Nilesh Chakraborty

Bio: Nilesh Chakraborty is an academic researcher from Shenzhen University. The author has contributed to research in topics: Password & Authentication. The author has an hindex of 6, co-authored 23 publications receiving 108 citations. Previous affiliations of Nilesh Chakraborty include Indian Institute of Technology Patna.

On designing a modified-UI based honeyword generation approach for overcoming the existing limitations

Abstract: Inverting hashed passwords by performing brute force computation is one of the latest security threats on password based authentication technique. New technologies are being developed for reducing complexity of brute force computation and these increase the success rate of inversion attack. Honeyword base authentication protocol can successfully mitigate this threat by making password cracking detectable. However, existing honeyword based methods have several limitations likeMultiple System Vulnerability, Weak DoS Resistivity, Storage Overhead, etc. In this paper, we have proposed a new modified-UI based honeyword generation approach, identified as Paired Distance Protocol (PDP), which overcomes most of the drawbacks of previously proposed honeyword generation approaches. The comprehensive analysis shows that PDP not only attains a high detection rate of 97.23%, but also reduces the storage overhead to a great extent.

Color Pass: An intelligent user interface to resist shoulder surfing attack

Abstract: Classical PIN entry mechanism is widely used for authenticating a user. It is a popular scheme because it nicely balances the usability and security aspects of a system. However, if this scheme is to be used in a public system then the scheme may suffer from shoulder surfing attack. In this attack, an unauthorized user can fully or partially observe the login session. Even the activities of the login session can be recorded which the attacker can use it later to get the actual PIN. In this paper, we propose an intelligent user interface, known as Color Pass to resist the shoulder surfing attack so that any genuine user can enter the session PIN without disclosing the actual PIN. The Color Pass is based on a partially observable attacker model. The experimental analysis shows that the Color Pass interface is safe and easy to use even for novice users.

Few notes towards making honeyword system more secure and usable

Abstract: Traditionally the passwords are stored in hashed format. However, if the password file is compromised then by using the brute force attack there is a high chance that the original passwords can be leaked. False passwords -- also known as honeywords, are used to protect the original passwords from such leak. A good honeyword system is dependent on effective honeyword generation techniques. In this paper, the risk and limitations of some of the existing honeyword generation techniques have been identified as different notes. Three concepts -- modified tails, close number formation and caps key are introduced to address the existing issues. The experimental analysis shows that the proposed techniques with some preprocessing can protect high percentage of passwords. Finally a comparative analysis is presented to show how the proposed approaches stand with respect to the existing honeyword generation approaches.

A hybrid machine learning approach for hypertension risk prediction

Abstract: Hypertension is a primary or contributing cause for premature death in the entire world. As a matter of fact, there is a high prevalence and low control rates in low- and middle-income countries, such that the prevention and treatment of hypertension should remain a top priority in global health. In the recent years, the awareness, treatment, and control rates of hypertension patients in China have been significantly improved to 51.6%, 45.8%, and 16.8%, respectively. However, those rates are still far from a satisfactory level. Clinical studies suggest that for people in the pre-clinical stage of hypertension or having the risk of hypertension, the progression of the disease may be significanly reduced through a change in lifestyle, or by an effective drug therapy. In this paper, we address risk prediction for hypertension in the next five years, and put forward a model merging KNN and LightGBM. Our approach allows us to predict the hypertension risk for a specific individual using features such as the age of the subject and blood indicators. Results shows that our model is reliable and achieves accuracy and recall rate over 86% and 92%, respectively.

MobSecure: A Shoulder Surfing Safe Login Approach Implemented on Mobile Device☆

Abstract: Shoulder surfing attack is a great threat on password based authentication technique. As today's world has seen a rapid growth of mobile users thus, latest methodologies which are developed to address this attack preferably should support mobile users. In this paper we have proposed a new shoulder surfing resilient technique, MobSecure, which is designed to be used in smartphone and acts in a partially observable environment (where an auxiliary device is required for authentication). Additionally the proposed method is also capable of avoiding recording based attack for infinite number of authentication sessions. Allowing alphanumeric characters as password is one of the key properties of the proposed scheme here. Finally, we show that MobSecure attains highest security standard with moderate usability scores compared to existing partially observable approaches.

Computer security - ESORICS 2010 : 15th European Symposium on Research in Computer Security, Athens, Greece, September 20-22, 2010 : proceedings

Abstract: RFID and Privacy.- A New Framework for RFID Privacy.- Readers Behaving Badly.- Privacy-Preserving, Taxable Bank Accounts.- Formal Analysis of Privacy for Vehicular Mix-Zones.- Software Security.- IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time.- A Theory of Runtime Enforcement, with Results.- Enforcing Secure Object Initialization in Java.- Flexible Scheduler-Independent Security.- Cryptographic Protocols.- Secure Multiparty Linear Programming Using Fixed-Point Arithmetic.- A Certifying Compiler for Zero-Knowledge Proofs of Knowledge Based on ?-Protocols.- Short Generic Transformation to Strongly Unforgeable Signature in the Standard Model.- DR@FT: Efficient Remote Attestation Framework for Dynamic Systems.- Traffic Analysis.- Website Fingerprinting and Identification Using Ordered Feature Sequences.- Web Browser History Detection as a Real-World Privacy Threat.- On the Secrecy of Spread-Spectrum Flow Watermarks.- Traffic Analysis against Low-Latency Anonymity Networks Using Available Bandwidth Estimation.- End-User Security.- A Hierarchical Adaptive Probabilistic Approach for Zero Hour Phish Detection.- Kamouflage: Loss-Resistant Password Management.- Formal Analysis.- Sequential Protocol Composition in Maude-NPA.- Verifying Security Property of Peer-to-Peer Systems Using CSP.- Modeling and Analyzing Security in the Presence of Compromising Adversaries.- On Bounding Problems of Quantitative Information Flow.- E-voting and Broadcast.- On E-Vote Integrity in the Case of Malicious Voter Computers.- Election Verifiability in Electronic Voting Protocols.- Pretty Good Democracy for More Expressive Voting Schemes.- Efficient Multi-dimensional Key Management in Broadcast Services.- Authentication, Access Control, Authorization and Attestation.- Caught in the Maze of Security Standards.- User-Role Reachability Analysis of Evolving Administrative Role Based Access Control.- An Authorization Framework Resilient to Policy Evaluation Failures.- Optimistic Fair Exchange with Multiple Arbiters.- Anonymity and Unlinkability.- Speaker Recognition in Encrypted Voice Streams.- Evaluating Adversarial Partitions.- Providing Mobile Users' Anonymity in Hybrid Networks.- Complexity of Anonymity for Security Protocols.- Network Security and Economics.- k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks.- Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information.- RatFish: A File Sharing Protocol Provably Secure against Rational Users.- A Service Dependency Model for Cost-Sensitive Intrusion Response.- Secure Update, DOS and Intrustion Detection.- Secure Code Update for Embedded Devices via Proofs of Secure Erasure.- D(e|i)aling with VoIP: Robust Prevention of DIAL Attacks.- Low-Cost Client Puzzles Based on Modular Exponentiation.- Expressive, Efficient and Obfuscation Resilient Behavior Based IDS.

An improved data stream summary: The Count-Min Sketch and its applications

Abstract: We introduce a new sublinear space data structure--the count-min sketch--for summarizing data streams. Our sketch allows fundamental queries in data stream summarization such as point, range, and inner product queries to be approximately answered very quickly; in addition, it can be applied to solve several important problems in data streams such as finding quantiles, frequent items, etc. The time and space bounds we show for using the CM sketch to solve these problems significantly improve those previously known--typically from 1/e2 to 1/e in factor.

A Security Analysis of Honeywords.

Abstract: Honeywords are decoy passwords associated with each user account, and they contribute a promising approach to detecting password leakage. This approach was first proposed by Juels and Rivest at CCS’13, and has been covered by hundreds of medias and also adopted in various research domains. The idea of honeywords looks deceptively simple, but it is a deep and sophisticated challenge to automatically generate honeywords that are hard to differentiate from real passwords. In JuelsRivest’s work, four main honeyword-generation methods are suggested but only justified by heuristic security arguments. In this work, we for the first time develop a series of practical experiments using 10 large-scale datasets, a total of 104 million real-world passwords, to quantitatively evaluate the security that these four methods can provide. Our results reveal that they all fail to provide the expected security: real passwords can be distinguished with a success rate of 29.29%∼32.62% by our basic trawling-guessing attacker, but not the expected 5%, with just one guess (when each user account is associated with 19 honeywords as recommended). This figure reaches 34.21%∼49.02% under the advanced trawling-guessing attackers who make use of various state-of-the-art probabilistic password models. We further evaluate the security of Juels-Rivest’s methods under a targeted-guessing attacker who can exploit the victim’ personal information, and the results are even more alarming: 56.81%∼67.98%. Overall, our work resolves three open problems in honeyword research, as defined by Juels and Rivest.

Authentication systems: A literature review and classification

Abstract: One of the most important parts of any system is authentication. Appreciated as the first and the last line of defense in the great majority of cases, authentication systems can usually prevent the kleptomaniac from unauthorized accessing to users’ data. However, the traditional text-based password is still used in many websites and applications which are vulnerable to different kinds of attacks. Accordingly, there exist some other alternative ways to boost this traditional method. In this study, we classified and identified different types of authentication systems in a variety of platforms. Their usage, similarity, usability, performance and drawbacks were discussed. The goal of this study is to provide useful, classified information with the aim of understanding of how different authentication systems work and of what their usability and drawbacks are to the readers.

THP: A Novel Authentication Scheme to Prevent Multiple Attacks in SDN-Based IoT Network

Abstract: SDN has provided significant convenience for network providers and operators in cloud computing. Such a great advantage is extending to the Internet of Things network. However, it also increases the risk if the security of an SDN network is compromised. For example, if the network operator’s permission is illegally obtained by a hacker, he/she can control the entry of the SDN network. Therefore, an effective authentication scheme is needed to fit various application scenarios with high-security requirements. In this article, we design, implement, and evaluate a new authentication scheme called the hidden pattern (THP), which combines graphics password and digital challenge value to prevent multiple types of authentication attacks at the same time. We examined THP in the perspectives of both security and usability, with a total number of 694 participants in 63 days. Our evaluation shows that THP can provide better performance than the existing schemes in terms of security and usability.