Conference Publications

271 publication(s)

E. Chatzoglou, V. Kampourakis, G. Kambourakis, A. Stavrou, Chaos by Design: The Death of Stochastic Race Conditions in HTTP/3, Black Hat USA, Aug, 2026, Las Vegas, USA, https://blackhat.com/us-26/briefings/...
Abstract

Race conditions have long been regarded as stochastic, unreliable vulnerabilities. To date, the principle of exploitation has been Single-Packet Attacks (SPA) over HTTP/2 and HTTP/3. However, SPA relies entirely on aligning network delivery, making it inherently fragile and frequently neutralized by standard proxy buffering. This research obsoletes this field, proving that attackers no longer need to race the network; they can now deterministically orchestrate the server itself. In this Briefing, we will introduce two novel attack classes -- Temporal Hijacking and Server-Side Race Orchestration (SSRO) -- comprising in total nine attack variants that shift timing control to the protocol's internal state. By manipulating HTTP/3 QPACK Head-of-Line blocking, dynamic table saturation, and RFC 9218 priorities, we build an internal "crowded waiting room" within the proxy's memory. Unlike SPA, our SSRO techniques exploit the very buffers meant to protect the backend, maintaining high precision regardless of network jitter. We demonstrate how Temporal Hijacking reliably forces out-of-order execution to invert backend state transitions, while SSRO achieves 96.4% execution precision and triggers 20x transaction limit violations across major edge architectures. We also release TimeOrch, a novel open-source tool to automate these attacks. Backed by an analysis of 10,000 top-ranked domains revealing an 87% vulnerability rate, this research exposes a critical architectural void. With major vendors dismissing these findings as "working as intended", this talk equips attendees with the only remaining lifelines: recompiling binaries with security-hardened settings and adopting the pessimistic locking strategies required to survive these unpatchable, microsecond-level bursts.

K. Kampourakis, V. Kampourakis, E. Chatzoglou, G. Kambourakis, S. Gritzalis, Knowledge-to-Data: LLM-Driven Synthesis of Structured Network Traffic for Testbed-Free IDS Evaluation, The 8th International Conference on Application Intelligence and Blockchain Security (AIBlock 2026), Jul, 2026, Lancaster, UK, Springer LNCS
Abstract

Realistic, large-scale, and well-labeled cybersecurity datasets are essential for training and evaluating Intrusion Detection Systems (IDS). However, they remain difficult to obtain due to privacy constraints, data sensitivity, and the cost of building controlled collection environments such as testbeds and cyber ranges. This paper investigates whether Large Language Models (LLMs) can operate as controlled knowledge-to-data engines for generating structured synthetic network traffic datasets suitable for IDS research. We propose a methodology that combines protocol documentation, attack semantics, and explicit statistical rules to condition LLMs without fine-tuning or access to raw samples. Using the AWID3 IEEE~802.11 benchmark as a demanding case study, we generate labeled datasets with four state-of-the-art LLMs and assess fidelity through a multi-level validation framework including global similarity metrics, per-feature distribution testing, structural comparison, and cross-domain classification. Results show that, under explicit constraints, LLM-generated datasets can closely approximate the statistical and structural characteristics of real network traffic, enabling gradient-boosting classifiers to achieve F1-scores up to 0.956 when evaluated on real samples. Overall, the findings suggest that constrained LLM-driven generation can facilitate on-demand IDS experimentation, providing a testbed-free, privacy-preserving alternative that overcomes the traditional bottlenecks of physical traffic collection and manual labeling.

A. Skalkos, S. Kokolakis, Modification of User Behavior Towards the Use of Privacy-Preserving Search Engines: Insights from an Experiment on Privacy., EMCIS '24, Themistocleous, M., Bakas, N., Kokosalakis, G., Papadaki, M. , (eds), pp. 295–312, Feb, 2025, Athens, Greece, Springer, https://link.springer.com/chapter/10....
Abstract

This study examines the relationship between user behavior and exposure to information about Privacy-Preserving Search Engines (PPSEs). The research explores whether exposure to positive, neutral, or negative information about privacy practices affects user behavior toward PPSEs. Results show an increase in PPSE awareness post-exposure but no substantial change in usage. Negative news impacts trust, while positive news enhances usability perception. These findings highlight the need for multifaceted strategies to address privacy concerns and promote PPSE adoption.

V. Kouliaridis, G. Karopoulos, G. Kambourakis, Assessing the Effectiveness of LLMs in Android Application Vulnerability Analysis, The 7th International Conference on Attacks and Defenses for Internet-of-Things (ADIoT 2024), Dec, 2024, Hangzhou, China, LNCS, Springer
Abstract

The increasing frequency of attacks on Android applications coupled with the recent popularity of large language models (LLMs) necessitates a comprehensive understanding of the capabilities of the latter in identifying potential vulnerabilities, which is key to mitigate the overall risk. To this end, the work at hand compares the ability of nine state-of-the-art LLMs to detect Android code vulnerabilities listed in the latest Open Worldwide Application Security Project (OWASP) Mobile Top 10. Each LLM was evaluated against an open dataset of over 100 vulnerable code samples, assessing each model's ability to identify key vulnerabilities. Our analysis reveals the strengths and weaknesses of each LLM, identifying important factors that contribute to their performance. Additionally, we offer insights into context augmentation with retrieval-augmented generation (RAG) for detecting Android code vulnerabilities, which in turn may propel secure application development. Finally, while the reported findings regarding code vulnerability analysis show promise, they also reveal significant discrepancies among the different LLMs.

[5]
M. Arenas, G. Fotiadis, E. Konstantinou, Special TNFS-Secure Pairings on Ordinary Genus 2 Hyperelliptic Curves, Africacrypt 2024, pp. 285-310, Jul, 2024, Springer-Verlag
Y. Ge, H. Wang, J. Cao, Y. Zhang, G. Kambourakis, Federated Genetic Algorithm: Two-Layer Privacy-Preserving Trajectory Data Publishing, The Genetic and Evolutionary Computation Conference (GECCO), Jul, 2024, Melbourne, Australia, ACM, https://doi.org/10.1145/3638529.3654200
Abstract

Nowadays, trajectory data is widely available and used in various real-world applications such as urban planning, navigation services, and location-based services. However, publishing trajectory data can potentially leak sensitive information about identity, personal profiles, and social relationships, and requires privacy protection. This paper focuses on optimizing Privacy-Preserving Trajectory Data Publishing (PP-TDP) problems, addressing the limitations of existing techniques in the trade-off between privacy protection and information preservation. We propose the Federated Genetic Algorithm (FGA) in this paper, aiming to achieve better local privacy protection and global information preservation. FGA consists of multiple local optimizers and a single global optimizer. The parallel local optimizer enables the local data center to retain the original trajectory data and share only the locally anonymized outcomes. The global optimizer collects the local anonymized outcomes and further optimizes the preservation of information while achieving comprehensive privacy protection. To optimize the discrete-domain PP-TDP problems more efficiently, this paper proposes a grouping-based strategy, an intersection-based crossover operation, and a complement-based mutation operation. Experimental results demonstrate that FGA outperforms its competitors in terms of solution accuracy and search efficiency.

E. Chatzoglou, V. Kampourakis, Z. Tsiatsikas, G. Karopoulos, G. Kambourakis, Keep your memory dump shut: Unveiling data leaks in password managers, The 39th International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2024), Jun, 2024, Edinburgh, UK, Springer, https://doi.org/10.1007/978-3-031-651...
Abstract

Password management has long been a persistently challenging task. This led to the introduction of password management software, which has been around for at least 25 years in various forms, including desktop and browser-based applications. This work assesses the ability of two dozen password managers, 12 desktop applications and 12 browser plugins, to effectively protect the confidentiality of secret credentials in six representative scenarios. Our analysis focuses on the period during which a Password Manager (PM) resides in the RAM. Despite the sensitive nature of these applications, our results show that across all scenarios, only three desktop PM applications and two browser plugins do not store plaintext passwords in the system memory. Oddly enough, only one vendor recognized the exploit as a vulnerability, assigning it the at the time of writing reserved CVE-2023-23349, while the rest chose to disregard or underrate the issue.

M. You, Y. Ge, K. Wang, H. Wang, J. Cao, G. Kambourakis, TLEF: Two-Layer Evolutionary Framework for t-closeness Anonymization, The 24th International Conference on Web Information Systems Engineering (WISE 2023), pp. 10, Oct, 2023, Melbourne, Springer, https://doi.org/10.1007/978-981-99-72...
Abstract

Data anonymization is a fundamental and practical privacy-preserving data publication (PPDP) method, while searching for the optimal anonymization scheme using traditional methods has been proven to be NP-hard. Some recent studies have introduced genetic algorithms (GA) into data anonymization to address this issue, revealing potential solutions. However, the discussions are restricted to a few privacy protection models and evolutionary algorithms (EAs). This paper extends this field by introducing differential evolution (DE) for the first time to optimize data anonymization schemes under the constraints of the t-closeness privacy model. To further enhance the algorithm’s performance, this paper designs a two-layer evolutionary framework (TLEF) that effectively explores optimal solutions by leveraging the unique properties of both GA and DE in a balanced manner. Experimental evaluations conducted on 16 test datasets highlight the advantages of DE in addressing optimal t-closeness anonymization and validate the effectiveness of the TLEF.

E. Chatzoglou, G. Karopoulos, G. Kambourakis, Z. Tsiatsikas, Bypassing antivirus detection: old-school malware, new tricks, The 20th International Workshop on Trust, Privacy and Security in the Digital Society (TrustBus), in conjunction with the 18th International Conference on Availability, Reliability and Security (ARES 2023), Aug, 2023, Benevento, ACM Press, https://doi.org/10.1145/3600160.3605010
Abstract

Being on a mushrooming spree since at least 2013, malware can take a large toll on any system. In a perpetual cat-and-mouse chase with defenders, malware writers constantly conjure new methods to hide their code so as to evade detection by security products. In this context, focusing on the MS Windows platform, this work contributes a comprehensive empirical evaluation regarding the detection capacity of popular, off-the-shelf antivirus and endpoint detection and response engines when facing legacy malware obfuscated via more or less uncommon but publicly known methods. Our experiments exploit a blend of seven traditional AV evasion techniques in 16 executables built in C++, Go, and Rust. Furthermore, we conduct an incipient study regarding the ability of the ChatGPT chatbot in assisting threat actors to produce ready-to-use malware. The derived results in terms of detection rate are highly unexpected: approximately half of the 12 tested AV engines were able to detect less than half of the malware variants, four AVs exactly half of the variants, while only two of the rest detected all but one of the variants.

E. Chatzoglou, V. Kampourakis, G. Kambourakis, Bl0ck: Paralyzing 802.11 connections through Block Ack frames, The 38th International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2023), Jun, 2023, Poznan, Poland, Springer, https://doi.org/10.1007/978-3-031-563...
Abstract

Despite Wi-Fi is at the eve of its seventh generation, security concerns regarding this omnipresent technology remain in the spotlight of the research community. This work introduces two new denial of service attacks against contemporary Wi-Fi 5 and 6 networks. Differently to similar works in the literature which focus on 802.11 management frames, the introduced assaults exploit control frames. Both the attacks target the central element of any infrastructure-based 802.11 network, i.e., the access point (AP), and result in depriving the associated stations from any service. We demonstrate that, at the very least, the attacks affect a great mass of off-the-self AP implementations by different renowned vendors, and it can be mounted with inexpensive equipment, little effort, and a low level of expertise. With reference to the latest standard, namely, 802.11-2020, we elaborate on the root cause of the respected vulnerabilities, pinpointing shortcomings. Following a coordinated vulnerability disclosure process, our findings have been promptly communicated to each affected AP vendor, already receiving positive feedback as well as a – currently reserved – common vulnerabilities and exposures (CVE) ID, namely CVE-2022-32666.

Z. Tsiatsikas, G. Karopoulos, G. Kambourakis, Measuring the adoption of TLS Encrypted Client Hello extension and its forebear in the wild, The 6th International Workshop Security and Privacy Requirements Engineering (SECPRE), Sep, 2022, Copenhagen, Springer, LNCS, https://doi.org/10.1007/978-3-031-254...
Abstract

The Transport Layer Security (TLS) protocol was introduced to solve the lack of security and privacy in the early versions of the world wide web. However, even though it has substantially evolved over the years, certain features still present privacy issues. One such feature is the Server Name Indication (SNI) extension, which allows multiple web servers to reside behind a provider hosting multiple domains with the same IP address; at the same time it allows third parties to discover the domains that end users visit. In the last few years, the Encrypted Server Name Indication (ESNI) Internet draft is being developed by the Internet Engineering Task Force (IETF); this encrypted variant of the extension was renamed to Encrypted Client Hello (ECH) in latest versions. In this paper, we measure the adoption of both these versions, given that they have substantial differences. By analyzing the top 1M domains in terms of popularity, we identify that only a small portion, less than 19%, supports the privacy-preserving ESNI extension and practically no domain supports ECH. Overall, these results demonstrate that there is still a long way to go to ensure the privacy of end users visiting TLS-protected domains which are co-located behind a common Internet-facing server.

Z. Tsiatsikas, G. Karopoulos, G. Kambourakis, The effects of the Russo-Ukrainian war on network infrastructures through the lens of BGP, The 8th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems (CyberICPS 2022), Sep, 2022, Copenhagen, Springer, LNCS, https://doi.org/10.1007/978-3-031-254...
Abstract

One of the most critical building blocks of the reliable operation of the Internet is the Border Gateway Protocol (BGP) that is used to exchange routing messages, signaling active and defective routing paths. During large-scale catastrophic incidents, such as conventional military operations or cyberwarfare, the stability of the Internet is affected, causing the announcements of defective routing paths to increase substantially. This work studies the relation between major incidents, such as armed conflicts in a country scale, and the corresponding network outages observed in the core of the Internet infrastructure as announced by BGP. We focus on the Russo-Ukrainian war as a timely and prominent use case and examine geolocalized BGP data for a 2-month period. Our methodology allows us to cherry-pick long-term network outages among temporary interruptions of service in this specific time window, and pinpoint them to the areas of the operations. Our results indicate that there is a high correlation between the start of military operations and network outages in a city and country level. Furthermore, we show that the last few days before the start of the operations network outages rise as well, indicating that preparatory cyberattack activities take place. No less important, network outages remain at much higher than usual levels during the operations, something that can be attributed to infrastructure destruction possibly backed by cyberattacks.

Ioannis Stylios, A. Skalkos, S. Kokolakis, M. Karyda, BioPrivacy: Development of a Keystroke Dynamics Continuous Authentication System, ESORICS 2021 International Workshops. ESORICS 2021, Katsikas S. et al., pp. pp 158-170, Oct, 2021, Darmstadt, Germany, Springer, https://link.springer.com/chapter/10....
Abstract

Session authentication schemes establish the identity of the user only at the beginning of the session, so they are vulnerable to attacks that tamper with communications after the establishment of the authenticated session. Moreover, smartphones themselves are used as authentication means, especially in two-factor authentication schemes, which are often required by several services. Whether the smartphone is in the hands of the legitimate user constitutes a great concern, and correspondingly whether the legitimate user is the one who uses the services. In response to these concerns, Behavioral Biometrics (BB) Continuous Authentication (CA) technologies have been proposed on a large corpus of literature. This paper presents a research on the development and validation of a BBCA system (named BioPrivacy), that is based on the user’s keystroke dynamics, using a Multi-Layer Perceptron (MLP). Also, we introduce a new behavioral biometrics collection tool, and we propose a methodology for the selection of an appropriate set of behavioral biometrics. Our system achieved 97.18% Accuracy, 0.02% Equal Error Rate (EER), 97.2% True Acceptance Rate (TAR) and 0.02% False Acceptance Rate (FAR).

L. Mitrou, Marijn Janssen, E. Loukis, Human Control and Discretion in AI-driven Decision-making in Government, 14th International Conference on Theory and Practice of Electronic Governance – ICEGOV 2021, Loukis Euripidis, Macadar Marie Anne, Meyerhoff Nielsen Morten , Oct, 2021, Athens, Greece, ACM
Abstract

Traditionally public decision-makers have been given discretion in many of the decisions they have to make in how to comply with legislation and policies. In this way, the context and specific circumstances can be taken into account when making decisions. This enables more acceptable solutions, but at the same time, discretion might result in treating individuals differently. With the advance of AI-based decisions, the role of the decision-makers is changing. The automation might result in fully automated decisions, humans in-the-loop or AI might only be used as recommender systems in which humans have the discretion to deviate from the suggested decision. The predictability of and the accountability of the decisions might vary in these circumstances, although humans always remain accountable. Hence, there is a need for human-control and the decision-makers should be given sufficient authority to control the system and deal with undesired outcomes. In this direction this paper analyzes the degree of discretion and human control needed in AI-driven decision-making in government. Our analysis is based on the legal requirements set/posed to the administration, by the extensive legal frameworks that have been created for its operation, concerning the rule of law, the fairness – non-discrimination, the justifiability and accountability, and the certainty/ predictability.

G. Karopoulos, D. Geneiatakis, G. Kambourakis, Neither good nor bad: A large-scale empirical analysis of HTTP security response headers, The 18th International Conference on Trust, Privacy and Security in Digital Business (TrustBUS 2021), pp. 83-95, Sep, 2021, Linz, Austria, Springer, LNCS, https://link.springer.com/chapter/10....
Abstract

HTTP security-focused response headers can be of great aid to web applications towards augmenting their overall security level. That is, if set at the server side, these headers define whether certain security countermeasures are in place for protecting end-users. By utilising the curated Tranco list, this work conducts a wide-scale internet measurement that provides timely answers to the following questions: (a) How the adoption of these headers is developing over time?, (b) What is the penetration ratio of each key header in the community?, (c) Are there any differences in the support of these headers between diverse major browsers and platforms?, (d) Does the version of a browser (outdated vs. new) affects the support rate per key header?, and (e) Is the status of a header (active vs. deprecated) reflected to its support rate by web servers? Setting aside the use of the more robust Tranco corpus, to our knowledge, with reference to the literature, the contributions regarding the third and fifth questions are novel, while for the rest an updated, up-to-the-minute view of the state of play is provided. Amongst others, the results reveal that the support of headers is somewhat related to the browser version, the penetration ratio of all headers is less than 17% across all platforms, outdated browser versions may be better supported in terms of headers, while deprecated headers still enjoy wide implementation.

Z. Tsiatsikas, G. Kambourakis, D. Geneiatakis, At your service 24/7 or not? Denial of Service on ESInet systems, The 18th International Conference on Trust, Privacy and Security in Digital Business (TrustBUS 2021), pp. 35-49, Sep, 2021, Linz, Austria, Springer, LNCS, https://link.springer.com/chapter/10....
Abstract

Emergency calling services are a cornerstone of public safety. During the last few years such systems are transitioning to VoIP and unified communications, and are continuously evolving under the umbrella of organizations, including NENA and EENA. The outcome of this effort is NG911 or NG112 services operating over the so-called Emergency Services IP network (ESInet). This work introduces and meticulously assesses the impact of an insidious and high-yield denial-of-service (DoS) attack against ESInet. Contrariwise to legacy SIP-based DoS, the introduced assault capitalizes on the SDP body of the SIP message with the sole purpose of instigating CPU-intensive transcoding operations at the ESInet side. We detail on the way such an attack can be carried out, and scrutinize on its severe, if not catastrophic, impact through different realistic scenarios involving a sufficient set of codecs. Finally, highlighting on the fact that 911 or 112 calls cannot be dropped, but need to be answered as fast as possible, we offer suggestions on how this kind of assault can be detected and mitigated.

P. Nespoli, Félix Gómez Mármol, G. Kambourakis, AISGA: Multi-objective parameters optimization forcountermeasures selection through genetic algorithm, The 16th International Conference on Availability, Reliability and Security (ARES 2021), pp. 1-8, Aug, 2021, Vienna, Austria, ACM, https://dl.acm.org/doi/abs/10.1145/34...
Abstract

Cyberattacks targeting modern network infrastructures are increasing in number and impact. This growing phenomenon emphasizes the central role of cybersecurity and, in particular, the reaction against ongoing threats targeting assets within the protected system. Such centrality is reflected in the literature, where several works have been presented to propose full-fledged reaction methodologies to tackle offensive incidents’ consequences. In this direction, the work in [18] developed an immuno-based response approach based on the application of the Artificial Immune System (AIS) methodology. That is, the AIS-powered reaction is able to calculate the optimal set of atomic countermeasure to enforce on the asset within the monitored system, minimizing the risk to which those are exposed in a more than adequate time. To further contribute to this line, the paper at hand presents AISGA, a multi-objective approach that leverages the capabilities of a Genetic Algorithm (GA) to optimize the selection of the input parameters of the AIS methodology. Specifically, AISGA selects the optimal ranges of inputs that balance the tradeoff between minimizing the global risk and the execution time of the methodology. Additionally, by flooding the AIS-powered reaction with a wide range of possible inputs, AISGA intends to demonstrate the robustness of such a model. Exhaustive experiments are executed to precisely compute the optimal ranges of parameters, demonstrating that the proposed multi-objective optimization prefers a fast-but-effective reaction.

V. Kouliaridis, G. Kambourakis, T. Peng, Feature importance in Android malware detection, The 11th International Workshop on Collaborative Computing with Cloud and Client (C4W 2020) in conjunction with The 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2020), Dec, 2020, Guangzhou, China, IEEE Press, https://ieeexplore.ieee.org/document/...
Abstract

The topic of mobile malware detection on the Android platform has attracted significant attention over the last several years. However, while much research has been conducted toward mobile malware detection techniques, little attention has been devoted to feature selection and feature importance. That is, which app feature matters more when it comes to machine learning classification. After succinctly surveying all major, dated from 2012 to 2020, datasets used by state-of-the-art malware detection works in the literature, we analyse a critical mass of apps from the most contemporary and prevailing datasets, namely Drebin, VirusShare, and AndroZoo. Next, we rank the importance of app classification features pertaining to permissions and intents using the Information Gain algorithm for all the three above-mentioned datasets.

V. Kouliaridis, N. Potha, G. Kambourakis, Improving Android malware detection through dimensionality reduction techniques, The 3rd International Conference on Machine Learning for Networking (MLN 2020), Nov, 2020, Paris, France, Springer LNCS, https://link.springer.com/chapter/10....
Abstract

Mobile malware poses undoubtedly a major threat to the continuously increasing number of mobile users worldwide. While researchers have been trying vigorously to find optimal detection solutions, mobile malware is becoming more sophisticated and its writers are getting more and more skilled in hiding malicious code. In this paper, we examine the usefulness of two known dimensionality reduction transformations namely, Principal Component Analysis (PCA) and t-distributed stochastic neighbor embedding (t-SNE) in malware detection. Starting from a large set of base prominent classifiers, we study how they can be combined to build an accurate ensemble. We propose a simple ensemble aggregated base model of similar feature type as well as a complex ensemble that can use multiple and possibly heterogeneous base models. The experimental results in contemporary Androzoo benchmark corpora verify the suitability of ensembles for this task and clearly demonstrate the effectiveness of our method.

[20]
V. Diamantopoulou, C. Kalloniatis, C. Kalyvas, K. Maliatsos, M. Gay, A. G. Kanatas, C. Lambrinoudakis, Aligning the Concepts of Risk, Security and Privacy towards the design of Secure Intelligent Transport Systems, SECPRE 2020 4th International Workshop on SECurity and Privacy Requirements, in conjunction with ESORICS 2020, Sep, 2020, on-line due to covid19
V. Diamantopoulou, C. Kalloniatis, C. Lyvas, K. Maliatsos, M. Gay, A. G. Kanatas, C. Lambrinoudakis, Aligning the Concepts of Risk, Security and Privacy towards the design of Secure Intelligent Transport Systems, SECPRE 2020 4th International Workshop on SECurity and Privacy Requirements, in conjunction with ESORICS 2020, J. Mylopoulos, C. Kalloniatis, (eds), Sep, 2020, online - covid-19, Springer LNCS, http://samosweb.aegean.gr/secpre2020/
Abstract

Intelligent Transport Systems (ITS) play a key role in our daily activities. ITS development over the last decades has been based on the rapid evolution of information technologies, which include processing capabilities, availability of hardware and communication technologies. Moreover, ITS use Information and Communication Technologies (ICT) to improve sustainability, efficiency, innovation and safety of transportation networks helping towards better management of transportation networks with the use of advanced technologies, which facilitate monitoring, and management of information. However, as the development of ITS services increases so does the users' awareness regarding the degree of trust that they show on adopting this kind of services. The later has brought to light several security and privacy concerns that ITS analysts should consider when implementing various IT related services. This paper moves into this direction by identifying how risk analysis can interact with security and privacy requirements engineering world, in order to provide a holistic approach for reasoning about security and privacy in such complex environments like ITS systems. The key contribution of the paper is the conceptual alignment of three well-known methods (EBIOS, Secure Tropos and PriS) as the fi rst step towards the design of a complete assurance framework that will assist analysts in designing safe and trustworthy ITS services.

Maria Eleni Skarkala, M. Maragoudakis, S. Gritzalis, L. Mitrou, PP-TAN: a Privacy Preserving Multi-party Tree Augmented Naive Bayes Classifier, SEEDA CECNSM 2020 5th South East Europe Design, Automation, Computer Engineering, Computer Networks and Social Media Conference, Sep, 2020, Corfu, Greece, IEEE CPS Conference Publishing Services, https://hilab.di.ionio.gr/seeda2020/
Abstract

The rapid growth of Information and Communication Technologies emerges deep concerns on how data mining techniques and intelligent systems parse, analyze and manage enormous amount of data. Due to sensitive information contained within, data can be exploited by potential aggressors. Previous research has shown the most accurate approach to acquire knowledge from data while simultaneously preserving privacy is the exploitation of cryptography. In this paper we introduce an extension of a privacy preserving data mining algorithm designed and developed for both horizontally and vertically partitioned databases. The proposed algorithm exploits the multi-candidate election schema and its capabilities to build a privacy preserving Tree Augmented Naive Bayesian classifier. Security analysis and experimental results ensure the preservation of private data throughout mining processes.

P. Mavriki, M. Karyda, Big data analytics: From threating privacy to challenging democracy , eDemocracy 2019: 8th eDemocracy International Conference, pp. 16, Dec, 2019, Athens
Abstract

The vast amount of accumulated information and the technologies that store, process and disseminate it are producing deep changes in society. The amount of data generated by Internet users poses great opportunities and significant challenges for political scientists. Having a positive effect in many fields, business intelligence and analytics tools are used increasingly for political purposes. Pervasive digital tracking and profiling, in combination with personalization, have become a powerful toolset for systematically influencing user behaviour. When used in political campaigns or in other efforts to shape public policy, privacy issues intertwine with electoral outcomes. The practice of targeting voters with personalized messages adapted to their personality and political views, has already raised debates about political manipulation; however, studies focusing on privacy are still scarce. Focusing on the democracy aspects and identifying the threats to privacy stemming from the use of big data technologies for political purposes, this paper identifies long -term privacy implications which may undermine fundamental features of democracy such as fair elections and political equality of all citizens. Furthermore, this paper argues that big data analytics raises the need to develop alternative narratives to the concept of privacy.

P. Rizomiliotis, S. Gritzalis, Simple Forward and Backward Private Searchable Symmetric Encryption Schemes with constant number of Roundtrips, ACM CCSW 2019 11th ACM Cloud Computing Security Workshop, C. Papamanthou, R. Sion, (eds), Nov, 2019, London, UK, ACM Press, https://ccsw.io/
Abstract

Searchable Symmetric Encryption (SSE) is a mechanism that facilitates search over encrypted data that are outsourced to an untrusted Server. SSE schemes offer practicality at the expense of some information leakage. The last two years, the first dynamic SSE (DSSE) schemes, i.e. schemes that support updates, that are both forward and backward private were introduced. Two lines of design have been proposed. The first one contains the schemes that use some type of oblivious data structure, i.e. the Client hides the memory access pattern from the Server. This level of security comes at the expense of significant communication overheads as the oblivious memory access requires several communication roundtrips or the use of expensive primitives that limits the potential of practicality. The second line of design contains solutions that avoid oblivious data structures. In this paper, we introduce two new DSSE solutions that offer both forward and the highest level of backward privacy. Our schemes are the first ones that follow the first line of design and achieve this level of security with a constant and small number of communication roundtrips. We evaluate their performance and we show that they are practical.

[25]
T. Papaioannou, A. Tsohou, M. Karyda, Shaping Digital Identities in Social Networks: Data Elements and the Role of Privacy Concerns, 3rd International Workshop on SECurity and Privacy Requirements Engineering , Sep, 2019, Luxembourg, Springer
V. Diamantopoulou, A. Tsohou, M. Karyda, From ISO/IEC 27002:2013 Information Security Controls to Personal Data Protection Controls: Guidelines for GDPR Compliance, SECPRE 2019 3rd International Workshop on SECurity and Privacy Requirements, in conjunction with ESORICS 2019 Engineering, J. Mylopoulos, C. Kalloniatis, (eds), Sep, 2019, Luxemburg, Springer LNCS, http://samosweb.aegean.gr/secpre2019/
Abstract

With the enforcement of the General Data Protection Regulation (GDPR) in EU, organisations must make adjustments in their business processes and apply appropriate technical and organisational measures to ensure the protection of the personal data they process. Further, organisations need to demonstrate compliance with GDPR. Organisational compliance demands a lot of effort both from a technical and from an organisational perspective. Nonetheless, organisations that have already applied ISO27k standards and employ an Information Security Management System and respective security controls need considerably less effort to comply with GDPR requirements. To this end, this paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, if/where possible, the data protection requirements that the GDPR imposes. Thus, an organisation that already follows ISO/IEC 27001:2013, can use this work as a basis for compliance with the GDPR.

V. Diamantopoulou, A. Tsohou, M. Karyda, General Data Protection Regulation and ISO/IEC 27001:2013: Synergies of activities towards organisations, TrustBus 2019 16th International Conference on Trust, Privacy and Security in Digital Business, S. Katsikas, S. Gritzalis, E. R. Weippl, (eds), Aug, 2019, Linz, Austria, Springer LNCS, http://www.dexa.org/trustbus2019
Abstract

The General Data Protection Regulation that is already in effect for about a year now, provisions numerous adjustments and controls that need to be implemented by an organisation in order to be able to demonstrate that all the appropriate technical and organisational measures have been taken to ensure the protection of the personal data. Many of the requirements of the GDPR are also included in the ``ISO27k'' family of standards. Consequently, organisations that have applied ISO27k to develop an Information Security Management System (ISMS) are likely to have already accommodated many of the GDPR requirements. This work identifies synergies between the new Regulation and the well-established ISO/IEC 27001:2013 and proposes practices for their exploitation. The proposed alignment framework can be a solid basis for compliance, either for organisations that are already certified with ISO/IEC 27001:2013, or for others that pursue compliance with the Regulation and the ISO/IEC 27001:2013 to manage information security.

[28]
R. Meneses, R. Moraes, V. Diamantopoulou, I. Blanquer, Compliance of the privacy regulations in an international Europe-Brazil context, Position paper in Proceedings of the Cloudscape Brazil 2019, Using secure cloud and IT services into market innovation leadership, Jul, 2019, Belem, Brazil, https://eubrasilcloudforum.eu/en/clou...
C. Alexopoulos, Z. Lachana, A. Androutsopoulou, V. Diamantopoulou, Y. Charalabidis, M. Loutsaris, How Machine Learning is changing e-Government, 12th International Conference on Theory and Practice of Electronic Governance (ICEGOV2019), Soumaya Ben Dhaou, Lemuria Carter, and Mark Gregory, (eds), (to appear), Apr, 2019, Melbourne, Australia, ACM Press, http://www.icegov.org
Abstract

Big Data is, clearly, an integral part of modern information societies. A vast amount of data is, daily, produced and it is estimated that, for the years to come, this number will grow dramatically. In order for transforming this hidden provided information into a useful one, the use of advanced technologies, such as Machine Learning is deemed appropriate. Over the last years, Machine Learning has grown a great effort considering the given opportunities its usage provides. Furthermore, Machine Learning is a technology that can handle Big Data classification for statistical or even more complex purposes such as decision making. At the same time the new generation of government, Government 3.0, explores all the new opportunities to tackle any challenge faced by contemporary societies by utilizing new technologies for data driven decision making. Taking into account the opportunities Machine Learning can provide, more and more governments participate in the development of such applications in different governmental domains. But is the Machine Learning only beneficial for public sectors? Although there is a huge number of researches in the literature there is no a comprehensive study towards the analysis of this technology. Our research moves towards this question conducting a comprehensive analysis of the use of Machine Learning from Governments. Through the analysis all benefits and barriers are indicated from the public sectors' perspective pinpointing, also, a number of Machine Learning applications where governments are involved.

[30]
Vorras A., L. Mitrou, Regulation and Policy in the Algorithmic Society, 9th International Conference on Information Law and Ethics, (to appear), 2019, Rome, Italy
[31]
L. Mitrou, Vorras A., Unboxing the Black Box: Algorithmic transparency and/or a right to functional explainability ?, International Conference Regulation and Enforcement in the Digital Age, (to appear), 2019
[32]
L. Mitrou, Artificial Intelligence and Data Protection, 9th International Conference on Information Law and Ethics, (to appear), 2019, Rome, Italy
K. Moutselos, D. Kyriazis, V. Diamantopoulou, I. Maglogiannis, Trustworthy data processing for health analytics tasks, IEEE BigData 2018 Workshop, Dec, 2018, Seattle, WA, USA, IEEE Conference Publishing Services, http://cci.drexel.edu/bigdata/bigdata...
Abstract

Big Data Analytics are indispensable components of architectures dealing with processing and visualizing results of diverse healthcare-related information sources. In this work, we propose a versatile cloud design where the Health Analytic Tools (HATs) are decoupled from the Datastore and the User-Interface parts, still preserving the element of system trust. This design offers advantages over the process of modifying and constructing new health policy models by means of supporting many-to-many relations between HATs and Health Key Performance Indicators. Additionally, it offers independence regarding HAT providers, analytics frameworks, cloud providers and deployment environments allowing the scaling of the proposed architecture.

K. Vemou, M. Karyda, An Organizational Scheme for Privacy Impact Assessments, 15th European Mediterranean & Middle Eastern Conference on Information Systems, Themistocleous M., Rupino da Cunha P., (eds), pp. 258-271, Oct, 2018, Limassol, Cyprus, Springer, https://link.springer.com/chapter/10....
Abstract

The importance of Privacy Ιmpact Αssessment (PIA) has been emphasized by privacy researchers and its conduction is provisioned in legal frameworks, such as the European Union’s General Data Protection Regulation. However, it is still a complicated and bewildering task for organizations processing personal data, as available methods and guidelines fail to provide adequate guidance confusing organisations and PIA practitioners. This paper analyzes the interplay among PIA stakeholders and proposes an organizational scheme for successful PIA projects.

V. Kouliaridis, K. Barbatsalou, G. Kambourakis, G. Wang, Mal-warehouse: A data collection-as-a-service of mobile malware behavioral patterns, The 15th IEEE International Conference on Ubiquitous Intelligence and Computing (UIC 2018), Oct, 2018, Guangzhou, China, IEEE Press, https://ieeexplore.ieee.org/document/...
Abstract

Smartphones are pervasively used in many everyday life extents, and have been both targets and victims of malware. While there are many anti-malware applications available in mobile markets, so far there are no public services that collect mobile usage data, so as to observe malware effects on mobile devices. The main contribution of this paper is the Mal-warehouse, an open-source tool performing data collection-as-a-service for Android malware behavioral patterns. During its initial development and experimentation phase, the tool extracts mobile device statistics, including CPU, memory and battery usage, process reports, and network statistics for 14 Android malware applications from a target device. It then stores them in a classified manner on a cloud database. Despite the fact that the work at hand is still in an early stage, the detection model is enhanced with a preliminary detection module. Machine learning techniques are used as a proof-of-concept so as to evaluate the detection capabilities of the detection model, when compared to a clean snapshot of the target device. Mal-warehouse is publicly available, meaning that anyone can download and use it locally and then upload their findings to the cloud service for further evaluation and processing by others.

I. Paspatis, A. Tsohou, S. Kokolakis, AppAware: A Model for Privacy Policy Visualization for Mobile Applications, MCIS 2018, Sep, 2018, AIS Electronic Library, https://aisel.aisnet.org/cgi/viewcont...
Abstract

Privacy policies emerge as the main mechanism to inform users on the way their information is managed by online service providers, and still remain the dominant approach for this purpose. Literature notes that users find difficulties in understanding privacy policies because they are usually written in technical or legal language even, although most users are unfamiliar with them. These difficulties have led most users to skip reading privacy policies and blindly accept them. In an effort to address this challenge this paper presents AppWare, a multiplatform tool that intends to improve the visualization of privacy policies for mobile applications. AppWare formulates a visualized report with the permission set of an application, which is easily understandable by a common user. AppWare aims to bridge the difficulty to read privacy policies and android’s obscure permission set with a new privacy policy visualization model. To validate AppAware we conducted a survey through questionnaire aiming to evaluate AppAware in terms of installability, usability, and viability-purpose. The results demonstrate that AppAware is assessed above average by the users in all categories.

K. Vemou, M. Karyda, An Evaluation Framework for Privacy Impact Assessment Methods, 12th Mediterranean Conference on Information Systems (MCIS2018), Sep, 2018, Corfu, Greece, Association of Information Systems (AIS), https://aisel.aisnet.org/mcis2018/5/
Abstract

Privacy Impact Assessment (PIA) methods guide the implementation of Privacy-by-Design principles and are provisioned in the European Union’s General Data Protection Regulation. As implementing a PIA is still an intricate task for organizations, this paper provides a critical review and assessment of generic PIA methods proposed by related research, Data Protection Authorities and Standard’s Or-ganizations. The evaluation framework is based on a comprehensive set of criteria elicited through a systematic analysis of relevant literature. This paper also identifies elements of PIA methods that re-quire further support or clarification as well as issues that still remain open, such as the need for im-plementation of supporting tools.

I. Topa, M. Karyda, Usability Characteristics of Security and Privacy Tools: The User’s Perspective, 33rd IFIP TC 11 International Conference, SEC 2018 Held at the 24th IFIP World Computer Congress, WCC 2018, Lech Jan Janczewski, Mirosław Kutyłowski, (eds), pp. 231–244, Sep, 2018, Poznan, Poland, Springer Nature Switzerland AG 2018
Abstract

Abstract. Use of security and privacy tools is still limited for various reasons, including usability issues. This paper analyses usability characteristics of security and privacy tools by drawing on relevant literature and employing scenario-based questionnaires and interviews with 150 users to capture their views. Based on users’ feedback, we analyse the role of usability characteristics and identify critical issues such as transparency, control of personal data, design and accessibility and consistency. This paper provides insights into the multifaceted issue of usability of security tools from the users’ perspective and a comprehensive picture of users’ needs and expectations. Some of the findings of this study show that users regard as important that security and privacy tools incorporate usability characteristics relevant to installation, design and accessibility, control and automation, visible feedback, and locatable security settings. Furthermore, users encounter problems with understanding technical terms and report that the availability of tools among smartphones and operating systems is a usability issue.

P. Mavriki, M. Karyda, Profiling with big data: identifying privacy implications for individuals, groups and society , The 12th Mediterranean Conference on Information Systems, Sep, 2018, Corfu, https://aisel.aisnet.org/mcis2018/4/
Abstract

User profiling with big data raises critical issues regarding personal data and privacy. Until recently, privacy studies were focused on the control of personal data; due to big data analysis, however, new privacy issues have emerged with unidentified implications. This paper identifies and analyzes privacy threats that stem from data-driven profiling using a multi-level approach: individual, group and society. We analyze the privacy implications stemming from the generation of new knowledge used for automated predictions and decisions. We also argue that mechanisms are required to protect the privacy interests of groups as entities, independently of the interests of their individual members. Finally, this paper discusses privacy threat resulting from the cumulative effect of big data profiling.

V. Diamantopoulou, C. Mouratidis, Evaluating a Reference Architecture for Privacy Level Agreements Management, 12th Mediterranean Conference on Information Systems, Sep, 2018, Corfu, Greece, AIS, http://www.mcis2018.eu/
Abstract

With the enforcement of the General Data Protection Regulation and the compliance to specific privacy-and security-related principles, the adoption of Privacy by Design and Security by Design principles can be considered as a legal obligation for all organisations keeping EU citizens’ personal data. A formal way to support Data Controllers towards their compliance to the new regulation could be a Privacy Level Agreement (PLA), a mutual agreement of the privacy settings between a Data Controller and a Data Subject, that supports privacy management, by analysing privacy threats, vulnerabilities and Information Systems’ trust relationships. However, the concept of PLA has only been proposed on a theoretical level. In this paper, we propose a novel reference architecture to enable PLA management in practice, and we report on the application and evaluation of PLA management within the context of real-life case studies from two different domains, the public administration and the healthcare, where sensitive data is kept. The results are rather positive, indicating that the adoption of such an agreement promotes the transparency of an organisation while enhances data subjects’ trust. Keywords: Privacy Level Agreement, Security Requirements Engineering, Privacy Requirements Engineering, Practical Evaluation.

A. Pattakou, A. G. Mavroeidi, V. Diamantopoulou, C. Kalloniatis, S. Gritzalis, Towards the Design of Usable Privacy by Design Methodologies, ESPRE 2018 5th International Workshop on Evolving Security and Privacy Requirements Engineering (in conjunction with the RE'18 26th IEEE Requirements Enginneering Conference), K. Beckers, S. Faily, S.-W. Lee, N. Mead, (eds), Aug, 2018, Banff, Canada, IEEE CPS Conference Publishing Services, https://cybersecurity.bournemouth.ac....
Abstract

As privacy engineering gains much attention, recently literature records a number of methodologies that support software designers to model privacy – aware systems starting from the early stages of the software lifecycle until the late design stages prior to implementation. However, in order for these methodologies to be used and applied successfully from system engineers, it is important to be developed following a number of existing usability criteria for increasing designers’ acceptance and performance. In this paper, we, initially, identify the set of usability criteria presented in the respective literature and examine how the existing privacy requirement engineering methodologies conform with these usability criteria. The results show that most methodologies conform with a number of criteria but still there are opportunities for further improvements.

I. Blanqer, F. Brazileiro, D. Ardagna, A. Brito, A. Calatrava, A. Carvalho, V. Diamantopoulou, C. Fetzer, W. Meira, R. Moraes, How much can I trust my cloud services, Position paper in Proceedings of the Cloudscape Brazil 2018, Trusted Technologies for strong and competitive economies, Jul, 2018, Natal, Brazil, https://eubrasilcloudforum.eu/en/clou...
L. Balby, F. Figueiredo, N. Antunes, V. Diamantopoulou, W. Meira, Fairness and Transparency in Trustworthy Cloud-based Analytics Services, Position paper in Proceedings of the Cloudscape Brazil 2018, Trusted Technologies for strong and competitive economies, Jul, 2018, Natal, Brazil, https://eubrasilcloudforum.eu/en/clou...
V. Diamantopoulou, A. Androutsopoulou, S. Gritzalis, Y. Charalabidis, An Assessment of Privacy Preservation in Crowdsourcing Approaches: Towards GDPR Compliance, IEEE RCIS 12nd International Conference on Research Challenges in Information Science, B. Le Grand, (ed), pp. 1-9, May, 2018, Nantes, France, IEEE Conference Publishing Services, https://ieeexplore.ieee.org/abstract/...
Abstract

The increasing use of Social Media has transformed them into valuable tools, able to provide answers and decision support in public policy formulation. This has resulted in the emergence of new e-participation paradigms, such as crowdsourcing approaches, aiming to drive more constructive interactions between governments and citizens or experts, in order to exploit their knowledge, opinions, and ideas when tackling complex societal problems. However, the continuous exposure of the average users, without or with limited awareness of the dangers of the disclosure of sensitive data, remains a threat to the preservation of their information privacy. The upcoming EU regulation (GDPR) about the protection of personal data is especially well timed, and forces for revision of the processes followed related to the manipulation of personal data within public participation methods. Towards this direction, a thorough examination of three advanced methods of crowdsourcing in public policy-making processes is conducted in the current paper, analysing the data collection and processing methods they encompass. Then, an assessment of their compliance with fundamental privacy requirements is presented. The research contributes to the identification of challenges that crowdsourcing, and in general, e-participation approaches impose with regard to privacy protection. Further research directions include the implementation of techniques that can satisfy the identified requirements.

M. Anagnostopoulos, G. Kambourakis, S. Gritzalis, D. K. Y. Yau, Never say Never: Authoritative TLD nameserver-powered DNS amplification, NOMS 2018 16th IEEE/IFIP Network Operations and Management Symposium, Yu-Chee Tseng et al., (eds), pp. 1-9, Apr, 2018, Taipei, Taiwan, IEEE CPS Conference Publishing Services, http://noms2018.ieee-noms.org/
Abstract

DNS amplification is considered a significant and constant threat to any networking environment. Certainly, the Authoritative Name Servers (ANS) of popular domain zones, and in particular the DNSSEC-enabled ones, do not elude the attention of attackers for entangling them in this type of assaults. The ANS list of Top Level Domains (TLD) are publicly accessible in the form of root.zone file, so even a casual attacker is able to acquire the list of TLD zones and their matching ANSs. In this context, the paper at hand examines the potential of ANSs of TLD to be unknowingly engaged by attackers in DNS amplification attacks. In particular, using two distinct versions of the root.zone file, we assess the amplification factor that these entities may produce when replying to both individual and multiple queries. As a side-goal, we measure the degree of adoption of Response Rate Limiting (RRL) by ANS. Our most important findings are that (i) an 25% and 37% of unique DNS queries for TLDs produce an amplification factor that respectively exceeds 60 and 50 when the query is sent individually or in batch, and (ii) an almost 43% of unique ANSs do not properly implement RRL or leave it inactive.

P. Mavriki, M. Karyda, Using personalization technologies for political purposes: privacy implications, 7th International Conference on eDemocracy, S. Katsikas and V. Zorkadis, (eds), pp. 33-46, Dec, 2017, Athens, Greece, Springer International Publishing AG, https://link.springer.com/chapter/10....
Abstract

A growing body of literature has recently focused on the adoption of personalization methods and tools traditionally used in e-commerce, in the area of political marketing and communication. However, the impact of adopting personalization applications for political purposes has not been studied yet. This paper contributes to filling this gap, by analyzing privacy threats stemming from the use of personalization tools for political purposes and identifying their impact on individuals and society. This paper also identifies issues that need further research, as big data, individual targeting, the development of behavioral science and sophisticated personalization techniques are reshaping political communication and pose new privacy risks.

G. Fotiadis, E. Konstantinou, Ordinary Pairing-Friendly Genus 2 Hyperelliptic Curves with Absolutely Simple Jacobians, 7th International Conference on Mathematical Aspects of Computer and Information Sciences - MACIS 2017, J. Blömer, I. S. Kotsireas, T. Kutsia, D. Simos, (eds), pp. 409-424, Nov, 2017, Vienna, AT, Springer International Publishing AG, https://doi.org/10.1007/978-3-319-724...
P. Rizomiliotis, E. Molla, S. Gritzalis, REX: a Searchable Symmetric Encryption Scheme Supporting Range Queries, ACM CCSW 2017 9th ACM Cloud Computing Security Workshop, A. Stavrou, G. Karame, (eds), pp. 29-37, Nov, 2017, Dallas, Texas, USA, ACM Press, https://dl.acm.org/citation.cfm?id=31...
Abstract

Searchable Symmetric Encryption is a mechanism that facilitates search over encrypted data that are outsourced to an untrusted server. SSE schemes are practical as they trade nicely security for efficiency. However, the supported functionalities are mainly limited to single keyword queries. In this paper, we present a new efficient SSE scheme, called REX, that supports range queries. REX is a no interactive (single round) and response-hiding scheme. It has optimal communication and search computation complexity, while it is much more secure than traditional Order Preserving Encryption based range SSE schemes.

V. Diamantopoulou, K. Angelopoulos, M. Pavlidis, C. Mouratidis, A Metamodel for GDPR-based Privacy Level Agreements, ER Forum 2017 36th International Conference on Conceptual Modeling, Nov, 2017, Valencia, Spain, CEUR LNCS, http://ceur-ws.org/Vol-1979/#paper-08
Abstract

The adoption of the General Data Protection Regulation (GDPR) is a major concern for data controllers of the public and private sector, as they are obliged to conform to the new principles and requirements managing personal data. In this paper, we propose that the data controllers adopt the concept of the Privacy Level Agreement. We present a metamodel for PLAs to support privacy management, based on analysis of privacy threats, vulnerabilities and trust relationships in their Information Systems, whilst complying with laws and regulations, and we illustrate the relevance of the metamodel with the GDPR.

M. Anagnostopoulos, G. Kambourakis, P. Drakatos, M. Karavolos, S. Kotsilitis, D. K. Y. Yau, Botnet command and control architectures revisited: Tor Hidden services and Fluxing, The 18th International Conference on Web Information Systems Engineering (WISE 2017), pp. 517-527, Oct, 2017, Moscow, Russia, Springer LNCS Vol. 10570, http://www.wise-conferences.org/
Abstract

Botnet armies constitute a major and continuous threat to the Internet. Their number, diversity, and power grows with each passing day, and the last years we are witnessing their rapid expansion to mobile and even IoT devices. The work at hand focuses on botnets which comprise mobile devices (e.g. smartphones), and aims to raise the alarm on a couple of advanced Command and Control (C&C) architectures that capitalize on Tor's hidden services (HS) and DNS protocol. Via the use of such architectures, the goal of the perpetrator is dual; first to further obfuscate their identity and minimize the botnet's forensic signal, and second to augment the resilience of their army. The novelty of the introduced architectures is that it does not rely on static C&C servers, but on rotating ones, which can be reached by other botnet members through their (varied) onion address. Also, we propose a scheme called "Tor fluxing", which opposite to legacy IP or DNS fluxing, does not rely on A type of DNS resource records but on TXT ones. We demonstrate the soundness and effectiveness of the introduced C&C constructions via a proof-of-concept implementation, and suggest possible remedies.

G. Kambourakis, C. Kolias, A. Stavrou, The Mirai Botnet and the IoT Zombie Armies, The 36th IEEE Military Communications Conference (MILCOM 2017), Oct, 2017, Baltimore, MD, USA, IEEE Press, http://events.afcea.org/milcom17/publ...
Abstract

The rapidly growing presence of Internet of Things (IoT) devices is becoming a continuously alluring playground for malicious actors who try to harness their vast numbers and diverse locations. One of their primary goals is to assemble botnets that can serve their nefarious purposes from Denial of Service (DoS) to spam and advertisement fraud. The most recent example that highlights the severity of the problem is the Mirai family of malware, which is accountable for a plethora of massive DDoS attacks of unprecedented volume and diversity. The aim of this paper is to offer a comprehensive state-of-the-art review of the state of IoT malware and the underlying reasons of its success with a particular focus on Mirai and major similar worms. To that end, we provide extensive details on the internal workings of IoT malware, examine their interrelationships, and elaborate on the possible strategies for defending against them.

I. Paspatis, A. Tsohou, S. Kokolakis, Mobile Application Privacy Risks: Viber Users’ De-Anonymization Using Public Data, MCIS 2017, Sep, 2017, AIS Electronic Library, https://aisel.aisnet.org/mcis2017/32/
Abstract

Mobile application developers define the terms of use for the applications they develop, which users may accept or declined during installation. Application developers on the one hand seek to gain access to as many user information as possible, while users on the other hand seem to lack awareness and comprehension of privacy policies. This allows application developers to store an enormous number of personal data, sometimes even irrelevant to the application’s function. It’s also common that users choose not to alter the default settings, even when such an option is provided. In combination, the above conditions jeopardize users’ rights to privacy. In this research, we examined the Viber application to demonstrate how effortless it is to discover the identity of unknown Viber users. We chose a pseudorandom sample of 2000 cellular telephone numbers and examined if we could reveal their personal information. We designed an empirical study that compares the reported behavior with the actual behavior of Viber’s users. The results of this study show that users’ anonymity and privacy is easily deprived and information is exposed to a knowledgeable seeker. We provide guidelines addressed to both mobile application users and developers to increase privacy awareness and prevent privacy violations.

[53]
M. Karyda, FOSTERING INFORMATION SECURITY CULTURE IN ORGANISATIONS: A RESEARCH AGENDA, 11th Mediterranean Conference on Information Systems (MCIS 2017) , Sep, 2017, Genoa, Italy, AIS Electronic Library (AISeL)
[54]
A. Skalkos, A. Tsohou, M. Karyda, S. Kokolakis, INVESTIGATING THE VALUES THAT DRIVE THE ADOPTION OF ANONYMITY TOOLS: A LADDERING APPROACH, 11th Mediterranean Conference on Information Systems (MCIS 2017) , Sep, 2017, The 11th Mediterranean Conference on Information Systems Genoa,Italy, AIS Electronic Library (AISeL)
V. Diamantopoulou, M. Pavlidis, C. Mouratidis, Evaluation of a Security and Privacy Requirements Methodology using the Physics of Notations, SECPRE 2017 1st International Workshop on SECurity and Privacy Requirements Engineering, J. Mylopoulos, C. Kalloniatis, (eds), Sep, 2017, Oslo, Norway, Springer LNCS, http://www.springer.com/us/book/97833...
Abstract

Security and Privacy Requirements Methodologies are considered an important part of the development process of systems, especially for the ones that contain and process a large amount of critical information and inevitably needs to remain secure and thus, ensuring privacy. These methodologies provide techniques, methods, and norms for tackling security and privacy issues in Information Systems. In this process, the utilisation of effective, clear and understandable modelling languages with sufficient notation is of utmost importance, since the produced models are used not only among IT experts or among security specialists, but also for communication among various stakeholders, in business environments or among novices in an academic environment. This paper evaluates the effectiveness of a Security and Privacy Requirements Engineering methodology, namely Secure Tropos on the nine principles of the Theory of Notation. Our qualitative analysis revealed a partial satisfaction of these principles.

C. Gkountis, M. Taha, J. Lloret, G. Kambourakis, Lightweight Algorithm for Protecting SDN controller against DDoS attacks, The 10th IFIP Wireless and Mobile Networking Conference (WMNC 2017), Sep, 2017, Valencia, Spain, IEEE Press, http://jlloret.webs.upv.es/wmnc2017/
Abstract

It is without a doubt that both the controller and switch of an SDN are vulnerable to Distributed Denial of Service (DDoS) attacks. Typically, this ilk of attacks targets the flow table of the deployed switches with the aim of producing overloading, high network delays, and consume bandwidth. Motivated by this fact, in this paper, we propose a lightweight scheme which is based on a set of rules to efficiently characterize packets sent to a network switch as malicious or not. Through testbed experimentation and comparison with legacy DDoS protection schemes, we demonstrate that our solution performs significantly better when it comes to SDN ecosystem for mobile and wireless users.

K. Angelopoulos, V. Diamantopoulou, C. Mouratidis, M. Pavlidis, M. Salnitri, P. Giorgini, J.F. Ruiz, A Holistic Approach for Privacy Protection in E-Government, ARES Conference 2017 International Conference on Availability, Reliability and Security, M. Mühlhäuser, M. Fischer, Sep, 2017, Calabria, Italy, ACM, http://www.ares-conference.eu/
Abstract

Improving e-government services by using data more effectively is a major focus globally. It requires Public Administrations to be transparent, accountable and provide trustworthy services that improve citizen confidence. However, despite all the technological advantages on developing such services and analysing security and privacy concerns, the literature does not provide evidence of frameworks and platforms that enable privacy analysis, from multiple perspectives, and take into account citizens’ needs with regards to transparency and usage of citizens information. .is paper presents the VisiOn (Visual Privacy Management in User Centric Open Requirements) platform, an outcome of a H2020 European Project. Our objective is to enable Public Administrations to analyse privacy and security from different perspectives, including requirements, threats, trust and law compliance. Finally, our platform-supported approach introduces the concept of Privacy Level Agreement (PLA) which allows Public Administrations to customise their privacy policies based on the privacy preferences of each citizen.

C. Alexopoulos, V. Diamantopoulou, Y. Charalabidis, The Evolutionary track of OGD portals: A Maturity Model, Proceedings of the IFIP EGOV-EPART 2017 Conference, Sep, 2017, St Petersburg, Russia, Springer LNCS
Abstract

Since its inception, open government data (OGD) as a free re-useable object has attracted the interest of researchers and practitioners, civil servants, citizens and businesses for different reasons in each target group. This study was designed to aggregate the research outcomes and developments through the recent years towards illustrating the evolutionary path of OGD portals, by presenting an analysis of their characteristics in terms of a maturity model. A four-step methodology has been followed in order to analyse the literature and construct the maturity model. The results point out the two greater dimensions of OGD portals, naming traditional and advanced evolving within three generations. The developed maturity model will guide policy makers by firstly identify the current level of their organisation and secondly design an efficient implementation to the required state.

V. Diamantopoulou, A. Tsohou, E. Loukis, S. Gritzalis, Does the Development of Information Systems Resources Lead to the Development of Information Security Resources? An Empirical Investigation, AMCIS 2017 23rd Americas Conference on Information Systems, Aug, 2017, Boston, USA, AIS, https://amcis2017.aisnet.org/
Abstract

Information Systems (IS) are nowadays considered the most important leverage for organizations to operate and gain a competitive advantage. Investments in IS technology, in the recruitment of high qualified IT personnel and the establishment of internal and external robust IT related partnerships are considered determinant factors for business success and continuity. As organizations increasingly rely on IS resources, they face more advanced IS security challenges. This paper explores the relationship between the development of IS resources and security resources; are organizations willing to invest more in IS security resources as they invest more on IS resources? The authors conduct an empirical investigation in organizations located in five Mediterranean countries. The sample includes responses from 61 CEOs, information security managers and IS managers. The results reveal that IS resources positively affect the IS security resources. The human capital plays the most important role for the adoption of IS security.

Ioannis Stylios, S. Kokolakis, P. Andriotis, Privacy decision-making in the digital era: A game theoretic review, International Conference on Human Aspects of Information Security, Privacy, and Trust, Theo Tryfonas, (ed), pp. 589-603, Jul, 2017, Vancouver, Canada, Springer, Cham, https://link.springer.com/chapter/10....
Abstract

Information privacy is constantly negotiated when people interact with enterprises and government agencies via the Internet. In this context, all relevant stakeholders take privacy-related decisions. Individuals, either as consumers buying online products and services or citizens using e-government services, face decisions with regard to the use of online services, the disclosure of personal information, and the use of privacy enhancing technologies. Enterprises make decisions regarding their investments on policies and technologies for privacy protection. Governments also decide on privacy regulations, as well as on the development of e-government services that store and process citizens’ personal information. Motivated by the aforementioned issues and challenges, we focus on aspects of privacy decision-making in the digital era and address issues of individuals’ privacy behavior. We further discuss issues of strategic privacy decision-making for online service providers and e-government service providers.

G. Fotiadis, E. Konstantinou, Pairing-Friendly Elliptic Curves Resistant to TNFS Attacks, 7th International Conference on Algebraic Informatics - CAI 2017, Jun, 2017, Kalamata, Greece
V. Diamantopoulou, K. Angelopoulos, J. Flake, A. Praitano, J.F. Ruiz, J. Jürjens, M. Pavlidis, D. Bonutto, A. Castillo Sanz , C. Mouratidis, Privacy Data Management and Awareness for Public Administrations: A Case Study from the Healthcare Domain, Proceedings of the APF2017 ENISA Annual Privacy Forum, E. Schweighofer, H. Leitold, A. Mitrakas, K. Rannenberg, (eds), pp. 192-209, Jun, 2017, Vienna, Austria, Springer LNCS, https://link.springer.com/book/10.100...
Abstract

Development of Information Systems that ensure privacy is a challenging task that spans various fields such as technology, law and policy. Reports of recent privacy infringements indicate that we are far from not only achieving privacy but also from applying Privacy by Design principles. This is due to lack of holistic methods and tools which should enable to understand privacy issues, incorporate appropriate privacy controls during design-time and create and enforce a privacy policy during run-time. To address these issues, we present VisiOn Privacy Platform which provides holistic privacy management throughout the whole information system lifecycle. It contains a privacy aware process that is supported by a software platform and enables Data Controllers to ensure privacy and Data Subjects to gain control of their data, by participating in the privacy policy formulation. A case study from the healthcare domain is used to demonstrate the platform's benefits.

V. Diamantopoulou, M. Pavlidis, C. Mouratidis, Privacy Level Agreements for Public Administration Information Systems, Proceedings of the CAiSE Forum 2017 29th International Conference on Advanced Information Systems Engineering, X. Franh, J. Ralyté, R. Matulevičius, C. Salinesi, and R. Wieringa, (eds), pp. 97-104, Jun, 2017, Essen, Germany, CEUR LNCS
Abstract

Improving Public Administration (PA) operations and services is a major focus globally; they should be transparent, accountable and provide services that improve citizens' confidence and trust. In this context, it is important that PAs have the ability to define agreements between citizens and PAs and that such agreements can be used in the context of PAs Information Systems to specify citizens' privacy needs, provide feedback on data sharing and enable PA departments to analyse privacy threats and vulnerabilities, compliance with laws and regulations and analyse trust relationships. We propose the use of the concept of Privacy Level Agreement (PLA) to address the aforementioned issues. The PLA is formally specified, based on an XML schema, which enables its automated use.

V. Diamantopoulou, N. Argyropoulos, C. Kalloniatis, S. Gritzalis, Supporting the Design of Privacy-Aware Business Processes via Privacy Process Patterns, IEEE RCIS 2017 11th International Conference on Research Challenges in Information Science, S. Assar, O. Pastor, H. Mouratidis, (eds), pp. 187-198, May, 2017, Brighton, UK, IEEE CPS Conference Publishing Services, http://sense-brighton.eu/rcis2017/
Abstract

Privacy is an increasingly important concern for modern software systems which handle personal and sensitive user information. Privacy by design has been established in order to highlight the path to be followed during a system’s design phase ensuring the appropriate level of privacy for the information it handles. Nonetheless, transitioning between privacy concerns identified early during the system’s design phase, and privacy implementing technologies to satisfy such concerns at the later development stages, remains a challenge. In order to overcome this issue, mainly caused by the lack of privacy-related expertise of software systems engineers, this work proposes a series of privacy process patterns. The proposed patterns encapsulate expert knowledge and provide predefined solutions for the satisfaction of different types of privacy concerns. The patterns presented in this work are used as a component of an existing privacy-aware system design methodology, through which they are applied to a real life system.

V. Diamantopoulou, M. Pavlidis, Visual Privacy Management in User Centric Open Environments, Proceedings of the IEEE RCIS 2017 11th International Conference on Research Challenges in Information Science, S. Assar, O. Pastor, H. Mouratidis, (eds), pp. 461-462, May, 2017, Brighton, UK, IEEE Press [Best Poster Award], http://sense-brighton.eu/rcis2017/
Abstract

In open and dynamic online services the exchange of information is demanded to be easy, simple and always available. However, potential users of online services are still reluctant to outsource sensitive data to these services, mainly due to lack of control over management and privacy issues of their data. This becomes more complex when dealing with Public Administrations (PAs) which handle data of citizens, where the latter are obliged, in many cases by law, to do so. This paper presents the VisiOn Privacy Platform, which analyses privacy preferences, and introduces the concept of the Privacy Level Agreement, capturing the PAs and citizens privacy requirements, thus supporting transparency and accountability for PAs.

V. Diamantopoulou, C. Kalloniatis, S. Gritzalis, C. Mouratidis, Supporting Privacy by Design using Privacy Process Patterns, IFIP SEC 2017 32nd IFIP International Information Security Conference, S. De Capitani di Vimercati, F. Martinelli, (eds), pp. 491-505, May, 2017, Rome, Italy, Springer LNCS, https://link.springer.com/chapter/10....
Abstract

Advances in Information and Communication Technology (ICT) have had significant impact on every-day life and have allowed us to share, store and manipulate information easily and at any time. On the other hand, such situation also raises important privacy concerns. To deal with such concerns, the literature has identified the need to introduce a Privacy by Design (PbD) approach to support the elicitation and analysis of privacy requirements and their implementation through appropriate Privacy Enhancing Technologies. However, and despite all the work presented in the literature, there is still a gap between privacy design and implementation. This paper presents a set of Privacy Process Patterns that can be used to bridge that gap. To demonstrate the practical application of such patterns, we instantiate them in JavaScript Object Notation (JSON), we use them in conjunction with the Privacy Safeguard (PriS) methodology and we apply them to a real case study.

V. Cozza, Z. Tsiatsikas, M. Conti, G. Kambourakis, Why Snoopy loves online services: An Analysis of (lack of) Privacy in Online Services (ICISSP 2017), The 3rd International Conference on Information Systems Security and Privacy, Feb, 2017, Porto, Portugal, SCITEPRESS, http://www.icissp.org/
Abstract

Over the last decade online services have penetrated the market and for many of us became an integral part of our software portfolio. On the one hand online services offer flexibility in every sector of the social web, but on the other hand these pros do not come without a cost in terms of privacy. This work focuses on online services, and in particular on the possible inherent design errors which make these services an easy target for privacy invaders. We demonstrate the previous fact using a handful of real-world cases pertaining to popular online web services. More specifically, we show that despite the progress made in raising security/privacy awareness amongst all the stakeholders (developers, admins, users) and the existence of mature security/privacy standards and practices, there still exist a plethora of poor implementations that may put user’s privacy at risk. We particularly concentrate on cases where a breach can happen even if the aggressor has limited knowledge about their target and/or the attack can be completed with limited resources. In this context, the main contribution of the paper at hand revolves around the demonstration of effortlessly exploiting privacy leaks existing in widely-known online services due to software development errors.

[68]
Pipyros K., Thraskias Ch. , L. Mitrou, D. Gritzalis, Apostolopoulos T., Cyber-attack evaluation using SAW method, 10th MEDITERRANEAN CONFERENCE ON INFORMATION SYSTEMS, Sep, 2016, Paphos, Cyprus
[69]
M. Karyda, L. Mitrou, Data Breach Notification: Issues and Challenges for Security Management, 10th MEDITERRANEAN CONFERENCE ON INFORMATION SYSTEMS, Sep, 2016, Paphos, Cyprus
Ioannis Stylios, S. Kokolakis, Thanou, O., Chatzis, S., User's Attitudes on Mobile Devices: Can Users' Practices Protect Their Sensitive Data?, 10th Mediterranean Conference on Information Systems (MCIS) 2016, Sep, 2016, https://www.researchgate.net/publicat...
Abstract

Smartphones are the most popular personal electronic devices. They are used for all sorts of purposes, from managing bank accounts to playing games. As smartphone apps and services proliferate, the amount of sensitive data stored on or processed by handheld devices rise as well. This practice entails risks, such as violating users’ privacy, stealing users’ identities, etc. Particularly, stealing an unlocked device grants full access to sensitive data and applications. In this survey, we examine whether users adopt some basic practices to protect their sensitive personal data themselves, or is there a need to further strengthen their protection? Our statistical analysis assesses smartphone users’ security attitudes and practices among different age groups. Finally, we investigate the factors that affect the attitude of users with respect to their practices for the protection of personal data.The results of this study, show that while many smartphone users do take some security precautions, a high percentage (24%) of them still ignores security and privacy risks. In addition, 19,1 % of users do not follow any practices to protect their PINs and Passwords.\r\nKeywords: Mobile Phones, Privacy Risk, Users Attitudes, Survey.

E. Mitakidis, D. Taketzis, A. Fakis, G. Kambourakis, SnoopyBot: An Android spyware to bridge the mixes in Tor, The 24th International Conference on Software, Telecommunications and Computer Networks (SoftCOM 2016), Sep, 2016, Split, Croatia, IEEE Press, http://marjan.fesb.hr/SoftCOM/2016/
Abstract

We present a moderately simple to implement but very effective and silent deanonymization scheme for Tor traffic. This is done by bridging the mixes in Tor, that is, we control both the traffic leaving the Onion Proxy (OP) and the traffic entering the Exit node. Specifically, from a user’s viewpoint, our proposal has been implemented in the popular Android platform as a spyware, having the dual aim to manipulate user traffic before it enters the Tor overlay and explicitly instruct OP to choose an exit node that is controlled by the attacker. When the user traffic is received by the rogue exit node it is filtered, and the sender’s IP details become visible. Notably, apart from deobfuscating normal http traffic, say, send via the Tor browser, the proposed scheme is able to manipulate https requests as well.

Z. Tsiatsikas, D. Geneiatakis, G. Kambourakis, S. Gritzalis, Realtime DDoS detection in SIP Ecosystems: Machine Learning tools of the trade, NSS 2016 The 10th International Conference on Network and System Security, M. Yung et al., (eds), Sep, 2016, Taipei, Taiwan, Springer LNCS Lecture Notes in Computer Science, http://nsclab.org/nss2016/
Abstract

Over the last decade, VoIP services and more especially the SIP-based ones, have gained much attention due to the low-cost and simple models they offer. Nevertheless, their inherently insecure design make them prone to a plethora of attacks. This work concentrates on the detection of resource consumption attacks targeting SIP ecosystems. While this topic has been addressed in the literature to a great extent, only a handful of works examine the potential of Machine Learning (ML) techniques to detect DoS and even fewer do so in realtime. Spurred by this fact, the work at hand assesses the potential of 5 different ML-driven methods in nipping SIP-powered DDoS attacks in the bud. Our experiments involving 17 realistically simulated (D)DoS scenarios of varied attack volume in terms of calls/sec and user population, suggest that some of the classifiers show promising detection accuracy even in low-rate DDoS incidents. We also show that the performance of ML-based detection in terms of classification time overhead does not exceed 3.5 ms in average with a mean standard deviation of 7.7 ms.

[73]
Karavaras E., E.Magos, A. Tsohou, Low User Awareness Against Social Malware: an Empirical Study and Design of a Security Application, 13th European, Mediterranean and Middle Eastern Conference on Information Systems (EMCIS 2016), Jun, 2016, Krakow, Poland
Y. Charalabidis, C. Alexopoulos, V. Diamantopoulou, A. Androutsopoulou, An open data and open services repository for supporting citizen-driven application development for governance, Proceedings of the HICSS-49 2016 Hawaii International Conference on System Sciences, pp. 2596--2604, Jan, 2016, Koloa, Hawaii, USA, IEEE CPS Conference Publishing Services, http://ieeexplore.ieee.org/document/7...
Abstract

Open data portals have been a primary source for publishing datasets from various sectors of administration, all over the world. However, making open data available does not necessarily lead to better utilisation from citizens and businesses. Our paper presents a new framework and a prototype system for supporting open application development by citizen communities, through gathering and making available open data and open web services sources from governmental actors, combined with an application development environment, training material and application examples.

I. Topa, M. Karyda, ANALYZING SECURITY BEHAVIOUR DETERMINATS FOR ENHANCING ISP COMPLIANCE AND SECURITY MANAGEMENT, 13th European, Mediterranean and Middle Eastern Conference on Information Systems(EMCIS) 2016, 2016, Krakow, Poland
Abstract

Extant literature has identified a wide range of factors that influence employees’ compliance to organisational ISPs and shape security behaviour. Security management, however, has not embodied this knowledge as many studies employ different terms to refer to similar concepts or focus only on a specific aspect (e.g. cognitive or environmental issues), depending on the theoretical approach used. Literature provides limited directions to security managers on the effect of security behaviour determinants on security management. This paper provides a comprehensive analyis of factors that have been identified, through an extensive literature review. It also provides an analysis and discussion of how these factors can enhance information security policy compliance. This work provides a conceptual framework that can facilitate security managers understand employee security behaviour and assist them to improve current security management. The paper also identifies controversial findings in relevant literature and suggests issues that need further investigation.

Ioannis Stylios, Chatzis, S., Thanou, O., S. Kokolakis, Mobile Phones & Behavioral Modalities: Surveying users’ practices, TELFOR 2015 International IEEE Conference, Nov, 2015, IEEE, https://www.researchgate.net/publicat...
Abstract

Abstract — Mobile phones are one of the most popular means of access to the internet. Users, via the telephone, connect to different services such as: Google, social networks, work accounts, banks accounts, etc. Those services, are many times, left open in their device. This enables risks, such as, loss or/and the violation of their personal data. In addition, in case of device theft after login, full access to sensitive data and applications may be fully granted. The purpose of this research is to analyze the most salient patterns characterizing user practices regarding certain behavioral modalities including: the way of using the various applications, power consumption, touch gestures and guest users’ habits. To this end, we used an original questionnaire, created for the needs of the specific survey, to examine whether we can find some trends among the users. This can give us a qualitative information, for the different behaviors / “characters” of users, in order to be used in further research regarding User’s Continuous Authentication. Keywords — Mobile Phones, Behavioral Modalities, Continuous Authentication, Survey.

[77]
Stylios, I.C., Chatzis, S., Thanou, O., S. Kokolakis, Mobile phones & behavioral modalities: Surveying users’ practices, 23rd Telecommunications Forum (TELFOR 2015), Nov, 2015, Belgrade, Serbia
F. Giannakas, G. Kambourakis, S. Gritzalis, CyberAware: A Mobile Game-based app for Cybersecurity Education and Awareness, IMCL 2015 International Conference on Interactive Mobile Communication, Technologies and Learning, M. Auer, (ed), Nov, 2015, Thessaloniki, Greece, IEEE CPS Conference Publishing Services, http://www.imcl-conference.org/imcl2015/
Abstract

Nowadays, basic cybersecurity education and awareness is deemed necessary, even for children as young as elementary school-aged. If knowledge on this topic is delivered in the form of a digital game-based activity, then it has greater chances of being more joyful and efficient. The paper at hand discusses the development of a novel mobile app called CyberAware, destined to cybersecurity education and awareness. At present, the game is designed for K-6 aged children and can be used to support either or both formal or informal learning. Also, due to its mobile nature, it can be experienced as an outdoor or classroom activity. Opposite to similar studies found in the literature so far, our attention is not solely drawn to game's technological aspects but equally to the educational factor.

K. Vemou, M. Karyda, Evaluating privacy practices in Web 2.0 services, 9th Mediterranean Conference on Information Systems, Oct, 2015, Samos, Greece, Association of Information Systems (AIS), https://aisel.aisnet.org/mcis2015/7/
Abstract

This paper discusses the effectiveness of privacy practices and tools employed by Web 2.0 service providers to facilitate users protect their privacy and respond to public pressure. By experimenting on three recently introduced tools, which claim to offer users access and choice on the data stored about them, we analyse their privacy preserving features. Research results indicate their limited effectiveness with regard to user privacy. We discuss discrepancy between stated goals of these privacy enhancing tools and actual goals these tools accomplish.

P. Rizomiliotis, S. Gritzalis, ORAM based forward privacy preserving Dynamic Searchable Symmetric Encryption Schemes, ACM CCSW 2015 7th ACM Cloud Computing Security Workshop, C. Nita-Rotaru, F. Kerschbaum, (eds), pp. 65-76, Oct, 2015, Denver, USA, ACM Press, http://ccsw.ics.uci.edu/15/
Abstract

In the cloud era, as more and more businesses and individ- uals have their data hosted by an untrusted storage service provider, data privacy has become an important concern. In this context, searchable symmetric encryption (SSE) has gained a lot of attention. An SSE scheme aims to protect the privacy of the outsourced data by supporting, at the same time, outsourced search computation. However, the design of an e_cient dynamic SSE (DSSE) has been shown to be a challenging task. In this paper, we present two e_cient DSSEs that leak a limited amount of information. Both our schemes make a limited use of ORAM algorithms to achieve forward privacy and to minimize the overhead that ORAMs introduce, at the same time. To the best of our knowledge, there is only one other DSSE scheme that o_ers e_ciently forward privacy. Our schemes are parallizable and signi_cantly improve the search and update complexity, as well as the memory access locality

P. Drogkaris, A. Gritzalis, A Privacy Preserving Framework for Big Data in e-Government Environments, 12th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2015), Javier Lopez, Fischer-Huebner Simone, Costas Lambrinoudakis, (eds), pp. 210-218, Sep, 2015, Valencia, Spain, Springer LNCS, http://link.springer.com/chapter/10.1...
Abstract

Big data is widely considered as the next big trend in e-Government environments but at the same time one of the most emerging and critical issues due to the challenges it imposes. The large amount of data being retained by governmental Service Providers that can be (potentially) exploited during Data Mining and analytics processes, include personal data and personally identifiable information, raising privacy concerns, mostly regarding data minimization and purpose limitation. This paper addresses the consideration of Central Government to aggregate information without revealing personal identifiers of individuals and proposes a privacy preserving methodology that can be easily incorporated into already deployed electronic services and e-Government frameworks through the adoption of scalable and adaptable salted hashing techniques.

Z. Tsiatsikas, M. Anagnostopoulos, G. Kambourakis, S. Lambrou, D. Geneiatakis, Hidden in plain sight. SDP-based covert channel for Botnet communication, 12th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2015), Sep, 2015, Valencia, Spain, Springer, http://www.ds.unipi.gr/trustbus15/
Abstract

Covert channels pose a significant threat for networking systems. In this paper, we examine the exploitation of Session Description Protocol (SDP) information residing in Session Initiation Protocol (SIP)requests with the aim to hide data in plain sight.While a significant mass of works in the literature cope with covert communication channels, only a very limited number of them rely on SIP to realize its goals. Also, none of them concentrates on SDP data contained in SIP messages to implement and evaluate such a hidden communication channel. Motivated by this fact, the work at hand proposes and demonstrates the feasibility of a simple but very effective in terms of stealthiness and simplicity SIP-based covert channel for botnet Command and Control (C&C). As a side contribution, we assess the soundness and the impact of such a deployment at the victim's side via the use of two different types of flooding attacks.

Z. Tsiatsikas, A. Fakis, D. Papamartzivanos, D. Geneiatakis, G. Kambourakis, C. Kolias, Battling against DDoS in SIP. Is machine learning-based detection an effective weapon?, The 12th International Conference on Security and Cryptography (SECRYPT 2015) , Jul, 2015, Colmar, France, SCITEPRESS, http://www.secrypt.icete.org/
Abstract

This paper focuses on network anomaly-detection and especially the effectiveness of Machine Learning (ML) techniques in detecting Denial of Service (DoS) in SIP-based VoIP ecosystems. It is true that until now several works in the literature have been devoted to this topic, but only a small fraction of them have done so in an elaborate way. Even more, none of them takes into account high and low-rate Distributed DoS (DDoS) when assessing the efficacy of such techniques in SIP intrusion detection. To provide a more complete estimation of this potential, we conduct extensive experimentations involving 5 different classifiers and a plethora of realistically simulated attack scenarios representing a variety of (D)DoS incidents. Moreover, for DDoS ones, we compare our results with those produced by two other anomaly-based detection methods, namely Entropy and Hellinger Distance. Our results show that ML-powered detection scores a promising false alarm rate in the general case, and seems to outperform similar methods when it comes to DDoS.

K. Vemou, G. Mousa, M. Karyda, On the low diffusion of Privacy-enhancing Technologies in Social Networking: results of an empirical investigation, 12th European, Mediterranean & Middle Eastern Conference on Information Systems 2015 (EMCIS2015), Jun, 2015, Athens, Greece
Abstract

This paper discusses the low adoption of PETs among SNS users, based on the results of an empirical investigation among users of social networking services. 170 members of 5 popular social networks provided information on how they protect their privacy, as well as on the most important factors guiding their decision to use privacy preserving tools or not. Research findings suggest that awareness of PETs is still low among social network users and that quality, effectiveness, cost and ease of use are critical factors influencing PETs adoption. A small number of users was also found not to employ any PETs, despite the fact that they reported being familiar with some of them. This paper enhances our understanding of PETs diffusion from the perspective of users and argues that usability aspects need to guide their design and implementation.

[85]
P. Drogkaris, Promoting Intelligent Analysts Training through Serious Gaming: The LEILA Approach, 12th European Mediterranean & Middle Eastern Conference on Information Systems, Jun, 2015, Athens, Greece, EMCIS Conference Proceedings
I. Topa, M. Karyda, Identifying Factors that Influence Employees’ Security Behavior for Enhancing ISP Compliance, 12th Trust, Privacy and Security in Digital Business International Conference, pp. 169-179, 2015, Valencia, Spain, Springer International Publishing
Abstract

Organizations apply information security policies to foster secure use of information systems but very often employees fail to comply with them. Employees’ security behavior has been the unit of analysis of research from different theoretical approaches, in an effort to identify the factors that influence security policy compliance. Through a systematic analysis of extant literature this paper identifies and categorizes critical factors that shape employee security behavior and proposes security management practices that can enhance security compliance. Research findings inform theory by identifying research gaps and support security management.

Z. Tsiatsikas, G. Kambourakis, D. Geneiatakis, Exposing Resource Consumption Attacks in Internet Multimedia Services, The 14th IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2014) - Security Track, Dec, 2014, Noida, India, IEEE Press, http://www.isspit.org/isspit/2014/
Abstract

Attackers always find ways to elude the employed security mechanisms of a system, no matter how strong they are. Nevertheless, audit trails - which as a rule of thumb are kept by any service provider - store all the events pertaining to the service of interest. Therefore, audit trail data can be a valuable ally when it comes to the certification of the security level of a given service. This stands especially true for critical realtime services such as multimedia ones, which nowadays are on the rise. This work proposes a practical, simple to implement yet powerful solution based on the Hellinger Distance metric for conducting audit trail analysis destined to expose security incidents. Our solution relies on a set of different features existing in the app layer protocol for session handling in order to classify the analyzed traffic as intrusive or not. Taking the well-known Session Initiation Protocol (SIP) as an example, we thoroughly evaluate the effectiveness of the proposed detection scheme in terms of accuracy under various realistic scenarios. The outcomes reveal competitive detection rates in terms of false positives and negatives and can be used as a reference for future works in the field.

D. Kasiaras, T. Zafeiropoulos, N. Clarke, G. Kambourakis, Android Forensics: Correlation Analysis, The 9th International Conference for Internet Technology and Secured Transactions (ICITST), pp. 157-162, Dec, 2014, London, UK, IEEE Press, http://www.icitst.org/
Abstract

With over 6 billion mobile phone subscribers, it is inevitable that such devices will be involved in criminal activities. Furthermore, the evolution of smartphones has changed the way people use their mobile phones in their everyday life. That is, a huge variety of services exist in the device that can be exploited for either perpetrating a criminal activity or being the subject of the crime. By conducting an analysis of existing forensic tools and the literature, it became evident that there is a significant lack of advanced tools that enable the correlation among the various events of forensic interest in order to facilitate an investigation and reduce the cognitive load on the analyst side. Motivated by this fact, the paper at hand proposes a novel tool that incorporates strong mechanisms to forensically analyze an Android device, aiming to reduce the workload of the investigator through advanced and intelligent correlation and visualization.

L. Mitrou, P. Drogkaris, G. Leventakis, Legal and Social Aspects of Surveillance Technologies: CCTV in Greece, International Conference on Citizens’ Perspectives on Surveillance, Security and Privacy: Controversies, Alternatives and Solutions, pp. 39-41, Nov, 2014, Vienna, Austria, Conference Proceedings
G. Fotiadis, E. Konstantinou, More Sparse Families of Pairing-Friendly Elliptic Curves, 13th International Conference on Cryptology and Network Security – CANS’2014, D. Gritzalis, A. Kiayias, I. Askoxylakis, (eds), pp. 384-389, Oct, 2014, Heraklion, Crete, GR, Springer, Cham, https://doi.org/10.1007/978-3-319-122...
V. Diamantopoulou, E. Loukis, Y. Charalabidis, Is Information Systems Interoperability an Innovation Driver? An Empirical Investigation, Proceedings of the EMCIS 2014 European, Mediterranean, and Middle Eastern Conference on Information Systems, Oct, 2014, Doha, Qatar, EMCIS
Abstract

Most of the research that has been conducted on the business value of information systems (IS) interoperability focuses mainly on the efficiency related benefits it can generate, but deals much less with its potential to drive innovations in firms’ products/services and processes. Our study contributes to filling this research gap by empirically investigating the effect of interoperability of firm’s IS (meant as compliance with various types of relevant standards) on firm’s innovation performance. It is based on a large dataset from 14.065 European firms (from 25 countries and 10 sectors), which has been collected through the e-Business W@tch Survey of the European Commission, and is used for estimating product/service and process innovation models. It has been concluded that IS interoperability has strong positive effects both on product/service and process innovation, which are weaker than the corresponding effects of the degree of development of firms’ IS, but stronger than the effects of the degree of functional development of firm’s e-Sales IS; also they are stronger than the corresponding effects of R&D and competition (regarded as important innovation drivers according to previous literature). Finally, a comparison among different types of IS interoperability standards shows that their positive effects on firms’ innovation activity differ, with the industry-specific and the XML-horizontal standards having stronger effects of similar magnitudes, while the proprietary standards have weaker ones.

A. Latsiou, P. Rizomiliotis, The Rainy Season of Cryptography, Proceedings of the 18th Panhellenic Conference on Informatics, pp. 1-6, Oct, 2014, ACM, http://dl.acm.org/citation.cfm?id=264...
Abstract

Cloud Computing (CC) is the new trend in computing and resource management, an architectural shift towards thin clients and conveniently centralized provision of computing and networking resources. Worldwide cloud services revenue reached 148.8 billion in 2014. However, CC introduces security risks that the clients of the cloud have to deal with. More precisely, there are many security concerns related to outsourcing storage and computation to the cloud and these are mainly attributed to the fact that the clients do not have direct control over the systems that process their data. In this paper, we investigate the new challenges that cryptography faces in the CC era. We introduce a security framework for analysing these challenges, and we describe the cryptographic techniques that have been proposed until now. Finally, we provide a list of open problems and we propose new directions for research.

K. Vemou, M. Karyda, S. Kokolakis, Directions for Raising Privacy Awareness in SNS Platforms, 18th Panhellenic Conference on Informatics, pp. 1-6, Oct, 2014, Athens, ACM New York, http://dl.acm.org/citation.cfm?id=264...
Abstract

Members of online social networks are often under an illusion of privacy, underestimating privacy risks related to their personal information published in their profiles. Current literature identifies privacy awareness as a key factor for enhancing user privacy. This paper identifies awareness raising applications and explores the effectiveness of awareness tools and practices currently employed by six popular SNS platforms, through a combined approach of literature review and experimental use. Our findings illustrate that awareness practices differ significantly among platforms and fail to promote awareness. We also show that effective awareness raising tools, such as privacy signalling and visualization applications, are overlooked and propose directions to further enhance privacy awareness mechanisms in SNS platforms.

D. Papamartzivanos, D. Damopoulos, G. Kambourakis, A cloud-based architecture to crowdsource mobile app privacy leaks, The 18th Panhellenic Conference on Informatics (PCI 2014), special session on Security and Privacy Issues in the Cloud Computing Era, pp. 1-6, Oct, 2014, Athens, Greece, ACM press, http://dl.acm.org/citation.cfm?id=264...
Abstract

Most would agree that modern app-markets have been flooded with applications that not only threaten the security of the OS uperficially, but also in their majority, trample on user’s privacy through the exposure of sensitive information not necessarily needed for their operation. In this context, the current work revolves around 3 key questions: Is there a way for the end-user to easily track - the many times - hidden privacy leaks occurring due to the way mobile apps operate? Can crowdsourcing provide the end-user with a quantitative assessment per app in terms of privacy exposure level? And if yes, in which way a cloud-based crowdsourcing mechanism can detect and alert for changes in the apps’ behavior? Motivated by the aforementioned questions, we design a cloud-based system that operates under a crowdsourcing logic, with the aim to provide i) a real-time privacy-flow tracking service, ii) a collaborative infrastructure for exchanging information related to apps’ privacy exposure level, and iii) potentially a behavior-driven detection mechanism in an effort to take advantage of the crowdsourcing data to its maximum efficasy.

P. Drogkaris, A. Gritzalis, C. Lambrinoudakis, Empowering Users to Specify and Manage their Privacy Preferences in e-Government Environments, 3rd International Conference on Electronic Government and the Information Systems Perspective (EGOVIS 2014), Andrea Kö, Enrico Francesconi, (eds), pp. 237 - 245, Sep, 2014, Munich, Germany, Springer LNCS, http://link.springer.com/chapter/10.1...
Abstract

The provision of advanced e-Government services has raised users’ concerns on personal data disclosure and privacy violation threats as more and more information is released to various governmental service providers. Towards this direction, the employment of Privacy Policies and Preferences has been proposed in an attempt to simplify the provision of electronic services while preserving users’ personal data and information privacy. This paper addresses the users’ need to create, manage and fine-tune their privacy preferences in a user friendly, yet efficient way. It presents a Graphical User Interface (GUI) that empowers them to articulate their preferences in machine readable format and resolve possible conflicts with Service Provider’s (SP) Privacy Policy, without being obliged to go through complex and nuanced XML documents or being familiar with privacy terminology. Users can now be confident that their personal data will be accessed, processed and transmitted according to their actual preferences. At the same time they will be aware of their privacy-related consequences, as a result of their selections.

G. Karopoulos, A. Fakis, G. Kambourakis, Complete SIP message obfuscation: PrivaSIP over Tor, The 9th International Conference on Availability, Reliability and Security (ARES 2014) - 9th International Workshop on Frontiers in Availability, Reliability and Security (FARES), A. M. Tjoa, E. Weippl et al., (eds), pp. 217-226, Sep, 2014, Fribourg, Switzerland , IEEE CPS, http://www.ares-conference.eu/confere...
Abstract

Anonymity on SIP signaling can be achieved either by the construction of a lower level tunnel (via the use of SSL or IPSec protocols) or by employing a custom-tailored solution. Unfortunately, the former category of solutions present significant impediments including the requirement for a PKI and the hop-by-hop fashioned protection, while the latter only concentrate on the application layer, thus neglecting sensitive information leaking from lower layers. To remediate this problem, in the context of this paper, we employ the well-known Tor anonymity system to achieve complete SIP traffic obfuscation from an attacker’s standpoint. Specifically, we capitalize on Tor for preserving anonymity on network links that are considered mostly untrusted, i.e., those among SIP proxies and the one between the last proxy in the chain and the callee. We also, combine this Tor-powered solution with PrivaSIP to achieve an even greater level of protection. By employing PrivaSIP we assure that: (a) the first hop in the path (i.e., between the caller and the outbound proxy) affords anonymity, (b) the callee does not know the real identity of the caller, and (c) no real identities of both the caller and the callee are stored in log files. We also evaluate this scheme in terms of performance and show that even in the worst case, the latency introduced is not so high as it might be expected due to the use of Tor.

[97]
Pipyros K., L. Mitrou, D. Gritzalis, A cyber attack evaluation methodology, 13th European Conference on Cyber Warfare and Security (ECCWS-2014),, pp. 264-270, Jul, 2014, Greece
T. Spyridopoulos, I. Topa, T. Tryfonas, M. Karyda, A holistic approach for Cyber Assurance of Critical Infrastructure with the Viable System Model, 29th IFIP TC 11 International Conference, SEC 2014, pp. 438-445, Jun, 2014, Marrakech, Morocco, Springer Berlin Heidelberg, http://link.springer.com/chapter/10.1...
Abstract

Industrial Control Systems (ICSs) are of the most important compo- nents of National Critical Infrastructure. They can provide control capabilities in complex systems of critical importance such as energy production and distribution, transportation, telecoms etc. Protection of such systems is the cornerstone of essential service provision with resilience and in timely manner. Effective risk management methods form the basis for the protection of an Industrial Control System. However, the nature of ICSs render traditional risk management methods insufficient. The proprietary character and the complex interrelationships of the various systems that form an ICS, the potential impacts outside its boundaries, along with emerging trends such as the exposure to the Internet, necessitate revisiting traditional risk management methods, in a way that treat an ICS as a system-of-systems rather than a single, one-off entity. Towards this direction, in this paper we present enhancements to the traditional risk management methods at the phase of risk assessment, by utilising the cybernetic construct of the Viable System Model (VSM) as a means towards a holistic view of the risks against Critical Infrastructure. For the purposes of our research, utilising VSM’s recur- sive nature, we model the Supervisory Control and Data Acquisition (SCADA) system, a most commonly used ICS, as a VSM and identify the various assets, in- teractions with the internal and external environment, threats and vulnerabilities.

[99]
P. Drogkaris, G. Leventakis, A. Sfetsos, Promoting Law Enforcement Capabilities through Asynchronous Training and Serious Games in the Fight against Cybercrime, International Conference, The Rule of Law in a era of change: Security, Social Justice and Inclusive Governance, Jun, 2014, Athens, Greece, Conference Proceedings
[100]
H. Jiang , A. Tsohou, Expressive Or Instrumental: A Dual-Perspective Model Of Personal Web Usage At Workplace (Research in Progress) , European Conference on Information Systems (ECIS), Jun, 2014, Tel Aviv, Israel
[101]
H. Jiang , A. Tsohou, The Dual Nature of Personal Web Usage At Workplace: Impacts, Antecedents And Regulating Policies, European Conference on Information Systems (ECIS), Jun, 2014, Tel Aviv, Israel
[102]
L. Mitrou, M. Kandias, V. Stavrou, D. Gritzalis, Social media profiling: A Panopticon or Omniopticon tool?, 6th Conference of the Surveillance Studies Network, Apr, 2014, Spain
D. Damopoulos, G. Kambourakis, G. Portokalidis, The Best of Both Worlds. A Framework for the Synergistic Operation of Host and Cloud Anomaly-based IDS for Smartphones, The 7th European Workshop on Systems Security (EuroSec 2014), Apr, 2014, Amsterdam, The Netherlands, ACM Press, http://www.syssec-project.eu/eurosec-...
Abstract

Smartphone ownership and usage has seen massive growth in the past years. As a result, their users have attracted unwanted attention from malicious entities and face many security challenges, including malware and privacy issues. This paper concentrates on IDS carefully designed to cater to the security needs of modern mobile platforms. Two main research issues are tackled: (a) the definition of an architecture which can be used towards implementing and deploying such a system in a dual-mode (host/cloud) manner and irrespectively of the underlying platform, and (b) the evaluation of a proof-of-concept anomaly-based IDS implementation that incorporates dissimilar detection features, with the aim to assess its performance qualities when running on state-of-the-art mobile hardware on the host device and on the cloud. This approach allow us to argue in favor of a hybrid host/cloud IDS arrangement (as it assembles the best characteristics of both worlds) and to provide quantitative evaluation facts on if and in which cases machine learning-driven detection is affordable when executed on-device.

K. Vemou, M. Karyda, Embedding privacy practices in social networking services, 7th IADIS International Conference Information Systems 2014, P. Powell, M. B. Nunes and P. Isaías, (eds), pp. 201-208, Mar, 2014, Madrid, Spain, IADIS Press, http://www.iadisportal.org/digital-li...
Abstract

Built-in privacy emerges as a necessity to keep users’ interest and trust in Social Networking Services. However, extant literature is dominated by research on developing and/or employing Privacy-Enhancing Technologies as add-ons and on exploring users’ privacy preferences, failing to provide explicit guidance on how to inscribe privacy from the early stages of SNS implementation. In this paper we draw upon the principles of privacy-by-design to propose a list of privacy requirements to drive privacy-friendly SNS design and discuss their implementation in four popular SNS platforms.

[105]
P. Rizomiliotis, Oblivious RAM: State of the Art and New Constructions, BalkanCrypt 2013, T. Baicheva, S. Nikova, T. Yalcin, (eds), (to appear), Nov, 2013, Sofia, Bulgaria
E. Loukis, Y. Charalabidis, V. Diamantopoulou, The Effects of Information Systems Interoperability on Business Performance, Proceedings of the EMCIS 2013 European, Mediterranean, and Middle Eastern Conference on Information Systems, A. Ghoneim, M. Kamal , (eds), Oct, 2013, Windsor, UK, EMCIS
Abstract

Extensive investments are made for the development of various types of information systems (IS) interoperability technologies, and also for their implementation at firm level. This necessitates the systematic study of the business value that IS interoperability technologies generate. However, quite limited empirical research has been conducted on this. Our study contributes to filling this research gap by presenting an empirical study of the effect of the adoption of three types of IS interoperability standards (industry-specific, XML-horizontal and proprietary ones) on the business benefits firms gain from their information and communication technologies (ICT) infrastructures. It is based on a large dataset from 14.065 European firms (from 25 countries and 10 sectors) collected through the e-Business W@tch Survey of the European Commission. For all these three types of IS interoperability standards it has been concluded that their adoption for establishing IS interoperability with cooperating firms (suppliers, business partners, customers) increases the business benefits gained from firm’s ICT infrastructure, both the cost reduction and the sales growth related ones. A comparison among these three types of IS interoperability standards shows that their positive effects on the ICT business benefits differ, with the industry-specific standards having the strongest effects, which are of similar magnitude with the ones of the degree of development of firm’s internal IS (widely recognized as the main determinants of these benefits). Furthermore, we have found that the adoption of industry-specific standards is particularly important for realizing sales growth related benefits from firm’s ICT infrastructure.

Y. Charalabidis, E. Loukis, L. Spiliotopoulou, V. Diamantopoulou, A Framework for Utilizing Web 2.0 Social Media for Participative Governance, Proceedings of the EMCIS 2013 European, Mediterranean, and Middle Eastern Conference on Information Systems, A. Ghoneim, M. Kamal , (eds), Oct, 2013, Windsor, UK, EMCIS
Abstract

The Web 2.0 social media have been initially exploited by private sector firms, in order to support mainly their marketing and customer relations functions, and there has been considerable research for developing frameworks and practices for the effective utilization of these new communication media in the private sector. Government started exploiting the high capabilities and popularity of the social media much later, so there has been much less research concerning their effective utilization by government agencies. This paper contributes to filling this research gap, presenting a novel framework for the effective utilization of the Web 2.0 social media by government agencies for promoting participative governance and applying crowdsourcing ideas. It is based on the centralised automated publishing of content and micro-applications to multiple Web 2.0 social media, and then collection of citizens’ interactions (e.g. comments, ratings) with them, based on central platform that uses efficiently the application programming interfaces (APIs) of these social media. Finally, citizens’ interactions are processed in this central platform using a variety of techniques (web analytics, opinion mining, simulation modelling) in order to provide finally useful analytics that offer substantial support to government decision and policy makers. Furthermore, an application and an evaluation model for the proposed framework are described, as well as an extension of it that combines active/moderated and passive/non-moderated crowdsourcing.

G. Fotiadis, E. Konstantinou, On the Efficient Generation of Generalized MNT Elliptic Curves, 5th International Conference on Algebraic Informatics - CAI 2013, T. Muntean, D. Poulakis, R. Rolland, (eds), pp. 147-159, Sep, 2013, Porquerolles Island, FR, Springer, Berlin, Heidelberg, https://doi.org/10.1007/978-3-642-406...
D. Kostopoulos, V. Tsoulkas, G. Leventakis, P. Drogkaris, V. Politopoulou, Real Time Threat Prediction, Identification and Mitigation for Critical Infrastructure Protection using Semantics, Event Processing and Sequential Analysis, 8th International Conference on Critical Information Infrastructures Security (CRITIS 2013), E. Luiijf and P. Hartel, (eds), pp. 133-141, Sep, 2013, Amsterdam, Springer LNCS, http://link.springer.com/chapter/10.1...
Abstract

Seamless and faultless operational conditions of multi stakeholder Critical Infrastructures (CIs) are of high importance for today’s societies on a global scale. Due to their population impact, attacks against their interconnected components can create serious damages and performance degradation which eventually can result in a societal crisis. Therefore it is crucial to effectively and timely protect these high performance - critical systems against any type of ma-licious cyber-physical intrusions. This can be realized by protecting CIs against threat consequences or by blocking threats to take place at an early stage and preventing further escalation or predicting threat occurrences and have the ability to rapidly react by eliminating its roots. In this paper a novel architecture is proposed in which these three ways of confronting with cyber – physical threats are combined using a novel semantics based risk methodology that relies on real time behavioral analysis. The final prototype provides the CI operator with a decision tool (DST) that imprints the proposed approach and which is capable of alerting on new unknown threats, generate suggestions of the required counter-actions and alert of probable threat existence. The implemented architecture has been tested and validated in a proof of concept scenario of an airport CI with simulated monitoring data.

Z. Tsiatsikas, D. Geneiatakis, G. Kambourakis, A. Keromytis, Privacy-Preserving Entropy-Driven Framework for Tracing DoS Attacks in VoIP, The 8th International Conference on Availability, Reliability and Security (ARES 2013), pp. 224-229, Sep, 2013, Regensburg, Germany, IEEE Press, http://ieeexplore.ieee.org/xpl/login....
Abstract

Network audit trails, especially those composed of application layer data, can be a valuable source of information regarding the investigation of attack incidents. Nevertheless, the analysis of log files of large volume is usually both complex (slow) and privacy-neglecting. Especially, when it comes to VoIP, the literature on how audit trails can be exploited to identify attacks remains scarce. This paper provides an entropy-driven, privacy-preserving, and practical framework for detecting resource consumption attacks in VoIP ecosystems. We extensively evaluate our framework under various attack scenarios involving single and multiple assailants. The results obtained show that the proposed scheme is capable of identifying malicious traffic with a false positive alarm rate up to 3.5%.

K. Vemou, M. Karyda, Α classification of factors influencing low adoption of PETs among SNS users, 10th International Conference on Trust, Privacy & Security in Digital Business, S. Furnell, C. Lambrinoudakis, and J. Lopez, (eds), pp. 74-84, Aug, 2013, Prague, Czech Republic, Springer, http://link.springer.com/chapter/10.1...
Abstract

Privacy concerns are rising among SNS users. However, privacy enhancing technologies are not, yet, widely deployed, moreover the rate at which their deployment has grown over the last few years has not been substantial. This is surprising given the fact that PETs are widely recognized as effective at reducing privacy risks. This paper discusses this paradox and tries to answer the question why PETs adoption by social network users is limited. It presents a framework of key factors that facilitates understanding of the issue and can serve as a guide for future research and practice.

[112]
M. Kandias, L. Mitrou, V. Stavrou, D. Gritzalis, Which side are you on? A new Panopticon vs. privacy, 10th International Conference on Security and Cryptography (SECRYPT 2013), Samarati P., et al. , (eds), pp. 98-110, Jul, 2013, Iceland
K. Anastasopoulou, S. Kokolakis, T. Tryfonas, Analysis of strategic stakeholder interactions in cloudbased mobile app use by privacy-sensitive end users (invited paper), 15th International Conference on Human-Computer Interaction (HCII2013), Jul, 2013, Las Vegas, Nevada, USA, [The HCII 2013 Conference Proceedings will be published by Springer
Abstract

Free mobile applications of cloud computing offer a range of diverse services (e.g. gaming, storage etc.) usally in return for delivering personalized advertising to their consenting end-users. In order to do so they may retain a range of personal information such as location and personal preferences. Thus, privacy-related interactions between service providers and end users are important to be studied as personal data are valuable in a subscription-based cloud system. In this paper, game theory is used as a tool to identify and analyze such interactions in order to understand stakeholder choices, as well as how to improve the quality of the service offered in a cloud computing setting.

[114]
M. Kandias, K. Galbogini, L. Mitrou, D. Gritzalis, Insiders trapped in the mirror reveal themselves in social media, 7th International Conference on Network and System Security (NSS 2013), LNCS 7873, pp. 220-235, Jun, 2013, Spain, Springer
D. Kostopoulos, V. Tsoulkas, G. Leventakis, P. Drogkaris, V. Politopoulou, A Blend of Semantic Monitoring and Intrusion Detection Systems for the Protection of Critical Infrastructures: Research efforts within the Greek Cybercrime Center, Fifth International Conference on Computanional Intelligence, Communication Systems and Networks (CICSYN 2013), G. Romero, A. Orsoni, (eds), Jun, 2013, Spain, IEEE CPS
[116]
E. Konstantinou, An Efficient Constant Round ID-based Group Key Agreement Protocol for Ad hoc Networks, 7th International Conference on Network and System Security - NSS 2013, Jun, 2013, Madrid, Spain, Springer
[117]
F. Giannakas, Didactical and Pedagogical use of I.C.T. at Primary School with S.R.E.P : Understand, communicate, seek, collaborate and implement, 3rd Pan-Hellenic Conference "Integration and Use of ICTs to the Education Process", May, 2013, Piraeus, Greece
S. Arvanitis, E. Loukis, V. Diamantopoulou, Are ICT, Workplace Organization and Human Capital Relevant for Innovation? A Comparative Study Based on Swiss and Greek Micro Data, 10th Annual International Industrial Organization Conference, pp. 32, May, 2013, Boston, USA
Abstract

This paper examined the relationship between indicators for the intensity of use of ICT, several forms of workplace organization, and human capital and several measures of innovation performance at firm level in an innovation equation framework, in which was also controlled for standard innovation determinants such as demand, competition and firm size. The empirical part is based on data of Swiss and Greek firms. based on the same questionnaire for both countries and took place in 2005. This paper contributes to literature in three ways: first, it analyzes the three most important factors, i.e. information technology, organization, human capita, that are considered to be drivers of innovation performance in the last fifteen to twenty years in the same setting, it uses several innovation indicators that cover both the input and the output side of the innovation process and, third, it does the analysis in a comparative setting for two countries, Greece and Switzerland, with quite different levels of technological and economic development.

D. Kostopoulos, V. Tsoulkas, G. Leventakis, P. Drogkaris, V. Politopoulou, Semantic Systems Modeling and Monitoring for Real Time Decision Making: Results and Next Steps within the Greek Cyber Security Center of Excellence, AMSS 15th International Conference on Modelling and Simulation (UK-SIM 2013), Apr, 2013, Cambridge UK, IEEE CPS
P. Rizomiliotis, S. Gritzalis, Revisiting Lightweight Authentication Protocols based on Hard Learning Problems, ACM WiSec 2013 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks, A.-R. Sadeghi, M. Gruteser, (eds), pp. 125-130, Apr, 2013, Budapest, Hungary, ACM Press, http://dl.acm.org/ft_gateway.cfm?id=2...
Abstract

At the 2011 Eurocrypt, Kiltz et al., in their best paper price awarded paper, proposed an ultra-lightweight authentication protocol, called AUTH. This new protocol is supported by a delegated security proof, against passive and active attacks, based on the conjectured hardness of the Learning Parity with Noise (LPN) problem. However, AUTH has two shortcomings. The security proof does not include man-in-the-middle (MIM) attacks and the communication complexity is high. The weakness against MIM attacks was recently verified as a very efficient key recovery MIM attack was introduced with only linear complexity with respect to the length of the secret key. Regarding the communication overhead, Kiltz et al. proposed a modified version of AUTH where the communication complexity is reduced at the expense of higher storage complexity. This modified protocol was shown to be at least as secure as AUTH. In this paper, we revisit the security of AUTH and we show, somehow surprisingly, that its communication efficient version is secure against the powerful MIM attacks. This issue was left as an open problem by Kiltz et al. We provide a security proof that is based on the hardness of the LPN problem to support our security analysis.

G. Kambourakis, D. Damopoulos, A competent post-authentication and non-repudiation biometric-based scheme for m-Learning, The 10th IASTED International Conference on Web-based Education (WBE 2013), V. Uskov, (ed), pp. 821-827, Feb, 2013, Innsbruck, Austria, ACTA Press, http://www.actapress.com/Abstract.asp...
Abstract

As mobile learning (mLearning) gains momentum, so does the worry of the parties involved to mLearning activities regarding the security and privacy level of the underlying systems and practices. Indeed, the basically spontaneous nature of mLearning and the variety of out-of-control devices that are used for supporting its activities, makes it prone to a plethora of attacks such as masquerading and man-in-the-middle. Thus, the provision of some sort of post- authentication and non-repudiation service in an effort to deter and repel ill-motivated activities may be of particular value in such realms. Compelled by this fact, in this paper, we introduce a dynamic signature-based biometric scheme to enable the offering of both of the aforementioned services in mLearning domains. We argue that our solution is both practical and lightweight. Its feasibility is also demonstrated through the use of machine learning techniques.

[122]
E. Lalas, L. Mitrou, C. Lambrinoudakis, ProCAVE: Privacy-Preserving Collection and Authenticity Validation of Online Evidence, 10th International Conference on Trust, Privacy & Security in Digital Business (TRUSTBUS 2013), LNCS 8058, S. Furnell, C. Lambrinoudakis, J. Lopez, (eds), pp. 137-148, 2013, Chech Republic, Springer
[123]
M. Kandias, V. Stavrou, N. Bozovic, L. Mitrou, D. Gritzalis, Predicting the insider threat via social media: The YouTube case, 12th Workshop on Privacy in the Electronic Society (WPES 2013), 2013, Berlin, ACM Press
[124]
M. Kandias, V. Stavrou, N. Bozovic, L. Mitrou, D. Gritzalis, Can we trust this user? Predicting insider’s attitude via YouTube usage profiling, 10th IEEE International Conference on Autonomous and Trusted Computing (ATC 2013), 2013, Italy, IEEE Press
[125]
L. Mitrou, Naming and Blaming in Greece: Social Control as Law Enforcement Tool, Living in Surveillance Societies (LISS 2013), Webster W. et al., (eds), pp. 247-258, 2013, Great Britain
[126]
Oh J., Lee H., A. Tsohou, Relational Versus Structural Embeddedness in IT Outsourcing Networks: The Role Of Requirement Unpredictability And Measurement Difficulty, 17th Pacific Asia Conference on Information Systems (PACIS 2013), 2013, Jeju Island, Korea
[127]
K. Ntalianis, E. Sardis, N. Tsapatsoulis, A. Doulamis, P. Rizomiliotis, Multiocular Surveillance of Wide Dynamic Environments Based on Optical Vision, Event Modeling and End-to-End Data Encryption - A Cloud-based Monitoring approach of Maritime Activities, IEEE GlobeCom 2012, Man-Sec Workshop, H. Eslambolchi, (ed), Dec, 2012, Anaheim, California, USA, IEEE Press
N.Marangos, P. Rizomiliotis, L. Mitrou, Digital Forensics in the Cloud Computing Era, IEEE GlobeCom 2012, Man-Sec Workshop, H. Eslambolchi, (ed), Dec, 2012, Anaheim, California, USA, IEEE Press
Abstract

Cloud Computing (CC) is a promising next-generation computing paradigm providing network and computing resources on demand via the web. The cloud market is still in its infancy and all major issues, ranging from interoperability and standardization, to legislation and SLA contracts are still wide open. However, the main obstacle for a more catholic acceptance of the cloud model is security. In the CC model, the client has limited control over her data and computations as she outsources everything to the cloud provider. This basic CC feature influences several security related areas.

K. Anastasopoulou, S. Kokolakis, T. Tryfonas, Analysis of strategic stakeholder interactions in cloudbased mobile app use by privacy-sensitive end users, Conference on Decision and Game Theory for Security (GameSec2012), Nov, 2012, Budapest, Hungary
Abstract

Abstract. Free mobile applications of cloud computing offer a range of diverse services (e.g. gaming, storage etc.) usally in return for delivering personalized advertising to their consenting endusers. In order to do so they may retain a range of personal information such as location and personal preferences. Thus, privacy-related interactions between service providers and end users are important to be studied as personal data are valuable in a subscription-based cloud system. In this paper, game theory is used as a tool to identify and analyze such interactions in order to understand stakeholder choices, as well as how to improve the quality of the service offered in a cloud computing setting. \r\n\r\nKeywords: Privacy, mobile apps, cloud, game theory, strategic interactions.

C. Kalyvas, E. Konstantinou, G. Kambourakis, Modeling Multiple Modes of Operation with Alloy, International Conference on Security Technology (SecTech 2012), T.H. Kim et al., (eds), pp. 78-85, Nov, 2012, Jeju, Korea, CCIS 339, Springer, http://link.springer.com/chapter/10.1...
Abstract

Speci fication (or modeling) languages can be very handy in describing certain aspects of a system and check properties of interest about it. Also, once a model is constructed, one is able to use the associated analyzer to create examples and/or counterexamples to explore hypotheses posed about the system. In the context of cryptography this veri fication process is of great importance as it can contribute towards finding weaknesses and assessing system's robustness. This paper capitalizes on the well-known Alloy language to model and analyze attacks on DES triple modes namely ECB|ECB|CBC^-1 and ECB|OFB|OFB. We model attacks described in [9] and show that they can be fruitful in the general case. This work can serve as a framework in modeling similar cryptosystems and assessing certain attacks on them.

E. Loukis, S. Arvanitis, V. Diamantopoulou, An Empirical Investigation of the Effect of Hard and Soft ICT Investment on Innovation Performance of Greek Firms, Proceedings of the PCI 2012 16th Pan-Hellenic Conference on Informatics, Vergados D., Lambrinoudakis C. , (eds), pp. 31-36, Oct, 2012, Piraeus, Greece, IEEE CPS Conference Publishing Services
Abstract

Firms have been making big investments in information and communication technologies (ICT) in the last twenty years. Therefore the investigation of their effect on various aspects of business performance is necessary. This paper presents an empirical investigation and comparison of the effects of hard and soft ICT investment, and also of four ‘traditional’ innovation drivers (demand expectation, price and non-price competition, market concentration), on the innovation performance of Greek firms. In particular, we examine from this perspective four different types of soft ICT investment in ICT structures, personnel, skills and processes. Our results indicate that while in the innovation averse Greek national context none of the examined traditional innovation drivers have a statistically significant impact on the innovation performance of Greek firms, both hard ICT investment, and three of the examined types of soft ICT investment, have such positive impacts. Our results provide empirical evidence that both hard and soft ICT investment can be strong drivers of innovation, even in such innovation averse contexts, in which the classical innovation drivers do not affect innovation performance.

S. Kokolakis, K. Anastasopoulou, M. Karyda, An Analysis of Privacy-related Strategic Choices of Buyers and Sellers in e-Commerce Transactions, 16th Panhellenic Conference on Informatics (PCI2012), Oct, 2012, Piraeus, CPS
Abstract

E-commerce transactions, in addition to the exchange of goods and services for payment, often entail an indirect transaction, where personal data are exchanged for better services or lower prices. This paper analyses buyer’s and seller’s privacy-related strategic choices in e-commerce transactions through game theory. We demonstrate how game theory can explain why buyers mistrust internet privacy policies and relevant technologies (e.g. P3P) and sellers hesitate to invest in data protection.

[133]
P. Rizomiliotis, C. Skianis, PASSIVE: Policy-Assessed system-level Security, 9th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2012 ), S. Fischer-Hübner, S. Katsikas , (eds), Sep, 2012, Vienna, Austria, Springer
[134]
A. Katsiotis, N. Kalouptsidis, P. Rizomiliotis, Recursive Flexible Convolutional Encoders for Parallel Concatenation, International Symposium on Turbo Codes & Iterative Information Processing (ISTC), E. Agrell, J. B. Anderson, E. G. Larsson, (eds), Aug, 2012, Gothenburg, Sweden, IEEE Press
Maria Eleni Skarkala, Hannu Toivonen, Pirjo Moen, M. Maragoudakis, S. Gritzalis, L. Mitrou, Privacy Preservation by k-Anonymization of Weighted Social Networks, 2012 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, P. Yu, K. Carley et al., (eds), pp. 423-428, Aug, 2012, Istanbul, Turkey, IEEE CPS Conference Publishing Services, http://dl.acm.org/ft_gateway.cfm?id=2...
Abstract

Privacy preserving analysis of a social network aims at a better understanding of the network and its behavior, while at the same time protecting the privacy of its individuals. We propose an anonymization method for weighted graphs, i.e., for social networks where the strengths of links are important. This is in contrast with many previous studies which only consider unweighted graphs. Weights can be essential for social network analysis, but they pose new challenges to privacy preserving network analysis. In this paper, we mainly consider prevention of identity disclosure, but we also touch on edge and edge weight disclosure in weighted graphs. We propose a method that provides k-anonymity of nodes against attacks where the adversary has information about the structure of the network, including its edge weights. The method is efficient, and it has been evaluated in terms of privacy and utility on real word datasets.

E. Loukis, Y. Charalabidis, V. Diamantopoulou, Different Digital Moderated and Non-Moderated Mechanisms for Public Participation, Proceedings of the EMCIS 2012 European, Mediterranean, and Middle Eastern Conference on Information Systems, Late Breaking Papers, A. Ghoneim, R. Klischewski, H. Schrödl, M. Kamal, (eds), pp. 63-73, Jun, 2012, Munich, Germany, EMCIS
Abstract

Several off-line mechanisms have been developed and applied for the participation of citizens in government policy making and services design. The increasing adoption of ICT, and especially the Internet, by individuals allows the development of a new generation of digital mechanisms for public participation (e-participation). The dominant digital mechanism has been in the last ten years the development of official e-participation websites by government agencies, which provide to the citizens information on government activities and also policies and services under formulation, and allow them to participate in relevant consultations in electronic fora. However, the effectiveness of this mechanism has been much lower than expectations. In this paper are presented three different digital mechanisms for public participation, which have been developed by the authors as part of European research projects. The first of them is based on the use of structured e-forum, in which citizens can enter only annotated postings according to a predefined discussion ontology. The second is based on the use of a central platform which can publish policy-related content and micro-applications to multiple social media simultaneously, and also collect and process data on citizens’ interaction with them (e.g. views, comments, ratings, votes, etc.). While the previous mechanisms were moderated by government, the third one – still under development as part of the European research project NOMAD - is non-moderated. It is based on the search by government agencies for content on a public policy under formulation, which has been created in numerous social media and other sources (e.g. blogs and micro-blogs, news sharing sites, online forums, etc.) by citizens freely, without any government initiation, stimulation or moderation, and the advanced processing of this content.

S. Arvanitis, E. Loukis, V. Diamantopoulou, Soft ICT and Innovation Performance – An Empirical Investigation, Proceedings of the EMCIS 2012 European, Mediterranean, and Middle Eastern Conference on Information Systems, A. Ghoneim, R. Klischewski, H. Schrödl, M. Kamal , (eds), pp. 426-440, Jun, 2012, Munich, Germany, EMCIS
Abstract

The limited number of previous empirical investigations of the effect of information and communication technologies (ICT) on innovation focus mainly on the ‘hard’ dimensions of ICT (i.e. firm’s ICT equipment). This paper presents an empirical investigation of the effect of five important ‘soft’ dimensions of ICT at firm level (ICT structure, personnel, skills, strategy, processes) on firm’s innovation performance (concerning both products/services and processes innovation). It is based on firm-level data collected through a survey of 271 Greek firms, which have been used for estimating regressions of product/service innovation and process innovation on measures of the hard ICT, the above five soft dimensions of ICT, and also four important ‘traditional’ innovation determinants identified from the long previous research in this area (demand expectation, price and non-price competition, market concentration). It is concluded that four of the examined soft dimensions of ICT (ICT personnel, skills, strategy and processes) have positive effects on firm’s innovation performance. Our results indicate that the soft dimensions of ICT at firm level are strong drivers of innovation, which increase considerably the positive contribution of ICT to firms’ innovation performance.

L. Mitrou, M. Karyda, EU΄s Data Protection Reform and the right to be forgotten - A legal response to a technological challenge?, 5th International Conference of Information Law and Ethics, Available at SSRN: http://ssrn.com/abstract=2165245, Jun, 2012, Corfu, Greece
Abstract

Technological and social phenomena like cloud computing, behavioural advertising, online social networks as well as globalisation (of data flows) have profoundly transformed the way in which personal data are processed and used. This paper discusses the efficiency of the legislation in force and the impact of PETs and the concept of privacy by design on the enforcement of data protection rules. By recognizing the need to update the data protection regulation as a result of current technological trends that threaten to erode core principles of data protection, the paper addresses the question if the Draft-Regulation presents an adequate and efficient response to the challenges that technological changes pose to regulators. In this context the paper focuses on the right to be forgotten as a comprehensive set of existing and new rules to better cope with privacy risks online in the age of “perfect remembering” and we how persistency and high availability of information limit the right of individuals to be forgotten. The paper deals with both the normative and the technical instruments and requirements so as to ensure that personal information will not be permanently retained.

[139]
A. Tsohou, Lee H., Z. Irani, V. Weerakkody , I. Osman, A. Latif, T. Medeni, Evaluating E-Government Services From A Citizens’ Perspective: A Reference Process Model, European, Mediterranean & Middle Eastern Conference on Information Systems , Ghoneim A., Klischewski R., Schrödl H., Muhammed K., (eds), pp. 146-153, Jun, 2012, Munich, Germany
[140]
A. Tsohou, Lee H., K. Al-Yafi, Evaluating M-Government Applications: An Elaboration Likelihood Model Framework, European, Mediterranean & Middle Eastern Conference on Information Systems , Ghoneim A., Klischewski R., Schrödl H., Muhammed K., (eds), pp. 154-160, Jun, 2012, Munich, Germany
R. El-Haddadeh , A. Tsohou, M. Karyda, Implementation challenges for information security awareness initiatives in e-Government, European Conference on Information Systems, Paper 179, Jun, 2012, Barcelona, Spain, AIS Electronic Library (AISeL)
Abstract

With the widespread adoption of electronic government services, there has been a need to ensure a seamless flow of information across public sector organizations, while at the same time, maintaining confidentiality, integrity and availability. Governments have put in place various initiatives and programs including information security awareness to provide the needed understanding on how public sector employees can maintain security and privacy. Nonetheless, the implementation of such initiatives often faces a number of challenges that impede further take-up of e-government services. This paper aims to provide a better understanding of the challenges contributing towards the success of information security awareness initiatives implementation in the context of e-government. Political, organizational, social as well as technological challenges have been utilized in a conceptual framework to signify such challenges in e-government projects. An empirical case study conducted in a public sector organization in Greece was exploited in this research to reflect on these challenges. While, the results from this empirical study confirm the role of the identified challenges for the implementation of security awareness programs in e-government, it has been noticed that awareness programmers often pursue different targets of preserving security and privacy, which sometimes results in adding more complexity to the organization.

D. Damopoulos, G. Kambourakis, S. Gritzalis, Sang Oh Park, Lifting the veil on mobile malware: A complete dynamic solution for iOS, The 2012 Summer FTRA International Symposium on Advances in Cryptography, Security and Applications for Future Computing (ACSA-Summer), Jun, 2012, Vancouver, Canada, FTRA, http://www.icsd.aegean.gr/publication...
Abstract

It is without a doubt that malware especially designed for modern mobile platforms is rapidly becoming a serious threat. So far, research for dealing with this risk has concentrated on the Android platform and mainly considered static solutions rather than dynamic ones. Compelled by this fact, in this paper, we contribute a fully-fledged tool able to dynamically analyze any iOS software in terms of method invocation (i.e., which API methods the application invokes and under what order), and produce exploitable results that can be used to manually or automatically trace its behavior to decide if it contains malicious code or not. By employing real life malware we assessed our tool both manually as well as via heuristic techniques and the results we obtained are highly accurate in detecting malicious code.

P. Rizomiliotis, S. Gritzalis, GHB#: a provably secure HB-like lightweight authentication protocol, ACNS 2012 10th International Conference on Applied Cryptography and Network Security, F.Bao, P. Samarati, (eds), pp. 489-506, Jun, 2012, Singapore, Springer Lecture Notes in Computer Science LNCS, http://link.springer.com/content/pdf/...
Abstract

RFID technology constitutes a fundamental part of what is known as the Internet of Things; i.e. accessible and interconnected machines and everyday objects that form a dynamic and complex environment. In order to secure RFID tags in a cost-efficient manner, the last few years several lightweight cryptography-based tag management protocols have been proposed. One of the most promising proposals is the HB+ protocol, a lightweight authentication protocol that is supported by an elegant security proof against all passive and a subclass of active attackers based on the hardness of the Learning Parity with Noise (LPN) problem. However, the HB+ was shown to be weak against active man-in-the-middle (MIM) attacks and for that several variants have been proposed. Yet, the vast majority of them has been broken. In this paper, we introduce a new variant of the HB+ protocol that can provably resist MIM attacks. More precisely, we improve the security of another recently proposed variant, the HB# protocol by taking advantage of the properties of the well studied Gold power functions. The new authentication protocol is called GHB# and its security can be reduced to the LPN problem. Finally, we show that the GHB# remains practical and lightweight.

D. Damopoulos, G. Kambourakis, M. Anagnostopoulos, S. Gritzalis, J. H. Park, User-privacy and modern smartphones: A Siri(ous) dilemma, FTRA AIM 2012 International Conference on Advanced IT, Engineering and Management, S. Rho, N. Chilamkurti, W.-E. Chen, S.-O. Park, (eds), Feb, 2012, Seoul, FTRA, http://download.springer.com/static/p...
Abstract

The focus of this paper is on iPhone platform security and especially on user’s data privacy. We are designing and implementing a new malware that takes over the iOS mDNS protocol and exposes user's privacy information by capitalizing on the new Siri facility. The attack architecture also includes a proxy server which acts as man-in-themiddle between the device and the Apple's original Siri server.

[145]
A. Tsohou, Lee H., M. Barbos, A location based persuasive information system for public consultation: An elaboration likelihood mode approach, 2nd International Workshop on Advanced Service Management, 2012, Matsmoto, Japan
[146]
P. Makris, D. N. Skoutas, P. Rizomiliotis, C. Skianis, A User-Oriented, Customizable Infrastructure Sharing Approach for Hybrid Cloud Computing Environments, IEEE International Conference on Cloud Computing Technology and Science 2011 (IEEE CloudCom), pp. 432-439, Nov, 2011, Athens, Greece, IEEE Press, https://doi.org/10.1109/CloudCom.2011.64
S. Arvanitis, E. Loukis, V. Diamantopoulou, Information Systems and Innovation in Greek Firms – An Empirical Investigation, Proceedings of the PCI 2011 15th Pan-Hellenic Conference on Informatics, N. Karanikolasν C. Douligeris, (eds), pp. 315-320 , Sep, 2011, Kastoria, Greece, IEEE CPS Conference Publishing Services
Abstract

There has been an extensive theoretical literature during the last 20 years supporting that information and communication technologies (ICT) have a huge potential to drive significant innovations in firms’ processes, products and services, which can result in big performance improvements. However, limited empirical investigation of this innovation potential of ICT has been conducted. This paper presents an empirical investigation of the impact of two widely used types of information systems (IS) (internal and e-sales ones), and also of four important ‘traditional’ innovation determinants (demand expectation, price and non-price competition, market concentration) for comparison purposes, on innovation in Greek firms. It has been concluded that in the ‘innovation averse’ Greek national context both these IS types have a strong positive impact on innovation, whilst this does not hold for any of the examined ‘traditional’ innovation determinants.

P. Rizomiliotis, E. Rekleitis, S. Gritzalis, Designing secure RFID authentication protocols is (still) a non-trivial task, NSS 2011 5th International Conference on Network and Systems Security, P. Samarati, S. Foresti, J. Hu, (eds), pp. 73-80, Sep, 2011, Milan, Italy, IEEE CPS Conference Publishing Services, http://ieeexplore.ieee.org/xpl/login....
Abstract

In the last few years, a plethora of RFID authentication protocols have been proposed and several security analyses have been published creating the impression that designing such a protocol must be, more or less, a straightforward task. In this paper, we investigate the security of two recently proposed schemes, showing that designing a secure RFID authentication protocol is still a demanding process. One is a mature work; in the sense that it has predecessors that have been extensively analyzed, while the other is a fresh proposal. Our security analysis demonstrates that both are weak, as they suffer from a similar desychronization attack. In addition we prove the existence of a fatal tag impersonation attack against the second one.

E. Loukis, S. Kokolakis, K. Anastasopoulou, Factors of PKI adoption in European firms, The 6th Mediterranean Conference on Information Systems (MCIS) 2011, Sep, 2011, Cyprus
Abstract

Public Key Infrastructure (PKI) is an established technology that has been around for more than fifteen years. However, its adoption follows a very slow pace. Previous research, based either on a theoretical analysis of PKI or on specific cases of PKI implementation, has indicated several possible reasons for PKI non-adoption. In this paper we examine the effect of specific organizational factors on PKI adoption using empirical data from 14065 European firms collected through the e-Business Watch Survey of the European Commission. We have shown that it is still addressed as innovative technology that requires an innovation culture. Moreover, small and medium –sized firms are rather reluctant to adopt it and it is mostly implemented in firms with a large number of employees and tele-workers. Also, the extensive use of IS for supporting internal functions and cooperation with the external environment (e.g. customers and prospects), and the high dependence on them, are drivers of PKI adoption.

Maria Eleni Skarkala, M. Maragoudakis, S. Gritzalis, L. Mitrou, Privacy Preserving Tree Augmented Naïve Bayesian Multi – party Implementation on Horizontally Partitioned Databases, TrustBus 2011 8th International Conference on Trust, Privacy and Security of Digital Business, S. Furnell, C. Lambrinoudakis, and G. Pernul, (eds), pp. 62 - 73, Aug, 2011, Toulouse, France, Lecture Notes in Computer Science LNCS, Springer, http://link.springer.com/content/pdf/...
Abstract

The evolution of new technologies and the spread of the Internet have led to the exchange and elaboration of massive amounts of data. Simultaneously, intelligent systems that parse and analyze patterns within data are gaining popularity. Many of these data contain sensitive information, a fact that leads to serious concerns on how such data should be managed and used from data mining techniques. Extracting knowledge from statistical databases is an essential step towards deploying intelligent systems that assist in making decisions, but also must preserve the privacy of parties involved. In this paper, we present a novel privacy preserving data mining algorithm from statistical databases that are horizontally partitioned. The novelty lies to the multi-candidate election schema and its capabilities of being a basic foundation for a privacy preserving Tree Augmented Naïve Bayesian (TAN) classifier, in order to obviate disclosure of personal information.

[151]
E. Konstantinou, E. Klaoudatou, P. Kamparmpakis, Performance Evaluation of ID-based Group Key Agreement Protocols, Sixth International Conference on Availability, Reliability and Security (AReS 2011), Aug, 2011, Vienna, Austria, IEEE CPS
[152]
I. Agudo, D. Nunez , G. Giammatteo, P. Rizomiliotis, C. Lambrinoudakis, Cryptography goes to the Cloud, Secure and Trust Computing, data management, and Applications (STA) 2011, STAVE workshop, J. Lopez, (ed), (to appear), Jun, 2011, Loutraki, Greece, Springer CCIS
D. Nunez , I. Agudo, P. Drogkaris, S. Gritzalis, Identity Management Challenges for Intercloud Applications, STAVE 2011 1st International Workshop on Security & Trust for Applications in Virtualised Environments, C. Skianis, (ed), pp. 198-204, Jun, 2011, Loutraki, Greece, Springer CCIS, http://link.springer.com/content/pdf/...
Abstract

Intercloud notion is gaining a lot of attention lately from both enterprise and academia, not only because of its benefits and expected results but also due to the challenges that it introduces regarding interoperability and standardisation. Identity management services are one of the main candidates to be outsourced into the Intercloud, since they are one of the most common services needed by companies and organisations. This paper addresses emerging identity management challenges that arise in intercloud formations, such as naming, identification, interoperability, identity life cycle management and single sign-on.

D. Damopoulos, G. Kambourakis, S. Gritzalis, iSAM: An iPhone Stealth Airborne Malware, IFIP SEC 2011 26th IFIP TC-11 International Information Security Conference, J. Camenisch, S. Fischer-Huebner, Y. SJ Murayama, (eds), pp. 17-28, Jun, 2011, Lucerne, Switzerland, IFIP Advances in Information and Communication Technology, Vol. 354, Springer, http://link.springer.com/content/pdf/...
Abstract

Modern and powerful mobile devices comprise an attractive target for any potential intruder or malicious code. The usual goal of an attack is to acquire user’s sensitive data or compromise the device so as to use it as a stepping stone (or bot) to unleash a number of attacks to other targets. In this paper, we focus on the popular iPhone device. We create a new stealth and airborne malware namely iSAM able to wirelessly infect and self-propagate to iPhone devices. iSAM incorporates six different malware mechanisms, and is able to connect back to the iSAM bot master server to update its programming logic or to obey commands and unleash a synchronized attack. Our analysis unveils the internal mechanics of iSAM and discusses the way all iSAM components contribute towards achieving its goals. Although iSAM has been specifically designed for iPhone it can be easily modified to attack any iOS-based device.

S. Arvanitis, E. Loukis, V. Diamantopoulou, The Impact of Different Types of ICT On Innovation Performance of Greek Firms, Proceedings of the EMCIS 2011 European, Mediterranean, and Middle Eastern Conference on Information Systems, A. Ghoneim, M. Themistocleous, D. Koufopoulos, M. Kamal , (eds), pp. 609-623, May, 2011, Athens, Greece, EMCIS
Abstract

It is widely recognised that innovation is of critical importance for the competitiveness and growth of firms, sectors and countries, so understanding its determinants is a critical research question. Beyond the ‘traditional’ innovation determinants identified by previous relevant research, there has been extensive theoretical literature on the potential of information and communication technologies (ICT) to drive innovation; however limited empirical investigation of it has been conducted. This paper presents an empirical investigation of the impact of three different ICT (internal information systems (IS), e-sales and e-procurements), and also - for comparison purposes – of four important ‘traditional’ innovation determinants (demand expectation, price and non-price competition, market concentration), on the innovation performance of Greek firms. It is based on firm-level data collected through a survey of 271 Greek firms. The results show that in the Greek ‘innovation averse’ national context (characterised by low level of innovation and uncertainly avoidance culture), though none of the examined ‘traditional’ innovation determinants has an impact on product and process innovation of firms, the internal IS have a strong positive impact on both product and process innovation, and the e-sales only on process innovation; on the contrary, e-procurement is not a driver of innovation. Our results indicate the high potential of ICT as innovation driver even in innovation averse contexts, which however varies between different types of ICT.

[156]
Lim J., Lee H., A. Tsohou, What makes online brand community prosperous? The mediating role of sense of belonging and brand loyalty, LG CNS / KrAIS Workshop 2011, a post ICIS 2011 program, Shanghai, China, (to appear), 2011
E. Rekleitis, P. Rizomiliotis, S. Gritzalis, A holistic approach to RFID security and privacy, SecIoT 2010 1st International Workshop on the Security of the Internet of Things, J. Zhou. et al., (eds), Dec, 2010, Tokyo, Japan, http://www.researchgate.net/publicati...
Abstract

RFID technology constitutes an important part of what has become known as the IoT; i.e accessible and interconnected machines and everyday objects that form a dynamic and complex environment. In order to be able to secure the IoT in a cost-efficient manner we need to build security and privacy into the design of its components. Thus, in this paper, we first introduce the use of security and privacy policies that can offer fine granularity and context-aware information control in RFID systems, and with this in mind, we propose a novel secure and privacy preserving tag management protocol to implement such policies. The new protocol has a modular design in order to support all the basic management operations (tag authentication, delegation and ownership transfer), while imposing minimal hardware and computational requirements on the tag side.

[158]
F. Giannakas, K. Papanikolaou, Interaction Analysis at synchronous educational environments, 7th Pan-Hellenic Conference with International participation, Sep, 2010, Korinthos, Greece, http://korinthos.uop.gr/~hcicte10/
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Analyzing Information Security Awareness through Networks of Association, 7th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2010), pp. 227-237, Sep, 2010, Bilbao, Spain, Lecture Notes in Computer Science, Springer
Abstract

Information security awareness is a continuous effort to raise attention to information security and its importance, in order to stimulate securityoriented behaviors. Despite the increasing interest of researchers on the topic and the continuous notifications of global security surveys for its significance, awareness remains a critical issue of information security. Related approaches propose techniques and methods for promoting security without theoretical grounding and separately from the overall information security management framework. The aim of this paper is to suggest a theoretical and methodological framework which facilitates the analysis and understanding of the issues that are intertwined with awareness activities, in order to support the organization’s security management.

P. Drogkaris, S. Gritzalis, Attaching Multiple Personal Identifiers in X.509 Digital Certificates, EuroPKI 2010 7th European Workshop on Public Key Services, Applications and Infrastructures, J. Camenisch and C. Lambrinoudakis, (eds), pp. 171-177, Sep, 2010, Athens, Greece, Springer LNCS, http://download.springer.com/static/p...
Abstract

The appeals for interoperable and decentralized Electronic Identity Management are rapidly increasing, especially since their contribution towards interoperability across the entire “electronic” public sector, effective information sharing and simplified access to electronic services, is unquestioned. This paper presents an efficient and user-centric method for storing multiple users’ identifiers in X.509 digital certificates while preserving their confidentiality, allowing for interoperable user identification in environments where users cannot be identified by an all embracing unique identifier.

P. Drogkaris, S. Gritzalis, C. Lambrinoudakis, Transforming the Greek e-Government Environment towards the e-Gov 2.0 Era, EGOVIS 2010 International Conference on Electronic Government and the Information Systems Perspective, R.Wagner, (ed), pp. 142-149, Sep, 2010, Bilbao, Spain, Springer LNCS, http://link.springer.com/content/pdf/...
Abstract

Modern e-Government environments across the public sector have achieved significant interoperability and coherence but are now in front of the next leap forward, which is the adaptation of Web 2.0 technologies. This transition towards e-Government 2.0 will not only improve participation, transparency and integration but it will also speed up the pace of innovation through collaboration and consultation. This paper presents an enhanced Greek e-Government Framework that fully incorporates Web 2.0 technologies along with an identification mechanism that retains compliance with existing authentication sub-framework taking into account the specific needs and requirements of the Greek Governmental Agencies.

E. Rekleitis, P. Rizomiliotis, S. Gritzalis, An Agent Based Back-end RFID Tag Management System, TrustBus’10 7th International Conference on Trust, Privacy and Security in Digital Business, S.Katsikas, J.Lopez, M. Soriano , (eds), pp. 165-176, Aug, 2010, Bilbao, Spain, Springer Berlin Heidelberg, http://link.springer.com/content/pdf/...
Abstract

Motivated by the plethora of RFID security protocols and the interoperability problems that this diversity causes, we propose a software agent-based platform that allows an RFID back-end subsystem to integrate and manage heterogeneous tags that are based on non-standardized implementations. In addition, we introduce a new suite of lightweight tag management protocols that support tag authentication, time-based tag delegation and ownership transfer. The protocols can take advantage of the proposed agent-based platform and do satisfy all the standard security and privacy requirements.

[163]
N. Vrakas, C. Kalloniatis, A. Tsohou, C. Lambrinoudakis, Privacy Requirements Engineering for Trustworthy e-Government Services, 3rd International Conference on Trust and Trustworthy Computing (TRUST 2010), pp. 298-307, Jun, 2010, Berlin, Germany, Lecture Notes in Computer Science series, Springer
[164]
R. Evans, A. Tsohou, T. Tryfonas, T. Morgan, Architecting Secure Systems with the ISO standards 26702 and 27001, 5th IEEE International Conference on Systems of Systems Engineering (SoSE 2010), Jun, 2010, Loughborough, UK, IEEE Computer Society Press
A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Unifying ISO Security Standards Practices into a Single Security Framework, 2010 South African Information Security Multi-Conference, May, 2010, Port Elisabeth, South Africa, https://www.google.gr/url?sa=t&rct=j&...
Abstract

Compliance to standards is quite important for numerous reasons, including interoperability, conformity assessment etc. However, even though recent surveys indicate that international security standards do gain acceptance and that a continuously increasing number oforganizations adopt them, still the majority do not know them or do not fully implement them. In this paper we facilitate the awareness of security practitioners on ISO security standards and we propose a security framework that is based on them. In order to explain the different layers of the framework and illustrate its applicability we have used as a case study a Payroll and Pensioner Information System.

[166]
F. Giannakas, An alternative proposal with the design of electronic games for the teaching of Multimedia-Networks lesson to the Secondary Education, 5th Pan-Hellenic Conference at the Didactic of Informatics, Apr, 2010, Athens, Greece, http://hermes2.di.uoa.gr:8080/didinf5/
P. Rizomiliotis, Misusing universal hash functions: security analysis of a hardware efficient stream cipher using LFSR based hash function, IEEE Information Theory Workshop, Jan, 2010, Cairo, Egypt, IEEE Press
Abstract

Hardware efficient encryption algorithms are necessary for applications like low cost Radio Frequency Identification (RFID) tags. In order to keep the cost as low as possible, the designers of lightweight algorithms are using simplified versions of well studied components. Unfortunately, in most cases this simplification leads to weak constructions. In this paper, we investigate one such case. Recently, a low hardware complexity binary additive stream cipher was proposed in the Computers & Security journal. This stream cipher is based on a simplified version of a family of universal hash functions. The new family is called Toeplitz hash. The Toeplitz hash functions can be very efficiently implemented on hardware and for that the proposed stream cipher is suitable for low cost applications. However, we demonstrate that the security of the cipher is much weaker than it was claimed. More precisely, we introduce a known-plaintext attack that can retrieve the secret key with very low computational complexity that requires only a few known keystream bits by taking advantage of the low cost.

G. Kambourakis, E. Konstantinou, S. Gritzalis, Revisiting WiMAX MBS Security, FTRG ACSA 2009 International Workshop on Advances in Cryptography, Security and Applications for Future Computing, Y. Mu, J. H. Park, (eds), pp. 181-190, Dec, 2009, Deju, Korea, IEEE Press, http://www.sciencedirect.com/science/...
Abstract

IEEE 802.16 technology also well known as WiMax is poised to deliver the next step in the wireless evolution. This is further fostered by the 802.16e specification which, amongst other things, introduces support for mobility. The Multicast/Broadcast Service (MBS) is also an integral part of 802.16e destined to deliver next generation services to subscribers. In this paper we concentrate on the Multicast and Broadcast Rekeying Algorithm (MBRA) of 802.16e. This algorithm has been recently criticized for various vulnerabilities and security inefficiencies, as its designers are trying to balance wisely between performance and security. After surveying related work, we extensively discuss MBRA security issues and propose the use of a novel asymmetric group key agreement protocol based on the work in Wu et al. (2009) [3]. Our scheme guarantees secure delivery of keys to all the members of a given group and mandates rekeying upon join and leave events. It can prevent insider attacks since only the Base Station possesses a secret encryption key while all other members in the network acquire the transmitted data by using their secret decryption keys. We compare our scheme with related work and demonstrate that although heavier in terms of computing costs, it compensates when scalability and security come to the foreground.

P. Drogkaris, C. Lambrinoudakis, S. Gritzalis, Introducing Federated Identities to One-Stop-Shop e-Government Environments: The Greek Case, 19th Conference on eChallenges 2009, P. Cunningham, (ed), pp. 88 - 93, Oct, 2009, Istanbul, Turkey, eChallenges Pub., http://www.icsd.aegean.gr/publication...
Abstract

Even though e-Government environments have achieved a certain interoperability level and coherence across public sector, there are several approaches, technologies and mechanisms that could aid these environments towards delivering more user-centric electronic services. This paper focuses on the aspect of identity management. More specifically it presents a framework that incorporates the notion of federation and federated identities in order to overcome the impediment of per-sector identifiers. Moreover, it provides Single Sign-On access to electronic services through the utilization of a linking mechanism. This framework has been based on the Greek Interoperability Framework and its specific requirements and limitations.

[170]
A.-M. Piskopani, L. Mitrou, Facebook: Reconstructing Communication and decostructing privacy law? , 4th Mediterranean Conference on Information Systems, Polymenakou/Pouloudi/Pramatari (eds.), Sep, 2009, Athens- Greece
A. Tsohou, M. Karyda, S. Kokolakis, E. Kiountouzis, Aligning Security Awareness with Information Systems Security Management, 4th Mediterranean Conference on Information Systems (MCIS09), Sep, 2009, Athens, Greece
Abstract

This paper explores the way information security awareness connects to the overall information security management framework it serves. To date, the formulation of security awareness initiatives has tended to ignore the important relationship with the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so as to ensure that awareness activities serve the security management strategy and that security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and we explore their interactions. The identification of these interactions results in making us able to place awareness in a security management framework instead of viewing it as an isolated security mechanism.

A. Tsohou, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Information Systems Security Management: A review and a classification of the ISO standards, e-Democracy 2009 , A. Sideridis and C. Patrikakis , (eds), pp. 220-235, Sep, 2009, Athens, Greece, Springer Lecture Notes of the ICSSIT Institute for Computer Sciences, Social Informatics, & Telecom, http://link.springer.com/content/pdf/...
Abstract

The need for common understanding and agreement of functional and non-functional requirements is well known and understood by information system designers. This is necessary for both: designing the “correct” system and achieving interoperability with other systems. Security is maybe the best example of this need. If the understanding of the security requirements is not the same for all involved parties and the security mechanisms that will be implemented do not comply with some globally accepted rules and practices, then the system that will be designed will not necessarily achieve the desired security level and it will be very difficult to securely interoperate with other systems. It is therefore clear that the role and contribution of international standards to the design and implementation of security mechanisms is dominant. In this paper we provide a state of the art review on information security management standards published by the International Organization for Standardization and the International Electrotechnical Commission. Such an analysis is meaningful to security practitioners for an efficient management of information security. Moreover, the classification of the standards in the clauses of ISO/IEC 27001:2005 that results from our analysis is expected to provide assistance in dealing with the plethora of security standards.

C. Kolias, V. Kolias, G. Kambourakis, A Secure and Efficient Authentication Protocol for Passive RFID Tags, Sixth International Symposium on Wireless Communication Systems 2009 (ISWCS’09), pp. 36-40, Sep, 2009, Siena, Italy, IEEE Press
Abstract

At the onset of the ubiquitous computing era, systems need to respond to a variety of challenges, in order to capitalize on the benefits of pervasiveness. One of the pivotal enablers of pervasive computing is the RFID technology which can be successfully applied in numerous applications. However, the interaction of such applications with sensitive personal data renders the need for assuring confidentiality a sine qua non. The native limitations in computing resources, i.e., computational power, memory etc, that characterize nearly all classes of RFID tags make the development of custom-tailored RFID security protocols a troublesome yet challenging task. In this paper we propose a mutual authentication protocol for low cost RFID tags and readers. We also demonstrate that our scheme is more efficient in terms of resource utilization on the backend server, and under identical conditions, more secure when compared with existing congruent protocols.

P. Rizomiliotis, HB −MAC: Improving the Random− HB# authentication protocol, Trustbus 2009, Fischer-Huebner S., Lambrinoudakis C., (eds), pp. 159-168, Sep, 2009, Linz, Austria, Springer
Abstract

The Random−HB# protocol is a significant improvement of the HB+ protocol introduced by Juels and Weis for the authentication of low-cost RFID tags. Random − HB# improves HB+ in terms of both security and practicality. It is provably resistant against man-inthe- middle attacks, where the adversary can modify messages send from the reader to the tag and performs significantly better than HB+, since it reduces the transmission costs and provides more practical error rates. The only problem with Random − HB# is that the storage costs for the secret keys are insurmountable to low cost tags. The designers of the protocol have proposed also an enhanced variant which has less storage requirements, but it is not supported by a security proof. They call this variant just HB#. In this paper we propose a variant of the Random− HB#. The new proposal maintains the performance of the Random − HB#, but it requires significantly less storage for the key. To achieve that we add a lightweight message authentication code to protect the integrity of all the exchanged messages.

P. Drogkaris, S. Gritzalis, C. Lambrinoudakis, Enabling Secure Data Management in e-Government Environments: The Greek Case, EGOV 2009 8th International Conference on Electronic Government, E. Ferro, J. Scholl, M. Wimmer, (eds), pp. 138 - 144, Sep, 2009, Linz, Austria, Trauner Verlag
Abstract

Modern e-Government environments adopt technologies that can support interoperability across the entire “electronic” public sector and thus new improved electronic services. At the same time new requirements are raised from the users. This paper presents ongoing research on a secure user data management architecture for e-Government environments. More specifically the utilization of Privacy Preferences and Privacy Policies along with the introduction of two entities responsible for administrating user documents and data management is proposed. The research work presented has been based on the Greek Interoperability Framework and it’s specific requirements and limitations.

E. Klaoudatou, E. Konstantinou, G. Kambourakis, S. Gritzalis, A Cluster-based Framework for the Security of Medical Sensor Environments, TrustBus’09 6th International Conference on Trust, Privacy and Security in Digital Business, S. Fischer-Huebner, C. Labrinoudakis, (eds), Sep, 2009, Linz, Austria, Lecture Notes in Computer Science LNCS, Springer, http://link.springer.com/content/pdf/...
Abstract

The adoption of Wireless Sensor Networks (WSNs) in the healthcare sector poses many security issues, mainly because medical information is considered particularly sensitive. The security mechanisms employed are expected to be more efficient in terms of energy consumption and scalability in order to cope with the constrained capabilities of WSNs and patients’ mobility. Towards this goal, cluster-based medical WSNs can substantially improve efficiency and scalability. In this context, we have proposed a general framework for cluster-based medical environments on top of which security mechanisms can rely. This framework fully covers the varying needs of both in-hospital environments and environments formed ad hoc for medical emergencies. In this paper, we further elaborate on the security of our proposed solution. We specifically focus on key establishment mechanisms and investigate the group key agreement protocols that can best fit in our framework.

A. Tsohou, P. Rizomiliotis, C. Lambrinoudakis, S. Gritzalis, Security and Privacy Issues in Bipolar Disorder Research, ICICTH 7th International Conference on Information and Communication Technologies in Health, A. Hasman et al., (eds), Jul, 2009, Samos, Greece, INEAG
Abstract

Most mental illnesses, including bipolar disorder (BD), cause disability. BD is one of the world’s 10 most disabling conditions, characterized by episodes of full-blown mania and major depression, with devastating consequences on the professional and social life of the patient. A major problem in BD diagnosis and treatment is the absence of objective criteria and lack of understanding of the underlying pathological mechanisms and symptoms linked to episodes. The need for a central repository that will maintain BD related data is therefore a prerequisite for triggering BD-research and address the aforementioned problem. Specifically, it will collect healthcare data for BD cases in Europe, phenotypical information (clinical, cognitive, electrophysiological, brain imaging and biochemical evaluations), genotype information, and other information like sleep activity, actimeter, speech characteristics etc. Even though this approach is highly beneficial for medical research, the processing of medical data raises, by definition, security and privacy issues; protection of data confidentiality and integrity as well as inability to identify the patient. This paper presents an anonymity-preserving mechanism for disclosing electronic health care records to the research community without revealing the identity of the BD patient while taking into account local and international data protection legislation and other related ethical issues. Finally, we will identify the parts of the system where access control is required and will specify the rights that each user role should exhibit over the system resources.

[178]
K. Prousalis, E. Konstantinou, N. Konofaos, A. A. Iliadis, Developing Quantum Nanocomputing for Pervasive Health Environments, Nanohealth 2009 Workshop in Nanoengineering and Nanocomputing Applications for Pervasive Health Environments of the Future in conjuction with Petra 2009 2nd International Conference on PErvasive Technologies Related to Assistive Environments, Jun, 2009, Corfu, Greece, ACM Press
D. Geneiatakis, C. Lambrinoudakis, G. Kambourakis, A. Kafkalas, S. Ehlert, A First Order Logic Security Verification Model for SIP, IEEE International Conference on Communications (ICC 2009), Jun, 2009, Dresden, Germany, IEEE Press, http://ieeexplore.ieee.org/xpl/login....
Abstract

It is well known that no security mechanism can provide full protection against a potential attack. There is always a possibility that a security incident may happen, mainly as a result of a new or modified attack that the employed countermeasures cannot handle or identify. It is therefore useful to perform a deferred analysis of logged network data, in an attempt to identify abnormal behavior/traffic that flags some type of security incident that has not been detected by the security countermeasures. Such an analysis of logged data for critical real time applications, like VoIP services, is certainly a valuable tool for enhancing the security level of the provided service. In this paper we introduce a practical tool that can be employed for the analysis of logged VoIP data and thus validate the effectiveness of the security mechanisms and the conformance with the corresponding security policy rules. For the analysis of the data we capitalize on our security model for VoIP services [25] that is based on First Order Logic concepts, while the Protégé API and the Semantic Web Rule Language (SWRL) are also exploited. The proposed tool has been evaluated in terms of an experimental environment, while the results obtained confirm the validity of its operation and demonstrate its effectiveness.

G. Kambourakis, C. Kolias, S. Gritzalis, J. H. Park, Signaling-oriented DoS Attacks in UMTS Networks, ISA 2009 3rd International Conference on Information Security and Assurance, J. Zhan et al., (eds), pp. 280-289, Jun, 2009, Seoul, Korea, Lecture Notes in Computer Science LNCS, Springer, http://link.springer.com/content/pdf/...
Abstract

The Universal Mobile Telecommunication Standard (UMTS) is the Third Generation (3G) mobile technology with the widest public acceptance. Although, enhanced in matters of security, comparing to its predecessor i.e., the GSM, it still has vulnerabilities that can lead to security breach. In this paper we investigate the vulnerabilities of the UMTS architecture that can be exploited by a malicious entity to launch Denial of Service (DoS) attacks. We examine the methodologies that an attacker would possibly follow, as well as the possible outcome of such class of attacks. We also give some suggestions that would provide greater tolerance to the system against DoS attacks.

[181]
E. Kosta, C. Kalloniatis, L. Mitrou, E. Kavakli, Search engines: gateway to a new “Panopticon”, TRUSTBUS -Trust, Privacy and Security in Digital Business, Lecture Notes in Computer Science, pp. 11-21, 2009, Berlin Heidelberg , Springer 2009
A. Katsiotis, P. Rizomiliotis, N. Kalouptsidis, New Constructions of Low-Complexity Convolutional Codes, IEEE International Conference on Communications 2009 , 2009, Dresden, Germany, IEEE Press
Abstract

In this paper new constructions of low trellis complexity convolutional codes are presented. New codes are found by searching into a specific class of time varying convolutional codes, which is shaped by some basic properties and search restrictions. An efficient technique for obtaining minimal trellis modules for the proposed codes is provided. Finally, more than 80 new low complexity convolutional codes of various code rates and memory sizes are tabulated

P. Rizomiliotis, A. Bogris, D. Syvridis, Message Origin Authentication and Integrity Protection in Chaos-based Optical Communication, IEEE International Conference on Communications 2009 , 2009, Dresden, Germany, IEEE Press
Abstract

The construction of quantum computers forms the major threat against the security of modern communication systems, as anyone who can build a large quantum computer can break today's most popular cryptosystems. Given the central role of information security in the deployment of modern systems, the preparation of the cryptographic world for a future of quantum computers is imperative. In this context, several alternatives have been proposed, mainly basing their security on the laws of physics. One of the most promising technologies is the optically generated chaos-based cryptography. One of its main advantages is that it can be combined with the technology of optical communication networks in a natural way. In this paper, we propose a message authentication and integrity protection scheme based on optically generated chaos. The new scheme is coming to complete a recently introduced solution, for data confidentiality based on optical chaos.

P. Rizomiliotis, Vectorial Boolean Functions: algebraic immunity and annihilators, Enhancing Crypto-Primitives with Techniques from Coding Theory, NATO Advanced Research Workshop, 2009, Veliko Turnovo, Bulgaria, IOS Press
Abstract

The algebraic immunity AI(f) of a Boolean function f is defined as the minimum degree of all annihilators of f. The high value of algebraic immunity consists a necessary condition for Boolean functions used in stream ciphers to resist algebraic attacks. of the two values. In this paper, we introduce the notion of extended algebraic immunity AI(f) defined as the maximum of pAI(f) and pAI(f © 1), where pAI(f) is the minimum degree of all annihilators of f (pAI(f © 1) of f © 1 respectively). We introduce a lower bound of the r-th order nonlinearity of a Boolean function f with given AI(f) and AI(f). The bound is tighter than all known lower bounds, where only the algebraic immunity AI(f) is used. The value of AI(f) can be computed as part of the calculation of AI(f), with no extra computational cost.

C. Kolias, V. Kolias, J. Anagnostopoulos, G. Kambourakis, E. Kayafas, A Speech-Enabled Assistive Collaborative Platform for Educational Purposes with User Personalization, 3rd International Workshop on Semantic Media Adaptation and Personalization (SMAP 2008), pp. 157-163, Dec, 2008, Prague, Czech Republic, IEEE Computer Society Press, http://ieeexplore.ieee.org/xpl/articl...
Abstract

With the proliferation of Web 2.0 applications, collaborative learning has gathered a lot of attention due its potentiality in the e-learning field. Forums, Wikis and Blogs for example are only some of the applications that exploit the collaborative nature of e-learning. However, these applications are originally designed for access from desktop systems and access to them when on the move can prove a challenging task. This paper elaborates on the design and implementation of an assistive collaborative platform for educational purposes that can be accessed by heterogeneous hardware platforms such as PCs, PDAs, mobile or traditional phones due to its capability of representing data in vocal manner. Its main purpose is to provide a platform for collaboration between university students and teachers in a way that enhances students’ access to educational resources and their overall learning experience. This is achieved by personalizing its content at least to some degree. Furthermore, its acoustic/vocal characteristics may also prove valuable for learners with visual or kinetic impairments.

C. Kolias, V. Kolias, J. Anagnostopoulos, G. Kambourakis, E. Kayafas, Enhancing User Privacy in Adaptive Web Sites with Client-Side User Profiles, 3rd International Workshop on Semantic Media Adaptation and Personalization (SMAP 2008) , Dec, 2008, Prague, Czech Republic, IEEE Computer Society Press, http://ieeexplore.ieee.org/xpl/articl...
Abstract

Web personalization is an elegant and flexible process of making a web site responsive to the unique needs of each individual user. Data that reflects user preferences and likings, comprising therefore a user profile, are gathered to an adaptive web site in a non transparent manner. This situation however raises serious privacy concerns to the end user. When browsing a web site, users are not aware of several important privacy parameters i.e., which behavior will be monitored and logged, how it will be processed, how long it will be kept, and with whom it will be shared in the long run. In this paper we propose an abstract architecture that enhances user privacy during interaction with adaptive web sites. This architecture enables users to create and update their personal privacy preferences for the adaptive web sites they visit by holding their (user) profiles in the client side instead of the server side. By doing so users will be able to self-confine the personalization experience the adaptive sites offer, thus enhancing privacy.

G. Kambourakis, E. Konstantinou, S. Gritzalis, Binary Tree Based Public-Key Management for Mobile Ad Hoc Networks, ISWCS, K. Gudmundsson, B. S. Yeo, (eds), pp. 687-692, Oct, 2008, Reykjavik, Iceland, IEEE CPS, http://ieeexplore.ieee.org/xpl/articl...
Abstract

The establishment of a public key infrastructure (PKI) in mobile ad hoc networks (MANETs) is considered a difficult task because of the intrinsic characteristics of these networks. The absence of centralized services and the possible network partitions make traditional security solutions not straightforwardly applicable in MANETs. In this paper, we propose a public key management scheme based on a binary tree formation of the network¿s nodes. Using the binary tree structure, certificate chains are easily built between communicating nodes that are multi-hops away and the cumbersome problem of certificate chain discovery is avoided. We argue that our mechanism has several advantages over similar solutions, especially when a fair balancing between security and performance is terminus.

D. Geneiatakis, G. Kambourakis, C. Lambrinoudakis, A Mechanism for Ensuring the Validity and Accuracy of the Billing Services in IP Telephony, 5th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2008), S. Furnell, S. Katsikas, A. Lioy, (eds), pp. 59-68, Sep, 2008, Turin, Italy, Lecture Notes in Computer Science LNCS 5185, Springer, http://link.springer.com/chapter/10.1...
Abstract

The current penetration, but also the huge potential, of Voice over IP (VoIP) telephony services in the market, boosts the competition among telecommunication service providers who promote new services through many different types of offers. However, this transition from the closed Public Switched Telephone Network (PSTN) architecture to the internet based VoIP services, has resulted in the introduction of several threats both intrinsic i.e. VoIP specific, and Internet oriented. In the framework of this paper, we are considering threats that may affect the accuracy and validity of the records of the billing system that the service provider is using for charging the users. We are proposing a simple, practical and effective mechanism for protecting telecommunication service providers and end users from malicious activities originated from the end users and telecommunication service providers respectively. In both cases the malicious activity concerns fraud through the billing system. The proposed mechanism focuses on VoIP services that are based on the Session Initiation Protocol (SIP). However, it can be easily amended to cover other VoIP signaling protocols, as it takes advantage of the underlying AAA network infrastructure to deliver robust time stamping services to SIP network entities.

P. Drogkaris, D. Geneiatakis, S. Gritzalis, C. Lambrinoudakis, L. Mitrou, Towards an Enhanced Authentication Framework for eGovernment Services: The Greek case, EGOV’08 7th International Conference on Electronic Government, E. Ferro, J. Scholl, M. Wimmer, (eds), pp. 189-196, Sep, 2008, Torino, Italy, Trauner Verlag, http://www.icsd.aegean.gr/publication...
Abstract

It is widely accepted that electronic Government environments have caused a complete transformation of the way individuals, businesses and governmental agencies interact with central government. However, the acceptance and success of e-Government services largely depend on the level of trust and confidence developed by the users to the provided services and the overall system security. Thus the employment of the appropriate authentication framework is a crucial factor. This paper focuses on the way to determine the appropriate trust level of an electronic service. Specifically, it provides guidelines according to the data required for a transaction, as well as to the available authentication and registration mechanisms. Moreover, a Single Sign-On architecture is proposed, supporting a uniform authentication procedure that depends on the level of trust required by the service. In the aforementioned research work specific requirements and limitations for Greece have been taken into account.

A. Tsakountakis, G. Kambourakis, S. Gritzalis, A new Accounting Mechanism for Modern and Future AAA Services, IFIP SEC 2008 23rd International Information Security Conference , S. Jajodia, P. Samarati, (eds), pp. 693-697, Sep, 2008, Milan, Italy, Springer, http://link.springer.com/content/pdf/...
Abstract

Accounting along with Authentication and Authorization comprise the concept of AAA provided by IETF (Internet Engineering Task Force). In heterogeneous environments, where different administrative domains and different wired and wireless technologies are utilized, those principles are often hard and complex to correctly implement and evaluate. Specifically, accounting which is our topic of interest, is in many cases a complicated procedure since many aspects need to be taken into consideration. In this respect, a distributed, flexible, robust, secure and generic accounting system needs to be implemented in order to provide the ability to determine which user has acquired which services and for how long at each operator domain. This work examines different scenarios applicable to such 3G/4G hybrid mobile environments and suggests a novel, generic mechanism to support accounting.

C. Kolias, V. Kolias, J. Anagnostopoulos, G. Kambourakis, E. Kayafas, A pervasive Wiki application based on VoiceXML, 1st International Conference on Pervasive Technologies in e/m-Learning and Internet-based Experiments (PTLIE , Jul, 2008, Athens, Greece, ACM press
Abstract

In this paper, we describe the design and implementation of an audio wiki application accessible via the Public Switched Telephone Network (PSTN) and the Internet for educational purposes. The application exploits mature World Wide Web Consortium standards such as VoiceXML, Speech Synthesis Markup Language (SSML) and Speech Recognition Grammar Specification (SRGS). The purpose of such an application is to assist visually impaired, technologically uneducated, and underprivileged people in accessing information originally intended to be accessed visually via a Personal Computer. Users may access wiki content via wired or mobile phones, or via a Personal Computer using a Web Browser or a Voice over IP service. This feature promotes pervasiveness to educational material to an extremely large population, i.e. those who simply own a telephone line.

G. Karopoulos, G. Kambourakis, S. Gritzalis, Caller Identity Privacy in SIP heterogeneous realms: A practical solution, MediaWin 2008 3rd Workshop on Multimedia Applications over Wireless Networks (in conjunction with ISCC 2008 13th IEEE Symposium on Computers and Communications), A. Zanella et al., (eds), pp. 37 - 43, Jul, 2008, Marakkech, Morocco, IEEE CPS, http://ieeexplore.ieee.org/xpl/articl...
Abstract

The growing demand for voice services and multimedia delivery over the Internet has raised SIPpsilas popularity making it a subject of extensive research. SIP is an application layer control signaling protocol, whose main purpose is to create, modify and terminate multimedia sessions. Research has shown that SIP has a number of security issues that must be solved in order to increase its trustworthiness and supersede or coexist with PSTN. In this paper our purpose is to address such a weakness, namely the caller identity privacy issue. While some solutions to this problem do exist, we will show that they are inadequate in a number of situations. Furthermore, we will propose a novel scheme for the protection of callerpsilas identity which can also support roaming between different administrative domains. Finally, we provide some performance results, which demonstrate that the proposed solution is efficient even in low-end mobile devices.

[193]
E. Konstantinou, Cluster-based Group Key Agreement for Wireless Ad hoc Networks, ARES 2008, 3rd International Conference on Availability, Reliability and Security, Mar, 2008, Barcelona, Spain, IEEE Computer Society Press
C. Kolias, S. Demertzis, G. Kambourakis, Design and Implementation of a Secure Mobile Wiki System, Seventh IASTED International Conference on Web-based Education (WBE 2008), Uskov V., (ed), pp. 212-217, Mar, 2008, Innsbruck, Austria, ACTA press
Abstract

During the last few years wikis have emerged as one of the most popular tool shells. Wikipedia has boosted their popularity, but they also keep a significant share in elearning, intranet-based applications such as defect tracking, requirements management, test-case management, and project portals. However, existing wiki systems cannot fully support mobile clients due to several incompatibilities that exist. On the top of that, an effective secure mobile wiki system must be lightweight enough to support low-end mobile devices having several limitations. In this paper we analyze the requirements for a novel multiplatform secure wiki implementation. XML Encryption and Signature specifications are employed to realize endto- end confidentiality and integrity services. Our scheme can be applied selectively and only to sensitive wiki content, thus diminishing by far computational resources needed at both ends; the server and the client. To address authentication of wiki clients a simple one-way authentication and session key agreement protocol is also introduced. The proposed solution can be easily applied to both centralized and forthcoming P2P wiki implementations.

E. Klaoudatou, E. Konstantinou, G. Kambourakis, S. Gritzalis, Clustering Oriented Architectures in Medical Sensor Environments, WSPE 2008 International Workshop on Security and Privacy in e-Health (in conjunction with ARES 2008 3rd International Conference on Availability, Reliability, and Security), T. Muck, (ed), pp. 929-934, Mar, 2008, Barcelona, Spain, IEEE CPS, http://ieeexplore.ieee.org/xpl/login....
Abstract

Wireless sensor networks are expected to make a significant contribution in the healthcare sector by enabling continuous patient monitoring. Since medical services and the associated to them information are considered particularly sensitive, the employment of wireless sensors in medical environments poses many security issues and challenges. However, security services and the underlying key management mechanisms cannot be seen separately from the efficiency and scalability requirements. Network clustering used in both routing and group key management mechanisms can improve the efficiency and scalability and therefore can also be envisioned in medical environments. This paper introduces a general framework for cluster-based wireless sensor medical environments on the top of which efficient security mechanisms can rely. We describe two different scenarios for infrastructure and infrastructure- less application environments, covering this way a wide area of medical applications (in-hospital and medical emergencies). We also examine the existing group-key management schemes for cluster-based wireless networks and discuss which protocols fit best for each proposed scenario.

G. Karopoulos, G. Kambourakis, S. Gritzalis, Privacy Protection in Context Transfer Protocol, PDP 2008 16th Euromicro International Conference on Parallel, Distributed and Network based Processing – Special Session on Security in Networked and Distributed Systems, D. El Baz, J. Bourgeois, F. Spies, (eds), pp. 590-596, Feb, 2008, Toulouse, France, IEEE CPS, http://ieeexplore.ieee.org/xpl/articl...
Abstract

In the future 4G wireless networks will span across different administrative domains. In order to provide secure seamless handovers in such an environment the context transfer protocol is an attractive solution. However, the aforementioned protocol arises some privacy issues concerning the location and movement of users roaming between administrative domains. The purpose of this paper is to present and analyze these privacy issues and propose two privacy enhanced context transfer schemes that alleviate these problems. In the first scheme the Mobile Node (MN) is responsible for the transmission of the context to the new domain. In the second scheme the Home Domain (HD) of the user forwards the context acting as a proxy between the old and the new domain. While the second scheme is expected to be more useful towards realizing seamless handovers, the first one poses less signaling load to the HD. In addition, assuming that the most appropriate form of user identity for the context is the Network Access Identifier (NAI), we show how the employment of temporary NAIs can further increase the privacy of our schemes.

P. Rizomiliotis, Remarks on the New Attack on the Filter Generator and the Role of High Order Complexity, 11th IMA International Conference on Cryptography and Coding, pp. 204-219, Dec, 2007, Cirencester, UK, Springer
Abstract

Filter generators are important building blocks of stream ciphers and have been studied extensively. Recently, a new attack has been proposed. In this paper, we analyze this attack using the trace representation of the output sequence y and we prove that the attack does not work always as expected. We propose a new algorithm that covers the cases that the attack cannot be applied. The new attack is as efficient as the original attack. Finally, trying to motivate the research on the nonlinear complexity of binary sequences, we present a scenario where the knowledge of the quadratic complexity of a sequence can decrease significantly the necessary for the attack amount of known keystream bits.

A. Tsakountakis, G. Kambourakis, S. Gritzalis, On RSN-oriented Wireless Intrusion Detection, 2nd OTM International Symposium on Information Security (IS), M. Freire, S. M. de Sousa, V. Santos, H. J. Park, (eds), pp. 1601-1615, Dec, 2007, Algarve, Portugal, Lecture Notes in Computer Science LNCS, Springer, http://link.springer.com/content/pdf/...
Abstract

Robust Security Network (RSN) epitomised by IEEE 802.11i substandard is promising what it stands for; robust and effective protection for mission critical Wireless Local Area Networks (WLAN). However, despite the fact that 802.11i overhauls the IEEE’s 802.11 security standard several weaknesses still remain. In this context, the complementary assistance of Wireless Intrusion Detection Systems (WIDS) to deal with existing and new threats is greatly appreciated. In this paper we focus on 802.11i intrusion detection, discuss what is missing, what the possibilities are, and experimentally explore ways to make them intertwine and co-work. Our experiments employing well known open source attack tools and custom made software reveal that most 802.11i specific attacks can be effectively recognised, either directly or indirectly. We also consider and discuss Distributed Wireless Intrusion Detection (DIDS), which seems to fit best in RSN networks.

M. Karyda, S. Gritzalis, J. H. Park, A Critical Approach to Privacy Research in Ubiquitous Environments: Issues and Underlying Assumptions, TRUST’07 2nd International Workshop on Trustworthiness, Reliability, and Services in Ubiquitous and Sensor Networks, L. Yang et al., (eds), pp. 12-21, Dec, 2007, Taipei, Taiwan, Lecture Notes in Computer Science LNCS, Springer, http://link.springer.com/content/pdf/...
Abstract

This paper explores the different aspects of ubiquitous environments with regard to the protection of individuals’ private life. A critical review of the relative research reveals two major trends. First, that there is a shift in the perception of privacy protection, which is increasingly considered as a responsibility of the individual, instead of an individual right protected by a central authority, such as a state and its laws. Second, it appears that current IT research is largely based on the assumption that personal privacy is quantifiable and bargainable. This paper discusses the impact of these trends and underlines the issues and challenges that emerge. The paper stresses that, for the time being, IT research approaches privacy in ubiquitous environments without taking into account the different aspects and the basic principles of privacy. Finally the paper stresses the need for multidisciplinary research in the area, and the importance that IT research receives input from other related disciplines such as law and psychology. The aim of the paper is to contribute to the on-going discourse about the nature of privacy and its role in ubiquitous environments and provide insights for future research.

G. Kambourakis, T. Moschos, D. Geneiatakis, S. Gritzalis, Detecting DNS Amplifications Attacks, IFIP IEEE CRITIS’07 2nd International Workshop on Critical Information Infrastructures Security, J. Lopez, B. Hammerli, (eds), pp. 185-196, Oct, 2007, Malaga, Spain, Lecture Notes in Computer Science LNCS 5141, Springer, http://link.springer.com/content/pdf/...
Abstract

DNS amplification attacks massively exploit open recursive DNS servers mainly for performing bandwidth consumption DDoS attacks. The amplification effect lies in the fact that DNS response messages may be substantially larger than DNS query messages. In this paper, we present and evaluate a novel and practical method that is able to distinguish between authentic and bogus DNS replies. The proposed scheme can effectively protect local DNS servers acting both proactively and reactively. Our analysis and the corresponding real-usage experimental results demonstrate that the proposed scheme offers a flexible, robust and effective solution.

G. Karopoulos, G. Kambourakis, S. Gritzalis, Two privacy-enhanced context transfer schemes, ACM Q2SWinet 2007 3rd ACM International Workshop on Quality of Service and Security for Wireless and Mobile Networks (in conjunction with the 10th ACM/IEEE International Symposium on Modeling, Analysis and Simulation of Wireless and Mobile Systems), L. Bononi, (ed), pp. 172-175, Oct, 2007, Chania, Greece, ACM Press, http://dl.acm.org/ft_gateway.cfm?id=1...
Abstract

Foreseeable 4G environments will extensively take advantage of the concept of context transfer to provide seamless secure handovers between different administrative domains. However, the utilization of context transfer comes with a cost in the users' privacy. The purpose of this paper is to elaborate on these privacy issues and propose two privacy enhanced context transfer schemes that alleviate these problems. In the first scheme the Mobile Node (MN) is responsible for the transmission of the context to the new domain. In the second scheme the Home Domain (HD) of the user forwards the context acting as a proxy between the old and the new domain. In addition, assuming that the most appropriate form of user identity for the context is the Network Access Identifier (NAI), we show how the employment of temporary NAIs can further increase the privacy of our schemes.

C. Fragos, M. Karyda, E. Kiountouzis, Using the Lens of Circuits of Power in Information Systems Security Management, 4th International Conference on Trust, Privacy and Security in Digital Business (TrustBus ‘07), C. Lambrinoudakis , G. Pernul, A Min Tjoa, (eds), pp. 228-236, Sep, 2007, Regensburg, Germany, Springer
Abstract

This paper uses the perspective of power in the study of IS security management. We explore the role of power in the implementation of an information systems security policy, using the Circuits of Power as a Framework for the analysis. A case study research was conducted in a public sector organization that introduced a security policy in order to comply with the law. The authors interviewed members of the organization to explore the different aspects of power relations which were intertwined with the implementation of the policy and used the Circuits of Power to analyze the data gathered. The conclusions derived from the analysis illustrate the role of power in the policy implementation process and indicate that a power perspective provides useful insight in the study of factors affecting the implementation of security policies.

[203]
A. Tsohou, M. Theoharidou, S. Kokolakis, D. Gritzalis, Addressing Cultural Dissimilarity in the Information Security Management Outsourcing Relationship, TrustBus’07 4th International Conference on Trust, Privacy and Security in Digital Business, G. Pernul, C. Lambrinoudakis, M. Tjoa, (eds), Sep, 2007, Lecture Notes in Computer Science LNCS, Springer
G. Karopoulos, G. Kambourakis, S. Gritzalis, Privacy Preserving Context Transfer in All-IP Networks, MMM-ACNS-07 International Conference Mathematical Methods, Models and Architectures, I. Kotenko et al., (eds), pp. 390-395, Sep, 2007, St. Petersburg, Russia, CCIS Communications in Computer and Information Science, Springer, http://link.springer.com/content/pdf/...
Abstract

In an all-IP environment, the concept of context transfer is used to provide seamless secure handovers between different administrative domains. However, the utilization of context transfer arises some privacy issues concerning the location and movement of users roaming between domains. In this paper we elaborate on these privacy issues and propose an alternative context transfer protocol that protects user’ location privacy as well. In addition, assuming that the context carries a user identity in the form of a Network Access Identifier (NAI), we show how the employment of temporary NAIs can further increase the privacy of our scheme.

G. Kambourakis, S. Gritzalis, On Device Authentication in Wireless Networks: Present issues and future challenges, TrustBus’07 4th International Conference on Trust, Privacy and Security in Digital Business, G. Pernul, C. Lambrinoudakis, M. Tjoa, (eds), pp. 135-144, Sep, 2007, Regensburg, Germany, Lecture Notes in Computer Science LNCS, Springer, http://link.springer.com/content/pdf/...
Abstract

Whilst device authentication must be considered as a cardinal security issue, complementary and of equal importance to user authentication, in today’s wireless networks, only a few papers address it patchily. This paper identifies and analyses possible major solutions towards solving the device authentication problem. We discuss key issues and future challenges that characterize each solution examining its pros and cons. We also offer a short qualitative comparative analysis for the device authentication schemes in question, examining its applicability for both infrastructure and ad-hoc deployments.

G. Kambourakis, T. Moschos, D. Geneiatakis, S. Gritzalis, A Fair Solution to DNS Amplification Attacks, WDFIA, S. Kokolakis, T. Tryfonas, (eds), pp. 38-47, Aug, 2007, Samos, Greece, IEEE CPS, http://ieeexplore.ieee.org/xpl/articl...
Abstract

Recent serious security incidents reported several attackers employing IP spoofing to massively exploit recursive name servers to amplify DDoS attacks against numerous networks. DNS amplification attack scenarios utilize DNS servers mainly for performing bandwidth consumption DoS attacks. This kind of attack takes advantage of the fact that DNS response messages may be substantially larger than DNS query messages. In this paper we present a novel, simple and practical scheme that enable administrators to distinguish between genuine and falsified DNS replies. The proposed scheme, acts proactively by monitoring in real time DNS traffic and alerting security supervisors when necessary. It also acts reactively in co-operation with the firewalls by automatically updating rules to ban bogus packets. Our analysis and the corresponding experimental results show that the proposed scheme offers an effective solution, when the specific attack unfolds.

A. Tsakountakis, G. Kambourakis, S. Gritzalis, Towards Effective Wireless Intrusion Detection in IEEE 802.11i, 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (in conjunction with the IEEE ICPS, P. Georgiadis, J. Lopez, S. Gritzalis, G.Marias, (eds), pp. 37-42, Jul, 2007, Istanbul, Turkey, IEEE CPS, http://ieeexplore.ieee.org/xpl/articl...
Abstract

The proliferation of wireless devices and the availability of wireless applications and services constantly raise new security concerns. Towards this direction, wireless intrusion detection systems (WIDS) can assist a great deal to proactively and reactively protect wireless networks, thus discouraging or repealing potential adversaries. In this paper we discuss the major wireless attack categories concerning IEEE 802.11 family networks and in particular the latest 802.11i security standard. We elaborate on 802.11 specific attacks and experimentally explore how these outbreaks can be effectively mitigated or thwarted by a properly designed WIDS. Among specially crafted software for both WIDS's modules as well as for attack generators, our test-bed embraces the majority of well known open source attack tools. Test results show that the proposed WIDS modules are able to effectively detect, either directly or indirectly, most attacks.

[208]
I. Chatzigiannakis, E. Konstantinou, V. Liagkou, P. Spirakis, Agent-based Distributed Group Key Establishment in WirelessSensor Networks, 3rd IEEE International Workshop on Trust,Security, and Privacy for Ubiquitous Computing (TSPUC 2007), Jun, 2007, ISBN 1-4244-0992-6
G. Kambourakis, A. Andreadis, C. Paganos, A. Rouskas, S. Gritzalis, Bluetooth Security Mechanisms for Handheld Devices: A Performance Evaluation Study, EW 2007 13th European Wireless Conference, M. Terre, (ed), Apr, 2007, Paris, France, VDE, http://www.icsd.aegean.gr/publication...
Abstract

Bluetooth standard has been long criticized for various vulnerabilities and security inefficiencies, as its designers are trying to balance wisely between performance and complementary services including security. On the other hand, well respected security protocols like IP secure (IPsec) and Secure Shell (SSH) provide robust, low cost and easy to implement solutions for exchanging data over insecure communication links. Although, the deployment of these mechanisms is a well established and accustomed practice in the wireline world, more research effort is needed for wireless links, due to several limitations of the radio-based connections especially for handheld devices e.g. link unreliability, bandwidth, low processing power and battery consumption. This paper focuses on performance rather than on security, evaluating the efficiency of these de-facto security protocols over Bluetooth connections when low-end handheld devices are utilized. Several Personal Area Network (PAN) parameters, including absolute transfer times, link capacity and throughput, are evaluated. Our experiments employ both Bluetooth native security mechanisms as well as the two aforementioned protocols. Through a plethora of scenarios we offer a comprehensive in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth links.

G. Kambourakis, E. Klaoudatou, S. Gritzalis, Securing Medical Sensor Environments: The Codeblue framework case, ARES 2007 The 2nd International Conference on Availability, Reliability, and Security - FARES 2007 1st International Symposium on Frontiers in Availability, Reliability and Security, R. Wagner, A. M. Tjoa et al., (eds), pp. 637-643, Apr, 2007, Vienna, Austria, IEEE CPS, http://ieeexplore.ieee.org/xpl/login....
Abstract

Research on wireless sensor networks targeting to medical environments has gathered a great attention. In this context, the most recent and perhaps the most promising complete scheme is the CodeBlue hardware and software combined platform, developed in the context of the self-titled Harvard's University project. CodeBlue relies on miniature wearable sensors to monitor real-time patients' vital activities and collecting data for further processing. Apart from the essential query interface for medical monitoring, CodeBlue offers protocols for hardware discovery and multihop routing. This paper contributes to the CodeBlue security, which until now is considered as pending or left out for future work by its designers. We identify and describe several security issues and attack incidents that can be directly applied on CodeBlue compromising its trustworthiness. We also discuss possible solutions for both internal and external attacks and the key-management mechanisms that these solutions presume.

M. Karyda, L. Mitrou, Internet Forensics: Legal and Technical issues, 2nd Annual Workshop on Digital Forensics and Incident Analysis (WDFIA 2007), pp. 3-12, 2007, Samos, Greece, IEEE
Abstract

This paper provides a combined approach on the major issues pertaining to the investigation of cyber crimes and the deployment of Internet forensics techniques. It discusses major issues from a technical and legal perspective and provides general directions on how these issues can be tackled. The paper also discusses the implications of data mining techniques and the issue of privacy protection with regard to the use of forensics methods.

T. Balopoulos, L. Gymnopoulos, M. Karyda, S. Kokolakis, S. Gritzalis, S. K. Katsikas, A Framework for Exploiting Security Expertise in Application Development, TrustBus’06 3rd International Conference on Trust, Privacy, and Security in the Digital Business, S. Furnell, C. Lambrinoudakis, S. Fischer-Huebner, (eds), pp. 62-70, Sep, 2006, Krakow, Poland, Lecture Notes in Computer Science LNCS Vol. 4083, Springer, http://www.icsd.aegean.gr/publication...
Abstract

This paper presents a framework that enables application developers make use of security expertise. This is succeeded with the help of security ontologies and the employment of security patterns. Through the development of a security ontology developers can locate the major security-related concepts and locate those relevant to the application context. Security patterns provide tested solutions for accommodating security requirements. Finally, the main features of the framework are listed with respect to related work.

[213]
I. Chatzigiannakis, E. Konstantinou, V. Liagkou, P. Spirakis, Design, Analysis and Performance Evaluation of Group Key Establishment in Wireless Sensor Networks, 2nd Workshop on Cryptography for Ad hoc Networks - WCAN 2006, Jul, 2006
D. Geneiatakis, T. Dagiuklas, C. Lambrinoudakis, G. Kambourakis, S. Gritzalis, Novel Protecting Mechanism for SIP-Based Infrastructure against Malformed Message Attacks: Performance Evaluation Study, CSNDSP , M. Logothetis et al. , (eds), Jul, 2006, Patras, Greece, http://www.wcl.ece.upatras.gr/CSNDSP/...
Abstract

This paper presents a novel mechanism to protect Session Initiation Protocol (SIP)-based infrastructure against malformed message attacks. The basic characteristics of this mechanism are the following: lightweight and easy to adapt to various SIP implementations. The proposed mechanism has been evaluated in terms of overhead processing. It is demonstrated that the employment of appropriate IDS against malformed messages impose minimum overhead in terms of events’ processing.

L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Dritsas, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Developing a Security Patterns Repository for Secure Applications Design, ECIW 2006 5thEuropean Conference on Information Warfare and Security, C. Candolin et al., (eds), pp. 51-60, Jun, 2006, Helsinki, Finland, ACL Academic Conferences Limited, http://www.icsd.aegean.gr/publication...
Abstract

Application developers are often confronted with difficulties in choosing or embedding security mechanisms that are necessary for building secure applications, since this demands possessing expertise in security issues. This problem can be circumvented by involving security experts early in the development process. This practice, however, entails high costs; moreover communication between developers and security experts is usually problematic and security expertise is difficult to be captured and exploited by developers. This paper proposes that the process of building secure applications can be facilitated through the use of security patterns. It presents a security patterns repository that can provide developers with an effective mechanism to address the issue of incorporating security requirements and mechanisms in application development. The paper also specifies a list of patterns and describes their basic elements. For describing and managing the patterns, the paper proposes a structure that is especially suitable for the case of security patterns. The method followed for developing the security patterns repository entails the employment of a security ontology. Finally, the paper presents a set of exemplary cases where the repository can support the software development process. The paper’s contribution is an enhanced security patterns repository that allows application developers to benefit from the accumulated knowledge and expertise in the area of security, so that they are able to develop secure applications.

G. Kambourakis, D. Geneiatakis, T. Dagiuklas, C. Lambrinoudakis, S. Gritzalis, Towards Effective SIP load balancing, 3rd Annual VoIP Security Workshop, D. Sisalem et al., (eds), Jun, 2006, Berlin, Germany, ACM Press, http://www.iptel.org/voipsecurity/doc...
Abstract

Session Initiation Protocol (SIP) high availability, reliability and redundancy are determined by the ability of the core SIP network components to offer high quality SIP services in the event(s) of high call transactions, link outages, device failures, misconfigurations and security attacks. In this context, load balancers can be used to achieve redundancy and active load balancing of SIP transactions. In load balancing schemes, new requests are allocated across available servers using a selection algorithm. Although considerable work has been already done for Web traffic balancing, little research effort is primarily aiming to SIP load balancing. This paper proposes a SIP dedicated load balancing solution, which is currently under development within the EC funded project SNOCER. We describe in detail our balancing scheme, its associated architecture elements and provide implementation details showing that it is simple to realize, effective, flexible, robust and secure.

M. Karyda, T. Balopoulos, S. Dritsas, L. Gymnopoulos, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, An Ontology for Secure e-Government applications, DeSeGov’06 Workshop on Dependability and Security in eGovernment, A. Tjoa, E. Schweighofer, (eds), pp. 1033-1037, Apr, 2006, Vienna, Austria, IEEE CPS, http://ieeexplore.ieee.org/xpl/login....
Abstract

This paper addresses the issue of accommodating security requirements in application development. It proposes the use of ontologies for capturing and depicting the security experts' knowledge. In this way developers can exploit security expertise in order to make design choices that help them fulfil security requirements more effectively. We have developed a security ontology for two different application scenarios to illustrate its use. To validate the ontology we have used queries.

G. Kambourakis, D. Geneiatakis, S. Gritzalis, T. Dagiuklas, C. Lambrinoudakis, Security and Privacy issues towards ENUM Protocol, ISSPIT ‘05 5th IEEE International Symposium on Signal Processing and Information Technology, D. Serpanos et al., (eds), pp. 478-483, Dec, 2005, Athens, Greece, IEEE CPS, http://ieeexplore.ieee.org/xpl/articl...
Abstract

Public ENUM is used until now in trials and some "test-bed" or "production" VoIP environments with small volume. Very lately, another application of the ENUM protocol has emerged namely the "Carrier ENUM", becoming popular among VoIP and mobile providers. In this context, a new competitive to public and carrier ENUM, peer-to-peer approach promotes itself, stating to be more reliable and secure, called DUNDi. Although considerable arguing has been generated among various ENUM forums and standardization fora on ENUM implementations, until now, several issues remain obscured and unresolved. In this paper we address security and privacy issues raised by all the aforementioned solutions, presenting implementation details, general concerns, future trends, and possible solution.

G. Kambourakis, D. P. Kontoni, I. Sapounas, Modeling Learners’ Perceptions towards Educational Portals and Collaborative Learning Tools Usage: The Hellenic Open University Case, Third International Conference on Open and Distance Learning: , pp. 209-220, Nov, 2005, Patra, Greece, Propompos publications
Abstract

The educational collaborative virtual distance learning environment is supposed to promote the active participation of teachers and students, interacting one another, exchanging knowledge and creating new abilities. Consequently, the learning process is anticipated to be promoted on both sides, by exchanging experiences, discussing new ideas and accomplishment of group, thus allowing the creation of knowledge, based on the collective involvement. On the other hand, in the context of eLearning, many standard software platforms, so called portal servers, have appeared on the market integrating various and often advanced synchronous and asynchronous collaborative tools and features. In this paper, we conduct a preliminary analysis measuring the Hellenic Open University’s (HOU) students’ perceptions toward the educational portal’s learning tools focusing mainly on collaborative activities. We make an attempt to identify whether the learners are using the portal, the tools it provides and to what degree. The study takes into account a plethora of variables to estimate whether these variables and at what degree are affecting significantly portal usability. Apart from normal descriptive analysis, we furnish two different linear regression models illustrating the various cross-dependencies among different dependent and independent variables and conducting two disparate Analyses of Variance (one-way ANOVA).

S. Dritsas, L. Gymnopoulos, M. Karyda, T. Balopoulos, S. Kokolakis, C. Lambrinoudakis, S. Gritzalis, Employing Ontologies for the Developmentof Security Critical Applications: The Secure e-Poll Paradigm, IFIP I3E International Conference on eBusiness,eCommerce, and eGovernemnt, M. Funabashi, A. Grzech, (eds), pp. 187-201, Oct, 2005, Poznan, Poland, Springer, http://link.springer.com/content/pdf/...
Abstract

Incorporating security in the application development process is a fundamental requirement for building secure applications, especially with regard to security sensitive domains, such as e-government. In this paper we follow a novel approach to demonstrate how the process of developing an e-poll application can be substantially facilitated by employing a specialized security ontology. To accomplish this, we describe the security ontology we have developed, and provide a set of indicative questions that developers might face, together with the solutions that ontology deployment provides.

P. Rizomiliotis, Periodic Binary Sequences of Maximum Nonlinear Span, 2005 IEEE International Symposium on Information Theory, pp. 469-473, Sep, 2005, Adelaide, Australia, IEEE Press
Abstract

A new approach on the computation of the nonlinear span of periodic binary sequences, i.e. the length of shortest feedback shift register that generates the given sequence, is presented. The problem of designing binary sequences with the maximum possible span is considered and solved

S. Gritzalis, P. Belsis, M. Karyda, M. Chalaris, C. Skourlas, I. Chalaris, Designing the Provision of PKI services for eGovernment, HERCMA 2005 7th Hellenic European Research on Computer Mathematics and its Applications Conference, E. Lypitakis, (ed), Sep, 2005, Athens, Greece, LEA publisher, http://www.aueb.gr/pympe/hercma/proce...
Abstract

The European Union has launched a comprehensive strategy framework and emerging actions on security and privacy issues. To this direction, a number of relevant initiatives have been put on (e.g. cyber security task force, awareness campaigns, promotion of good practices, improved exchange of information mechanisms, etc.). Their results will provide the basis for the work towards a secure information infrastructure. The key actions proposed for a secure information infrastructure, under the eEurope-2005 umbrella, include, between others, “Secure Communication between Public Services”, e.g. examination of the possibilities to establish a secure communications environment for the ex-change of government information. An important aspect towards this direction is the deployment of a Public Key Infrastructure (PKI). In this paper a good-practice guidance is described, on how a secure and efficient PKI can be developed to support secure and efficient Government-to-Government and Government-to-Citizen electronic communication.

D. Geneiatakis, G. Kambourakis, T. Dagiuklas, C. Lambrinoudakis, S. Gritzalis, A Framework for Detecting Malformed Messages in SIP Networks, 14th IEEE International Workshop on Local and Metropolitan Area Networks (LANMAN ‘05), Sep, 2005, Chania, Greece, IEEE CPS, http://ieeexplore.ieee.org/xpl/login....
Abstract

Internet telephony like any other Internet service suffers from security flaws caused by various implementation errors (e.g. in end-users terminals, protocols, operating systems, hardware, etc). These implementation problems usually lead VoIP subsystems (e.g. SIP servers) to various unstable operations whenever trying to process a message not conforming to the underlying standards. As Internet telephony becomes more and more popular, attackers will attempt to exhaustively "test" implementations' robustness, transmitting various types of malformed messages to them. Since it is almost infeasible to avoid or predict every potential error caused during the developing process of these subsystems, it is necessary to specify an appropriate and robust, from the security point of view, framework that will facilitate the successful detection and handling of any kind of malformed messages aiming to destruct the provided service. In this paper, we adequately present malformed message attacks against SIP network servers and/or SIP end-user terminals and we propose a new detection "framework" of prototyped attacks' signatures that can assist the detection procedure and provide effective defence against this category of attacks

D. Geneiatakis, G. Kambourakis, T. Dagiuklas, C. Lambrinoudakis, S. Gritzalis, SIP Message Tampering: THE SQL code INJECTION attack, 13th IEEE International Conference on Software, Telecommunications and Computer Networks (SoftCOM ‘05), N. Rozic et al., (eds), pp. 176-181, Sep, 2005, Split, Croatia, IEEE CPS, http://www.cs.columbia.edu/~dgen/pape...
Abstract

As Internet Telephony and Voice over IP (VoIP) are considered advanced Internet applications/services, they are vulnerable to attacks existing in Internet applications/services. For instance HTTP digest authentication attacks, malformed messages, message tampering with malicious code, SQL injection and more, can be launched against any Internet application/service. In this paper, we describe, analyze and demonstrate the inheritance of message tampering attacks, focusing on SQL injection, in the SIP protocol. This type of attack has been successfully launched in Internet environments, with very little cost, effort and specialized knowledge. However, in the context of the SIP protocol, no works or research efforts are reported until now. The paper provides an in-depth analysis of SQL injection in SIP realms, discussing implementation details, constraints and possibilities for the attacker. In addition, we provide some indicative experimental results by triggering this style of attack against a properly designed SIP-based testbed environment. Finally, specific countermeasures, remedies and new signature-oriented framework are suggested for identifying and counter fight against this attack.

N. Doukas, E. Klaoudatou, G. Kambourakis, A. Rouskas, S. Gritzalis, Evaluation of digital certificates acquisition in large-scale 802.11-3GPP Hybrid Environments, 14th IEEE International Workshop on Local and Metropolitan Area Networks (LANMAN ‘05), pp. 176-181, Sep, 2005, Chania, Greece, IEEE CPS, http://ieeexplore.ieee.org/xpl/articl...
Abstract

This paper evaluates the performance of a hybrid WLAN-3GPP network architecture for delivering subscribers' certificates. Two main categories of simulation scenarios are implemented and evaluated based on the underlying access network technology used; 802.11b and UMTS. Each of the scenarios is categorized further in numerous sub-cases. Results showed that AC acquisition when deployed in large scale between several heterogeneous networks is feasible within acceptable time limits.

D. Geneiatakis, G. Kambourakis, A. Dagiouklas, C. Lambrinoudakis, S. Gritzalis, Session Initiation Protocol Security Mechanisms: A state-of-the-art review, INC, S. Furnell, S. K. Katsikas, (eds), pp. 147-156, Jul, 2005, Samos, Greece, Ziti Pubs, http://startrinity.com/VoIP/Resources...
Abstract

The commercial deployment of VoIP necessitates the employment of security mechanisms that can assure availability, reliability, confidentiality and integrity. The Session Initiation Protocol (SIP) is considered as the dominant signalling protocol for calls over the Internet. SIP, like other Internet protocols, is vulnerable to known Internet attacks, while at the same time it introduces new security problems in the VoIP system. This paper lists the existing security problems in SIP and provides a brief description, followed by a critical analysis, of the security mechanisms it employs.

T. Balopoulos, S. Dritsas, L. Gymnopoulos, M. Karyda, S. Kokolakis, S. Gritzalis, Incorporating Security Requirements into the Software Development Process, ECIW 2005 4th European Conference on Information Warfare and Security, pp. 21-28, Jul, 2005, Glamorgan, United Kingdom, Academic Conferences Limited, http://www.google.gr/books?hl=en&lr=&...
Abstract

Security requirements, such as authentication, confidentiality, authorization, availability, integrity and privacy, are becoming extremely common in software development processes. However, in practical terms, it has been proved that only rarely the developed software fulfils the related security requirements. The reason for this is twofold. On one hand software developers are not security experts and thus they are not competent in selecting and applying the appropriate security countermeasures. On the other hand, many security requirements are intrinsically difficult to deal with. This paper aims to address both of the aforementioned issues and to introduce potential solutions. It starts by analysing the major security requirements, and goes on to explore how they can be mapped into concrete security solutions or/and mechanisms. Then, it examines how the fulfilment of security requirements influences the choice of development methodologies and paradigms (with the emphasis being on the design phase), so that the requirements are effectively satisfied. The discussion covers object-oriented and aspect-oriented programming, the Rational Unified Process, UML and UMLsec, as well as security patterns, with regard to the ways they can support the use of security solutions or/and mechanisms.

[228]
E. Konstantinou, V. Liagkou, P. Spirakis, Y. Stamatiou, M. Yung, Trust Engineering: from requirements to system design and maintenance - a working national lottery system experience, Information Security Conference - ISC 2005, pp. 44-58, 2005, LNCS Vol. 3650, Springer - Verlag
[229]
E. Konstantinou, A. Kontogeorgis, Y. Stamatiou, C. Zaroliagis, Generating Prime Order Elliptic Curves: Difficulties and Efficiency Considerations, International Conference on Information Security and Cryptology - ICISC 2004, pp. 261-278, 2005, LNCS Vol. 3506, Springer - Verlag
P. Rizomiliotis, Family of p-ary sequences with oprimal correlation property and large linear span from Helleseth-Gong sequences, International Symposium on Information Theory and its Applications, Oct, 2004, Parma
Abstract

A new family of balanced sequences over Fp, p odd prime, with the optimal correlation property is presented. The construction is based on p-ary Helleseth-Gong sequences with ideal autocorrelation. The family contains pn balanced sequences of period p2n−1. The correlation spectrum peak nontrivial value does not exceed 1 + pn, i.e. it is optimal in terms of Welch’s lower bound. The linear span of the sequences is 2n( n k + 2), where k is a divisor of n such that n/k is odd.

[231]
L. Mitrou, E-voting: Constitutional and Legal Requirements in the Recommendation of the Council of Europe , 2nd Votobit International Conference, J. Barrat, (ed), pp. 20, Oct, 2004, Leon-Spain, University of Leon
P. Rizomiliotis, N. Kalouptsidis, Result on the nonlinear span of binary sequences, 2004 IEEE International Symposium on Information Theory, pp. 124, Jun, 2004, Chicago, IL USA, IEEE Press
Abstract

A new family of balanced sequences over Fp, p odd prime, with optimal correlation property is presented. The construction is based on p-ary Helleseth-Gong sequences with ideal autocorrelation. The family contains pn balanced sequences of period N = p2n − 1. The correlation spectrum peak nontrivial value does not exceed 1 + pn, i.e. it is optimal in terms of Welch’s lower bound. The linear span of the sequences is 2n( n k + 2), where k is a divisor of n such that n/k is odd.

G. Kambourakis, A. Rouskas, D. Gritzalis, Performance Evaluation of Certificate Based Authentication in Integrated Emerging 3G and Wi-Fi Networks, 1st European PKI Workshop, pp. 287-296, Jun, 2004, Samos, Greece, LNCS 3093, http://link.springer.com/chapter/10.1...
Abstract

Certificate based authentication of parties provides a powerful means for verifying claimed identities, avoiding the necessity of distributing shared secrets beforehand. Whereas Wi-Fi networks present security deficiencies, they manage to highly penetrate into the wireless market in a great degree due to their low cost, easy administration, great capacity, IP-oriented nature, etc. Con-sidering Wi-Fi networking settings, administrated by different operators, as parts of a common core 3G infrastructure, the paper proposes and evaluates the potential application of enhanced TLS-based authentication mechanisms in in-tegrated emerging-3G and Wi-Fi networks. We propose to use EAP-TLS proto-col seconded by Public Key Infrastructure entities, to provide users with robust authentication mechanisms in hybrid WLAN-3G heterogeneous environment. Our alternative solution is discussed against EAP-AKA procedures as they ap-pear in the latest 3G and integrated 3G/Wi-Fi specifications. Finally, the pro-posed mechanism is evaluated through a properly designed experimental test bed setup.

G. Kambourakis, A. Rouskas, S. Gritzalis, Inter/Intra Core Network Security with PKI for 3G-and-Beyond Systems, 3rd IFIP NETWORKING TC-6 International Conference on Networking, N. Mitrou et al., (eds), pp. 13-24, May, 2004, Athens, Greece, Springer, LNCS 3042, http://link.springer.com/content/pdf/...
Abstract

With a large number of different heterogeneous network technologies (e.g. UMTS, WLAN, HIPERLAN) and operators expected in the future mobile communications environment, that should frequently and seamlessly interwork with each other and a constantly increasing population of communication parties, capturing the full benefits of open channel key transfers and scaling public key methods requires Public Key Infrastructure (PKI). In this paper, we discuss and investigate different ways to take advantage of a proposed PKI system. Focusing on UMTS Release 6 IP multimedia subsystem, we analyze the ongoing 3GPP specifications and its limitations and examine how PKI can provide robust security solutions to both 3G-and-beyond inter/intra core network and the mobile user. Public key security mechanisms to protect operator’s core networks seem to gain ground and protocols like IPsec and SSL, seconded by PKI, can support the continuous growth of diverse technologies and solve inter-operator many-to-many modeled trust relationships. From the user’s side we present solutions, which far enhance authentication procedures and end-to-end communication model trust. We argue that PKI can become a promising candidate, which offers the competitive framework to overcome symmetric key based security inefficiencies and provide powerful solutions to protect both network core signalling and user’s data from potential intruders.

G. Kambourakis, A. Rouskas, S. Gritzalis, Delivering Attribute Certificates over GPRS, ACM SAC 2004 19th International ACM Symposium on Applied Computing - Mobile Computing and Applications Track, H. V. Leong, A. Chan , (eds), pp. 1166-1170, May, 2004, Nicosia, Cyprus, ACM Press, http://dl.acm.org/ft_gateway.cfm?id=9...
Abstract

Attribute Certificates (ACs) have been developed and standardized by the ANSI X9 committee as an alternative and better approach, to X.509 public key certificates, for carrying authorization information. Attribute Authorities (AA) bind the characteristics of an entity (called attributes) to that entity by signing the appropriate AC. Therefore, ACs can be used for controlling access to system resources and employing role-based authorization and access controls policies accordingly. Although ACs are widely used and standardized, to the best of our knowledge, no mobile infrastructure or service currently utilizes them. In this paper, we first examine how basic Public Key Infrastructure (PKI) can be incorporated into mobile networks and especially the Universal Mobile Telecommunications System (UMTS). As a case study, we then experiment with ACs in the GPRS network, using a prototype implementation. In particular, we investigate and measure the performance in terms of service and transfer times when ACs are introduced in the mobile environment. Our measurements show that ACs technology not only is feasible to implement in present and future mobile networks, but at the same time can deliver flexible and relatively fast services to the subscribers, without compromising security.

M. Karyda, S. Kokolakis, E. Kiountouzis, Information Systems Security and the Structuring of Organisations, 7th International Conference on the Social and Ethical Impacts of Information and Communication Technologies (ETHICOMP 2004), T. Bynum, N. Pouloudi, S. Rogerson, T. Spyrou, (eds), pp. 451-461, Apr, 2004, Syros, Greece, University of the Aegean
Abstract

This study explores the consequences of the introduction of a security plan into organisations by means of a case study of a non-governmental organisation for the treatment of individuals with drug addiction. The paper mainly focuses on the implications of the application of a security plan to the social system in the organisation. The framework for analysis used for the case study is based on the fundamental tenets of A. Giddens’ structuration theory. Structuration theory can be used as an analysis tool for studying the interplay between social structures and human agency and also provides the framework for taking into account aspects of organisational change. This study contributes to the stream of research on the implications of implementing security plans and policies in the organisational context, which is still in a very early stage.

G. Kambourakis, D. P. Kontoni, I. Sapounas, Introducing Attribute Certificates to Secure Distributed eLearning or mLearning Services, 4th IASTED Web Based Education (WBE , pp. 436-440, Feb, 2004, Innsbruck, Austria, ACTA Press, http://www.actapress.com/Abstract.asp...
Abstract

Motivating by the fact that public key cryptography is continuously evolving and its installed base is growing singniffically, very recent research works examine the potential use of it in eLearning or mLearning services. Attribute or temporary Certificates (ACs) seconded by Public Key Infrastructure (PKI) can provide the appropriate framework to secure distributed interactive eLearning applications, offering mutual “trust” to both learners and service providers. Considering PKI requirements for eLearning networks, the paper discusses the potential application of ACs in a proposed trust model. In the concept of that model, typical eLearning trusts interactions between eLearners and providers are presented, which demonstrate that robust security mechanisms and effective trust control can be obtained and implemented. The application of ACs to support mLearning are also presented and evaluated through an experimental test bed setup.

[238]
E. Konstantinou, Y. Stamatiou, C. Zaroliagis, On the Use of Weber Polynomials in Elliptic Curve Cryptography, Public Key Infrastructure - EuroPKI 2004, pp. 335-349, 2004, LNCS Vol. 3093
[239]
E. Konstantinou, V. Liagkou, P. Spirakis, Y. Stamatiou, M. Yung, Electronic National Lotteries, Financial Cryptography - FC 2004, pp. 147-163, 2004, LNCS Vol. 3110, Springer - Verlag
E. Loukis, S. Kokolakis, Computer supported collaboration in the public sector: the ICTE-PAN project, 2nd EGOV Conference , Sep, 2003, Prague, Czech Republic
Abstract

Electronic Government today focuses mainly on offering citizens and enterprises the capability to perform electronically their transactions with the Public Administration and also on the electronic delivery of the currently existing public services over the Internet. However, the huge potential of ICTs has only to a small extent been exploited in the higher level and most critical functions of Public Administration, such as the development, monitoring and evaluation of public policies and programmes, the decision-making for difficult and complex social problems, or for granting licenses and permissions with high social impact, etc. This paper is dealing with the exploitation of the meth-odologies and technologies of Computer Supported Collaborative Work (CSCW) in these directions. A general functional and technological architecture of a Government to Government (G2G) collaborative environment is de-scribed, for supporting the above high level functions of Public Administration, which has been designed as part of the ICTE-PAN Project. It is based on an ex-tension of the classical Workflow Model, in order to include both ‘Single Per-son Activities’ and ‘Collaborative Activities’, and also on the use of modelling techniques and ontologies, in order to achieve a high level of adaptability to diverse requirements.

[241]
L. Mitrou, K. Moulinos, Privacy and Data Protection in Electronic Communications, MMM-ACNS, V. Gorodetsky, L. Popyack, V. Shormin, (eds), pp. 432-436, Sep, 2003, St. Petersburg, Springer
C. Lambrinoudakis, S. Kokolakis, M. Karyda, V. Tsoumas, D. Gritzalis, S. K. Katsikas, Electronic Voting Systems: Security Implications of the Administrative Workflow, 14th International Workshop on Database and Expert Systems Applications (DEXA 2003), W06: International Workshop on Trust and Privacy in Digital Business (TrustBus), pp. 467-471, Sep, 2003, Prague, Czech, IEEE Computer Society Press
Abstract

With the rapid growth of the Internet, online voting appears to be a reasonable alternative to conventional elections and other opinion expressing processes. Current research focuses on designing and building “voting protocols” that can support the voting process, while implementing the security mechanisms required for preventing fraud and protecting voter's privacy. However, not much attention has been paid to the administrative part of an electronic voting system that supports the actors of the system. Possible “security gaps” in the administrative workflow may result in deteriorating the overall security level of the system, even if the voting protocol implemented by the system succeeds to fully comply with the security requirements set for voting. To this direction, this paper describes the responsibilities and privileges of the actors involved in the electronic voting process. The description of the role of each actor, together with the clear indication of what each actor is expected - and thus allowed - to do with the system, formulate an operational framework that complements the technological security features of the system and allows us to talk about “secure electronic voting systems”.

[243]
S. Kokolakis, C. Lambrinoudakis, D. Gritzalis, A Knowledge-Based Repository Model for Security Policies Management, MMM-ACNS-2003 2nd International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security, V. Gorodetski, L. Popyack, V. Skormin , (eds), pp. 112-121, Sep, 2003, St. Petersburg, Russia, Springer, LNCS 2776
P. Rizomiliotis, N. Kolokotronis, N. Kalouptsidis, On the quadratic span of binary sequences, 2003 IEEE International Symposium on Information Theory, pp. 377, Jul, 2003, Yokohama, Japan, IEEE Press
Abstract

We present an efficient algorithm for finding the shortest feedback shift register, with quadratic feedback function, that generates a given finite--length sequence. This algorithm exploits the special structure of the coefficient matrix formed when the problem is expressed in terms of matrix equations.

M. Karyda, S. Kokolakis, E. Kiountouzis, Content, Context, Process Analysis of IS Security Policy Formation, 18th IFIP International Conference on Information Security, D. Gritzalis, S. de Capitani di Vimercati, P. Samarati, S.K.Katsikas , (eds), pp. 145-156, May, 2003, Athens, Greece, Kluwer Academic Publishers
Abstract

Security management is now acknowledged as a key constituent of Information Systems (IS) management. IS security management traditionally relies on the formation and application of security policies. Most of the research in this field address issues regarding the structure and content of security policies; whereas the context within which security policies are conceived and developed remains rather unexplored. However, security policies that are formed without taking into account the specific social and organisational environment within which they will be applied, are often proven to be inapplicable or ineffective. In this paper we explore the issues pertaining to the formation of security policies under the perspective of contextualism. Within the framework of contextualism, we study the context, content and process of IS security policies development. This paper aims to contribute to IS security research by bringing forth the issue of context-dependent formation of security policies. In addition, it provides a contextual framework, which we expect to improve the effectiveness of IS security policies development.

G. Kambourakis, A. Rouskas, S. Gritzalis, Introducing PKI to enhance Security in Future Mobile Networks, IFIPSEC’2003 18th IFIP International Information Security Conference, D. Gritzalis P. Samarati, S. K. Katsikas, S. De Capitani di Vimercati, (eds), pp. 109-120, May, 2003, Athens, Greece, Kluwer Academic Publishers, http://link.springer.com/chapter/10.1...
Abstract

Current wireless network standards perform user authentication, signaling and data encryption, as well as message integrity protection, by utilizing only symmetric key methods. However, as mobile networks are evolving into full-IP and the communication is envisaged to change from second generation (2G) person-to-person model to fourth generation (4G) machine-to-machine model, there is greater demand to provide more flexible, reconfigurable and scalable security mechanisms that can advance in a many-to-many trust relationship model. Employing public key methods in many-to-many schemes drops the requirement for a secure channel to transfer keys between two communication parties, thus providing the appropriate scalability to the whole system. With a large number of different network technologies and operators, expected in the future mobile communications environment, that should frequently and seamlessly interwork with each other, and a constantly increasing population of communication parties, capturing the full benefits of open channel key transfers and scaling public key methods requires Public Key Infrastructure (PKI). In this paper, we discuss and investigate different ways to take advantage of a proposed PKI system. From the network side, we investigate how PKI can provide future inter/intra mobile core network security, while from the user’s perspective we present solutions that far enhance authentication procedures and end-to-end communication model trust. We show that PKI offers the appropriate framework to overcome symmetric key based security inefficiencies, providing powerful solutions to protect both network core signaling and user’s data from potential intruders.

[247]
E. Konstantinou, Y. Stamatiou, C. Zaroliagis, On the Construction of Prime Order Elliptic Curves, Progress in Cryptology - INDOCRYPT 2003, pp. 309-322, 2003, LNCS Vol. 2904, Springer - Verlag
G. Kambourakis, A. Rouskas, S. Gritzalis, Using SSL/TLS in Authentication and Key Agreement Procedures of Future Mobile Networks, 4th International IEEE Workshop on Mobile and Wireless Communications Networks, pp. 152-156, Sep, 2002, Stockholm, Sweden, IEEE CPS Conference Publishing Services, http://ieeexplore.ieee.org/xpl/articl...
Abstract

Existing security schemes in 2G and 3G systems are inadequate, as there is a greater demand to provide a more flexible, reconfigurable and scalable security mechanism that can advance as fast as mobile hosts are evolving into full-IP enabled devices. Work has already begun on such an "all-IP" end-to-end solution, commonly referred to as 4G systems. Fully-fledged integration between mobile networks and the Internet demands fully compatible, time-tested and reliable mechanisms to depend on. SSL/TLS protocol has proved its effectiveness in wired Internet and it will probably be the most promising candidate for future wireless environments. We discuss existing problems related to authentication and key agreement procedures (AKA), such as compromised authentication vectors attacks, as they appear in 2G and 3G systems, and propose how SSL/TLS can be used to overcome these inefficiencies. Further on, we mark down additional benefits that stem from the introduction of SSL/TLS combined with the appropriate PKI elements in the 4G wireless environment.

P. Rizomiliotis, N. Kolokotronis, N. Kalouptsidis, Construction of sequences with four-valued autocorrelation from GMW sequences, 2002 IEEE International Symposium on Information Theory, pp. 183, Jun, 2002, Lausanne, Switzerland, IEEE Press
Abstract

In this paper GMW sequences with relatively prime periods are employed to develop large families of balanced sequences with four–valued autocorrelation

D. Gritzalis, M. Karyda, L. Gymnopoulos, Elaborating Quantitative Approaches for IT Security Evaluation, 17th International Conference on Information Security (SEC 2002), M. Adeeb Ghonaimy, Mahmoud T. El-Hadidi, and Heba K. Aslan , (eds), pp. 67-77, May, 2002, Cairo, Egypt, Kluwer Academic Publishers
Abstract

Information Systems security evaluation is a sine qua non requirement for effective IT security management, as well as for establishing trust among different but cooperating business partners. This paper initially provides a critical review of traditionally applied evaluation and certification schemes. Based upon this review, the paper stresses the need for an approach that is quantitative in nature and can address the problem of IS operational security. Then, such an approach is presented, mainly based on an existing complex of models (CEISOQ) for evaluating IS operation quality. It is argued that there are certain benefits if this approach is applied in combination with the traditional qualitative ones.

[251]
S. Ikonomopoulos, C. Lambrinoudakis, D. Gritzalis, S. Kokolakis, K. Vassiliou, Functional Requirements for a Secure Electronic Voting System, IFIP TC11 17th International Conference on Information Security (IFIP/SEC2002), M.A. Ghonaimy, M. El-Hadidi, H. K. Aslan , (eds), pp. 507-519, May, 2002, Cairo, Egypt, Kluwer Academic Publisher
[252]
L. Mitrou, D. Gritzalis, S. K. Katsikas, Revisiting legal and regulatory requirements for secure e-voting , Proceedings, IFIP SEC 2002, pp. 469-480, 2002, Cairo, Egypt
[253]
E. Konstantinou, Y. Stamatiou, C. Zaroliagis, On the Efficient Generation of Elliptic Curves over Prime Fields, Cryptographic Hardware and Embedded Systems - CHES 2002, pp. 333-348, 2002, LNCS Vol. 2523, Springer - Verlag
[254]
E. Konstantinou, Y. Stamatiou, C. Zaroliagis, A Software Library for Elliptic Curve Cryptography, European Sumposium in Algorithms - ESA 2002, pp. 625-636, 2002, LNCS 2461, Springer - Verlag
[255]
L. Mitrou, Data Protection: a new constitutional right, Center for European Consitutional Law - Conferences, D. Tsatsos, V. Venizelos, X. Kontiadis, (eds), pp. 143-157, Oct, 2001, Athens, Ekdoseis Sakkoula
M. Karyda, S. Kokolakis, E. Kiountouzis, Redefining Information Systems Security: Viable Information Systems, 16th IFIP International Conference on Information Security (SEC 2001), M. Dupuy, P. Paradinas , (eds), pp. 453-467, Jun, 2001, Paris, France, Kluwer Academic Publishers
Abstract

Research on Information Security has been based on a well-established definition of the subject. Consequently, it has delivered a plethora of methods, techniques, mechanisms and tools to protect the so-called security attributes (i.e. availability, confidentiality and integrity) of information. However, modern Information Systems (IS) appear rather vulnerable and people show mistrust on their ability to deliver the services expected. This phenomenon leads us to the conclusion that information security does not necessarily equal IS security. In this paper, we argue that IS security, contrary to information security, remains a confusing term and a neglected research area. We attempt to clarify the meaning and aims of IS security and propose a framework for building secure information systems, or as we suggest them to be called, viable information systems.

[257]
C. Lambrinoudakis, S. Kokolakis, D. Gritzalis, Recurrent IT Security Issues and Recommendations: Learning from Risk Assessment Reviews, IFIP WG 9.6/11.7 Working Conference on Security and Control of IT in Society II (SCITS-II), pp. 185-195, Jun, 2001, Bratislava, Slovakia
N. Kolokotronis, P. Rizomiliotis, N. Kalouptsidis, First-order optimal approximation of binary sequences, 2001 Conference on Sequences and Their Applications, T. Helleseth, P. V. Kumar, and K. Yang , (eds), pp. 242-256, May, 2001, Bergen, Norway, Series in Discrete Mathematics and Theoretical Computer Science, Springer
Abstract

A new family of balanced sequences over Fp, p odd prime, with the optimal correlation property is presented. The construction is based on p-ary Helleseth-Gong sequences with ideal autocorrelation. The family contains pn balanced sequences of period p2n−1. The correlation spectrum peak nontrivial value does not exceed 1 + pn, i.e. it is optimal in terms of Welch’s lower bound. The linear span of the sequences is 2n( n k + 2), where k is a divisor of n such that n/k is odd.

D. Gritzalis, K. Moulinos, J. Iliadis, C. Lambrinoudakis, S. Xarhoulacos, PyTHIA: Towards Anonymity in Authentication, IFIP 16th International Conference on Information Security, M. Dupuy, P. Paradinas, (eds), pp. 1-17, 2001, Paris, France, Kluwer Academic Publishers
Abstract

There is a scale between authentication and anonymity, which is currently leaning towards the side of authentication, when it comes to e-commerce. Service providers and merchants are usually keeping track of user-related information in order to construct behavioural profiles of their customers. Service providers and merchants also correlate profiles of this kind, stemming from different sources, in order to increase their profit. This correlation is usually performed with the use of Unified Codes. Authentication, confidentiality, integrity, authentication, and non-repudiation are necessary functionalities for enabling e-commerce. Most of the currently used mechanisms that support these services do not provide anonymity. This paper presents PyTHIA, a mechanism, which is based on the use of Message Digest Algorithms and the intermediation of Trusted Third Parties in order to provide anonymity to e-commerce users who have to authenticate themselves in order to access services or buy goods from service providers and merchants respectively. With PyTHIA e-commerce users are able to authenticate without giving away any personal data and without using Unified Codes. In addition, PyTHIA ensures that service providers and merchants can effectively trace a customer in case he behaves maliciously.

S. Kokolakis, M. Karyda, D. Gritzalis, Information systems security management in virtual organizations, 4th International Conference on Security in Information Systems (SIS2000), (eds), pp. 109-125, Oct, 2000, Zurich, Switzerland
Abstract

The virtual organization is a new form of organization possessing the characteristic of incorporating business units with a high degree of autonomy. This form of organization, which is expected to become the dominant organizational paradigm for the 21st century, strongly depends on the effectiveness of cooperation among the autonomous Information Systems (IS) of each business unit. Developing a security policy and installing security controls for each IS appears as a prerequisite for the survival of the virtual organization, but on the other hand it may severely hinder IS cooperation, as policies and controls often give rise to conflicts and interoperability problems. In this paper, we analyse the problem of managing IS security in multi-policy environments and introduce a Security Policies Management System (SPMS) that facilitates the management of IS security in virtual organizations and supports the resolution of conflicts between security policies.

J. Iliadis, D. Spinellis, S. K. Katsikas, D. Gritzalis, B. Preneel, Evaluating Certificate Status Information Mechanisms, Information Security Solutions Europe ISSE 2000, European Forum for Electronic Business, Sep, 2000, Barcelona, Spain
Abstract

A number of mechanisms have been proposed for generating and disseminating information on the status of certificates. Their operation is different, if not contradicting sometimes, and advantages and disadvantages depend on the requirements of the underlying PKI. PKI designers and implementors should perform a small scale study before deploying such a mechanism in a specific PKI, in order to select the most suitable mechanism for their environment. This paper presents a method for categorising Certificate Status Information mechanisms, depending on their elementary functionality. This taxonomy can be used as a guide for selecting CSI mechanisms to be used in large-scale PKI deployment efforts.

[262]
T. Tryfonas, D. Gritzalis, S. Kokolakis, A qualitative approach to information availability, 15th International Information Security Conference (IFIP/SEC 00), (eds), Aug, 2000, Beijing, China
[263]
L. Mitrou, Privacy Protection on the Internet, EETT, pp. 71-85, May, 1999, Athens, EETT
[264]
L. Mitrou, Technology, Commerce and Data Proetction, Conference of the Association of the Greek Commercialista, pp. 173-198, Nov, 1998, Delfoi
J. Iliadis, S. Gritzalis, V. Oikonomou, Towards Secure Downloadable Executable Content: The Java Paradigm, SAFECOMP, W. D. Ehrenberger, (ed), pp. 117-127, Oct, 1998, Heidelberg, Germany, Springer LNCS 1516, http://link.springer.com/content/pdf/...
Abstract

Java is a programming language that conforms to the concept of downloadable, executable content. Java offers a wide range of capabilities to the application programmer, the most important being that a program may be executed remotely, without any modification, on almost any computer regardless of hardware configuration and operating system differences. However, this advantage raises a serious concern : security. When one downloads and executes code from various Internet sources, he is vulnerable to attacks by the code itself. A security scheme must be applied in order to secure the operations of Java programs. In this paper, the Java security scheme is examined and current implementations are evaluated on the basis of their efficiency and flexibility. Finally, proposed enhancements and upcoming extensions to the security model are described.

S. Gritzalis, J. Iliadis, V. Oikonomou, Security issues surrounding the Java programming language, 14th IFIPSEC , G. Papp, R. Posch, (eds), pp. 3-14, Sep, 1998, Vienna, Austria, IFIP & Austrian Computer Society, http://delivery.acm.org/10.1145/51000...
Abstract

JAVA is claimed to be a programming language that introduces new methods for platform?independent development and remote execution. However, the ability to download, integrate, and execute code from a remote computer raises serious concerns about JAVA's effect on network security. In this paper, a brief introduction to the JAVA programming language is given, the potential security risks of downloadable executable content is discussed, the details of the proposed JAVA security mechanism are presented, and an evaluation of the current implementations is discussed. Finally, proposed enhancements and upcoming extensions to the security model are described.

S. Gritzalis, J. Iliadis, Addressing security issues in programming languages for mobile code, DEXA 1998, R. Wagner, (ed), pp. 288-293, Aug, 1998, Vienna, Austria, IEEE CPS Conference Publishing Services, http://ieeexplore.ieee.org/xpl/login....
Abstract

The services offered to the Internet community have been constantly increasing the last few years. This is mainly due to the fact that mobile code has matured enough in order to provide the Internet users with high quality applications that can be executed remotely. When a user downloads and executes code from various Internet sources, security issues arise. In this paper, we are addressing the latter and we present a comparative evaluation of the methods used by Java, Safe-Tcl and ActiveX in order to confront with these issues, based on current security functions and implementations as well as on future adjustments and extensions.

[268]
L. Mitrou, Privacy: The hesitant and uncertain course of personal data protection, Twenty years of the Greek Constitution, Sakkoulas, (ed), pp. 33-52, 1998, Athens-Komotini
S. K. Katsikas, D. Spinellis, J. Iliadis, B. Blobel, Using trusted third parties for secure telemedical applications over the WWW: The EUROMED-ETS approach, Pre-Proceedings of the IMIA WG4 working Conference on Common Security Solutions for Communicating Patient Data, International Medical Informatics Association (IMIA), Nov, 1997, Osaka/Kobe, Japan
Abstract

This paper reports on the results obtained by the pilot operation of Trusted Third Parties (TTP) for secure telemedical applications over the WWW The work reported on herein was carried out within the context of EUROMED-ETS, a R&D project funded by the INFOSEC office of Directorate General XIII of the European Union. The paper discusses the platform used, the security needs of the specific application, the TTP solution provided, the steps taken in order to implement the solution at a pilot scale and the results of the pilot opreration; it is compiled using material included in the project deliverables.

[270]
S. Kokolakis, Is there a need for new information security models?, 2nd Communications and Multimedia Security Conference (CMS 96), (eds), Sep, 1996, Hessen, Germany
[271]
E. Kiountouzis, S. Kokolakis, An analyst's view of information systems security, 12th International Information Security Conference (IFIP/SEC 96), (eds), May, 1996, Samos, Greece