Longfei Wu

MobiFish: A lightweight anti-phishing scheme for mobile phones

Recent years have witnessed the increasing threat of phishing attacks on mobile platforms. In fact, mobile phishing is more dangerous due to the limitations of mobile phones and mobile user habits. Existing schemes designed for phishing attacks on computers/laptops cannot effectively address phishing attacks on mobile devices. This paper presents MobiFish, a novel automated lightweight anti-phishing scheme for mobile platforms. MobiFish verifies the validity of web pages and applications (Apps) by comparing the actual identity to the identity claimed by the web pages and Apps. MobiFish has been implemented on the Nexus 4 smartphone running the Android 4.2 operating system. We experimentally evaluate the performance of MobiFish with 100 phishing URLs and corresponding legitimate URLs, as well as fake Facebook Apps. The result shows that MobiFish is very effective in detecting phishing attacks on mobile phones.

Security threats to mobile multimedia applications: Camera-based attacks on mobile phones

Todays mobile smartphones are very powerful, and many smartphone applications use wireless multimedia communications. Mobile phone security has become an important aspect of security issues in wireless multimedia communications. As the most popular mobile operating system, Android security has been extensively studied by researchers. However, few works have studied mobile phone multimedia security. In this article, we focus on security issues related to mobile phone cameras. Specifically, we discover several new attacks that are based on the use of phone cameras. We implement the attacks on real phones, and demonstrate the feasibility and effectiveness of the attacks. Furthermore, we propose a lightweight defense scheme that can effectively detect these attacks.

A Survey on Security and Privacy Issues in Internet-of-Things

Internet-of-Things (IoT) are everywhere in our daily life. They are used in our homes, in hospitals, deployed outside to control and report the changes in environment, prevent fires, and many more beneficial functionality. However, all those benefits can come of huge risks of privacy loss and security issues. To secure the IoT devices, many research works have been conducted to countermeasure those problems and find a better way to eliminate those risks, or at least minimize their effects on the user’s privacy and security requirements. The survey consists of four segments. The first segment will explore the most relevant limitations of IoT devices and their solutions. The second one will present the classification of IoT attacks. The next segment will focus on the mechanisms and architectures for authentication and access control. The last segment will analyze the security issues in different layers.

Effective Defense Schemes for Phishing Attacks on Mobile Computing Platforms

Recent years have witnessed the increasing threat of phishing attacks on mobile computing platforms. In fact, mobile phishing is particularly dangerous due to the hardware limitations of mobile devices and the habits of mobile users. In this paper, we did a comprehensive study on the security vulnerabilities caused by mobile phishing attacks, including web page phishing attacks, application phishing attacks, and account registry phishing attacks. Existing schemes designed for web phishing attacks on personal computers (PCs) cannot effectively address the various phishing attacks on mobile devices. Hence, we propose MobiFish, which is a novel automated lightweight antiphishing scheme for mobile platforms. MobiFish verifies the validity of web pages, applications, and persistent accounts by comparing the actual identity to the claimed identity. MobiFish has been implemented on a Nexus 4 smartphone running the Android 4.2 operating system. We experimentally evaluate the performance of MobiFish with 100 phishing URLs and corresponding legitimate URLs, as well as phishing apps. The results show that MobiFish is very effective in detecting phishing attacks on mobile phones.

An effective access control scheme for preventing permission leak in Android

In the Android system, each application runs in its own sandbox, and the permission mechanism is used to enforce access control to the system APIs and applications. However, permission leak could happen when an application without certain permission illegally gain access to protected resources through other privileged applications. We propose SPAC, a component-level system permission based access control scheme that can help developers better secure the public components of their applications. In the SPAC scheme, obscure custom permissions are replaced by explicit system permissions. We extend current permission checking mechanism so that multiple permissions are supported on component level. SPAC has been implemented on a Nexus 4 smartphone, and our evaluation demonstrates its effectiveness in mitigating permission leak vulnerabilities.

Analysis of clickjacking attacks and an effective defense scheme for Android devices

Smartphones bring users lots of convenience by integrating all useful functions people may need. While users are spending more time on their phones, have they ever questioned of being spoofed by the phone they are interacting with? This paper conducts a thorough study of the mobile clickjacking attacks. We first present how the clickjacking attack works and the key points to remain undiscovered. Then, we evaluate its potential threats by exploring the feasibility of launching clickjacking attacks on various UIs, including system app windows, 3rd-party app windows, and other system UIs. Finally, we propose a system-level defense scheme against clickjacking attacks on Android platform, which requires no user or developer effort and is compatible with existing apps. The performance of the countermeasure is evaluated with extensive experiments. The results show that our scheme can effectively prevent clickjacking attacks with only a minor impact to the system.

Access Control Schemes for Implantable Medical Devices: A Survey

Implantable medical devices (IMDs) are electronic devices implanted within human body for diagnostic, monitoring, and therapeutic purposes. It is imperative to guarantee that IMDs are completely secured since the patient’s life is closely bound to the robustness and effectiveness of IMDs. Intuitively, we have to ensure that only the authorized medical personnel and IMD programmer can access the IMD. However, in recent years, several attacks have been reported which can successfully compromise a number of IMD products, e.g., stealing the sensitive health data and issuing fake commands. Up to now, there is no commonly agreed and well-recognized security standards and the protection of IMD is still an open problem. In this paper, we present a comprehensive survey of the existing literature on IMD security, with a focus on the access control schemes to prevent unauthorized access. Specifically, we first reviewed the security incidents, IMD threat model and the development of regulations for IMD security. Next, we classified existing IMD access control schemes based on architecture, type of keys used, access control channel, and logic. We also analyzed how different access control models can be adopted to secure IMD. Besides, we particularly discussed the viability of online authentication and low/zero power authentication in the IMD context.

Effective task scheduling in proximate mobile device based communication systems

Despite the increasing capabilities, mobile devices still cannot satisfy the computation requirement of many applications. Intuitively, this can be solved by outsourcing tasks to external resources such as a remote server, cloud, or closely deployed cloudlet. However, all of them require extra infrastructures. In this paper, we consider a proximate-mobile-device based communication system in which all tasks and resources are under the control of a central scheduler. We propose a friendship-based task scheduling algorithm to address the contentions when resources are not sufficient. We also present two attack models including the denial-of-service (DoS) attack and the collusion attack. We evaluate the performance of the proposed algorithm along with another contribution-based task scheduling algorithm through extensive experiments.

Achieving differential privacy against non-intrusive load monitoring in smart grid: A fog computing approach

Fog computing, a non‐trivial extension of cloud computing to the edge of the network, has great advantage in providing services with a lower latency. In smart grid, the application of fog computing can greatly facilitate the collection of consumers fine‐grained energy consumption data, which can then be used to draw the load curve and develop a plan or model for power generation. However, such data may also reveal customers daily activities. Non‐intrusive load monitoring (NILM) can monitor an electrical circuit that powers a number of appliances switching on and off independently. If an adversary analyzes the meter readings together with the data measured by an NILM device, the customers privacy will be disclosed. In this paper, we propose an effective privacy‐preserving scheme for electric load monitoring, which can guarantee differential privacy of data disclosure in smart grid. In the proposed scheme, an energy consumption behavior model based on Factorial Hidden Markov Model (FHMM) is established. In addition, noise is added to the behavior parameter, which is different from the traditional methods that usually add noise to the energy consumption data. The analysis shows that the proposed scheme can get a better trade‐off between utility and privacy compared with other popular methods.

VDAS: Verifiable data aggregation scheme for Internet of Things

Along with the miniaturization of various types of sensors, a mass of intelligent terminals are gaining stronger sensing capability, which raises a deeper perception and better prospect of Internet of Things (IoT). With big sensing data, IoT provides lots of convenient services for the monitoring and management of smart cities and peoples daily lives. However, there are still many security challenges influencing the further development of IoT, one of which is how to quickly verify the big data obtained from IoT terminals. Aggregate signature is an efficient approach to perform big data authentication. It can effectively reduce the computation and communication overheads. In this paper, utilizing these features, we construct a verifiable data aggregation scheme for Internet of Things, named VDAS, based on an improved certificateless aggregate signature algorithm. In VDAS, the length of the aggregated authentication message is independent of the number of IoT terminals. Then, we prove that VDAS is existentially unforgeable under adaptive chosen message attacks assuming that the computational Diffie-Hellman problem is hard. Additionally, the proposed VDAS achieves a better trade-off on the computation overheads between the resource-constrained IoT terminals and the data center.