Aad van MoorselNewcastle University | NCL · School of Computing Science
Aad van Moorsel
PhD
About
217
Publications
79,144
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
4,646
Citations
Introduction
Publications
Publications (217)
Discrete‐event simulation is an important tool for the analysis of permissionless blockchain systems. Simulation allows one to evaluate blockchains for scenarios that cannot be mimicked easily on the life system. To simulate blockchain systems as close to reality as possible a realistic characterization of the probability distributions of various v...
Ethereum is a public, permissionless blockchain, with Ether as cryptocurrency, and with Turing-complete smart contracts to implement arbitrarily complex distributed applications. Correct operation of Ethereum relies on appropriately rewarding participating nodes (called miners) for the resources used to run the blockchain. In Ethereum the Used Gas...
Blockchain technology has been applied to various applications (e.g., smart buildings and smart cities) that typically run in an environment of smart devices, known as Internet-of-Things (IoT). To support these applications, different blockchain architectures, data structures and consensus algorithms have been proposed, tailored to IoT. One such pr...
Background. 3-D Secure 2.0 (3DS 2.0) is an identity federation protocol authenticating the payment initiator for credit card transactions on the Web. Aim. We aim to quantify the impact of factors used by 3DS 2.0 in its fraud-detection decision making process. Method. We ran credit card transactions with two Web sites systematically manipulating the...
Both in the design and deployment of blockchain solutions many performance-impacting configuration choices need to be made. We introduce BlockSim, a framework and software tool to build and simulate discrete-event dynamic systems models for blockchain systems. BlockSim is designed to support the analysis of a large variety of blockchains and blockc...
The Internet of Things (IoT) is becoming a backbone of sensing infrastructure to several mission-critical applications such as smart health, disaster management, and smart cities. Due to resource-constrained sensing devices, IoT infrastructures use Edge datacenters (EDCs) for real-time data processing. EDCs can be either static or mobile in nature,...
Both in the design and deployment of blockchain solutions many performance-impacting configuration choices need to be made. We introduce BlockSim, a framework and software tool to build and simulate discrete-event dynamic systems models for blockchain systems. BlockSim is designed to support the analysis of a large variety of blockchains and blockc...
In proof-of-work based blockchains such as Ethereum, verification of blocks is an integral part of establishing consensus across nodes. However, in Ethereum, miners do not receive a reward for verifying. This implies that miners face the Verifier's Dilemma: use resources for verification, or use them for the more lucrative mining of new blocks? We...
Credit card fraud is one of the most common cybercrimes experienced by consumers today. Machine learning approaches are increasingly used to improve the accuracy of fraud detection systems. However, most of the approaches proposed so far have been based on supervised models, i.e., models trained with labelled historical fraudulent transactions, thu...
3 Domain Secure 2.0 (3DS 2.0) is the most prominent user authentication protocol for credit card based online payment. 3DS 2.0 relies on risk assessment to decide whether to challenge the payment initiator for second factor authentication information (e.g., through a passcode). The 3DS 2.0 standard itself does not specify how to implement transacti...
Interest in processing big data has increased rapidly to gain insights that can transform businesses, government policies, and research outcomes. This has led to advancement in communication, programming, and processing technologies, including cloud computing services and technologies such as Hadoop, Spark, and Storm. This trend also affects the ne...
Ethereum and other blockchains rely on miners to contribute computational power to execute tasks such as the proof of work consensus mechanism and the execution and validation of smart contracts. Miners receive a fee for their efforts, and for the correct operation of the blockchain, rewards should be proportional to the required investment (equipm...
Blockchain based smart contracts are computer programs that encode an agreement between non-trusting participants. Smart contracts are executed on a blockchain system if specified conditions are met, without the need of a trusted third party. Blockchains and smart contracts have received increasing and booming attention in recent years, also in aca...
The ’Smart World’ envisioned by technology will
be achieved by the penetration of intelligence into ubiquitous
things including physical objects, cyber-entities, social-elements
or individuals and human thinking. The development of Smart
World is enabled by diverse applications of Wireless Sensor
Networks (WSN) into those components identified as t...
The emerging use of modern technologies has not only benefited society but also attracted fraudsters and criminals to misuse the technology for financial benefits. Fraud over the Internet has increased dramatically, resulting in an annual loss of billions of dollars to customers and service providers worldwide. Much of such fraud directly impacts i...
The two‐phase commit (2PC) protocol has long been known to have a provably inevitable vulnerability to blocking or non‐progress amidst server crashes, even when the distributed database system guarantees the most demanding timing‐related or “synchrony” requirements. Our aim here is to eliminate this vulnerability by using a blockchain for coordinat...
Both in the design and deployment of blockchains many configuration choices need to be made. Investigating different implementation and design choices is not feasible or practical on real systems. Therefore, we propose BlockSim as a framework to build discrete-event dynamic system models for blockchain systems. BlockSim is organized in three layers...
In this presentation we consider blockchain from a performance engineering perspective, with an emphasis on consensus algorithms. A set of examples of performance characteristics and challenges of public blockchains serves as introduction to the presentation. These examples motivate a list of main topics that require further analysis by the researc...
Accountability is one of the keys to the mitigation of risks associated with cloud security. A logging system is an important feature in accountability solutions to anticipate and handle threats in the cloud. However, previous accountability with logging system solutions have been provided without any description of the logging system in the contex...
Banks have introduced various financial transaction systems to manage money transfers between accounts, both locally and internationally. EMV (named after its inventors Europay, MasterCard, and Visa) is one of the most widely spread financial transaction systems. The aim of introducing EMV was to eliminate fraud. However, the EMV system has some vu...
In blockchain systems, miners execute transactions in blocks. Since each block has a limit on the number of transactions, miners usually prioritise transactions by selecting the most profitable ones. However, miners are uncertain about the exact income and the exact cost of executing transactions. Thus, they are not able to make informed decisions...
Though the 2 Phase Commit protocol (2PC) remains central to distributed database management, it has a provably-inevitable vulnerability to blocking even when a distributed system guarantees the most demanding synchrony or timing-related requirements. This paper investigates eliminating that vulnerability by coordinating 2PC using a blockchain that...
Continuous authentication is a promising approach to validate the user's identity during a work session, e.g., for mobile banking applications. Recently, it has been demonstrated that changes in the motion patterns of the user may help to note the unauthorised use of mobile devices. Several approaches have been proposed in this area but with relati...
In blockchain systems, miners execute users' transactions in blocks. Since each block has a limit of the number of transactions it can have, miners usually prioritise transactions by selecting the most profitable ones. However, miners are uncertain about the exact income and the exact cost of executing transactions. Thus, they are not able to make...
Blockchain is a highly popular paradigm for non-centralized applications, especially in finance and trade. Performance is a major challenge for blockchains, since consensus approaches are known not to scale. In this presentation we address blockchain performance, from the perspective of model-based prediction as well as benchmark-based assessment....
Cloud computing has become an irreversible trend. Together comes the pressing need for verifiability, to assure the client the correctness of computation outsourced to the cloud. Existing verifiable computation techniques all have a high overhead, thus if being deployed in the clouds, would render cloud computing more expensive than the on-premises...
An appealing feature of blockchain technology is smart contracts. A smart contract is executable code that runs on top of the blockchain to facilitate, execute and enforce an agreement between untrusted parties without the involvement of a trusted third party. In this paper, we conduct a systematic mapping study to collect all research that is rele...
Given a model with multiple input parameters, and multiple possible sources for collecting data for those parameters, a data collection strategy is a way of deciding from which sources to sample data, in order to reduce the variance on the output of the model. Cain and Van Moorsel have previously formulated the problem of optimal data collection st...
An extensive study of the current practice of online payment using credit and debit cards reveals the intrinsic security challenges caused by differences in how payment sites operate.In this article, we present the online payment landscape in detail. In particular, we aim to highlight the different manners in which online payment is performed and t...
Cities are growing rapidly, requiring effective plans for natural disasters and other vulnerabilities. Urban risk analytics can play a significant role in enabling dynamic and timely decision-making for risk management in cities. The authors' cloud-based general framework facilitates effective urban risk analytics over big city data.
To protect a system from potential cyber security breaches and attacks, one needs to select efficient security controls, taking into account technical and institutional goals and constraints, such as available budget, enterprise activity, internal and external environment. Here we model the security controls selection problem as a two-stage decisio...
In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card...
The key technique behind the bitcoin is blockchain, which has emerged as a great innovation with a wide range of applications. The blockchain is a public ledger or a public database that is maintained by all the participants of the bitcoin network. All the transactions that have ever occurred in the bitcoin network are stored and recorded in the bl...
Designing efficient workflows is complex especially when considering security constraints that restrict which users can perform which tasks. This is further exacerbated when considering users could become unavailable at runtime, which is known as the workflow resiliency problem. Ideally, designers undertake resiliency analysis at the design stage s...
The cloud offers computational resources to customers, such as networking, processing, and storage. Its flexibility and benefits of reducing IT costs are attractive to many companies. However, the cloud also brings with it security concerns which affect both cloud customers and providers. Accountability is one of the keys to mitigating risks associ...
Users of computing systems and devices frequently make decisions related to information security, e. g., when choosing a password, deciding whether to log into an unfamiliar wireless network, etc. Employers or other stakeholders may have a preference for certain outcomes, without being able to or having a desire to enforce a particular decision. In...
Cloud computing provides on-line computing resources such as storage, operating systems, applications and infrastructure, allowing these resources to be accessed via the Internet. Cloud computing is now ubiquitous, thus necessitating greater attention to security issues. Logging systems as part of an accountability approach are a core requirement t...
Choosing an optimal investment in information security is an issue most companies face these days. Which security controls to buy to protect the IT system of a company in the best way? Selecting a subset of security controls among many available ones can be seen as a resource allocation problem that should take into account conflicting objectives a...
The insider threat problem is a significant and ever present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the issue is more complex in tackling insider threat. If an employee already has legitimate access r...
In this paper, we present the concept of "Ben-ware" as a beneficial software system capable of identifying anomalous human behaviour within a 'closed' organisation's IT infrastructure. We note that this behaviour may be malicious (for example, an employee is seeking to act against the best interest of the organisation by stealing confidential infor...
Computing a user-task assignment for a workflow coming with probabilistic user availability provides a measure of completion rate or resiliency. To a workflow designer this indicates a risk of failure, especially useful for workflows which cannot be changed due to rigid security constraints. Furthermore, resiliency can help outline a mitigation str...
Workflows are complex operational processes that include security constraints restricting which users can perform which tasks. An improper user-task assignment may prevent the completion of the workflow, and deciding such an assignment at runtime is known to be complex, especially when considering user unavailability (known as the resiliency proble...
People make security choices on a daily basis without fully considering the security implications of those choices. In this paper we present a prototype application which promotes the choice of secure wireless network options, specifically when users are unfamiliar with the wireless networks available. The app was developed based on behavioural the...
Workflows capture complex operational processes and include security constraints limiting which users can perform which tasks. An improper security policy may prevent certain tasks being assigned and may force a policy violation. Deciding whether a valid user-task assignment exists for a given policy is known to be extremely complex, especially whe...
By providing effective access control mechanisms, enterprise information security technologies have been proven successful in protecting the confidentiality of sensitive information in business organizations. However, such security mechanisms typically reduce the work productivity of the staff, by making them spend time working on non-project relat...
In this work we address the main issues of IT consumerisation that are related to security risks, and propose a ‘soft’ mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk asse...
Privacy is a concept with real life ties and implications. Privacy infringement has the potential to lead to serious consequences for the stakeholders involved, hence researchers and organisations have developed various privacy enhancing techniques and tools. However, there is no solution that fits all, and there are instances where privacy solutio...
In this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder's P...
In this work we address the main issues of IT consumerisation that are related to security risks, and propose a 'soft' mitigation strategy for user actions based on nudging, widely applied to health and social behaviour influence. In particular, we propose a complementary, less strict, more flexible Information Security policies, based on risk asse...
Information security decisions typically involve a trade-off between security and productivity. In practical settings, it is often the human user who is best positioned to make this trade-off decision, or in fact has a right to make its own decision (such as in the case of ‘bring your own device’), although it may be responsibility of a company sec...
We propose in this paper a formal model for soft enforcement, where a decision-maker is influenced towards a decision, rather than forced to select that decision. This novel type of enforcement is particularly useful when the policy enforcer cannot fully control the environment of the decision-maker, as we illustrate in the context of attribute-bas...
A workflow is resilient when the unavailability of some users does not force to choose between a violation of the security policy or an early termination of the workflow. Although checking for the resiliency of a workflow is a well-studied problem, solutions usually only provide a binary answer to the problem, leaving a workflow designer with littl...
On the one hand, an access control mechanism must make a conclusive decision for a given access request. On the other hand, such a mechanism usually relies on one or several decision making processes, which can return partial decisions, inconclusive ones, or conflicting ones. In some cases, this information might not be sufficient to automatically...
Behavior-change interventions are common in some areas of human-computer interaction, but rare in the domain of cybersecurity. This paper introduces a structured approach to working with organisations in order to develop such behavioral interventions or ‘nudges’. This approach uses elements of co-creation together with a set of prompts from the beh...
This paper considers the utility of employing behavioural nudges to change security-related behaviours. We examine the possibility that the effectiveness of nudges may depend on individual user characteristics – which represents a starting point for more personalized behaviour change in security. We asked participants to select from a menu of publi...
With the rapid growth and spread of Internet-based social support systems, the impact that these systems can make to society – be it good or bad – has become more significant and can make a real difference to people’s lives. As such, various aspects of these systems need to be carefully investigated and analysed, including their security/privacy is...
Cloud computing offers computational resources such as processing, networking, and storage to customers. However, the cloud also brings with it security concerns which affect both cloud consumers and providers. The Cloud Security Alliance (CSA) define the security concerns as the seven main threats. This paper investigates how threat number one (ma...
An intrusion and attack detection system usually focuses on classifying a record as either normal or abnormal. In some cases such as insider attacks, attackers rely on feedback from the attacked system, which enables them to gradually manipulate their attempts in order to avoid detection. This paper proposes the notion of accumulative manipulation...
In the practical use of security mechanisms such as CAPTCHAs and spam filters, attackers and defenders exchange ‘victories,’ each celebrating (temporary) success in breaking and defending. While most of security mechanisms rely on a single algorithm as a defense mechanism, we propose an approach based on a set of algorithms as a defense mechanism....
While security algorithms are utilized to protect system resources from misuse, using a single algorithm such as CAPTCHAs and Spam-Filters as a defence mechanism can work to protect a system against current attacks. However, as attackers learn from their attempts, this algorithm will eventually become useless and the system is no longer protected....
Contactless card payments are being introduced around the world allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Contactless transactions do not require verification of the cardholder’s PIN. However our research has found the redundant verify PIN functionality is present on the...
Infrastructure as a Service (IaaS) consists of a cloud-based infrastructure to offer consumers raw computation resources such as storage and networking. These resources are billed using a pay-per-use cost model. However, this type of infrastructure is far from being a security haven as the seven main threats defined by the Cloud Security Alliance (...
A critical challenge in cloud computing is assuring confidentiality and integrity for the execution of arbitrary software in a consumer's virtual machine. The problem arises from having multiple virtual machines sharing hardware resources in the same physical host. A security critical resource is random access memory, which in the current version o...
Probabilistic and stochastic models are routinely used in performance, dependability and security evaluation, and determining appropriate values for model parameters is a long-standing problem in the practical use of such models. With the increasing emphasis on human aspects and business considerations, data collection to estimate parameter values...
Social media and online communication encourage social interaction but do little to strengthen community relations between people who live in the same area. The aim of this work is to develop a set of requirements, in this initial case from a group of older adults, for an online system aimed at increasing local face-to-face communication and enhanc...
This report surveys existing enterprise technologies and products available to control access to confidential digital data. We survey USB access control solutions, digital rights management software, disk encryption techniques and operating system solutions. We compare the various technologies with respect to granularity and extent of administrativ...
This paper systematically reviews previous studies of trust from social, economic and technological perspectives and develops a holistic framework for trust, which can be used to analyse the establishment and maintenance of trust in online transactions, and identify the mechanisms that can be used to increase trust. Trust plays a crucial role in th...
The resilience of computing systems includes their dependability as well as their fault tolerance and security. It defines the ability of a computing system to perform properly in the presence of various kinds of disturbances and to recover from any service degradation. These properties are immensely important in a world where many aspects of our d...
The new editors of this department introduce themselves, explain how they plan to develop the department, and ask readers to submit articles and send feedback.
Service level agreement (SLA) specification languages are designed to express monitorable contracts between service providers and consumers. It is of interest to determine if predictive models can be derived for SLAs expressed in such languages, if possible in automated fashion. For this purpose, we study in this paper the mapping of the Web Servic...
In this paper we discuss the current state of our work regarding the development and planned in-situ testing of a computer-based system to enhance community relations through the Neighbourhood Watch scheme. The system is intended for use in a community to help the residents interact with each other more easily and to encourage the reporting of susp...
It is of critical business importance for organizations to keep confidential digital documents secure, as the potential cost and damage incurred from the loss of confidential digital documents have increased significantly in recent years. Digital Rights Management (DRM) was developed to help organizations keep digital documents secure, as one of ma...
Does every organization need to reinvent the wheel when it comes to IT security? Not if the IT community can develop a formal knowledge base for sharing and applying IT security management knowledge. Corporate IT security managers have a difficult time staying on top of the endless tide of new technologies and security threats sweeping into their o...
Many enterprises are currently exploring the po- tential cost benefits of running applications in public clouds. Enterprises often have global security policies to ensure that its information management conforms to business rules and legal mandates. The location of data storage and application execution therefore becomes a critical issue. The preva...
Web 2.0 applications allow individuals to manage their content online and to share it with other users and services on the Web. Such sharing requires access control to be put in place. Existing access control solutions, however, are unsatisfactory as they do not offer the functionality that users need in the open and user-driven Web environment. Ad...
Although adaptivity, the ability to adapt, is an important property of complex computing systems, so far little thought has been given to its evaluation. In this paper we propose a framework and methodology for the definition of benefit-based adaptivity metrics. The metrics thus defined allow an informed choice between systems based on their adapti...
Recent advances in the research of usable security have produced many new security mechanisms that improve usability. However, these mechanisms have not been widely adopted in practice. In most organisations, IT security managers decide on security policies and mechanisms, seemingly without considering usability. IT security managers consider risk...
The rapidly developing Web environment provides users with a wide set of rich services as varied and complex as desktop applications. Those services are collectively referred to as ``Web 2.0'', with examples such as Google Docs, Flickr, or Wordpress, that allow users to create, manage and share their content online. By switching from desktop applic...
This paper discusses about AMB technologies. EU coordination action AMBER is the state of the art document. In this document, the project partners provide an in-depth survey of a wide variety of Assessment, Measurement and Benchmarking (AMB) technologies of resilience of computer and information systems. It discusses methods and techniques related...
Currently ontology development is facilitated by generic ontology editing tools which accommodate ontology experts, and not necessarily those individuals whose knowledge requires capture. Furthermore the process of knowledge capture is time consuming, error prone and requires appropriate technical skills. We propose a graphical editing tool for ont...