Dimitris Gritzalis

Athens University of Economics and Business, Athínai, Attica, Greece

Publications (135) · 50.95 Total impact

  • ABSTRACT: Recent advances in static and dynamic program analysis resulted in tools capable to detect various types of security bugs in the Applications under Test (AUTs). However, any such analysis is designed for a priori specified types of bugs and it is characterized by some rate of false positives or even false negatives and certain scalability limitations. We present a new analysis and source code classification technique, and a prototype tool aiming to aid code reviews in the detection of general information flow dependent bugs. Our approach is based on classifying the criticality of likely exploits in the source code using two measuring functions, namely Severity and Vulnerability. For an AUT, we analyze every single pair of input vector and program sink in an execution path, which we call an Information Block (IB). A classification technique is introduced for quantifying the Severity (danger level) of an IB by static analysis and computation of its Entropy Loss. An IB's Vulnerability is quantified using a tainted object propagation analysis along with a Fuzzy Logic system. Possible exploits are then characterized with respect to their Risk by combining the computed Severity and Vulnerability measurements through an aggregation operation over two fuzzy sets. An IB is characterized of a high risk, when both its Severity and Vulnerability rankings have been found to be above the low zone. In this case, a detected code exploit is reported by our prototype tool, called Entroine. The effectiveness of our approach has been tested by analyzing 45 Java programs of NIST's Juliet Test Suite, which implement three different common weakness exploits. All existing code exploits were detected without any false positive.
    12th International Conference on Security and Cryptography (SECRYPT), Colmar, Alsace, France; 07/2015
  • ABSTRACT: Dependency risk graphs have been proposed as a tool for analyzing cascading failures due to critical infrastructure dependency chains. However, dependency chain analysis is not by itself adequate to develop an efficient risk mitigation strategy – one that specifies which critical infrastructures should have high priority for applying mitigation controls in order to achieve an optimal reduction in the overall risk. This paper extends previous dependency risk analysis research to implement efficient risk mitigation. This is accomplished by exploring the relation between dependency risk paths and graph centrality characteristics. Graph centrality metrics are applied to design and evaluate the effectiveness of alternative risk mitigation strategies. The experimental evaluations are based on random graphs that simulate common critical infrastructure dependency characteristics as identified by recent empirical studies. The experimental results are used to specify an algorithm that prioritizes critical infrastructure nodes for applying controls in order to achieve efficient risk mitigation.
    International Journal of Critical Infrastructure Protection 05/2015; DOI:10.1016/j.ijcip.2015.05.003 · 0.43 Impact Factor
  • ABSTRACT: URL blacklists are used by the majority of modern web browsers as a means to protect users from rogue web sites, i.e. those serving malware and/or hosting phishing scams. There is a plethora of URL blacklists/reputation services, out of which Google’s Safe Browsing and Microsoft’s SmartScreen stand out as the two most commonly used ones. Frequently, such lists are the only safeguard web browsers implement against such threats. In this paper, we examine the level of protection that is offered by popular web browsers on iOS, Android and desktop (Windows) platforms, against a large set of phishing and malicious URL. The results reveal that most browsers – especially those for mobile devices - offer limited protection against such threats. As a result, we propose and evaluate a countermeasure, which can be used to significantly improve the level of protection offered to the users, regardless of the web browser or platform they are using.
    Computers & Security 04/2015; DOI:10.1016/j.cose.2015.04.009 · 1.17 Impact Factor
  • George Stergiopoulos, Dimitris Gritzalis
    Computers & Security 01/2015; 49. DOI:10.1016/j.cose.2015.01.001 · 1.17 Impact Factor
  • Lecture Notes (CCIS) edited by M. Obaidad and A. Holzinger, 01/2015; Springer.
  • 11th International Conference on Security and Cryptography (SECRYPT-2014), Austria; 08/2014
  • George Stergiopoulos, Dimitris Gritzalis
    Computers & Security 06/2014; 43:188. DOI:10.1016/j.cose.2014.02.001 · 1.17 Impact Factor
  • ABSTRACT: Spam over Internet Telephony (SPIT) is a potential source of disruption in Voice over IP (VoIP) systems. The use of anti-SPIT mechanisms, such as filters and audio CAPTCHA (Completely Automated Public Turing Test to Tell Computer and Humans Apart) can prevent unsolicited calls and lead to less unwanted traffic. In this paper, we present a game-theoretic model, in which the game is played between SPIT senders and internet telephony users. The game includes call filters and audio CAPTCHA, so as to classify incoming calls as legitimate or malicious. We show how the resulting model can be used to decide upon the trade-offs present in this problem and help us predict the SPIT sender's behavior. We also highlight the advantages in terms of SPIT call reduction of merely introducing CAPTCHA, and provide experimental verification of our results.
  • George Stergiopoulos, Dimitris Gritzalis
    Computers & Security 01/2014; · 1.17 Impact Factor
  • Nikolaos Tsalis, Dimitris Gritzalis
    Computers & Security 01/2014; · 1.17 Impact Factor
  • Vasilis Stavrou, Dimitris Gritzalis
    Computers & Security 01/2014; · 1.17 Impact Factor
  • Nikos Virvilis, Dimitris Gritzalis
    Computers & Security 01/2014; · 1.17 Impact Factor
  • ABSTRACT: As both the number and the complexity of cyber attacks continuously increase, it is becoming evident that traditional security mechanisms have limited success in detecting sophisticated threats. Stuxnet, Duqu, Flame, Red October and, more recently, Miniduke, have troubled the security community due to their severe complexity and their ability to evade detection in some cases for several years, while exfiltrating gigabytes of data or sabotaging critical infrastructures. The significant technical and financial resources needed for orchestrating such complex attacks are a clear indication that perpetrators are well organized and, likely, working under a state umbrella. In this paper we perform a technical analysis of these advanced persistent threats, highlighting particular characteristics and identifying common patterns and techniques. We also focus on the issues that enabled the malware to evade detection from a wide range of security solutions and propose technical countermeasures for strengthening our defenses against similar threats.
    Proceedings of the 2013 IEEE 10th International Conference on Ubiquitous Intelligence & Computing and 2013 IEEE 10th International Conference on Autonomic & Trusted Computing; 12/2013
  • ABSTRACT: Migrating data, applications or services to the cloud exposes a business to a number of new threats and vulnerabilities, which need to be properly assessed. Assessing privacy risk in cloud environments remains a complex challenge; mitigation of this risk requires trusting a cloud service provider to implement suitable privacy controls. Furthermore, auditors and authorities need to be able to hold service providers accountable for their actions, enforcing rules and regulations through penalties and other mechanisms, and ensuring that any problems are remedied promptly and adequately. This paper examines privacy risk assessment for cloud, and identifies threats, vulnerabilities and countermeasures that clients and providers should implement in order to achieve privacy compliance and accountability.
    Proceedings of the 2013 IEEE International Conference on Cloud Computing Technology and Science - Volume 01; 12/2013
  • ABSTRACT: Addressing the insider threat is a major issue in cyber and corporate security in order to enhance trusted computing in critical infrastructures. In this paper we study the psychosocial perspective and the implications of insider threat prediction via social media, Open Source Intelligence and user generated content classification. Inductively, we propose a prediction method by evaluating the predisposition towards law enforcement and authorities, a personal psychosocial trait closely connected to the manifestation of malevolent insiders. We propose a methodology to detect users holding negative attitude towards authorities. For doing so, we facilitate a brief analysis of the medium (YouTube), machine learning techniques and a dictionary-based approach, in order to detect comments expressing negative attitude. Thus, we can draw conclusions over a user behavior and beliefs via the content the user generated within the limits of a social medium. We also use an assumption free flat data representation technique in order to decide over the user's attitude and improve the scalability of our method. Furthermore, we compare the results of each method and highlight the common behavior and characteristics manifested by the users. As privacy violations may well arise when using such methods, their use should be restricted only on exceptional cases, e.g. when appointing security officers or decision-making staff in critical infrastructures.
    2013 IEEE 10th International Conference on Ubiquitous Intelligence & Computing and 2013 IEEE 10th International Conference on Autonomic & Trusted Computing (UIC/ATC); 12/2013
  • Nikolaos Tsalis, Marianthi Theoharidou, Dimitris Gritzalis
    ABSTRACT: Cloud migration is a complex decision because of the multiple parameters that contribute for or against it (e.g. available budget, costs, performance, etc.). One of these parameters is information security and the investment required in order to ensure it. A potential client needs to evaluate various deployment options and Cloud Service Providers (CSP). This paper proposes a set of metrics focused on the assessment of security controls of a cloud deployment, in terms of cost and mitigation. Such an approach can support the client to decide whether she selects to deploy part of her services, data or infrastructure to a CSP, or not.
    2013 IEEE 5th International Conference on Cloud Computing Technology and Science (CloudCom); 12/2013
  • ABSTRACT: Insider threat is a major issue in cyber and corporate security. In this paper we study the psychosocial perspective of the insider via social media, Open Source Intelligence, and user generated content classification. Inductively, we propose a prediction method by evaluating the predisposition towards law enforcement and authorities, a personal psychosocial trait closely connected to the manifestation of malevolent insiders. We propose a methodology to detect users holding a negative attitude towards authorities. For doing so we facilitate the use of machine learning techniques and of a dictionary-based approach, so as to detect comments expressing negative attitude. Thus, we can draw conclusions over a user behavior and beliefs via the content the user generated within the limits of a social medium. We also use an assumption free flat data representation technique in order to decide over the user's attitude. Furthermore, we compare the results of each method and highlight the common behavior manifested by the users. The demonstration is applied on a crawled community of users on YouTube.
    Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society; 11/2013
  • Dimitris Gritzalis, Gurvirender Tejay
    Computers & Security 10/2013; 38:1–2. DOI:10.1016/j.cose.2013.08.002 · 1.17 Impact Factor
  • ABSTRACT: The proliferation of smartphones introduces new opportunities in digital forensics. One of the reasons is that smartphones are usually equipped with sensors (e.g. accelerometer, proximity sensor, etc.), hardware which can be used to infer the user's context. This context may be useful in a digital investigation, as it can aid in the rejection or acceptance of an alibi, or even reveal a suspect's actions or activities. Nonetheless, sensor data are volatile, thus are not available in post-mortem analysis. Thus, the only way to timely acquire them, in case such a need arises during a digital investigation, is by software that collects them when they are generated by the suspect's actions. In this paper we examine the feasibility of ad-hoc data acquisition from smartphone sensors by implementing a device agent for their collection in Android, as well as a protocol for their transfer. Then, we discuss our experience regarding the data collection of smartphone sensors, as well as legal and ethical issues that arise from their collection. Finally, we describe scenarios regarding the agent's preparation and use in a digital investigation.
    Computers & Security 10/2013; DOI:10.1016/j.cose.2013.03.007 · 1.17 Impact Factor
  • 9th International Workshop on Security and Trust Management, UK; 08/2013

Publication Stats

683 Citations
50.95 Total Impact Points

Institutions

  • 1997–2014
    • Athens University of Economics and Business
      • Department of Informatics
      Athínai, Attica, Greece
  • 1995–2004
    • University of the Aegean
      • Department of Information and Communication Systems Engineering
      • Department of Mathematics
      Mytilíni, Voreio Aigaio, Greece
  • 2000
    • National Technical University of Athens
      Athínai, Attica, Greece
  • 1991–1992
    • Technological Educational Institute of Athens
      • Department of Informatics
      Athínai, Attica, Greece