Julien Freudiger

Ecole polytechnique fédérale de Lausanne, Lausanne, Vaud, Switzerland

Publications (30)

  • Julien Freudiger, Emiliano De Cristofaro, Alex Brito
    ABSTRACT: Although sharing data across organizational boundaries has often been advocated as a promising way to enhance security, collaborative initiatives are rarely put into practice owing to confidentiality, trust, and liability challenges. In this paper, we investigate whether collaborative threat mitigation can be realized via a controlled data sharing approach, whereby organizations make informed decisions as to whether or not, and how much, to share. Using appropriate cryptographic tools, entities can estimate the benefits of collaborating and agree on what to share in a privacy-preserving way, without having to disclose their entire datasets. We focus on collaborative predictive blacklisting, i.e., forecasting attack sources also based on logs contributed by other organizations, and study the impact of different sharing strategies by experimenting on a real-world dataset of two billion suspicious IP addresses collected from Dshield over two months. We find that controlled data sharing yields up to an average 105% accuracy improvement, while also reducing the false positive rate.
  •
    ABSTRACT: Online service providers gather increasingly large amounts of personal data into user profiles and monetize them with advertisers and data brokers. Users have little control of what information is processed and face an all-or-nothing decision between receiving free services or refusing to be profiled. This paper explores an alternative approach where users only disclose an aggregate model -- the "gist" -- of their data. The goal is to preserve data utility and simultaneously provide user privacy. We show that this approach is practical and can be realized by letting users contribute encrypted and differentially-private data to an aggregator. The aggregator combines encrypted contributions and can only extract an aggregate model of the underlying data. In order to dynamically assess the value of data aggregates, we use an information-theoretic measure to compute the amount of "valuable" information provided to advertisers and data brokers. We evaluate our framework on an anonymous dataset of 100,000 U.S. users obtained from the U.S. Census Bureau and show that (i) it provides accurate aggregates with as little as 100 users, (ii) it generates revenue for both users and data brokers, and (iii) its overhead is appreciably low.
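The aggregation step this abstract describes (users send encrypted, differentially private contributions; the aggregator can only recover the combined model) in working form. This is an added example, not code from the paper: the page does not say which cryptographic construction the authors used, so what follows is one standard realization. It assumes a user's "gist" is a short histogram of non-negative integer counts, adds per-user Laplace noise for differential privacy, and hides each histogram behind pairwise additive masks that cancel in the sum (secure aggregation). The per-pair seeds stand in for keys the users would agree on out of band; the histogram values and seeds are constructed for the demo.

```python
"""Encrypted, differentially private aggregation of user "gists".

Added example (not the paper's code).  Assumptions: a gist is a histogram of
non-negative integer counts; privacy comes from per-user Laplace noise (local
DP) and confidentiality from additive pairwise masks that cancel in the sum
(secure aggregation).  Pair seeds stand in for keys agreed out of band."""
import hashlib
import hmac
import random
from typing import Dict, List, Tuple

MODULUS = 1 << 32   # masked reports live in Z_M; true totals must stay well below M/2


def privatize(hist: List[int], sensitivity: int, epsilon: float, seed: int) -> List[int]:
    """Local differential privacy: add Laplace(sensitivity/epsilon) noise to every
    count and round to an integer so the result can be masked mod M."""
    rng = random.Random(seed)
    rate = epsilon / sensitivity          # Laplace(b) = Exp(1/b) - Exp(1/b)
    return [c + round(rng.expovariate(rate) - rng.expovariate(rate)) for c in hist]


def mask_stream(seed: bytes, dim: int) -> List[int]:
    """Expand a pair's shared seed into dim mask words, HMAC-SHA256 as the PRF."""
    return [int.from_bytes(hmac.new(seed, k.to_bytes(4, "big"), hashlib.sha256).digest()[:4], "big")
            for k in range(dim)]


def masked_report(uid: int, gist: List[int], seeds: Dict[Tuple[int, int], bytes], n: int) -> List[int]:
    """What user uid sends: its gist plus the masks it shares with every other user.
    User i adds the (i, j) mask and user j subtracts it, so all masks cancel in the total."""
    report = [v % MODULUS for v in gist]
    for other in range(n):
        if other == uid:
            continue
        pair = (min(uid, other), max(uid, other))
        sign = 1 if uid == pair[0] else -1
        report = [(x + sign * m) % MODULUS
                  for x, m in zip(report, mask_stream(seeds[pair], len(gist)))]
    return report


def aggregate(reports: List[List[int]]) -> List[int]:
    """Aggregator side: sum the masked reports; the masks cancel, leaving the noisy
    total.  Values above M/2 are negative totals (noise can push counts below 0)."""
    total = [sum(col) % MODULUS for col in zip(*reports)]
    return [v - MODULUS if v >= MODULUS // 2 else v for v in total]


def secure_aggregate(gists: List[List[int]], seed: int) -> Tuple[List[List[int]], List[int]]:
    """Simulate all users plus the aggregator.  Returns (reports, total): the
    reports are all the aggregator sees, the total is all it learns."""
    n = len(gists)
    rng = random.Random(seed)             # stands in for per-pair key agreement
    seeds = {(i, j): rng.getrandbits(256).to_bytes(32, "big")
             for i in range(n) for j in range(i + 1, n)}
    reports = [masked_report(i, g, seeds, n) for i, g in enumerate(gists)]
    return reports, aggregate(reports)


if __name__ == "__main__":
    # constructed sample: three users, three interest categories each
    gists = [[3, 0, 1], [1, 2, 0], [0, 1, 4]]
    noisy = [privatize(g, sensitivity=1, epsilon=0.5, seed=i) for i, g in enumerate(gists)]
    reports, total = secure_aggregate(noisy, seed=42)
    print("aggregator sees:", reports)
    print("aggregator learns:", total, "(true total", [sum(c) for c in zip(*gists)], ")")
```

Two points the abstract glosses over show up directly here: the aggregator learns nothing from a single report (every value is a uniformly masked word), and the noise budget is per user, so the accuracy of the total improves with the number of contributors, which is the effect the "as little as 100 users" result is measuring.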
  • Julien Freudiger, Emiliano De Cristofaro, Alex Brito
    ABSTRACT: A new generation of security solutions is attempting to actively predict future cyber-attacks by profiling offensive practices. Since prediction accuracy can improve with more information about attackers, data sharing among organizations is often advocated. Unfortunately, collaborative approaches are rarely implemented due to related legal and privacy concerns. This paper investigates a novel approach to collaborative threat mitigation where organizations identify suitable partners for data sharing in a privacy-preserving way. Data sharing then occurs within coalitions of allied organizations. We propose a framework that allows organizations to estimate the benefits of collaboration without disclosing their actual datasets, and supports limited information sharing among collaborators. We focus on collaborative predictive blacklisting, and consider organizations that predict future attacks based on their own data, and that of a few selected partners. We study how collaboration strategies affect prediction accuracy on a real-world dataset of suspicious IP addresses, and observe up to a 105% prediction improvement in blacklisting.
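Both predictive-blacklisting abstracts (this one and the controlled-data-sharing one above) hinge on one step: two organizations estimate how much their attacker logs overlap without showing each other the logs, and share only when the estimate makes it worthwhile. The following is an added example of that step, not the paper's code: private set-intersection cardinality (PSI-CA) built from DH-style commutative blinding, followed by a toy day-ahead blacklist evaluation. The abstracts say only "appropriate cryptographic tools"; the specific protocol, the sharing threshold, the "pull in the whole partner log once the threshold clears" rule and the sample IP logs are all my assumptions. The group used here, Z_p^* for the Mersenne prime 2^127-1, is a toy: it is not of prime order and leaks through its small subgroups, so a real deployment would use an elliptic curve or a prime-order subgroup of a safe prime.

```python
"""Private set-intersection cardinality (PSI-CA) over two organisations' suspicious-IP
logs, then a gated, day-ahead blacklist.  Added example, not the paper's code.
Toy group: Z_p^* with p = 2^127 - 1 (a Mersenne prime); exponents coprime to p-1 make
x -> x^k a permutation, so counts are exact.  Not a prime-order group: demo only."""
import hashlib
import ipaddress
import math
import secrets
from typing import Iterable, List, Set, Tuple

P = (1 << 127) - 1      # Mersenne prime M127
ORDER = P - 1           # |Z_P^*|; a blinding exponent must be coprime to it
_sysrand = secrets.SystemRandom()


def hash_to_group(ip: str) -> int:
    """IP -> quadratic residue mod P.  Squaring removes the Legendre-symbol leak
    (otherwise one bit of the blind could be tested against candidate IPs)."""
    digest = hashlib.sha256(ipaddress.ip_address(ip).packed).digest()
    return pow(int.from_bytes(digest, "big") % (P - 2) + 2, 2, P)


def keygen() -> int:
    while True:
        k = _sysrand.randrange(2, ORDER)
        if math.gcd(k, ORDER) == 1:     # x -> x^k is then a bijection on Z_P^*
            return k


def blind(elements: Iterable[int], key: int) -> List[int]:
    return [pow(e, key, P) for e in elements]


def shuffled(values: Iterable[int]) -> List[int]:
    out = list(values)
    _sysrand.shuffle(out)
    return out


def psi_ca(client_ips: Set[str], server_ips: Set[str]) -> int:
    """Both sides simulated in one function; only wire1..wire3 cross the network.
    Client learns |X n Y| and |Y|; server learns |X|; neither learns which IPs match."""
    a, b = keygen(), keygen()                       # each side's secret exponent
    # client -> server: X blinded under a, shuffled
    wire1 = shuffled(blind((hash_to_group(x) for x in client_ips), a))
    # server -> client: the same elements re-blinded under b (shuffled so positions
    # cannot be linked back), plus Y blinded under b
    wire2 = shuffled(blind(wire1, b))
    wire3 = blind((hash_to_group(y) for y in server_ips), b)
    # client: H(y)^(b*a) == H(x)^(a*b) exactly when x == y (exponentiation commutes)
    double_blinded_x = set(wire2)
    return sum(1 for t in blind(wire3, a) if t in double_blinded_x)


def hit_rate(blacklist: Set[str], observed: Set[str]) -> float:
    """Fraction of next-day attack sources the blacklist had already listed."""
    return len(blacklist & observed) / len(observed) if observed else 0.0


def collaborate(own: Set[str], partner: Set[str], threshold: float = 0.2) -> Tuple[int, Set[str]]:
    """Controlled sharing: run PSI-CA first and only pull in the partner's log when
    the overlap with our own log clears the threshold.  Returns (overlap, blacklist)."""
    overlap = psi_ca(own, partner)
    if own and overlap / len(own) >= threshold:
        return overlap, own | partner
    return overlap, set(own)


if __name__ == "__main__":
    # constructed sample logs (documentation-range addresses), not DShield data
    ORG_A = {"203.0.113.5", "203.0.113.9", "198.51.100.7", "192.0.2.44"}
    ORG_B = {"203.0.113.5", "203.0.113.9", "198.51.100.23", "192.0.2.99", "192.0.2.100"}
    A_NEXT_DAY = {"203.0.113.5", "192.0.2.99", "192.0.2.44", "198.51.100.23"}
    overlap, blacklist = collaborate(ORG_A, ORG_B)
    print("overlap learned by A:", overlap)
    print("hit rate alone:", hit_rate(ORG_A, A_NEXT_DAY),
          "with partner:", hit_rate(blacklist, A_NEXT_DAY))
```

The shuffles matter: without them the client could match positions in wire2 back to its own wire1 and learn which of its IPs the server also holds, which is exactly the per-element information PSI-CA is meant to withhold. Set sizes are still revealed, which is why the abstracts talk about controlling how much to share rather than sharing nothing.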
  •
    ABSTRACT: Decades of research and numerous incidents have demonstrated the weaknesses of text passwords and prompted the need for more secure alternatives. In recent years, two-factor authentication (2F) has emerged as the most used solution to strengthen passwords. By requiring users to provide more than one authentication factor -- e.g., a code generated by a security token, along with the password -- 2F aims to enhance resilience against guessing attacks and breaches of password databases. Alas, it also introduces non-negligible costs for service providers and requires users to carry out additional actions during the authentication process; nevertheless, little research has focused on its usability. This paper presents a comparative usability study of two-factor authentication. First, we report on a preliminary interview-based study involving 9 participants, identifying the most popular 2F technologies as well as the contexts and motivations in which they are used. Then, we design and administer a survey to 219 Mechanical Turk users, aiming to explore the landscape of 2F technologies and measure the usability of three popular solutions: codes generated by security tokens, one-time PINs received via email or SMS, and dedicated smartphone apps (e.g., Google Authenticator). We record contexts and motivations, and study their impact on perceived usability. We also present an exploratory factor analysis that captures some key factors affecting usability of 2F and highlight interesting findings that call for further research in the field.
  • Julien Freudiger, M.H. Manshaei, J.-P. Hubaux, D.C. Parkes
    ABSTRACT: In mobile networks, authentication is a required primitive for most security protocols. Unfortunately, an adversary can monitor pseudonyms used for authentication to track the location of mobile nodes. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. This approach is costly. Self-interested mobile nodes might, thus, decide not to cooperate and jeopardize the achievable location privacy. In this paper, we analyze non-cooperative behavior of mobile nodes by using a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We obtain Nash equilibria in static n-player complete information games. As in practice mobile nodes do not know their opponents' payoffs, we then consider static incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies. By means of numerical results, we predict behavior of selfish mobile nodes. We then investigate dynamic games where players decide to change their pseudonym one after the other and show how this affects strategies at equilibrium. Finally, we design protocols-PseudoGame protocols-based on the results of our analysis and simulate their performance in vehicular network scenarios.
    IEEE Transactions on Dependable and Secure Computing 03/2013; 10(2):84-98. DOI:10.1109/TDSC.2012.85
  •
    ABSTRACT: Wireless networks offer novel means to enhance social interactions. In particular, peer-to-peer wireless communications enable direct and real-time interaction with nearby devices and communities and could extend current online social networks by providing complementary services including real-time friend and community detection and localized data sharing without infrastructure requirement. After years of research, the deployment of such peer-to-peer wireless networks is finally being considered. A fundamental primitive is the ability to discover geographic proximity of specific communities of people (e.g, friends or neighbors). To do so, mobile devices must exchange some community identifiers or messages. We investigate privacy threats introduced by such communications, in particular, adversarial community detection. We use the general concept of community pseudonyms to abstract anonymous community identification mechanisms and define two distinct notions of community privacy by using a challenge-response methodology. An extensive cost analysis and simulation results throw further light on the feasibility of these mechanisms in the upcoming generation of wireless peer-to-peer networks.
    Mobile Networks and Applications 01/2013; 18(3). DOI:10.1007/s11036-012-0406-y
  •
    ABSTRACT: Pervasive social networks extend traditional social networking by enabling users to share information in a peer-to-peer fashion using their wireless mobile devices. Contrary to traditional online social networks, privacy protection in such networks depends heavily on users' context (time, location, activity, etc.) and their sensitivity to the shared data and context. Existing privacy-preserving mechanisms do not adapt well to different data, context and user sensitivities. In this work, we follow a fresh approach for privacy preservation, called privacy-triggered communications; it allows users in such pervasive networks to dynamically regulate their communications based on their context and on the evolution of their privacy in that context. Our initial results show that this is a feasible strategy for privacy management in pervasive social networking scenarios.
    2011 IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM); 07/2011
  • Julien Freudiger, Reza Shokri, Jean-Pierre Hubaux
    ABSTRACT: In modern mobile networks, users increasingly share their location with third-parties in return for location-based services. In this way, users obtain services customized to their location. Yet, such communications leak location information about users. Even if users make use of pseudonyms, the operators of location-based services may be able to identify them and thus affect their privacy. In this paper, we provide an analysis of the erosion of privacy caused by the use of location-based services. To do so, we experiment with real mobility traces and measure the dynamics of user privacy. This paper thus details and quantifies the privacy risks induced by the use of location-based services.
  •
    ABSTRACT: Users of mobile networks can change their identifier in regions called mix zones in order to defeat the tracking of their location by third parties. Mix zones must be carefully deployed in the network to reduce the cost induced on mobile users and to provide high location privacy. Unlike most previous work that considers a global adversary, we consider a local adversary equipped with multiple eavesdropping stations. We study the interaction between the local adversary deploying eavesdropping stations to track mobile users and mobile users deploying mix zones to protect their location privacy. We use a game-theoretic model to predict the strategies of both players. We derive the strategies at equilibrium in complete and incomplete information scenarios and propose an algorithm to converge to the equilibrium. Finally, based on real road traffic information, we numerically quantify the effect of complete and incomplete information on the strategies of mobile users and of the adversary. In complete information scenarios, mobile users and the adversary tend to adopt complementary strategies: users place mix zones where there is no eavesdropping station, and vice versa. In incomplete information scenarios, the location privacy level achieved by mobile users depends on their level of uncertainty about the strategy of the adversary.
  • Reza Shokri, Julien Freudiger, Jean-Pierre Hubaux
    ABSTRACT: We introduce a novel framework that provides a logical structure for classifying and organizing fundamental components and concepts of location privacy. Our framework models mobile networks and applications, threats, location-privacy preserving mechanisms, and metrics. We demonstrate the relevance of our framework by showing how the existing proposals in the field of location privacy are embodied appropriately in the framework. Our framework provides "the big picture" of research on location privacy and hence aims at paving the way for future research. It helps researchers to better understand this field of research, identify open problems, appropriately design new schemes, and position their work with respect to other efforts. The terminology proposed in this framework also facilitates establishing an inter-disciplinary research community on location privacy.
  •
    ABSTRACT: Online advertising is a major source of revenues in the Internet. In this paper, we identify a number of vulnerabilities of current ad serving systems. We describe how an adversary can exploit these vulnerabilities to divert part of the ad revenue stream for its own benefit. We propose a collaborative secure scheme to fix this problem. The solution relies on the fact that most of online advertising networks own digital authentication certificates and can become a source of trust. We also explain why the deployment of this solution would benefit the Web browsing security in general.
  •
    ABSTRACT: In many envisioned mobile ad hoc networks, nodes are expected to periodically beacon to advertise their presence. In this way, they can receive messages addressed to them or participate in routing operations. Yet, these beacons leak information about the nodes and thus hamper their privacy. A classic remedy consists of each node making use of (certified) pseudonyms and changing its pseudonym in specific locations called mix zones. Of course, privacy is then higher if the pseudonyms are short-lived (i.e., nodes have a short distance-to-confusion), but pseudonyms can be costly, as they are usually obtained from an external authority. In this paper, we provide a detailed analytical evaluation of the age of pseudonyms based on differential equations. We corroborate this model by a set of simulations. This paper thus provides a detailed quantitative framework for selecting the parameters of a pseudonym-based privacy system in peer-to-peer wireless networks.
    INFOCOM, 2010 Proceedings IEEE; 04/2010
  •
    ABSTRACT: Wireless Sensor Networks (WSNs) allow the monitoring of activity or environmental conditions over a large area, from homes to industrial plants, from agriculture fields to forests and glaciers. They can support a variety of applications, from assisted living to natural disaster prevention. WSNs can, however, be challenging to setup and maintain, reducing the potential for real-world adoption. To address this limitation, this paper introduces SensorTune, a novel mobile interface to support non-expert users in iteratively setting up a WSN. SensorTune uses non-speech audio to present to its users information regarding the connectivity of the network they are setting up, allowing them to decide how to extend it. To simplify the interpretation of the data presented, the system adopts the metaphor of tuning a consumer analog radio, a very common and well known operation. A user study was conducted in which 20 subjects setup real multi-hop networks inside a large building using a limited number of wireless nodes. Subjects repeated the task with SensorTune and with a comparable mobile GUI interface. Experimental results show a statistically significant difference in the task completion time and a clear preference of users for the auditory interface.
    Proceedings of the SIGCHI Conference on Human Factors in Computing Systems; 04/2010
  •
    ABSTRACT: There is a rich collection of literature that aims at protecting the privacy of users querying location-based services. One of the most popular location privacy techniques consists in cloaking users' locations such that k users appear as potential senders of a query, thus achieving k-anonymity. This paper analyzes the effectiveness of k-anonymity approaches for protecting location privacy in the presence of various types of adversaries. The unraveling of the scheme unfolds the inconsistency between its components, mainly the cloaking mechanism and the k-anonymity metric. We show that constructing cloaking regions based on the users' locations does not reliably relate to location privacy, and argue that this technique may even be detrimental to users' location privacy. The uncovered flaws imply that the existing k-anonymity scheme is a tattered cloak for protecting location privacy.
  •
    ABSTRACT: We propose a novel framework for measuring and evaluating location privacy preserving mechanisms in mobile wireless networks. Within this framework, we first present a formal model of the system, which provides an efficient representation of the network users, the adversaries, the location privacy preserving mechanisms and the resulting location privacy of the users. This model is general enough to accurately express and analyze a variety of location privacy metrics that were proposed earlier. We provide formal representations of four among the most relevant categories of location privacy metrics, by using the proposed model. We also present a detailed comparative analysis of these metrics based on a set of criteria for location privacy measurement. Finally, we propose a novel and effective metric for measuring location privacy, called distortion-based metric, which satisfies these criteria for privacy measurement and is capable of capturing the mobile users' location privacy more precisely than the existing metrics. Our metric measures location privacy as the expected level of distortion of the adversary's hypothesized trajectories of the users, considering the adversary's knowledge and also the observed parts of the users' trajectories.
  • Julien Freudiger, Maxim Raya, Jean-Pierre Hubaux
    ABSTRACT: Pervasive communications bring along new privacy challenges, fueled by the capability of mobile devices to communicate with, and thus "sniff on", each other directly. We design a new mechanism that aims at achieving location privacy in these forthcoming mobile networks, whereby mobile nodes collect the pseudonyms of the nodes they encounter to generate their own privacy cloaks. Thus, privacy emerges from the mobile network and users gain control over the disclosure of their locations. We call this new paradigm self-organized location privacy. In this work, we focus on the problem of self-organized anonymous authentication that is a necessary prerequisite for location privacy. We investigate, using graph theory, the optimality of different cloak constructions and evaluate with simulations the achievable anonymity in various network topologies. We show that peer-to-peer wireless communications and mobility help in the establishment of self-organized anonymous authentication in mobile networks.
  •
    ABSTRACT: In mobile networks, authentication is a required primitive of the majority of security protocols. However, an adversary can track the location of mobile nodes by monitoring pseudonyms used for authentication. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. Because this approach is costly, self-interested mobile nodes might decide not to cooperate and could thus jeopardize the achievable location privacy. In this paper, we analyze the non-cooperative behavior of mobile nodes with a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We first analyze the Nash equilibria in n-player complete information games. Because mobile nodes in a privacy-sensitive system do not know their opponents' payoffs, we then consider incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies in n-player games and derive the equilibrium strategies. By means of numerical results, we show that mobile nodes become selfish when the cost of changing pseudonym is small, whereas they cooperate more when the cost of changing pseudonym increases. Finally, we design a protocol - the PseudoGame protocol - based on the results of our analysis.
  • Julien Freudiger, Reza Shokri, Jean-Pierre Hubaux
    ABSTRACT: In mobile wireless networks, third parties can track the location of mobile nodes by monitoring the pseudonyms used for identification. A frequently proposed solution to protect the location privacy of mobile nodes suggests to change pseudonyms in regions called mix zones. In this paper, we propose a novel metric based on the mobility profiles of mobile nodes to evaluate the mixing effectiveness of possible mix zone locations. Then, as the location privacy achieved with mix zones depends on their placement in the network, we analyze the optimal placement of mix zones with combinatorial optimization techniques. The proposed algorithm maximizes the achieved location privacy in the system and takes into account the cost on mobile nodes induced by mix zones. By means of simulations, we show that the placement recommended by our algorithm significantly reduces the tracking success by the adversary.
  •
    ABSTRACT: Significant developments have taken place over the past few years in the area of vehicular communication systems. Now, it is well understood in the community that security and protection of private user information are a prerequisite for the deployment of the technology. This is so precisely because the benefits of VC systems, with the mission to enhance transportation safety and efficiency, are at stake. Without the integration of strong and practical security and privacy enhancing mechanisms, VC systems can be disrupted or disabled, even by relatively unsophisticated attackers. We address this problem within the SeVeCom project, having developed a security architecture that provides a comprehensive and practical solution. We present our results in a set of two articles in this issue. In this first one, we analyze threats and types of adversaries, identify security and privacy requirements, and present a spectrum of mechanisms to secure VC systems. We provide a solution that can be quickly adopted and deployed. In the second article we present our progress toward the implementation of our architecture and results on the performance of the secure VC system, along with a discussion of upcoming research challenges and our related current results.
    IEEE Communications Magazine 12/2008; 46(11):100-109. DOI:10.1109/MCOM.2008.4689252
  •
    ABSTRACT: Wireless social community networks formed by users with a WiFi access point have been created as an alternative to traditional wireless networks that operate in the licensed spectrum. By relying on access points owned by users for access, wireless community networks provide a wireless infrastructure in an inexpensive way. However, the coverage of such a network is limited by the set of users who open their access points to the social community. Currently, it is not clear to what degree this paradigm can serve as a replacement, or a complementary service, of existing centralized networks operating in licensed bands. In this paper, we study the dynamics of wireless social community networks using, as well as the situation where a wireless social community network co-exists with a traditional wireless network operating in the licensed spectrum.
    Communications, 2008 IEEE International Zurich Seminar on; 04/2008