International Journal of Information Security

Trust modeling in a distributed collaborative environment: application to a collaborative healthcare system
Barhoun R and Ed-Daibouni M
The issue of trust is a primary concern for individuals in distributed collaborative environments (DCEs), particularly in emergencies such as the COVID-19 pandemic. In these environments, collaboration and access to services are achieved through collaborative activities, so collaborators must have a certain level of trust to participate in and achieve the goals of these activities. Most of the trust models proposed for DCEs do not consider collaboration as a factor influencing trust, so they do not help users determine who to trust, what level of trust to assign, and why trust is important during collaborative activities. In this work, we propose a new trust model for DCEs that considers collaboration as an influencing factor in evaluating users' trust levels according to the goals they want to achieve during a collaborative activity. One of the strengths of our proposed model is that it also assesses the trust of collaborative teams. Our model relies on three trust components (recommendation, reputation, and collaboration) to assess trust relationships, and we dynamically assign weights to each trust component using the weighted moving average and ordered weighted averaging combination algorithm to increase flexibility. The healthcare case prototype we developed demonstrates that our trust model is an effective approach for reinforcing trustworthiness in DCEs.
A novel hybrid hunger games algorithm for intrusion detection systems based on nonlinear regression modeling
Mohammadi S and Babagoli M
Along with the advancement of online platforms and significant growth in Internet usage, various threats and cyber-attacks have been emerging and become more complicated and perilous on a day-to-day basis. Anomaly-based intrusion detection systems (AIDSs) are lucrative techniques for dealing with cybercrimes. As a relief, AIDS can be equipped with artificial intelligence techniques to validate traffic contents and tackle diverse illicit activities. A variety of methods have been proposed in the literature in recent years. Nevertheless, several important challenges like high false alarm rates, antiquated datasets, imbalanced data, insufficient preprocessing, lack of optimal feature subset, and low detection accuracy in different types of attacks have still remained to be solved. In order to alleviate these shortcomings, in this research a novel intrusion detection system that efficiently detects various types of attacks is proposed. In preprocessing, Smote-Tomek link algorithm is utilized to create balanced classes and produce a standard CICIDS dataset. The proposed system is based on gray wolf and Hunger Games Search (HGS) meta-heuristic algorithms to select feature subsets and detect different attacks such as distributed denial of services, Brute force, Infiltration, Botnet, and Port Scan. Also, to improve exploration and exploitation and boost the convergence speed, genetic algorithm operators are combined with standard algorithms. Using the proposed feature selection technique, more than 80 percent of irrelevant features are removed from the dataset. The behavior of the network is modeled using nonlinear quadratic regression and optimized utilizing the proposed hybrid HGS algorithm. The results show the superior performance of the hybrid algorithm of HGS compared to the baseline algorithms and the well-known research. As shown in the analogy, the proposed model obtained an average test accuracy rate of 99.17%, which has better performance than the baseline algorithm with 94.61% average accuracy.
Blockchain and smart contract architecture for notaries services under civil law: a Brazilian experience
Dias Menezes L, de Araújo LV and Nishijima M
This paper proposes a blockchain solution for some activities currently performed by notary offices under the Civil Law judiciary that is technically viable. The architecture is also planned to accommodate Brazil's legal, political, and economic requirements. Notaries are responsible for providing various intermediation services for civil transactions, where their primary role is to be the trusted party capable of guaranteeing the authenticity of these transactions. This type of intermediation is common and demanded in Latin American countries, such as Brazil, which is regulated by a Civil Law judiciary. The lack of adequate technology to meet such legal demands leads to an excess of bureaucracy, dependence on manual document and signature checks, and centralized and face-to-face actions in the physical dependence of the notary. To deal with this scenario, this work presents a blockchain-based solution to make some of the activities performed by notaries automatic, guaranteeing non-modification and adherence to civil laws. Thus, the suggested framework was evaluated in accordance with Brazilian legislation and provides an economic evaluation of the proposed solution.
Stealing PINs via mobile sensors: actual risk versus user perception
Mehrnezhad M, Toreini E, Shahandashti SF and Hao F
In this paper, we present the actual risks of stealing user PINs by using mobile sensors versus the perceived risks by users. First, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing any permission from the user. By analysing these streams, it infers the user's PIN using an artificial neural network. Based on a test set of fifty 4-digit PINs, PINlogger.js is able to correctly identify PINs in the first attempt with a success rate of 74% which increases to 86 and 94% in the second and third attempts, respectively. The high success rates of stealing user PINs on mobile devices via JavaScript indicate a serious threat to user security. With the technical understanding of the information leakage caused by mobile phone sensors, we then study users' perception of the risks associated with these sensors. We design user studies to measure the general familiarity with different sensors and their functionality, and to investigate how concerned users are about their PIN being discovered by an app that has access to all these sensors. Our studies show that there is significant disparity between the actual and perceived levels of threat with regard to the compromise of the user PIN. We confirm our results by interviewing our participants using two different approaches, within-subject and between-subject, and compare the results. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective in preventing such side channel attacks.
DOMtegrity: ensuring web page integrity against malicious browser extensions
Toreini E, Shahandashti SF, Mehrnezhad M and Hao F
In this paper, we address an unsolved problem in the real world: how to ensure the integrity of the web content in a browser in the presence of malicious browser extensions? The problem of exposing confidential user credentials to malicious extensions has been widely understood, which has prompted major banks to deploy two-factor authentication. However, the importance of the "integrity" of the web content has received little attention. We implement two attacks on real-world online banking websites and show that ignoring the "integrity" of the web content can fundamentally defeat two-factor solutions. To address this problem, we propose a cryptographic protocol called DOMtegrity to ensure the end-to-end integrity of the DOM structure of a web page from delivering at a web server to the rendering of the page in the user's browser. DOMtegrity is the first solution that protects DOM integrity without modifying the browser architecture or requiring extra hardware. It works by exploiting subtle yet important differences between browser extensions and in-line JavaScript code. We show how DOMtegrity prevents the earlier attacks and a whole range of man-in-the-browser attacks. We conduct extensive experiments on more than 14,000 real-world extensions to evaluate the effectiveness of DOMtegrity.
Robotics cyber security: vulnerabilities, attacks, countermeasures, and recommendations
Yaacoub JA, Noura HN, Salman O and Chehab A
The recent digital revolution led robots to become integrated more than ever into different domains such as agricultural, medical, industrial, military, police (law enforcement), and logistics. Robots are devoted to serve, facilitate, and enhance the human life. However, many incidents have been occurring, leading to serious injuries and devastating impacts such as the unnecessary loss of human lives. Unintended accidents will always take place, but the ones caused by malicious attacks represent a very challenging issue. This includes maliciously hijacking and controlling robots and causing serious economic and financial losses. This paper reviews the main security vulnerabilities, threats, risks, and their impacts, and the main security attacks within the robotics domain. In this context, different approaches and recommendations are presented in order to enhance and improve the security level of robotic systems such as multi-factor device/user authentication schemes, in addition to multi-factor cryptographic algorithms. We also review the recently presented security solutions for robotic systems.
Anomalous behavior detection-based approach for authenticating smart home system users
Amraoui N and Zouari B
This paper presents Duenna, an authentication framework for smart home systems (SHSs). When using controlling apps (e.g., a smartphone app), Duenna makes sure that only legitimate SHS users are allowed to operate their Internet of things (IoT) devices. Duenna is built upon a behavioral anomaly detection (BAD)-based approach. In particular, we hypothesize that SHS users usually operate their home IoT devices in typical and distinctive patterns. Therefore, users that attempt to operate devices differently from such a regular behavior are considered malicious. Technically, Duenna operates in two modes. In an initialization operation, Duenna first collects and processes the historical cyber and physical activities of an SHS user in addition to the historical states of the SHS itself to build a set of incremental anomaly detection (AD) models. Then, in an interactive operation, the trained AD models are, then, used as a baseline from which anomalous commands (i.e., outliers) are detected and rejected, while regular commands (i.e., targets) are considered legitimate and allowed to be executed. Through an empirical evaluation conducted on real-world data, Duenna exhibits high authentication rates ensuring both security and user experience. The findings obtained from such evaluation show that a user behavior-based approach is a promising security scheme that could be integrated into existing SHS platforms.
A Digital Asset Inheritance Model to Convey Online Persona Posthumously
Singh RG, Shrivastava A and Ruj S
The astounding growth of the Internet has generated extensively. Users are concerned about asset management so that the asset can be conveyed successfully to the descendent posthumously. Very few works have addressed designing and modeling of digital asset inheritance (DAI) from a technical design perspective. They have several inherent limitations such as incorrect death confirmation, high participation of nominee, the possibility of failure to obtain recovery key, and are based on many unreasonable assumptions, thus inefficient to design in the real life. In this paper, we have formalized the different categories of digital assets and defined the various security goals, required functionalities, and necessary entities to build an asset inheritance model. We have also proposed a new protocol named digital asset inheritance protocol (DAIP) using certificateless encryption (CLE) and identity-based system (IBS) to convey the user's online persona efficiently to the descendent after his death. DAIP allows the nominee to successfully retrieve the asset after the user's demise, even if a nominee is uninformed regarding the asset. We, then, provide rigorous security proofs of various properties using worlds paradigm. Finally, we have implemented DAIP model using PBC and pycryptodome library. The simulation results affirm that it can be practically efficient to implement.
Highly private blockchain-based management system for digital COVID-19 certificates
Pericàs-Gornals R, Mut-Puigserver M and Payeras-Capellà MM
As a result of the declaration of the COVID-19 pandemic, several proposals of blockchain-based solutions for digital COVID-19 certificates have been presented. Considering that health data have high privacy requirements, a health data management system must fulfil several strict privacy and security requirements. On the one hand, confidentiality of the medical data must be assured, with the data owner (the patient) being the actor that maintains control over the privacy of their certificates. On the other hand, the entities involved in the generation and validation of certificates must be supervised by a regulatory authority. This set of requirements is generally not achieved together in previous proposals. Moreover, it is required that a digital COVID-19 certificate management protocol provides an easy verification process and also strongly avoids the risk of forgery. In this paper we present the design and implementation of a protocol to manage digital COVID-19 certificates where individual users decide how to share their private data in a hierarchical system. In order to achieve this, we put together two different technologies: the use of a proxy re-encryption (PRE) service in conjunction with a blockchain-based protocol. Additionally, our protocol introduces an authority to control and regulate the centers that can generate digital COVID-19 certificates and offers two kinds of validation of certificates for registered and non-registered verification entities. Therefore, the paper achieves all the requirements, that is, data sovereignty, high privacy, forgery avoidance, regulation of entities, security and easy verification.
A review on fake news detection 3T's: typology, time of detection, taxonomies
Rastogi S and Bansal D
Fake news has become an industry on its own, where users are paid to write fake news and create clickbait content to allure the audience. Apparently, the detection of fake news is a crucial problem and several studies have proposed machine-learning-based techniques to combat fake news. Existing surveys present the review of proposed solutions, while this survey presents several aspects that are required to be considered before designing an effective solution. To this aim, we provide a comprehensive overview of false news detection. The survey presents (1) a clarity to problem definition by explaining different types of false information (like fake news, rumor, clickbait, satire, and hoax) with real-life examples, (2) a list of actors involved in spreading false information, (3) actions taken by service providers, (4) a list of publicly available datasets for fake news in three different formats, i.e., texts, images, and videos, (5) a novel three-phase detection model based on the time of detection, (6) four different taxonomies to classify research based on new-fangled viewpoints in order to provide a succinct roadmap for future, and (7) key bibliometric indicators. In a nutshell, the survey focuses on three key aspects represented as the three T's: Typology of false information, Time of detection, and Taxonomies to classify research. Finally, by reviewing and summarizing several studies on fake news, we outline some potential research directions.
How education level influences internet security knowledge, behaviour, and attitude: a comparison among undergraduates, postgraduates and working graduates
An Q, Hong WCH, Xu X, Zhang Y and Kolletar-Zhu K
During the pandemic, the prevailing online learning has brought tremendous benefits to the education field. However, it has also become a target for cybercriminals. Cybersecurity awareness (CSA) or Internet security awareness in the education sector turns out to be critical to mitigating cybersecurity risks. However, previous research indicated that using education level alone to judge CSA level received inconsistent results. This study postulated Social Educational Level (SEL) as a moderator with an extended Knowledge-Attitude-Behaviour model, used students' year level as a proxy for the impact of education level, and used work exposure for the influence of social education level, to compare CSA among undergraduates, postgraduates and working graduates. The participants in the study were divided into six groups, namely year 1 university students, year 2-3 university students, final-year students, postgraduate students, young working graduates, and experienced working graduates. The Human Aspects of Information Security Questionnaire was used to conduct a large-scale survey. The multivariate regression model analysis showed significant differences among the and dimensions across groups with different conditions of year-level and work exposure. However, it was found that SEL played a more significant role than an individual's education level. The study suggested that a greater endeavour be committed to educating the public at large together with individuals, institutes, corporate and governments to improve the national CSA level.
Design and analysis of DDoS mitigating network architecture
Swati, Roy S, Singh J and Mathew J
Distributed Denial of Service (DDoS) attacks have emerged as the top security threat with the rise of e-commerce in recent years. Volumetric attacks are the most common DDoS attacks that aim to overwhelm the victim's bandwidth. The current mitigation methods use reactive filtering techniques that are not magical and straightforward solutions. In this paper, we propose a network architecture based on the capability to address the threat of DDoS attacks. Physically Unclonable Functions (PUFs) have emerged as a promising solution in security. Motivated by the capability approach, we put forward a network architecture where the routers use Transient Effect Ring Oscillator PUF to generate and verify capabilities. This novel hardware-based solution, to address the problem, has reduced the computational overhead of capability generation. Additionally, the destination has complete control over the incoming traffic in the proposed architecture, resulting in uninterrupted communication with the legitimate clients regardless of the attacker traffic. The large-scale simulation on an open-source Network Simulator (NS-3) has shown that the proposed architecture efficiently mitigates DDoS attacks to a large extent. With our proposed architecture, the throughput was hardly affected when attacker traffic was varied from 10 to 80%.
Defense against membership inference attack in graph neural networks through graph perturbation
Wang K, Wu J, Zhu T, Ren W and Hong Y
Graph neural networks have demonstrated remarkable performance in learning node or graph representations for various graph-related tasks. However, learning with graph data or its embedded representations may induce privacy issues when the node representations contain sensitive or private user information. Although many machine learning models or techniques have been proposed for privacy preservation of traditional non-graph structured data, there is limited work to address graph privacy concerns. In this paper, we investigate the privacy problem of embedding representations of nodes, in which an adversary can infer the user's privacy by designing an inference attack algorithm. To address this problem, we develop a defense algorithm against white-box membership inference attacks, based on perturbation injection on the graph. In particular, we employ a graph reconstruction model and inject a certain size of noise into the intermediate output of the model, i.e., the latent representations of the nodes. The experimental results obtained on real-world datasets, along with reasonable usability and privacy metrics, demonstrate that our proposed approach can effectively resist membership inference attacks. Meanwhile, based on our method, the trade-off between usability and privacy brought by defense measures can be observed intuitively, which provides a reference for subsequent research in the field of graph privacy protection.
Privacy in targeted advertising on mobile devices: a survey
Ullah I, Boreli R and Kanhere SS
Targeted advertising has transformed the marketing landscape for a wide variety of businesses, by creating new opportunities for advertisers to reach prospective customers by delivering personalised ads, using an infrastructure of a number of intermediary entities and technologies. The advertising and analytics companies collect, aggregate, process, and trade a vast amount of users' personal data, which has prompted serious privacy concerns among both individuals and organisations. This article presents a comprehensive survey of the privacy risks and proposed solutions for targeted advertising in a mobile environment. We outline details of the information flow between the advertising platform and ad/analytics networks, the profiling process, the measurement analysis of targeted advertising based on user's interests and profiling context, and the ads delivery process, for both in-app and in-browser targeted ads; we also include an overview of data sharing and tracking technologies. We discuss challenges in preserving the mobile user's privacy that include threats related to private information extraction and exchange among various advertising entities, privacy threats from third-party tracking, re-identification of private information and associated privacy risks. Subsequently, we present various techniques for preserving user privacy and a comprehensive analysis of the proposals based on such techniques; we compare the proposals based on the underlying architectures, privacy mechanisms, and deployment scenarios. Finally, we discuss the potential research challenges and open research issues.
Cyber insurance: state of the art, trends and future directions
Tsohou A, Diamantopoulou V, Gritzalis S and Lambrinoudakis C
Society has become increasingly dependent on IT infrastructure and services. Additionally, the pandemic of COVID-19 forced the transition of the traditional way of working (i.e., physical presence) into a more modern and flexible one (i.e., working remotely). This has led to an increase of cyberattacks, as a direct consequence of the increase of the attack surface but subsequently also led to an increased necessity for the protection of information systems. Toward the protection of information systems, cyber insurance is considered as a strategy for risk management, where necessary. Cyber insurance is emerging as an important tool to protect organizations against cyberattack-related losses. In this work, we extensively examine the relevant literature on cybersecurity insurance, research and practice, in order to draft the current landscape and present the trends.
Simulation extractable versions of Groth's zk-SNARK revisited
Amine O, Baghery K, Pindado Z and Ràfols C
Zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) are the most efficient proof systems in terms of proof size and verification. Currently, Groth's scheme from EUROCRYPT 2016, , is the state-of-the-art and is widely deployed in practice. is originally proven to achieve knowledge soundness, which does not guarantee the non-malleability of proofs. There has been considerable progress in presenting new zk-SNARKs or modifying to efficiently achieve Simulation extractability, which is shown to be a necessary requirement in some applications. In this paper, we revise the Random oracle based variant of proposed by Bowe and Gabizon, BG18, the most efficient one in terms of prover efficiency and CRS size among the candidates, and present a more efficient variant that saves 2 pairings in the verification and 1 group element in the proof. This supersedes our preliminary construction, presented in CANS 2020 (Baghery et al. in CANS 20, volume 12579 of LNCS, Springer, Heidelberg. pp 453-461, 2020), which saved 1 pairing in the verification, and was proven in the generic group model. Our new construction also improves on BG18 in that our proofs are in the algebraic group model with Random Oracles and reduces security to standard computational assumptions in bilinear groups (as opposed to using the full power of the generic group model (GGM)). We implement our proposed simulation extractable zk-SNARK (SE zk-SNARK) along with BG18 in the Arkworks library, and compare the efficiency of our scheme with some related works. Our empirical experiences confirm that our SE zk-SNARK is more efficient than all previous simulation extractable (SE) schemes in most dimensions and it has very close efficiency to the original .