develop effective defense mechanisms to mitigate such automated click fraud attacks.

An Empirical Study of Click Fraud in Mobile Advertising Networks

Smartwatches support access to a wide range of private information but little is known about the security and usability of existing smartwatch screen lock mechanisms. Prior studies suggest that smartwatch authentication via standard techniques such as 4-digit PINs is challenging and error-prone. We conducted interviews to shed light on current practices, revealing that smartwatch users consider the ten-key keypad required for PIN entry to be hard to use due to its small button sizes. To address this issue, we propose the Personal Identification Chord (PIC), an authentication system based on a four-button chorded keypad that enables users to enter ten different inputs via taps to one or two larger buttons. Two studies assessing usability and security of our technique indicate PICs lead to increases in setup and (modestly) recall time, but can be entered accurately while maintaining high recall rates and may improve guessing entropy compared to PINs.

The Personal Identification Chord: A Four ButtonAuthentication System for Smartwatches

The Internet of Things interconnects a mass of billions devices, from smartphones to cars, to provide convenient services to people. This gives immediate access to various data about the objects and the environmental context -- leading to smart services and increased efficiency. A number of retail stores have started to adopt IoT enabled services to attract customers. In particular, thanks to indoor proximity technologies, it is possible to introduce location-based smart services to customers, for example, transmitting identifiable signals that represent the locations of stores. In this article, we investigate a potential security risk involved in such technologies: physical signals used as identifiers can be captured and forged easily with today's widely available IoT software for implementing location spoofing attacks. We highlight this security risk by providing a case study: an in-depth security analysis of the recently launched Starbucks service called Siren Order.

Junsung Cho

Papers

SENTINEL: A Secure and Efficient Authentication Framework for Unmanned Aerial Vehicles

SysPal: System-Guided Pattern Locks for Android

An Empirical Study of Click Fraud in Mobile Advertising Networks

The Personal Identification Chord: A Four ButtonAuthentication System for Smartwatches

Wrong Siren! A Location Spoofing Attack on Indoor Positioning Systems: The Starbucks Case Study