GTM: Game Theoretic Methodology for optimal cybersecurity defending strategies and investments
Ioannis Kalderemidis, Aristeidis Farao, Panagiotis Bountakas, S. Panda, C. Xenakis
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3544431
Abstract: Investments in cybersecurity are essential for organizations to protect operational activities, develop trust relationships with clients, and maintain financial stability. A cybersecurity breach can lead to financial losses as well as damage to the reputation of an organization. Protecting an organization from cyber attacks demands considerable investment; however, it is known that organisations divide their budget unequally between cybersecurity and other technological needs. Organizations must consider cybersecurity measures, including but not limited to security controls, in their cybersecurity investment plans. Nevertheless, designing an effective cybersecurity investment plan that optimally distributes the cybersecurity budget is a primary concern. This paper presents GTM, a methodology implemented as a tool dedicated to providing optimal cybersecurity defense strategies and investment plans. GTM utilizes attack graphs to predict all possible cyber attacks, game theory to simulate the cyber attacks, and 0-1 Knapsack to optimally allocate the budget. The output of GTM is an optimal cybersecurity strategy that includes security controls to protect the organisation against potential cyber attacks and enhance its cyber defenses. Furthermore, GTM's effectiveness is evaluated on three use cases and compared against different attacker types under various scenarios.
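The abstract names 0-1 Knapsack as GTM's budget-allocation step. The following is an added illustration of that step, not code from the paper or the GTM tool: it selects, by exact dynamic programming, the subset of security controls whose total cost fits the budget and whose summed risk reduction is largest, and contrasts the result with a greedy cost-effectiveness pick that is not optimal. The control names, costs and risk-reduction values are constructed; in GTM those values would come from the attack-graph and game-theoretic stages, which this example does not model.

```python
"""Selecting security controls under a fixed budget with 0-1 knapsack.

Added illustration of the knapsack step named in the abstract; it is not
GTM's code. The control catalogue below is constructed: costs are in
budget units and risk_reduction is the expected loss each control avoids
(assumed to be supplied by an earlier risk-analysis stage).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    cost: int              # integer budget units keep the DP table exact
    risk_reduction: float  # expected loss avoided when the control is deployed


CONTROLS = [
    Control("MFA on VPN", 30, 40.0),
    Control("EDR rollout", 50, 55.0),
    Control("Network segmentation", 60, 60.0),
    Control("Patch management", 20, 30.0),
    Control("Security awareness training", 10, 12.0),
]


def select_controls(controls, budget):
    """Exact 0-1 knapsack by dynamic programming.

    best[b] holds the maximal risk reduction reachable with total cost <= b
    using the controls processed so far; chosen[i][b] records whether
    control i is part of that optimum, so the selected set can be rebuilt.
    Returns (selected controls in catalogue order, total cost, total risk reduction).
    """
    n = len(controls)
    best = [0.0] * (budget + 1)
    chosen = [[False] * (budget + 1) for _ in range(n)]
    for i, c in enumerate(controls):
        # Walk budgets downward so each control is counted at most once.
        for b in range(budget, c.cost - 1, -1):
            candidate = best[b - c.cost] + c.risk_reduction
            if candidate > best[b]:
                best[b] = candidate
                chosen[i][b] = True
    picked, b = [], budget
    for i in range(n - 1, -1, -1):
        if chosen[i][b]:
            picked.append(controls[i])
            b -= controls[i].cost
    picked.reverse()
    return picked, sum(c.cost for c in picked), best[budget]


def greedy_by_ratio(controls, budget):
    """Greedy baseline: take controls in decreasing risk_reduction/cost order
    while they still fit. Fast, but not optimal for 0-1 selection."""
    picked, remaining = [], budget
    for c in sorted(controls, key=lambda c: c.risk_reduction / c.cost, reverse=True):
        if c.cost <= remaining:
            picked.append(c)
            remaining -= c.cost
    return picked, budget - remaining, sum(c.risk_reduction for c in picked)


if __name__ == "__main__":
    for label, fn in (("exact", select_controls), ("greedy", greedy_by_ratio)):
        picked, cost, value = fn(CONTROLS, 100)
        print(f"{label}: cost={cost} risk_reduction={value} -> {[c.name for c in picked]}")
```

With a budget of 100 the exact solver spends the whole budget on MFA, EDR and patch management (risk reduction 125), whereas the greedy pick stops at 82 because after the three cheapest high-ratio controls nothing else fits. Integer costs are deliberate: the table has budget+1 columns, so costs expressed in fine-grained units should be scaled down before calling the solver.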
Analyzing Coverages of Cyber Insurance Policies Using Ontology
Markos Charalambous, Aristeidis Farao, George Kalatzantonakis, Panagiotis Kanakakis, Nikos Salamanos, Evangelos E. Kotsifakos, Evangellos Froudakis
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3544453
Abstract: In an era where all transactions, businesses and services are becoming digital and online, the protection of data assets and services is of utmost importance. Cyber-insurance companies offer a wide range of coverages, but they also have exclusions. Customers of these companies need to be able to understand the terms and conditions of the related contracts, and furthermore they need to be able to compare various offerings in order to determine the most appropriate solutions for their needs. Research in the area is very limited while at the same time the related market is growing, giving every potential solution a high value. In this paper, we propose a methodology and a prototype system that will help customers to compare contracts based on a pre-defined ontology that describes cyber-insurance terms. After a first preliminary analysis and validation, the accuracy of our approach averages almost 50%, a promising initial evaluation. Fine tuning, assessment on a larger data set and ontology refinement will be our next steps to improve the accuracy of our tool. Real user evaluation will follow, in order to evaluate the tool in real-world cases.
Themis: A Secure Decentralized Framework for Microservice Interaction in Serverless Computing
Angeliki Aktypi, Dimitris Karnikis, N. Vasilakis, Kasper Bonne Rasmussen
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3538983
Abstract: In serverless computing, applications are composed of stand-alone microservices that are invoked and scale up independently. Peer-to-peer protocols can be used to enable decentralized communication among the services that compose each application. This paper presents Themis, a framework for secure service-to-service interaction targeting these environments and the underlying service mesh architectures. Themis builds on a notion of decentralized identity management to allow confidential and authenticated service-to-service interaction without the need for a centralized certificate authority. Themis adopts a layered architecture. Its lower layer forms a core communication protocol pair that offers strong security guarantees without depending on a centralized point of authority. Building on this pair, an upper layer provides a series of actions related to communication and identifier management, e.g., store, find, and join. This paper analyzes the security properties of Themis's protocol suite and shows how it provides a decentralized and flexible communication platform. The evaluation of our Themis prototype targeting serverless applications written in JavaScript shows that these security benefits come with small runtime latency and throughput overheads, and modest startup overheads.
Automatic online quantification and prioritization of data protection risks
Sascha Sven Zmiewski, Jan Laufer, Z. Mann
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3539005
Abstract: Data processing systems operate in increasingly dynamic environments, such as in cloud or edge computing. In such environments, changes at run time can result in the dynamic appearance of data protection vulnerabilities, i.e., configurations in which an attacker could gain unauthorized access to confidential data. An autonomous system can mitigate such vulnerabilities by means of automated self-adaptations. If there are several data protection vulnerabilities at the same time, the system has to decide which ones to address first. In other areas of cybersecurity, risk-based approaches have proven useful for prioritizing where to focus efforts for increasing security. Traditionally, risk assessment is a manual and time-consuming process. On the other hand, addressing run-time risks requires timely decision-making, which in turn necessitates automated risk assessment. In this paper, we propose a mathematical model for quantifying data protection risks at run time. This model accounts for the specific properties of data protection risks, such as the time it takes to exploit a data protection vulnerability and the damage caused by such exploitation. Using this risk quantification, our approach can make, in an automated process, sound decisions on prioritizing data protection vulnerabilities dynamically. Experimental results show that our risk prioritization method leads to a reduction of up to 15.8% in the damage caused by data protection vulnerabilities.
Job Adverts Analyzer for Cybersecurity Skills Needs Evaluation
Sara Ricci, Marek Sikora, Simon Parker, I. Lendák, Yianna Danidou, Argyro Chatzopoulou, Rémi Badonnel, Donatas Alksnys
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3543821
Abstract: This article presents a new free web-based application, the Cybersecurity Job Ads Analyzer, which has been created to collect and analyse job adverts using a machine learning algorithm. This algorithm enables the detection of the skills required in advertised cybersecurity work positions. The application is both interactive and dynamic, allowing for automated analyses and for the underlying database of job adverts to be easily updated. Through the Cybersecurity Job Ads Analyzer, it is possible to explore the skills required over time, and thereby enable academia and other training providers to better understand and address the needs of the industry. We describe in detail the user interface and technical background of the application, as well as highlight the preliminary statistical results we have obtained from analysing the current database of job adverts.
Revisiting a Privacy-Preserving Location-based Service Protocol using Edge Computing
S. Upadhyaya, S. Vivek
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3544432
Abstract: Location-based services are getting more popular day by day. Finding nearby stores, proximity-based marketing, on-road service assistance, etc., are some of the services that use location-based services. In location-based services, user information like user identity, user query, and location must be protected. Ma et al. (INFOCOM-BigSecurity 2019) proposed a privacy-preserving location-based service using Somewhat Homomorphic Encryption (SHE). Their protocol uses edge nodes that compute on SHE-encrypted location data and determine the k-nearest points of interest held by the Location-based Server (LBS) without revealing the original user coordinates to the LBS, hence ensuring the privacy of users' locations. In this work, we show that the above protocol by Ma et al. has a critical flaw. In particular, we show that their secure comparison protocol has a correctness issue: it does not lead to a correct comparison. A major consequence of this flaw is that straightforward approaches to fixing it make their protocol insecure. Namely, the LBS would be able to recover the actual locations of the users in each and every query.
SoK: How private is Bitcoin? Classification and Evaluation of Bitcoin Privacy Techniques
Simin Ghesmati, W. Fdhila, E. Weippl
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3538971
Abstract: Blockchain is a disruptive technology that promises a multitude of benefits, such as transparency, traceability, and immutability. However, this unique bundle of key characteristics has proved to be a double-edged sword that can put users' privacy at risk. Unlike in traditional systems, Bitcoin transactions are publicly and permanently recorded, and anyone can access the full history of the records. Despite the use of pseudonymous identities, an adversary can undermine users' financial privacy and reveal their actual identities by using advanced heuristics and techniques to identify possible links between transactions, senders, receivers, and consumed services (e.g., online purchases). Hence, a multitude of approaches has been proposed to reduce financial transparency and enhance users' anonymity. These techniques range from mixing services to off-chain transactions that address different privacy issues. In this paper, we particularly focus on comparing and evaluating privacy techniques in the Bitcoin blockchain (which can also be applied in other Unspent Transaction Output (UTXO)-based blockchains), present their limitations, and highlight new challenges.
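One of the heuristics the abstract alludes to is common-input ownership: all inputs of a transaction are assumed to be controlled by the same entity, so spending addresses can be merged into clusters. The following is an added example, not code from the SoK, that clusters addresses over a constructed set of UTXO-style transactions with a union-find structure, and shows why a mixing transaction (a CoinJoin with several equal-valued outputs) has to be filtered out before applying the heuristic, since otherwise unrelated users are merged into one cluster. The transaction ids, addresses and values are constructed; the CoinJoin detector is a deliberately simple equal-output test, not a production classifier.

```python
"""Common-input-ownership clustering of Bitcoin-style addresses.

Added example, not code from the SoK. The heuristic assumes that all inputs
of one transaction are controlled by the same entity. Mixing transactions
(CoinJoin) deliberately violate that assumption, so a filter for them is
applied before clustering. All transactions, addresses and values below are
constructed.
"""
from collections import Counter, defaultdict

# Constructed transactions: inputs and outputs are (address, value in satoshi).
TXS = [
    {"txid": "t1", "inputs": [("A1", 50_000), ("A2", 30_000)],
     "outputs": [("M1", 70_000), ("A3", 9_000)]},
    {"txid": "t2", "inputs": [("A3", 9_000)],
     "outputs": [("M2", 8_500)]},
    {"txid": "t3", "inputs": [("B1", 100_000)],
     "outputs": [("B2", 60_000), ("B3", 39_000)]},
    # CoinJoin-style: three parties contribute one input each and receive one
    # equal-valued output each plus their own change.
    {"txid": "t4", "inputs": [("A4", 120_000), ("B2", 60_000), ("C1", 70_000)],
     "outputs": [("X1", 50_000), ("X2", 50_000), ("X3", 50_000),
                 ("A5", 69_000), ("B4", 9_000), ("C2", 19_000)]},
]


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def looks_like_coinjoin(tx, min_parties=3):
    """Equal-output heuristic: at least min_parties inputs and at least
    min_parties outputs of identical value suggest a CoinJoin."""
    if len(tx["inputs"]) < min_parties or not tx["outputs"]:
        return False
    most_common_count = Counter(v for _, v in tx["outputs"]).most_common(1)[0][1]
    return most_common_count >= min_parties


def cluster_addresses(txs, skip_coinjoin=True):
    """Return a list of frozensets; each set is one inferred owner of the
    spending (input) addresses seen in txs."""
    ds = DisjointSet()
    for tx in txs:
        spenders = [addr for addr, _ in tx["inputs"]]
        for addr in spenders:
            ds.find(addr)  # register even if it ends up a singleton
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue  # inputs of a mix belong to different parties
        for addr in spenders[1:]:
            ds.union(spenders[0], addr)
    groups = defaultdict(set)
    for addr in ds.parent:
        groups[ds.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def same_owner(clusters, a, b):
    """True if the heuristic places addresses a and b in one cluster."""
    return any(a in c and b in c for c in clusters)


if __name__ == "__main__":
    for skip in (True, False):
        print("skip_coinjoin =", skip)
        for c in cluster_addresses(TXS, skip_coinjoin=skip):
            print("  ", sorted(c))
```

With the filter on, A1 and A2 are merged (they co-spend in t1) while the three inputs of the mix t4 stay separate; with the filter off, A4, B2 and C1 collapse into one bogus owner, which is exactly the false linkage a CoinJoin is designed to provoke. Real analyses combine this with further heuristics (change-output detection, address reuse, timing), each with its own false-positive profile.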
Security of Smart Grid Networks in the Cyber Ranges
Tomáš Lieskovan, J. Hajny
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3543801
Abstract: Smart meters are increasingly a part of everyday households. They allow remote reading of energy consumption but also remote disconnection of the point of consumption from the energy supply. As these devices are part of a country's critical infrastructure, their security needs to be tested and the relevant personnel trained. We would like to contribute to the scientific community by bringing practical experience from smart meter testing into the Cyber Range virtual environment. In this environment, professionals working with smart meters can be trained and smart meter security tests can be performed. This paper presents common smart meter vulnerabilities and their demonstration in the Cyber Range environment. The article includes a sample description of a testing scenario so anyone can try it.
Classifying the factors affecting the adoption of the SDN-microSENSE innovations
Theodoros Rokkas, I. Neokosmidis
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3544481
Abstract: This paper presents the results of a survey conducted to identify the most critical factors that can affect the market adoption of the innovations developed in the H2020 R&I project SDN-microSENSE. A hierarchy of the main criteria and sub-criteria was created using the Fuzzy Analytical Hierarchy Process method, and experts in the area expressed their preferences through a web-based survey. The results of this process provide insight into the experts' view of the importance of the factors that are crucial for the adoption of cyber-security solutions in the Electrical Power and Energy Systems domain.
Combining Variational Autoencoders and Transformer Language Models for Improved Password Generation
D. Biesner, K. Cvejoski, R. Sifa
Proceedings of the 17th International Conference on Availability, Reliability and Security, 2022-08-23. DOI: https://doi.org/10.1145/3538969.3539000
Abstract: Password generation techniques have recently been explored by leveraging deep-learning natural language processing (NLP) algorithms. Previous work has raised the state of the art for password guessing algorithms significantly, by approaching the problem using either variational autoencoders with CNN-based encoder and decoder architectures or transformer-based architectures (namely GPT2) for text generation. In this work we aim to combine both paradigms, introducing a novel architecture that leverages the expressive power of transformers with the natural sampling approach to text generation of variational autoencoders. We show how our architecture generates state-of-the-art results in password matching performance across multiple benchmark datasets.