Search

Your search keyword '"Ron Poet"' showing total 94 results
Start Over Author "Ron Poet"
94 results on '"Ron Poet"'

29. Utilizing Sentence Embedding for Dangerous Permissions Detection in Android Apps' Privacy Policies

Author

Ron Poet and Rawan Baalous

Subjects
Government, business.industry, Computer science, Privacy policy, Internet privacy, 020206 networking & telecommunications, 02 engineering and technology, Terminology, Order (business), 0202 electrical engineering, electronic engineering, information engineering, Embedding, 020201 artificial intelligence & image processing, Android (operating system), business, Sentence, Information Systems, Meaning (linguistics)
Abstract

Privacy policies analysis relies on understanding sentences meaning in order to identify sentences of interest to privacy related applications. In this paper, the authors investigate the strengths and limitations of sentence embeddings to detect dangerous permissions in Android apps privacy policies. Sent2Vec sentence embedding model was utilized and trained on 130,000 Android apps privacy policies. The terminology extracted by the sentence embedding model was then compared with the gold standard on a dataset of 564 privacy policies. This work seeks to provide answers to researchers and developers interested in extracting privacy related information from privacy policies using sentence embedding models. In addition, it may help regulators interested in deploying sentence embedding models to check for privacy policies' compliance with the government regulations and to identify points of inconsistencies or violations.

Published
2021

36. Factors Affecting Users' Disclosure Decisions in Android Runtime Permissions Model

Author

Ron Poet and Rawan Baalous

Subjects
Information privacy, business.industry, Computer science, Internet privacy, Mobile computing, Context (language use), 02 engineering and technology, Permission, law.invention, law, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, CLARITY, 020201 artificial intelligence & image processing, Android (operating system), business, Personally identifiable information, Private information retrieval
Abstract

Today, Android users are faced with several permissions' screens asking to access their personal information when using Android apps. In fact, Android users have to balance several considerations when choosing to grant or deny these data collection activities. Hence, it is important to understand how users' decisions are made and what factors play a role in users' decisions. A number of studies on the permissions' screens of Android devices have reported users discomfort and misunderstanding of the permission system. However, most studies were carried out on the old permission system where all permissions are presented at installation time, and the user has to either accept all the permissions or stop the installation. With the new permission system started with Android version 6.0 and higher, permissions are presented differently at run time. In this work, we aim to study users' disclosure decisions with the new run time system on Android. We have modeled users' disclosure decisions from three perspectives: dangerous permission type, clarity of rationale, and clarity of context. The study has been conducted on Amazon Mechanical Turk. The results show that dangerous permission type as well as clarity of the context have a statistical significant effect on users' disclosure decisions. On the other hand, clarity of dangerous permission's rationale does not contribute significantly to users' decisions. These findings shed light upon important factors that users consider in making privacy decisions in the new Android run time model. Such factors should be taken into account by Android apps developers when requesting access to users' private information.

Published
2020

37. Permission Management and User Privacy Based On Android

Author

Ron Poet and Jiyou Wang

Subjects
Flexibility (engineering), SIMPLE (military communications protocol), Computer science, Questionnaire, 020206 networking & telecommunications, 02 engineering and technology, Permission, Computer security, computer.software_genre, Personalization, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Android (operating system), Reset (computing), computer, Private information retrieval
Abstract

Nowadays, smartphones become widely popular and indispensable in our daily life. The largest proportion of the smartphone market is the Android operating system. Because of its modifiability and customization, it is favored by smartphone manufacturers and users. However, because of its flexibility, there are many user privacy risks when using Android applications. Although the country and users already pay attention to the protection of user privacy information, there is still no particularly perfect method to solve this problem for the Android operating system. The purpose of this project is to find a suitable method to protect the privacy information of Android application users.The project conducted a questionnaire survey on smartphone users to obtain their understanding of the protection of private information. At the same time, some existing methods are compared to find out their shortcomings. Based on the above comparison, this project chose the MIUI 12 operating system of Xiaomi. Then, the project made corresponding tests and analyses based on the privacy protection functions of the MIUI 12 operating system. When testing the privacy protection functions of the MIUI 12, in addition to testing from the perspective of users, the project also developed the TestPermission application to test from the perspective of developers.At the end of the project, we concluded that the new privacy protection functions provided by MIUI 12 were a suitable choice for protecting user privacy and controlling application permissions. It is simple and intuitive for general users. At the same time, for the limitations of MIUI 12, the project proposed to reset the OAID and refine the granularity of permissions to be further optimised in future work.

Published
2020

38. Creating Graphical Passwords on a Mobile Phone

Author

Ron Poet and Jessica Fong

Subjects
Scheme (programming language), Password, Authentication, Computer science, business.industry, 05 social sciences, 020206 networking & telecommunications, Usability, 02 engineering and technology, Login, law.invention, Touchscreen, Software deployment, law, Mobile phone, Human–computer interaction, 050501 criminology, 0202 electrical engineering, electronic engineering, information engineering, business, computer, 0505 law, computer.programming_language
Abstract

An alternative to traditional text based passwords (TP) is graphical passwords (GP). Psychological research has shown individuals to have superior memorability for images compared to text. With smartphones being touchscreen, GPs could be more suitable and provide better usability and security compared to TPs. However, GP is a relatively new area, with problems between usability and security. Some GP schemes involve creating password via drawing, as drawing is also shown to enhance memorability. But current GP schemes’ drawing tools are too complex and difficult to use. Therefore, this project aimed to create a GP scheme specifically for smartphones that provides an easy and simple to use drawing tool while providing high usability and security.The project created a recognition based GP scheme involving users drawing 3 images for their password. For logging in, users are required to select their image passwords in the sequence they had drawn them in for a successful login. A user study was conducted and results found were positive and encouraging with the drawing tool being easy and simple to use. Additionally, the time taken to login and register was relatively short. Overall participants were favourable with the design and enjoyed drawing their own GP.This project was the first to design an easy and simple drawing tool for users to create their image passwords and to incorporate the drawing tool into a recognition based GP scheme designed specifically for smartphones. Future work on implementation for deployment will also be suggested.

Published
2020

39. Hacking Passwords that Satisfy Common Password Policies

Author

Richard Beno and Ron Poet

Subjects
Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Password policy, Software_OPERATINGSYSTEMS, Computer science, Password cracking, Alphabet, Computer security, computer.software_genre, computer, Hacker
Abstract

The password policies for 14 popular websites were checked and a list of passwords that satisfied the minimal requirements created for each website. 58 users then created realistic passwords that satisfied the minimal requirements. A special purpose cracking computer was built to crack these passwords using dictionary and brute-force attacks. All minimal passwords were cracked and it was found that weaker password policies produced weaker realistic passwords. It is recommended that password policies increase the minimal length to 8 characters, require a more diverse alphabet, prevent simple passwords based on repetitions and sequences, and check a database of already hacked passwords.

Published
2020

40. Is it better to choose seen or unseen distracters for graphical passwords

Author

Ron Poet and Abdul Ashraf

Subjects
Password, Computer science, business.industry, 05 social sciences, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, 020207 software engineering, 02 engineering and technology, Login, USable, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, Computer vision, Artificial intelligence, business, Set (psychology), 050107 human factors
Abstract

We investigate a form of recognition-based graphical passwords where users choose their pass images from a system provided collection. In these systems the user is presented with a challenge set containing their pass images, together with distracters, when they login. They need to recognise their pass images to gain access.The distracters come from the same system provided collection and can be either images that the user has already seen when registering or images that they have not seen. Our experiment investigates which approach is more usable, measured by login accuracy and login time.Our results show that it is better to use images that the user has already seen as distracters. This does not affect the accuracy but leads to faster login times. In our experiment users were presented with one 60 images challenge set that contained both their pass images and distracters.Most login errors were caused by choosing the two images in the wrong order. Participants also thought that the system was easier to use than text based passwords, both when registering and logging in. They also suggested using three images rather than two for more security. This suggests that a more usable system would have three pass images that could be selected in any order.

Published
2019

41. How Dangerous Permissions are Described in Android Apps' Privacy Policies?

Author

Rawan Baalous and Ron Poet

Subjects
World Wide Web, ComputerSystemsOrganization_COMPUTERSYSTEMIMPLEMENTATION, Computer science, Privacy policy, 0202 electrical engineering, electronic engineering, information engineering, 020206 networking & telecommunications, 020207 software engineering, 02 engineering and technology, Android (operating system), Semantic information, Natural language, Terminology
Abstract

Google requires Android apps which handle users' personal data such as photos and contacts information to post a privacy policy which describes comprehensively how the app collects, uses and shares users' information. Unfortunately, while knowing why the app wants to access specific users' information is considered very useful, permissions screen in Android does not provide such pieces of information. Accordingly, users reported their concerns about apps requiring permissions that seem to be not related to the apps' functions. To advance toward practical solutions that can assist users in protecting their privacy, a technique to automatically discover the rationales of dangerous permissions requested by Android apps, by extracting them from apps' privacy policies, could be a great advantage. However, before being able to do so, it is important to bridge the gap between technical terms used in Android permissions and natural language terminology in privacy policies. In this paper, we recorded the terminology used in Android apps' privacy policies which describe usage of dangerous permissions. The semi-automated approach employs NLP and IE techniques to map privacy policies' terminologies to Android dangerous permissions. The mapping links 128 information types to Android dangerous permissions. This mapping produces semantic information which can then be used to extract the rationales of dangerous permissions from apps' privacy policies.

Published
2018

42. Analyzing Privacy Policies of Zero Knowledge Cloud Storage Applications on Mobile Devices

Author

Tim Storer, Ron Poet, and Rawan Baalous

Subjects
Computer science, Privacy policy, Information sharing, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Retention period, Zero-knowledge proof, Data retention, Mobile device, Cloud storage, computer
Abstract

With the rapid growth of mobile applications and the increase number of mobile users, many cloud storage services started to design stand-alone mobile applications that can be used to access files remotely from mobile and share them. In this paper, an in-depth analysis has been performed on the privacy policies of zero knowledge cloud storage applications on mobile. The analysis includes the type of information collected, collection mechanisms, purpose for collection, sharing of information, user controls and information retention period. The results showed that most privacy policies addressed important areas of information collection, purposes of collection, information sharing and users' controls. On the other hand, many policies lacked detailed information of the data retention period.

Published
2018

43. Formalising identity management protocols

Author

Ron Poet and Sadek Ferdous

Subjects
060201 languages & linguistics, Authentication, business.industry, Computer science, 06 humanities and the arts, 02 engineering and technology, Computer security, computer.software_genre, Internet security, Identity management, law.invention, law, Formal specification, 0602 languages and literature, Internet Protocol, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, The Internet, business, OpenID, computer, Formal verification
Abstract

In this paper we present the formalisation of three well-known Identity Management protocols - SAML, OpenID and OAuth. The formalisation consists of two steps: formal specification using HLPSL (High-Level Protocol Specification Language) and formal verification using a state-of-the-art verification tool for security protocols called AVISPA (Automated Validation of Internet Security Protocols and Applications). The existing formalisation initiatives using AVISPA are based on SAML and OpenID, leaving OAuth entirely, even though OAuth is one of the most widely-used Internet protocols. Furthermore, the motivation of the existing initiatives was to identify any weakness. In this paper, we have taken an opposite approach as we are keen to present how to model these protocols correctly. Moreover, our formalisation is based on a model of identity and also captures the authentication mechanism; both of these are missing in theexisting works.

Published
2017

44. A hybrid model of attribute aggregation in federated identity management

Author

Ron Poet, Farida Chowdhury, Md. Sadek Ferdous, Chang, Victor, Ramachandran, Muthu, Walters, Robert J., and Wills, Gary

Subjects
021110 strategic, defence & security studies, Service (systems architecture), Computer science, Aggregate (data warehouse), 0211 other engineering and technologies, 02 engineering and technology, Service provider, Data science, Session (web analytics), Security Assertion Markup Language, World Wide Web, Identity provider, Proof of concept, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Federated identity management
Abstract

The existing model of Federated Identity Management (FIM) allows a user to provide attributes only from a single Identity Provider (IdP) per service session. However, this does not cater to the fact that the user attributes are scattered and stored across multiple IdPs. An attribute aggregation mechanism would allow a user to aggregate attributes from multiple providers and pass them to a Service Provider (SP) in a single service session which would enable the SP to offer innovative service scenarios. Unfortunately, there exist only a handful of mechanisms for aggregating attributes and most of them either require complex user interactions or are based on unrealistic assumptions. In this paper, we present a novel approach called the Hybrid Model for aggregating attributes from multiple IdPs using one of the most popular FIM technologies: Security Assertion Markup Language (SAML). We present a thorough analysis of different requirements imposed by our proposed approach and discuss how we have developed a proof of concept using our model and what design choices we have made to meet the majority of these requirements. We also illustrate two use-cases to elaborate the applicability of our approach and analyse the advantages it offers and the limitations it currently has.

Published
2017

45. A Security-Oriented Workflow Framework for Collaborative Environments

Author

Ron Poet, Sardar Hussain, and Richard O. Sinnott

Subjects
Computer science, 020208 electrical & electronic engineering, 020206 networking & telecommunications, 02 engineering and technology, Service provider, computer.software_genre, Computer security, Credential, Workflow engine, Workflow technology, Workflow, Security service, 0202 electrical engineering, electronic engineering, information engineering, Web service, computer, Workflow management system
Abstract

Protecting (authorizing) access to individual web services has been explored in many research efforts. The focus of such research is to ensure that authorized users with appropriate credentials are able to access resources under controlled and authorized security. However, integrating and/or composing such services, e.g. through workflow environments in collaborative environments, remains an open challenge. A key issue is to ensure the security requirements of each individual service and hence their service provider, whilst still allowing them to be used as part of a workflow execution – potentially by users with diverse security credentials. The aim of this research is to provide a security-oriented workflow framework that supports such secure workflow enactment. The framework supports a variety of security evaluation mechanisms using diverse security credential aggregation mechanisms leveraging centralized and decentralized security with push/pull of security information as required. We describe the core components of this framework and how they can be used to support security-oriented workflow enactment.

Published
2016

46. Security-enabled Enactment of Decentralized Workflows

Author

Richard O. Sinnott, Ron Poet, and Sardar Hussain

Subjects
Service (systems architecture), Computer science, business.industry, media_common.quotation_subject, Authorization, 020206 networking & telecommunications, Access control, 02 engineering and technology, Service provider, Computer security, computer.software_genre, Workflow, 0202 electrical engineering, electronic engineering, information engineering, Information system, 020201 artificial intelligence & image processing, business, computer, Autonomy, media_common
Abstract

Decentralized enactment of workflows is generally advocated for data intensive scientific applications. This approach offers a number of advantages including avoiding a single (centralized) point of failure, and associated (centralized) performance bottlenecks. However, such services are often assumed to be openly available with little or no security. This is increasingly not the case. Instead organizations and the services they offer require autonomous ways of defining and enforcing their own access control policies supporting fine-grained authorization. Tackling such scenarios raises many issues regarding workflow definition, enactment and potential re-enactment. This research explores the issues related to security-oriented decentralized workflow definition and enactment. The solution is respectful of the need for autonomy of service providers and allows each participating service to define their own access control policies. We also show how different security delivery models can be supported leveraging the pulling and pushing of security credentials.

Published
2016

47. Service-Oriented Workflow Executability from a Security Perspective

Author

Ron Poet, Sardar Hussain, and Richard O. Sinnott

Subjects
Knowledge management, Exploit, business.industry, Computer science, InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS, Access control, computer.file_format, Workflow technology, Workflow, A priori and a posteriori, Graph (abstract data type), Executable, business, Software engineering, computer, Workflow management system
Abstract

Scientific workflows are composed of different services to support scientific experiments. Often such services are provided by different organizations that can have their own autonomous access control policies. Workflows are often shared and repurposed with the same and/or different datasets to repeat scientific experiments, therefore, different users can require different privileges to access different services to execute (enact) a given workflow. It can be the case that a given user may not have sufficient privileges to access some of the services of the workflow. As such, it needs to be ascertained whether a user (or enactment engine acting on behalf of a user) with a given set of security credentials should be allowed to enact a workflow and whether this will lead to runtime failure of the workflow. Ideally it should be determined a priori whether a path exists from the root node of the workflow graph to the leaf node, i.e. that it is possible for the workflow to be fully executable or partially executable on the basis of the available credentials of the user. This paper presents an algorithm and its realization that exploits existing workflow patterns to determine the structural path of the workflow whilst checking the availability of credentials at different service points in the workflow path.

Published
2016

48. Analysing Power Consumption Of Different Browsers & Identity Management Systems In Mobile Phones

Author

Ron Poet and M. D. Sadek Ferdous

Subjects
World Wide Web, Computer science, business.industry, Mobile phone, Power consumption, Mobile computing, Mobile search, Mobile Web, Telecommunications, business, Identity management
Abstract

Currently there are many different Identity Management Systems which differ in their architectures as well as use different protocols and serve different purposes and are extensively used by organisations to provide online services. With the remarkable growth of mobile phones in the last few years, both in number and computational power, more and more users are accessing an array of online services using their mobile phones. One of the major concerns for the user of mobile phones is the battery life which is limited and tends to run out quickly. Hence, efficiency in power consumption is a crucial factor for any system when it is accessed using a mobile phone. In this paper, we analyse the efficiency, in terms of power consumption, of different browsers in mobile phones and different Identity Management Systems when the mobile phones are used to access online services protected by those Identity Management Systems.

Published
2012

50. Managing Dynamic Identity Federations using Security Assertion Markup Language

Author

Ron Poet and Md. Sadek Ferdous

Subjects
Process management, Computer science, Federated identity management, Identity federation, Computer security, computer.software_genre, Trust, General Business, Management and Accounting, Service provisioning, Identity management, Computer Science Applications, Security Assertion Markup Language, Security assertion markup language (SAML), Proof of concept, Identity (object-oriented programming), Key (cryptography), computer
Abstract

Security Assertion Markup Language is one of the most widely used technologies to enable Identity Federations among different organisations. Despite its several advantages, one of its key disadvantages is that it does not allow creating a federation in a dynamic fashion to enable service provisioning (or de-provisioning) in real time. A few approaches have been proposed to rectify this problem. However, most of them require elaborate changes of the language and do not provide mechanisms to manage federations dynamically. This paper presents a better approach based on an already drafted Security Assertion Markup Language Profile and requires no change in its specification, rather it depends on the specific implementation. Our proposed approach covers all aspects regarding the management of dynamic Identity Federation. It will allow users to create federations dynamically between two prior unknown organisations and will allow them to manage such federations as long as it is required. Implicit in each identity federation is the issue of trust. Therefore, the trust issues involved in the management of dynamic federations are analysed in details. Finally, a proof of concept is discussed with a few use-cases to elaborate the practicality of our approach.

Published
2015

Catalog

Books, media, physical & digital resources
See catalog results