contextual factors in mobile security and privacy policy
play

Contextual Factors in Mobile Security and Privacy Policy Enforcement - PowerPoint PPT Presentation

Aug 17, 2022 •224 likes •542 views

Contextual Factors in Mobile Security and Privacy Policy Enforcement Mobile Services and Edge Computing Workshop, Helsinki, 28.7.2016 Markus Miettinen Technische Universitt Darmstadt 28.07.2016 | Fachbereich Informatik | Lehrstuhl

  1. Contextual Factors in Mobile Security and Privacy Policy Enforcement Mobile Services and Edge Computing Workshop, Helsinki, 28.7.2016 Markus Miettinen Technische Universität Darmstadt 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 1

  2. About the Speaker Alumnus of the University of Helsinki 13 years experience in industrial R&D at NOKIA Research Center Helsinki, Finland and Lausanne, Switzerland Researcher at Fraunhofer Institute for Secure Information Technology, Darmstadt Since 2013 Researcher at Technische Universität Darmstadt Areas of interest include Mobile Security, Context- Awareness, Data analysis for security applications and IoT Security 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 2

  3. Outline Context-aware policy adaptation • Utilizing profiled information about the context to make access control decisions Context-based Proofs-of-Presence (PoP) • Using context measurements to verify co-presence of two devices 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 3

  4. What is Context? In this presentation: Any properties of the physical ambient environment that mobile devices can sense with their on-board sensors. 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 4

  5. Context-Aware Policy Adaptation Markus Miettinen, Stephan Heuser, Wiebke Kronz, N. Asokan and Ahmad-Reza Sadeghi ” Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2014) , June 2014. 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 5

  6. Security and Context Rich sensing capabilities New context-aware apps and services All of these features need to be managed! Challenge: How to make security & privacy policy management • User-friendly • Personalized • Context-aware 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 6 6

  7. Challenge: Inflexible device lock Many people feel device locks to be too difficult to use, leaving their device unprotected  need for a better device locking mechanism Goal: context-sensitive device locking:  Quick locking in high-risk contexts  Fewer passcode requests in low-risk contexts 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 7 7 Markus Miettinen

  8. Challenge: Sensory Malware Mobile apps tend to ask for excessive permissions  Users often grant permissions automatically Adversary: Sensory Malware  malicious software can use sensors to collect potentially sensitive information from user’s context  e.g., audio, video, accelerometer, etc.  Need for more fine-grained, context-sensitive permission management Goal: restrict apps’ access to sensors in sensitive contexts 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 8

  9. Legacy solution: user-specified, pre-defined policies This has some Drawbacks: A quick remedy: One preconfigured policy - Difficult to understand - Inflexible - Time-consuming - Not personalized - Likelihood of erroneous policies is high - May surprise users M. Covington, P. Fogla, Z. Zhan, and M. Ahamad. A context-aware security architecture for emerging applications. In Computer Security Applications Conference, 2002. Proceedings. 18th Annual, pages 249-258, 2002. M. L. Damiani, E. Bertino, B. Catania, and P. Perlasca. GEO-RBAC: A spatially aware RBAC. ACM Trans. Inf. Syst. Secur., 10(1), Feb. 2007. M. Conti, V. Nguyen, and B. Crispo. CRePE: Context-Related Policy Enforcement for Android. In ISC 2011, volume 6531 of LNCS, pages 331-345. Springer, 2011. 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 9 9

  10. User Perceptions What security concerns do users have with regard to their smartphone? Questionnaires and on-line survey More than 150 participants 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 10

  11. User Perceptions Two main user concerns: Concerns related to privacy exposure  Intrusive apps exfiltrating sensitive user information to unauthorised parties Risk of device misuse  Someone stealing the user‘s device or using it without the user‘s permission 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 11

  12. Main findings from the Survey Perception of risk of device misuse depends on people present and their familiarity, not so much on the place  Estimate familiarity of people Perception of privacy exposure depends on the place itself, not so much on the people present  Estimate familiarity of places 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 12

  13. Our approach Profile user‘s relevant places (= "contexts") Profile frequent social contacts (= devices) Create prediction model for access control based on profiles and sensed data Safe? Unsafe? Sensitive? Public? Relevant places Relations to other users 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 15

  14. Context Features Familiarity of Context (identified through GPS and WiFi)  Number of visits  Time spent in context Familiarity of devices in vicinity (identified thorough Bluetooth)  Number of visible devices  Number of visible familiar devices  Average # of past encounters for familiar devices  Average time spent with familiar devices 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 23

  15. Results Adaptive device lock : 70% TP rate at relatively moderate FP rate of 10% Number of passcode queries reduced by 70%! Sensory malware protection : Random Forest and k-NN achieve 70% TP rate at very low FP rate of 2-3.5% 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 26

  16. Context-based Proofs-of-Presence Markus Miettinen, N. Asokan, Farinaz Koushanfar, Thien Duc Nguyen, Jon Rios, Ahmad-Reza Sadeghi, Majid Sobhani, Sudha Yellapantula, „ I know where you are: Proofs of Presence resilient to malicious provers” 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015) , April 2015. 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 33

  17. Venue check-ins in OSN:s “check - in” Location claim Incentives for location cheating 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 34

  18. Context-based Proofs-of-Presence Luminosity Audio Bluetooth WiFi 𝐷 𝑊 = 𝑛 1 , 𝑛 2 , … Context measurements 𝐷 𝑄 = 𝑛 1 ′, 𝑛 2 ′, … PoP request, 𝐷 𝑄 Verifier 𝑊 Prover 𝑄 If 𝑒𝑗𝑡𝑢(𝐷 𝑊 , 𝐷 𝑄 ) < Δ 𝑢ℎ𝑠 , accept PoP PoP accept 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 36

  19. Location Claim Verification Machine learning-based classification model Trained with a set of annotated pairs of co-located and non- co-located measurements Classifier used to determine whether two measurements originate from co-located devices or not 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 37

  20. Context Guessing Context 𝐷 Malicious prover A Verifier 𝑊 𝐷 𝑊 (𝑢) 𝐷 A (𝑢 − 𝑜) Context replay: 𝐷 A (𝑢 − 𝑜) 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 38

  21. Hardening of PoPs Surprisal filtering  Reject easy-to-guess PoPs Longitudinal ambient context modalities  Increase the inherent entropy of PoPs 41 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 41

  22. Surprisal of Context Measurements We use surprisal to measure how easy it would be for a malicious prover to guess a valid context observation in a context. The higher the surprisal is, the more difficult it would be for the attacker to correctly guess such observations. The surprisal of a context measurement 𝐷 is defined as the self-information that measurement 1 𝐽 𝑃 𝑌 = 𝐷 = log 2 ( 𝑄 𝑃 𝑌 = 𝐷 ) = − log 2 (𝑄(𝑃 𝑌 = 𝐷)) 42 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 42

  23. Types of Context Information Static 𝑒 3 𝑒 2 𝑒 4 WiFi, Bluetooth 𝑒 1 𝑒 5 Dynamic 𝑒 6 𝑒 7 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 43

  24. Surprisal Filtering 1. Profile the occurrence frequency of contextual elements (e.g. WiFi and BT devices) in the context 2. When receiving a PoP, evaluate the surprisal associated with the elements of the verifier’s context measurement. If surprisal is too below surprisal threshold 𝐽 𝑢ℎ𝑠 , reject PoP. 3. 44 28.07.2016 | Fachbereich Informatik | Lehrstuhl Systemsicherheit | Prof. Ahmad-Reza Sadeghi | 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda Protecting mobile devices and your privacy Protecting Mobile Devices and Your Privacy Before We Start The City of Phoenix does not

971 views • 52 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
Privacy CS 4720 Mobile Application Development CS 4720 Creating a Privacy Policy A

Privacy CS 4720 Mobile Application Development CS 4720 Creating a Privacy Policy A

Privacy CS 4720 Mobile Application Development CS 4720 Creating a Privacy Policy A privacy policy is a document created to go with a product (app, website, etc.) that describes how the product and company behind it will do the

523 views • 13 slides
Mobile Ad Effectiveness: Hyper-Contextual Targeting with Crowdednes 2 Mobile Targeting

Mobile Ad Effectiveness: Hyper-Contextual Targeting with Crowdednes 2 Mobile Targeting

Mobile Ad Effectiveness: Hyper-Contextual Targeting with Crowdednes 2 Mobile Targeting Motivation Ad spending: $100B by 2018 Key: reach consumers when and where most receptive 3 eMarketer 2014 Mobile Technology Portability =

464 views • 33 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security &amp; Privacy

1.03k views • 57 slides
Human Factors Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI)

Human Factors Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Human Factors Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Discuss the practical consideration of usability of security

459 views • 31 slides
SESSION 2: CONCEPTUALIZE THE CONTEXTUAL FACTORS Do resea searcher ers s emplo loy y simila

SESSION 2: CONCEPTUALIZE THE CONTEXTUAL FACTORS Do resea searcher ers s emplo loy y simila

SESSION 2: CONCEPTUALIZE THE CONTEXTUAL FACTORS Do resea searcher ers s emplo loy y simila lar cont ntextua tual fact ctor ors? You are given a softcopy of contextual (a.k.a. background) questionnaires used in three different

1.01k views • 32 slides
T Towards Integrated Policy d I t t d P li Managem ent for Privacy Managem ent for Privacy

T Towards Integrated Policy d I t t d P li Managem ent for Privacy Managem ent for Privacy

T Towards Integrated Policy d I t t d P li Managem ent for Privacy Managem ent for Privacy Dr Nick Papanikolaou e-Security Group International Digital Laboratory WMG, University of Warwick , y http: / / go.warwick.ac.uk/ nikos C

168 views • 15 slides
Privacy and Surveillance in Web 2.0 A study in Contextual Integrity, and the Emergence of

Privacy and Surveillance in Web 2.0 A study in Contextual Integrity, and the Emergence of

Privacy and Surveillance in Web 2.0 A study in Contextual Integrity, and the Emergence of Netaveillance Michael Zimmer, PhD Fellow, Information Society Project Yale Law School ASIS&amp;T Annual Conference Milwaukee, WI October 11, 2007

620 views • 22 slides
Contextual factors of the external effectiveness of the university effectiveness of the

Contextual factors of the external effectiveness of the university effectiveness of the

19th International Conference on Computational Statistics Paris - France, August 22-27 Contextual factors of the external effectiveness of the university effectiveness of the university education: a multilevel approach Matilde Bini European

823 views • 14 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security &amp; Privacy Issues in Mobile Cloud Computing Manmohan Chaturvedi ,1 , Sapna Malik,

Security &amp; Privacy Issues in Mobile Cloud Computing Manmohan Chaturvedi ,1 , Sapna Malik,

Security &amp; Privacy Issues in Mobile Cloud Computing Manmohan Chaturvedi ,1 , Sapna Malik, Preeti Aggarwal and Shilpa Bahl Ansal University, Gurgaon- 122011, India 1 mmchaturvedi@ansaluniversity.edu.in Indian Context The potential uptake

1.27k views • 28 slides
Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security Dr. Christos Xenakis Dr. Christoforos Ntantogian Associate Professor, Department of Digital Systems School of Information and Communication

524 views • 26 slides
Privacy and Security: Policy and Tech Tim Bray tbray@textuality.com tbray.org @timbray

Privacy and Security: Policy and Tech Tim Bray tbray@textuality.com tbray.org @timbray

Privacy and Security: Policy and Tech Tim Bray tbray@textuality.com tbray.org @timbray +TimBray Links featured in this talk: goo.gl/ggrSBj Recent security blogging: tbray.org/ongoing/What/Technology/Security Photo: Wikimedia

727 views • 45 slides
Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Mobile Networks - Module H2 Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; privacy preserving routing in ad hoc networks; Slides adapted from Security and

909 views • 55 slides
Perceptive Context Trevor Darrell Vision Interface Group MIT CSAIL Perceptive Context

Perceptive Context Trevor Darrell Vision Interface Group MIT CSAIL Perceptive Context

Perceptive Context Trevor Darrell Vision Interface Group MIT CSAIL Perceptive Context Awareness of the User -- Visual Conversation Cues: Interfaces (kiosks, agents, robots) are currently blind to usersmachines should be aware of

484 views • 36 slides
Contextual apps for Tizen Shashwat Pradhan (Emberify) ( )

Contextual apps for Tizen Shashwat Pradhan (Emberify) ( )

Contextual apps for Tizen Shashwat Pradhan (Emberify) ( ) Introduction to Contextual apps What is context? Context refers to information that characterizes a situation, between: Apps People

830 views • 34 slides
Context-Aware Computing Sfide ed Opportunit Francesco Ricci Free University of Bozen-Bolzano

Context-Aware Computing Sfide ed Opportunit Francesco Ricci Free University of Bozen-Bolzano

Context-Aware Computing Sfide ed Opportunit Francesco Ricci Free University of Bozen-Bolzano fricci@unibz.it Content p Paradox of choice p Personalization p Contextualization p Recommender system p Examples p Issues and problems p Questions

856 views • 28 slides
Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P Presented by Mary Salinas t d b M S li What problem are they trying to solve? l ? Context-aware applications are great for Context aware

164 views • 13 slides
Agenda IoT Xbox How Windows interacts with you app Suspend and resume Background execution

Agenda IoT Xbox How Windows interacts with you app Suspend and resume Background execution

Agenda IoT Xbox How Windows interacts with you app Suspend and resume Background execution Resource management System triggers and notifications Application Lifetime Apps can be in 1 of 3 states Not Running Running Suspended

536 views • 30 slides
How to best deploy your Fog applications, probably Stefano Forti Ahmad Ibrahim Antonio Brogi 1

How to best deploy your Fog applications, probably Stefano Forti Ahmad Ibrahim Antonio Brogi 1

How to best deploy your Fog applications, probably Stefano Forti Ahmad Ibrahim Antonio Brogi 1 st International Conference on Fog and Edge Computing 2017 14 th May 2017 name.surname@di.unipi.it IoT and Cloud Computing 50 billion of connected

545 views • 30 slides
PointGrow: Autoregressively Learned Point Cloud Generation with Self-Attention Anonymous Authors

PointGrow: Autoregressively Learned Point Cloud Generation with Self-Attention Anonymous Authors

PointGrow: Autoregressively Learned Point Cloud Generation with Self-Attention Anonymous Authors Key Ideas Generate realistic point cloud from scratch or conditioned on semantic contexts Recurrent sampling operation Augment with

1.23k views • 21 slides
Interactivity for Reactive Access Control To appear in Secrypt 2008 Yehia ElRakaiby, Frederic

Interactivity for Reactive Access Control To appear in Secrypt 2008 Yehia ElRakaiby, Frederic

TELECOM Bretagne Interactivity for Reactive Access Control To appear in Secrypt 2008 Yehia ElRakaiby, Frederic Cuppens &amp; Nora Cuppens Boulahia TELECOM Institute ; TELECOM Bretagne D epartement R eseau S ecurit e et Multim

395 views • 17 slides

More recommend