Showing papers on "Internet security" published in 2018


Journal ArticleDOI
TL;DR: A novel method that used deep learning to improve the detection of malware variants using a convolutional neural network that could extract the features of the malware images automatically was proposed.
Abstract: With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

444 citations


Journal ArticleDOI
TL;DR: The design of a new secure lightweight three-factor remote user authentication scheme for HIoTNs, called the user authenticated key management protocol (UAKMP), which is comparable in computation and communication costs as compared to other existing schemes.
Abstract: In recent years, the research in generic Internet of Things (IoT) attracts a lot of practical applications including smart home, smart city, smart grid, industrial Internet, connected healthcare, smart retail, smart supply chain and smart farming. The hierarchical IoT network (HIoTN) is a special kind of the generic IoT network, which is composed of different nodes, such as the gateway node, cluster head nodes, and sensing nodes organized in a hierarchy. In HIoTN, there is a need for a user to directly access the real-time data from the sensing nodes for a particular application in a generic IoT networking environment. This paper emphasizes the design of a new secure lightweight three-factor remote user authentication scheme for HIoTNs, called the user authenticated key management protocol (UAKMP). The three factors used in UAKMP are the user smart card, password, and personal biometrics. The security of the scheme is thoroughly analyzed under the formal security in the widely accepted real-or-random model, the informal security as well as the formal security verification using the widely accepted automated validation of Internet security protocols and applications tool. UAKMP offers several functionality features including offline sensing node registration, free password and biometric update facility, user anonymity, and sensing node anonymity compared to other related existing schemes. In addition, UAKMP is also comparable in computation and communication costs as compared to other existing schemes.

310 citations


Journal ArticleDOI
TL;DR: Security and performance analysis show that the proposed authentication scheme based on ECC for IoT and cloud servers is more powerful, efficient, and secure with respect to various known attacks.
Abstract: The Internet of Things (IoT) is now a buzzword for Internet connectivity which extends to embedded devices, sensors and other objects connected to the Internet. Rapid development of this technology has led to the usage of various embedded devices in our daily life. However, for resource sharing and communication among these devices, there is a requirement for connecting these embedded devices to a large pool of resources like a cloud. The promising applications of IoT in Government and commercial sectors are possible by integrating cloud servers with these embedded devices. But such an integration of technologies involves security issues like data privacy and authentication of devices whenever information is exchanged between them. Recently, Kalra and Sood proposed an authentication scheme based on elliptic curve cryptography (ECC) for IoT and cloud servers and claimed that their scheme satisfies all security requirements and is immune to various types of attacks. However, in this paper, we show that Kalra and Sood's scheme is susceptible to offline password guessing and insider attacks and it does not achieve device anonymity, session key agreement, and mutual authentication. Keeping in view the shortcomings of Kalra and Sood's scheme, we have proposed an authentication scheme based on ECC for IoT and cloud servers. In the proposed scheme in this paper, we have formally analyzed the security properties of the designed scheme by the most widely accepted and used Automated Validation of Internet Security Protocols and Applications tool. Security and performance analysis show that when compared with other related schemes, the proposed scheme is more powerful, efficient, and secure with respect to various known attacks.

172 citations


Journal ArticleDOI
TL;DR: A new lightweight authentication scheme suitable for wearable device deployment that allows a user to mutually authenticate his/her wearable device(s) and the mobile terminal and establish a session key among these devices (worn and carried by the same user) for secure communication between the wearable device and the mobile terminal.
Abstract: Wearable devices are used in various applications to collect information including step information, sleeping cycles, workout statistics, and health-related information. Due to the nature and richness of the data collected by such devices, it is important to ensure the security of the collected data. This paper presents a new lightweight authentication scheme suitable for wearable device deployment. The scheme allows a user to mutually authenticate his/her wearable device(s) and the mobile terminal (e.g., Android and iOS device) and establish a session key among these devices (worn and carried by the same user) for secure communication between the wearable device and the mobile terminal. The security of the proposed scheme is then demonstrated through the broadly accepted real-or-random model, as well as using the popular formal security verification tool, known as the Automated validation of Internet security protocols and applications. Finally, we present a comparative summary of the proposed scheme in terms of the overheads such as computation and communication costs, security and functionality features of the proposed scheme and related schemes, and also the evaluation findings from the NS2 simulation.

149 citations


Proceedings ArticleDOI
TL;DR: It is concluded that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.
Abstract: The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing the GDPR's impact on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites - 6,579 in total - for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

134 citations


Journal ArticleDOI
TL;DR: A comparative analysis of the proposed scheme with existing related schemes reveals that it generates low overhead and latency, and high reliability during messages exchange between vehicles and the CA.
Abstract: Secure messages exchange among different vehicles is one of the most challenging tasks in future smart cities. Any malicious activity has the potential to compromise the confidentiality, integrity, and authenticity of messages exchanged between different vehicles. To ensure secure message communication among the vehicles in a smart city environment, a novel scheme using elliptic curve cryptographic (ECC) technique has been presented in this paper. For this purpose, a two-level authentication key exchange scheme has been designed. In the first level authentication, CHs are verified by a series of messages exchanged between CHs and the CA. The verified CHs are responsible for authentication of vehicles in the second level authentication, followed by exchange of messages between CH and vehicle. The security analysis using widely accepted Burrows–Abadi–Needham logic, formal security analysis using random oracle model and verification using the widely known automated validation of Internet security protocols and applications (AVISPA) tool, and also the informal security analysis have been done with respect to various types of attacks. Moreover, a comparative analysis of the proposed scheme with existing related schemes reveals that it generates low overhead and latency, and high reliability during messages exchange between vehicles and the CA.

132 citations


Journal ArticleDOI
TL;DR: A new secure remote user authentication scheme for IMDs communication environment to overcome security and privacy issues in existing schemes and provides additional functionality features, such as anonymity, untraceability, and dynamic implantable medical device addition.
Abstract: Implantable medical devices (IMDs) are man-made devices, which can be implanted in the human body to improve the functioning of various organs. The IMDs monitor and treat the physiological condition of the human being (for example, monitoring of blood glucose level by insulin pump). The advancement of information and communication technology enhances the communication capabilities of IMDs. In healthcare applications, after mutual authentication, a user (for example, doctor) can access the health data from the IMDs implanted in a patient's body. However, in this kind of communication environment, there are always security and privacy issues, such as leakage of health data and malfunctioning of IMDs by unauthorized access. To mitigate these issues, in this paper, we propose a new secure remote user authentication scheme for IMDs communication environment to overcome security and privacy issues in existing schemes. We provide the formal security verification using the widely accepted Automated Validation of Internet Security Protocols and Applications tool. We also provide the informal security analysis of the proposed scheme. The formal security verification and informal security analysis prove that the proposed scheme is secure against known attacks. The practical demonstration of the proposed scheme is performed using the broadly accepted NS2 simulation tool. The computation and communication costs of the proposed scheme are also comparable with the existing schemes. Moreover, the scheme provides additional functionality features, such as anonymity, untraceability, and dynamic implantable medical device addition.

120 citations


Journal ArticleDOI
TL;DR: A NIDS based on a feature selection method called Recursive Feature Addition (RFA) and bigram technique and a new evaluation metric called (combined) that combines accuracy, detection rate and false alarm rate in a way that helps in comparing different systems and selecting the best among them are proposed.

90 citations


Journal ArticleDOI
TL;DR: This paper reviews and critically analyses legal, training, educational and intelligent anti-phishing approaches and ways to combat phishing by intelligent and conventional approaches, besides revealing these approaches differences, similarities and positive and negative aspects from the user and performance prospective.

75 citations


Journal ArticleDOI
TL;DR: A hybrid anonymous authentication and key agreement scheme using the physiological signal to overcome the shortcomings in Li et al.

72 citations


Book ChapterDOI
03 Sep 2018
TL;DR: A method of detecting and interrupting unauthorized, browser-based cryptomining, based on semantic signature-matching, is proposed, which is more robust than current static code analysis defenses, which are susceptible to code obfuscation attacks.
Abstract: A method of detecting and interrupting unauthorized, browser-based cryptomining is proposed, based on semantic signature-matching. The approach addresses a new wave of cryptojacking attacks, including XSS-assisted, web gadget-exploiting counterfeit mining. Evaluation shows that the approach is more robust than current static code analysis defenses, which are susceptible to code obfuscation attacks. An implementation based on in-lined reference monitoring offers a browser-agnostic deployment strategy that is applicable to average end-user systems without specialized hardware or operating systems.

Book ChapterDOI
19 Dec 2018
TL;DR: This work intended to produce a safer system by creating an authentication using honeywords in the password database, which contains a combination of both the imitated passwords and the original passwords in order to detect whether an attack has happened or not.
Abstract: The purpose of the password is to protect the user account from unauthorized usage by the hacker. But in the current situation the field of security also realizes a lot of threat to the password even in case it is hashed. With the rise of hacking technology even the hashed password doesn't provide the required security and also allows the hacker to misuse or exploit the user account without being noticed. The most vulnerable part in this is that the misuse of an account can be realized only after the user logs in and sees the changes in their account usage. And so, the system has not yet been improved in safeguarding or detecting the attacks against the database of passwords which are hashed. Ari Juels et al. in 2013 [10] discovered the method using honeywords for detecting password cracking. Honeywords are imitated passwords which are connected with the account of each user. We intended to produce a safer system by creating an authentication using the honeywords in the password database. The newly created database contains a combination of both the imitated ones and the original passwords in order to detect whether an attack has happened or not. And hence when the hacker has the password database, he might get confused between the real and fake passwords. Here we make the hacker fall into our trap by confusing him. Once he tries to enter a false password the administrator will get a notification and the hacker gets identified.

Journal ArticleDOI
TL;DR: The proposed security enhanced group-based (SEGB) AKA protocol for M2M communication in an IoT-enabled LTE/LTE-A network solves the problem of the single key during the authentication process and achieves the key forward/backward secrecy.
Abstract: Nowadays machine to machine (M2M) communication and its applications are growing tremendously around the globe as millions of devices are communicating with each other in an Internet of Things (IoT)-enabled long term evolution (LTE)/LTE-advanced (LTE-A) network. These applications are effective and secure only after the successful verification of machine type communication devices (MTCDs). Hence, various group-based authentication and key agreement (AKA) protocols were proposed in the literature to achieve the authentication. These protocols fulfill all the security requirements such as privacy preservation, mutual authentication, integrity, and confidentiality. But, none of them have the credential to overcome the single key problem in the communication network. In addition, they do not have the efficacy to maintain the group key unlinkability and are susceptible to the identified attacks. In some of the protocols, each MTCD needs to authenticate independently to simultaneously access the communication network, which generates network congestion overhead. In view of these problems, we propose the security enhanced group-based (SEGB) AKA protocol for M2M communication in an IoT-enabled LTE/LTE-A network. The SEGB-AKA protocol solves the problem of the single key during the authentication process and achieves the key forward/backward secrecy. The protocol overcomes the problem of signaling congestion and high bandwidth consumption. The formal security analysis of the protocol is carried out by the automated Internet security protocols and applications tool. The security analysis shows that the protocol achieves the security goals and is free from various known attacks. Moreover, the performance of the proposed SEGB-AKA protocol is analyzed with the existing group-based AKA protocols. The analysis shows that the protocol has better results in terms of network overheads and fulfills all the security requirements of M2M communication.

08 Jun 2018
TL;DR: This work is concerned with designing an Intrusion Detection System (IDS) for protecting IoT networks from external threats as well as internal compromised devices and adopts a signature-based intrusion detection approach and involves both centralised and distributed IDS modules.
Abstract: Internet of Things (IoT) is envisioned as a transformative approach with a wide range of applications in various sectors such as home automation, industrial control, and agriculture. It promises innovative business models and improved user experience. However, as evidenced by recent attacks such as the Mirai botnet, IoT networks and systems remain very vulnerable and require stronger protection mechanisms. Furthermore, due to processing, memory, and power constraints of typical IoT devices, traditional Internet security mechanisms are not always feasible or appropriate. In this work, we are concerned with designing an Intrusion Detection System (IDS) for protecting IoT networks from external threats as well as internal compromised devices. Our proposed design adopts a signature-based intrusion detection approach and involves both centralised and distributed IDS modules. Using the Cooja simulator, we have implemented a Denial of Service (DoS) attack scenario on IoT devices. This scenario exploits the RPL protocol, which is widely used for routing in low-power networks, including IoT networks. In particular, we have implemented two variants of DoS attacks, namely "Hello" flooding and version number modification. As shown by simulation results, these attacks may impact the reachability of certain IoT devices and their power consumption.

Journal ArticleDOI
08 Jun 2018-Sensors
TL;DR: An enhanced LoRaWAN security protocol is proposed, which not only provides the basic functions of connectivity between the application server and the end device, but additionally averts these listed security issues.
Abstract: The Internet of Things (IoT) utilizes algorithms to facilitate intelligent applications across cities in the form of smart-urban projects. As the majority of devices in IoT are battery operated, their applications should be facilitated with a low-power communication setup. Such a facility is possible through the Low-Power Wide-Area Network (LPWAN), but at a constrained bit rate. For long-range communication over LPWAN, several approaches and protocols are adopted. One such protocol is the Long-Range Wide Area Network (LoRaWAN), which is a media access layer protocol for long-range communication between the devices and the application servers via LPWAN gateways. However, LoRaWAN comes with fewer security features, as a much-secured protocol consumes more battery because of the exorbitant computational overheads. The standard protocol fails to support end-to-end security and perfect forward secrecy while being vulnerable to the replay attack, which makes LoRaWAN limited in supporting applications where security (especially end-to-end security) is important. Motivated by this, an enhanced LoRaWAN security protocol is proposed, which not only provides the basic functions of connectivity between the application server and the end device, but additionally averts these listed security issues. The proposed protocol is developed with two options, the Default Option (DO) and the Security-Enhanced Option (SEO). The protocol is validated through Burrows–Abadi–Needham (BAN) logic and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. The proposed protocol is also analyzed for overheads through system-based and low-power device-based evaluations. Further, a case study on a smart factory-enabled parking system is considered for its practical application. The results, in terms of network latency with reliability fitting and signaling overheads, show paramount improvements and better performance for the proposed protocol compared with the two handshake options, Pre-Shared Key (PSK) and Elliptic Curve Cryptography (ECC), of Datagram Transport Layer Security (DTLS).

Journal ArticleDOI
TL;DR: This paper proposes a new anonymity preserving mobile user authentication scheme for the global mobility networks (GLOMONETs) that meets the extended anonymity requirement without compromising any standard security requirements and performs well as compared to other techniques.
Abstract: Remote user authentication without compromising user anonymity is an emerging area in the last few years. In this paper, we propose a new anonymity preserving mobile user authentication scheme for the global mobility networks (GLOMONETs). We also propose a new anonymity preserving group formation phase for roaming services in GLOMONETs that meets the extended anonymity requirement without compromising any standard security requirements. We provide the security analysis using the widely-accepted Burrows-Abadi-Needham logic and informal analysis for the proposed scheme to show that it is secure against possible well-known attacks, such as replay, man-in-the-middle, impersonation, privileged-insider, stolen smart card, ephemeral secret leakage, and password guessing attacks. In addition, the formal security verification with the help of the broadly accepted automated validation of internet security protocols and applications software simulation tool is tested on the proposed scheme and the simulation results confirm that the proposed scheme is safe. Moreover, the comparative study of the proposed scheme with other relevant schemes reveals that it performs well as compared to other techniques.

Journal ArticleDOI
21 Sep 2018-Sensors
TL;DR: This paper proposes a secure authentication protocol for WSNs in vehicular communications to resolve the security weaknesses of Mohit et al.
Abstract: With wireless sensor networks (WSNs), a driver can access various useful information for convenient driving, such as traffic congestion, emergence, vehicle accidents, and speed. However, a driver and traffic manager can be vulnerable to various attacks because such information is transmitted through a public channel. Therefore, secure mutual authentication has become an important security issue, and many authentication schemes have been proposed. In 2017, Mohit et al. proposed an authentication protocol for WSNs in vehicular communications to ensure secure mutual authentication. However, their scheme cannot resist various attacks such as impersonation and trace attacks, and their scheme cannot provide secure mutual authentication, session key security, and anonymity. In this paper, we propose a secure authentication protocol for WSNs in vehicular communications to resolve the security weaknesses of Mohit et al.'s scheme. Our authentication protocol prevents various attacks and achieves secure mutual authentication and anonymity by using dynamic parameters that are changed every session. We prove that our protocol provides secure mutual authentication by using the Burrows-Abadi-Needham logic, which is a widely accepted formal security analysis. We perform a formal security verification by using the well-known Automated Validation of Internet Security Protocols and Applications tool, which shows that the proposed protocol is safe against replay and man-in-the-middle attacks. We compare the performance and security properties of our protocol with other related schemes. Overall, the proposed protocol provides better security features and a comparable computation cost. Therefore, the proposed protocol can be applied to practical WSNs-based vehicular communications.

Journal ArticleDOI
TL;DR: A new anonymous mutual authentication scheme for three-tier mobile healthcare systems with wearable sensors is proposed and shows that the scheme outperforms the previous schemes and provides more complete and integrated anonymous authentication services.
Abstract: The mobility and openness of wireless communication technologies make Mobile Healthcare Systems (mHealth) potentially exposed to a number of potential attacks, which significantly undermines their utility and impedes their widespread deployment. Attackers and criminals, even without knowing the context of the transmitted data, with simple eavesdropping on the wireless links, may benefit a lot from linking activities to the identities of patients' sensors and medical staff members. These vulnerabilities apply to all tiers of the mHealth system. A new anonymous mutual authentication scheme for three-tier mobile healthcare systems with wearable sensors is proposed in this paper. Our scheme consists of three protocols: Protocol-1 allows the anonymous authentication between nodes (mobile users and controller nodes) and the HSP medical server in the third tier, while Protocol-2 realizes the anonymous authentication between mobile users and controller nodes in the second tier, and Protocol-3 achieves the anonymous authentication between controller nodes and the wearable body sensors in the first tier. In the design of our protocols, the variation in the resource constraints of the different nodes in the mHealth system is taken into consideration so that our protocols make a better trade-off among security, efficiency and practicality. The security of our protocols is analyzed through rigorous formal proofs using the BAN logic tool and informal discussions of security features, possible attacks and countermeasures. Besides, the efficiency of our protocols is concretely evaluated and compared with related schemes. The comparisons show that our scheme outperforms the previous schemes and provides more complete and integrated anonymous authentication services. Finally, the security of our protocols is evaluated by using the Automated Validation of Internet Security Protocols and Applications and the SPAN animator software. The simulation results show that our scheme is secure and satisfies all the specified privacy and authentication goals.

Journal ArticleDOI
TL;DR: An enhanced biometric-based anonymous user authentication and the key agreement scheme that is also embedded with symmetric cryptosystem for WSNs and can withstand various possible attacks on authentication protocols over the insecure channel is devised.
Abstract: Wireless sensor networks (WSNs) are progressive ad hoc networks that comprise distributed sensors that are typically and randomly deployed over the target region. The valuable information from the sensor nodes can be accessed by the registered user with the help of the gateway node. To ensure secure communication, a session key is exchanged between the participants over the insecure channel. In this paper, we identified some deficiencies in Jung et al.'s scheme and then devised an enhanced biometric-based anonymous user authentication and key agreement scheme that is also embedded with a symmetric cryptosystem for WSNs. The advantage of using biometric login is to ensure the legal user's efficient login. To preserve the security of our proposed scheme, we primarily applied the formal verification BAN-logic method to check the exactness of mutual authentication. Furthermore, we used the automated validation of internet security protocols and applications software that is widely accepted, and its results confirm that our scheme is secure against active and passive attacks, including forgery, replay, and man-in-the-middle attack. In addition, an informal analysis proves our scheme can withstand various possible attacks on authentication protocols over the insecure channel. Furthermore, our scheme is more appropriate for WSNs based upon the comparison of computational efficiency and security requirements with recent results.

Journal ArticleDOI
TL;DR: A privacy preserving security for LTE-based V2X service is proposed, which is scalable while fulfilling basic wireless message security requirements and seamlessly integrate with the specified LTE security architecture.
Abstract: Internet of Things (IoT) is the reality of a new and powerful ubiquitous technology. One of its main driving forces is the 3rd Generation Partnership Project (3GPP) Long-Term Evolution (LTE), seeking to encompass all the applications of IoT. With this trend, 3GPP has finally made the Release 14 for LTE-based vehicle to everything (V2X) service. In this proposed paper, we evaluated the new LTE-based V2X architecture in regards to V2X message delivery and security requirements. We showed that a proper resource allocation and reference point (channel) selection could accommodate all types of V2X message deliveries. However, focusing more on security, we deemed that LTE-based V2X security falls short of meeting adequate security requirements, especially, to well preserve the privacy. Hence, we proposed a privacy preserving security for LTE-based V2X service. Considering the privacy as the top security requirement, we seamlessly integrate our security scheme with the specified LTE security architecture. Our scheme is scalable while fulfilling basic wireless message security requirements. We also provide the security and performance analysis to show the robustness and effectiveness of our proposed schemes.

Journal ArticleDOI
TL;DR: This paper designs an anti-phishing model to transparently monitor and protect fog users from phishing attacks and uses uniform resource locator features and Web traffic features to detect phishing websites based on a designed neuro-fuzzy framework (dubbed Fi-NFN).
Abstract: Phishing detection is recognized as a criminal issue of Internet security. By deploying a gateway anti-phishing in the networks, these current hardware-based approaches provide an additional layer of defense against phishing attacks. However, such hardware devices are expensive and inefficient in operation due to the diversity of phishing attacks. With promising technologies of virtualization in fog networks, an anti-phishing gateway can be implemented as software at the edge of the network and embedded robust machine learning techniques for phishing detection. In this paper, we use uniform resource locator features and Web traffic features to detect phishing websites based on a designed neuro-fuzzy framework (dubbed Fi-NFN). Based on the new approach, fog computing as encouraged by Cisco, we design an anti-phishing model to transparently monitor and protect fog users from phishing attacks. The experiment results of our proposed approach, based on a large-scale dataset collected from real phishing cases, have shown that our system can effectively prevent phishing attacks and improve the security of the network.

Journal ArticleDOI
TL;DR: This work proposes a new three-factor authenticated key agreement scheme using a fuzzy commitment approach that can resist other known attacks, and a comparative study of the proposed scheme with the existing related schemes is conducted.
Abstract: Remote user authentication is a cryptographic mechanism through which a remote server verifies the legitimacy of an authorized user over an insecure communication channel. Most of the existing authentication schemes consider single-server environments and require multiple registrations of the same user for multiple servers. Moreover, most of these schemes do not consider biometric template revocation and error correction for noisy biometric signals. In addition, the existing schemes have several weaknesses, including stolen smart card attack, lack of user anonymity, user impersonation attack, and non-diversification of biometric data. To overcome these disadvantages, we propose a new three-factor authenticated key agreement scheme using a fuzzy commitment approach. The three factors used in the proposed scheme are the user’s password, smart card, and personal biometrics. The security of the proposed scheme is verified using a formal security analysis under the broadly accepted Real-Or-Random model for the session key security. The widely accepted Burrows-Abadi-Needham logic is also applied for mutual authentication between a legally registered user and a server, and formal security verification using the broadly accepted Automated Validation of Internet Security Protocols and Applications is performed for the proposed scheme through simulation to show that it is secure. In addition, the informal security analysis of the proposed scheme shows that the scheme can resist other known attacks. Finally, a comparative study of the proposed scheme with the existing related schemes is conducted to measure the tradeoff among the security and functionality features and the communication and computation costs.

Journal ArticleDOI
TL;DR: A secure and efficient two-party authentication key exchange protocol, called 2PAKEP, that hides user’s real identity from an adversary using a secret parameter and also withstands various attacks, guarantees anonymity, and provides efficient password change mechanism and secure mutual authentication.
Abstract: With the increasing use of mobile devices, secure communication and key exchange have become significant security issues in mobile environments. However, because of open network environments, mobile users can be vulnerable to various attacks. Therefore, numerous authentication and key exchange schemes have been proposed to provide secure communication and key exchange. Recently, Qi and Chen proposed an efficient two-party authentication key exchange protocol for mobile environments in order to overcome the security weaknesses of the previous authentication and key exchange schemes. However, we demonstrate that Qi and Chen’s scheme is vulnerable to various attacks such as impersonation, offline password guessing, password change, and privileged insider attacks. We also show that Qi and Chen’s scheme does not provide anonymity, an efficient password change mechanism, or secure mutual authentication. In this paper, to overcome the abovementioned security vulnerabilities, we propose a secure and efficient two-party authentication key exchange protocol, called 2PAKEP, that hides the user’s real identity from an adversary using a secret parameter. 2PAKEP also withstands various attacks, guarantees anonymity, and provides an efficient password change mechanism and secure mutual authentication. In addition, we prove that 2PAKEP provides secure mutual authentication using the broadly accepted Burrows–Abadi–Needham logic and session key security using formal security analysis under the widely accepted real-or-random model. Moreover, the formal security verification using the popular simulation software tool, Automated Validation of Internet Security Protocols and Applications, on 2PAKEP shows that it is protected against replay and man-in-the-middle attacks. In addition, we also analyze the performance and the security and functionality properties of 2PAKEP and compare these with the related existing schemes. Overall, 2PAKEP provides better security and functionality features, and its communication and computational overheads are comparable with the related schemes. Therefore, 2PAKEP is efficiently applicable to mobile environments.

Journal ArticleDOI
TL;DR: A discussion of the difference between the aforementioned mechanisms’ categorizations, based on characteristics of the way of detection, defense, and response, as well as orientations for future research, is provided.

Journal ArticleDOI
TL;DR: This paper presents a two-level authentication approach, which not only detects phishing attacks accurately in real time environment but also does not depend on the textual language of the webpage.
Abstract: Nowadays, the phishing attack is emerging as a serious Internet security threat, which causes massive financial losses every year. There are various approaches available to detect phishing attacks, e.g., blacklist, machine learning, visual similarity, etc. However, most of these approaches have various limitations: they are complicated, produce a high false positive rate, are language dependent, are slow in nature, and are not fit for the real-time environment. In this paper, we present a two-level authentication approach, which not only detects phishing attacks accurately in a real-time environment but also does not depend on the textual language of the webpage. The proposed approach executes two authentications before declaring a webpage as phishing, which makes it more accurate, reliable, and fast. In the first-level authentication, a search engine based mechanism is proposed which uses a simple, reliable and language independent query to authenticate the webpage. The second-level authentication processes different hyperlinks within the source code of the webpage for the detection of phishing webpages. The performance of the proposed approach is evaluated, and it achieved a significantly higher true negative rate of 99.95%. Comparison with other existing methods also proves the supremacy of our proposed approach.

Journal ArticleDOI
TL;DR: An enhanced three-factor based remote user authentication protocol in WMSNs environment is proposed that is validated using Burrows–Abadi–Needham logic and then simulated using Automated Validation of Internet Security Protocols and Applications tool.
Abstract: With the rapid growth of wireless medical sensor network (WMSN) based healthcare applications, protecting both privacy and security from illegitimate users is a major concern, since a patient’s precise information is vital for the proper diagnosis procedure. So, an authentication protocol is one of the efficient mechanisms to deal with trustworthy and authentic users. Several authentication protocols have been proposed for the WMSN environment. However, most of these protocols are very susceptible to security threats and not suitable for practical use. In this article, the recently proposed Amin et al.’s authentication scheme is reviewed and some vulnerabilities, such as off-line password guessing attack, user impersonation attack, known session-key temporary information attack, the revelation of secret parameters, and identity guessing attack, are pointed out. To overcome all the above-mentioned vulnerabilities, we have proposed an enhanced three-factor based remote user authentication protocol for the WMSN environment. Further, the proposed protocol is validated using Burrows–Abadi–Needham logic and then simulated using the Automated Validation of Internet Security Protocols and Applications tool. Moreover, the security analysis ensures that the proposed protocol is well protected from various types of malicious attacks. In addition, the performance evaluation shows the better efficiency and suitability of our protocol over other related protocols.

Proceedings ArticleDOI
01 Dec 2018
TL;DR: This paper compares the performances of some open source web vulnerability scanners of their careful choice by running them against the OWASP benchmark, which is developed by the Open Web Application Security Project (OWASP), a well-known non-profit web security organization.
Abstract: The widespread adoption of web vulnerability scanners and their differences in effectiveness make it necessary to benchmark these scanners. Moreover, the literature lacks the comparison of the results of scanners effectiveness from different benchmarks. In this paper, we first compare the performances of some open source web vulnerability scanners of our careful choice by running them against the OWASP benchmark, which is developed by the Open Web Application Security Project (OWASP), a well-known non-profit web security organization. Furthermore, we compare our results from the OWASP benchmark with the existing results from the Web Application Vulnerability Security Evaluation Project (WAVSEP) benchmark, another popular benchmark used to evaluate scanner effectiveness. We are the first to make a comparison between these two benchmarks in literature. Our evaluation results allow us to make some valuable recommendations for the practice of benchmarking web scanners.

Journal ArticleDOI
TL;DR: In this paper, a new dynamic password-based two-server authentication and key exchange mechanism is proposed with the help of both public and private key cryptography and a new multi-factor authentication scheme with identity preservation has been introduced.

Proceedings ArticleDOI
20 May 2018
TL;DR: WARDroid is presented, which implements a static analysis-based web API reconnaissance approach to uncover inconsistencies on real world API services that can lead to attacks with severe consequences for potentially millions of users throughout the world.
Abstract: Modern mobile apps use cloud-hosted HTTP-based API services and heavily rely on the Internet infrastructure for data communication and storage. To improve performance and leverage the power of the mobile device, input validation and other business logic required for interfacing with web API services are typically implemented on the mobile client. However, when a web service implementation fails to thoroughly replicate input validation, it gives rise to inconsistencies that could lead to attacks that can compromise user security and privacy. Developing automatic methods of auditing web APIs for security remains challenging. In this paper, we present a novel approach for automatically analyzing mobile app-to-web API communication to detect inconsistencies in input validation logic between apps and their respective web API services. We present our system, WARDroid, which implements a static analysis-based web API reconnaissance approach to uncover inconsistencies on real world API services that can lead to attacks with severe consequences for potentially millions of users throughout the world. Our system utilizes program analysis techniques to automatically extract HTTP communication templates from Android apps that encode the input validation constraints imposed by the apps on outgoing web requests to web API services. WARDroid is also enhanced with blackbox testing of server validation logic to identify inconsistencies that can lead to attacks. We evaluated our system on a set of 10,000 popular free apps from the Google Play Store. We detected problematic logic in APIs used in over 4,000 apps, including 1,743 apps that use unencrypted HTTP communication. We further tested 1,000 apps to validate web API hijacking vulnerabilities that can lead to potential compromise of user privacy and security and found that millions of users are potentially affected from our sample set of tested apps.

Proceedings ArticleDOI
03 Dec 2018
TL;DR: The results demonstrate the applicability of detection mechanisms as a server-side approach, e.g., to support the enhancement of existing blacklists, and the feasibility of deploying prototypes of some detection mechanisms directly on the browser.
Abstract: Direct access to the system's resources such as the GPU, persistent storage and networking has enabled in-browser crypto-mining. Thus, there has been a massive response by rogue actors who abuse browsers for mining without the user's consent. This trend has grown steadily for the last months until this practice, i.e., CryptoJacking, has been acknowledged as the number one security threat by several antivirus companies. Considering this, and the fact that these attacks do not behave as JavaScript malware or other Web attacks, we propose and evaluate several approaches to detect in-browser mining. To this end, we collect information from the top 330.500 Alexa sites. Mainly, we used real-life browsers to visit sites while monitoring resource-related API calls and the browser's resource consumption, e.g., CPU. Our detection mechanisms are based on dynamic monitoring, so they are resistant to JavaScript obfuscation. Furthermore, our detection techniques can generalize well and classify previously unseen samples with up to 99.99% precision and recall for the benign class and up to 96% precision and recall for the mining class. These results demonstrate the applicability of detection mechanisms as a server-side approach, e.g., to support the enhancement of existing blacklists. Last but not least, we evaluated the feasibility of deploying prototypical implementations of some detection mechanisms directly on the browser. Specifically, we measured the impact of in-browser API monitoring on page-loading time and performed micro-benchmarks for the execution of some classifiers directly within the browser. In this regard, we ascertain that, even though there are engineering challenges to overcome, it is feasible and beneficial for users to bring the mining detection to the browser.