ABSTRACT: Although sharing data across organizational boundaries has often been
advocated as a promising way to enhance security, collaborative initiatives are
rarely put into practice owing to confidentiality, trust, and liability
challenges. In this paper, we investigate whether collaborative threat
mitigation can be realized via a controlled data sharing approach, whereby
organizations make informed decisions as to whether or not, and how much, to
share. Using appropriate cryptographic tools, entities can estimate the
benefits of collaborating and agree on what to share in a privacy-preserving
way, without having to disclose their entire datasets. We focus on
collaborative predictive blacklisting, i.e., forecasting attack sources also
based on logs contributed by other organizations and study the impact of
different sharing strategies by experimenting on a real-world dataset of two
billion suspicious IP addresses collected from DShield over two months. We find
that controlled data sharing yields up to an average 105% accuracy improvement,
while also reducing the false positive rate.
ABSTRACT: Online service providers gather increasingly large amounts of personal data
into user profiles and monetize them with advertisers and data brokers. Users
have little control of what information is processed and face an all-or-nothing
decision between receiving free services or refusing to be profiled. This paper
explores an alternative approach where users only disclose an aggregate model
-- the "gist" -- of their data. The goal is to preserve data utility and
simultaneously provide user privacy. We show that this approach is practical
and can be realized by letting users contribute encrypted and
differentially-private data to an aggregator. The aggregator combines encrypted
contributions and can only extract an aggregate model of the underlying data.
In order to dynamically assess the value of data aggregates, we use an
information-theoretic measure to compute the amount of "valuable" information
provided to advertisers and data brokers. We evaluate our framework on an
anonymous dataset of 100,000 U.S. users obtained from the U.S. Census Bureau
and show that (i) it provides accurate aggregates with as little as 100 users,
(ii) it generates revenue for both users and data brokers, and (iii) its
overhead is appreciably low.
ABSTRACT: A new generation of security solutions is attempting to actively predict
future cyber-attacks by profiling offensive practices. Since prediction
accuracy can improve with more information about attackers, data sharing among
organizations is often advocated. Unfortunately, collaborative approaches are
rarely implemented due to related legal and privacy concerns. This paper
investigates a novel approach to collaborative threat mitigation where
organizations identify suitable partners for data sharing in a
privacy-preserving way. Data sharing then occurs within coalitions of allied
organizations. We propose a framework that allows organizations to estimate the
benefits of collaboration without disclosing their actual datasets, and
supports limited information sharing among collaborators. We focus on
collaborative predictive blacklisting, and consider organizations that predict
future attacks based on their own data, and that of a few selected partners. We
study how collaboration strategies affect prediction accuracy on a real-world
dataset of suspicious IP addresses, and observe up to a 105% prediction
improvement in blacklisting.
ABSTRACT: Decades of research and numerous incidents have demonstrated the weaknesses
of text passwords and prompted the need for more secure alternatives. In recent
years, two-factor authentication (2F) has emerged as the most used solution to
strengthen passwords. By requiring users to provide more than one
authentication factor -- e.g., a code generated by a security token, along with
the password -- 2F aims to enhance resilience against guessing attacks and
breaches of password databases. Alas, it also introduces non-negligible costs
for service providers and requires users to carry out additional actions during
the authentication process. Nevertheless, little research has focused on its
This paper presents a comparative usability study of two-factor
authentication. First, we report on a preliminary interview-based study
involving 9 participants, identifying the most popular 2F technologies as well
as the contexts and motivations in which they are used. Then, we design and
administer a survey to 219 Mechanical Turk users, aiming to explore the
landscape of 2F technologies and measure the usability of three popular
solutions: codes generated by security tokens, one-time PINs received via email
or SMS, and dedicated smartphone apps (e.g., Google Authenticator). We record
contexts and motivations, and study their impact on perceived usability. We
also present an exploratory factor analysis that captures some key factors
affecting usability of 2F and highlight interesting findings that call for
further research in the field.
ABSTRACT: Wireless networks offer novel means to enhance social interactions. In particular, peer-to-peer wireless communications enable direct and real-time interaction with nearby devices and communities and could extend current online social networks by providing complementary services including real-time friend and community detection and localized data sharing without infrastructure requirement. After years of research, the deployment of such peer-to-peer wireless networks is finally being considered. A fundamental primitive is the ability to discover geographic proximity of specific communities of people (e.g., friends or neighbors). To do so, mobile devices must exchange some community identifiers or messages. We investigate privacy threats introduced by such communications, in particular, adversarial community detection. We use the general concept of community pseudonyms to abstract anonymous community identification mechanisms and define two distinct notions of community privacy by using a challenge-response methodology. An extensive cost analysis and simulation results throw further light on the feasibility of these mechanisms in the upcoming generation of wireless peer-to-peer networks.
Mobile Networks and Applications 06/2013; 18(3). DOI:10.1007/s11036-012-0406-y · 1.05 Impact Factor
ABSTRACT: In mobile networks, authentication is a required primitive for most security protocols. Unfortunately, an adversary can monitor pseudonyms used for authentication to track the location of mobile nodes. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. This approach is costly. Self-interested mobile nodes might, thus, decide not to cooperate and jeopardize the achievable location privacy. In this paper, we analyze non-cooperative behavior of mobile nodes by using a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We obtain Nash equilibria in static n-player complete information games. As in practice mobile nodes do not know their opponents' payoffs, we then consider static incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies. By means of numerical results, we predict behavior of selfish mobile nodes. We then investigate dynamic games where players decide to change their pseudonym one after the other and show how this affects strategies at equilibrium. Finally, we design protocols, the PseudoGame protocols, based on the results of our analysis and simulate their performance in vehicular network scenarios.
IEEE Transactions on Dependable and Secure Computing 03/2013; 10(2):84-98. DOI:10.1109/TDSC.2012.85 · 1.35 Impact Factor
ABSTRACT: HTTPS is widely deployed to secure Internet communications. Yet, the provided security is dubious, notably because of the obscure management of digital certificates. We investigate this problem and provide a large-scale empirical analysis of the current deployment of certificate-based authentication. Our study considers the digital certificates of the top one million most popular websites and shows that very few websites use certificates properly. In most cases, domain mismatches between certificates and websites are observed. We study the legal, economic and social aspects of the problem. We identify problems with the profit-oriented attitude of CAs and show how the current economic model leads to the distribution of cheap certificates for cheap security. Finally, we suggest possible changes to improve certificate-based authentication.
ABSTRACT: Pervasive social networks extend traditional social networking by enabling users to share information in a peer-to-peer fashion using their wireless mobile devices. Contrary to traditional online social networks, privacy protection in such networks depends heavily on users' context (time, location, activity, etc.) and their sensitivity to the shared data and context. Existing privacy-preserving mechanisms do not adapt well to different data, context and user sensitivities. In this work, we follow a fresh approach for privacy preservation, called privacy-triggered communications; it allows users in such pervasive networks to dynamically regulate their communications based on their context and on the evolution of their privacy in that context. Our initial results show that this is a feasible strategy for privacy management in pervasive social networking scenarios.
2011 IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM); 07/2011
ABSTRACT: In modern mobile networks, users increasingly share their location with third-parties in return for location-based services. In this way, users obtain services customized to their location. Yet, such communications leak location information about users. Even if users make use of pseudonyms, the operators of location-based services may be able to identify them and thus affect their privacy. In this paper, we provide an analysis of the erosion of privacy caused by the use of location-based services. To do so, we experiment with real mobility traces and measure the dynamics of user privacy. This paper thus details and quantifies the privacy risks induced by the use of location-based services.
ABSTRACT: Modern mobile devices are fast, programmable and feature localization and wireless capabilities. These technological advances notably facilitate mobile access to Internet, development of mobile applications and sharing of personal information, such as location information. Cell phone users can for example share their whereabouts with friends on online social networks. Following this trend, the field of ubiquitous computing foresees communication networks composed of increasingly inter-connected wireless devices offering new ways to collect and share information in the future. It also becomes harder to control the spread of personal information. Privacy is a critical challenge of ubiquitous computing as sharing personal information exposes users' private lives. Traditional techniques to protect privacy in wired networks may be inadequate in mobile networks because users are mobile, have short-lived encounters and their communications can be easily eavesdropped upon. These characteristics introduce new privacy threats related to location information: a malicious entity can track users' whereabouts and learn aspects of users' private lives that may not be apparent at first. In this dissertation, we focus on three important aspects of location privacy: location privacy threats, location-privacy preserving mechanisms, and privacy-preservation in pervasive social networks. Considering the recent surge of mobile applications, we begin by investigating location privacy threats of location-based services. We push further the understanding of the privacy risk by identifying the type and quantity of location information that statistically reveals users' identities and points of interest to third parties. Our results indicate that users are at risk even if they access location-based services episodically. This highlights the need to design privacy into location-based services.
In the second part of this thesis, we delve into the subject of privacy-preserving mechanisms for mobile ad hoc networks. First, we evaluate a privacy architecture that relies on the concept of mix zones to engineer anonymity sets. Second, we identify the need for protocols to coordinate the establishment of mix zones and design centralized and distributed approaches. Because individuals may have different privacy requirements, we craft a game-theoretic model of location privacy to analyze distributed protocols. This model predicts strategic behavior of rational devices that protects their privacy at a minimum cost. This prediction leads to the design of efficient privacy-preserving protocols. Finally, we develop a dynamic model of interactions between mobile devices in order to analytically evaluate the level of privacy provided by mix zones. Our results indicate the feasibility and limitations of privacy protection based on mix zones. In the third part, we extend the communication model of mobile ad hoc networks to explore social aspects: users form groups called "communities" based on interests, proximity, or social relations and rely on these communities to communicate and discover their context. We analyze using challenge-response methodology the privacy implications of this new communication primitive. Our results indicate that, although repeated interactions between members of the same community leak community memberships, it is possible to design efficient schemes to preserve privacy in this setting. This work is part of the recent trend of designing privacy protocols to protect individuals. In this context, the author hopes that the results obtained, with both their limitations and their promises, will inspire future work on the preservation of privacy.
ABSTRACT: Users of mobile networks can change their identifier in regions called mix zones in order to defeat the tracking of their location by third parties. Mix zones must be carefully deployed in the network to reduce the cost induced on mobile users and to provide high location privacy. Unlike most previous work that considers a global adversary, we consider a local adversary equipped with multiple eavesdropping stations. We study the interaction between the local adversary deploying eavesdropping stations to track mobile users and mobile users deploying mix zones to protect their location privacy. We use a game-theoretic model to predict the strategies of both players. We derive the strategies at equilibrium in complete and incomplete information scenarios and propose an algorithm to converge to the equilibrium. Finally, based on real road traffic information, we numerically quantify the effect of complete and incomplete information on the strategies of mobile users and of the adversary. In complete information scenarios, mobile users and the adversary tend to adopt complementary strategies: users place mix zones where there is no eavesdropping station, and vice versa. In incomplete information scenarios, the location privacy level achieved by mobile users depends on their level of uncertainty about the strategy of the adversary.
ABSTRACT: Online social networks increasingly allow mobile users to share their location with their friends. Much to the detriment of users' privacy, this also means that social network operators collect users' location. Similarly, third parties can learn users' location from localization and location visualization services. Ideally, third-parties should not be given complete access to users' location. To protect location privacy, we design and implement a platform-independent solution for users to share their location in a private fashion over online social networks. Our solution relies on encryption to enforce access control and uses dummy queries and caching to protect localization and location visualization.
ABSTRACT: There is a rich collection of literature that aims at protecting the privacy of users querying location-based services. One of the most popular location privacy techniques consists in cloaking users' locations such that k users appear as potential senders of a query, thus achieving k-anonymity. This paper analyzes the effectiveness of k-anonymity approaches for protecting location privacy in the presence of various types of adversaries. The unraveling of the scheme unfolds the inconsistency between its components, mainly the cloaking mechanism and the k-anonymity metric. We show that constructing cloaking regions based on the users' locations does not reliably relate to location privacy, and argue that this technique may even be detrimental to users' location privacy. The uncovered flaws imply that the existing k-anonymity scheme is a tattered cloak for protecting location privacy.
ABSTRACT: We introduce a novel framework that provides a logical structure for classifying and organizing fundamental components and concepts of location privacy. Our framework models mobile networks and applications, threats, location-privacy preserving mechanisms, and metrics. We demonstrate the relevance of our framework by showing how the existing proposals in the field of location privacy are embodied appropriately in the framework. Our framework provides "the big picture" of research on location privacy and hence aims at paving the way for future research. It helps researchers to better understand this field of research, identify open problems, appropriately design new schemes, and position their work with respect to other efforts. The terminology proposed in this framework also facilitates establishing an inter-disciplinary research community on location privacy.
ABSTRACT: Online advertising is a major source of revenue on the Internet. In this paper, we identify a number of vulnerabilities of current ad serving systems. We describe how an adversary can exploit these vulnerabilities to divert part of the ad revenue stream for its own benefit. We propose a collaborative secure scheme to fix this problem. The solution relies on the fact that most online advertising networks own digital authentication certificates and can become a source of trust. We also explain why the deployment of this solution would benefit Web browsing security in general.
ABSTRACT: In many envisioned mobile ad hoc networks, nodes are expected to periodically beacon to advertise their presence. In this way, they can receive messages addressed to them or participate in routing operations. Yet, these beacons leak information about the nodes and thus hamper their privacy. A classic remedy consists of each node making use of (certified) pseudonyms and changing its pseudonym in specific locations called mix zones. Of course, privacy is then higher if the pseudonyms are short-lived (i.e., nodes have a short distance-to-confusion), but pseudonyms can be costly, as they are usually obtained from an external authority. In this paper, we provide a detailed analytical evaluation of the age of pseudonyms based on differential equations. We corroborate this model by a set of simulations. This paper thus provides a detailed quantitative framework for selecting the parameters of a pseudonym-based privacy system in peer-to-peer wireless networks.
ABSTRACT: Wireless Sensor Networks (WSNs) allow the monitoring of activity or environmental conditions over a large area, from homes to industrial plants, from agriculture fields to forests and glaciers. They can support a variety of applications, from assisted living to natural disaster prevention. WSNs can, however, be challenging to set up and maintain, reducing the potential for real-world adoption. To address this limitation, this paper introduces SensorTune, a novel mobile interface to support non-expert users in iteratively setting up a WSN. SensorTune uses non-speech audio to present to its users information regarding the connectivity of the network they are setting up, allowing them to decide how to extend it. To simplify the interpretation of the data presented, the system adopts the metaphor of tuning a consumer analog radio, a very common and well-known operation. A user study was conducted in which 20 subjects set up real multi-hop networks inside a large building using a limited number of wireless nodes. Subjects repeated the task with SensorTune and with a comparable mobile GUI interface. Experimental results show a statistically significant difference in the task completion time and a clear preference of users for the auditory interface.
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems; 04/2010
ABSTRACT: We propose a novel framework for measuring and evaluating location privacy preserving mechanisms in mobile wireless networks. Within this framework, we first present a formal model of the system, which provides an efficient representation of the network users, the adversaries, the location privacy preserving mechanisms and the resulting location privacy of the users. This model is general enough to accurately express and analyze a variety of location privacy metrics that were proposed earlier. We provide formal representations of four among the most relevant categories of location privacy metrics, by using the proposed model. We also present a detailed comparative analysis of these metrics based on a set of criteria for location privacy measurement. Finally, we propose a novel and effective metric for measuring location privacy, called distortion-based metric, which satisfies these criteria for privacy measurement and is capable of capturing the mobile users' location privacy more precisely than the existing metrics. Our metric measures location privacy as the expected level of distortion of the adversary's hypothesized trajectories of the users, considering the adversary's knowledge and also the observed parts of the users' trajectories.
ABSTRACT: Pervasive communications bring along new privacy challenges, fueled by the capability of mobile devices to communicate with, and thus "sniff on", each other directly. We design a new mechanism that aims at achieving location privacy in these forthcoming mobile networks, whereby mobile nodes collect the pseudonyms of the nodes they encounter to generate their own privacy cloaks. Thus, privacy emerges from the mobile network and users gain control over the disclosure of their locations. We call this new paradigm self-organized location privacy. In this work, we focus on the problem of self-organized anonymous authentication that is a necessary prerequisite for location privacy. We investigate, using graph theory, the optimality of different cloak constructions and evaluate with simulations the achievable anonymity in various network topologies. We show that peer-to-peer wireless communications and mobility help in the establishment of self-organized anonymous authentication in mobile networks.
ABSTRACT: In mobile networks, authentication is a required primitive of the majority of security protocols. However, an adversary can track the location of mobile nodes by monitoring pseudonyms used for authentication. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. Because this approach is costly, self-interested mobile nodes might decide not to cooperate and could thus jeopardize the achievable location privacy. In this paper, we analyze the non-cooperative behavior of mobile nodes with a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We first analyze the Nash equilibria in $n$-player complete information games. Because mobile nodes in a privacy-sensitive system do not know their opponents' payoffs, we then consider incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies in $n$-player games and derive the equilibrium strategies. By means of numerical results, we show that mobile nodes become selfish when the cost of changing pseudonym is small, whereas they cooperate more when the cost of changing pseudonym increases. Finally, we design a protocol, the PseudoGame protocol, based on the results of our analysis.