International Journal of Cyber-Security and Digital Forensics

8

Authors: Yoshihiro Kita, Fumio Sugai, MiRang Park, Naonobu Okazaki

Recently, mobile terminals such as smartphones have come into widespread use. Most of such mobile terminals store several types of important data, such as personal information. Therefore, it is necessary to lock and unlock terminals using a personal authentication method such as personal identification numbers (PINs) in order to prevent data theft. However, most existing authentication methods have a common problem referred to here as “shoulder-surfing”, in which authentication information is covertly obtained by a person watching “over-the-shoulder” of a user as he/she completes the authentication sequence. In the present paper, a new icon-based authentication method that is simple but sufficiently secure even when the authentication sequence is being watched is proposed. The proposed method is implemented on a mobile data terminal and is evaluated through experiments and questionnaire surveys.

9

Authors: Shuhui Hou, Siu-Ming Yiuy, Tetsutaro Ueharaz, Ryoichi Sasakix

Capturing digital evidence is crucial for counteracting against computer and cyber crimes. The technique of cloning the whole harddisk (for single PC) for investigation is not feasible in large sharing systems (e.g. in a third-party email server, data center or cloud system). Privacy is also a major concern as most of the data in these systems is not relevant to the crime case. The problem is how to retrieve the relevant information without the investigator knowing, other irrelevant data while the server administrator does not know what the investigator is searching. To solve this problem, Hou et al. modelled the problem as a secure keyword searching problem and proposed a number of encryption-based schemes. While the schemes are theoretically sound, the efficiency is a concern. Besides, there are several shortcomings in their schemes. Data integrity and authenticity are not considered; re-encryption for each investigator is needed if there are multiple investigators. In this paper, we solve the same problem using the technique of secret sharing to improve efficiency. By exploiting the homomorphic property of the secret sharing schemes, data integrity and authenticity can be guaranteed using digital signature. Our solution can also handle multiple investigators more efficiently. We showed that our solution is more efficient by experiments and comparing the number of operations required by our solution with some existing work.

9

Authors: S. Kami Makki, Md. Sadekur Rahman

Information theft or data leakage is a growing concern for companies, as well as, individual users. Intruders can easily copy a huge amount of confidential data using hand-held devices such as USB flash drives, iPods, digital cameras or any other external storage devices. Data theft can simply occur through both insiders and outsiders of a corporation. It is becoming the biggest challenge for companies, since the storage devices are becoming smaller in size, easier to use, have higher capacity and data transmission speed. Furthermore, these devices can easily be misplaced or stolen and sensitive data can easily be exposed. In this paper we present a multilevel password verification system for prevention of information theft by removable devices to protect data leakage by various portable devices. Our proposed system consists of three main modules: 1) portable storage device monitoring, 2) activity logging and data encryption, and 3) device authorization. These modules cooperate with each other to provide required security, and prevent information theft from the individual users and companies.

11

Authors: Frances Bernadette C. De Ocampo, Trisha Mari L. Del Castillo, Miguel Alberto N. Gomez

Signature-based Intrusion Detection System (IDS) helps in maintaining the integrity of data in a network controlled environment. Unfortunately, this type of IDS depends on predetermined intrusion patterns that are manually created. If the signature database of the Signature-based IDS is not updated, network attacks just pass through this type of IDS without being noticed. To avoid this, an Anomaly-based IDS is used in order to countercheck if a network traffic that is not detected by Signature-based IDS is a true malicious traffic or not. In doing so, the Anomaly-based IDS might come up with several numbers of logs containing numerous network attacks which could possibly be a false positive. This is the reason why the Anomaly-based IDS is not perfect, it would readily alarm the system that a network traffic is an attack just because it is not on its baseline. In order to resolve the problem between these two IDSs, the goal is to correlate data between the logs of the Anomaly-based IDS and the packet that has been captured in order to determine if a network traffic is really malicious or not. With the supervision of a security expert, the malicious network traffic would be verified as malicious. Using machine learning, the researchers can identify which algorithm is better than the other algorithms in classifying if a certain network traffic is really malicious. Upon doing so, the creation of signatures would follow by basing the automated creation of signatures from the detected malicious traffic.

11

Authors: Mohammad Rasool Sarrafi Aghdam, Noboru Sonehara

K-anonymity is the model that is widely used to protect the privacy of individuals in publishing micro-data. It could be defined as clustering with constrain of minimum k tuples in each group. K-anonymity cuts down the linking confidence between sensitive information and specific individual by the ration of 1/k. However, the accuracy of the data in k-anonymous dataset decreases due to information loss. Moreover, most of the current approaches are for numerical attributes or in case of categorical attributes they require extra information such as attribute hierarchical taxonomies which often do not exist. In this paper we propose a new model, based on clustering, defining the distance between tuples including numerical and categorical attributes which does not require extra information and present the SpatialDistance (SD) heuristic algorithm. Comparisons of experimental results on real datasets between SD algorithm and existing well-known algorithms show that SD performs the best and offers much higher data utility and reduces the information loss significantly.

12

Authors: Ralph Edem Agbefu, Yoshiaki Hori, Kouichi Sakurai

Malicious web pages that host drive by download exploits have become a popular means by which an attacker delivers malicious contents to computers across the internet. The popularity of the attack has led to researchers developing systems to detect and stop such attacks. These methods include dynamic solutions, static solutions and the use of blacklisting and whitelisting methods. Blacklisting and in particular URL blacklisting is one of such detection methods. URL blacklisting analyzes the structure of a web page URL. URL blacklisting are however prone to evasion attacks when the lexical structure of the URL changes. In this paper, we propose the usage of domain related information for the detection of drive by download web pages. These domain features are used to model a scoring mechanism classification system. We show the effectiveness of detecting malicious web pages using domain based by obtaining a high detection rate and a relatively low false negative.

14

Authors: Cheng Qu, Yinyan Yu, Zhi Tang, Xiaoyu Cui

A digital file has both the content and physical information, however the latter was not fully made use of in previous digital rights management (DRM) systems. This paper introduces the idea of making use of file physical information to improve the system security and provides a scheme based on this idea to resist the replay attack in DRM systems. In our scheme, compared to commonly used schemes, we remove the dependency on continuous online connection from the client-side to the server-side or the usage of tamper-proof hardware, such as Trusted Platform Module (TPM). The scheme is appropriate for offline digital content usage. Primary experiments demonstrate that our scheme is secure enough to be put into practice use.

16

Authors: Shuhui Hou, Siu-Ming Yiuy, Tetsutaro Ueharaz, Ryoichi Sasakix

Capturing digital evidence is crucial for counteracting against computer and cyber crimes. The technique of cloning the whole harddisk (for single PC) for investigation is not feasible in large sharing systems (e.g. in a third-party email server, data center or cloud system). Privacy is also a major concern as most of the data in these systems is not relevant to the crime case. The problem is how to retrieve the relevant information without the investigator knowing, other irrelevant data while the server administrator does not know what the investigator is searching. To solve this problem, Hou et al. modelled the problem as a secure keyword searching problem and proposed a number of encryption-based schemes. While the schemes are theoretically sound, the efficiency is a concern. Besides, there are several shortcomings in their schemes. Data integrity and authenticity are not considered; re-encryption for each investigator is needed if there are multiple investigators. In this paper, we solve the same problem using the technique of secret sharing to improve efficiency. By exploiting the homomorphic property of the secret sharing schemes, data integrity and authenticity can be guaranteed using digital signature. Our solution can also handle multiple investigators more efficiently. We showed that our solution is more efficient by experiments and comparing the number of operations required by our solution with some existing work.

18

Authors: Farid Daryabar, Ali Dehghantanha, Nur Izura Udzir, Nor Fazlida binti Mohd Sani, Solahuddin bin Shamsuddin

Nowadays, digital storage of computer data is moving toward cloud computing which is a set of infrastructure provides data storage for organizations and individuals. Due to this large scale, in case an attack occurs in the network of a cloud it would be a big challenge to investigate the cloud. Therefore, digital forensics in cloud computing is a new discipline related to the increasing use of computers, networks and digital storage devices in numerous criminal activities in both traditional and Hi-Tech. This study reviews the literature on some challenges in cloud computing forensic investigation, and it is followed by evaluation and analysis of all types of information on cloud computing and its impacts on computer forensic investigations in publishing alliances with the survey was carried out in the field.

29

Authors: Farhood Norouzizadeh Dezfoli, Ali Dehghantanha, Ramlan Mahmoud, Nor Fazlida Binti Mohd Sani, Farid Daryabar

Nowadays, rapid evolution of computers and mobile phones has caused these devices to be used in criminal activities. Providing appropriate and sufficient security measures is a difficult job due to complexity of devices which makes investigating crimes involving these devices even harder. Digital forensic is the procedure of investigating computer crimes in the cyber world. Many researches have been done in this area to help forensic investigation to resolve existing challenges. This paper attempts to look into trends of applications of digital forensics and security at hand in various aspects and provide some estimations about future research trends in this area.

5

Authors: Somdip Dey

In this paper, the author presents an advanced version of image encryption technique, which is itself an upgraded version of SD-EI image encryption method. In this new method, SD-EI Ver-2, there are more bit wise manipulations compared to original SD-EI method. The proposed method consist of three stages: 1) First, a number is generated from the password and each pixel of the image is converted to its equivalent eight binary number, and in that eight bit number, the number of bits, which are equal to the length of the number generated from the password, are rotated and reversed; 2) In second stage, extended hill cipher technique is applied by using involutory matrix, which is generated by same password used in second stage of encryption to make it more secure; 3) In last stage, we perform modified Cyclic Bit manipulation. First, the pixel values are again converted to their 8 bit binary format. Then 8 consecutive pixels are chosen and a 8X8 matrix is formed out of these 8 bit 8 pixels. After that, matrix cyclic operation is performed randomized number of times, which is again dependent on the password provided for encryption. After the generation of new 8 bit value of pixels, they are again converted to their decimal format and the new value is written in place of the old pixel value. SD-EI Ver-2 has been tested on different image files and the results were very satisfactory.

6

Authors: Julia Juremi, Ramlan Mahmod, Salasiah Sulaiman, Jazrin Ramli

This paper presents a new AES-like design for key- dependent AES using S-box rotation. The algorithm involves key expansion algorithm together with S-box rotation and this property can be used to make the S-box key-dependent, hence providing a better security to the block cipher. Fixed S-box allows attackers to study S- box and find weak points while by using key-dependent S-Box approach, it makes it harder for attacker to do any offline analysis of an attack of one particular set of S- boxes. The cipher structure resembles the original AES, only the S-box is made key-dependent without changing the value. This new design is tested using the NIST Statistical Test and will be further cryptanalyzed with algebraic attack in order to permit its subversion or evasion.

7

Authors: Kamarularifin Abd Jalil, Qatrunnada Binti Abdul Rahman

The deficient of a good authentication protocol in a ubiquitous application environment has made it a good target for adversaries. As a result, all the devices which are participating in such environment are said to be exposed to attacks such as identity impostor, man-in-the-middle attacks and also unauthorized attacks. Thus, this has created skeptical among the users and has resulted them of keeping their distance from such applications. For this reason, in this paper, we are proposing a new authentication protocol to be used in such environment. Unlike other authentication protocols which can be adopted to be used in such environment, our proposed protocol could avoid a single point of failures, implements trust level in granting access and also promotes decentralization. It is hoped that the proposed authentication protocol can reduce or eliminate the problems mentioned.

7

Authors: Ghassan Samara

Vehicular Ad hoc Network security is one of the hottest topics of research in the field of network security. One of the ultimate goals in the design of such networking is to resist various malicious abuses and security attacks. In this research new security mechanism is proposed to reduce the channel load resulted from frequent warning broadcasting happened in the adversary discovery process – Accusation Report (AR) - which produces a heavy channel load from all the vehicles in the road to report about any new adversary disovery. Furthermore, this mechanism will replace the Certificate Revocation List (CRL), which cause long delay and high load on the channel with Local Revocation List (LRL) which will make it fast and easy in the adversary discovery process.

7

Authors: Fazli Bin Mat Nor, Kamarularifin Abd Jalil, Jamalul-lail Ab Manan

Lack of security awareness amongst end users when dealing with online banking and electronic commerce leave many client side application vulnerabilities open. Thus, this is enables attackers to exploit the vulnerabilities and launch client-side attacks such as man-in-the-browser attack. The attack is designed to manipulate sensitive information via client’s application such as internet browser by taking advantage of the browser’s extension vulnerabilities. This attack exists due to lack of preventive measurement to detect any malicious changes on the client side platform. Therefore, in this paper we are proposing an enhanced remote authentication protocol with hardware based attestation and pseudonym identity enhancement to mitigate man-in-the-browser attacks as well as improving user identity privacy.

8

Authors: Alireza Tamjidyamcholo, Rawaa Dawoud Al-Dabbagh

Nowadays, information systems constitute a crucial part of organizations; by losing security, these organizations will lose plenty of competitive advantages as well. The core point of information security (InfoSecu) is risk management. There are a great deal of research works and standards in security risk management (ISRM) including NIST 800-30 and ISO/IEC 27005. However, only few works of research focus on InfoSecu risk reduction, while the standards explain general principles and guidelines. They do not provide any implementation details regarding ISRM; as such reducing the InfoSecu risks in uncertain environments is painstaking. Thus, this paper applied a genetic algorithm (GA) for InfoSecu risk reduction in uncertainty. Finally, the effectiveness of the applied method was verified through an example.

8

Authors: Kee-Won Kim, Jun-Cheol Jeon

Recently, various finite field arithmetic structures are introduced for VLSI circuit implementation on cryptosystems and error correcting codes. In this study, we present an efficient finite field arithmetic architecture based on cellular semi-systolic array for Montgomery multiplication by choosing a proper Montgomery factor which is highly suitable for the design on parallel structures. Therefore, our architecture has reduced a time complexity by 50% compared to typical architecture.

8

Authors: Liam Smit, Adrie Stander, Jacques Ophoff

An important feature within a mobile-cellular net- work is that the location of a cellphone can be determined. As long as the cellphone is powered on, the location of the cellphone can always be traced to at least the cell from which it is receiving, or last received, signal from the cellular network. Such network-based methods of estimating the location of a cellphone is useful in cases where the cellphone user is unable or unwilling to reveal his or her location, and have practical value in digital forensic investigations. This study investigates the accuracy of using mobile-cellular network base station information for estimating the location of cellphones. Through quantitative analysis of mobile-cellular network base station data, large variations between the best and worst accuracy of recorded location information is exposed. Thus, depending on the requirements, base station locations may or may not be accurate enough for a particular application.

9

Authors: Sina Manavi, Sadra Mohammadalian, Nur Izura Udzir, Azizol Abdullah

cloud security is one of the buzz words in cloud computing. Since virtualization is the fundamental of the cloud computing, needs to study it more deeply to avoid attacks and system failure. In this research is focused on virtualization vulnerabilities. In addition it is attempted to propose a model to secure and proper mechanism to react reasonable against the detected attack by intrusion detection system. With the secured model (SVM), virtual machines will be resist more efficiency against the attacks in cloud computing.

9

Authors: Mohd Anuar Mat Isa, Jamalul-lail Ab Manan, Ramlan Mahmod, Habibah Hashim, Nur Izura Udzir, Ali Dehghan Tanha, Mar Yah Said

International standard and certification play major role in product distributions and marketing activities. To be well accepted in global market, all IT products and services require international evaluation and certification such as Common Criteria (CC) certification. This paper discusses some of the security, trust and privacy issues in Common Criteria that would happen during evaluation and certification of IT products and services. Our main intention is to help interested stake holders in choosing a finest authorizing member of CC certification for IT products and services using our new trust model. The proposed trust models takes into account the dynamically changing international relationship among nations which produces an index value during selection of finest CC authorizing member. The trust models use game theory to identify the finest CC authorizing member. We hope to contribute to this area of research by lessening the “cost to market” of IT products and related services. It is anticipated that it would give positive impact on global business transaction by having better and wider acceptability using our models in the selection of the finest CC authorizing member, CC consumer, and vendor (manufacturer).

9

Authors: Ahmad Abusukhon, Mohamad Talib, Issa Ottoum

Security becomes an important issue when secure or sensitive information is sent over a network where all computers are connected together. In such a network a computer is recognized by its IP address. Unfortunately, an IP address is attacked by hackers; this is where one host claims to have the IP address of another host and thus sends packets to a certain machine causing it to take some sort of action. In order to overcome this problem cryptography is used. In cryptographic application, the data sent are encrypted first at the source machine using an encryption key then the encrypted data are sent to the destination machine. This way the attacker will not have the encryption key which is required to get the original data and thus the hacker is unable to do anything with the session. In this paper, we propose a novel method for data encryption. Our method is based on private key encryption. We call our method Text-To-Image Encryption (TTIE).

10

Authors: Davoud Mougouei, Wan Nurhayati Wan Ab. Rahman, Mohammad Moein Almasi

Addressing security in early stages of web service development has always been a major engineering trend. However, to assure security of web services it is required to perform security evaluation in a rigorous and tangible manner. The results of such an evaluation if performed in early stages of the development process can be used to improve the quality of the target web service. On the other hand, it is impossible to remove all of the security faults during the security analysis of web services. As a result, absolute security is never possible to achieve and a security failure may occur during the execution of web service. To avoid security failures, a measurable level of fault tolerance is required to be achieved through partial satisfaction of security goals. Thus any proposed measurement technique must care for this partiality. Even though there are some approaches toward assessing the security of web services but still there is no precise model for evaluation of security goal satisfaction specifically during the requirement engineering phase. This paper introduces a Security Measurement Model (SMM) for evaluating the Degree of Security (DS) in security requirements of web services by taking into consideration partial satisfaction of security goals. The proposed model evaluates overall security of the target service through measuring the security in Security Requirement Model (SRM) of the service. The proposed SMM also takes into account cost, technical ability, impact and flexibility as the key features of security evaluation.

10

Authors: A. Z. Yonis, M. F. L. Abdullah

Long Term Evolution (LTE-Advanced) is a preliminary mobile communication standard formally submitted as a candidate for 4G systems to the ITU-T. LTE-A is being standardized by the 3rd Generation Partnership Project (3GPP) as a major enhancement of the 3GPP Long Term Evolution (LTE-Release 8) standard, which proved to be sufficient to satisfy market‟s demand. The 3GPP group has been working on different aspects to improve LTE performance, where the purpose of the framework provided by LTE-Advanced, includes higher order MIMO, carrier aggregation (carriers with multiple components), peak data rate, and mobility. This paper presents a study on LTE evolution toward LTE-Advanced in terms of LTE enabling technologies (Orthogonal Frequency Division Multiplexing (OFDM) and Multiple-Input Multiple-Output (MIMO)), and also focuses on LTE- Advanced technologies MIMO enhancements for LTE-Advanced, Coordinated Multi Point transmission (CoMP).

12

Authors: Pin Shen Teh, Shigang Yue, Andrew B.J. Teoh

In this paper we study the performance and effect of diverse keystroke feature combinations on keystroke dynamics authentication system by using fusion approach. First of all, four types of keystroke features are acquired from our collected dataset, later then transformed into similarity scores by using Gaussian Probability Density Function (GPD) and Direction Similarity Measure (DSM). Next, three fusion approaches are introduced to merge the scores pairing with different combinations of fusion rules. Result shows that the finest performance is obtained by the combination of both dwell time and flight time collectively. Finally, this experiment also investigates the effect of using larger dataset on recognition performance, which turns out to be rather consistent.

13

Authors: Asou Aminnezhad, Ali Dehghantanha, Mohd Taufik Abdullah

Privacy issues have always been a major concern in computer forensics and security and in case of any investigation whether it is pertaining to computer or not always privacy issues appear. To enable privacy’s protection in the physical world we need the law that should be legislated, but in a digital world by rapidly growing of technology and using the digital devices more and more that generate a huge amount of private data it is impossible to provide fully protected space in cyber world during the transfer, store and collect data. Since its introduction to the field, forensics investigators, and developers have faced challenges in finding the balance between retrieving key evidences and infringing user privacy. This paper looks into developmental trends in computer forensics and security in various aspects in achieving such a balance. In addition, the paper analyses each scenario to determine the trend of solutions in these aspects and evaluate their effectiveness in resolving the aforementioned issues.

14

Authors: Hasan Alkahtani, Robert Goodwin, Paul Gardner-Stephen

This paper presents the results of a survey of email users in different regions of Saudi Arabia about email SPAM. The survey investigated the nature of email SPAM, how email users in the eastern, western, central, southern and northern dealt with it, and the efforts made to combat it. It also investigated the effectiveness of existing Anti-SPAM filters in detecting Arabic and English email SPAM. 1,500 participants located in the eastern, western, central, southern and northern regions of Saudi Arabia were surveyed and completed surveys were collected from 1,020 of the participants. The results showed that there were different definitions for email SPAM based on different users’ opinions in Saudi Arabia. The results showed that the participants in the central and western regions were more aware of SPAM than the participants in other regions. The results revealed that the volume of email SPAM was different from region to another and the volume of SPAM received by the participants in the northern and central regions was larger than that received in other regions. The results indicated that the majority of email SPAM received by the participants in different regions was written in English. The results showed that the most common type of email SPAM received in Arabic was emails related to forums and in English was phishing and fraud, and business advertisements. The results also showed that a few participants in all regions responded to SPAM and the average of the participants who responded to SPAM was larger in the southern region than other regions. The results showed that most of the participants were not aware of Anti-SPAM programs and the participants in the central region were more aware of Anti-SPAM programs than the participants in other regions. The results showed that the participants in all regions estimated that the existing Anti-SPAM programs were more effective in detecting English SPAM than Arabic SPAM. The results showed that most of the participants in all regions were not aware of the government efforts to combat SPAM and the participants in the central region were more aware of the government efforts than the participants in other regions. The results also showed that most of the participants in all regions were not aware of the ISPs efforts to combat SPAM and the participants in the central and western regions were more aware of the ISPs efforts than the participants in other regions.

15

Authors: Mouna Jouini, Anis Ben Aissa, Latifa Ben Arfa Rabai, Ali Mili

Cloud computing is a prospering technology that most organizations consider as a cost effective strategy to manage Information Technology (IT). It delivers computing services as a public utility rather than a personal one. However, despite the significant benefits, these technologies present many challenges including less control and a lack of security. In this paper, we illustrate the use of a cyber security metrics to define an economic security model for cloud computing system. We, also, suggest two cyber security measures in order to better understand system threats and, thus, propose appropriate counter measure to mitigate them.

17

Authors: Mohammed Ibrahim, Mohd Taufik Abdullah, Ali Dehghantanha

Voice over Internet Protocol (VoIP) is a new communication technology that uses internet protocol in providing phone services. VoIP provides various forms of benefits such as low monthly fee and cheaper rate in terms of long distance and international calls. However, VoIP is accompanied with novel security threats. Criminals often take advantages of such security threats and commit illicit activities. These activities require digital forensic experts to acquire, analyses, reconstruct and provide digital evidence. Meanwhile, there are various methodologies and models proposed in detecting, analysing and providing digital evidence in VoIP forensic. However, at the time of writing this paper, there is no model formalized for the reconstruction of VoIP malicious attacks. Reconstruction of attack scenario is an important technique in exposing the unknown criminal acts. Hence, this paper will strive in addressing that gap. We propose a model for reconstructing VoIP malicious attacks. To achieve that, a formal logic approach called Secure Temporal Logic of Action(S-TLA+) was adopted in rebuilding the attack scenario. The expected result of this model is to generate additional related evidences and their consistency with the existing evidences can be determined by means of S-TLA+ model checker.