Human Interactions in Cybersecurity: Threats and Opportunities
Over the years, many cybersecurity breaches have been attributed to human error, with human factors regarded as one of the weakest links in the security chain. In practice, human factors are exploited by cybercriminals, causing organizations significant financial and reputational losses. According to Verizon's 2021 Data Breach Investigations Report, 85% of breaches involved a human element, while 61% involved stolen or compromised credentials, resulting in an average breach cost of more than 3 million dollars.
To prevent cyberattacks, organizations focus on employee training and on developing new policies, while also trying to maintain a balance between the complexity of security systems and their usability. However, the unpredictability of human behavior, the rapid evolution of the digital world and the growing availability of technological resources for cybercriminals pose new challenges, both in anticipating cyber threats in new environments and in the emergence of new threats in systems considered secure until today.
On the other hand, the complexity and uniqueness of human behavior open up possibilities for designing new solutions to mitigate threats, improving the security of organizations and users.
In this thesis, we investigate human interactions and cybersecurity, focusing on two main aspects: (i) the development of new attacks, based on human interaction, against existing and established authentication methods (PIN pads), and (ii) the proposal of new methods that exploit human behavior in different contexts to improve the security of users and organizations.
The first part of this thesis demonstrates the effectiveness of three attacks against the security of PIN-based authentication systems, focusing on the PIN pads of Automated Teller Machines (ATMs). ATMs have become such an indispensable part of the banking ecosystem that, according to the European Central Bank, in 2019 more than 11 billion withdrawal and deposit transactions were carried out in Europe alone.
In particular, we show how ATM PIN pads are exposed to security threats related to human factors even when users behave in compliance with policies. We analyze different attack scenarios depending on the sources of information available to the attacker (for example, video, audio, thermal, typing style). The results show that in the worst-case scenario for the victim, our attacks can reconstruct up to 94% of 5-digit PINs typed within three attempts.
In the second part of this thesis, we show how the variability and unpredictability of human behavior can be exploited to increase the security of systems and users.
We develop new human-based approaches focusing on three different contexts: (i) new methods for detecting bots in social networks (for example, Twitter) based on the stylistic consistency of posts over time, (ii) a new framework for identifying fake and genuine expressions from videos, and (iii) a new de-authentication method based on the detection of physically blurred faces. The results demonstrate the effectiveness of the proposed approaches, reaching an F1-score of up to 98% in human-bot classification, an accuracy of up to 90% in detecting fake sadness, and an accuracy in de-authenticating users of up to 100% with a grace period of under 3 seconds.
This thesis highlights the need for greater effort in designing security solutions that focus on human factors, showing the direction for further investigation in the analysis of human interactions in cybersecurity.
Over the years, many cybersecurity breaches have been attributed to human error, considering human factors as one of the weakest links in the security chain. In fact, human factors are exploited by cybercriminals, causing significant losses of money and reputation to organizations. According to Verizon's 2021 Data Breach Investigations Report, 85% of breaches involved a human element, while 61% involved stolen or compromised credentials, causing an average breach cost of more than $3 million.
To prevent cyberattacks, organizations focus on training employees and developing new policies, while also trying to maintain a balance between the complexity of security systems and their usability. However, the unpredictability of human behavior, the fast evolution of the digital world, and the increasing availability of technological resources for cybercriminals pose new and evolving cybersecurity challenges in anticipating both cyber threats in new environments and the rise of new threats in systems considered secure to date.
On the other hand, the complexity and uniqueness of human behavior give new opportunities for designing new solutions to mitigate threats, improving the security of organizations and users.
In this thesis, we investigate human interactions and cybersecurity, focusing on two main aspects: (i) developing new attacks, based on human interaction, against existing and consolidated authentication methods (i.e., PIN pads), and (ii) proposing new methods leveraging human behavior in multiple contexts to enhance the security of users and organizations.
The first part of this thesis demonstrates the effectiveness of three attacks against the security of PIN-based authentication systems, focusing on Automated Teller Machine (ATM) PIN pads. ATMs have become an indispensable part of the banking ecosystem, such that, according to the European Central Bank, in 2019 more than 11 billion withdrawal and deposit transactions were made in Europe alone.
In particular, we show how ATM PIN pads are exposed to security threats related to human factors even if users have policy-compliant behaviors. We analyze different attack scenarios depending on the sources of information available to the attacker (e.g., video, audio, thermal, typing style). The results show that in the worst-case scenario for the victim, our attacks can reconstruct up to 94% of the 5-digit PINs typed within three attempts.
In the second part of this thesis, we show how the variability and unpredictability of human behavior can be exploited to increase the security of systems and users.
We develop new human-based approaches focusing on three different contexts: (i) new methods for bot detection in social networks (i.e., Twitter) relying on the stylistic consistency of posts over time, (ii) a new framework for identifying fake and genuine expressions from videos, and (iii) a new de-authentication method based on the detection of physically blurred faces. Results demonstrate the efficacy of the proposed approaches, achieving an F1-score up to 98% in human-bot detection, an accuracy up to 90% in fake sadness detection, and accuracy in de-authenticating users up to 100% under 3 seconds of grace period.
This thesis highlights the need for more effort in designing security solutions that focus on human factors, showing the direction for further investigation in analyzing human interactions in cybersecurity.
Equilibrioception: a Method to Evaluate the Sense of Balance
In this study, we present an algorithm for the assessment of one's own perception of balance (equilibrioception). The upright standing position is maintained by continuous updating and integration of vestibular, visual and proprioceptive information, so that a compensatory reaction can be implemented when perturbations occur. This ability to monitor and maintain balance can be considered a physiological sense, so, as for the other senses, it is fair to assume that healthy people can perceive and evaluate differences between balance states. The aim of this study is to investigate how changes in stabilometric parameters are perceived by young, healthy adults. Participants were asked to stand still on a Wii Balance Board (WBB) with feet in a constrained position; 13 trials of 30 s each were performed by each subject, the order of Eyes Open (EO) and Eyes Closed (EC) trials being semi-randomized. At the end of each trial (except the first one), participants were asked to judge whether their performance was better or worse than in the immediately preceding trial. SwayPath ratio data were used to calculate the Just Noticeable Difference (JND) between two consecutive trials, which was 0.2 when participants improved their performance from one trial to the next, and 0.4 when performance on a trial was worse than in the previous one. This "need" for a bigger difference before a worsening is perceived seems to suggest a tendency towards overestimation of one's own balance. Interestingly, participants' judgement was more reliable when evaluating consecutive EC rather than EO trials, at least when performance was worsening.
Detecting Identity Deception in Online Context: A Practical Approach Based on Keystroke Dynamics
Hand Me Your PIN! Inferring ATM PINs of Users Typing with a Covered Hand
Automated Teller Machines (ATMs) represent the most used system for withdrawing cash. The European Central Bank reported more than 11 billion cash withdrawals and loading/unloading transactions on European ATMs in 2019. Although ATMs have undergone various technological evolutions, Personal Identification Numbers (PINs) are still the most common authentication method for these devices. Unfortunately, the PIN mechanism is vulnerable to shoulder-surfing attacks performed via hidden cameras installed near the ATM to capture the PIN pad. To overcome this problem, people have got used to covering the typing hand with the other hand. While such users probably believe this behavior is safe enough to protect against the aforementioned attacks, there is no clear assessment of this countermeasure in the scientific literature. This paper proposes a novel attack to reconstruct PINs entered by victims covering the typing hand with the other hand. We consider the setting where the attacker can access an ATM PIN pad of the same brand/model as the target one. Afterward, the attacker uses that model to infer the digits pressed by the victim while entering the PIN. Our attack owes its success to a carefully selected deep learning architecture that can infer the PIN from the typing hand's position and movements. We run a detailed experimental analysis including 58 users. With our approach, we can guess 30% of the 5-digit PINs within three attempts, the number usually allowed by ATMs before blocking the card. We also conducted a survey with 78 users, who managed to reach an accuracy of only 7.92% on average in the same setting. Finally, we evaluate a shielding countermeasure that proved to be rather inefficient unless the whole keypad is shielded.
A contribution to the validation of the Wii Balance Board for the assessment of standing balance
Valid and reliable accessible measures of balance are required in a health-related fitness test battery, both in the general population and in groups with special needs. For this purpose, the capability of the Wii Balance Board (WBB) in evaluating standing balance was analysed and compared with a laboratory-grade force platform (FP). A 30-s double limb standing test with open and closed eyes was performed by 28 individuals (12 male and 16 female, mean age = 23.8, SD = +/- 2.7 years). A simple method of acquisition of the centre of pressure (CoP) over time was applied to compare WBB and FP simultaneously on the same signal. User-defined software was developed to obtain the CoP from the WBB over time, together with the resulting related measures and graphical representations. The comparison of measures, such as sway path and maximum oscillations along the anterior-posterior and medial-lateral directions, obtained with the FP and the WBB shows that the latter, in conjunction with the user-defined software, can be an appropriate (within prescribed limits) and easy-to-use tool for evaluating standing balance.
NON CONVENTIONAL METHODS FOR ASSESSING STANDING BALANCE: RELIABILITY EVALUATION OF THE NINTENDO WII BALANCE BOARD
Introduction. Standing balance assessment represents a problem in field-based health-related fitness test batteries, and the search for low-cost, portable and widely available measurement tools is an important issue (Clark et al., 2010; Clark et al., 2011). Therefore, the aim of this study was to contribute to analysing the validity and reliability of the Nintendo Wii Balance Board (WBB) compared with a laboratory-grade force platform (FP) in evaluating subjects' balance. The method adopted for comparing WBB and FP was intentionally simple in order to provide a user-friendly calibration, in line with the low-cost approach to the problem.
Method. Four unmodified WBBs were placed upon the FP and correctly aligned in order to avoid relative rotation of the respective intrinsic coordinate systems. Data from the WBBs, acquired at the standard sampling frequency of 30 Hz, were processed by open-source software and compared with the set of data obtained by the FP. The WBBs were tested in determining the centre of pressure (COP) in different static and dynamic tests. The static test consisted of the evaluation of COP over time for a mass of 64 kg placed on the WBB, while dynamic tests involved thirty individuals (17 female, 13 male, age 23.8 ± 2.7 years). Dynamic tests consisted of double limb standing for 30 s with open and closed eyes. Each subject performed 4 trials (2 with open eyes, 2 with closed eyes).
Results. In static tests, the variation of the COP over time for the WBB with respect to the effective COP position estimated with the FP was limited and similar for all the tools. In dynamic tests, a constant offset was found between COP positions on the medio-lateral or anterior-posterior axis, which can be related to the effect of horizontal forces on the effective position (Bobbert & Schamhardt, 1990). It was shown that this offset can be easily compensated for each WBB and, after compensation, values of sway path and sway area measures obtained by WBB and FP were comparable.
Discussion. The sampling frequency of the unmodified WBB (30 Hz) is lower than the usual sampling frequency of laboratory-grade force platforms (100 Hz), but this does not appear to be a limit in evaluating the position of the COP over time. Therefore, COP-related measures such as sway path and sway area can be estimated reliably also by using a low-cost set-up based on the WBB. This can represent a valid and easy-to-use tool for assessing standing balance control.
References
Clark R, Bryant A, Pua Y, McCrory P, Bennell K, Hunt M (2010). Gait Posture, 31, 307-310.
Clark R, McGough R, Paterson K (2011). Gait Posture, 34, 288-291.
Bobbert MF, Schamhardt HC (1990). J Biomech, 23, 705-710.
Malingering Scraper: A novel framework to reconstruct honest profiles from malingerer psychopathological tests.
Malingered responses to psychological testing are frequent when monetary incentives or other forms of rewards are at stake. Psychological symptoms are usually identified through clinical questionnaires which, however, may be easily inflated by malingered responses (fake-bad). A fake-bad response style is usually identified through specialized scales embedded in the personality questionnaires, but no procedure is currently available that reconstructs honest responses from malingered responses.
In this paper, we present a technique for the Millon (MCMI-III) questionnaire, a widely used test for investigating psychopathology. This technique detects malingered MCMI-III profiles (malingering detector) and removes the intentionally inflated test results (malingering remover). We demonstrate that by applying machine learning to the validity scales of the MCMI-III we can discriminate between malingerer and honest profiles with 90% accuracy. Moreover, our results show that by applying regression models to malingerer tests, we are able to reconstruct the original honest profile well. Our models decrease the RMSE (Root Mean Square Error) of the reconstruction by up to 19% compared to baseline correction procedures. Finally, applying the malingering detector to the reconstructed scales, we show that only 9% were classified as malingerers, demonstrating the validity of the proposed approach.
For Your Voice Only: Exploiting Side Channels in Voice Messaging for Environment Detection
Voice messages are an increasingly popular method of communication, accounting for more than 200 million messages a day. Sending audio messages requires a user to invest less effort than texting while enhancing the message's meaning by adding an emotional context (e.g., irony). Unfortunately, we suspect that voice messages might provide much more information than intended to the prying ears of a listener. In fact, speech audio waves are both directly recorded by the microphone and propagated into the environment, and possibly reflected back to the microphone. Reflected waves, along with ambient noise, are also recorded by the microphone and sent as part of the voice message. In this paper, we propose a novel attack for inferring detailed information about user location (e.g., a specific room) leveraging a simple WhatsApp voice message. We demonstrated our attack considering 7,200 voice messages from 15 different users and four environments (i.e., three bedrooms and a terrace). We considered three realistic attack scenarios depending on the attacker's previous knowledge about the victim and the environment. Our thorough experimental results demonstrate the feasibility and efficacy of our proposed attack. We can infer the location of the user among a pool of four known environments with 85% accuracy. Moreover, our approach reaches an average accuracy of 93% in discerning between two rooms of similar size and furniture (i.e., two bedrooms) and an accuracy of up to 99% in classifying indoor and outdoor environments.