Publications

GDPR Privacy Implications for the Internet of Things
[4/Dec/2018]

Starting on May 25th of 2018 all EU countries begin to apply the General Data Protection Regulation (GDPR). This aims to protect and regulate data privacy and applies to any organization that holds or processes data on EU citi-zens, regardless of where it is headquartered. The penalties for non-compliance can be as high as 4% of global revenue for companies. As a result, compliance with GDPR is a must for companies who deal with users’ data. The hallmark for data collection nowadays is Internet of Things devices.

Authors: 
Daniel Bastos (ESR11)
Fabio Giubilo (ESR9)
Mark Shackleton
Fadi El-Moussa
Author (ESR): 
Daniel Bastos (British Telecommunications Public Limited Company)

A Segregated Architecture for a Trust-based Network of Internet of Things
[12/Jan/2019]

With the ever-increasing number of smart home devices, the issues related to these environments are also growing. With an ever-growing attack surface, there is no standard way to protect homes and their inhabitants from new threats. The inhabitants are rarely aware of the increased security threats that they are exposed to and how to manage them. To tackle this problem, we propose a solution based on segmented architectures similar to the ones used in industrial systems.

Authors: 
Carmen Fernandez-Gago
Joshua Daniel
Javier Lopez
Author (ESR): 
Davide Ferraris (Universidad De Malaga)

DriverAuth: A Risk-based Multi-modal Biometric-based Driver Authentication Scheme for Ride-sharing Platforms
[23/Jan/2019]

On-demand ride and ride-sharing services have revolutionized the point-to-point transportation market and they are rapidly gaining acceptance among customers worldwide. Alone, Uber and Lyft are providing over 11 million rides per day. These services are provided using a client-server infrastructure. The client is a smartphone-based application used for: i) registering riders and drivers, ii) connecting drivers with riders, iii) car-sharing to share the expenses, minimize traffic congestion and saving traveling time, iv) allowing customers to book their rides.

Authors: 
A Buriro
Bruno Crispo
Author (ESR): 
Sandeep Gupta (Universita Degli Studi Di Trento)

Protecting Cloud-based CIs: Covert Channel Vulnerabilities at the Resource Level

Core-private caches represent a convenient and practical way for exfiltrating secret information and endanger ICT systems, including CIs. Attacks abusing the caches as covert channels are hard to be detected, as the caches are easily accessible without any privileges. To address this threat and enhance the security in CIs and other ICT systems, we proposed the usage of feasibility metrics to assess the probability of a covert channel exploit happening in the system or, to conduct post mortem analysis.

Authors: 
Tsvetoslava Vateva-Gurova
Ruben Trapero
Neeraj Suri
Author (ESR): 
Salman Manzoor (Technische Universitaet Darmstadt)

Threat Modeling the Cloud: An Ontology Based Approach

In this paper, we have explored the relation among different actors involved in the Cloud ecosystem to develop an ontology. This ontology is further mapped to a design structure matrix for evaluating threats from varied actors’ perspectives. Our DSM-based threat analysis can be utilized to identify the most critical/influential as well as least critical/influential actor in the Cloud. However, our DSM-based approach is flexible and thus, it can be used to reveal other critical information such as classifying vulnerabilities that achieve a common goal.

Authors: 
Tsvetoslava Vateva-Gurova
Ruben Trapero
Neeraj Suri
Author (ESR): 
Salman Manzoor (Technische Universitaet Darmstadt)

SNAPAUTH: A Gesture-based Unobtrusive Smartwatch User Authentication Scheme

In this paper, we present a novel motion-based unobtrusive behavioral biometric-based user authentication solution-SnapAuth, for Android-based smartwatch. SnapAuth requires the user to perform a fingersnapping action, while wearing the smartwatch (in the gesture performing arm), to perform the authentication. SnapAuth profiles the arm-movements by collecting data from smartwatch’s built-in accelerometer and gyroscope sensors, while the user performs this action. We implemented and evaluated SnapAuth on Motorolla Moto 3G smartwatch.

Authors: 
Attaullah Buriro
Bruno Crispo
Mojtaba Eskandri
Athar Mahboob
Rutger Van Acker
Author (ESR): 
Sandeep Gupta (Universita Degli Studi Di Trento)

Risks of Sharing Cyber Incident Information
[27/Aug/2018]

Incident information sharing is being encouraged and mandated as a way of improving overall cyber intelligence and defense, but its take up is slow. Organisations may well be justified in perceiving risks in sharing and disclosing cyber incident information, but they tend to express such worries in broad and vague terms. This paper presents a specific and granular analysis of the risks in cyber incident information sharing, looking in detail at what information may be contained in incident reports and which specific risks are associated with its disclosure.

Authors: 
Adham Albakri, Eerke Boiten, Rogério De Lemos
Author (ESR): 
Adham Albakri (University of Kent)

Policy Languages and Their Suitability for Trust Negotiation
[16/Jul/2018]

Entities, such as people, companies, institutions, authorities and web sites live and exist in a conjoined world. In order to live and enjoy social benefits, entities need to share knowledge, resources and to cooperate together. The cooperation brings with it many new challenges and problems, among which one is the problem of trust. This area is also important for the Computer Science. When unfamiliar entities wish to cooperate, they do not know what to expect nor whether they can trust each other.

Authors: 
Martin Kolar, Carmen Fernandez-Gago, Javier Lopez
Author (ESR): 
Martin Kolar (Universidad De Malaga)

Towards General scheme for Data Sharing Agreements empowering Privacy-Preserving Data Analysis of structured CTI
[3/Sep/2018]

This paper proposes an extension to the standard STIX representation for Cyber Threat Information (CTI) which couples specific data attributes with privacy-preserving conditions expressed through Data Sharing Agreements (DSA). The proposed scheme allows, in fact, to define sharing and anonymization policies in the form of a human-readable DSA, bound to the specific CTI. The whole scheme is designed to be completely compatible with the STIX 2.0 standard for CTI representation.

Authors: 
Fabio Martinelli
Oleksii Osliak
Andrea Saracino
Author (ESR): 
Oleksii Osliak (Consiglio Nazionale Delle Ricerche)

Enhancing Usage Control for Performance: A Proposal for Systems of Systems
[16/Jul/2018]

Modern interconnected systems of systems, such as the Internet of Things (IoT), demand the presence of access and usage control mechanisms which will be able to manage the right of access to the corresponding services, and the plethora of information being generated in a daily basis. The Usage Control (UCON) model offers the means for fine-grained dynamic control of access to specific resources, by monitoring and evaluating the attributes defined within a dedicated security policy.

Authors: 
Athanasios Rizos
Vasileios Gkioulos
Paolo Mori
Andrea Saracino
Author (ESR): 
Christina Michailidou (Consiglio Nazionale Delle Ricerche)

Pages