Four papers from SECRETLab accepted in the 40th IEEE Computer Society International Conference on Computers, Software & Applications (COMPSAC), 2016. Congratulations to Shams Zawoad, Rasib Khan, Ragib Hasan, Shahid Noor, Munirul Haque, and Darrell Burke.
1. Shams Zawoad and Ragib Hasan “Chronos: Towards Securing System Time in the Cloud for Reliable Forensics Investigation“, the 40th IEEE Computer Society International Conference on Computers, Software & Applications (COMPSAC), Atlanta, Georgia, June 2016. (Acceptance rate 18%).
Abstract: In digital forensics investigations, the system time of computing resources can provide critical information to implicate or exonerate a suspect. In clouds, alteration of the system time of a virtual machine (VM) or a cloud host machine can provide unreliable time information, which in turn can mislead an investigation in the wrong direction. In this paper, we propose Chronos to secure the system time of cloud hosts and VMs in an untrusted cloud environment. Since it is not possible to prevent a malicious user or a dishonest insider of a cloud provider from altering the system time of a VM or a host machine, we propose a tamper-evident scheme to detect this malicious behavior at the time of investigation.
We integrate Chronos with a popular open-source cloud platform – OpenStack and evaluate the feasibility of Chronos while running 20 VMs on a single host machine. Our test results suggest that, Chronos can be easily deployed in the existing cloud with very low overheads, while achieving a high degree of trustworthiness of the system time of the cloud hosts and VMs.
2. Ragib Hasan, Shams Zawoad, Shahid Noor, Md Munirul Haque, and Darrell Burke “How Secure is the Healthcare Network from Insider Attacks? An Audit Guideline for Vulnerability Analysis“, 40th IEEE Computer Society International Conference on Computers, Software & Applications (COMPSAC), Atlanta, Georgia, June 2016. (Short Paper Acceptance Rate 20%)
Abstract: In recent years, wireless communication has become popular in healthcare infrastructures. The availability of wireless interfaces with the new generation medical devices has spawned numerous opportunities in providing better healthcare support to patients. However, the weaknesses of available wireless communication channels also introduce various novel attacks on the medical devices. Since the smart mobile devices, such as smartphones, tablets, laptops are also equipped with the same communication channels (WiFi/Bluetooth), attacks on medical devices can be initiated from a compromised or malware infected mobile device. Since the compromised mobile devices are already inside the security perimeter of a healthcare network, it is very challenging to block attacks from such compromised mobile devices. In this paper, we systematically analyze the novel threats on healthcare devices and networks, which can be initiated from compromised mobile devices. We provide a detail audit guideline to evaluate the security strength of a healthcare network. Based on our proposed guideline, we evaluate the current security state of a large university healthcare facility. We also propose several mitigation strategies to mitigate some of the possible attacks.
3. Rasib Khan and Ragib Hasan, “The Story of Naive Alice: Behavioral Analysis of Susceptible Users on the Internet“, 40th IEEE Computer Society International Conference on Computers, Software & Applications (COMPSAC), Atlanta, Georgia, June 2016. (Short Paper Acceptance Rate 20%)
Abstract: The Internet has become an integral part of our everyday life. Unfortunately, not all of us are equally aware of the threats which come along when we use online services. Online criminals target users and steal their personal information for illicit benefits. The most susceptible to these online predators are naive users, who are generally less aware of security and privacy practices on the Internet. In this paper, we present a behavioral analysis of Internet users and their susceptibility to online malpractices. We have considered the dataset from the Global Internet User Survey for 10789 respondents to perform a security-oriented statistical analysis of correlated user behavior. The results were used to construct logistic regression models to analyze statistical predictability of susceptible and not-so-susceptible identity theft victims based on their behavior and knowledge of particular security and privacy practices. We posit that such a study can be used to assess the vulnerability of Internet users and can hence be used to leverage institutional and personal safety on the Internet by promoting online security education, threat awareness, and guided Internet-safe behavior.
4. Rasib Khan and Ragib Hasan, “A Cloud You can Wear: Towards a Mobile and Wearable Personal Cloud“, 40th IEEE Computer Society International Conference on Computers, Software & Applications (COMPSAC), Atlanta, Georgia, June 2016. (Short Paper Acceptance Rate 20%)
Abstract: As we enter the age of mobile and wearable computing, we are using various wearable computing devices, such as, mobile phones, smart glasses, smart watches, and personal health monitors. To provide the expected user experience and the ability to run complex applications, all of these devices require powerful processors, long-lasting batteries, and uses provider-specific public clouds for the services. This makes design of such wearable devices complex, expensive, and with major personal data privacy concerns. In this paper, we show how we can simplify the design of personal wearable devices by introducing a wearable cloud — a complete yet compact and lightweight cloud which can be embedded into the clothing of a user. The wearable cloud makes the design of wearable devices simple and inexpensive, as these devices can now essentially be lightweight terminals tapping into the computing and storage power of the wearable cloud with proximal and private placement of the user’s personal data. We introduce five service delivery models using the proposed wearable cloud approach. We provide details of a prototype implementation of the wearable cloud embedded into a `Cloud Jacket’ along with a cheap touchscreen terminal device. The paper also presents experimental results on the usability of such a cloud in terms of reduced energy consumption and improved application performance.