
Journal of Information Security and Applications: latest publications

NeuroIDBench: An open-source benchmark framework for the standardization of methodology in brainwave-based authentication research
IF 3.8 | Zone 2, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-18 | DOI: 10.1016/j.jisa.2024.103832
Avinash Kumar Chaurasia, Matin Fallahi, Thorsten Strufe, Philipp Terhörst, Patricia Arias Cabarcos

Biometric systems based on brain activity have been proposed as an alternative to passwords or as a complement to current authentication techniques. By leveraging the unique brainwave patterns of individuals, these systems offer the possibility of creating authentication solutions that are resistant to theft, hands-free, accessible, and potentially even revocable. However, despite the growing stream of research in this area, faster advances are hindered by reproducibility problems. Issues such as the lack of standard reporting schemes for performance results and system configuration, or the absence of common evaluation benchmarks, make comparability and proper assessment of different biometric solutions challenging. Further, barriers are erected to future work when, as so often, source code is not published open access. To bridge this gap, we introduce NeuroIDBench, a flexible open-source tool to benchmark brainwave-based authentication models. It incorporates nine diverse datasets, implements a comprehensive set of pre-processing parameters and machine learning algorithms, enables testing under two common adversary models (known vs. unknown attacker), and allows researchers to generate full performance reports and visualizations. We use NeuroIDBench to investigate the shallow classifiers and deep learning-based approaches proposed in the literature, and to test robustness across multiple sessions. We observe a 37.6% reduction in Equal Error Rate (EER) for unknown attacker scenarios (typically not tested in the literature), and we highlight the importance of session variability to brainwave authentication. All in all, our results demonstrate the viability and relevance of NeuroIDBench in streamlining fair comparisons of algorithms, thereby furthering the advancement of brainwave-based authentication through robust methodological practices.

Citations: 0
Reversible data hiding in encrypted image based on key-controlled balanced Huffman coding
IF 3.8 | Zone 2, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-11 | DOI: 10.1016/j.jisa.2024.103833
Yaolin Yang, Fan Chen, Heng-Ming Tai, Hongjie He, Lingfeng Qu

To achieve privacy protection and effective management in cloud computing, and to solve the problem that existing reversible data hiding in encrypted image (RDH-EI) algorithms are unable to resist various existing attacks, an RDH-EI algorithm based on key-controlled balanced Huffman coding (KBHC) is proposed. The novelty lies in KBHC and variable-length bit scrambling. KBHC possesses non-preset, balanced, and key-controlled characteristics, providing the proposed algorithm with high capacity and enhanced security. The non-preset characteristic allows coding tables to be adaptively generated based on prediction error maps, resulting in shorter encoded streams for higher embedding capacity. The balanced characteristic is achieved by adjusting the subtrees, so that the balance rate in the encoded stream is 0.014, and can also reach 0.065 for particularly smooth images, achieving a uniform distribution of the encoded stream and thereby improving the ability to resist statistical analysis attacks. The random key controls the scrambling of leaf nodes in the Huffman tree, which realizes the variability of the encoded stream and avoids the potential security risks caused by timestamp reconstruction, laying the foundation for differential attack security. Variable-length bit scrambling determines the pseudo-random extension length and scrambling sequence from both the encryption key and the coding table information, effectively resists brute force attacks, and ensures up to a 100% difference rate between scrambling sequences generated in each run. Experimental results demonstrate that, compared to several RDH-EI methods, the proposed algorithm achieves higher embedding capacity and security under acceptable complexity. The average embedding rate over three databases reaches 3.897 bpp, and the proposed algorithm effectively resists statistical analysis attacks, COA, KPA, and differential attacks.

Citations: 0
Enabling security risk assessment and management for business process models
IF 3.8 | Zone 2, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-05 | DOI: 10.1016/j.jisa.2024.103829
David G. Rosado, Luis E. Sánchez, Ángel Jesús Varela-Vaca, Antonio Santos-Olmo, María Teresa Gómez-López, Rafael M. Gasca, Eduardo Fernández-Medina

Business processes (BP) are considered the enterprise's cornerstone but are increasingly in the spotlight of attacks. Therefore, the design of business processes must consider the security risks and be adequately integrated into the information and operational systems. However, security risk assessment and management are rarely considered at the level of business processes during design time, let alone a risk architecture that takes into account the connections and dependencies of risks across the levels of the organisation, business processes, and information systems. In general, most approaches deal with integrating new artefacts into business process models to support risk analysis, but sometimes the notation can increase complexity, making it difficult to have a risk management tool to support the analysis. After analysing the current risk processes and frameworks, we have realised that the organisational and business process levels are often neglected. In this paper, the MARISMA-BP (MARISMA for Business Process) pattern is proposed, a security risk pattern to enable the assessment and management of risks for business process models. This approach is an artefact that has been validated in a real scenario following the design science methodology. Further, the MARISMA-BP pattern is supported by eMARISMA, an automated infrastructure that allows the definition and reuse of each risk component, helping us to carry out the risk assessment and management process in an efficient and dynamic way. To demonstrate the applicability of the proposal, the MARISMA-BP pattern is applied to a real health-based business process scenario. The findings illustrate the efficacy of MARISMA-BP within eMARISMA for comprehensive risk assessment and management, underscoring its versatility and practical relevance in any business process environment.

Citations: 0
Specifying cycles of minimal length for commonly used linear layers in block ciphers
IF 3.8 | Zone 2, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-04 | DOI: 10.1016/j.jisa.2024.103824
Guoqiang Deng, Yongzhuang Wei, Xuefeng Duan, Enes Pasalic, Samir Hodžić

The nonlinear invariant attack applied to lightweight block ciphers relies on the existence of a nonlinear invariant $g:\mathbb{F}_2^n \to \mathbb{F}_2$ for the round function. Whereas invariants of the entire S-box layer have been studied in terms of the corresponding cycle structure, a similar analysis for the linear layer has not been performed yet. In this article, we provide a theoretical analysis for specifying the minimal length of cycles for commonly used linear permutations in lightweight block ciphers. Namely, using a suitable matrix representation, we exactly specify the minimal cycle lengths for those linear layers that employ ShiftRows, Rotational-XOR and circular Boolean matrix operations, which can be found in many well-known families of block ciphers. These results are practically useful for the purpose of finding nonlinear invariants of the entire encryption rounds, since these can be specified using the intersection of cycles corresponding to the linear and S-box layers. We also apply our theoretical analysis in practice and specify minimal cycle lengths of linear layers for certain families of block ciphers, including some NIST candidates.

Citations: 0
SL3PAKE: Simple Lattice-based Three-party Password Authenticated Key Exchange for post-quantum world
IF 3.8 | Zone 2, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-07-02 | DOI: 10.1016/j.jisa.2024.103826
Vivek Dabra, Saru Kumari, Anju Bala, Sonam Yadav

Three-party Password Authenticated Key Exchange (3PAKE) is a protocol in which two parties generate the same session key with the help of a trusted server. With the evolution of quantum computers, there is a growing need to develop 3PAKE protocols that can resist quantum attacks. Hence, various 3PAKE protocols have been proposed based on the well-known Ring Learning With Errors (RLWE) problem. But we find that all these protocols are vulnerable to signal leakage attacks if their public/private keys are reused. Also, the design of these protocols is quite complex, making them highly inefficient. Hence, to overcome the above issues, we propose Simple Lattice-based 3PAKE (SL3PAKE), which is simple in its design and resists the signal leakage attack even if its public/private keys are reused. The order and flow of messages in the proposed SL3PAKE protocol is quite natural, without added complexity, which makes it a simple 3PAKE protocol. Finally, we present a comparative analysis of the communication overhead of the proposed SL3PAKE and other three-party protocols. The analysis shows that the proposed SL3PAKE protocol has much lower communication overhead and fewer communication rounds than the other three-party protocols.

Citations: 0
Dynamic-anonymous privacy-preserving authenticated aggregation for safety-warning system for the Internet of Vehicles
IF 3.8 | Zone 2, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-06-29 | DOI: 10.1016/j.jisa.2024.103830
Girraj Kumar Verma, Nahida Majeed Wani, Saurabh Rana, Neeraj Kumar, Asheesh Tiwari

Currently, the connectivity of vehicles using the latest communication and computing technologies has grown into the Internet of Vehicles (IoV). IoV has been utilized to foster an easy traffic flow by sharing safety-warning messages. However, authentication and confidentiality of the shared information is a challenging issue. To solve the problem, various privacy-preserving authenticated data-aggregation schemes have been devised. However, existing schemes have shortcomings, specifically a heavy computational cost and the need for a secure channel. Besides, static pseudonyms may increase the risk of a vehicle's privacy leakage. In response to these challenges, this study introduces a new pairing-less and secure privacy-preserving authenticated data aggregation (PLS-PPADA) scheme. Leveraging the pairing-less and certificate-based setting, the PLS-PPADA scheme emerges as a robust, efficient, and effective solution for safety-warning systems in IoV. Further, to resolve the risk of privacy leakage due to static pseudonyms, the paradigm of fuzzy identity has been utilized. Thus, it achieves efficiency and dynamic anonymity and also does not require a secure channel for key sharing. A comprehensive security analysis underscores its effective data protection capabilities, and an efficiency comparison presents it as a compelling alternative to existing state-of-the-art schemes.

Citations: 0
AFTLNet: An efficient adaptive forgery traces learning network for deep image inpainting localization
IF 3.8 | Zone 2, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS | Pub Date: 2024-06-28 | DOI: 10.1016/j.jisa.2024.103825
Xiangling Ding, Yingqian Deng, Yulin Zhao, Wenyi Zhu

Deep-learning-based image inpainting repairs a region with visually believable content, leaving behind imperceptible traces. Since deep image inpainting approaches can malevolently remove key objects and erase visible copyright watermarks, the need for an effective method to distinguish the inpainted regions has become urgent. In this work, we propose an adaptive forgery trace learning network (AFTLN), which consists of two sub-blocks: the adaptive block and the Densenet block. Specifically, the adaptive block exploits an adaptive difference convolution to maximize the forgery traces by iteratively updating its weights. Meanwhile, the Densenet block improves the feature weights and reduces the impact of noise on the forgery traces. An image-inpainting detector, namely AFTLNet, is designed by integrating AFTLN with neural architecture search and with global and local attention modules, which aim to find potential tampered regions, enhance feature consistency, and reduce intra-class differences, respectively. The experimental results show that our proposed AFTLNet exceeds existing inpainting detection approaches. Finally, an inpainting dataset of 26K image pairs is constructed for future research. The dataset is available at https://pan.baidu.com/s/10SRJeQBNnTHJXvxl8xzHcg with password: 1234.

Citations: 0
Detecting malicious DoH traffic: Leveraging small sample analysis and adversarial networks for detection
IF 3.8, Zone 2 Computer Science, Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-06-28. DOI: 10.1016/j.jisa.2024.103827
Shaoqian Wu, Wei Wang, Zhanmeng Ding

In light of the escalating frequency of DNS attacks, it is imperative to bolster user security and privacy through the encryption of DNS queries. However, conventional methods for detecting malicious DNS traffic are no longer effective on encrypted traffic, particularly with the DNS-over-HTTPS (DoH) protocol, which carries DNS resolution over HTTPS. To confront this challenge, we propose a novel model for detecting malicious DoH traffic, named DoH-TriCGAN, which distinguishes between non-DoH, benign DoH, and malicious DoH traffic. DoH-TriCGAN employs a conditional generative adversarial network comprising three network components, in which the conditioning information is supplied only to the generator. We extracted several small-sample datasets and one large-sample dataset from the CIRA-CIC-DoHBrw-2020 dataset to evaluate the efficiency and effectiveness of the proposed DoH-TriCGAN model, and compared the quality of the generated synthetic data. To establish a benchmark, we used six metrics – accuracy, precision, recall, F1-score, ROC_AUC, and PR_AUC – to assess the performance of our model. The results demonstrate that our proposed model outperforms the other five models (RF, XGBoost, BiGRU, Autoencoder, Transformer), performing best in scenarios with limited training samples, while also demonstrating data expansion capability by generating high-quality synthetic data to address the problem of insufficient network traffic.

Citations: 0
Statistical privacy protection for secure data access control in cloud
IF 3.8, Zone 2 Computer Science, Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-06-27. DOI: 10.1016/j.jisa.2024.103823
Yaser Baseri , Abdelhakim Hafid , Mahdi Daghmehchi Firoozjaei , Soumaya Cherkaoui , Indrakshi Ray

Cloud Service Providers (CSPs) allow data owners to migrate their data to resource-rich and powerful cloud servers and provide individual users with access to this data. Some of this data may be highly sensitive and important, and CSPs cannot always be trusted to provide secure access. It is also important for end users to protect their identities against malicious authorities and providers when they access services and data. Attribute-Based Encryption (ABE) is an end-to-end public key encryption mechanism which provides secure and reliable fine-grained access control over encrypted data using defined policies and constraints. Since, in ABE, users are identified by their attributes and not by their identities, collecting and analyzing attributes may reveal their identities and violate their anonymity. To this end, we define a new anonymity model in the context of ABE. We analyze several existing anonymous ABE schemes and identify their vulnerabilities in user authorization and user anonymity protection. Subsequently, we propose a Privacy-Preserving Access Control Scheme (PACS), which supports multiple authorities, anonymizes user identity, and is immune to user collusion attacks, authority collusion attacks and chosen plaintext attacks. We also propose an extension of PACS, called Statistical Privacy-Preserving Access Control Scheme (SPACS), which preserves statistical anonymity even if malicious authorities and providers statistically analyze the attributes. Lastly, we show that the efficiency of our scheme is comparable to other existing schemes. Our analysis shows that SPACS can successfully protect against Collision Attacks and Chosen Plaintext Attacks.

Citations: 0
Ciphertext policy attribute-based encryption scheme supporting Boolean circuits over ideal lattices
IF 5.6, Zone 2 Computer Science, Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2024-06-19. DOI: 10.1016/j.jisa.2024.103822
Chao Ma, Haiying Gao, Bin Hu

Given that fast implementations exist for multiplication over ideal lattices, we construct a selectively secure ciphertext policy attribute-based encryption scheme supporting Boolean circuits, built on a non-monotonic linear secret sharing scheme. It uses the trapdoor generation algorithm TrapGen to generate the public parameters and the preimage sampling algorithm SamplePre to embed the public parameters and randomness into the user's secret key, which randomizes the secret key. Sharing and reconstruction of the secret in the encryption and decryption algorithms are achieved by a non-monotonic linear secret sharing scheme. Compared to existing ciphertext policy attribute-based encryption schemes based on a similar sampling algorithm, the ciphertext size is significantly reduced.

Citations: 0