Stefanos Gritzalis
University of the Aegean
Publication
Featured research published by Stefanos Gritzalis.
IEEE Communications Surveys and Tutorials | 2006
Dimitris Geneiatakis; Tasos Dagiuklas; Georgios Kambourakis; Costas Lambrinoudakis; Stefanos Gritzalis; Karlovassi Sven Ehlert; Dorgham Sisalem
The open architecture of the Internet and the use of open standards like the Session Initiation Protocol (SIP) leave the provisioning of services (e.g., Internet telephony, instant messaging, presence, etc.) vulnerable to known Internet attacks, while at the same time introducing new security problems based on these standards that cannot be tackled with current security mechanisms. This article identifies and describes security problems in the SIP protocol that may lead to denial of service. Such security problems include flooding attacks, security vulnerabilities in parser implementations, and attacks exploiting vulnerabilities at the signaling-application level. A qualitative analysis of these security flaws and their impacts on SIP systems is presented.
Requirements Engineering | 2008
Christos Kalloniatis; Evangelia Kavakli; Stefanos Gritzalis
A major challenge in the field of software engineering is to make users trust the software that they use in their everyday activities for professional or recreational reasons. Trusting software depends on various elements, one of which is the protection of user privacy. Protecting privacy is about complying with users' desires when it comes to handling personal information. Users' privacy can also be defined as the right to determine when, how and to what extent information about them is communicated to others. Current research stresses the need for addressing privacy issues during the system design rather than during the system implementation phase. To this end, this paper describes PriS, a security requirements engineering method, which incorporates privacy requirements early in the system development process. PriS considers privacy requirements as organisational goals that need to be satisfied and adopts the use of privacy-process patterns as a way to: (1) describe the effect of privacy requirements on business processes; and (2) facilitate the identification of the system architecture that best supports the privacy-related business processes. In this way, PriS provides a holistic approach from 'high-level' goals to 'privacy-compliant' IT systems. The PriS way-of-working is formally defined, thus enabling the development of automated tools for assisting its application.
International Conference on Software Engineering | 2006
Georgia Frantzeskou; Efstathios Stamatatos; Stefanos Gritzalis; Sokratis K. Katsikas
Source code author identification deals with the task of identifying the most likely author of a computer program, given a set of predefined author candidates. This is usually based on the analysis of other program samples of undisputed authorship by the same programmer. There are several cases where the application of such a method could be of major benefit, such as authorship disputes, proof of authorship in court, tracing the source of code left in a system after a cyber attack, etc. We present a new approach, called the SCAP (Source Code Author Profiles) approach, based on byte-level n-gram profiles in order to represent a source code author's style. Experiments on data sets in different programming languages (Java or C++) and of varying difficulty (6 to 30 candidate authors) demonstrate the effectiveness of the proposed approach. A comparison with a previous source code authorship identification study based on more complicated information shows that the SCAP approach is language independent and that n-gram author profiles are better able to capture the idiosyncrasies of source code authors. Moreover, the SCAP approach is able to deal surprisingly well with cases where only a limited amount of very short programs per programmer is available for training. It is also demonstrated that the effectiveness of the proposed model is not affected by the absence of comments in the source code, a condition usually met in cyber-crime cases.
Computer Communications | 1999
Stefanos Gritzalis; Diomidis Spinellis; Panagiotis Georgiadis
Formal methods, theory, and supporting tools can aid the design, analysis, and verification of the security-related and cryptographic protocols used over open networks and distributed systems. The most commonly followed techniques for the application of formal methods for the ex-post analysis and verification of cryptographic protocols, as the analysis approach, are reviewed, followed by the examination of robustness principles and application limitations. Modern high-level specification languages and tools can be used for automatically analysing cryptographic protocols. Recent research work focuses on the ex-ante use of formal methods in the design state of new security protocols, as the synthesis approach. Finally, an outline is presented on current trends for the utilisation of formal methods for the analysis and verification of modern complicated protocols and protocol suites for the real commercial world.
Information Management & Computer Security | 1999
Diomidis Spinellis; Spyros Kokolakis; Stefanos Gritzalis
The pervasive use of information technology in enterprises of every size and the emergence of widely deployed ubiquitous networking technologies have brought with them a widening need for security. Information system security policy development must begin with a thorough analysis of sensitivity and criticality. Risk analysis methodologies, like CRAMM, provide the ability to analyse and manage the associated risks. By performing a risk analysis on a typical small enterprise and a home-office set-up the article identifies the risks associated with availability, confidentiality, and integrity requirements. Although both environments share weaknesses and security requirements with larger enterprises, the risk management approaches required are different in nature and scale. Their implementation requires co-operation between end users, network service providers, and software vendors.
Computer Networks | 2007
Dimitris Geneiatakis; Georgios Kambourakis; Costas Lambrinoudakis; Tasos Dagiuklas; Stefanos Gritzalis
This paper presents a framework that can be utilized for the protection of session initiation protocol (SIP)-based infrastructures from malformed message attacks. Its main characteristic is that it is lightweight and that it can be easily adapted to heterogeneous SIP implementations. The paper analyzes several real-life attacks on VoIP services and proposes a novel detection and protection mechanism that is validated through an experimental test-bed under different test scenarios. Furthermore, it is demonstrated that the employment of such a mechanism for the detection of malformed messages imposes negligible overheads in terms of the overall SIP system performance.
IEEE Communications Letters | 2009
Panagiotis Rizomiliotis; Evangelos Rekleitis; Stefanos Gritzalis
In this paper, we describe an attack against one of the most efficient authentication protocols for low-cost RFID tags recently proposed by Song and Mitchell. A weak attacker, i.e. an attacker that has no access to the internal data of a tag, is able to impersonate a legitimate reader/server, and to desynchronize a tag. The attack is very efficient and has minimal computational complexity. Finally, we propose a simple solution to fix the flaw.
International Conference on E-Business and Telecommunication Networks | 2004
Georgia Frantzeskou; Stefanos Gritzalis; Stephen G. MacDonell
Cybercrime has increased in severity and frequency in recent years and, because of this, it has become a major concern for companies, universities and organizations. The anonymity offered by the Internet has made the task of tracing criminal identity difficult. One field of study that has contributed to tracing criminals is authorship analysis of e-mails, messages and programs. This paper contains a study on source code authorship analysis. The aim of the research efforts in this area is to identify the author of a particular piece of code by examining its programming style characteristics. Borrowing extensively from the existing fields of linguistics and software metrics, this field attempts to investigate various aspects of computer program authorship. Source code authorship analysis could be applied in cases of cyber attacks, plagiarism and computer fraud. In this paper we present the set of tools and techniques used to achieve the goal of authorship identification, a review of the research efforts in the area and a new taxonomy of source code authorship analysis.
Security and Communication Networks | 2012
Dimitrios Damopoulos; Sofia-Anna Menesidou; Georgios Kambourakis; Maria Papadaki; Nathan L. Clarke; Stefanos Gritzalis
Mobile devices have evolved and experienced immense popularity over the last few years. This growth, however, has exposed mobile devices to an increasing number of security threats. Despite the variety of peripheral protection mechanisms described in the literature, authentication and access control cannot provide integral protection against intrusions. Thus, more intelligent and sophisticated security controls such as intrusion detection systems (IDSs) are necessary. Whilst much work has been devoted to mobile device IDSs, research on anomaly-based or behaviour-based IDSs for such devices has been limited, leaving several problems unsolved. Motivated by this fact, in this paper we focus on anomaly-based IDSs for modern mobile devices. A dataset consisting of iPhone users' data logs has been created, and various classification and validation methods have been evaluated to assess their effectiveness in detecting misuse. Specifically, the experimental procedure includes and cross-evaluates four machine learning algorithms (i.e. Bayesian networks, radial basis function, K-nearest neighbours and random forest), which classify the behaviour of the end-user in terms of telephone calls, SMS and Web browsing history. In order to detect illegitimate use of a service by potential malware or a thief, the experimental procedure examines the aforementioned services independently as well as in combination in a multimodal fashion. The results are very promising, showing the ability of at least one classifier to detect intrusions with a high true positive rate of 99.8%.
Archive | 2007
Sabrina De Capitani di Vimercati; Stefanos Gritzalis; Costas Lambrinoudakis; Alessandro Acquisti
THE PRIVACY SPACE
- Privacy Enhancing Technologies for the Internet III: Ten Years Later, I. Goldberg
- Communication Privacy, A. Pfitzmann, A. Juschka, A.-K. Stange, S. Steinbrecher, and S. Köpsell
- Privacy-Preserving Cryptographic Protocols, M.J. Atallah and K.B. Frikken
PRIVACY ATTACKS
- Byzantine Attacks on Anonymity Systems, N. Borisov, G. Danezis, and P. Tabriz
- Introducing Traffic Analysis, G. Danezis and R. Clayton
- Privacy, Profiling, Targeted Marketing, and Data Mining, J. Vaidya and V. Atluri
PRIVACY ENHANCING TECHNOLOGIES
- Enterprise Privacy Policies and Languages, M. Backes and M. Dürmuth
- Uncircumventable Enforcement of Privacy Policies via Cryptographic Obfuscation, A. Narayanan and V. Shmatikov
- Privacy Protection with Uncertainty and Indistinguishability, X.S. Wang and S. Jajodia
- Privacy-Preserving Techniques in Data Mining, C. Su, J. Zhou, F. Bao, G. Wang, and K. Sakurai
USER PRIVACY
- HCI Designs for Privacy-Enhancing Identity Management, S. Fischer-Hübner, J. Sören Pettersson, M. Bergmann, M. Hansen, S. Pearson, and M. Casassa Mont
- Privacy Perceptions among Members of Online Communities, M. Karyda and S. Kokolakis
- Perceived Control: Scales for Privacy in Ubiquitous Computing, S. Spiekermann
PRIVACY UBIQUITOUS COMPUTING
- RFID: Technological Issues and Privacy Concerns, P. Najera and J. Lopez
- Privacy of Location Information, C.A. Ardagna, M. Cremonini, E. Damiani, S. De Capitani di Vimercati, and P. Samarati
- Beyond Consent: Privacy in Ubiquitous Computing (Ubicomp), J. Camp and K. Connelly
THE ECONOMICS OF PRIVACY
- A Risk Model for Privacy Insurance, A.N. Yannacopoulos, S. Katsikas, S. Gritzalis, C. Lambrinoudakis, and S.Z. Xanthopoulos
- What Can Behavioral Economics Teach Us About Privacy? A. Acquisti and J. Grossklags
PRIVACY AND POLICY
- Privacy of Outsourced Data, S. De Capitani di Vimercati, S. Foresti, S. Paraboschi, and P. Samarati
- Communications Data Retention: A Pandora's Box for Rights and Liberties? L. Mitrou
- Surveillance of Emergent Associations: Freedom of Association in a Network Society, K.J. Strandburg