Privacy – STRICT SociaLab

A Risk Estimation Mechanism for Android Apps based on Hybrid Analysis

STRICT SociaLab members Prof. Elena Ferrari, Prof. Barbara Carminati, and Ha Xuan Son have published their new paper entitled: “A Risk Estimation Mechanism for Android Apps based on Hybrid Analysis” in the Data Science and Engineering journal.

The following is the abstract of the new publication:

Mobile apps represent essential tools in our daily routines, supporting us in almost every task. However, this assistance might imply a high cost in terms of privacy. Indeed, mobile apps gather a massive amount of data about individuals (e.g., users’ profiles and habits) and their devices (e.g., locations), where not all are strictly needed for app execution. According to privacy laws, apps’ providers must inform end-users on adopted data usage practices (e.g., which data are collected and for which purpose). Unfortunately, understanding these practices is a complex task for average end-users. The result is that they install apps without understanding their privacy implications. To support users in making more privacy-aware decisions on app usage, we propose a risk estimation approach based on an analysis of the app’s code. This analysis adopts a hybrid strategy, exploiting static and dynamic code analyses. Static analysis aims at discovering which personal data an app is collecting to determine whether the target app is asking more than required. This gives the first estimation of the app’s risk level. In addition, we also perform a dynamic analysis of the target app’s code. This further analysis helps determining whether the collected personal data is consumed locally on the mobile device or sent out to external services. If this happens, the risk level has to be increased, as personal data are more exposed. To prove the proposal’s effectiveness, we run several experiments involving different groups of participants. The obtained accuracy results are promising and outperform those obtained with static analysis only.

Research Papers Android, Mobile Applications, Privacy, Research

PAutoBotCatcher: A blockchain-based privacy-preserving botnet detector for Internet of Things

STRICT SociaLab members Prof. Elena Ferrari, Prof. Barbara Carminati, and Ahmed Lekssays have published their new paper entitled: “PAutoBotCatcher: A blockchain-based privacy-preserving botnet detector for Internet of Things” at Computer Networks journal.

The following is the abstract of the new publication:

Botnets have become a major threat in the Internet of Things (IoT) landscape, due to the damages that these sets of compromised IoT devices may cause. To increase their attacks’ success, modern botnets are designed in a distributed manner, following a P2P structure. Recently, several botnet detection solutions have been proposed. Among them, community behavior analysis solutions seem to be promising because of their high detection accuracy. However, such solutions are not optimized for real life scenarios since they only run in a static mode, that is, reading all network traffic at once. As such, they do not support real-time data analysis. In order to handle such issue, these solutions should run in a dynamic distributed environment where different actors participate in the detection process. However, this collaborative environment brings up the issue of trust among the actors.

To address this issue, in this paper, we present PAutoBotCatcher, a dynamic botnet detection framework based on community behavior analysis among peers managed by different actors. PAutoBotCatcher leverages on blockchain to ensure immutability and transparency among all actors. To optimize continuous detection while keeping good accuracy, we design a set of optimization techniques, such as caching detection’s output and pre-processing the shared network traffic. In addition, we leverage on different privacy-preserving techniques to protect devices from re-identification during the botnet detection process. We have extensively tested our solution to show its effectiveness and to demonstrate that blockchain is a good solution for dynamic botnet detection.

security and privacy Blockchain, Iot, Privacy, Security

Blockchain-based Privacy Enforcement in the IoT domain

STRICT SociaLab members Prof. Elena Ferrari, Prof. Barbara Carminati, and Federico Daidone have published their new paper entitled: “Blockchain-based Privacy Enforcement in the IoT domain” at the IEEE Transactions on Dependable and Secure Computing.

The following is the abstract of the new publication:

The Internet of Things (IoT) pervades our lives every day and has given end users the opportunity of accessing personalized and advanced services based on the analysis of the sensed data. However, IoT services are also characterized by new challenges related to security and privacy because end users often share sensitive data with different consumers without precise knowledge of how they will be managed and used. To cope with these issues, we propose a blockchain-based privacy enforcement framework where users can define how their data can be used and check if their will is respected without relying on a centralized manager. The preliminary tests we performed, simulating different scenarios, show the feasibility of our approach.

security and privacy Blockchain, Iot, Privacy

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.