Publications

A Model Specification for the Design of Trust Negotiations

Trust negotiation is a type of trust management model for establishing trust between entities by a mutual exchange of credentials. This approach was designed for online environments, where the attributes of users, such as skills, habits, behaviour and experience are unknown. Required criteria of trust negotiation must be supported by a trust negotiation model in order to provide a functional, adequately robust and efficient application. Such criteria were identified previously.

Authors: 
M. Kolar, C. Fernandez-Gago and J. Lopez
Author (ESR): 
Martin Kolar (Universidad De Malaga)

TrUStAPIS: A Trust Requirements Elicitation Method for IoT
[21/May/2019]

The Internet of Things (IoT) is an environment of interconnected entities, which are identifiable, usable and controllable via the Internet. Trust is useful for a system such as the IoT as the entities involved would like to know how the other entities they have to interact with are going to perform.
When developing an IoT entity, it is desirable to guarantee trust during its whole life cycle. The trust domain is strongly dependent on other domains such as security and privacy.

Authors: 
Davide Ferraris
Carmen Fernandez-Gago
Author (ESR): 
Davide Ferraris (Universidad De Malaga)

SmartHandle: A Novel Behavioral Biometric-based Authentication Scheme for Smart Lock Systems
[29/May/2019]

Over recent years, smart locks have evolved as cyber-physical devices that can be operated by digital keypads, physiological biometric sensors, smart-card readers, or mobile device pairing, to secure door access. However, the underlying authentication schemes, i.e., knowledge-based (e.g., PIN/passwords), possession-based (e.g., smartphones, smart cards), or physiological biometric-based (e.g., fingerprint, face), utilized in smart locks, have shown several drawbacks. Studies have determined that these authentication schemes are vulnerable to various attacks and lack usability.

Authors: 
Sandeep Gupta
Attaullah Buriro
Bruno Crispo
Author (ESR): 
Sandeep Gupta (Universita Degli Studi Di Trento)

GDPR Privacy Implications for the Internet of Things
[4/Dec/2018]

Starting on May 25th of 2018 all EU countries begin to apply the General Data Protection Regulation (GDPR). This aims to protect and regulate data privacy and applies to any organization that holds or processes data on EU citizens, regardless of where it is headquartered. The penalties for non-compliance can be as high as 4% of global revenue for companies. As a result, compliance with GDPR is a must for companies who deal with users’ data. The hallmark for data collection nowadays is Internet of Things devices.

Authors: 
Daniel Bastos (ESR11)
Fabio Giubilo (ESR9)
Mark Shackleton
Fadi El-Moussa
Author (ESR): 
Daniel Bastos (British Telecommunications Public Limited Company)

A Segregated Architecture for a Trust-based Network of Internet of Things
[12/Jan/2019]

With the ever-increasing number of smart home devices, the issues related to these environments are also growing. With an ever-growing attack surface, there is no standard way to protect homes and their inhabitants from new threats. The inhabitants are rarely aware of the increased security threats that they are exposed to and how to manage them. To tackle this problem, we propose a solution based on segmented architectures similar to the ones used in industrial systems.

Authors: 
Carmen Fernandez-Gago
Joshua Daniel
Javier Lopez
Author (ESR): 
Davide Ferraris (Universidad De Malaga)

DriverAuth: A Risk-based Multi-modal Biometric-based Driver Authentication Scheme for Ride-sharing Platforms
[23/Jan/2019]

On-demand ride and ride-sharing services have revolutionized the point-to-point transportation market and they are rapidly gaining acceptance among customers worldwide. Uber and Lyft alone are providing over 11 million rides per day. These services are provided using a client-server infrastructure. The client is a smartphone-based application used for: i) registering riders and drivers, ii) connecting drivers with riders, iii) car-sharing to share the expenses, minimize traffic congestion and save traveling time, iv) allowing customers to book their rides.

Authors: 
A Buriro
Bruno Crispo
Author (ESR): 
Sandeep Gupta (Universita Degli Studi Di Trento)

Protecting Cloud-based CIs: Covert Channel Vulnerabilities at the Resource Level

Core-private caches represent a convenient and practical way of exfiltrating secret information and endanger ICT systems, including CIs. Attacks abusing the caches as covert channels are hard to detect, as the caches are easily accessible without any privileges. To address this threat and enhance the security in CIs and other ICT systems, we proposed the usage of feasibility metrics to assess the probability of a covert channel exploit happening in the system or to conduct post-mortem analysis.

Authors: 
Tsvetoslava Vateva-Gurova
Ruben Trapero
Neeraj Suri
Author (ESR): 
Salman Manzoor (Technische Universitaet Darmstadt)

Threat Modeling the Cloud: An Ontology Based Approach

In this paper, we have explored the relation among different actors involved in the Cloud ecosystem to develop an ontology. This ontology is further mapped to a design structure matrix for evaluating threats from varied actors’ perspectives. Our DSM-based threat analysis can be utilized to identify the most critical/influential as well as least critical/influential actor in the Cloud. However, our DSM-based approach is flexible and thus, it can be used to reveal other critical information such as classifying vulnerabilities that achieve a common goal.

Authors: 
Tsvetoslava Vateva-Gurova
Ruben Trapero
Neeraj Suri
Author (ESR): 
Salman Manzoor (Technische Universitaet Darmstadt)

SNAPAUTH: A Gesture-based Unobtrusive Smartwatch User Authentication Scheme

In this paper, we present SnapAuth, a novel motion-based, unobtrusive behavioral biometric user authentication solution for Android-based smartwatches. SnapAuth requires the user to perform a finger-snapping action while wearing the smartwatch (on the gesture-performing arm) to perform the authentication. SnapAuth profiles the arm movements by collecting data from the smartwatch’s built-in accelerometer and gyroscope sensors while the user performs this action. We implemented and evaluated SnapAuth on Motorola Moto 3G smartwatch.

Authors: 
Attaullah Buriro
Bruno Crispo
Mojtaba Eskandri
Athar Mahboob
Rutger Van Acker
Author (ESR): 
Sandeep Gupta (Universita Degli Studi Di Trento)

Risks of Sharing Cyber Incident Information
[27/Aug/2018]

Incident information sharing is being encouraged and mandated as a way of improving overall cyber intelligence and defense, but its take up is slow. Organisations may well be justified in perceiving risks in sharing and disclosing cyber incident information, but they tend to express such worries in broad and vague terms. This paper presents a specific and granular analysis of the risks in cyber incident information sharing, looking in detail at what information may be contained in incident reports and which specific risks are associated with its disclosure.

Authors: 
Adham Albakri, Eerke Boiten, Rogério De Lemos
Author (ESR): 
Adham Albakri (University of Kent)
