Dimitris Gritzalis

Athens University of Economics and Business, Athínai, Attica, Greece


Publications (123) · 22.53 Total impact

  • 11th International Conference on Security and Cryptography (SECRYPT-2014), Austria; 08/2014
  • ABSTRACT: Spam over Internet Telephony (SPIT) is a potential source of disruption in Voice over IP (VoIP) systems. The use of anti-SPIT mechanisms, such as filters and audio CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), can prevent unsolicited calls and lead to less unwanted traffic. In this paper, we present a game-theoretic model, in which the game is played between SPIT senders and internet telephony users. The game includes call filters and audio CAPTCHA, so as to classify incoming calls as legitimate or malicious. We show how the resulting model can be used to decide upon the trade-offs present in this problem and help us predict the SPIT sender's behavior. We also highlight the advantages in terms of SPIT call reduction of merely introducing CAPTCHA, and provide experimental verification of our results.
    Journal of Computer Security. 05/2014; 22(3):383-413.
  • Vasilis Stavrou, Dimitris Gritzalis
    Computers & Security 01/2014; · 1.16 Impact Factor
  • Nikos Virvilis, Dimitris Gritzalis
    Computers & Security 01/2014; · 1.16 Impact Factor
  • George Stergiopoulos, Dimitris Gritzalis
    Computers & Security 01/2014; · 1.16 Impact Factor
  • Nikolaos Tsalis, Dimitris Gritzalis
    Computers & Security 01/2014; · 1.16 Impact Factor
  • ABSTRACT: As both the number and the complexity of cyber attacks continuously increase, it is becoming evident that traditional security mechanisms have limited success in detecting sophisticated threats. Stuxnet, Duqu, Flame, Red October and, more recently, Miniduke, have troubled the security community due to their severe complexity and their ability to evade detection in some cases for several years, while exfiltrating gigabytes of data or sabotaging critical infrastructures. The significant technical and financial resources needed for orchestrating such complex attacks are a clear indication that perpetrators are well organized and, likely, working under a state umbrella. In this paper we perform a technical analysis of these advanced persistent threats, highlighting particular characteristics and identifying common patterns and techniques. We also focus on the issues that enabled the malware to evade detection from a wide range of security solutions and propose technical countermeasures for strengthening our defenses against similar threats.
    Proceedings of the 2013 IEEE 10th International Conference on Ubiquitous Intelligence & Computing and 2013 IEEE 10th International Conference on Autonomic & Trusted Computing; 12/2013
  • ABSTRACT: Migrating data, applications or services to the cloud exposes a business to a number of new threats and vulnerabilities, which need to be properly assessed. Assessing privacy risk in cloud environments remains a complex challenge; mitigation of this risk requires trusting a cloud service provider to implement suitable privacy controls. Furthermore, auditors and authorities need to be able to hold service providers accountable for their actions, enforcing rules and regulations through penalties and other mechanisms, and ensuring that any problems are remedied promptly and adequately. This paper examines privacy risk assessment for cloud, and identifies threats, vulnerabilities and countermeasures that clients and providers should implement in order to achieve privacy compliance and accountability.
    Proceedings of the 2013 IEEE International Conference on Cloud Computing Technology and Science - Volume 01; 12/2013
  • ABSTRACT: Insider threat is a major issue in cyber and corporate security. In this paper we study the psychosocial perspective of the insider via social media, Open Source Intelligence, and user generated content classification. Inductively, we propose a prediction method by evaluating the predisposition towards law enforcement and authorities, a personal psychosocial trait closely connected to the manifestation of malevolent insiders. We propose a methodology to detect users holding a negative attitude towards authorities. For doing so we facilitate the use of machine learning techniques and of a dictionary-based approach, so as to detect comments expressing negative attitude. Thus, we can draw conclusions over a user's behavior and beliefs via the content the user generated within the limits of a social medium. We also use an assumption-free flat data representation technique in order to decide over the user's attitude. Furthermore, we compare the results of each method and highlight the common behavior manifested by the users. The demonstration is applied on a crawled community of users on YouTube.
    Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society; 11/2013
  • 9th International Workshop on Security and Trust Management, UK; 08/2013
  • ABSTRACT: Sphinx was a monster in Greek mythology devouring those who could not solve her riddle. In VoIP, a new service in the role of Sphinx provides protection against SPIT (Spam over Internet Telephony) by discriminating human callers from botnets. The VoIP Sphinx tool uses audio CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) that are controlled by an anti-SPIT policy mechanism. The design of the Sphinx service has been formally verified for the absence of side-effects in the VoIP services (robustness), as well as for its DoS-resistance. We describe the principles and innovations of Sphinx, together with experimental results from pilot use cases.
    Information, Intelligence, Systems and Applications ( IISA 2013 ); 07/2013
  • George Stergiopoulos, Bill Tsoumas, Dimitris Gritzalis
    ABSTRACT: While considerable research effort has been put in the identification of technical vulnerabilities, such as buffer overflows or SQL injections, business logic vulnerabilities have drawn limited attention. Logic vulnerabilities are an important class of defects that are the result of faulty application logic. Business logic refers to requirements implemented in algorithms that reflect the intended functionality of an application, e.g. in an online shop application, a logic rule could be that each cart must register only one discount coupon per product. In our paper, we extend a novel heuristic and automated method for the detection of logic vulnerabilities, which we presented in a previous publication. This method detects logic vulnerabilities and asserts their criticality in Java GUI applications using dynamic and static analysis together with a fuzzy logic system in order to compare and rank its findings, in an effort to minimize false positives and negatives. An extensive analysis of the code ranking system is given along with empirical results in order to demonstrate its potential.
    Network and System Security, Madrid, Spain; 07/2013
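Added illustration of the defect class the abstract describes, built around the coupon rule it gives as its example. This is constructed example code written for this page, not the paper's detection method or tool: the shop model, product, coupon code and prices are assumptions, and the invariant function stands in for the kind of runtime check a dynamic analysis would evaluate after each cart operation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class LogicViolation(Exception):
    """Raised by the hardened cart when a business rule would be broken."""


@dataclass
class Line:
    unit_price: float
    qty: int
    coupons: List[Tuple[str, float]] = field(default_factory=list)  # (code, percent off)

    def subtotal(self) -> float:
        # Discounts are summed, so stacking the same coupon drives the price to zero.
        return self.unit_price * self.qty * (1 - sum(p for _, p in self.coupons) / 100)


class Cart:
    """enforce_rule=False reproduces the logic defect; True is the hardened version.
    Constructed toy model, not any real shop or the paper's subject application."""

    def __init__(self, enforce_rule: bool) -> None:
        self.enforce_rule = enforce_rule
        self.lines: Dict[str, Line] = {}

    def add(self, product: str, unit_price: float, qty: int) -> None:
        self.lines[product] = Line(unit_price, qty)

    def apply_coupon(self, product: str, code: str, percent: float) -> None:
        line = self.lines[product]
        if self.enforce_rule and line.coupons:
            # Business rule: at most one coupon per product.
            raise LogicViolation(f"{product!r} already has a coupon registered")
        line.coupons.append((code, percent))  # vulnerable path: unbounded stacking

    def total(self) -> float:
        return sum(line.subtotal() for line in self.lines.values())


def coupon_rule_violations(cart: Cart) -> List[str]:
    """The invariant a dynamic check would assert after every cart operation:
    no product may carry more than one coupon. Returns offending product names."""
    return [name for name, line in cart.lines.items() if len(line.coupons) > 1]


def stack_same_coupon(enforce_rule: bool, times: int) -> Tuple[float, List[str]]:
    """Drive the cart the way an abuser would: re-submit one coupon `times` times.
    Product, price and coupon are constructed values."""
    cart = Cart(enforce_rule)
    cart.add("widget", 50.0, 2)  # 100.00 before discounts
    for _ in range(times):
        cart.apply_coupon("widget", "SAVE20", 20.0)
    return cart.total(), coupon_rule_violations(cart)


if __name__ == "__main__":
    print(stack_same_coupon(enforce_rule=False, times=5))  # defect: free product
    try:
        stack_same_coupon(enforce_rule=True, times=2)
    except LogicViolation as exc:
        print("hardened cart rejected:", exc)
```

Nothing here is a memory-safety or injection bug, which is the point of the abstract: the code is type-correct and crash-free, and only a check against the stated business rule (the invariant function, or the guard in `apply_coupon`) reveals the defect.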
  • ABSTRACT: In this paper, we approach encryption through the properties of complex logarithm and the complex plane. We introduce a mathematical concept to be used in cryptography. As an example, we propose a new cryptosystem, by mixing known robust techniques such as chain-block encryption and AES-like structures together with complex exponentiation to provide robust encryption of plaintext messages. The proposed method implements encryption by transforming complex numbers into position vectors in a two-dimensional Cartesian coordinate system called the complex plane and utilizes the properties of the complex logarithm together with well-defined techniques from global standards (such as AES), in order to ensure robustness against cryptanalysis. This is made possible without implementing any computationally costly algorithm. This has two important consequences: First, it may open up viable solutions to known limitations in cryptography such as relatively complex key schedules (i.e. in Feistel ciphers) and the need for relatively large keys used in encryption methods (bit-wise). Second, it proposes a new mathematical concept that can be used in future cryptosystems. An example of this is the preliminary cryptosystem found in this paper. We present its algorithm and show that it can be implemented using fast mechanisms for encryption and decryption.
    SECRYPT, Reykjavik, Iceland; 07/2013
  • 10th International Conference on Trust, Privacy & Security in Digital Business, Czech Republic; 01/2013
  • Alexios Mylonas, Anastasia Kastania, Dimitris Gritzalis
    ABSTRACT: Smartphone users increasingly download and install third-party applications from official application repositories. Attackers may use this centralized application delivery architecture as a security and privacy attack vector. This risk increases since application vetting mechanisms are often not in place and the user is delegated to authorize which functionality and protected resources are accessible by third-party applications. In this paper, we mount a survey to explore the security awareness of smartphone users who download applications from official application repositories (e.g. Google Play, Apple's App Store, etc.). The survey findings suggest a security complacency, as the majority of users trust the app repository, security controls are not enabled or not added, and users disregard security during application selection and installation. As a response to this security complacency we built a prediction model to identify users who trust the app repository. The model is assessed, evaluated and proved to be statistically significant and efficient.
    Computers & Security 01/2013; 34:47 - 66. · 1.16 Impact Factor
  • Computers & Security 01/2013; · 1.16 Impact Factor
  • ABSTRACT: Port Information and Communication Technology (PICT) systems offer a series of critical services rendering their effective security management an issue of vital importance. Existing regulation, standardization, and risk management methodologies do not adequately address the cyber threats the dependent environment of PICT systems is exposed to. In the S-Port project, we identified and addressed these needs by proposing a collaborative environment offering customized security management services targeted at the unique needs of port authorities. S-Port has been deployed in three commercial ports, so as to assist them in self-managing security and risks. In this paper, we present the main objectives and core functionalities of the S-Port environment, as well as the overall results of its assessment.
    Information, Intelligence, Systems and Applications (IISA), 2013 Fourth International Conference on; 01/2013
  • ABSTRACT: Several steganographic algorithms have been proposed for protecting message secrecy against unauthorized "reads". The most used method for hiding a message relies on embedding the secret message in the Least Significant Bit (LSB) of the cover object. Though various digital formats have been proposed in the literature to be used as cover objects, little attention has been paid to Matroska multimedia containers. In this work, we propose a practical method for applying steganography in these types of files. The proposed method consists of three distinct phases. The first one encrypts the hidden message, the second embeds it in the stego cover, while at the final step the stego cover is attached to a Matroska container. We tested our approach in various scenarios in order to evaluate the introduced overhead. Results show that the use of several sizes for TXT and WAV files did not introduce considerable overhead. Depending on the file size, the introduced overhead is between 1 and 3 seconds.
    Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on; 01/2013
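Added example of the first two phases described above (encrypt the message, then embed it in the least significant bits of the cover), written for this page and not taken from the paper. Assumptions: the cover is a constructed in-memory array of signed 16-bit PCM samples standing in for WAV sample data; the cipher is a SHA-256 counter-mode keystream chosen only so the snippet is self-contained, not the paper's encryption; the length-prefix framing is this example's own; and the third phase, attaching the stego file to a Matroska container, is a file-level step outside this snippet.

```python
import hashlib
import math
import struct
from typing import List

# Constructed cover: one second of a 440 Hz tone at 8 kHz as signed 16-bit
# samples, standing in for the PCM data of a WAV file (no file I/O needed).
COVER: List[int] = [int(12000 * math.sin(2 * math.pi * 440 * n / 8000)) for n in range(8000)]
KEY = b"demo-key-not-for-real-use"  # constructed
NONCE = b"\x00" * 8                  # constructed; must never repeat under one key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in stream cipher for self-containment.
    The paper's encryption phase is not specified on this page and this is not it."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Phase 1 and its inverse: XOR with the keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def embed(cover: List[int], payload: bytes) -> List[int]:
    """Phase 2: write a 4-byte big-endian length header plus the payload into the
    LSB of consecutive samples, most significant bit of each byte first.
    Each sample changes by at most 1, which is why LSB embedding is inaudible."""
    frame = struct.pack(">I", len(payload)) + payload
    nbits = len(frame) * 8
    if nbits > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8 - 4} payload bytes, need {len(payload)}")
    stego = list(cover)
    for i in range(nbits):
        bit = (frame[i // 8] >> (7 - i % 8)) & 1
        stego[i] = (stego[i] & ~1) | bit  # clears then sets the LSB; valid for negative samples
    return stego


def extract(stego: List[int]) -> bytes:
    """Inverse of embed(): read the header, validate it against the cover size,
    then read that many payload bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            v = 0
            for k in range(8):
                v = (v << 1) | (stego[start_bit + b * 8 + k] & 1)
            out.append(v)
        return bytes(out)

    if len(stego) < 32:
        raise ValueError("cover too short to hold a length header")
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length header inconsistent with cover size: truncated or not a stego cover")
    return read_bytes(32, length)


def hide_message(cover: List[int], key: bytes, nonce: bytes, message: bytes) -> List[int]:
    return embed(cover, xor_crypt(key, nonce, message))


def reveal_message(stego: List[int], key: bytes, nonce: bytes) -> bytes:
    return xor_crypt(key, nonce, extract(stego))


def max_sample_delta(cover: List[int], stego: List[int]) -> int:
    """Largest per-sample change introduced by embedding (expected: 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = hide_message(COVER, KEY, NONCE, b"meet at dawn")
    print(reveal_message(stego, KEY, NONCE), max_sample_delta(COVER, stego))
```

Encrypting before embedding means that anyone who strips the LSBs without the key recovers only keystream-looking bytes, which is the reason the paper's scheme has an encryption phase at all; it does not hide the fact that something was embedded, since LSB statistics of the cover still change, and a real deployment would use an authenticated cipher rather than the hash-based stand-in used here.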
  • Bill Tsoumas, Dimitris Gritzalis
    Computers & Security 09/2012; 31(6):801. · 1.16 Impact Factor
  • Alexis Mylonas, Dimitris Gritzalis
    Computers & Security 09/2012; 31(6):802–803. · 1.16 Impact Factor

Publication Stats

421 Citations
22.53 Total Impact Points

Institutions

  • 1970–2014
    • Athens University of Economics and Business
      • Department of Informatics
      Athínai, Attica, Greece
  • 2008
    • Carnegie Mellon University
      Pittsburgh, Pennsylvania, United States
  • 1991–2007
    • University of the Aegean
      • Department of Product and Systems Design Engineering
      • Department of Information and Communication Systems Engineering
      • Department of Mathematics
      Mytilíni, Voreio Aigaio, Greece
  • 2000
    • National Technical University of Athens
      Athínai, Attica, Greece
  • 1991–1992
    • Technological Educational Institute of Athens
      • Department of Informatics
      Athínai, Attica, Greece