Δημοσιεύσεις σε Διεθνή Περιοδικά (Journals)

Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.

C. Smiliotopoulos, G. Kambourakis, C. Kolias, Detecting Lateral Movement: A Systematic Survey, Heliyon Computer Science, 2024, Cell Press, https://doi.org/10.1016/j.heliyon.2..., indexed in SCI-E, IF = 4
Within both the cyber kill chain and MITRE ATT&CK frameworks, Lateral Movement (LM) is defined as any activity that allows adversaries to progressively move deeper into a system in seek of high-value assets. Although this timely subject has been studied in the cybersecurity literature to a significant degree, so far, no work provides a comprehensive survey regarding the identification of LM from mainly an Intrusion Detection System (IDS) viewpoint. To cover this noticeable gap, this work provides a systematic, holistic overview of the topic, not neglecting new communication paradigms, such as the Internet of Things (IoT). The survey part, spanning a time window of eight years and 53 articles, is split into three focus areas, namely, Endpoint Detection and Response (EDR) schemes, machine learning oriented solutions, and graph-based strategies. On top of that, we bring to light interrelations, mapping the progress in this field over time, and offer key observations that may propel LM research forward.
C. Smiliotopoulos, G. Kambourakis, K. Barmpatsalou, On the Detection of Lateral Movement Through Supervised Machine Learning and an Open-Source Tool To Create Turnkey Datasets From Sysmon Logs, International Journal of Information Security, 2023, Springer, https://doi.org/10.1007/s10207-023-..., indexed in SCI-E, IF = 3.2
Lateral movement (LM) is a principal, increasingly common, tactic in the arsenal of advanced persistent threat (APT) groups and other less or more powerful threat actors. It concerns techniques that enable a cyberattacker, after establishing a foothold, to maintain ongoing access and penetrate further into a network in quest of prized booty. This is done by moving through the infiltrated network and gaining elevated privileges using an assortment of tools. Concentrating on the MS Windows platform, this work provides the first to our knowledge holistic methodology supported by an abundance of experimental results towards the detection of LM via supervised machine learning (ML) techniques. We specifically detail feature selection, data preprocessing, and feature importance processes, and elaborate on the configuration of the ML models used. A plethora of ML techniques are assessed, including 10 base estimators, one ensemble meta-estimator, and five deep learning models. Vis-à-vis the relevant literature, and by considering a highly unbalanced dataset and a multiclass classification problem, we report superior scores in terms of the F1 and AUC metrics, 99.41% and 99.84%, respectively. Last but not least, as a side contribution, we offer a publicly available, open-source tool, which can convert Windows system monitor logs to turnkey datasets, ready to be fed into ML models.
V. Kouliaridis, G. Karopoulos, G. Kambourakis, Assessing the Security and Privacy of Android Official ID Wallet Apps, Information, pp. 1-13, 2023, MDPI, https://www.mdpi.com/2078-2489/14/8..., indexed in SCI-E, IF = 3.1
With the increasing use of smartphones for a wide variety of online services, states and countries are issuing official applications to store government-issued documents that can be used for identification (e.g., electronic identity cards), health (e.g., vaccination certificates), and transport (e.g., driver licenses). However, the privacy and security risks associated with the storage of sensitive personal information on such apps are a major concern. This work presents a thorough analysis of official Android wallet apps, focusing mainly on apps used to store identification documents and/or drivers' licenses. Specifically, we examine the security and privacy level of such apps using three analysis tools and discuss the key findings and the risks involved. We additionally explore Android app security best practices and various security measures that can be employed to mitigate these risks, such as updating deprecated components and libraries. Altogether, our findings demonstrate that, while there are various security measures available, there is still a need for more comprehensive solutions to address the privacy and security risks associated with the use of Android wallet apps.
G. Papaioannou, M. Volakaki, S. Kokolakis, D. Vouyioukas, Learning spaces in higher education: A state of the art review, Trends in Higher Education, Vol. 2, No. 3, pp. 526-545, 2023, MDPI, https://doi.org/10.3390/higheredu20...
A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Exploring users’ attitude towards privacy-preserving search engines: A protection motivation theory approach, Information and Computer Security, 2023, Emerald Publishing Limited, https://www.emerald.com/insight/con...
Search engines, the most popular online services, are associated with several concerns. Users are concerned about unauthorized processing of their personal data, as well as about search engines keeping track of their search preferences. Various search engines have been introduced to address these concerns, claiming that they protect users’ privacy. We call these search engines Privacy-Preserving Search Engines (PPSEs). In this paper, we investigate the factors that motivate search engine users to use PPSEs. To this aim, we adopted Protection Motivation Theory (PMT) and associated its constructs with subjective norms to build a comprehensive research model. We tested our research model using survey data from 830 search engine users worldwide. Our results confirm the interpretive power of PMT in privacy-related decision making and show that users are more inclined to take protective measures when they consider that data abuse is a more severe risk and that they are more vulnerable to data abuse. Furthermore, our results highlight the importance of subjective norms in predicting and determining PPSE use. Since subjective norms refer to perceived social influences from important others to engage or refrain from protective behavior, we reveal that the recommendation from people that users consider important motivates them to take protective measures and use PPSE.
E. Chatzoglou, G. Kambourakis, C. Kolias, Your WAP is at risk: A vulnerability analysis on wireless access point Web-based management interfaces, Security and Communication Networks, Vol. 2022, No. Article ID 1833062, pp. 1-24, 2022, Wiley/Hindawi, https://www.hindawi.com/journals/sc..., indexed in SCI-E, IF = 1.791
This work provides an answer to the following key question: Are the Web-based management interfaces of the contemporary off-the-shelf wireless access points (WAP) free of flaws and vulnerabilities? The short answer is not very much. That is, after performing a vulnerability assessment on the Web interfaces of six different WAPs by an equal number of diverse renowned vendors, we reveal a significant number of assorted medium to high severity vulnerabilities that are straightforwardly or indirectly exploitable. Overall, 13 categories of vulnerabilities translated to 28 zero-day attacks are exposed. Our findings range from legacy path traversal, cross-site scripting, and clickjacking attacks to HTTP request smuggling and splitting, replay, denial of service, and information leakage among others. In the worst case, the attacker can acquire the administrator's (admin) credentials and the WAP's Wi-Fi passphrases or permanently lock the admin out of accessing the WAP's Web interface. On top of everything else, we identify the already applied hardening measures by these devices and elaborate on extra countermeasures which are required to tackle the identified weaknesses. To our knowledge, this work contributes the first wholemeal appraisal of the security level of this kind of Web-based interfaces that go hand and glove with the myriads of WAPs out there, and it is therefore anticipated to serve as a basis for further research in this timely and challenging field.
E. Chatzoglou, G. Kambourakis, C. Smiliotopoulos, Let the cat out of the bag: Popular Android IoT apps under security scrutiny, Sensors, Vol. 22, No. 2:513, pp. 1-41, 2022, MDPI, https://www.mdpi.com/1424-8220/22/2..., indexed in SCI-E, IF = 3.576
The impact that IoT technologies have on our everyday life is indisputable. Wearables, smart appliances, lighting, security controls, and others make our life simpler and more comfortable. For the sake of easy monitoring and administration, such devices are typically accompanied by smartphone apps, which are becoming increasingly popular, and sometimes are even required to operate the device. Nevertheless, the use of such apps may indirectly augment the attack surface of the IoT device itself and expose the end-user to security and privacy breaches. Therefore, a key question arises: Do these apps curtail their functionality to the minimum needed, and additionally, are they secure against known vulnerabilities and flaws? In seek of concrete answers to the aforesaid question, this work scrutinizes more than forty chart-topping Android official apps belonging to six diverse mainstream categories of IoT devices. We attentively analyze each app statically, and almost half of them dynamically, after pairing them with real-life IoT devices. The results collected span several axes, namely sensitive permissions, misconfigurations, weaknesses, vulnerabilities, and other issues, including trackers, manifest data, shared software, and more. The short answer to the posed question is that the majority of such apps still remain susceptible to a range of security and privacy issues, which in turn, and at least to a significant degree, reflects the general proclivity in this ecosystem.
M. Anagnostopoulos, S. Lagos, G. Kambourakis, Large-scale empirical evaluation of DNS and SSDP amplification attacks, Journal of Information Security and Applications, Vol. 66, pp. 1-17, 2022, Elsevier, https://www.sciencedirect.com/scien..., indexed in SCI-E, IF = 3.872
Reflection-based volumetric distributed denial-of-service (DDoS) attacks take advantage of the available to all (open) services to flood and possibly overpower a victim's server or network with an amplified amount of traffic. This work concentrates on two key protocols in the assailants' quiver regarding DoS attacks, namely domain name system (DNS) and simple service discovery protocol (SSDP). Our contribution spans three axes: (a) We perform countrywide IP address scans (probes) across three countries in two continents to locate devices that run open DNS or SSDP services, and thus can be effectively exploited in the context of amplification attacks, (b) we fingerprint the discovered devices to derive information about their type and operating system, and (c) we estimate the amplification factor of the discovered reflectors through a dozen of diverse, suitably crafted DNS queries and a couple of SSDP ones depending on the case. The conducted scans span fifteen months, therefore comparative conclusions regarding the evolution of the reflectors population over time, as well as indirect ones regarding the security measures in this field, can be deduced. For instance, for DNS, it was calculated that the third quartile of the amplification factor distribution remains more than 30 for customarily exploited queries across all the examined countries, while in the worst case this figure can reach up to 70. The same figures for SSDP range between roughly 41 and 73 for a specific type of query. To our knowledge, this work offers the first full-fledged mapping and assessment of DNS and SSDP amplifiers, and it is therefore anticipated to serve as a basis for further research in this ever-changing and high-stakes network security field.
G. Karopoulos, G. Kambourakis, E. Chatzoglou, J. L. Hernandez-Ramos, V. Kouliaridis, Demystifying in-vehicle Intrusion Detection Systems: A survey of surveys and a meta-taxonomy, Electronics, Vol. 11, No. 7, pp. 1-34, 2022, MDPI, https://www.mdpi.com/2079-9292/11/7..., indexed in SCI-E, IF = 2.397
Breaches in the cyberspace due to cyber-physical attacks can harm the physical space, and any type of vehicle is an alluring target for wrongdoers for an assortment of reasons. Especially, as the automobiles are becoming increasingly inter-connected within the Cooperative Intelligent Transport System (C-ITS) realm and their level of automation elevates, the risk for cyberattacks augments along with the attack surface, thus inexorably rendering the risk of complacency and inaction sizable. Next to other defensive measures, Intrusion Detection Systems (IDS) already comprise an inextricable component of modern automobiles in charge of detecting intrusions in the system while in operation. This work concentrates on in-vehicle IDS with the goal to deliver a fourfold comprehensive survey of surveys on this topic. First, we collect and analyze all existing in-vehicle IDS classifications and fuse them into a simpler, overarching one that can be used as a base for classifying any work in this area. Second, we gather and elaborate on the so far available datasets which can be possibly used to train and evaluate an in-vehicle IDS. Third, we survey non-commercial simulators which may be utilized for creating a dataset or evaluating an IDS. The last contribution pertains to a thorough exposition of the future trends and challenges in this area. To our knowledge, this work provides the first wholemeal survey on in-vehicle IDS, and it is therefore anticipated to serve as a groundwork and point of reference for multiple stakeholders at varying levels.
G. Kambourakis, E. Chatzoglou, C. Zaroliagis, V. Kampourakis, Revisiting man-in-the-middle attacks against HTTPS, Network Security, Vol. 2022, No. 3, 2022, Mark Allen Group, https://www.magonlinelibrary.com/do...
A man-in-the-middle (MitM) attack enables threat actors to position themselves in a conversation between two parties. It can be used to eavesdrop on, or impersonate, either of the parties and may enable the perpetrator to steal personal information, including login credentials, payment card data and account details. By leveraging the hijacked information, the attacker can perform an unsanctioned password change, commit identity theft, authorise money transfers, and so on. This article re-examines MitM against HTTPS by both briefly referring to its constituents and assessing its feasibility on modern browsers. We show that under certain circumstances, specific variations of MitM can be effective on all mainstream browsers using cheap, pocket-sized hardware, open-source software and a script-kiddie level of understanding.
G. Kambourakis, G. Karopoulos, Encrypted DNS: The good, the bad, and the moot, Computer Fraud and Security, Vol. 2022, No. 5, 2022, Mark Allen Group, https://www.magonlinelibrary.com/do...
While the Domain Name System Security Extensions (DNSSEC) offers authenticity for DNS data, it still presents fairly low levels of deployment and does not provide confidentiality. Encrypted DNS in the form of quite similar and arguably antagonistic protocols, namely DoT, DoH, and DoQ, provides the client with a secure channel to the resolver. Consequently, on top of confidentiality, the DNS responses cannot be maliciously altered while en route from the resolver to the client. This article critically reviews encrypted DNS with a particular focus on each constituent protocol as well as on the debate around the actual strength of the protection it provides.
E. Chatzoglou, G. Kambourakis, C. Kolias, C. Smiliotopoulos, Pick quality over quantity: Expert feature selection and data preprocessing for 802.11 Intrusion Detection Systems, IEEE Access, Vol. 10, pp. 64761-64784, 2022, IEEE Press, https://ieeexplore.ieee.org/documen..., indexed in SCI-E, IF = 3.367
Wi-Fi is arguably the most proliferated wireless technology today. Due to its massive adoption, Wi-Fi deployments always remain in the epicenter of attackers and evildoers. Surprisingly, research regarding machine learning driven intrusion detection systems (IDS) that are specifically optimized to detect Wi-Fi attacks is lagging behind. On top of that, the field is dominated by false or half-true assumptions that potentially can lead to corresponding models being overfilled to certain validation datasets, simply giving the impression or illusion of high efficiency. This work attempts to provide concrete answers to the following key questions regarding IEEE 802.11 machine learning driven IDS. First, from an expert's viewpoint and with reference to the relevant literature, what are the criteria for determining the smallest possible set of classification features, which are also common and potentially transferable to virtually any deployment types/versions of 802.11? And second, based on these features, what is the detection performance across different network versions and diverse machine learning techniques, i.e., shallow versus deep learning ones? To answer these questions, we rely on the renowned 802.11 security-oriented AWID family of datasets. In a nutshell, our experiments demonstrate that with a rather small set of 16 features and without the use of any optimization or ensemble method, shallow and deep learning classification can achieve an average F1 score of up to 99.55\% and 97.55\%, respectively. We argue that the suggested human expert driven feature selection leads to lightweight, deployment-agnostic detection systems, and therefore can be used as a basis for future work in this interesting and rapidly evolving field.
G. Stergiopoulos, P. Dedousis, D. Gritzalis, Automatic analysis of attack graphs for risk mitigation and prioritization on large-scale and complex networks in Industry 4.0, International Journal of Information Security (IJIS), 2022, Springer,
D. Dermanis, A. Bogris, P. Rizomiliotis, C. Mesaritakis, Photonic Physical Unclonable Function based on an Integrated Neuromorphic schemes, IEEE Journal of Lightwave Technology , 2022, IEEE, (to_appear),
E. Chatzoglou, G. Kambourakis, C. Smiliotopoulos, C. Kolias, Best of both worlds: Detecting application layer attacks through 802.11 and non-802.11 features, Sensors, Vol. 2022, No. 15, pp. 1-19, 2022, MDPI, https://www.mdpi.com/1424-8220/22/1..., indexed in SCI-E, IF = 3.847
Intrusion detection in wireless and, more specifically, Wi-Fi networks is lately increasingly under the spotlight of the research community. However, the literature currently lacks a comprehensive assessment of the potential to detect application layer attacks based on both 802.11 and non-802.11 network protocol features. The investigation of this capacity is of paramount importance, since Wi-Fi domains are often used as a stepping stone by threat actors for unleashing an ample variety of application layer assaults. In this setting, by exploiting the contemporary AWID3 benchmark dataset along with both shallow and deep learning machine learning techniques, this work attempts to provide concrete answers to a dyad of principal matters. First, what is the competence of 802.11-specific and non-802.11 features when used separately and in tandem in detecting application layer attacks, say, website spoofing? Second, which network protocol features are the most informative to the machine learning model for detecting application layer attacks? Without relying on any optimization or dimensionality reduction technique, our experiments, indicatively exploiting an engineered feature, demonstrate a detection performance up to 96.7% in terms of the Area under the ROC Curve (AUC) metric.
C. Smiliotopoulos, K. Barbatsalou, G. Kambourakis, Revisiting the detection of Lateral Movement through Sysmon, Applied Sciences, Vol. 12, No. 15, pp. 1-30, 2022, MDPI, https://doi.org/10.3390/app12157746, indexed in SCI-E, IF = 2.838
This work attempts to answer in a clear way the following key questions regarding the optimal initialization of the Sysmon tool for the identification of Lateral Movement in the MS Windows ecosystem. First, from an expert’s standpoint and with reference to the relevant literature, what are the criteria for determining the possibly optimal initialization features of the Sysmon event monitoring tool, which are also applicable as custom rules within the config.xml configuration file? Second, based on the identified features, how can a functional configuration file, able to identify as many LM variants as possible, be generated? To answer these questions, we relied on the MITRE ATT and CK knowledge base of adversary tactics and techniques and focused on the execution of the nine commonest LM methods. The conducted experiments, performed on a properly configured testbed, suggested a great number of interrelated networking features that were implemented as custom rules in the Sysmon’s config.xml file. Moreover, by capitalizing on the rich corpus of the 870K Sysmon logs collected, we created and evaluated, in terms of TP and FP rates, an extensible Python .evtx file analyzer, dubbed PeX, which can be used towards automatizing the parsing and scrutiny of such voluminous files. Both the .evtx logs dataset and the developed PeX tool are provided publicly for further propelling future research in this interesting and rapidly evolving field.
B. Kampourakis, E. Chatzoglou, G. Kambourakis, A. Dolmes, C. Zaroliagis, WPAxFuzz: Sniffing out vulnerabilities in Wi-Fi implementations, Cryptography, Vol. 6(4), No. 53, pp. 1-12, 2022, MDPI, https://www.mdpi.com/2410-387X/6/4/...
This work attempts to provide a way of scrutinizing the security robustness of Wi-Fi implementations in an automated fashion. To this end, we contribute the first to our knowledge full-featured and extensible Wi-Fi fuzzer. At the time of writing, the tool, made publicly available as open source, covers the IEEE 802.11 management and control frame types and provides a separate module for the pair of messages of the Simultaneous Authentication of Equals (SAE) authentication and key exchange method. It can be primarily used to detect vulnerabilities potentially existing in wireless Access Points (AP) under the newest Wi-Fi Protected Access 3 (WPA3) certification, but its functionalities can also exploited against WPA2-compatible APs. Moreover, the fuzzer incorporates: (a) a dual-mode network monitoring module that monitors in real-time the behavior of the connected to the AP stations and logs possible service or connection disruptions, and (b) an attack tool used to verify any glitch found, and automatically craft the corresponding exploit. We present results after testing the fuzzer against an assortment of off-the-shelf APs by different renowned vendors. Adhering to a coordinated disclosure process, we have reported the discovered issues to the affected vendors, already receiving positive feedback from some of them.
E. Chatzoglou, V. Kouliaridis, G. Karopoulos, G. Kambourakis, Revisiting QUIC attacks: A comprehensive review on QUIC security and a hands-on study, International Journal of Information Security, 2022, Springer, https://link.springer.com/article/1..., indexed in SCI-E, IF = 2.427
Built on top of UDP, the recently standardized QUIC protocol primarily aims to gradually replace the TCP plus TLS plus HTTP/2 model. For instance, HTTP/3 is designed to exploit QUIC's features, including reduced connection establishment time, multiplexing without head of line blocking, always-encrypted end-to-end security, and others. This work serves two key objectives. Initially, it offers the first to our knowledge full-fledged review on QUIC security as seen through the lens of the relevant literature so far. Second and more importantly, through extensive fuzz testing, we conduct a hands-on security evaluation against the six most popular QUIC-enabled production-grade servers. This assessment identified several effective and practical zero-day vulnerabilities, which, if exploited, can quickly overwhelm the server resources. This finding is a clear indication that the fragmented production-level implementations of this contemporary protocol are not yet mature enough. Overall, the work at hand provides the first wholemeal appraisal of QUIC security from both a literature review and empirical standpoint, and it is therefore foreseen to serve as a reference for future research in this timely area.
E. Chatzoglou, V. Kouliaridis, G. Kambourakis, G. Karopoulos, S. Gritzalis, A hands-on gaze on HTTP/3 security through the lens of HTTP/2 and a public dataset, Computers & Security, Vol. 125, 2022, Elsevier, https://www.sciencedirect.com/scien..., indexed in SCI-E, IF = 5.105
Following QUIC protocol ratification on May 2021, the third major version of the Hypertext Transfer Protocol, namely HTTP/3, was published around one year later in RFC 9114. In light of these consequential advancements, the current work aspires to provide a full-blown coverage of the following issues, which to our knowledge have received feeble or no attention in the literature so far. First, we provide a complete review of attacks against HTTP/2, and elaborate on if and in which way they can be migrated to HTTP/3. Second, through the creation of a testbed comprising the at present six most popular HTTP/3-enabled servers, we examine the effectiveness of a quartet of attacks, either stemming directly from the HTTP/2 relevant literature or being entirely new. This scrutiny led to the assignment of at least one CVE ID with a critical base score by MITRE. No less important, by capitalizing on a realistic, abundant in devices testbed, we compiled a voluminous, labeled corpus containing traces of ten diverse attacks against HTTP and QUIC services. An initial evaluation of the dataset mainly by means of machine learning techniques is included as well. Given that the 30 GB dataset is made available in both pcap and CSV formats, forthcoming research can easily take advantage of any subset of features, contingent upon the specific network topology and configuration.
F. Giannakas, V. Kouliaridis, G. Kambourakis, A closer look at machine learning effectiveness in Android malware detection, Information, pp. 1-25, 2022, MDPI, https://www.mdpi.com/journal/inform...
Nowadays, with the increasing usage of Android devices in daily life activities, malware has been increasing rapidly, putting peoples' security and privacy at risk. To mitigate this threat, several researchers have proposed different methods to detect Android malware. Recently, machine learning based models have been explored by a significant mass of researchers checking for Android malware. However, selecting the most appropriate model is not straightforward, since there are several aspects that must be considered. Contributing to this domain, the current paper explores Android malware detection from diverse perspectives; this is done by optimizing and evaluating various machine learning algorithms. Specifically, we conducted an experiment for training, optimizing, and evaluating 27 machine learning algorithms, and a Deep Neural Network (DNN). During the optimization phase, we performed hyperparameter analysis using the Optuna framework. The evaluation phase includes the measurement of different performance metrics against a contemporary, rich dataset, to conclude to the most accurate model. The best model was further interpreted by conducting feature analysis, using the Shapley Additive Explanations (SHAP) framework. Our experiment results showed that the best model is the DNN consisting of 4 layers (two hidden), using the Adamax optimizer, as well as the Binary Cross-Entropy (loss), and the Softsign activation functions. The model succeeded 86% prediction accuracy, while the balanced accuracy, the F1-score, and the ROC-AUC metrics were at 82%.
Ioannis Stylios, A. Skalkos, M. Karyda, S. Kokolakis, BioPrivacy: a behavioral biometrics continuous authentication system based on keystroke dynamics and touch gestures, Information & Computer Security, Vol. 30, No. 5, pp. 687-704, 2022, Emerald Publishing Limited, https://www.emerald.com/insight/con...
E. Chatzoglou, G. Kambourakis, C. Kolias, How is your Wi-Fi connection today? DoS attacks on WPA3-SAE, Journal of Information Security and Applications, Vol. 64, 2022, Elsevier, https://www.sciencedirect.com/scien..., indexed in SCI-E, IF = 3.872
WPA3-Personal renders the Simultaneous Authentication of Equals (SAE) password-authenticated key agreement method mandatory. The scheme achieves forward secrecy and is highly resistant to offline brute-force dictionary attacks. Given that SAE is based on the Dragonfly handshake, essentially a simple password exponential key exchange, it remains susceptible to clogging type of attacks at the Access Point side. To resist such attacks, SAE includes an anti-clogging scheme. To shed light on this contemporary and high-stakes issue, this work offers a full-fledged empirical study on Denial of Service (DoS) against SAE. By utilizing both real-life modern Wi-Fi 6 certified and non-certified equipment and the OpenBSD's hostapd, we expose a significant number of novel DoS assaults affecting virtually any AP. No less important, more than a dozen of vendor-depended and severe zero-day DoS assaults are manifested, showing that the implementation of the protocol by vendors is not yet mature enough. The fallout of the introduced attacks to the associated stations ranges from a temporary loss of Internet connectivity to outright disconnection. To our knowledge, this work provides the first wholemeal appraisal of SAE's mechanism endurance against DoS, and it is therefore anticipated to serve as a basis for further research in this timely and intriguing area.
A. Skalkos, Ioannis Stylios, M. Karyda, S. Kokolakis, Users’ Privacy Attitudes towards the Use of Behavioral Biometrics Continuous Authentication (BBCA) Technologies: A Protection Motivation Theory Approach, Journal of Cybersecurity and Privacy, Vol. 1, No. 4, pp. 24, 2021, MDPI, https://www.mdpi.com/2624-800X/1/4/...
Smartphone user authentication based on passwords, PINs, and touch patterns raises several security concerns. Behavioral Biometrics Continuous Authentication (BBCA) technologies provide a promising solution which can increase smartphone security and mitigate users’ concerns. Until now, research in BBCA technologies has mainly focused on developing novel behavioral biometrics continuous authentication systems and their technical characteristics, overlooking users’ attitudes towards BBCA. To address this gap, we conducted a study grounded on a model that integrates users’ privacy concerns, trust in technology, and innovativeness with Protection Motivation Theory. A cross-sectional survey among 778 smartphone users was conducted via Amazon Mechanical Turk (MTurk) to explore the factors which can predict users’ intention to use BBCA technologies. Our findings demonstrate that privacy concerns towards intention to use BBCA technology have a significant impact on all components of PMT. Further to this, another important construct we identified that affects the usage intention of BBCA technology is innovativeness. Our findings posit the view that reliability and trustworthiness of security technologies, such as BBCA are important for users. Together, these results highlighted the importance of addressing users’ perceptions regarding BBCA technology.
G. M. Makrakis, C. Kolias, G. Kambourakis, C. Rieger, J. Benjamin, Industrial and Critical Infrastructure Security: Technical Analysis of Real-Life Security Incidents, IEEE Access, 2021, IEEE Press, https://ieeexplore.ieee.org/documen..., indexed in SCI-E, IF = 3.367
Critical infrastructures and industrial organizations aggressively move towards integrating elements of modern Information Technology (IT) into their monolithic Operational Technology (OT) architectures. Yet, as OT systems progressively become more and more interconnected, they silently have turned into alluring targets for diverse groups of adversaries. Meanwhile, the inherent complexity of these systems, along with their advanced-in-age nature, prevents defenders from fully applying contemporary security controls in a timely manner. Forsooth, the combination of these hindering factors has led to some of the most severe cybersecurity incidents of the past years. This work contributes a full-fledged and up-to-date survey of the most prominent threats and attacks against Industrial Control Systems and critical infrastructures, along with the communication protocols and devices adopted in these environments. Our study highlights that threats against critical infrastructure follow an upward spiral due to the mushrooming of commodity tools and techniques that can facilitate either the early or late stages of attacks. Furthermore, our survey exposes that existing vulnerabilities in the design and implementation of several of the OT-specific network protocols and devices may easily grant adversaries the ability to decisively impact physical processes. We provide a categorization of such threats and the corresponding vulnerabilities based on various criteria. As far as we are aware, this is the first time an exhaustive and detailed survey of this kind is attempted.
G. Karopoulos, J. L. Hernandez-Ramos, V. Kouliaridis, G. Kambourakis, A Survey on Digital Certificates Approaches for the COVID-19 Pandemic, IEEE Access, Vol. 9, pp. 138003 -138025, 2021, IEEE Press, https://ieeexplore.ieee.org/documen..., indexed in SCI-E, IF = 3.367
Digital COVID-19 certificates serve as reliable proof that an individual was vaccinated, tested negative, or healed from COVID-19, facilitating health, occupational, educational, and travel activities during the pandemic. This paper contributes the first to our knowledge state-of-the-art and holistic review of this ecosystem, attempting to answer the following questions: 1) is there a harmonization among academia, organizations, and governments in terms of the certificate deployment technology?; 2) what is the proliferation of such schemes worldwide and how similar are they?; 3) are smartphone applications that accompany such schemes privacy-preserving from an end-user’s perspective? To respond to these questions, a four-tier approach is followed: (a) we scrutinize the so far academic works suggesting some type of digital certificate, highlighting common characteristics and weaknesses; (b) we constructively report on the different initiatives proposed by organizations or alliances; (c) we briefly review 54 country initiatives around the globe; and (d) we analyze both statically and dynamically all official Android smartphone applications offered for such certificates to reveal possible hiccups affecting the security or privacy of the end-user. From a bird’s eye view, the great majority of the proposed or developed schemes follow either the blockchain model or the asymmetric cryptosystem, the spread of schemes especially in Europe and partly in Asia is high, some degree of distinctiveness among the relevant schemes developed by countries does exist, and there are substantial variations regarding the privacy level of the applications between Europe on the one hand and Asia and America on the other.
P. Dedousis, G. Stergiopoulos, G. Arampatzis, D. Gritzalis, A security-aware framework for designing in-dustrial engineering processes, IEEE ACCESS, 2021, IEEE,
C. Xarhoulacos , A. Anagnostopoulou, G. Stergiopoulos, D. Gritzalis, Misinformation vs. situational awareness: The art of deception and the need for cross-domain detection, Sensors (Special Issue: Cyber Situational Awareness), 2021, MDPI,
C. Xarhoulacos , A. Anagnostopoulou, G. Stergiopoulos, D. Gritzalis, Misinformation vs. situational awareness: The art of deception and the need for cross-domain detection, Sensors (Special Issue: Cyber Situational Awareness), 2021, MDPI,
V. Malamas, F. Chantzis, T. Dasaklis, G. Stergiopoulos, P. Kotzanikolaou, C. Douligeris, Risk Assessment Methodologies for the Internet of Medical Things: A Survey and Comparative Appraisal, IEEE ACCESS, Vol. 9, 2021, IEEE ,
G. Stergiopoulos, D. Gritzalis, A. Anagnostopoulou, E. Vasilellis , Dropping malware through sound injection: A comparative analysis on Android operating systems, Computers & Security, 2021,
P. Dedousis, G. Stergiopoulos, D. Gritzalis, An improved bit masking technique to enhance covert channel attacks in everyday IT systems, ICETE 2020: E-Business and Telecommunications, 2021, Springer,
E. Chatzoglou, G. Kambourakis, C. Kolias, WiF0: All Your Passphrase Are Belong to Us, IEEE Computer, Vol. 54, No. 7, pp. 82-88, 2021, IEEE Press, https://www.computer.org/csdl/magaz..., indexed in SCI-E, IF = 2.683
No nontrivial software system can be built without regard for security. Even noncritical software systems can be used as an entry point to the critical systems to which they are connected, for example, exploiting system vulnerabilities to steal passwords for login and network access. This article describes one such attack.
T. Papaioannou, A. Tsohou, M. Karyda, Forming Digital Identities in Social Networks: The Role of Privacy Concerns and Self-Esteem, Information and Computer Security, Vol. 29, No. 2, pp. 240-262, 2021, Emerald,
V. Kouliaridis, G. Kambourakis, E. Chatzoglou, D. Geneiatakis, H. Wang, Dissecting contact tracing apps in the Android platform, PLOS One, Vol. 16, No. 5, pp. 1-28, 2021, Public Library of Science, https://journals.plos.org/plosone/a..., indexed in SCI-E, IF = 3.240
Contact tracing has historically been used to retard the spread of infectious diseases, but if it is exercised by hand in large-scale, it is known to be a resource-intensive and quite deficient process. Nowadays, digital contact tracing has promptly emerged as an indispensable asset in the global fight against the coronavirus pandemic. The work at hand offers a meticulous study of all the official Android contact tracing apps deployed hitherto by European countries. Each app is closely scrutinized both statically and dynamically by means of dynamic instrumentation. Depending on the level of examination, static analysis results are grouped in two axes. The first encompasses permissions, API calls, and possible connections to external URLs, while the second concentrates on potential security weaknesses and vulnerabilities, including the use of trackers, in-depth manifest analysis, shared software analysis, and taint analysis. Dynamic analysis on the other hand collects data pertaining to Java classes and network traffic. The results demonstrate that while overall these apps are well-engineered, they are not free of weaknesses, vulnerabilities, and misconfigurations that may ultimately put the user security and privacy at risk.
V. Kouliaridis, G. Kambourakis, A Comprehensive Survey on Machine Learning Techniques for Android Malware Detection, Information, Vol. 12, No. 5, pp. 1-12, 2021, MDPI, https://www.mdpi.com/2078-2489/12/5...
Year after year, mobile malware attacks grow in both sophistication and diffusion. As the open source Android platform continues to dominate the market, malware writers consider it as their preferred target. Almost strictly, state-of-the-art mobile malware detection solutions in the literature capitalize on machine learning to detect pieces of malware. Nevertheless, our findings clearly indicate that the majority of existing works utilize different metrics and models and employ diverse datasets and classification features stemming from disparate analysis techniques, i.e., static, dynamic, or hybrid. This complicates the cross-comparison of the various proposed detection schemes and may also raise doubts about the derived results. To address this problem, spanning a period of the last seven years, this work attempts to schematize the so far ML-powered malware detection approaches and techniques by organizing them under four axes, namely, the age of the selected dataset, the analysis type used, the employed ML techniques, and the chosen performance metrics. Moreover, based on these axes, we introduce a converging scheme which can guide future Android malware detection techniques and provide a solid baseline to machine learning practices in this field.
E. Chatzoglou, G. Kambourakis, V. Kouliaridis, A Multi-Tier Security Analysis of Official Car Management Apps for Android, Future Internet, Vol. 13, No. 3, pp. 1-35, 2021, MDPI, https://www.mdpi.com/1999-5903/13/3...
Using automotive smartphone applications (apps) provided by car manufacturers may offer numerous advantages to the vehicle owner, including improved safety, fuel efficiency, anytime monitoring of vehicle data, and timely over-the-air delivery of software updates. On the other hand, the continuous tracking of the vehicle data by such apps may also pose a risk to the car owner, if, say, sensitive pieces of information are leaked to third parties or the app is vulnerable to attacks. This work contributes the first to our knowledge full-fledged security assessment of all the official single-vehicle management apps offered by major car manufacturers who operate in Europe. The apps are scrutinised statically with the purpose of not only identifying surfeits, say, in terms of the permissions requested, but also from a vulnerability assessment viewpoint. On top of that, we run each app to identify possible weak security practices in the owner-to-app registration process. The results reveal a multitude of issues, ranging from an over-claim of sensitive permissions and the use of possibly privacy-invasive API calls, to numerous potentially exploitable CWE and CVE-identified weaknesses and vulnerabilities, the, in some cases, excessive employment of third-party trackers, and a number of other flaws related to the use of third-party software libraries, unsanitised input, and weak user password policies, to mention just a few.
E. Chatzoglou, G. Kambourakis, C. Kolias, Empirical Evaluation of Attacks Against IEEE 802.11 Enterprise Networks: The AWID3 Dataset, IEEE Access, Vol. 9, pp. 34188-34205, 2021, IEEE, https://ieeexplore.ieee.org/abstrac..., indexed in SCI-E, IF = 3.367
This work serves two key objectives. First, it markedly supplements and extends the well-known AWID corpus by capturing and studying traces of a wide variety of attacks hurled in the IEEE 802.1X Extensible Authentication Protocol (EAP) environment. Second, given that all the 802.11-oriented attacks have been carried out when the defenses introduced by Protected Management Frames (PMF) were operative, it offers the first to our knowledge full-fledged empirical study regarding the robustness of the IEEE 802.11w amendment, which is mandatory for WPA3 certified devices. Under both the aforementioned settings, the dataset, and study at hand are novel and are anticipated to be of significant aid towards designing and evaluating intrusion detection systems. Moreover, in an effort to deliver a well-rounded dataset of greater lifespan, and under the prism of an attacker escalating their assault from the wireless MAC layer to higher ones, we have additionally included several assaults that are common to IEEE 802.3 networks. Since the corpus is publicly offered in the form of raw cleartext pcap files, future research can straightforwardly exploit any subset of features, depending on the particular application scenario.
J. L. Hernandez-Ramos, G. Karopoulos, D. Geneiatakis, T. Martin, G. Kambourakis, I. N. Fovino, Sharing pandemic vaccination certificates through blockchain: Case study and performance evaluation, Wireless Communications and Mobile Computing, Vol. 2021, No. 2427896, pp. 1-12, 2021, Hindawi, https://www.hindawi.com/journals/wc..., indexed in SCI-E, IF = 2.336
During 2021, different worldwide initiatives have been established for the development of digital vaccination certificates to alleviate the restrictions associated to the COVID-19 pandemic to vaccinated individuals. Although diverse technologies can be considered for the deployment of such certificates, the use of blockchain has been suggested as a promising approach due to its decentralization and transparency features. However, the proposed solutions often lack realistic experimental evaluation that could help to determine possible practical challenges for the deployment of a blockchain platform for this purpose. To fill this gap, this work introduces a scalable, blockchain-based platform for the secure sharing of COVID-19 or other disease vaccination certificates. As an indicative use case, we emulate a large-scale deployment by considering the countries of the European Union. The platform is evaluated through extensive experiments measuring computing resource usage, network response time, and bandwidth. Based on the results, the proposed scheme shows satisfactory performance across all major evaluation criteria, suggesting that it can set the pace for real implementations. Vis-a-vis the related work, the proposed platform is novel, especially through the prism of a large-scale, full-fledged implementation and its assessment.
Stylios, I.C., S. Kokolakis, Thanou, O., Chatzis, S., Behavioral Biometrics & Continuous User Authentication on Mobile Devices: A Survey, Information Fusion, Vol. 66, pp. 76-99, 2021, , indexed in SCI-E
Ioannis Stylios, S. Kokolakis, A. Skalkos, Chatzis, S., BioGames: A new Paradigm and a Behavioral Biometrics Collection Tool for Research Purposes, Information & Computer Security, Vol. 30, No. 2, pp. 243-254, 2021, https://doi.org/10.1108/ICS-12-2020...
L. Mitrou, Greece: The New Data Protection Framework, (EDPL) 1/2020, pp. 107-113, European Data Protection Law Review, Vol. 6, No. 1, pp. 107-113, 2020, LEXXION, https://doi.org/10.21552/edpl/2020...
G. Lykou, P. Dedousis, G. Stergiopoulos, D. Gritzalis, Assessing Interdependencies and Congestion Delays in the Aviation Network, IEEE ACCESS, 2020, IEEE ,
D. Koutras, G. Stergiopoulos, T. Dasaklis, P. Kotzanikolaou, D. Glynos, C. Douligeris, Security in IoMT Communications: A survey, SENSORS Journal, 2020, MDPI,
G. Stergiopoulos, D. Gritzalis, V. Limnaios, Cyber-attacks on the Oil & Gas sector: A survey on incident assessment and attack patterns, IEEE ACCESS, 2020, IEEE ,
D. Gritzalis, G. Stergiopoulos, E. Vasilellis , A. Anagnostopoulou, Readiness exercises: Are risk assessment methodologies ready for the Cloud?, Learning and Analytics in Intelligent Systems, 2020, Springer,
G. Stergiopoulos, P. Dedousis, D. Gritzalis, Αutomatic network restructuring and risk mitigation through business process asset dependency analysis, Computers and Security , Vol. 96, 2020, Elsevier,
I. Paspatis, A. Tsohou, S. Kokolakis, AppAware: a policy visualization model for mobile applications, Information & Computer Security, Vol. 28, No. 1, pp. 116-132, 2020, https://doi.org/10.1108/ICS-04-2019...
C. Kalloniatis, V. Diamantopoulou, K. Kotis, C. Lyvas, K. Maliatsos, M. Gay, A. G. Kanatas, C. Lambrinoudakis, Towards the design of an assurance framework for increasing security and privacy in connected vehicles, International Journal of Internet of Things and Cyber-Assurance, Vol. 1, No. 3-4, pp. 244-266, 2020, Inderscience Enterprises Ltd.,
C. Mesaritakis, P. Rizomiliotis, M. Akriotou, C. Chaintoutis, A. Fragkos, D. Syvridis, Photonic Pseudo-Random Number Generator for Internet-of-Things Authentication using a Waveguide based Physical Unclonable Function, Arxiv, 2020,
G. Kavalieratos, V. Diamantopoulou, S. K. Katsikas, Shipping 4.0: Security requirements for the Cyber-Enabled Ship, SS on Security and Privacy in Industry 4.0 - IEEE Transactions on Industrial Informatics, Vol. 16, No. 10, pp. 6617 - 6625, 2020, IEEE, (to_appear), https://ieeexplore.ieee.org/xpl/Rec..., indexed in SCI-E, IF = 7.377
The Cyber-Enabled Ship (C-ES) is either an autonomous or a remotely controlled vessel which relies on interconnected cyber physical-systems (CPS) for its operations. Such systems are not well protected against cyber attacks. Considering the criticality of the functions that such systems provide, it is important to address their security challenges, thereby ensuring the ship's safe voyage. In this work we leverage the Maritime Architectural Framework reference architecture to analyze and describe the environment of the C-ES. We then apply the Secure Tropos methodology to systematically elicit the security requirements of the three most vulnerable CPSs onboard a C-ES, namely the Automatic Identification System (AIS), the Electronic Chart Display Information System (ECDIS) and the Global Maritime Distress and Safety System (GMDSS). The outcome is a set of cyber security requirements for the C-ES ecosystem in general and these systems in particular.
V. Diamantopoulou, A. Androutsopoulou, S. Gritzalis, Y. Charalabidis, Preserving Digital Privacy in e-Participation Environments: Towards GDPR Compliance, Information - Special Issue "Security Requirements Engineering: Designing Secure Socio-Technical Systems", pp. 1–27, 2020, MDPI, https://www.mdpi.com/journal/inform...
The application of the General Data Protection Regulation (GDPR) 2016/679/EC, the Regulation for the protection of personal data, is a challenge and must be seen as an opportunity for the redesign of the systems that are being used for the processing of personal data. An unexplored area where systems are being used to collect and process personal data are the e-Participation environment. The latest generations of such environments refer to sociotechnical systems based on the exploitation of the increasing use of Social Media, by using them as valuable tools, able to provide answers and decision support in public policy formulation. This work explores the privacy requirements that GDPR imposes in such environments, contributing to the identification of challenges that e-Participation approaches have to deal with, with regard to privacy protection.
G. Kambourakis, C. Kolias, D. Geneiatakis, G. Karopoulos, G. M. Makrakis, I. Kounelis, A state-of-the-art review on the security of mainstream IoT Wireless PAN protocol stacks, Symmetry, 2020, MDPI, https://www.mdpi.com/2073-8994/12/4..., indexed in SCI-E, IF = 2.645
Protocol stacks specifically designed for the Internet of Things (IoT) have become commonplace. At the same time, security and privacy concerns regarding IoT technologies are also attracting significant attention given the risks that are inherently associated with the respective devices and their numerous applications, ranging from healthcare, smart homes and cities, to intelligent transportation systems and industrial automation. Considering the still heterogeneous nature of the majority of IoT protocols, a major concern is to find common references for investigating and analysing their security and privacy threats. To this end, and on top of the current literature, this work provides a comprehensive, vis-à-vis comparison of the security aspects of the so far most widespread IoT Wireless Personal Area Network (WPAN) protocols, namely, BLE, Z-Wave, Zigbee, Thread, and EnOcean. A succinct but exhaustive review of the relevant literature from 2013 up to now is offered as a side contribution.
V. Diamantopoulou, A. Tsohou, M. Karyda, From ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR Compliance Controls, Information and Computer Security, Vol. 28, No. 4, 2020, Emerald, https://www.emerald.com/insight/con...
Purpose – This paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations, can use this work i) as a basis for extending the already existing security control modules towards data protection; ii) as guidance for reaching compliance with the Regulation. Design/methodology/approach – This study has followed a two-step approach; First synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013, and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, we identified GDPR requirements not addressed by ISO/IEC 27001:2013. Findings – The findings of this work include i) the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; ii) the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; iii) the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR. Originality/value – This work provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.
A. Fakis, G. Karopoulos, G. Kambourakis, Neither Denied nor Exposed: Fixing WebRTC Privacy Leaks, Future Internet, 2020, MDPI, https://www.mdpi.com/1999-5903/12/5...
To establish peer-to-peer connections and achieve realtime web-based communication, the WebRTC framework requires address information of the communicating peers. This means that users behind, say, NAT or firewalls normally rely on the ICE framework for the sake of negotiating information about the connection and media transferring. This typically involves STUN/TURN servers, which assist the peers discover each other's private and public IP:port, and relay traffic if direct connection fails. Nevertheless, these IP:port pieces of data can be easily captured by anyone who controls the corresponding STUN/TURN server, and even more become readily available to the JavaScript application running on the webpage. While this is acceptable for a user that deliberately initiates a WebRTC connection, it becomes a worrisome privacy issue for those being unaware that such a connection is attempted. Furthermore, the application acquires more information on the local network architecture compared to what is exposed in usual HTTP interactions, where only the public IP is visible. Even though this problem is well-known in the related literature, no practical solution has been proposed so far. To this end, and for the sake of detecting and preventing in realtime the execution of STUN/TURN clandestine, privacy-invading requests, we introduce two different kinds of solutions (a) a browser extension, and (b) an HTTP gateway, implemented in C++ as well as in Golang. Both solutions detect any WebRTC API call before it happens and inform accordingly the end-user about the webpage's intentions. We meticulously evaluate the proposed schemes in terms of performance and demonstrate that even in the worst case, the latency introduced is tolerable.
V. Kouliaridis, G. Kambourakis, D. Geneiatakis, N. Potha, Two anatomists are better than one: Dual-level Android malware detection, Symmetry, Vol. 12, No. 7, 2020, MDPI, https://www.mdpi.com/2073-8994/12/7..., indexed in SCI-E, IF = 2.645
The openness of the Android operating system and its immense penetration into the market makes it a hot target for malware writers. This work introduces Androtomist, a novel tool capable of symmetrically applying static and dynamic analysis of applications on the Android platform. Unlike similar hybrid solutions, Androtomist capitalizes on a wealth of features stemming from static analysis along with rigorous dynamic instrumentation to dissect applications and decide if they are benign or not. The focus is on anomaly detection using machine learning, but the system is able to autonomously conduct signature-based detection as well. Furthermore, Androtomist is publicly available as open source software and can be straightforwardly installed as a web application. The application itself is dual mode, i.e., fully automated for the novice user and configurable for the expert one. As a proof-of-concept, we meticulously assess the detection accuracy of Androtomist against three different popular malware datasets and a handful of machine learning classifiers. We particularly concentrate on the classification performance achieved when the results of static analysis are combined with dynamic instrumentation vis-`a-vis static analysis only. Our study also introduces an ensemble approach by averaging the output of all base classification models per malware instance separately, and provides a deeper insight on the most influencing features regarding the classification process. Depending on the employed dataset, for hybrid analysis, we report notably promising to excellent results in terms of the accuracy, F1, and AUC metrics.
G. Kambourakis, Draper-Gil G., Sanchez I., What email servers can tell to Johnny: An empirical study of provider-to-provider email security, IEEE Access, 2020, IEEE Press, https://ieeexplore.ieee.org/documen..., indexed in SCI-E, IF = 4.640
With hundred billions of emails sent daily, the adoption of contemporary email security standards and best practices by the respective providers are of utmost importance to everyone of us. Leaving out the user-dependent measures, say, S/MIME and PGP, this work concentrates on the current security standards adopted in practice by providers to safeguard the communications among their SMTP servers. To this end, we developed a non-intrusive tool coined MECSA, which is publicly available as a web application service to anyone who wishes to instantly assess the security status of their email provider regarding both the inbound and outbound communication channels. By capitalising on the data collected by MECSA over a period of 15 months, that is, approximately 7,650 assessments, analysing a total of 3,236 unique email providers, we detail on the adoption rate of state-of-the-art email security extensions, including STARTTLS, SPF, DKIM, DMARC, and MTA-STS. Our results indicate a clear increase in encrypted connections and in the use of SPF, but also considerable retardation in the penetration rate of the rest of the standards. This tardiness is further aggravated by the still low prevalence of DNSSEC, which is also appraised for the email security space in the context of this work.
Martin T., G. Karopoulos, J. L. Hernandez-Ramos, G. Kambourakis, I. N. Fovino, Demystifying COVID-19 digital contact tracing: A survey on frameworks and mobile apps, Wireless Communications and Mobile Computing, 2020, Wiley/Hindawi, https://www.hindawi.com/journals/wc..., indexed in SCI-E, IF = 1.819
The coronavirus pandemic is a new reality and it severely affects the modus vivendi of the international community. In this context, governments are rushing to devise or embrace novel surveillance mechanisms and monitoring systems to fight the outbreak. The development of digital tracing apps,which among others are aimed at automatising and globalising the prompt alerting of individuals at risk in a privacy-preserving manner is a prominent example of this ongoing effort. Very promptly,a number of digital contact tracing architectures has been sprouted, followed by relevant app implementations adopted by governments worldwide. Bluetooth, and specifically its Low Energy (BLE)power-conserving variant has emerged as the most promising short-range wireless network technology to implement the contact tracing service. This work offers the first to our knowledge, full-fledged review of the most concrete contact tracing architectures proposed so far in a global scale.This endeavour does not only embrace the diverse types of architectures and systems, namely centralised, decentralised, or hybrid, but it equally addresses the client side, i.e., the apps that have been already deployed in Europe by each country. There is also a full-spectrum adversary model section,which does not only amalgamate the previous work in the topic, but also brings new insights and angles to contemplate upon.
A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, Identifying the values associated with users’ behavior towards anonymity tools through means-end analysis, Computers in Human Behavior Reports, Vol. 2C, No. 100034, 2020, Elsevier, http://www.sciencedirect.com/scienc...
N. Potha, V. Kouliaridis, G. Kambourakis, An Extrinsic Random-based Ensemble Approach for Android Malware Detection, Connection Science, 2020, Taylor and Francis, https://www.tandfonline.com/toc/cco..., indexed in SCI-E, IF = 1.042
Malware detection is a fundamental task and associated with significant applications in humanities, cybersecurity, and social media analytics. In some of the relevant studies, there is substantial evidence that heterogeneous ensembles can provide very reliable solutions, better than any individual verification model. However, so far, there is no systematic study of examining the application of ensemble methods in this task. This paper introduces a sophisticated Extrinsic Random-based Ensemble(ERBE) method where in a predetermined set of repetitions, a subset of external instances (either malware or benign) as well as classification features are randomly selected, and an aggregation function is adopted to combine the output of all base models for each test case separately. By utilising static analysis only, we demonstrate that the proposed method is capable of taking advantage of the availability of multiple external instances of different size and genre. The experimental results in AndroZoo benchmark corpora verify the suitability of a random-based heterogeneous ensemble for this task and exhibit the effectiveness of our method, in some cases improving the hitherto best reported results by more than 5%.
V. Kouliaridis, K. Barbatsalou, G. Kambourakis, S. Chen, A Survey on Mobile Malware Detection Techniques, IEICE Transactions on Information & Systems, 2020, IEICE, https://search.ieice.org/, indexed in SCI-E, IF = 0.770
Modern mobile devices are equipped with a variety of tools and services, and handle increasing amounts of sensitive information. In the same trend, the number of vulnerabilities exploiting mobile devices are also augmented on a daily basis and, undoubtedly, popular mobile platforms, such as Android and iOS, represent an alluring target for malware writers. While researchers strive to find alternative detection approaches to fight against mobile malware, recent reports exhibit an alarming increase in mobile malware exploiting victims to create revenues, climbing towards a billion-dollar industry. Current approaches to mobile malware analysis and detection cannot always keep up with future malware sophistication [2][4]. The aim of this work is to provide a structured and comprehensive overview of the latest research on mobile malware detection techniques and pinpoint their benefits and limitations.
G. Stergiopoulos, G. Chronopoulou, E. Bitsikas, N. Tsalis, D. Gritzalis, Using side channel TCP features for real-time detection of malware connections, Journal of Computer Security, 2019,
G. Stergiopoulos, N. Kapetanas, E. Vasilellis , D. Gritzalis, Leaking SCADA commands over unpadded TCP/IP encryption through differential packet size analysis, Security & Privacy, 2019,
D. Papamartzivanos, Félix Gómez Mármol, G. Kambourakis, Introducing Deep Learning Self-Adaptive Misuse Network Intrusion Detection Systems, IEEE Access, Vol. 7, No. 1, pp. 13546-13560, 2019, IEEE Press, https://ieeexplore.ieee.org/abstrac..., indexed in SCI-E, IF = TBD before next July
Intrusion detection systems (IDSs) are essential elements when it comes to the protection of an ICT infrastructure. Misuse IDSs a stable method that can achieve high attack detection rates (ADR), while keeping false alarm rates under acceptable levels. However, misuse IDSs suffer from the lack of agility, as they are unqualified to adapt to new and "unknown" environments. That is, such an IDS puts a security administrator into an intensive engineering task for keeping the IDS up-to-date every time it faces efficiency drops. Considering the extended size of modern networks and the complexity of big network traffic data, the problem exceeds by far the limits of human managing capabilities. In this regard, we propose a novel methodology which combines the benefits of self-taught learning and MAPE-K frameworks to deliver a scalable, self-adaptive and autonomous misuse IDS. Our methodology enables a misuse IDS to sustain a high ADR even if it is imposed to consecutive and drastic environmental changes. Through the utilization of deep-learning based methods, the IDS is able to grasp an attack’s nature based on generalized features reconstructions stemming directly from the unknown environment and its unlabeled data. The experimental results reveal that our methodology can breathe new life into the IDS without the constant need of manually refreshing its training set. We evaluate our proposal under several classification metrics, and we show that it is able to increase the ADR of the IDS up to 73.37% in critical situations where a statically trained IDS is rendered totally ineffective.
D. Damopoulos, G. Kambourakis, Hands-Free One-Time and Continuous Authentication Using Glass Wearable Devices, Journal of Information Security and Applications, Vol. 46, pp. 138-150, 2019, Elsevier, https://www.journals.elsevier.com/j...
This paper investigates whether glass wearable devices can be used to authenticate users, both to grant access (onetime)and to maintain access (continuous), in a hands-free way. We do so by designing and implementing Gauth, a system that enables users to authenticate with a service simply by issuing a voice command, while facing the computer terminal they are going to use to access the service. To achieve this goal, we create a physical communication channel from the terminal to the glass device using machine readable visual codes, say, QR codes, and utilize the device’s network adapter to communicate directly with a service. More importantly, we continuously authenticate the user accessing the terminal, exploiting the fact that a user operating a terminal is most likely facing it most of the time. We periodically issue authentication challenges, which are displayed as a QR code on the terminal. This causes the glass device to re-authenticate the user with an appropriate response. We thoroughly evaluate Gauth to determine the technical limits of our approach. We show that even with the relatively low-resolution camera of the current Google Glass prototype, QR codes can be consistently processed correctly with an average accuracy of 88%, and continuous authentication, while strenuous to the battery, is feasible. Finally, we perform a small user study involving students to demonstrate the benefits our our approach. We found that authentication using Gauth takes on average 1.63 seconds, while using username/password credentials takes 3.85 seconds and varies greatly depending on the computer-literacy level of the user.
C. Kalloniatis, V. Diamantopoulou, K. Kotis, C. Lyvas, K. Maliatsos, M. Gay, A. G. Kanatas, C. Lambrinoudakis, Towards the design of an assurance framework for increasing security and privacy in Connected Vehicles, International Journal of Internet of Things and Cyber-Assurance, 2019, Inderscience Publishers, (to_appear), https://www.inderscience.com/jhome....
Intelligent Transport Systems (ITS) play a key role in our daily activities. ITS development over the last decades has been based on the rapid evolution of information and communication technologies (ICT), which include processing capabilities, availability of hardware and communication technologies. Moreover, ITS use ICT to improve sustainability, efficiency, innovation and safety of transportation networks helping towards better management of transportation networks with the use of advanced technologies, which in turn facilitate monitoring and management of information. However, as the development of ITS services increases so does the users' awareness regarding the degree of trust that they demonstrate on adopting this kind of services. The later has brought to light several security and privacy concerns that ITS analysts should consider when designing and implementing various IT related services. This paper moves into this direction by identifying how risk analysis can interact with security and privacy requirements’ engineering world, in order to provide a holistic approach for reasoning about security and privacy in such complex environments like ITS systems. The key contribution of the paper is the conceptual alignment of three well-known methods (EBIOS, Secure Tropos and PriS) as the first step towards the design of a complete assurance framework that will support analysts in designing and consequently implementing secure and trustworthy ITS services.
M. Salnitri, K. Angelopoulos, M. Pavlidis, V. Diamantopoulou, C. Mouratidis, P. Giorgini, Modelling the Interplay of Security, Privacy and Trust in Sociotechnical Systems: A Computer-Aided Design Approach, Journal of Software and Systems Modeling, 2019, Springer, https://link.springer.com/journal/1..., indexed in SCI-E, IF = 1.722
Personal data has become a central asset for multiple enterprise applications and online services offered by private companies, public organisations or a combination of both. The sensitivity of such data and the continuously growing legislation that accompanies their management dictate the development of methods that allow the development of more secure, trustworthy software systems with focus on privacy protection. In this work we propose a method that combines two modelling approaches to cover both early and late requirements specification, giving emphasis on security, privacy and trust. The novelty of our proposal is that it provides the means for software designers and security experts to analyse the system-to-be from multiple aspects, starting from identifying high level goals to the definition of business process composition, and\\r\\nelicitation of mechanisms to fortify the system from external threats. Our approach, which is supported by two CASE tools, demonstrates its application to a real-world case study.
M. Zago, P. Nespoli, D. Papamartzivanos, M. G. Perez, Félix Gómez Mármol, G. Kambourakis, G. M. Perez, Screening out social bots interference: are there any silver bullets?, IEEE Communications Magazine, 2019, IEEE Press, https://www.comsoc.org/publications..., indexed in SCI-E, IF = TBD before next July
Social networks are nowadays a primary source of news and information that can be steered, distorted, and influenced. Recent scandals such as the Cambridge Analytics proved that social media users are prone to such direct manipulation. Among the weapons available to perform these antidemocracy attacks, Social Bots are beyond question the most powerful one. These autonomous entities constitute coordinated armies which sneakily manipulate and deceive real users. Thus, our research identifies five major challenges that the research community needs to face toward tackling Social Bots activities in four individual but comparable scenarios. To address these key challenges, we propose, elaborate, and evaluate on a mix of remedies in the form of a proof-of-concept platform combining the agility of Artificial Intelligence with the expertise of human analysts to detect and shield against Social Bots interference
V. Diamantopoulou, C. Mouratidis, Practical Evaluation of a Reference Architecture for the Management of Privacy Level Agreements, Information and Computer Security, 2019, Emerald, http://www.emeraldgrouppublishing.c...
With the enforcement of the General Data Protection Regulation, any entity seeking compliance to specific privacy- and security-related requirements, the adoption of Privacy by Design and Security by Design principles can be considered as a legal obligation for any such entity processing EU citizens’ personal data. A formal way to support Data Controllers towards their compliance to the new Regulation could be the use of a Privacy Level Agreement (PLA), a mutual agreement of the privacy settings between a Data Controller and a Data Subject, that supports privacy management, by analysing privacy threats, vulnerabilities and Information Systems’ trust relationships. However, the concept of PLA has only been proposed on a theoretical level. In this paper, we propose a novel reference architecture to enable PLA management in practice, and we report on the application and evaluation of PLA management. To this aim, two different domains have been selected acting as real-life case studies, the public administration and the healthcare, where special categories of personal data is processed. The results of this evaluation are rather positive, indicating that the adoption of such an agreement promotes the transparency of an organisation while enhances Data Subjects’ trust.
I. Topa, M. Karyda, From Theory to Practice: Guidelines for Enhancing Information Security Management, Journal of Information and Computer Security, Vol. 27, No. 3, pp. 326-342, 2019, Emerald Publishing
This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005. Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices. The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards. This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance. This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.
F. Giannakas, A. Papasalouros, G. Kambourakis, S. Gritzalis, A comprehensive cybersecurity learning platform for elementary education, Information Security Journal: A Global Perspective, Vol. 28, No. 3, pp. 81-106, 2019, Taylor and Francis, https://www.tandfonline.com/toc/uis...
For elementary students, security and privacy education is anticipated to be more joyful when the knowledge is delivered in the form of a digital game-based learning activity. This paper details on the development of a novel learning platform that comprises a web-based Learning Content Management Systems (LCMS) and a mo- bile client application (app) for educating and raising young learners' awareness on basic cybersecurity and privacy issues. The app, which comprises a suite of quick games, can be played either in standalone or in client/server mode and it is especially destined to elementary students. Further, due to the anytime and anywhere characteristics of the app, it can be experienced as a classroom or an outdoor learning activity. Contrary to analogous studies found in the literature so far, during the design phase of the app, our focus was not solely on its technological aspects, but we uniformly paid special attention to the educational factor by applying the Attention, Relevance, Confidence, and Satisfaction (ARCS) model of motivation. A preliminary evaluation of the app, including learning e ectiveness, usability, and user's satisfaction was conducted with 52 elementary-aged students. Among others, the results show that the interaction with the app significantly increases the mean performance of the participants by almost 20%.
K. Vemou, M. Karyda, Evaluating privacy impact assessment methods: guidelines and best practice, Information & Computer Security, 2019, Emerald Publishing Limited, https://doi.org/10.1108/ICS-04-2019...
(Purpose) This paper aims to practically guide privacy impact assessment (PIA) implementation by proposing a PIA process incorporating best practices from existing PIA guidelines and privacy research. (Design/methodology/approach) This paper critically reviews and assesses generic PIA methods proposed by related research, data protection authorities and standard’s organizations, to identify best practices and practically support PIA practitioners. To address identified gaps, best practices from privacy literature are proposed. (Findings) This paper proposes a PIA process based on best practices, as well as an evaluation framework for existing PIA guidelines, focusing on practical support to PIA practitioners. (Practical implications) The proposed PIA process facilitates PIA practitioners in organizing and implementing PIA projects. This paper also provides an evaluation framework, comprising a comprehensive set of 17 criteria, for PIA practitioners to assess whether PIA methods/guidelines can adequately support requirements of their PIA projects (e.g. special legal framework and needs for PIA project organization guidance). (Originality/value) This research extends PIA guidelines (e.g. ISO 29134) by providing comprehensive and practical guidance to PIA practitioners. The proposed PIA process is based on best practices identified from evaluation of nine commonly used PIA methods, enriched with guidelines from privacy literature, to accommodate gaps and support tasks that were found to be inadequately described or lacking practical guidance.
K. Vemou, M. Karyda, Requirements for Private Communications over Public Spheres, Information and Computer Security, Vol. 28, No. 1, pp. 68-96, 2019, Emerald Publishing Limited, https://doi.org/10.1108/ICS-01-2019...
(Purpose) In the Web 2.0 era, users massively communicate through social networking services (SNS), often under false expectations that their communications and personal data are private. This paper aims to analyze privacy requirements of personal communications over a public medium. (Design/methodology/approach) This paper systematically analyzes SNS services as communication models and considers privacy as an attribute of users’ communication. A privacy threat analysis for each communication model is performed, based on misuse scenarios, to elicit privacy requirements per communication type. (Findings) This paper identifies all communication attributes and privacy threats and provides a comprehensive list of privacy requirements concerning all stakeholders: platform providers, users and third parties. (Originality/value) Elicitation of privacy requirements focuses on the protection of both the communication’s message and metadata and takes into account the public–private character of the medium (SNS platform). The paper proposes a model of SNS functionality as communication patterns, along with a method to analyze privacy threats. Moreover, a comprehensive set of privacy requirements for SNS designers, third parties and users involved in SNS is identified, including voluntary sharing of personal data, the role of the SNS platforms and the various types of communications instantiating in SNS.
P. Mavriki, M. Karyda, Automated data- driven profiling: Threats for group privacy, Information and Computer Security, 2019, Emerald , (to_appear),
G. Stergiopoulos, E. Valvis, D. Mitrodimas, D. Lekkas, D. Gritzalis, Analyzing congestion interdependencies of ports and container ship routes in the maritime network infrastructure, IEEE ACCESS, Vol. 6, 2018, IEEE ,
G. Stergiopoulos, D. Gritzalis, V. Kouktzoglou, Using formal distributions for threat likelihood estimation in cloud-enabled IT risk assessment, Computer Networks, 2018, Elsevier,
Z. Tsiatsikas, G. Kambourakis, D. Geneiatakis, H. Wang, The devil is in the detail: SDP-driven malformed message attacks and mitigation in SIP ecosystems, IEEE Access, Vol. 7, pp. 2401-2417, 2018, IEEE Press, https://ieeexplore.ieee.org/abstrac..., indexed in SCI-E, IF = TBD before next July
VoIP services in general, and Session Initiation Protocol (SIP) ones in particular, continue to grow at a fast pace and have already become a key component of Next Generation Networks (NGN). Despite this proliferation, SIP-based services expose a large attack surface for perpetrators and especially those who seek to cause Denial of Service (DoS). While so far a plethora of works in the literature have been devoted to the detection of DoS attacks in SIP ecosystems, the focus is on those which exploit SIP headers neglecting the message body. In an effort to fill this gap, the work at hand concentrates on the detection of DoS attacks which instead capitalize on the Session Description Protocol (SDP) part of SIP requests. To this end, we not only scrutinize this ilk of attacks and demonstrate their effect against the end-user, but also develop an open source extensible SDP parser module capable of detecting intentionally or unintentionally crafted SDP segments parasitizing in SIP requests. Following a firewall-based logic,currently, the parser incorporates 100 different rules organized in 4 categories (policies) based on the corresponding RFC [1]. Through extensive experimentation, we show that our scheme induces negligible overhead in terms of processing time when working as a software module in either the SIP proxy or a separate machine in front of the latter.
D. Papamartzivanos, Félix Gómez Mármol, G. Kambourakis, Dendron: Genetic Trees driven Rule Induction for Network Intrusion Detection Systems, Future Generation Computer Systems, Vol. 79, No. 2, pp. 558-574, 2018, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E
Intrusion detection systems (IDSs) are essential entities in a network topology aiming to safeguard the integrity and availability of sensitive assets in the protected systems. In misuse detection systems, which is the topic of the paper at hand, the detection process relies on specific attack signatures (rules) in an effort to distinguish between legitimate and malicious network traffic. Generally, three major challenges are associated with any IDS of this category: identifying patterns of new attacks with high accuracy, ameliorating the human-readability of the detection rules, and rightly designating the category these attacks belong to. To this end, we propose Dendron, a methodology for generating new detection rules which are able to classify both common and rare types of attacks. Our methodology takes advantage of both Decision Trees and Genetic Algorithms for the sake of evolving linguistically interpretable and accurate detection rules. It also integrates heuristic methods in the evolutionary process aiming to deal with the challenging nature of the network traffic, which generally biases machine learning techniques to neglect the minority classes of a dataset. The experimental results, using KDDCup'99, NSL-KDD and UNSW-NB15 datasets, reveal that Dendron is able to achieve superior results over other state-of-the-art and legacy techniques under several classification metrics, while at the same time is able to significantly detect rare intrusive incidents.
F. Giannakas, G. Kambourakis, A. Papasalouros, S. Gritzalis, A critical review of 13 years of Mobile Game-based Learning, Educational Technology Research and Development, Vol. 66, pp. 341-384, 2018, Springer, http://rdcu.be/BdTM, indexed in SCI-E, IF = 2.115
With the increasing popularity of smartphones and tablets, Game-Based Learning (GBL) is undergoing a rapid shift to mobile platforms. This transformation is driven by mobility, wireless interfaces, and built-in sensors that these smart devices offer in order to enable blended and context-sensitive mobile learning (m-Learning) activities. Thus, m-Learning is becoming more independent and ubiquitous (u-Learning). In order to identify and analyze the main trends and the future challenging issues involved in designing mGBL learning strategies, as well as to bring to the foreground important issues pertaining to mobile and context-aware ubiquitous GBL, the work at hand conducts a comprehensive survey of this particular area. Specifically, it introduces and applies a six-dimensional framework consisted of Spatio-temporal, Collaboration/Social, Session, Personalization, Data security & privacy, and Pedagogy, with the aim of scrutinizing the contributions in the field of mGBL published from 2004 to 2016. It was found that the transition to mGBL presents several difficulties, and therefore cannot be conceived as a simple and quick modification of existing GBL solutions. In this respect, this work is anticipated to foster the development of well-designed solutions that are intensive not only in their technological aspect, but in pedagogical qualities as well.
Pantaleone Nespoli, D. Papamartzivanos, Félix Gómez Mármol, G. Kambourakis, Optimal countermeasures selection against cyber attacks: A comprehensive survey on reaction frameworks, IEEE Communications Surveys and Tutorials, Vol. 20, No. 2, pp. 1361-1396, 2018, IEEE Press, http://ieeexplore.ieee.org/document..., indexed in SCI-E, IF = 17.188
It is without doubt that today the volume and sophistication of cyber attacks keeps consistently growing, militating an endless arm race between attackers and defenders. In this context, full-fledged frameworks, methodologies, or strategies that are able to offer optimal or near-optimal reaction in terms of countermeasure selection, preferably in a fully or semi-automated way, are of high demand. This is reflected in the literature, which encompasses a significant number of major works on this topic spanning over a time period of 5 years, that is, from 2012 to 2016. The survey at hand has a dual aim, namely: first, to critically analyze all the pertinent works in this field, and second to offer an in-depth discussion and side-by-side comparison among them based on 7 common criteria. Also, a quite extensive discussion is offered to highlight on the shortcomings and future research challenges and directions in this timely area.
V. Diamantopoulou, C. Mouratidis, Applying the Physics of Notation to the Evaluation of a Security and Privacy Requirements Engineering Methodology, Information and Computer Security, Vol. 26, No. 4, pp. 382-400, 2018, Emerald Publishing Limited, https://www.emeraldinsight.com/epri...
Security and Privacy Requirements Engineering Methodologies are considered an important part of the development process of systems, especially for the ones that contain and process a large amount of critical information and inevitably need to remain secure and thus, ensuring privacy. These methodologies provide techniques, methods, and norms for tackling security and privacy issues in Information Systems. In this process, the utilisation of effective, clear and understandable modelling languages with sufficient notation is of utmost importance, since the produced models are used not only among IT experts or among security specialists, but also for communication among various stakeholders, in business environments or among novices in an academic environment. This paper evaluates the effectiveness of a Security and Privacy Requirements Engineering Methodology, namely Secure Tropos, on the nine principles of the Theory of Notation. Our qualitative analysis revealed a partial satisfaction of these principles.
G. Fotiadis, E. Konstantinou, Generating Pairing-Friendly Elliptic Curve Parameters Using Sparse Families, Journal of Mathematical Cryptology, Vol. 12, No. 2, pp. 83-99, 2018, Walter de Gruyter GmbH, Berlin/Boston, https://doi.org/10.1515/jmc-2017-00...
G. Fotiadis, E. Konstantinou, TNFS Resistant Families of Pairing-Friendly Elliptic Curves, Journal of Theoretical Computer Science, 2018, Elsevier, (to_appear),
C. Mouratidis, V. Diamantopoulou, A Security Analysis Method for Industrial Internet of Things, Applied Cryptography, Security, and Trust Computing for Industrial Internet-of-Things, Vol. 14, No. 9, pp. 4093-4100, 2018, IEEE Transactions on Industrial Informatics, https://ieeexplore.ieee.org/abstrac..., indexed in SCI-E, IF = 6.764
The Industrial Internet of Things (IIoT) provide an opportunity for industries to build large interconnected systems that utilise various technologies such as personal computers, wireless devices, and sensor devices and bring together the cyber and the physical world. Such systems provide us with huge advantages but they also introduce major security challenges at both the design and runtime stages. The literature argues for the need to introduce security-by-design methods, which enable security analysis and mitigation of security threats. This paper proposes a novel security-by-design method for IIoT environments across two different levels, design/modelling and runtime/simulation. Our method supports analysis of security requirements and identification of attack paths and their integration for the mitigation of potential vulnerabilities. We demonstrate its applicability through a real case study on a critical environment from the maritime sector which demonstrates that our method helps to identify security mechanisms to mitigate attacks on critical assets.
L. Mitrou, A. Vorras, Artificial Intelligence and Personal Data – A perception in the light of the European General Data Protection Regulation (ΕU) 2016/679, DIKAIO MESON ENIMEROSIS KAI EPIKOINONIAS (DIMEE), No. 4, pp. 460-466, 2018, NOMIKI VIVLIOTHIKI,
P. Mavriki, M. Karyda, Big Data analysis in political communication: Implications for Group Privacy , International Journal of Electronic Governance, 2018, (to_appear)
A growing body of academic literature explores the implications of the adoption of big data analytics technologies in the area of political marketing and communication. While academic and public discourse on privacy focuses on the individual level, this paper explores a scarcely studied issue: group privacy. We elaborate on the importance and role of group privacy and we identify and analyse threats to group privacy that stem from exploiting big data for political purposes. This paper argues that the use of big data analysis technologies in a political context can have severe implications for group privacy such as (political) targeting of particular groups and biased decision making based on group behaviour. We also show that threats to group privacy may have long term implications for society, e.g. with regard to the impact of populist movements.
Pipyros K., Thraskias Ch. , L. Mitrou, D. Gritzalis, Apostolopoulos T., A new strategy for improving cyber-attack evaluation in the context of Tallinn Manual, Computers and Security, No. 74, pp. 371-383, 2018,
Pipyros K., L. Mitrou, Cyberattack or cyberwar?, DIMEE, No. 2, pp. 192-201, 2018
G. Stergiopoulos, E. Valvis, F. Anagnou - Misyris, N. Bozovic, D. Gritzalis, Interdependency analysis of junctions for congestion mitigation in transportation infrastructure, ACM SIGMETRICS Performance Evaluation Review, Vol. 45, 2017, ACM ,
G. Stergiopoulos, V. Kouktzoglou, M. Theoharidou, D. Gritzalis, A process-based dependency risk analysis methodology for critical infrastructures, International Journal of Critical Infrastructures (Special Issue), Vol. 13, 2017,
G. Stergiopoulos, P. Katsaros, D. Gritzalis, Program analysis with risk-based classification of dynamic invariants for logical error detection, Computers & Security (CoSe), Vol. 71, 2017, Elsevier,
V. Diamantopoulou, A. Androutsopoulou, Y. Charalabidis, Towards a Taxonomy of Services Offered by Start-up business Incubators: Insights from the Mediterranean Region, International Journal of Entrepreneurship and Small Business, Vol. 33, No. 4, pp. 494-513, 2017, Inderscience Publishers
Business incubation aims at stimulating entrepreneurship and nurturing ideas to transform them to viable ventures and drive economic growth. Since the emergence of the concept, some decades ago, the incubation process and its underlying services have been evolved, while incubators around the world are continuously increasing. These incubators vary according to their type, operation model and specialisation. The aim of this paper is to define a comprehensive framework that serves as a basis for the categorisation of all services that can be part of the incubation process. The proposed taxonomy, comprised of 8 core service categories, has then been applied on ten University associated incubators from the Mediterranean region, since the various socio-economic conditions encountered there, cause particular interest in the prospect of entrepreneurship. An indicative sample of five European, Middle East and North African countries (i.e. Italy, Greece, Turkey, Israel, Egypt) has been defined, with the Mediterranean Sea uniting them and shaping their unique characteristics. We selected to focus on the University incubators from this area as they bridge the innovation potential of research and academia communities with the real business world and can underpin a sustainable and robust entrepreneurship model. By mapping the sample with the categories of services they offer, we intended to find out how they differentiate from other types of incubators. It was concluded that University incubators fall shorter only in the provision of administrative services in relation to the typical incubators. However, the purpose of this framework is to be further used as a tool both for policy makers’ and support their resource allocation decisions and help the internal stakeholders of incubator activities identify and adopt best practice models.
S. Vidros, C. Kolias, G. Kambourakis, L. Akoglu, Automatic Detection of Online Recruitment Frauds: Characteristics, Methods, and a Public Dataset, Future Internet, 2017, MDPI, http://www.mdpi.com/1999-5903/9/1/6
The critical process of hiring has relatively recently been ported to the cloud. Specifically, the automated systems responsible for completing the recruitment of new employees in an online fashion, aim to make the hiring process more immediate, accurate and cost-efficient. However, the online exposure of such traditional business procedures has introduced new points of failure that may lead to privacy loss for applicants and harm the reputation of organizations. So far, the most common case of Online Recruitment Frauds (ORF), is employment scam. Unlike relevant online fraud problems, the tackling of ORF has not yet received the proper attention, remaining largely unexplored until now. Responding to this need, the work at hand defines and describes the characteristics of this severe and timely novel cyber security research topic. At the same time, it contributes and evaluates the first to our knowledge publicly available dataset of 17,880 annotated job ads, retrieved from the use of a real-life system.
A. Tsohou, E. Kosta, Enabling valid informed consent for location tracking through privacy awareness of users: A process theory, Computer Law & Security Review: The International Journal of Technology Law and Practice, 2017, (to_appear), http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.373
People use mobile applications installed in their smartphones and mobile devices for increasingly more purposes in their everyday life; they check the local weather, road traffic, personalised local news, their personalised favourite social network etc. At the same time, application developers and market stores deploy mobile applications that collect vast amounts of information on mobile users, such as their age, gender, location or specific phone identifiers. Numerous studies illustrate that mobile applications collect valuable information about users and use it for profiling the users for their own purposes or sell this information for commercial interests. Therefore, the topic of consent to information processing becomes increasingly more interesting for researchers, legal experts and practitioners. In this paper, we examine the issue of valid informed consent for location tracking by mobile phone users. We first analyse the legal premises for informed consent that represent requirements for mobile application developers and providers who request consent. However, the ones who actually give consent are the mobile users and therefore their understanding of consent is of paramount importance. Extensive literature is missing on empirical studies examining the topic from the users’ perception perspective. For that reason, we conduct an empirical investigation with mobile users and we present the findings in the form of a process theory. Our process theory reveals how users’ valid informed consent for location tracking can be obtained, starting from enhancing reading the privacy policy to stimulating privacy awareness and enabling informed consent. The paper includes a discussion section in which we describe the implications of the process theory for the different stakeholders and we offer recommendations deriving from the empirical findings. Our contribution is addressed to software and mobile application developers and providers, technology regulation researchers and policy makers, as well as security and privacy researchers.
C. Kolias, G. Kambourakis, A. Stavrou, J. Voas, DDoS in the IoT: Mirai and Other Botnets, IEEE Computer, Vol. 50, No. 7, pp. 80-84, 2017, IEEE Press, https://www.computer.org/csdl/mags/..., indexed in SCI-E
The Mirai botnet and its variants and imitators are a wake-up call to the industry to better secure Internet of Things (IoT) devices or risk exposing the Internet infrastructure to increasingly disruptive distributed denial-of-service (DDoS) attacks.
S. A. Menesidou, V. Katos, G. Kambourakis, Cryptographic Key Management in Delay Tolerant Networks: A Survey, Future Internet, Vol. 9, No. 3, pp. 1-21, 2017, MDPI, http://www.mdpi.com/1999-5903/9/3/2...
Since their appearance at the dawn of the second millennium, Delay or Disruption Tolerant Networks (DTNs) have gradually evolved, spurring the development of a variety of methods and protocols for making them more secure and resilient. In this context, perhaps, the most challenging problem to deal with is that of cryptographic key management. To the best of our knowledge, the work at hand is the first to survey the relevant literature and classify the various so far proposed key management approaches in such a restricted and harsh environment. Towards this goal, we have grouped the surveyed key management methods into three major categories depending on whether the particular method copes with a) security initialization, b) key establishment, and c) key revocation. We have attempted to provide a concise but fairly complete evaluation of the proposed up-to-date methods in a generalized way with the aim of offering a central reference point for future research.
A. Fakis, G. Karopoulos, G. Kambourakis, OnionSIP: Preserving privacy in SIP with Onion Routing, The Journal of Universal Computer Science (J.UCS), Vol. 23, No. 10, pp. 969-991, 2017, Verlag der Technischen Universität Graz, http://www.jucs.org/jucs_23_10/onio..., indexed in SCI-E, IF = 0.696
While more and more users turn to IP-based communication technologies, privacy and anonymity remain largely open issues. One of the most prominent VoIP protocols for multimedia session management is SIP which, despite its popularity, suffers from security and privacy flaws. As SIP messages are sent in plain text, user data are exposed to intermediate proxies and eavesdroppers. As a result, information about users participating in a call can leak from header data, which cannot be omitted since they are needed for the correct routing of SIP messages to their final destination. Even more, traffic analysis attacks can be mounted with data stemming from lower layers. To redress this kind of problems, privacy can be achieved either by the construction of a lower level tunnel (via the use of SSL or IPsec protocols) or by employing a custom-tailored solution. However, SSL and IPsec are known for leading to undesirable, non affordable delays, and thus the need for a SIP-oriented solution is preferable. In the context of this article, we evaluate three alternative solutions to encounter the above issues. More specifically, we use two well-known anonymity networks, Tor and I2P, for secluding both caller's and callee's actions by securing SIP messages content. As a third solution, we present our proposal for preserving privacy in SIP signaling, by using an onion-routing approach, where selected sensitive fields of SIP messages are encrypted using either asymmetric or symmetric encryption. We compare these three alternatives in terms of performance, mentioning the pros and cons that come up with each proposal. Our work also presents the reasons why other existing anonymity networks fail to be considered as appropriate for preserving anonymity in SIP.
S. Kokolakis, Privacy attitudes and privacy behavior: A review of current research on the privacy paradox phenomenon, Computers & Security, Vol. 64, pp. 122-134, 2017, Elsevier, (to_appear), , indexed in SCI-E, IF = 1.640
M. Kandias, L. Mitrou, V. Stavrou, D. Gritzalis, Profiling Online Social Networks Users: An Omniopticon Tool, International Journal of Social Networks Mining, Vol. 2, No. 4, 2017,
C. Kolias, V. Kolias, G. Kambourakis, TermID: A Distributed Swarm Intelligence Based Approach for Wireless Intrusion Detection, International Journal of Information Security, Vol. 16, No. 4, pp. 401-416, 2017, Springer, https://link.springer.com/article/1..., indexed in SCI-E, IF = TBD before next July
With the mushrooming of wireless access infrastructures, the amount of data generated, transferred and consumed by the users of such networks has taken enormous proportions. This fact further complicates the task of network intrusion detection, especially when advanced Machine Learning (ML) operations are involved in the process. In wireless environments, the monitored data are naturally distributed among the numerous sensor nodes of the system. Therefore, the analysis of data must either happen in a central location after first collecting it from the sensors or locally through collaboration by viewing the problem through a distributed ML perspective. In both cases, concerns are risen regarding the requirements of this demanding task in matters of required network resources and achieved security/privacy. This paper proposes TermID, a distributed network intrusion detection system that is well-suited for wireless networks. The system is based on classification rule induction and Swarm Intelligence principles to achieve efficient model training for intrusion detection purposes, without exchanging sensitive data. An additional achievement is that the produced model is easily readable by humans. While these are the main design principles of our approach the accuracy of the produced model is not compromised by the distribution of the tasks and remains at competitive levels. Both the aforementioned claims are verified by the results of detailed experiments withheld with the use of a publicly available security-focused wireless dataset.
G. Stergiopoulos, P. Kotzanikolaou, M. Theoharidou, G. Lykou, D. Gritzalis, Time-based critical infrastructure dependency analysis for large-scale and cross-sectoral failures, International Journal of Critical Infrastructure Protection, Vol. 12, 2016, Elsevier,
S. Arvanitis, E. Loukis, V. Diamantopoulou, Are ICT, Workplace Organization and Human Capital Relevant for Innovation? A Comparative Study Based on Swiss and Greek Micro Data, International Journal of the Economics of Business, Vol. 23, No. 3, pp. 319-349, 2016, Taylor & Francis
This paper investigates and compares the relationships for Swiss and Greek firms between indicators for the intensity of use of modern information and communications technologies (ICT), several forms of workplace organization, and human capital, on the one hand, and several measures of innovation performance at firm level, on the other hand. For the Swiss firms, we find that ICT contribute to innovation activities (a) as enablers of process innovation (but not of product innovation) and (b) as means for increasing the efficiency of the R&D process. The organizational variables for “work design” and “employee voice” show significant positive correlations for most innovation indicators. Human capital matters primarily for R&D activities. The findings for the Greek firms indicate positive correlations of ICT with product and process innovation and of new “work design” with product innovation and R&D. No correlation of human capital with innovation could be found. No complementarities for the three factors with respect to innovation performance could be detected in either country.
Tasidou Aimilia, Efraimidis , I. Soupionis, L. Mitrou, V. Katos, 4. Tasidou, A., Privacy-preserving, user-centric VoIP CAPTCHA challenges: An integrated solution in the SIP environment., 24(1), 2-19., Information & Computer Security, Vol. 24, No. 1, pp. 18, 2016,
G. Kambourakis, D. Damopoulos, D. Papamartzivanos, M. Pavlidakis, Introducing Touchstroke: Keystroke-based Authentication System for Smartphones, Security and Communication Networks, Vol. 9, No. 6, pp. 542-554, 2016, Wiley, http://onlinelibrary.wiley.com/doi/..., indexed in SCI-E, IF = 1.067
Keystroke dynamics is a well-investigated behavioral biometric based on the way and rhythm in which someone interacts with a keyboard or keypad when typing characters. This paper explores the potential of this modality but for touchscreen- equipped smartphones. The main research question posed is whether “touchstroking” can be effective in building the biometric profile of a user, in terms of typing pattern, for future authentication. To reach this goal, we implemented a touchstroke system in the Android platform and executed different scenarios under disparate methodologies to estimate its effectiveness in authenticating the end-user. Apart from typical classification features used in legacy keystroke systems, we introduce two novel ones, namely, speed and distance. From the experiments, it can be argued that touchstroke dynamics can be quite competitive, at least, when compared to similar results obtained from keystroke evaluation studies. As far as we are aware of, this is the first time this newly arisen behavioral trait is put into focus.
C. Kolias, G. Kambourakis, A. Stavrou, S. Gritzalis, Intrusion Detection in 802.11 Networks: Empirical Evaluation of Threats and a Public Dataset, IEEE Communications Surveys and Tutorials, Vol. 18, No. 1, pp. 184-208, 2016, IEEE Press, http://www.comsoc.org/cst, indexed in SCI-E, IF = 17.188
WiFi has become the de facto wireless technology for achieving short to medium-range device connectivity. While early attempts to secure this technology have been proved inadequate in several respects, the current, more robust, security amendments will inevitably get outperformed in the future too. In any case, several security vulnerabilities have been spotted in virtually any version of the protocol rendering the integration of external protection mechanisms a necessity. In this context, the contribution of this paper is multi-fold. First, it gathers, categorizes, thoroughly evaluates the most popular attacks on 802.11, and analyzes their signatures. Second, it offers a publicly available dataset containing a rich blend of normal and attack traffic against 802.11 networks. A quite extensive first-hand evaluation of this dataset using several machine learning algorithms and data features is also provided. Given that to the best of our knowledge the literature lacks such a rich and well-tailored dataset, it is anticipated that the results of the work at hand will offer a solid basis for intrusion detection in the current as well as, next generation wireless networks.
M. Anagnostopoulos, G. Kambourakis, S. Gritzalis, New facets of Mobile Botnet: Architecture and Evaluation, International Journal of Information Security, Vol. 15, No. 5, pp. 455-473, 2016, Springer, http://link.springer.com/journal/10..., indexed in SCI-E, IF = 1.915
It is without a doubt that botnets pose a growing threat to the Internet, with DDoS attacks of any kind carried out by botnets to be on the rise. Nowadays, botmasters rely on advanced Command & Control (C&C) infrastructures to achieve their goals and most importantly to remain undetected. This work introduces two novel botnet architectures that consist only of mobile devices and evaluates both their impact in terms of DNS amplification and TCP flooding attacks, and their cost pertaining to the maintenance of the C&C channel. The first one, puts forward the idea of using a continually-changing mobile HTTP proxy in front of the botherder, while the other capitalizes on DNS protocol as a covert channel for coordinating the botnet. That is, for the latter, the messages exchanged among the bots and the herder appear as legitimate DNS transactions. Also, a third architecture is described and assessed, which is basically an optimized variation of the first one. Namely, it utilizes a mixed layout where all the attacking bots are mobile, but the proxy machines are typical PCs not involved in the actual attack. For the DNS amplification attack, which is by nature more powerful, we report an amplification factor that fluctuates between 32.7 and 34.1. Also, regarding the imposed C&C cost, we assert that it is minimal (about 0.25 Mbps) per bot in the worst case happening momentarily when the bot learns about the parameters of the attack.
F. Giannakas, G. Kambourakis, A. Papasalouros, S. Gritzalis, Security education and awareness for K-6 going mobile, International Journal of Interactive Mobile Technologies, Vol. 10, No. 2, pp. 41-48, 2016, International Association of Online Engineering, http://www.i-jim.org
Nowadays, due to the widespread participation of elementary school children in cyberspace activities, basic cybersecurity education and awareness is deemed necessary. Within this context, knowledge acquisition in this timely and important field has greater chances to be more fruitful when the learner is properly motivated. Also, it is anticipated to be more joyful when knowledge is acquired in the form of a digital game-based activity. The paper at hand discusses the development of a novel mobile app called CyberAware, destined to cybersecurity education and awareness. At present, the game is designed for K-6 children in order to support either or both formal or informal learning. Additionally, due to its mobile characteristics, the game can be experienced as an outdoor or classroom activity. Finally, opposite to similar studies found in the literature so far, our attention is not solely drawn to game’s technological aspects but equally to the educational factor. This is achieved through the consideration and use of the ARCS motivational model already from the game's design phase.
S. Vidros, C. Kolias, G. Kambourakis, Online Recruitment services; yet another playground for fraudsters?, Computer Fraud & Security, Vol. 2016, No. 3, pp. 8-13, 2016, Elsevier, http://www.sciencedirect.com/scienc...
Corporate hiring has recently been ported to the cloud, mainly through the use of Applicant Tracking Systems (ATS). However, the online exposure fueled a new type of online scam, namely Employment Scam, that jeopardizes job seekers privacy and harms the reputation of organizations. Employment Scam remains largely unexplored until now. It shares common characteristics with relevant fraud detection problems such as email spam and phishing but its own peculiarities can intrigue researchers to delve deeper into the field. To this direction, this article also presents a preliminary empirical analysis of real-life fraudulent job ads.
Pipyros K., L. Mitrou, D. Gritzalis, Apostolopoulos T., Cyberoperations and international humanitarian law: A review of obstacles in applying international law rules in cyber warfare, Information & Computer Security, Vol. 24, No. 1, pp. 38-52, 2016,
G. Stergiopoulos, P. Kotzanikolaou, M. Theoharidou, D. Gritzalis, Risk mitigation strategies for critical infrastructures based on graph centrality analysis, International Journal of Critical Infrastructure Protection, Vol. 10, 2015, Elsevier,
Z. Tsiatsikas, D. Geneiatakis, G. Kambourakis, A. Keromytis, An efficient and easily deployable method for dealing with DoS in SIP services, Computer Communications, Vol. 57, pp. 50-63, 2015, Elsevier, http://www.journals.elsevier.com/co..., indexed in SCI-E, IF = 2.099
Voice over IP (VoIP) architecture and services consist of different software and hardware components that may be susceptible to a plethora of attacks. Among them, Denial of Service (DoS) is perhaps the most powerful one, as it aims to drain the underlying resources of a service and make it inaccessible to the legitimate users. So far, various detection and prevention schemes have been deployed to detect, deter and eliminate DoS occurrences. However, none of them seems to be complete in assessing in both realtime and offline modes if a system remains free of such types of attacks. To this end, in the context of this paper, we assert that audit trails in VoIP can be a rich source of information toward flushing out DoS incidents and evaluating the security level of a given system. Specifically, we introduce a privacy-friendly service to assess whether or not a SIP service provider suffers a DoS by examining either the recorded audit trails (in a forensic-like manner) or the realtime traffic. Our solution relies solely on the already received network logistic files, making it simple, easy to deploy, and fully compatible with existing SIP installations. It also allows for the exchange of log files between different providers for cross-analysis or its submission to a single analysis center (as an outsourced service) in an opt-in basis. Through extensive evaluation involving both offline and online executions and a variety of DoS scenarios, it is argued that our detection scheme is efficient enough, while its realtime operation introduces negligible overhead.
N. Nomikos, A. Nieto, P. Makris, D. N. Skoutas, D. Vouyioukas, P. Rizomiliotis, J. Lopez, C. Skianis, Relay selection for secure 5G green communications, Telecommunication Systems, Vol. 59, pp. 169-187, 2015, Springer, http://rdcu.be/nMNV, indexed in SCI-E, IF = 1.707
L. Ntalkos, G. Kambourakis, D. Damopoulos, Let, Telematics and Informatics, Vol. 32, No. 4, pp. 539-563, 2015, Elsevier, http://www.journals.elsevier.com/te..., indexed in SCI-E, IF = 2.261
Modern mobile devices are nowadays powerful enough and can be used toward defining a new channel of communication with potential consumers. This channel is commonly known as mobile marketing and there is already a number of mobile marketing apps, whose aim is to increase the sales of some product or service. In this context, the Let's Meet! framework presented in this paper is essentially a mobile marketing app. The app groups two or more persons, who basically do not know each other, having as sole criterion their common interest in an offer about a product or a service. Its main objective is to bring them together, so that they can purchase and enjoy an offer, which otherwise could not afford. One of the highlights of our proposal is that all sensitive user data are transmitted in a secure manner, and thus confidentiality is preserved. Users' privacy is also given great consideration. This means for example that the exact geographic locations of the users are never shared with others. For user authentication, Let's Meet! supports both a complete anonymous mode and OAuth 2.0. The framework's main objective, which is to bring the users together, is guaranteed by means of a one-time coupon, generated by the OCRA algorithm, while the final face-to-face user group meeting is achieved through Wi-Fi Direct technology. Moreover, the app implements a smart queueing system for increasing its efficiency. Every possible effort is made to maximize both the number of products being sold and the number of users that eventually enjoy an offer. Finally, a user rating system has been adopted, which rewards any user attitude that helps towards improving the framework's competence. The above qualities make Let's Meet! a novel proposal when considering similar works in the literature so far.
A. Tsohou, M. Karyda, S. Kokolakis, Analyzing the role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs, Computers & Security, Vol. 52, pp. 128–141, 2015, Elsevier, https://www.researchgate.net/public..., indexed in SCI-E, IF = 1.17
Standards and best practices for information security awareness programs focus on the content and processes of the programs, without taking into consideration how individuals internalize security-related information and how individuals make security related decisions. Relevant literature, however has identified that individual perceptions, beliefs, and biases significantly influence security policy compliance behaviour. Security awareness programs need, therefore, to be aligned with the factors affecting the internalization of the communicated security objectives. Τhis paper explores the role of cognitive and cultural biases in shaping information security perceptions and behaviors. We draw upon related literature from contiguous disciplines (namely behavioral economics and health and safety research) to develop a conceptual framework and analyze the role of cognitive and cultural biases in information security behaviour. We discuss the implications of biases for security awareness programs and provide a set of recommendations for planning and implementing awareness programs, and for designing the related material. This paper opens new avenues for information security awareness research with regard to security decision making and proposes practical recommendations for planning and delivering security awareness programs, so as to exploit and alleviate the effect of cognitive and cultural biases on shaping risk perceptions and security behaviour. Analyzing the role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs. Available from: https://www.researchgate.net/publication/275898027_Analyzing_the_role_of_Cognitive_and_Cultural_Biases_in_the_Internalization_of_Information_Security_Policies_Recommendations_for_Information_Security_Awareness_Programs [accessed May 13, 2015].
Tsavli M., Efraimidis , V. Katos, L. Mitrou, Reengineering the user: privacy concerns about personal data on smartphones, Information and Computer Security, Vol. 23, No. 4, pp. 394-405, 2015, Emerald,
P. Drogkaris, S. Gritzalis, C. Kalloniatis, C. Lambrinoudakis, A Hierarchical Multitier Approach for Privacy Policies in e-Government Environments, Future Internet , Vol. 7, No. 4, pp. 500-515, 2015, MDPI, http://www.mdpi.com/1999-5903/7/4/5...
The appeal of e-Government users to retain control over their personal information, while making use of advanced governmental electronic services through interconnected and interoperable deployments, can be assisted by the incorporation of Privacy Policy and Preferences documents. This paper addresses the formulation of coherent and accurate Privacy Policies while preserving compliance with underlying legal and regulatory framework. Through the exploitation of existing governmental hierarchies, a multitier approach is proposed able to support diverge data needs and processing requests imposed by Service Providers. The incorporation of this approach into e-Government environments will reduce the administrative workload, imposed by the inclusion of Privacy Policy documents, promote the implementation and provision of user-centric and data privacy aware electronic services.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Managing the Introduction of Information Security Awareness Programs in Organisations, European Journal of Information Systems, Vol. 24, No. 1, pp. 38-58, 2015, Palgrave , https://www.researchgate.net/public..., indexed in SCI-E, IF = 2.213
Several studies explore information security awareness focusing on individual and/ or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.
L. Mitrou, Data Protection and cloud computing, DIMEE, No. 4, pp. 534-550, 2015,
A. Tsohou, H. Lee, Z. Irani, Innovative Public Governance Through Cloud Computing: Information Privacy, Business Models and Performance Measurement Challenges, Transforming Government: People, Process and Policy, Vol. 8, No. 2, pp. 251-282, 2014, Emerald
Purpose: Innovative technologies, such as federation of services and cloud computing, can greatly contribute to the provision of e-government services, through scalable and flexible systems. Furthermore, they can facilitate in reducing costs and overcoming public information segmentation. Nonetheless, when public agencies employ those technologies they encounter several associated organizational and technical changes, as well as significant challenges. The purpose of this paper is to identify and analyse such challenges and discuss proposed solutions. Design/methodology/approach: We followed a multi-disciplinary perspective (social, behavioural, business and technical) and conducted a conceptual analysis for the analyzing the associated challenges. We realized focus groups interviews in two countries for evaluating the performance models that resulted from the conceptual analysis. Findings: This study identifies and analyses several challenges that may emerge while adopting innovative technologies for public governance and e-government services. Furthermore, it presents suggested solutions deriving from the experience of designing a related platform for public governance including solutions for privacy requirements, proposed business models and KPIs for public services on cloud computing. Research limitations: The challenges and solutions discussed are based on the experience gained by designing one platform. However, we rely on issues and challenges collected from four countries. Practical implications: The identification of challenges for innovative design of e-government services through a central portal in Europe and using service federation is expected to inform practitioners in different roles about significant changes across multiple levels that are implied and may accelerate the challenges’ resolution. Originality/value: This is the first study that discusses from multiple perspectives and through empirical investigation the challenges to realise public governance through innovative technologies. The results emerge from an actual portal that will function at a European level.
G. Kambourakis, Anonymity and closely related terms in the Cyberspace: An analysis by example, Journal of Information Security and Applications, Vol. 19, No. 1, pp. 2-17, 2014, Elsevier, http://www.sciencedirect.com/scienc...
Anonymity is generally conceived to be an integral part of user's right to privacy. Without anonymity, many online activities would become prone to eavesdropping, making them potentially risky to use. This work highlights on the different aspects closely related to anonymity and argues that it is rather a multifaceted and contextual concept. To support this argumentation, the paper examines as a dual case study the ways anonymity is conceptualised in the case of two well-established but dissimilar protocols employed in the cyberspace on a wide-scale; that is, SIP and Kerberos ones. By surveying the research done for preserving anonymity (and privacy in general) in the context of the aforementioned protocols several useful observations emerge. Our aim is to contribute towards acquiring a comprehensive view of this particular research area, mainly by examining how anonymity is put to work in practice. As a result, the work at hand can also be used as a reference for anyone interested in grasping the diverse facets of this constantly developing research field.
E. Rekleitis, P. Rizomiliotis, S. Gritzalis, How to Protect Security and Privacy in the Internet of Things: A Policy-based RFID tag management protocol, Security and Communication Networks, Vol. 7, No. 12, pp. 2669-2683, 2014, Wiley, http://onlinelibrary.wiley.com/doi/..., indexed in SCI-E, IF = 0.72
Radio-frequency identification (RFID) technology constitutes an important part of what has become known as the Internet of Things (IoT) that is accessible and interconnected machines and everyday objects that form a dynamic and complex environment. To secure the IoT in a cost-efficient manner, we need to build security and privacy into the design of its components. Moreover, mechanisms should be constructed that will allow both individuals and organizations to actively manage their “things” and information in a highly flux environment. The contributions of this paper are twofold: We first discuss the use of security and privacy policies that can offer fine granularity and context-aware information control in RFID systems. Second, we propose a novel secure and privacy-preserving tag management protocol that can support such policies. Our protocol has a modular design that allows it to support a set of desirable management operations (viz. tag authentication, delegation, and ownership transfer) while imposing minimal hardware and computational requirements on the tag side. Furthermore, inspired by the European Network and Information Security Agency's Flying 2.0 study, we describe a near-future air travel scenario to further explain and demonstrate the inner workings of our proposal.
N. Marangos, P. Rizomiliotis, L. Mitrou, Time Synchronization: Pivotal Element in Cloud Forensics, Security and Communication Networks , 2014, Wiley, http://onlinelibrary.wiley.com/doi/..., IF = 0.72
K. Vemou, M. Karyda, Guidelines and tools for incorporating privacy in Social Networking Platforms, IADIS International Journal on WWW/Internet, Vol. 12, No. 2, pp. 16-33, 2014, http://www.iadisportal.org/ijwi/
Built-in privacy is important for promoting users’ privacy and trust in Social Networking Services (SNS). Up to now, privacy research has its focus on the development and employment of Privacy Enhancing Technologies as add-on applications and on investigating users’ privacy preferences. This paper draws on the principles of privacy-by-design and extends previous literature by identifying privacy requirements for the development of privacy-friendly SNS platforms. The paper also evaluates currently embedded privacy practices in four popular SNS platforms (Facebook, Google+, Twitter and Pinterest) to assess the level of built-in privacy and proposes a list of guidelines and tools SNS platform designers can employ.
D. Kasiaras, T. Zafeiropoulos, N. Clarke, G. Kambourakis, Android Forensic Data Analyzer (AFDA): An Opensource Tool to Automatize Event Correlation Analysis on Android Devices, International Journal for Information Security Research (IJISR), Vol. 4, No. 1-4, pp. 501-509, 2014, Infonomics Society, http://www.infonomics-society.org/I...
Forensic analysis on mobile devices in general and smartphones in particular is on the rise. Naturally, this is because these devices are more than ever used by criminals of all kinds to perform a variety of offensive actions. The mushrooming of mobile services and the way people use their smartphones in their daily activities results in a plethora of valuable and private data stored in the device, which of course can be extremely helpful towards resolving a criminal case. The automatic or semi-automatic correlation of end-user events as recorded in the mobile device can be of great value to the investigator in their struggle to resolve a case. Unfortunately, existing forensic tools targeted to Android lack of such a functionality. To fill this gap, we propose AUDA, a tool that is able to gather end-user’s data stored in critical system areas and then inter-correlate them in terms of a time series of events. We argue that this type of analysis not only saves time and effort from an investigator's viewpoint but also can reveal hidden information related to a case in a roundabout way.
L. Spiliotopoulou, Y. Charalabidis, E. Loukis, V. Diamantopoulou, A framework for advanced social media exploitation in government for crowdsourcing, Transforming Government: People, Process and Policy, Vol. 8, No. 4, pp. 545-568, 2014, Emerald
Purpose – This paper aims to develop and evaluate, in “real-life” pilot applications, a framework for advanced social media exploitation by government agencies in their policy-making processes to promote public participation and conduct crowdsourcing. Design/methodology/approach – This framework has been developed through cooperation with public sector employees experienced in public policy-making, using both qualitative and quantitative techniques: semi-structured focus group discussions, scenarios development and questionnaire surveys. The evaluation of the framework has been conducted through semi-structured focus group discussions with public sector employees involved in the pilot applications. Findings – A framework has been developed for advanced social media exploitation by government agencies, which is based on the automated posting of policy-related content to multiple social media, and then retrieval and processing of citizens’ interactions with it (e.g. views, likes, comments and retweets), using the application programming interfaces (API) of these social media. Furthermore, a supporting information and communication technologies (ICT) infrastructure and an application process model for it were developed. Its evaluation, based on “real-life” pilot applications, leads to useful insights concerning its capabilities, strengths and weaknesses. Research limitations/implications – The proposed framework has been evaluated in a small number of pilot applications, so further evaluation of it is required, in various types of government agencies and for different kinds of policy consultations. Practical/Implications – The above framework enables government agencies to communicate with wider and more heterogeneous audiences in a short time and at a low cost, increase public participation in their policy-making processes, collect useful knowledge, ideas and opinions from citizens and, finally, design better, more socially rooted, balanced and realistic policies. Originality/value – This research contributes to the development of knowledge concerning advanced practices for effective social media exploitation in government (which is currently limited, despite the considerable relevant knowledge developed in this area for the private sector), by developing and evaluating a framework for advanced and highly automated exploitation of multiple social media by government agencies. Furthermore, an evaluation methodology for such practices has been developed, which is based on sound theoretical foundations.
D. Damopoulos, G. Kambourakis, S. Gritzalis, S. O. Park, Exposing mobile malware from the inside (or what is your mobile app really doing?), Peer-to-Peer Networking and Applications, Vol. 7, No. 4, pp. 687-697, 2014, Springer, http://link.springer.com/content/pd..., indexed in SCI-E, IF = 0.632
It is without a doubt that malware especially designed for modern mobile platforms is rapidly becoming a serious threat. The problem is further multiplexed by the growing convergence of wired, wireless and cellular networks, since virus writers can now develop sophisticated malicious software that is able to migrate across network domains. This is done in an effort to exploit vulnerabilities and services specific to each network. So far, research in dealing with this risk has concentrated on the Android platform and mainly considered static solutions rather than dynamic ones. Compelled by this fact, in this paper, we contribute a fully-fledged tool able to dynamically analyze any iOS software in terms of method invocation (i.e., which API methods the application invokes and under what order), and produce exploitable results that can be used to manually or automatically trace software’s behavior to decide if it contains malicious code or not. By employing real life malware we assessed our tool both manually, as well as, via heuristic techniques and the results we obtained seem highly accurate in detecting malicious code.
Psaroudakis I., Saragiotis, V. Katos, L. Mitrou, A method for forensic artifact collection, analysis and incident response in environments running Session Initiation Protocol (SIP) and Session Description Protocol (SDP), International Journal of Electronic Security and Digital Forensics, Vol. 4, No. 6, pp. 241-267, 2014,
S. Arvanitis, E. Loukis, V. Diamantopoulou, The Effect of Soft ICT Capital on Innovation Performance of Greek Firms, Journal of Enterprise Information Management, Vol. 26, No. 6, pp. 679-701, 2013, Emerald, indexed in SCI-E, IF = 2.126
Purpose – The purpose of this paper is to investigate the effects of four types of “soft” information and communication technologies (ICT) capital related to ICT knowledge and skills (ICT personnel, ICT training of ICT personnel and users, ICT unit) on the innovation performance of Greek firms. Furthermore, the paper compares these effects with the ones of the hard ICT capital and also of four important “traditional” innovation determinants identified from previous research in this area (demand expectation, price and non-price competition, market concentration). Design/methodology/approach – A quantitative methodology has been adopted for investigating the above effects, based on the estimation of regression models. Using data collected through a survey based on a structured questionnaire from 271 Greek firms, innovation models have been estimated, having as independent variables measures of hard ICT capital, the examined four types of soft ICT capital and also the above traditional innovation determinants. Findings – The paper has been concluded that in the innovation averse Greek national context the examined traditional innovation determinants have very low impact on firms’ innovation performance, however, on the contrary both hard ICT capital, and three out of the four examined types of soft ICT capital (ICT personnel, ICT training of ICT personnel and users) have positive impact on both process and product/services innovation. Furthermore, it has been found that the total effect of these three knowledge and skills related types of soft ICT capital on innovation performance is stronger than the effect of the hard ICT capital. Research limitations/implications – The main limitations of the paper are that it uses simple innovation performance measures (not distinguishing between different types of innovations), and also is based on firm-level data collected from a single country. The paper has interesting implications for future research on the impact of the relation between ICT and innovation, which should not any more neglect the soft ICT capital, but consider various types of both hard and soft ICT capital. Practical implications – The results of the paper can be useful to firms’ chief information officers and chief executive officers and also to consultants and practitioners interested in maximizing the exploitation of the innovation potential of ICT, in order to understand the hard and soft aspects of ICT that have to be developed for this purpose and optimize firms’ ICTrelated investment. Originality/value – The limited previous empirical literature concerning the effect of ICT on innovation focus on the hard ICT capital (mainly on ICT equipment) and neglect the role of the soft ICT capital. The paper contributes to fill this research gap, by examining the effects of three types of ICT capital, and also – for comparison and regression models’ completeness purposes – of hard ICT capital and of four traditional innovation determinants, on firms’ innovation performance.
S. Arvanitis, E. Loukis, V. Diamantopoulou, New Technologies and Traditional Innovation Determinants in the Greek Economy, Journal of Balkan and Near Eastern Studies, Vol. 15, No. 4, pp. 434–458, 2013, Taylor & Francis, Routledge, indexed in SCI-E, IF = 0.616
It is widely recognized that the recent economic crisis in Greece is due not only to excessive government spending and tax evasion, but also to the low competitiveness of its economy. Innovation has become of critical importance for the competitiveness of firms, sectors and countries in the modern economy. This paper presents an empirical study of the ‘new’ innovation determinants based on information and communication technologies (ICT) and also of the ‘traditional’ innovation determinants in the Greek economy. In particular, it investigates the impact of three different ICT (internal information systems (IS), e-sales and e-procurements) and also of six important traditional innovation determinants identified by previous relevant research (four ‘external’ ones—demand expectation, price and non-price competition, market concentration—and two ‘internal’ ones—investment in research and development (R&D) and firm size), on the innovation performance of Greek firms. It is based on firm-level data collected through a survey of 271 Greek firms before the start of the economic crisis, which have been used for the estimation of regression models. It is concluded that in the Greek ‘innovation-averse’ national context (characterized by low level of innovation and uncertainty avoidance culture) none of the examined external (market-related) traditional innovation determinants has an impact on product or process innovation of firms, while on the contrary the internal ones, R&Dexpenditure per employee and size, affect positively both. Furthermore, the examined new technologies seem to be important drivers of innovation: it is concluded that the internal IS have a positive impact on both product and process innovation, the e-sales only on process innovation, but the e-procurement on none. Our results indicate the high potential of ICTas innovation drivers even in such innovation-averse and lower economic development contexts, which, however, vary between different types of ICT.
P. Drogkaris, S. Gritzalis, C. Lambrinoudakis, Employing Privacy Policies and Preferences in Modern e-Government Environments, International Journal of Electronic Governance, Vol. 6, No. 2, pp. 101-116, 2013, Inderscience, http://inderscience.metapress.com/c...
The evolvement of e-Government has raised users’ concerns on personal data disclosure and privacy threats as more and more information is released to various governmental service providers. This paper addresses the consideration of users who would wish to retain control over their personal information while using advanced governmental electronic services. Additionally, it proposes a simple, yet effective, architecture which promotes the employment of Privacy Policies and Preferences in modern e-Government environments. The aim is to simplify the provision of electronic services while preserving users’ personal data and information privacy.
A. Mylonas, V. Meletiadis, L. Mitrou, D. Gritzalis, Smartphone sensor data as digital evidence, Computers & Security (Special Issue: Cybercrime in the Digital Economy), Vol. 38, pp. 51-75, 2013,
L. Mitrou, Privacy by Design (in Greek), Media and Communication Law, Vol. 37 , pp. 14-25, 2013,
P. Belsis, C. Skourlas, S. Gritzalis, A Wireless System for Secure Electronic Healthcare Records Management, International Journal of Advanced Pervasive and Ubiquitous Computing, Vol. 5, No. 4, pp. 16-32, 2013, IGI Global, http://www.igi-global.com/journal/i...
Recent advances in wireless computing and in the hardware of wireless devices has opened new directions in many domains; for example in the medical domain the medical personnel in hospitals is able to use wireless devices to gain ubiquitous access to medical related information. However the sensitivity of medical related data poses many challenges in the effort to securely manage these data. In this paper we present an agent based architecture for efficient management of medical data. We present the security choices and also provide experimental details about the flexibility of our approach.
C. Kolias, G. Kambourakis, S. Gritzalis, Attacks and Countermeasures on 802.16: Analysis and Assessment, IEEE Communications Surveys & Tutorials, Vol. 15, No. 1, pp. 487-514, 2013, IEEE Press, http://ieeexplore.ieee.org/xpl/logi..., indexed in SCI-E, IF = 6.490
The IEEE 802.16 technology, commonly referred to as WiMAX, gains momentum as an option for broadband wireless communication access. So far, several research works focus on the security of the 802.16 family of standards. In this context, the contribution of this paper is twofold. First, it provides a comprehensive taxonomy of attacks and countermeasures on 802.16. Each attack is classified based on several factors, e.g. its type, likelihood of occurrence, impact upon the system etc. and its potential is reviewed with reference to the standard. Possible countermeasures and remedies proposed for each category of attacks are also discussed to assess their effectiveness. Second, a full-scale assessment study of indicative attacks that belong to broader attack classes is conducted in an effort to better comprehend their impact on the 802.16 realm. As far as we are aware of, this is the first time an exhaustive and detailed survey of this kind is attempted.
D. Damopoulos, G. Kambourakis, M. Anagnostopoulos, S. Gritzalis, J. H. Park, User privacy and modern mobile services: Are they on the same path?, Personal and Ubiquitous Computing, Vol. 17, No. 7, pp. 1437-1448, 2013, Springer, http://link.springer.com/content/pd..., indexed in SCI-E, IF = 1.616
Perhaps, the most important parameter for any mobile application or service is the way it is delivered and experienced by the end-users, who usually, in due course, decide to keep it on their software portfolio or not. Most would agree that security and privacy have both a crucial role to play toward this goal. In this context, the current paper revolves around a key question: Do modern mobile applications respect the privacy of the end-user? The focus is on the iPhone platform security and especially on user’s data privacy. By the implementation of a DNS poisoning malware and two real attack scenarios on the popular Siri and Tethering services, we demonstrate that the privacy of the end-user is at stake.
D. Damopoulos, G. Kambourakis, S. Gritzalis, From Keyloggers to Touchloggers: Take the Rough with the Smooth, Computers & Security, Vol. 32, pp. 102-114, 2013, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.172
The proliferation of touchscreen devices brings along several interesting research challenges. One of them is whether touchstroke-based analysis (similar to keylogging) can be a reliable means of profiling the user of a mobile device. Of course, in such a setting, the coin has two sides. First, one can employ the output produced by such a system to feed machine learning classifiers and later on intrusion detection engines. Second, aggressors can install touchloggers to harvest user's private data. This malicious option has been also extensively exploited in the past by legacy keyloggers under various settings, but has been scarcely assessed for soft keyboards. Compelled by these separate but interdependent aspects, we implement the first-known native and fully operational touchlogger for ultramodern smartphones and especially for those employing the proprietary iOS platform. The results we obtained for the first objective are very promising showing an accuracy in identifying misuses, and thus post-authenticating the user, in an amount that exceeds 99%. The virulent personality of such software when used maliciously is also demonstrated through real-use cases.
P. Rizomiliotis, S. Gritzalis, On the security of AUTH, an authentication protocol based on the subspace LPN problem, International Journal of Information Security, Vol. 12, No. 2, pp. 151-154, 2013, Springer, http://link.springer.com/article/10..., indexed in SCI-E, IF = 0.941
At the 2011 Eurocrypt, Kiltz et al., in their best paper price awarded paper, proposed an ultra-lightweight authentication protocol, called AUTH . While the new protocol is supported by a delicate security proof based on the conjectured hardness of the learning parity with noise problem, this security proof does not include man-in-the-middle attacks. In this paper, we show that AUTH is weak against MIM adversaries by introducing a very efficient key recovery MIM attack that has only linear complexity with respect to the length of the secret key.
A. Tsohou, Lee H., Z. Irani, V. Weerakkody , I. Osman, A Anouze, Proposing a Reference Process Model for the Citizen-Centric Evaluation of E-Government Services, Transforming Government: People, Process and Policy, Vol. 7, No. 2, pp. 240-255, 2013, Emerald,
F. Pereniguez, R. Marin-Lopez, G. Kambourakis, A. Ruiz Martinez, S. Gritzalis, A. F. Gomez, KAMU: Providing Advanced User Privacy in Kerberos Multi-Domain Scenarios, International Journal of Information Security (IJIS), Vol. 12, No. 6, pp. 505-525, 2013, Springer, http://link.springer.com/content/pd..., indexed in SCI-E, IF = 0.941
In Next Generation Networks (NGN), Kerberos is becoming a key component to support authentication and key distribution for Internet application services. However, for this purpose, Kerberos needs to rectify certain deficiencies that it presents and especially that of privacy which allows an eavesdropper to obtain information of the services users are accessing. This paper presents a comprehensive privacy framework that guarantees user anonymity, service access unlinkability and message exchange unlinkability in Kerberos both in single-domain and multi-domain scenarios. This proposal is based on different extensibility mechanisms already defined for Kerberos, which facilitate its adoption in already deployed systems. Furthermore, our proposal has been evaluated in terms of performance and the results demonstrate its lightweight nature.
K. Anastasopoulou, S. Kokolakis, Exploring Citizens’ Intention to Use e-Government Services: The Role of Cultural Bias, International Journal of Electronic Governance, Vol. 6, No. 1, pp. 3-19, 2013, Inderscience, http://www.inderscience.com/info/in...
E-government initiatives often face citizens' mistrust, particularly when they involve the collection and processing of personal data. In this paper, we present the results of an empirical study regarding citizens' intention to use a new service offered by the Greek Ministry of Finance, the so-called 'tax card'. Tax card is used to collect information about everyday purchases and aims to diminish tax avoidance. We have examined the strong influence of cultural bias on the formulation of citizens' intention to use and concluded that different cultural types of people should be addressed in different ways in order to achieve broad adoption of e-government services.
G. Kambourakis, Security and Privacy in m-Learning and Beyond: Challenges and State-of-the-art, International Journal of u- and e- Service, Science and Technology, Vol. 6, No. 3, pp. 67-84, 2013, SERSC, http://www.sersc.org/journals/IJUNE...
Mobile learning is constantly evolving, following the shift of mobile technologies from laptops to handheld devices and smartphones. Indeed, the opportunities for innovation in this area are numerous and constantly under the focus of all the parties involved, ranging from traditional schools and universities to individual learners. However, mobile technology brings along increased threats to system and data security and privacy, given the fact that learners and educators are mobile, and in most cases, permitted to use their own mobile devices to access resources and services. After identifying the challenges, this paper provides a comprehensive review and classification of the state-of-the-art research on security and privacy in the m-learning realm and beyond. As far as we are aware of, this is the first time an exhaustive and detailed survey of this kind is attempted.
M. Anagnostopoulos, G. Kambourakis, P. Kopanos, G. Louloudakis, S. Gritzalis, DNS Amplification Attack Revisited, Computers & Security, Vol. 39, pp. 475-485, 2013, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.172
It is without doubt that the Domain Name System (DNS) is one of the most decisive elements of the Internet infrastructure; even a slight disruption to the normal operation of a DNS server could cause serious impairment to network services and thus hinder access to network resources. Hence, it is straightforward that DNS nameservers are constantly under the threat of distributed Denial of Service (DoS) attacks. This paper presents a new, stealthy from the attacker's viewpoint, flavor of DNSSEC-powered amplification attack that takes advantage of the vast number of DNS forwarders out there. Specifically, for augmenting the amplification factor, the attacker utilizes only those forwarders that support DNSSEC-related resource records and advertize a large DNS size packet. The main benefits of the presented attack scenario as compared to that of the typical amplification attack are: (a) The revocation of the need of the aggressor to control a botnet, and (b) the elimination of virtually all traces that may be used toward disclosing the attacker's actions, true identity and geographical location. The conducted experiments taking into consideration three countries, namely Greece, Ireland and Portugal demonstrate that with a proper but simple planning and a reasonable amount of resources, a determined perpetrator is able to create a large torrent of bulky DNS packets towards its target. In the context of the present study this is translated to a maximum amplification factor of 44.
K. Barbatsalou, D. Damopoulos, G. Kambourakis, V. Katos, A critical review of 7 years of Mobile Device Forensics, Digital Investigation, Vol. 10, No. 4, pp. 323-349, 2013, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.986
Mobile Device Forensics (MF) is an interdisciplinary field consisting of techniques applied to a wide range of computing devices, including smartphones and satellite navigation systems. Over the last few years, a significant amount of research has been conducted, concerning various mobile device platforms, data acquisition schemes, and information extraction methods. This work provides a comprehensive overview of the field, by presenting a detailed assessment of the actions and methodologies taken throughout the last seven years. A multilevel chronological categorization of the most significant studies is given in order to provide a quick but complete way of observing the trends within the field. This categorization chart also serves as an analytic progress report, with regards to the evolution of MF. Moreover, since standardization efforts in this area are still in their infancy, this synopsis of research helps set the foundations for a common framework proposal. Furthermore, because technology related to mobile devices is evolving rapidly, disciplines in the MF ecosystem experience frequent changes. The rigorous and critical review of the state-of-the-art in this paper will serve as a resource to support efficient and effective reference and adaptation.
D. Damopoulos, S. A. Menesidou, G. Kambourakis, M. Papadaki, N. Clarke, S. Gritzalis, Evaluation of Anomaly-Based IDS for Mobile Devices Using Machine Learning Classifiers, Security and Communication Networks, Vol. 5, No. 1, pp. 3-14, 2012, Wiley, http://onlinelibrary.wiley.com/doi/..., indexed in SCI-E, IF = 0.311
Mobile devices have evolved and experienced an immense popularity over the last few years. This growth however has exposed mobile devices to an increasing number of security threats. Despite the variety of peripheral protection mechanisms described in the literature, authentication and access control cannot provide integral protection against intrusions. Thus, a need for more intelligent and sophisticated security controls such as intrusion detection systems (IDSs) is necessary. Whilst much work has been devoted to mobile device IDSs, research on anomaly-based or behaviour-based IDS for such devices has been limited leaving several problems unsolved. Motivated by this fact, in this paper, we focus on anomaly-based IDS for modern mobile devices. A dataset consisting of iPhone users data logs has been created, and various classification and validation methods have been evaluated to assess their effectiveness in detecting misuses. Specifically, the experimental procedure includes and cross-evaluates four machine learning algorithms (i.e. Bayesian networks, radial basis function, K-nearest neighbours and random Forest), which classify the behaviour of the end-user in terms of telephone calls, SMS and Web browsing history. In order to detect illegitimate use of service by a potential malware or a thief, the experimental procedure examines the aforementioned services independently as well as in combination in a multimodal fashion. The results are very promising showing the ability of at least one classifier to detect intrusions with a high true positive rate of 99.8%.
A. Tsakountakis, G. Kambourakis, S. Gritzalis, SIPA: Generic and Secure Accounting for SIP, Security and Communication Networks, Vol. 5, No. 9, pp. 1006-1027, 2012, Wiley, http://onlinelibrary.wiley.com/doi/..., indexed in SCI-E, IF = 0.311
Authentication, authorization, and accounting services provide the framework on top of which a reliable, secure, and robust accounting system can be built. In a previous work of ours, we have presented a flexible and, most importantly, generic accounting scheme for next generation networks. In this paper, we substantially improve our previous work by providing the required Diameter application namely SIP-Accounting (SIPA) that enables the use of our accounting scheme for Session Initiation Protocol (SIP) services. Additionally, in an effort to protect the service providers and the end users against accounting frauds, we implement an add-on mechanism referred to as SIPA+ to combat attacks targeting the core accounting functions and the integrity of the respective accounting messages. Using the implemented SIPA and SIPA+ prototypes, we conducted a complete set of experiments testing several configurations and two distinct scenarios. The results reveal that the proposed accounting system and its security add-on are fully operable in SIP environments without incurring much cost in terms of performance and overhead.
A. Katsiotis, P. Rizomiliotis, N. Kalouptsidis, Flexible Convolutional Codes: Variable Rate and Complexity, IEEE Transactions on Communications, Vol. 3, pp. 608-613, 2012, IEEE Press, doi:10.1109/TCOMM.2011.121211.11012..., indexed in SCI-E, IF = 1.979
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Analyzing Trajectories of Information Security Awareness, Information Technology & People, Vol. 25, No. 3, 2012, Emerald, http://www.emeraldinsight.com/journ..., indexed in SCI-E, IF = 0.767
Purpose – Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program. Design/methodology/approach – Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings. Findings – The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events. Practical implications – The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, additionally to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it. Originality/value – This study is one of the first to examine information security awareness as a managerial and socio-technical process within an organizational context.
A. Tsohou, Lee H., K. Al-Yafi, V. Weerakkody , R. El-Haddadeh , Z. Irani, T. Medeni, L. Campos, Supporting Public Policy Making Processes with Workflow Technology: Lessons Learned From Cases in Four European Countries, International Journal of Electronic Government Research, Vol. 8, No. 3, pp. 63-77, 2012, IGI Global,
H. H. Chan, E. Konstantinou, A. Kontogeorgis, C. H. Tan, What is your “birthday elliptic curves”?, Finite Fields and Applications, Vol. 18, No. 6, 2012, Elsevier, indexed in SCI-E
A. Loukas, D. Damopoulos, S. A. Menesidou, Maria Eleni Skarkala, G. Kambourakis, S. Gritzalis, MILC: A Secure and Privacy-Preserving Mobile Instant Locator with Chatting, Information System Frontiers, Vol. 14, No. 3, pp. 481-497, 2012, Springer, http://link.springer.com/content/pd..., indexed in SCI-E, IF = 0.851
The key issue for any mobile application or service is the way it is delivered and experienced by users, who eventually may decide to keep it on their software portfolio or not. Without doubt, security and privacy have both a crucial role to play towards this goal. Very recently, Gartner has identified the top ten of consumer mobile applications that are expected to dominate the market in the near future. Among them one can earmark location-based services in number 2 and mobile instant messaging in number 9. This paper presents a novel application namely MILC that blends both features. That is, MILC offers users the ability to chat, interchange geographic co-ordinates and make Splashes in real-time. At present, several implementations provide these services separately or jointly, but none of them offers real security and preserves the privacy of the end-users at the same time. On the contrary, MILC provides an acceptable level of security by utilizing both asymmetric and symmetric cryptography, and most importantly, put the user in control of her own personal information and her private sphere. The analysis and our contribution are threefold starting from the theoretical background, continuing to the technical part, and providing an evaluation of the MILC system. We present and discuss several issues, including the different services that MILC supports, system architecture, protocols, security, privacy etc. Using a prototype implemented in Google’s Android OS, we demonstrate that the proposed system is fast performing, secure, privacy-preserving and potentially extensible.
E. Konstantinou, Efficient Cluster-based Group Key Agreement Protocols for Wireless Ad Hoc Networks, Journal of Networks and Computer Applications, Vol. 34, No. 1, pp. 384-393, 2011, Elsevier, , indexed in SCI-E
E. Konstantinou, A. Kontogeorgis, Some Remarks on the Construction of Class Field Polynomials, Advances in Mathematics of Communications, Vol. 5, No. 1, pp. 109-118, 2011, indexed in SCI-E
C. Kalloniatis, P. Belsis, S. Gritzalis, A Soft Computing approach for Privacy Requirements Engineering, Journal of Applied Soft Computing, Vol. 11, No. 7, pp. 4341-4348, 2011, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 2.612
Soft computing continuously gains interest in many fields of academic and industrial domain; among the most notable characteristics for using soft computing methodological tools is the ability to handle with vague and imprecise data in decision making processes. Similar conditions are often encountered in requirements engineering. In this paper, we introduce the PriS approach, a security and privacy requirements engineering framework which aims at incorporating privacy requirements early in the system development process. Specifically, PriS provides a set of concepts for modelling privacy requirements in the organisation domain and a systematic way-of-working for translating these requirements into system models. The conceptual model of PriS uses a goal hierarchy structure. Every privacy requirement is either applied or not on every goal. To this end every privacy requirement is a variable that can take two values [0,1] on every goal meaning that the requirements constraints the goal (value 1) or not (value 0). Following this way of working PriS ends up suggesting a number of implementation techniques based on the privacy requirements constraining the respective goals. Taking into account that the mapping of privacy variables to a crisp set consisting of two values [0,1] is constraining, we extend also the PriS framework so as to be able to address the degree of participation of every privacy requirement towards achieving the generic goal of privacy. Therefore, we propose a fuzzification of privacy variables that maps the expression of the degree of participation of each privacy variable to the [0,1] interval. We also present a mathematical framework that allows the concurrent management of combined independent preferences towards the necessity of a privacy measure; among the advantages of the presented extended framework is the scalability of the approach in such a way that the results are not limited by the number of independent opinions or by the number of factors considered while reasoning for a specific selection of privacy measures.
P. Belsis, D. Vassis, C. Skourlas, Identifying and Utilizing Secure paths in Ad-hoc Assistive Medical Environments, Security Communication Networks Journal , 2011, Wiley, (to_appear), http://onlinelibrary.wiley.com/jour..., indexed in SCI-E
F. Pereniguez, R. Marin-Lopez, G. Kambourakis, S. Gritzalis, A. F. Gomez, PrivaKERB: A User Privacy Framework for Kerberos, Computers & Security, Vol. 30, No. 6-7, pp. 446-463, 2011, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.868
Kerberos is one of the most well-respected and widely used authentication protocols in open and insecure networks. It is envisaged that its impact will increase as it comprises a reliable and scalable solution to support authentication and secure service acquisition in the Next Generation Networks (NGN) era. This means however that security and privacy issues related to the protocol itself must be carefully considered. This paper proposes a novel two-level privacy framework, namely PrivaKERB, to address user privacy in Kerberos. Our solution offers two privacy levels to cope with user anonymity and service access untraceability. We detail how these modes operate in preserving user privacy in both single-realm and cross-realm scenarios. By using the extensibility mechanisms already available in Kerberos, PrivaKERB does not change the semantics of messages and enables future implementations to maintain interoperability. We also evaluate our solution in terms of service time and resource utilization. The results show that PrivaKERB is a lightweight solution imposing negligible overhead in both the participating entities and network.
C. Kolias, G. Kambourakis, M. Maragoudakis, Swarm Intelligence in Intrusion Detection: A Survey, Computers & Security, Vol. 30, No. 8, pp. 625-642, 2011, Elsevier, www.elsevier.com/locate/cose, indexed in SCI-E, IF = 0.868
Intrusion Detection Systems (IDS) have nowadays become a necessary component of almost every security infrastructure. So far, many different approaches have been followed in order to increase the efficiency of IDS. Swarm Intelligence (SI), a relatively new bioinspired family of methods, seeks inspiration in the behavior of swarms of insects or other animals. After applied in other fields with success SI started to gather the interest of researchers working in the field of intrusion detection. In this paper we explore the reasons that led to the application of SI in intrusion detection, and present SI methods that have been used for constructing IDS. A major contribution of this work is also a detailed comparison of several SI-based IDS in terms of efficiency. This gives a clear idea of which solution is more appropriate for each particular case.
E. Konstantinou, A. Kontogeorgis, Ramanujan Invariants for Discriminants Congruent to 5 mod 24, International Journal of Number Theory, Vol. 8, No. 1, 2011, World Scientific
E. Makri, E. Konstantinou, Constant Round Group Key Agreement Protocols: A Comparative Study, Computers and Security, Vol. 30, No. 8, pp. 643-678, 2011, Elsevier, indexed in SCI-E
P. Belsis, C. Skourlas, S. Gritzalis, Secure electronic healthcare records management in wireless environments, Journal of Information Technology Research, Vol. 4, No. 4, pp. 1-17, 2011, IGI Global, http://www.igi-global.com/article/s...
Wireless technologies have lately been integrated in many types of environments; their development is able to provide innovative services minimizing costs and the time necessary to identify the necessary information. However medical information is very sensitive since it contains critical personal data. Security and privacy preservation are very critical parameters. Lately, innovative technologies such as software agents’ technology have been utilized to support distributed environments. Presented is an architecture that allows secure medical related information management using software agents; this work expands previous research (Belsis, Skourlas, & Gritzalis, 2011). The authors present a security oriented solution and also provide experimental evidence about the capability of the platform to operate in wireless environments with large number of users.
G. Kambourakis, C. Kolias, S. Gritzalis, J. H. Park, DoS Attacks Exploiting Signaling in UMTS and IMS, Computer Communications, Vol. 34, No. 3, pp. 226-235, 2011, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.044
The Universal Mobile Telecommunication Standard (UMTS) is continuously evolving to meet the growing demand of modern mobile and Internet applications for high capacity and advanced features in security and quality of service. Although admittedly enhanced in terms of security when compared to 2G systems, UMTS still has weaknesses that can lead to security incidents. In this paper, we investigate the vulnerabilities of the UMTS security architecture that can be exploited by a malicious individual to mount Denial of Service (DoS) attacks. Our focus is on signaling-oriented attacks above the physical layer. We describe and analyze several novel attacks that can be triggered against both core UMTS architecture as well as hybrid UMTS/WLAN realms. An additional contribution of this paper is the presentation of an extensive survey of similar attacks in UMTS and related protocol infrastructures such as IP Multimedia Subsystem (IMS). Finally, we offer some suggestions that would provide greater tolerance to the system against DoS attacks.
V. Kolias, C. Kolias, J. Anagnostopoulos, G. Kambourakis, E. Kayafas, TELS: A Voice-Response Internet-based Learning System, Journal of Internet Technology, Vol. 12, No. 2, pp. 217-235, 2011, Executive Committee, Taiwan Academic Network, Ministry of Education, Taipei, Taiwan, ROC, http://jit.ndhu.edu.tw/, indexed in SCI-E, IF = 0.508
During the last decade the academic world is continuously capitalizing on the use of Internet and web-based learning solutions, because of the simplicity and immediacy in creating, organizing and managing educational material and student data. However, the delivery of educational content to the end-user is characterized by visual presentation and the requirement of some sort of access either wired or wireless to the Internet, which blocks visually impaired individuals or people who don’t have access to the Internet in one way or another from accessing educational content. In this paper we describe the design and implementation of the Internet Telephony Learning System (TELS). Besides all other, TELS exploits mature Internet/ web standards and the most popular communication mean in the world, the telephone, to provide audio interactivity between an otherwise traditional web application and the end-user. Unlike other similar applications, TELS does not need any special software or hardware to be accessed and since it is an open source traditional web application it can be custom-tailored to the individual needs of each institution. Since it is accessible to almost every communication device, we argue that it is useful for visually impaired, technologically uneducated, and underprivileged people for accessing information originally intended to be accessed visually via a Personal Computer.
G. Karopoulos, G. Kambourakis, S. Gritzalis, PrivaSIP: Ad-hoc Identity Privacy in SIP, Computer Standards and Interfaces, Vol. 33, No. 3, pp. 301-314, 2011, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.257
In modern and future networks that belong to different providers, multimedia protocols will have to operate through multiple domains. In such an environment security is considered a crucial parameter; this is true especially for privacy since not all domains can be considered trusted beforehand in terms of personal data protection. Probably the most promising protocol for multimedia session management is SIP. While SIP is popular and a lot of research has been conducted, it still has some security issues, one of which is related to privacy and more particularly the protection of user identities (IDs). In the general case everybody can reveal the communicating parties IDs by simply eavesdropping on the exchanged SIP messages. In this paper we analyze the lack of user ID protection in SIP and propose two solutions; in the first the ID of the caller is protected while in the second both IDs of the caller and the callee are protected. Our work also includes performance results and extensive comparison with similar methods. The most significant advantage of our method is that it can assure user ID protection even when SIP messages are transmitted through untrusted SIP domains before reaching the Home Domain of the user or another trusted domain. Moreover, it does not require from the SIP Proxy server to maintain state information for exchanged SIP requests and respective responses.
I. Terzis, G. Kambourakis, G. Karopoulos, C. Lambrinoudakis, Privacy Preserving Context Transfer Schemes for 4G Networks, Wireless Communications and Mobile Computing, Vol. 11, No. 2, pp. 289–302, 2011, Wiley, http://onlinelibrary.wiley.com/doi/..., indexed in SCI-E, IF = 0.884
In the near future, wireless heterogeneous networks are expected to interconnect in an all-IP architecture. An open issue towards this direction is the uninterrupted continuation of the received services during handover between networks employing different access technologies. In this context, Mobile IP (MIP) is a protocol that allows fast and secure handovers. However, MIP per se cannot handle all the issues that surface during handovers in certain services, and more specifically, when the information of the current state of a service requires re-establishment on the new subnet without having to repeat the entire protocol exchange with the mobile host from the outset. A number of methods have been proposed to solve the aforementioned problem, commonly referred to as secure context transfer. However, while such methods do succeed in minimising the disruption caused by security-related delays, it seems that little has been done to protect the end-users’ privacy as well. In this paper, a number of privacy enhanced (PE) context transfer schemes are presented. The first two of them have been introduced in a previous work of ours while the other two are novel. All schemes are analysed in terms of message exchange and evaluated through simulations. The performance of our schemes is compared with the standard ones proposed by the Seamoby work group (WG). The results demonstrate that the proposed schemes are very efficient in terms of application handover times, while at the same time guarantee the privacy of the end-user.
E. Klaoudatou, E. Konstantinou, G. Kambourakis, S. Gritzalis, A Survey on Cluster-based Group Key Agreement Protocols for WSNs, IEEE Communications Surveys and Tutorials, Vol. 13, No. 3, pp. 429-442, 2011, IEEE Press, http://ieeexplore.ieee.org/xpl/logi..., indexed in SCI-E, IF = 6.311
The scope of this survey is to examine and thoroughly evaluate the cluster-based Group Key Agreement (GKA) protocols for Wireless Sensor Networks (WSNs). Towards this goal, we have grouped the WSNs application environments into two major categories (i.e., infrastructure-based and infrastructureless) and have examined: a) which of the cluster-based Group Key Agreement (GKA) protocols that appear in the literature are applicable to each category, and b) to which degree these protocols will impact the systems' performance and energy consumption. In order to answer these questions we have calculated the complexity of each protocol and the energy cost it will add to the system. The evaluation of all discussed protocols is presented in a generalized way and can therefore serve as a reference point for future evaluations and for the design of new, improved GKA protocols.
P. Rizomiliotis, On the Security of the Feng-Liao-Yang family of Boolean functions with optimal algebraic immunity against fast algebraic attacks, Designs, Codes and Cryptography, Vol. 57, No. 3, pp. 283-292, 2010, Springer, http://www.springerlink.com/content..., indexed in SCI-E, IF = 0.958
P. Rizomiliotis, On the Resistance of Boolean Functions against Algebraic Attacks using Univariate Polynomial Representation, IEEE Transactions on Information Theory, Vol. 56, pp. 4014-4024, 2010, IEEE Press, http://ieeexplore.ieee.org/xpl/free..., indexed in SCI-E, IF = 2.650
A. Katsiotis, P. Rizomiliotis, N. Kalouptsidis, New Constructions of High-Performance Low-Complexity Convolutional Codes, IEEE Transactions on Communications, Vol. 58, No. 7, pp. 1950 - 1961, 2010, IEEE Press, doi:10.1109/TCOMM.2010.07.090149 , indexed in SCI-E, IF = 1.979
P. Rizomiliotis, A. Bogris, D. Syvridis, Message Origin Authentication and Integrity Protection in Chaos-based Optical Communication, IEEE Journal of Quantum Electronics, Vol. 46, No. 3, pp. 377-383, 2010, IEEE Press, doi: 10.1109/JQE.2009.2034028 , indexed in SCI-E, IF = 2.113
G. Kambourakis, S. Gritzalis, J. H. Park, Device Authentication in Wireless and Pervasive Environments, Intelligent Automation and Soft Computing (AutoSoft), Vol. 16, No. 3, pp. 399-418, 2010, TSI Press, http://wacong.org/autosoft/auto/163..., indexed in SCI-E, IF = 0.187
Security can only be guaranteed as long as the hardware and other key parameters, including software components, secret keys etc, of a device remain genuine and unmodified. Under this context, device authentication must be considered as a key security issue, complementary and of equal importance to user authentication, in today’s wireless and forthcoming ubiquitous realms. This paper classifies and analyses possible major solutions proposed until now towards solving the device authentication issue. We constructively argue on each solution presented examining its advantages and disadvantages. A qualitative comparative analysis for the device authentication schemes in question is also offered, probing its applicability for both infrastructure and ad-hoc deployments. Inter-domain device authentication, where applicable, and users’ privacy as a side-effect are investigated as well.
E. Konstantinou, A. Kontogeorgis, Ramanujan’s Class Invariants and Their Use in Elliptic Curve Cryptography, Computers and Mathematics with Applications, Vol. 59, No. 8, pp. 2901-2917, 2010, Elsevier, , indexed in SCI-E
E. Kosta, C. Kalloniatis, L. Mitrou, S. Gritzalis, Data protection issues pertaining to social networking under EU law, Transforming Government: People, Process, and Policy journal, Vol. 4, No. 2, pp. 193-201, 2010, Emerald, http://www.emeraldinsight.com/journ...
Purpose – The purpose of this paper is to examine how the introduction of new communication channels facilitates interactive information sharing and collaboration between various actors over social networking services and how social networking fits in the existing European legal framework on data protection. The paper also aims to discuss some specific data protection issues, focusing on the role of the relevant actors, using the example of photo tagging. Design/methodology/approach – Privacy in social networks is one of the main concerns for providers and users. This paper examines the role of the main actors in social networking, i.e. the providers and the users, scrutinised under the light of the European data protection legislation. Specifically, how social networking service providers deal with users' privacy and how users handle their personal information, if this manipulation is complied with the respective legislation and how “tagging”, one of the most familiar services provided by the social networking providers, may cause privacy risks. Findings – Social networking is one of the most remarkable cultural phenomena that has blossomed in the Web 2.0 era. They enable the connection of users and they facilitate the exchange of information among them. However, the users reveal vast amounts of personal information over social networking services, without realising the privacy and security risks arising from their actions. The European data protection legislation could be used as a means for protecting the users against the unlawful processing of their personal information, although a number of problems arise regarding its applicability. Originality/value – The paper discusses some privacy concerns involved in social networks and examines how social networking service providers and users deal with personal information with regard to the European data protection legislation.
D. Vassis, P. Belsis, C. Skourlas, G. Pantziou, Providing advanced remote medical treatment services through pervasive environments, Personal and Ubiquitous Computing , Vol. 14, No. 4, pp. 563-573, 2010, Springer, http://www.springerlink.com/content..., indexed in SCI-E
G. Kambourakis, E. Konstantinou, S. Gritzalis, Revisiting WiMAX MBS Security, Computers and Mathematics with Applications, Vol. 60, No. 2, pp. 217-223, 2010, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.472
IEEE 802.16 technology also well known as WiMax is poised to deliver the next step in the wireless evolution. This is further fostered by the 802.16e specification which, amongst other things, introduces support for mobility. The Multicast/Broadcast Service (MBS) is also an integral part of 802.16e destined to deliver next generation services to subscribers. In this paper we concentrate on the Multicast and Broadcast Rekeying Algorithm (MBRA) of 802.16e. This algorithm has been recently criticized for various vulnerabilities and security inefficiencies, as its designers are trying to balance wisely between performance and security. After surveying related work, we extensively discuss MBRA security issues and propose the use of a novel asymmetric group key agreement protocol based on the work in Wu et al. (2009) [3]. Our scheme guarantees secure delivery of keys to all the members of a given group and mandates rekeying upon join and leave events. It can prevent insider attacks since only the Base Station possesses a secret encryption key while all other members in the network acquire the transmitted data by using their secret decryption keys. We compare our scheme with related work and demonstrate that although heavier in terms of computing costs, it compensates when scalability and security come to the foreground.
F. Pereniguez, G. Kambourakis, R. Marin-Lopez, S. Gritzalis, A. F. Gomez, Privacy-Enhanced Fast Re-authentication for EAP-based Next Generation Network, Computer Communications, Vol. 33, No. 14, pp. 1682-1694, 2010, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.815
In next generation networks one of the most challenging issues is the definition of seamless and secure handoffs in order to assure service continuity. In general, researchers agree on the use of EAP as an authentication framework independent of the underlying technology. To date, efforts have focused on optimizing the authentication process itself, leaving out other relevant but sometimes important aspects like privacy. In this paper we present a solution that provides a lightweight authentication process while preserving user anonymity at the same time. The goal is to define a multi-layered pseudonym architecture that does not affect the fast re-authentication procedure and that allows a user to be untraceable. Taking as reference our previous work in fast re-authentication, we describe the extensions required to support identity privacy. Moreover, results collected from an implemented prototype, reveal that the proposed privacy-enhanced fast re-authentication scheme is attainable without significant cost in terms of performance in 4G foreseeable environments.
C. Kolias, V. Kolias, J. Anagnostopoulos, G. Kambourakis, E. Kayafas, Design and implementation of a VoiceXML-driven Wiki Application for Assistive Environments on the Web, Personal and Ubiquitous Computing, Vol. 14, No. 6, pp. 527-539, 2010, Springer, http://www.springer.com/computer/hc..., indexed in SCI-E, IF = 1.137
In this paper, we describe the design and implementation of an audio wiki application accessible via both the Public Switched Telephone Network and the Internet. The application exploits mature World Wide Web Consortium standards, such as VoiceXML, Speech Synthesis Markup Language, and Speech Recognition Grammar Specification toward achieving our goals. The purpose of such an application is to assist visually impaired, technologically uneducated, and underprivileged people in accessing information originally intended to be accessed visually via a personal computer (PC). Users may access wiki content via fixed or mobile phones, or via a PC using a Web Browser or a Voice over IP service. This feature promotes pervasiveness to collaboratively created content to an extremely large population, i.e., those who simply own a telephone line.
G. Karopoulos, G. Kambourakis, S. Gritzalis, E. Konstantinou, A Framework for Identity Privacy in SIP, Journal of Network and Computer Applications, Vol. 33, No. 1, pp. 16-28, 2010, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.660
Secure multimedia delivery in modern and future networks is one of the most challenging problems towards the system integration of fourth generation (4G) networks. This integration means that different service and network providers will have to interoperate in order to offer their services to end users. This multidomain environment poses serious threats to the end user who has contract with, and trusts only a limited number of operators and service providers. One such threat is end users’ privacy on which we will focus in this paper. Probably the most promising protocol for multimedia session management is the Session Initiation Protocol (SIP), which is an application layer protocol and thus can operate on top of different lower layer technologies. SIP is quite popular and a lot of research has been conducted; however, it still has some security issues, one of which is related to privacy and more particularly the protection of user identities (IDs). In this paper we comment on the ID privacy issue of SIP and propose a framework called PrivaSIP that can protect either the caller's ID or both the caller's and the callee's IDs in multidomain environments. We present different implementations of our framework based on asymmetric and symmetric cryptography analyzing the pros and cons of each one of them. Furthermore, we provide performance measurements in order to estimate the performance penalty of our framework over standard SIP. The most significant advantage of our method is that it can assure user ID protection even when SIP messages are transmitted through untrusted SIP domains, while our results show that this can be achieved with no perceived delay by the end user.
E. Konstantinou, A. Kontogeorgis, Y. Stamatiou, C. Zaroliagis, On the Efficient Generation of Prime Order Elliptic Curves, Journal of Cryptology, Vol. 23, pp. 477-503, 2010, Springer, indexed in SCI-E
P. Rizomiliotis, Improving the high order nonlinearity lower bound for Boolean functions with given Algebraic Immunity, Discrete Applied Mathematics, Vol. 158, No. 18, pp. 2049-2055, 2010, Elsevier, doi:10.1016/j.dam.2010.08.023, indexed in SCI-E, IF = 0.862
G. Kambourakis, E. Konstantinou, A. Douma, M. Anagnostopoulos, G. Fotiadis, Efficient Certification Path Discovery for MANET, EURASIP Journal on Wireless Communications and Networking, Vol. 2010, pp. 1-16, 2010, Hindawi Publishing Corporation, http://jwcn.eurasipjournals.com/, indexed in SCI-E, IF = 0.815
A Mobile Ad Hoc Network (MANET) is characterized by the lack of any infrastructure, absence of any kind of centralized administration, frequent mobility of nodes, network partitioning, and wireless connections. These properties make traditional wireline security solutions not straightforwardly applicable in MANETs, and of course, constitute the establishment of a Public Key Infrastructure (PKI) in such networks a cumbersome task. After surveying related work, we propose a novel public key management scheme using the well-known web-of-trust or trust graph model. Our scheme is based on a binary tree formation of the network’s nodes. The binary tree structure is proved very effective for building certificate chains between communicating nodes that are multihops away and the cumbersome problem of certificate chain discovery is avoided.We compare our scheme with related work and show that it presents several advantages, especially when a fair balancing between security and performance is desirable. Simulations of the proposed scheme under different scenarios demonstrate that it is effective in terms of tree formation, join and leave occurrences, and certificate chain establishment.
G. Kambourakis, D. Geneiatakis, S. Gritzalis, T. Dagiuklas, C. Lambrinoudakis, S. Ehlert, J. Fiedler, High Availability for SIP: Solutions and Real-Time Measurement Performance Evaluation, International Journal of Disaster Recovery and Business Continuity, Vol. 1, No. 1, pp. 11-30, 2010, SERSC, http://www.sersc.org/journals/IJDRB...
SIP is rapidly becoming a standard for service integration within a variety of wireless and wireline networks. In this regard high availability, reliability and redundancy are key factors for any SIP based infrastructure. In an adverse environment, especially the Internet and foreseeable 3GPP IMS, high availability solutions are of major importance for SIP network components to smoothly mitigate call increments, device failures, misconfigurations, physical disasters and throttle active attacks. This paper proposes a practical and transparent failover solution for SIP and RTP-Proxy servers. We demonstrate that both methods work properly and increase stability and availability of such systems. Furthermore, high availability solutions are enhanced through the employment of easy to implement load balancing schemes. All the proposed solutions are technically analyzed and evaluated via properly designed test-beds, showing fine performance in terms of service times.
A. Tsohou, C. Lambrinoudakis, S. Kokolakis, S. Gritzalis, The Importance of Context-Dependent Privacy Requirements and Perceptions to the Design of Privacy-Aware Systems, UPGRADE, Vol. 11, No. 1, pp. 32-37, 2010, CEPIS, http://www.cepis.org/files/cepisupg...
The issue of information privacy protection is ensured nowadays by European and national legislation. However, it is not possible to protect information system user privacy adequately without establishing privacy requirements and employing an appropriate privacy assessment process that can identify the required privacy level and the possible countermeasures for achieving it. In this paper we draw upon security management tasks in order to highlight the gaps that need to be explored regarding privacy management, so as to be able to justifiably select the privacy enhancing technologies that fit a system’s privacy requirements.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Aligning Security Awareness with Information Systems Security Management, Journal of Information Systems Security, Vol. 6, No. 1, pp. 36-64, 2010, http://www.jissec.org/Contents/V6/N...
This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism.
A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, A Security Standards’ Framework to facilitate Best Practices’ Awareness and Conformity, Information Management & Computer Security, Vol. 18, No. 5, pp. 350-365, 2010, Emerald, http://www.emeraldinsight.com/journ...
Purpose – Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, it is noted that still the majority of organizations does not know the dominant security standards or does not fully implement them. The aim of this paper is to facilitate the awareness of information security practitioners regarding globally known and accepted security standards, and thus, contribute to their adoption. Design/methodology/approach – The paper adopts a conceptual approach and results in a classification framework for categorizing available information security standards. The classification framework is built in four layers of abstraction, where the initial layer is founded in ISO/IEC 27001:2005 information security management system. Findings – The paper presents a framework for conceptualizing, categorizing and interconnecting available information security standards dynamically. Research limitations/implications – The completeness of the information provided in the paper relies on the pace of standards’ publications; thus the information security standards that have been classified in this paper need to be updated when new standards are published. However, the proposed framework can be utilized for this constant effort. Practical implications – Information security practitioners can benefit by the proposed framework for available security standards and effectively invoke the relevant standard each time. Guidelines for utilizing the proposed framework are presented through a case study. Originality/value – Although the practices proposed are not innovative by themselves, the originality of this work lies on the best practices’ linkage into a coherent framework that can facilitate the standards diffusion and systematic adoption.
L. Boukas, G. Kambourakis, S. Gritzalis, Pandora: An SMS-oriented m-informational system for educational realms, Journal of Network and Computer Applications, Vol. 32, No. 3, pp. 684-702, 2009, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.111
e-Informational systems based on the Internet infrastructure and services like e-mail, WWW, etc., are a de-facto option for various educational realms, in order to enhance the quality and diversity of services offered to their educators and students. On the other hand, despite the fact that pure mobile services like short message service (SMS) or multimedia message service (MMS) have managed to highly penetrate the wireless market to a great degree and gain users’ wide acceptance, are rarely employed to support or offer informational services in the context of education. In this paper, we describe in detail a fully functional SMS-oriented mobile-informational (m-informational) system named Pandora that was designed and developed from the onset to speci?cally support a plethora of services obtainable mainly by the students of our university. The analysis and our contribution are two-fold starting from the theoretical background and continuing to the technical part of the Pandora system. We present and discuss several issues, including the different services that Pandora supports, system architecture, Pandora’s box, core, Web services, security, etc. We demonstrate that the proposed system is practical to implement, flexible, effective, secure, affordable and above all scalable and potentially extensible.
P. Rizomiliotis, E. Rekleitis, S. Gritzalis, Security Analysis of the Song-Mitchell Authentication Protocol for Low-Cost RFID tags, IEEE Communications Letters, Vol. 13, No. 4, pp. 274-276, 2009, IEEE Press, http://ieeexplore.ieee.org/xpl/arti..., indexed in SCI-E, IF = 1.463
In this paper, we describe an attack against one of the most efficient authentication protocols for low-cost RFID tags recently proposed by Song and Mitchell. A weak attacker, i.e. an attacker that has no access to the internal data of a tag, is able to impersonate a legitimate reader/server, and to desynchronize a tag. The attack is very efficient and has minimal computational complexity. Finally, we propose a simple solution to fix the flaw.
M. Karyda, S. Gritzalis, J. H. Park, S. Kokolakis, Privacy and Fair Information Practices in Ubiquitous Environments: Research Challenges and Future Directions, Internet Research, Vol. 19, No. 2, pp. 194-208, 2009, Emerald , http://www.emeraldinsight.com/journ..., indexed in SCI-E, IF = 0.844
Purpose – This paper aims to contribute to the ongoing discourse about the nature of privacy and its role in ubiquitous environments and provide insights for future research. Design/methodology/approach – The paper analyses the privacy implications of particular characteristics of ubiquitous applications and discusses the fundamental principles and information practices used in digital environments for protecting individuals’ private data. Findings – A significant trend towards shifting privacy protection responsibility from government to the individuals is identified. Also, specific directions for future research are provided with a focus on interdisciplinary research. Research limitations/implications – This paper identifies key research issues and provides directions for future research. Originality/value – This study contributes by identifying major challenges that should be addressed, so that a set of “fair information principles” can be applied in the context of ubiquitous environments. It also discusses the limitations of these principles and provides recommendations for future research.
A. Tsakountakis, G. Kambourakis, S. Gritzalis, A Generic Accounting Scheme for Next Generation Networks, Computer Networks, Vol. 53, No. 14, pp. 2408-2426, 2009, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.201
Accounting is generally considered as one of the most challenging issues in modern and future mobile networks. As multi-domain complex heterogeneous environments are becoming a common terrain, accounting procedures performed by network and service providers have turned into a key aspect. However, in order for these networks to reliably deliver modern real-time services, they should, among other things, provide accurate accounting services, particularly billing. This work elaborates on the accounting process, proposing a novel and robust accounting system. The requirements of the proposed mechanism are defined and all the accounting scenarios that the system should cope with are examined. All the proposed accounting extensions are implemented by means of Diameter AVPs and commands. Our mechanism is generic and capitalizes on the existing AAA infrastructure, thus providing secure means to transfer and store sensitive billing data. More importantly, it can be easily incorporated into the providers’ existing mechanisms regardless of the underlying network technology. At the same time, its generic nature allows for interoperability between different network operators and service providers. Through extensive experimentation, we can also infer that our scheme is lightweight, scalable, and easy to implement requiring only minor modifications to the core Diameter protocol.
P. Rizomiliotis, A. Tsohou, C. Lambrinoudakis, S. Gritzalis, Security and Privacy Issues in Bipolar Disorder Research, The Journal on Information Technology in Healthcare, Vol. 7, No. 4, pp. 244-250, 2009, HL7 Ramius Corp
Mental health diseases are common but research to further knowledge and understanding of them is hampered by data privacy and con.dentiality regulations that apply to medical records. Centralised databases containing the relevant medical history of thousands of patients with an individual mental disease would be of great value for researchers, enabling techniques such as data mining to be applied. The major challenge in achieving this is anonymising the data to satisfy legal and ethical requirements without removing important clinical information. In this paper we propose a model that can be used to create a central repository of anonymised data for patients with bipolar disease. Knowledge obtained from the database is fed into an expert system which can guide clinicians in patient management. Security requirements are provided by access to the database being controlled by RBAC (Role Based Access Control).
E. Konstantinou, A. Kontogeorgis, Computing Polynomials of the Ramanujan t_n class invariants, Canadian Mathematical Bulletin, Vol. 52, No. 4, pp. 583-597, 2009, indexed in SCI-E
D. Geneiatakis, C. Lambrinoudakis, G. Kambourakis, An Ontology-based Policy for Deploying Secure SIP-based VoIP Services, Computers & Security (COSE), Vol. 27, No. 7-8, pp. 285-297, 2008, Elsevier, http://dx.doi.org/10.1016/j.cose.20..., indexed in SCI-E, IF = 1.028
Voice services over Internet Protocol (VoIP) are nowadays much promoted by telecommunication and Internet service providers. However, the utilization of open networks, like the Internet, raises several security issues that must be accounted for. On top of that, there are new sophisticated attacks against VoIP infrastructures that capitalize on vulnerabilities of the protocols employed for the establishment of a VoIP session (for example the Session Initiation Protocol – SIP). This paper provides a categorization of potential attacks against VoIP services, followed by specific security recommendations and guidelines for protecting the underlying infrastructure from these attacks and thus ensuring the provision of robust and secure services. In order to utilize (share) the aforementioned security guidelines and recommendations into different domains, it is necessary to have them represented in some formal way. To this end, ontologies have been used for representing the proposed guidelines and recommendations in the form of a unified security policy for VoIP infrastructures. This ontology-based policy has been then transformed to a First Order Logic (FOL) formal representation. The proposed ontology-based security policy can be applied in a real VoIP environment for detecting attacks against an SIP-based service, but it can be also utilized for security testing purposes and vulnerabilities identification. The work presented in this paper has been focused to the SIP protocol. However, generalization to other signaling protocols is possible.
S. Ehlert, G. Zhang , D. Geneiatakis, G. Kambourakis, T. Dagiuklas, J. Mark , D. Sisalem, Two Layer Denial of Service Prevention on SIP VoIP Infrastructures, Computer Communications (COMCOM), Vol. 31, No. 10, pp. 2443-2456, 2008, Elsevier, http://dx.doi.org/10.1016/j.comcom...., indexed in SCI-E, IF = 0.619
The emergence of Voice over IP (VoIP) has offered numerous advantages for end users and providers alike, but simultaneously has introduced security threats, vulnerabilities and attacks not previously encountered in networks with a closed architecture like the Public Switch Telephone Network (PSTN). In this paper we propose a two layer architecture to prevent Denial of Service attacks on VoIP systems based on the Session Initiation Protocol (SIP). The architecture is designed to handle different types of attacks, including request flooding, malformed message sending, and attacks on the underlying DNS system. The effectiveness of the prevention mechanisms have been tested both in the laboratory and on a real live VoIP provider network.
T. Balopoulos, S. Gritzalis, S. K. Katsikas, Specifying and Implementing Privacy-preserving protocols, International Journal of Information Security, Vol. 7, No. 6, pp. 395-420, 2008, Springer, http://link.springer.com/content/pd..., indexed in SCI-E, IF = 1.094
Formal methods are an important tool for designing secure cryptographic protocols. However, the existing work on formal methods does not cover privacy-preserving protocols as much as other types of protocols. Furthermore, privacy-related properties, such as unlinkability, are not always easy or even possible to prove statically, but need to be checked dynamically during the protocol’s execution. In this paper, we demonstrate how, starting from an informal description of a privacy-preserving protocol in natural language, one may use a modified and extended version of the Typed MSR language to create a formal specification of this protocol, typed in a linkability-oriented type system, and then use this specification to reach an implementation of this protocol in Jif, in such a way that privacy vulnerabilities can be detected with a mixture of static and runtime checks.
A. Tsohou, S. Kokolakis, M. Karyda, E. Kiountouzis, Investigating information security awareness: research and practice gaps, Information Security Journal: A Global Perspective, Vol. 17, No. 5&6, pp. 207–227, 2008, Taylor & Francis, http://www.tandfonline.com/doi/pdf/...
Several studies explore information security awareness focusing on individual and/ or organisational aspects. This paper argues that security awareness processes are associated with interrelated changes that occur at the organisational, the technological and the individual level. We introduce an integrated analytical framework that has been developed through action research in a public sector organisation, comprising actor-network theory (ANT), structuration theory and contextualism. We develop and use this framework to analyse and manage changes introduced by the implementation of a security awareness programme in the research setting. The paper illustrates the limitations of each theory (ANT, structuration theory and contextualism) to study multi-level changes when used individually, demonstrates the synergies of the three theories, and proposes how they can be used to study and manage awareness-related changes at the individual, organisational and technological level.
A. Tsohou, S. Kokolakis, M. Karyda, E. Kiountouzis, Process-Variance Models in Information Security Awareness Research, Information Management and Computer Security, Vol. 16, No. 3, pp. 271 – 287, 2008, Emerald , http://www.emeraldinsight.com/journ...
Purpose – The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes. Design/methodology/approach – Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology. Findings – The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness. Research limitations/implications – The paper represents a pilot survey, performed in a selected number of publications. Practical implications – The paper helps researchers and practitioners to distinguish the research models that can be adopted for the study of information security awareness organizational process, by identifying the key dimensions along which they differ. Originality/value – The proposed typology provides a guide to identify the range of options available to researchers and practitioners when they design their work regarding the security awareness topic. Moreover, it can facilitate the communication between scholars in the field of security awareness.
P. Belsis, K. Fragos, S. Gritzalis, C. Skourlas, Applying effective feature selection techniques with Hierarchical Mixtures of Experts for spam classification, Journal of Computer Security, Vol. 16, No. 6, pp. 761-790, 2008, IOS Press, http://iospress.metapress.com/conte...
E-mail abuse has been steadily increasing during the last decade. E-mail users find themselves targeted by massive quantities of unsolicited bulk e-mail, which often contains offensive language or has fraudulent intentions. Internet Service Providers (ISPs) on the other hand, have to face a considerable system overloading as the incoming mail consumes network and storage resources. Among the plethora of solutions, the most prominent in terms of cost efficiency and complexity are the text filtering approaches. Most of the approaches model the problem using linear statistical models. Despite their popularity – due both to their simplicity and relative ease of interpretation – the non-linearity assumption of data samples is inappropriate in practice. This is mainly due to the inability of other approaches to capture the apparent non-linear relationships, which characterize these samples. In this paper, we propose a margin-based feature selection approach integrated with a Hierarchical Mixtures of Experts (HME) system, which attempts to overcome limitations common to other machine-learning based approaches. By reducing the data dimensionality using effective algorithms for feature selection we evaluated our system with publicly available corpora of e-mails, characterized by very high similarity between legitimate and bulk e-mail (and thus low discriminative potential). We experimented with two different architectures, a hierarchical HME and a perceptron HME. As a result, we confirm the domination of our Spam Filtering (SF) – HME method against other machine learning approaches, which present lesser degree of recall, as well as against traditional rule-based approaches, which lack considerably in the achieved degrees of precision.
D. Geneiatakis, C. Lambrinoudakis, A Lightweight Protection Mechanism against Signaling Attacks in a SIP-Based VoIP Environment, Telecommunication Systems, 2008, Springer, http://dx.doi.org/10.1007/s11235-00...
D. Vouyioukas, G. Kambourakis, I. Maglogiannis, A. Rouskas, C. Kolias, S. Gritzalis, Enabling the Provision of Secure Web based M-Health Services utilizing XML based Security Models, Security and Communication Networks, Vol. 1, No. 5, pp. 375-388, 2008, Wiley InterScience, http://doi.org/10.1002/sec.46, indexed in SCI-E, IF = 0904
It has been generally agreed that the security of electronic patient records and generally e-health applications must meet or exceed the standard security that should be applied to paper medical records, yet the absence of clarity on the proper goals of protection has led to confusion. The primary purpose of this study was to investigate appropriate security mechanisms, which will help clinical professionals and patients discharge their ethical and legal responsibilities by selecting suitable systems and operating them safely and in short order. Thus, in this paper we propose a security model based on XML with the intention of developing a fast security policy mostly intended for mobile healthcare information systems. The proposed schema consists of a set of principles based on XML security models through the use of partial encryption, signature and integrity services and it was implemented by means of a web-based m-health application in a centralized three-tier architecture utilizing wireless networks environment. Several experiments took place with the aim of measuring the client response time implementing a number of m-health scenarios. The results showed that the response times required for the fulfillment of a client request with the XML security model are smaller compared to those corresponding to the conventional security mechanisms such as the application of SSL. By selectively applying confidentiality and integrity services either to the medical information as a whole or to some sensitive parts of it, the obtained results clearly demonstrate that XML security mechanisms overwhelm those of SSL and they are suitable for deployment in m-health applications.
A. Bogris, P. Rizomiliotis, K. Chlouverakis, A. Argyris, D. Syvridis, Feedback phase in optically generated chaos: A secret key for cryptography applications, IEEE Journal of Quantum Electronics, Vol. 44, pp. 119-124, 2008, IEEE Press , doi: 10.1109/JQE.2007.911687 , indexed in SCI-E, IF = 2.113
S. Gritzalis, P. Belsis, S. K. Katsikas, Interconnecting Autonomous MedicalDomains: Security, Interoperability and Semantic-Driven Perspectives, IEEE Engineering in Medicine and Biology, Vol. 26, No. 5, pp. 23-28, 2007, IEEE Press, http://ieeexplore.ieee.org/xpl/logi..., indexed in SCI-E, IF = 1.066
In this article we discuss the technological challenges from a security and interoperability perspective toward enabling the interconnection of different medical domains. The emergence of networked infrastructures and electronic health records (EHRs) has brought new challenges in the field of medical informatics. Healthcare information needs to be accessible by authorized users only, while its fundamental security properties (namely, integrity, availability, and confidentiality) must be retained. It is concluded that international efforts are needed to enable the creation of a widely accepted EHR that will be able to be used between different countries to provide better health services and therefore improve the care of their traveling citizens.
D. Geneiatakis, G. Kambourakis, C. Lambrinoudakis, A. Dagiouklas, S. Gritzalis, A framework for protecting SIP-based infrastructure against Malformed Message Attacks, Computer Networks, Vol. 51, No. 10, pp. 2580-2593, 2007, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.830
This paper presents a framework that can be utilized for the protection of session initiation protocol (SIP)-based infrastructures from malformed message attacks. Its main characteristic is that it is lightweight and that it can be easily adapted to heterogeneous SIP implementations. The paper analyzes several real-life attacks on VoIP services and proposes a novel detection and protection mechanism that is validated through an experimental test-bed under different test scenarios. Furthermore, it is demonstrated that the employment of such a mechanism for the detection of malformed messages imposes negligible overheads in terms of the overall SIP system performance.
I. Chatzigiannakis, E. Konstantinou, V. Liagkou, P. Spirakis, Design, Analysis and Performance Evaluation of Group Key Establishment in Wireless Sensor Networks, Electronic Notes in Theoretical Computer Science, Vol. 171, No. 1, pp. 17-31, 2007, Elsevier,
G. Kambourakis, D. P. Kontoni, A. Rouskas, S. Gritzalis, A PKI Approach for Deploying Modern Secure Distributed e-learning and m-learning Environments, Computers and Education, Vol. 48, No. 1, pp. 1-16, 2007, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.602
While public key cryptography is continuously evolving and its installed base is growing significantly, recent research works examine its potential use in e-learning or m-learning environments. Public key infrastructure (PKI) and attribute certificates (ACs) can provide the appropriate framework to effectively support authentication and authorization services, offering mutual trust to both learners and service providers. Considering PKI requirements for online distance learning networks, this paper discusses the potential application of ACs in a proposed trust model. Typical e-learning trust interactions between e-learners and providers are presented, demonstrating that robust security mechanisms and effective trust control can be obtained and implemented. The application of ACs to support m-learning is also presented and evaluated through an experimental test-bed setup, using the general packet radio service network. The results showed that AC issuing is attainable in service times while simultaneously can deliver flexible and scalable solutions to both learners and e-learning providers.
D. Geneiatakis, C. Lambrinoudakis, An Ontology Description for SIP Security Flaws, Computer Communication, Computer Communication, Vol. 30, No. 6, pp. 1367-1374, 2007, Elsevier, http://dx.doi.org/10.1016/j.comcom....
P. Belsis, S. Gritzalis, S. K. Katsikas, Partial and fuzzy constraint satisfaction to support coalition formation, ENTCS Electronic Notes on Theoretical Computer Science, Vol. 179, No. 1, pp. 75-86, 2007, Elsevier, http://www.sciencedirect.com/scienc...
The creation of dynamic coalitions is a challenging task, seen from a security perspective. Due to the presence of con?icting requirements and speci?cations, the policy negotiation and policy merging processes call for the use of e?cient techniques to resolve ambiguities. Constraints and constraint programming on the other hand, are useful means for representing a wide range of access control states and access control problems. In this paper we utilize constraints to represent access control policies in a multi-domain environment. In contrast to monolithic (crisp) constraint satisfaction techniques, we extend the applicability of constraints for access control, by examining soft constraints and partial constraint satisfaction. We also introduce a security framework based on fuzzy constraints that allows the determination of preferences for the participating domains.
G. Karopoulos, G. Kambourakis, S. Gritzalis, Survey of Secure Hand-off Optimization Schemes for Multimedia Services over all-IP Wireless Heterogeneous Networks, IEEE Communications Surveys and Tutorials, Vol. 9, No. 3, pp. 18-28, 2007, IEEE Press, https://heim.ifi.uio.no/paalee/refe..., indexed in SCI-E, IF = 6.348
In the very near future, we shall witness the coexistence of networks with heterogeneous link layer technologies. Such networks will naturally overlap each other and mobile users will need to frequently handoff among them for a number of reasons, including the quest for higher speeds and/or lower cost. Handoffs between such hybrid networks should be fast enough to support demanding applications, like multimedia content delivery, but also secure enough since different network providers are involved. This gets even more complicated considering that network providers may not simultaneously be multimedia service providers as it is the case today. In order to support security operations in a large scale the employment of an AAA protocol is mandated; however, this adds more delay to the handoff process. This article analyses and compares the prominent methods proposed so far that optimize the secure handoff process in terms of delay and are suitable for uninterruptible secure multimedia service delivery.
E. Konstantinou, Y. Stamatiou, C. Zaroliagis, Efficient Generation of Secure Elliptic Curves, International Journal of Information Security, Vol. 6, No. 1, pp. 47-63, 2007, Springer, indexed in SCI-E
D. Geneiatakis, A. Dagiouklas, G. Kambourakis, C. Lambrinoudakis, S. Gritzalis, S. Ehlert, D. Sisalem, Survey of Security Vulnerabilities in Session Initiation Protocol, IEEE Communications Surveys and Tutorials, Vol. 8, No. 3, pp. 68-81, 2006, IEEE Press, http://ieeexplore.ieee.org/xpl/arti...
The open architecture of the Internet and the use of open standards like Session Initiation Protocol (SIP) constitute the provisioning of services (e.g., Internet telephony, instant messaging, presence, etc.) vulnerable to known Internet attacks, while at the same time introducing new security problems based on these standards that cannot been tackled with current security mechanisms. This article identifies and describes security problems in the SIP protocol that may lead to denial of service. Such security problems include flooding attacks, security vulnerabilities in parser implementations, and attacks exploiting vulnerabilities at the signaling-application level. A qualitative analysis of these security flaws and their impacts on SIP systems is presented.
S. Dritsas, L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Kokolakis, C. Lambrinoudakis, S. K. Katsikas, A knowledge-based approach to security requirements for e-health applications, The electronic Journal for E-Commerce Tools & Applications (eJETA), Special Issue on Emerging Security Paradigms in the Knowledge Era, 2006, http://www.ejeta.org/specialOct06-i...
This paper introduces a knowledge-based approach for the security analysis and design of e-health applications. Following this approach, knowledge acquired through the process of developing secure e-health applications is represented in the form of security patterns; thus, it is made available to future developers. In this paper we present a set of security patterns that was developed based on the aforementioned approach. Security requirements for this set of patterns have been identified following a security and privacy analysis. The security patterns have been designed on the basis of a security ontology that was developed for this purpose. The ontology allows all concepts of importance and their relationships to be identified. The paper also describes the validation of the developed ontology, and compares the approach employed to other relevant methods in the domain of secure application development.
G. Kambourakis, A. Rouskas, S. Gritzalis, D. Geneiatakis, Support of Subscribers Certificates in a Hybrid WLAN-3G Environment, Computer Networks, Vol. 50, No. 11, pp. 1843-1859, 2006, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.631
Third Generation Partnership Project (3GPP) has recently provided a cellular-WLAN interworking architecture as an add-on to 3GPP system specifications. This architecture can offer IP-based services, compatible with those obtainable by 3G packet switched domain, to a 3G subscriber who is connected via a WLAN. Following this approach, in this paper we propose extensions to current 3GPP specifications, implementing and experimenting with a hybrid WLAN-3G network architecture capable of supporting subscribers certificates. We focus on attribute certificates, which are of major importance for user authorization and, due to their temporary nature, entail minimum concern regarding revocation issues. We emphasise on the necessary public key infrastructure incorporation which requires minimum changes in 3G core network elements and signalling and provide a list of the potential threats, which can be identified in a presumable deployment. Apart from the description and requirements of the proposed WLAN-3G architecture, particular emphasis is placed on the experimental evaluation of the performance of two alternative test-bed scenarios, which shows that digital certificates technology is not only feasible to implement in present and future heterogeneous mobile networks, but also can deliver flexible and scalable services to subscribers, without compromising security.
L. Mitrou, M. Karyda, Employees Privacy vs. Employers, Telematics and Informatics Journal, Vol. 14, No. 5, pp. 198-217, 2006, Elsevier , http://ac.els-cdn.com/S073658530500...
This paper addresses the controversy between employees right to privacy and employers need to safeguard organizational resources by employing monitoring tools. It shows how organizations can formulate use policies, by applying basic principles for fair and lawful monitoring. A list of key points is presented, which organizations should take into account, for developing such policies. Finally, the paper explores how, widely accepted information security standards, such as the ISO 17799, can aid the attempt to address this controversy.
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Formulating Information Systems Risk Management Strategies through Cultural Theory, Information Management and Computer Security, Vol. 14, No. 3, pp. 198-217, 2006, Emerald, http://www.emeraldinsight.com/journ...
Purpose – The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders’ perception of risk and its effect on information system (IS) risk management. Design/methodology/approach – Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders perceptions. Findings – A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have. Research limitations/implications – The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS). Originality/value – IS security management overlooks stakeholders’ risk perception; for example,there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.
M. Karyda, L. Mitrou, G. Quirchmayr, A framework for outsourcing IS/IT security services, Information Management and Computer Security, Vol. 14, No. 5, pp. 402-415, 2006, Emerald , http://www.emeraldinsight.com/journ...
Purpose – This paper seeks to provide an overview of the major technical, organizational and legal issues pertaining to the outsourcing of IS/IT security services. Design/methodology/approach – The paper uses a combined socio-technical approach to explore the different aspects of IS/IT security outsourcing and suggests a framework for accommodating security and privacy requirements that arise in outsourcing arrangements. Findings – Data protection requirements are a decisive factor for IS/IT security outsourcing, not only because they pose restrictions to management, but also because security and privacy concerns are commonly cited among the most important concerns prohibiting organizations from IS/IT outsourcing. New emerging trends such as outsourcing in third countries, pose significant new issues, with regard to meeting data protection requirements. Originality/value – The paper illustrates the reasons for which the outsourcing of IS/IT security needs to be examined under a different perspective from traditional IS/IT outsourcing. It focuses on the specific issue of personal data protection requirements that must be accommodated, according to the European Union directive.
L. Mitrou, Videosurveillance in the Decisions of Courts and Data Protection Authority, To Syntagma , Vol. 1, No. 1, 2006, Ekdoseis Sakkoula, (to_appear),
P. Rizomiliotis, Constructing Periodic Binary Sequences of Maximum Nonlinear Span, IEEE Transactions on Information Theory, Vol. 52, No. 9, pp. 4257-4261, 2006, IEEE Press , doi: 10.1109/TIT.2006.880054 , indexed in SCI-E, IF = 2.650
E. Tsekmezoglou, J. Iliadis, A Critical View on Internet Voting Technology, The Electronic Journal for E-Commerce Tools & Applications (eJETA.org), Vol. 1, No. 4, 2005, http://www.ejeta.org/fourth-issue/e...
We present a set of requirements for Internet voting protocols. We also present a short overview of the most prominent Internet voting protocols published so far, and we provide a comparative evaluation of those protocols, using the set of requirements we have developed. We proceed with discussing our thoughts regarding possible improvements in e-voting protocols. Internet is an application with a vision to the future. Nevertheless, a lot of work needs to be done before it can be accepted for large-scale elections.
M. Theoharidou, S. Kokolakis, M. Karyda, E. Kiountouzis, The insider threat to Information Systems and the effectiveness of ISO 17799, Computers and Security Journal, Vol. 24, No. 6, pp. 472-484, 2005, Elsevier , http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.430 (5-year)
Insider threat is widely recognised as an issue of utmost importance for IS security management. In this paper, we investigate the approach followed by ISO17799, the dominant standard in IS security management, in addressing this type of threat. We unfold the criminology theory that has designated the measures against insider misuse suggested by the standard, i.e. the General Deterrence Theory, and explore the possible enhancements to the standard that could result from the study of more recent criminology theories. The paper concludes with supporting the argument for a multiparadigm and multidisciplinary approach towards IS security management and insider threat mitigation.
M. Karyda, E. Kiountouzis, S. Kokolakis, Information Systems Security: A Contextual Perspective, Computers and Security Journal, Vol. 24, No. 3, pp. 246-260, 2005, Elsevier , http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.430 (5-year)
The protection of information systems is a major problem faced by organisations. The application of a security policy is considered essential for managing the security of information systems. Implementing a successful security policy in an organisation, however, is not a straightforward task and depends on many factors. This paper explores the processes of formulating, implementing and adopting a security policy in two different organisations. A theoretical framework based on the theory of contextualism is proposed and applied in the analysis of these cases. The contextual perspective employed in this paper illuminates the dynamic nature of the application of security policies and brings forth contextual factors that affect their successful adoption.
P. Belsis, E. Kiountouzis, S. Kokolakis, Information systems security from a knowledge management perspective, Information Management and Computer Security, Vol. 13, No. 3, pp. 189-202, 2005, Emerald, http://www.emeraldinsight.com/journ...
Purpose – Information systems security management is a knowledge-intensive activity that currently depends heavily on the experience of security experts. However, the knowledge dimension of IS security management has been neglected, both by research and industry. This paper aims to explore the sources of IS security knowledge and the potential role of an IS security knowledge management system. Design/methodology/approach – The results of this paper are based on field research involving five organizations (public and private) and five security experts and consultants. A model to illustrate the structure of IS security knowledge in an organization is then proposed. Findings – Successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management. Originality/value – In this paper, the knowledge management aspect of IS security management has been highlighted. Moreover, the basic sources of security-related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security-focused KM system have been identified. Thus, the basis for the development of specialized security KM systems has been set.
S. Kokolakis, C. Lambrinoudakis, ICT security standards for healthcare applications, UPGRADE, Special Issue: Standardization for ICT Security, Vol. 6, No. 4, 2005, CEPIS , http://www.cepis.org/upgrade/index....
Healthcare has always been a favouring area for the application of Information and Communication Technologies (ICT) and healthcare organisations were among the first to incorporate information systems in their operation. Following the trend, Health Information Systems (HIS) have followed an evolutionary course leading to a new generation of e-Health systems. Personalization of service, ubiquitous information management, integration of intelligent and communicating devices, are only a few of the new features that HIS are expected to embed in the near future. Moreover, HIS store and process information, which is characterised as highly sensitive. Therefore, privacy and security have been acknowledged as high-priority issues and critical factors for the adoption and effective integration of ICT in the healthcare sector. Furthermore, when considering a shared care environment with the participation of many independent healthcare organisations and the requirement for exchanging electronic healthcare records, the situation becomes much more complex since the implementation of global security policy may turn out to be an over ambitious task. This paper presents some of the most important international and European Health Informatics Standards, highlighting their contribution towards Health Information Systems’ interoperability, fulfilment of safety, security and legal requirements and market efficiency.
P. Belsis, A. Malatras, S. Gritzalis, C. Skourlas, I. Chalaris, Flexible Secure heterogeneous File Management in Distributed Environments , IADAT Journal of Advanced Technology, Vol. 1, No. 2, pp. 66-69, 2005, IADAT, http://www.iadat.org/publication/de...
In this paper we present an interdisciplinary framework for the effective management of heterogeneous files across several cooperating domains. Prior to enabling distribution, we apply a security policy based framework, in order to achieve a flexible and scalable method for the management of resources. We also present the architecture of a software tool that enables the secure management of resources based on security policies
A. Malatras, G. Pavlou, P. Belsis, S. Gritzalis, C. Skourlas, I. Chalaris, Deploying Pervasive Secure Knowledge Management Infrastructures, International Journal of Pervasive Computing and Communications, Vol. 1, No. 4, pp. 265-276, 2005, Troubador Publishing, http://www.emeraldinsight.com/journ...
Pervasive environments are mostly based on the ad hoc networking paradigm and are characterized by ubiquity in both users and devices and artifacts. In these inherently unstable conditions and bearing in mind the resource’s limitations that are attributed to participating devices, the deployment of Knowledge Management techniques is considered complicated due to the particular requirements. Security considerations are also very important since the distribution of knowledge information to multiple locations over a network, poses inherent problems and calls for advanced methods in order to mitigate node misbehaviour and in order to enforce authorized and authenticated access to this information. This paper addresses the issue of secure and distributed knowledge management applications in pervasive environments. We present a prototype implementation after having discussed detailed design principles as far as the communications and the application itself is regarded. Robustness and lightweight implementation are the cornerstones of the proposed solution. The approach we have undertaken makes use of overlay networks to achieve efficiency and performance optimization, exploiting ontologies. The work presented in this paper extends our initial work to tackle this problem, as this was described in (28).
D. Lekkas, S. Gritzalis, L. Mitrou, Withdrawing a Declaration of Will: Towards a Framework for Digital Signature Revocation, Internet Research, Vol. 15, No. 4, pp. 400-420, 2005, Emerald, http://www.emeraldinsight.com/Insig..., indexed in SCI-E, IF = 0.688
Purpose – The objective of this paper is to investigate the legal and technical reasons why a declaration of will, denoted by a digital signature, can be cancelled and how this cancellation can be technically achieved. Design/methodology/approach – Proposes a technical framework for establishing a signature revocation mechanism based on special data structures, the signature revocation tokens (SRT), and investigates the alternatives for disseminating the signature status information (SSI) to the relying parties. Findings – A relying party has to take into consideration the possible existence of a signature revocation, in order to decide on the validity of a digital signature. A scheme based on a central public repository for the archival and distribution of signature revocation tokens exhibits significant advantages against other alternatives. Originality/value – Identifies various intrinsic problems of the digital signature creation process that raise several questions on whether the signer performs a conscious and wilful act, although he/she is held liable for this action. The law faces the eventual right of the signer to claim a revocation of a previously made declaration of will, especially in cases of an error, fraud
T. Balopoulos, S. Gritzalis, S. K. Katsikas, Specifying Privacy Preserving Protocols in Typed MSR, Computer Standards and Interfaces, Vol. 27, No. 5, pp. 501-512, 2005, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.620
Privacy-preserving protocols, such as electronic cash, electronic voting and selective disclosure protocols, use special message constructors that are not widely used in other types of protocols (for example, in authentication protocols). These message constructors include blind signatures, commitments and zero-knowledge proofs. Furthermore, a standard formalization of the Dolev-Yao intruder does not take into account these message constructors, nor does it consider some types of attacks (such as privacy attacks, brute-force dictionary attacks and known-plaintext attacks) that privacy-preserving as well as other types of protocols are designed to protect against. This paper aims to present an extension of Typed MSR in order to formally specify the needed message constructors, as well as the capabilities of a Dolev-Yao intruder designed to attack such protocols.
P. Rizomiliotis, N. Kalouptsidis, Results on the nonlinear span of binary sequences, IEEE Transactions on Information Theory, Vol. 51, No. 4, pp. 1555-1563, 2005, IEEE Press , doi: 10.1109/TIT.2005.844090 , indexed in SCI-E, IF = 2.650
P. Rizomiliotis, N. Kolokotronis, N. Kalouptsidis, On the quadratic span of binary sequences, IEEE Transactions on Information Theory, Vol. 51, No. 5, pp. 1840-1848, 2005, IEEE Press, doi: 10.1109/TIT.2005.846428 , indexed in SCI-E, IF = 2.650
G. Kambourakis, I. Maglogiannis, A. Rouskas, PKI-based Secure Mobile Access to Electronic Health Services and Data, Technology and Health Care (T&HC), Vol. 13, pp. 511-526, 2005, IOS Press, http://iospress.metapress.com/conte...
Recent research works examine the potential employment of public-key cryptography schemes in e-health environments. In such systems, where a Public Key Infrastructure (PKI) is established beforehand, Attribute Certificates (ACs) and public key enabled protocols like TLS, can provide the appropriate mechanisms to effectively support authentication, authorization and confidentiality services. In other words, mutual trust and secure communications between all the stakeholders, namely physicians, patients and e-health service providers, can be successfully established and maintained. Furthermore, as the recently introduced mobile devices with access to computer-based patient record systems are expanding, the need of physicians and nurses to interact increasingly with such systems arises. Considering public key infrastructure requirements for mobile online health networks, this paper discusses the potential use of Attribute Certificates (ACs) in an anticipated trust model. Typical trust interactions among doctors, patients and e-health providers are presented, indicating that resourceful security mechanisms and trust control can be obtained and implemented. The application of attribute certificates to support medical mobile service provision along with the utilization of the de-facto TLS protocol to offer competent confidentiality and authorization services is also presented and evaluated through experimentation, using both the 802.11 WLANand General Packet Radio Service (GPRS) networks.
K. Moulinos, J. Iliadis, V. Tsoumas, Towards Secure Sealing of Privacy Policies, Information Management and Computer Security, Vol. 12, No. 4, pp. 350-361, 2004, MCB University Press, http://dx.doi.org/10.1108/096852204...
A common practice among companies with an online presence is to sign on to a "seal" programme in order to provide customers with a sense of security regarding the protection of their personal data. Companies must adhere to a set of rules, forming a privacy protection policy designed by the seal issuer in accordance to underlying laws, regulatory frameworks and related best practice. Some of the most widely used seal programmes are TRUSTe, BBOnline, WebTrust and BetterWeb. Using the functionality they offer a user can verify online that a specific organisation adheres to a published privacy policy. In this paper, we argue that the verifications means these programmes use are vulnerable to DNS spoofing attacks. Furthermore, we present a privacy policy verification ("seal") scheme, which is not vulnerable to the aforementioned attack. We also argue that there are disadvantages in operating seal schemes that attempt to publicly certify compliance levels with a self-regulatory privacy protection model. On the contrary, these disadvantages are softened when used in a regulatory model that has adopted comprehensive laws to ensure privacy protection.
E. Loukis, S. Kokolakis, An architecture for a flexible public sector collaborative environment, eJETA, Vol. 1, No. 3, 2004
e-Government today is focused on the electronic delivery of existing public services (e.g. social services, etc.) and, in general, on offering to citizens/enterprises the capability to transact electronically with Public Administration (e.g. declarations, applications, etc.), mainly over the Internet. In this sense modern e-Government, only to a small extent, exploits the huge capabilities of the Information and Communication Technologies for supporting and transforming the whole lifecycle of public policies, programmes and services design, production, delivery and evaluation. This paper examines the exploitation of Computer Supported Collaborative Work (CSCW) methodologies and technologies for supporting and transforming G2G collaboration concerning interorganizational processes, public policies/programmes/services design, monitoring and evaluation, as well as decision-making for difficult and complex social problems. An architecture of a flexible Public Sector Collaborative Environment for the above purposes is described, which has been developed, based on a detailed user requirements analysis, as part of the ICTE-PAN (Methodologies and Tools for Building Intelligent Collaboration and Transaction Environments in Public Administration Networks)Project of the European Union IST (Information Society Technologies) Programme. In order to provide the required flexibility for supporting the huge variety of G2G collaboration typologies of modern Public Administration, this Collaborative Environment should consist of a set of adaptable and customisable modules. In order to support the users-centred and participative customisation of this Collaborative Environment for a specific collaborative process, a Collaborative Processes Modeling Methodology has been developed. This Methodology also incorporates an Ontology of the domains of Public Sector Collaborative Decision Making and Public Policies/Programmes Design and Management, consisting of the main concepts-elements used in these domains and the main associations among them.
L. Mitrou, The new Electronic Privacy Directive, Law of Information and Communication Media, Vol. 2, No. 3, pp. 371-375, 2004, Nomiki Vivliothiki, http://www.nb.org
G. Kambourakis, A. Rouskas, S. Gritzalis, Performance Evaluation of Public Key Based Authentication in Future Mobile Communication Systems, EURASIP Journal on Wireless Communications and Networking, Vol. 1, No. 1, pp. 184-197, 2004, Hindawi Publishing Corporation, http://downloads.hindawi.com/journa..., indexed in SCI-E, IF = 0.974
While mobile hosts are evolving into full-IP enabled devices, there is a greater demand to provide a more flexible, reconfigurable, and scalable security mechanism in mobile communication systems beyond 3G (B3G). Work has already begun on such an “all- IP” end-to-end solution, commonly referred to as 4G systems. Fully fledged integration between heterogeneous networks, such as 2.5G, UMTS, WLAN, Bluetooth, and the Internet, demands fully compatible, time-tested, and reliable mechanisms to depend on. SSL protocol has proved its effectiveness in the wired Internet and it will probably be the most promising candidate for future wireless environments. In this paper, we discuss existing problems related to authentication and key agreement (AKA) procedures, such as compromised authentication vectors attacks, as they appear in current 2/2.5G/3G mobile communication systems, and propose how SSL, combined with public key infrastructure (PKI) elements, can be used to overcome these vulnerabilities. In this B3G environment, we perceive authentication as a service, which has to be performed at the higher protocol layers irrespective of the underlying network technology. Furthermore, we analyze the effectiveness of such a solution, based on measurements of a “prototype” implementation. Performance measurements indicate that SSL-based authentication can be possible in terms of service time in future wireless systems, while it can simultaneously provide both the necessary flexibility to network operators and a high level of confidence to end users.
G. Kambourakis, A. Rouskas, S. Gritzalis, Experimental Analysis of an SSL-based AKA mechanism in 3G-and-beyond Wireless Networks, Wireless Personal Communications, Vol. 29, No. 3-4, pp. 303-321, 2004, Kluwer Academic Publishers / Springer, http://link.springer.com/content/pd..., indexed in SCI-E, IF = 0.243
The SSL/TLS protocol is a de-facto standard that has proved its effectiveness in the wired Internet and it will probably be the most promising candidate for future heterogeneous wireless environments. In this paper, we propose potential solutions that this protocol can offer to future “all-IP” heterogeneous mobile networks with particular emphasis on the user’s side. Our approach takes into consideration the necessary underlying public key infrastructure (PKI) to be incorporated in future 3G core network versions and is under investigation by 3GPP. We focus on the standard 3G+ authentication and key agreement (AKA), as well as the recently standardized extensible authentication protocol (EAP)-AKA procedures and claim that SSL-based AKA mechanisms can provide for an alternative, more robust, flexible and scalable security framework. In this 3G+ environment, we perceive authentication as a service, which has to be performed at the higher protocol layers irrespectively of the underlying network technology. We conducted a plethora of experiments concentrating on the SSL’s handshake protocol performance, as this protocol contains demanding public key operations, which are considered heavy for mobile devices. We gathered measurements over the GPRS and IEEE802.11b networks, using prototype implementations, different test beds and considering battery consumption. The results showed that the expected high data rates on one hand, and protocol optimisations on the other hand, can make SSL-based authentication a realistic solution in terms of service time for future mobile systems.
G. Kambourakis, A. Rouskas, G. Kormentzas, S. Gritzalis, Advanced SSL/TLS based Authentication for Secure WLAN-3G Interworking, IEE Proceedings Communications, Vol. 151, No. 5, pp. 501-506, 2004, IEE Press, http://ieeexplore.ieee.org/xpl/log..., indexed in SCI-E, IF = 0.195
Motivated by the fact that the SSL protocol has proved its effectiveness in wired IP networks, recent research work has examined the potential use of this protocol in various wireless technologies. Although Wi-Fi networks present security deficiencies, they manage to penetrate the wireless market to a great degree due to their low cost, easy administration, great capacity, IP-oriented nature, etc. Considering Wi-Fi networking settings, administrated by different operators, as parts of a common core 3G infrastructure, the author propose the potential application of enhanced SSL-based authentication mechanisms in integrated emerging-3G and Wi-Fi networks. Existing problems related to authentication and key agreement (AKA) procedures and the extensible authentication protocol (EAP)-AKA, as they appear in the latest 3G and integrated 3G/ Wi-Fi specifications, are discussed. It is proposed how EAP-TLS, combined with public key infrastructure (PKI) elements, can be used to overcome these inefficiencies in a hybrid WLAN 3G heterogeneous environment, in order to provide strong authentication and end-to-end security to the mobile user.
J. Iliadis, S. Gritzalis, D. Spinellis, D. De Cock, B. Preneel, D. Gritzalis, Towards a Framework for Evaluating Certificate Status Information Mechanisms, Computer Communications, Vol. 26, No. 16, pp. 1839-1850, 2003, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.556
A wide spectrum of certi?cate revocation mechanisms is currently in use. A number of them have been proposed by standardisation bodies, while some others have originated from academic or private institutions. What is still missing is a systematic and robust framework for the sound evaluation of these mechanisms. We present a mechanism-neutral framework for the evaluation of certi?cate status information (CSI) mechanisms. These mechanisms collect, process and distribute CSI. A detailed demonstration of its exploitation is also provided. The demonstration is mainly based on the evaluation of Certi?cate Revocation Lists, as well as of the Online Certi?cate Status Protocol. Other well-known CSI mechanisms are also mentioned for completeness.
J. Iliadis, S. Gritzalis, D. Gritzalis, ADoCSI: Towards an Alternative Mechanism for Disseminating Certificate Status Information, Computer Communications, Vol. 26, No. 16, pp. 1851-1862, 2003, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.556
Several mechanisms have been proposed for disseminating information regarding the status of a digital certi?cate, each one with its own advantages and disadvantages. We believe that what is still missing from such mechanisms is transparency. A user should not need to comprehend the mechanics of such mechanisms in order to verify a certi?cate. In this paper, we present a mechanism called Alternative mechanism for the Dissemination of Certi?cate Status Information that supports transparency in disseminating Certi?cate Status Information.
D. Spinellis, K. Moulinos, J. Iliadis, D. Gritzalis, S. Gritzalis, S. K. Katsikas, Deploying a Secure Cyberbazaar by adding Trust on Commercial Transactions, The Electronic Journal for E-Commerce Tools & Applications, Vol. 1, No. 2, 2002, eJETA.org, http://www.ejeta.org/second-issue/e...
Traditional business practice depends on trust relations between the transacting parties. One of the most important aspects of this trust is the quality of the offered services or products. The Web currently constitutes an enabler for Electronic Commerce, providing a global transaction platform that does not require physical presence. However, transferring trust from the physical world to the electronic one is a process that requires a trust infrastructure to be provided by the electronic world. We believe that current infrastructure models based on Trusted Third Parties can be enhanced. We introduce the notion of Digital Seals and we provide a mechanism for transferring the trust placed by users to companies in the physical world, to the electronic one.
N. Kolokotronis, P. Rizomiliotis, N. Kalouptsidis, Minimum linear span approximation of binary sequences, IEEE Transactions on Information Theory, Vol. 48, No. 10, pp. 2758-2764, 2002, IEEE Press , doi: 10.1109/TIT.2002.802621, indexed in SCI-E, IF = 2.650
S. Gritzalis, D. Gritzalis, K. Moulinos, J. Iliadis, An integrated Architecture for deploying a Virtual Private Medical Network over the Web, Medical Informatics and the Internet in Medicine journal, Vol. 26, No. 1, pp. 49-72, 2001, Taylor & Francis Publications, http://informahealthcare.com/doi/pd..., indexed in SCI-E, IF = 0.419
In this paper we describe a pilot architecture aiming at protecting Web-based medical applications through the development of a virtual private medical network. The basic technology, which is utilized by this integrated architecture, is the Trusted Third Party (TTP). In specific, a TTP is used to generate, distribute, and revoke digital certificates to/from medical practitioners and healthcare organizations wishing to communicate in a secure way. Digital certificates and digital signatures are, in particular, used to provide peer and data origin authentication and access control functionalities. We also propose a logical Public Key Infrastructure (PKI) architecture, which is robust, scalable, and based on standards. This architecture aims at supporting large-scale healthcare applications. It supports openness, scalability, flexibility and extensibility, and can be integrated with existing TTP schemes and infrastructures offering transparency and adequate security. Finally, it is demonstrated that the proposed architecture enjoys all desirable usability characteristics, and meets the set of criteria, which constitutes an applicable framework for the development of trusted medical services over the Web.
S. Gritzalis, J. Iliadis, S. Oikonomopoulos, Distributed Component Software Security Issues on Deploying a Secure Electronic Marketplace, Information Management and Computer Security, Vol. 8, No. 1, pp. 5-13, 2000, MCB University Press, http://www.emeraldinsight.com/journ...
A secure electronic marketplace involves a significant number of real-time transactions between remote systems, either for commercial or for authentication purposes. The underlying infrastructure of choice to support these transactions seems to be a distributed component architecture. Distributed component software (DCS) is the natural convergence of client/server network computing and object oriented technology in a mix providing reusability, scaleability and maintainability for software constructs. In DCS a client acquires references to objects provided by components located to remote machines and invokes methods of them as if they were located in its native environment. One implementation also provides the ability to pass objects by value, an approach recently examined also by others. The three major models in the distributed component software industry are OMG's CORBA, Sun's Enterprise Java Beans, and Microsoft's DCOM. Besides these, we will discuss the progress for interoperable DCS systems performed in TINA, an open architecture for telecommunications services based on CORBA distributed components. In this paper the security models of each architecture are described and their efficiency and flexibility are evaluated in a comparative manner. Finally, upcoming extensions are discussed.
S. Kokolakis, E. Kiountouzis, Achieving interoperability in a multiple-security-policies environment, Computers and Security Journal, Vol. 19, No. 3, pp. 267-281, 2000, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 1.158
The interoperability problems that emerge when information systems cooperate, are often attributed to incompatible security policies. In this paper, we introduce a systemic framework for achieving interoperability when multiple security policies are employed. First, we present a Metapolicy Development System (MDS) for the resolution of interoperability problems caused by incompatible security policies. Then we provide a policy framework and a metapolicy framework to serve as conceptual devices in the application of the MDS. Finally, we examine the possibility of developing software tools to support the MDS. We argue that a policy repository may serve as the basic component of a software tool for the management of multiple security policies and the application of the MDS. The policy repository is implemented in Telos, an object-oriented knowledge representation language.
S. Kokolakis, A. Demopoulos, E. Kiountouzis, The use of business process modelling in information systems security analysis and design, Information Management and Computer Security, Vol. 8, No. 3, pp. 107-116, 2000, MCB, www.emeraldinsight.com/journals.htm...
The increasing reliance of organisations on information systems connected to or extending over open data networks has established information security as a critical success factor for modern organisations. Risk analysis appears to be the predominant methodology for the introduction of security in information systems (IS). However, risk analysis is based on a very simple model of IS as consisting of assets, mainly data, hardware and software, which are vulnerable to various threats. Thus, risk analysis cannot provide for an understanding of the organisational environment in which IS operate. We believe that a comprehensive methodology for information systems security analysis and design (IS-SAD) should incorporate both risk analysis and organisational analysis, based on business process modelling (BPM) techniques. This paper examines the possible contribution of BPM techniques to IS-SAD and identifies the conceptual and methodological requirements for a technique to be used in this context. Based on these requirements, several BPM techniques have been reviewed. The review reveals the need for either adapting and combining current techniques or developing new, specialised ones.
D. Spinellis, S. Kokolakis, S. Gritzalis, Security requirements, risks, and recommendations for small enterprise and home-office environments, Information Management and Computer Security, Vol. 7, No. 3, pp. 121-128, 1999, MCB University Press , http://www.emeraldinsight.com/Insig...
The pervasive use of information technology in enterprises of every size and the emergence of widely deployed ubiquitous networking technologies have brought with them a widening need for security. Information system security policy development must begin with a thorough analysis of sensitivity and criticality. Risk analysis methodologies, like CRAMM, provide the ability to analyse and manage the associated risks. By performing a risk analysis on a typical small enterprise and a home-office set-up the article identifies the risks associated with availability, confidentiality, and integrity requirements. Although both environments share weaknesses and security requirements with larger enterprises, the risk management approaches required are different in nature and scale. Their implementation requires co-operation between end users, network service providers, and software vendors.
S. Gritzalis, J. Iliadis, D. Gritzalis, D. Spinellis, S. K. Katsikas, Developing Secure Web based Medical Applications, Medical Informatics and the Internet in Medicine Journal, Vol. 24, No. 1, pp. 75-90, 1999, Taylor & Francis Publications, http://informahealthcare.com/doi/pd..., indexed in SCI-E, IF = 0.419
The EUROMED-ETS pilot system offers a number of security functionalities using off-the-shelf available products, in order to protect Web-based medical applications. The basic concept used by the proposed security architecture is the Trusted Third Party (TTP). A TTP is used in order to generate, distribute and revoke digital certificates to medical practitioners and healthcare organizations that wish to communicate securely. Digital certificates and digital signatures are used to provide peer and data origin authentication and access control. The paper demonstrates how TTPs can be used effectively in order to develop medical applications that run securely over the World Wide Web.
D. Spinellis, S. Gritzalis, J. Iliadis, D. Gritzalis, S. K. Katsikas, Trusted third Party services for deploying secure telemedical applications over the Web, Computers & Security, Vol. 18, No. 7, pp. 627-639, 1999, Elsevier, http://www.sciencedirect.com/scienc..., indexed in SCI-E, IF = 0.743
The EUROMED-ETS schema provides a robust security framework for telemedical applications operating over the World Wide Web. It is based on a trusted third party architecture under which certificate authorities store the public-key certificates of participating hospitals and medical practitioners. Digital signatures are used to provide peer and data origin authentication, and, in combination with access control lists, to provide access control. The deployed infrastructure is based on off-the-shelf available clients and servers, and provides functions for electronic registration of participants, session initialization, user authentication, key generation and personalization, certificate generation, distribution, storage and retrieval, certificate revocation lists, and auditing. It was found that, as the underlying technologies mature, a Web-based trusted third party architecture provides a viable solution for delivering secure telemedical applications.
S. K. Katsikas, D. Spinellis, J. Iliadis, B. Blobel, Using trusted third parties for secure telemedical applications over the WWW: The EUROMED-ETS approach, International Journal of Medical Informatics, Vol. 49, No. 1, pp. 59-68, 1998, Elsevier Science
This paper reports on the results obtained by the pilot operation of Trusted Third Parties (TTP) for secure telemedical applications over the WWW The work reported on herein was carried out within the context of EUROMED-ETS, a R&D project funded by the INFOSEC office of Directorate General XIII of the European Union. The paper discusses the platform used, the security needs of the specific application, the TTP solution provided, the steps taken in order to implement the solution at a pilot scale and the results of the pilot opreration; it is compiled using material included in the project deliverables.
S. Kokolakis, D. Gritzalis, S. K. Katsikas, Generic security policies for healthcare information systems, Health Informatics Journal, Vol. 4, No. 3, pp. 184-195, 1998, SAGE , http://jhi.sagepub.com/content/4/3-...
Healthcare Establishments (HCEs) have developed a major dependency on Information and Communications Technologies (ICT) in the last decade. The increasing reliance upon ICT has stressed the need to foster security in Healthcare Information Systems (HIS). Security policies may have a significant contribution to make to this effort, but they could cause portability and inter-operability problems. Moreover, policies that fail to take into account all the aspects of HIS security, the legal and regulatory requirements, and the effect of several stakeholders, may lead to ineffective and inefficient security measures. We argue that policies of a special category, named Generic Security Policies (GSPs), should be developed to provide policy-level harmonization and guidance to policy-makers within HCEs. We have reviewed five policies that appear as candidates and have used the results of this review to compile a set of guidelines for potential developers of GSPs.
L. Mitrou, Das Griechische Datenschutzgesetz als Beispiel eine problemlosen Umsetzung der EU Datenschutzrichtlinie, Recht der Datenverarbeitung, Vol. 15, No. 2, pp. 56-63, 1998, Datacontext Fachverlag, http://www.datakontext.com