Refine
Departments, institutes and facilities
- Institut für Cyber Security & Privacy (ICSP) (307) (remove)
Document Type
- Conference Object (201)
- Article (60)
- Part of a Book (13)
- Book (monograph, edited volume) (7)
- Contribution to a Periodical (7)
- Doctoral Thesis (5)
- Conference Proceedings (4)
- Preprint (4)
- Report (3)
- Lecture (2)
Year of publication
Keywords
- Usable Security (11)
- DPA (6)
- Privacy (6)
- Robotics (6)
- HTTP (5)
- security (5)
- Cloud (4)
- GDPR (4)
- Machine Learning (4)
- Power Analysis (4)
- REST (4)
- Risk-based Authentication (4)
- Usable Privacy (4)
- Web (4)
- Authentication (3)
- Big Data Analysis (3)
- Cooperative Awareness Message (3)
- Fault analysis (3)
- IP protection (3)
- Intelligent Transport System (3)
- Java <Programmiersprache> (3)
- Pseudonym Concept (3)
- Python <Programmiersprache> (3)
- SOA (3)
- Security (3)
- Side Channel Analysis (3)
- Stochastic Model (3)
- Vehicular Ad hoc Networks (3)
- visualization (3)
- web caching (3)
- web services (3)
- Basic Access Control (2)
- Boolean Masking (2)
- Cloud Security (2)
- Computersicherheit (2)
- E-Passport (2)
- Embedded software (2)
- Host-Based Code Injection Attacks (2)
- Human-Centered Design (2)
- LOTUS Sensor Node (2)
- MESD (2)
- MRTD (2)
- Malware (2)
- Malware analysis (2)
- Memory forensics (2)
- Mobility modeling (2)
- Password (2)
- Public Key Infrastructure (2)
- Rapid Prototyping (2)
- Risk-based Authentication (RBA) (2)
- SEMA (2)
- SOAP (2)
- Side Channel Cryptanalysis (2)
- Side-channel analysis (2)
- Smart Card (2)
- Software (2)
- TLS (2)
- Template Attack (2)
- Testing (2)
- TinyECC 2.0 (2)
- Usable Security and Privacy (2)
- User Interface Design (2)
- Vehicle-to-Vehicle Communication (2)
- WS-Security (2)
- Wireless Sensor Network (2)
- XML Signature (2)
- XML Signature Wrapping (2)
- knowledge learning (2)
- neural networks (2)
- usable privacy (2)
- virtual reality (2)
- AES (1)
- AES hardware (1)
- AMD Family 15h (1)
- API Documentation (1)
- API usability (1)
- ARM Cortex M3 Processor (1)
- Account (Datenverarbeitung) (1)
- Account Security (1)
- Adaptive Media Streaming (1)
- Adaptive Streaming (1)
- Advance Encryption Standard (1)
- Adversarial Model (1)
- Affective computing (1)
- Agent-oriented software engineering (1)
- Analysis (1)
- Antifuse memory (1)
- Artificial Intelligence (1)
- Assistive robots (1)
- Attacks and Attack Implementations (1)
- Authentication features (1)
- Authentifikation (1)
- Authorship watermark (1)
- Autonomous Systems (1)
- Bag of Features (1)
- Beacon Chain (1)
- Behaviour-Driven Development (1)
- Benchmarking (1)
- Biometrics (1)
- Black Hole (1)
- Block cipher (1)
- Boolean and arithmetic operations (1)
- Botnet tracking (1)
- Botnets (1)
- Browser cache (1)
- COPACOBANA (1)
- CPA (1)
- CPUID instruction (1)
- CRT (1)
- CUDA (1)
- Cache Poisoning (1)
- Cache line fingerprinting (1)
- Cache-independent (1)
- Certificates (1)
- Chip ID (1)
- Cipher Block Chain (1)
- Cloud Computing security (1)
- Cloud Malware Injection (1)
- Cloud Standards (1)
- CoAP (1)
- Code Generation (1)
- Code similarity analysis (1)
- Common Criteria (1)
- Component Models (1)
- Computer Security (1)
- Conficker (1)
- Conformance Testing (1)
- Content Security Policies (1)
- Conversational Interface (1)
- Cooperative Intelligent Transport Systems (ITS) (1)
- Counterfeit protection (1)
- Countermeasures (1)
- Covert channel (1)
- Cross-core (1)
- Cryptography (1)
- Cyber Attacks (1)
- Cyber Security (1)
- Cybercrime (1)
- Cybercrime Legislation (1)
- Cypher (1)
- D [Software] (1)
- DASH (1)
- DEMA (1)
- DES (1)
- DFA Lab (1)
- DNSSEC (1)
- DPA Lab (1)
- Data Compression (1)
- Data Generation (1)
- Data Protection Officer (1)
- Data Reduction (1)
- Data Tiles (1)
- Denial of Service (1)
- Design patterns (1)
- Developer Centered Security (1)
- Difference-coding (1)
- Differential Side Channel Cryptanalysis (1)
- Differential analysis (1)
- Differential side-channel analysis (1)
- Differentielle Kryptoanalyse (1)
- Digital Ecosystem (1)
- Digital signatures (1)
- Digital watermarking (1)
- Disaster Area (1)
- Disaster area scenario (1)
- Distance Bounding (1)
- Domain Expert (1)
- Domain-Specific Modeling Languages, (1)
- Domestic service robots (1)
- E-Health (1)
- EM Algorithm (1)
- EM leakage (1)
- Earth Observation (1)
- Eclipse Modeling Framework (1)
- Eingebettetes System (1)
- Electromagnetic Analysis (1)
- Electronic Immobilizer (1)
- Elliptic Curve Cryptography (1)
- Employee Privacy (1)
- Employee data protection (1)
- Ethereum (1)
- Evaluation (1)
- Expert Interviews (1)
- Explainability (1)
- FPGA implementation (1)
- Fake Link (1)
- Fault Channel Watermarking Lab (1)
- Fault-channel watermarks (1)
- Fehlerbehandlung (1)
- File carving (1)
- Fingerprint watermark (1)
- Fragmented files (1)
- Frontend architecture (1)
- Full-text Search (1)
- Gaussian Mixture Models (1)
- Graphics Cards (1)
- HMAC-construction (1)
- HTML5 (1)
- HTTPS (1)
- Hardware Testbed (1)
- Header whitelisting (1)
- High-Order Attacks (1)
- Higher-Order Analysis (1)
- Higher-Order Side Channel Analysis (1)
- Human factors (1)
- Human robot interaction (1)
- Human-Robot Interaction (1)
- Human-Robot-Interaction (HRI) (1)
- Human-agent interaction (1)
- Humanoid Robot (1)
- IC identification (1)
- IDEA (1)
- ISO 27000 (1)
- IT-Sicherheitsanforderungen (1)
- Implementation Attack (1)
- Implementation Challenges (1)
- Information Privacy (1)
- Information hiding (1)
- Informational self-determination (1)
- Informationssicherheit (1)
- Instruction scheduling (1)
- Integrate Development Environment (1)
- Interactive Smart Card Applications (1)
- Intermediaries (1)
- Internet Technology (1)
- IoT services security (1)
- JOSE (1)
- JPEGs (1)
- JSON (1)
- Key Search Machine (1)
- Language Engineering (1)
- Large-Scale Online Services (1)
- Leakage circuits (1)
- Legal metrology (1)
- Live Streaming (1)
- Login (1)
- MRTD Cracker (1)
- Mafia Attack (1)
- Malware Detection (1)
- Manipulation tasks (1)
- Maximum Likelihood Principle (1)
- Mental Models (1)
- Message Authentication (1)
- Microarchitectural Data Sampling (MDS) (1)
- Microservices (1)
- Minimum Principle (1)
- Mobility Model (1)
- Model-Based Software Development (1)
- Model-Driven Engineering (1)
- Model-based Approach (1)
- Model-based engineering approaches to AI safety (1)
- Model-driven Development (1)
- Model-driven engineering (1)
- Motion Generator (1)
- Motor Control Unit (1)
- Multi-hop Net-works (1)
- Multimedia Communication (1)
- Multimedia forensics (1)
- Multithreaded and multicore architecture (1)
- Multivariate Analyse (1)
- Multivariate Side Channel Analysis (1)
- Neural Machine Translation (1)
- Online Services (1)
- OpenStack (1)
- PHR (1)
- Partial Data Protection (1)
- Partial Signature (1)
- PartialEncryption (1)
- Password Masking (1)
- Password Visualization (1)
- Passwords (1)
- Passwort (1)
- People Detection (1)
- Performance (1)
- Performance Analysis (1)
- Performance Evaluation (1)
- Periodic structures (1)
- Personal Health Record (1)
- Phishing (1)
- Physical Security (1)
- Physikalischer Effekt (1)
- Plagiat (1)
- Privacy engineering (1)
- Privacy in the workplace (1)
- Privacy patterns (1)
- Privacy perceptions (1)
- Process Models (1)
- Proof of Stake (1)
- Public Key Infrastructures (1)
- Push-based Streaming (1)
- QoS (1)
- RACS (1)
- RBAR (1)
- RC6 (1)
- REST security (1)
- RF Eavesdropper (1)
- RFID (1)
- RGB-D (1)
- RSA (1)
- Rank correlation (1)
- Re-authentication (1)
- Reference Architectural Model Automotive (RAMA) (1)
- Requirements (1)
- Requirements Engineering (1)
- Restful Web Services (1)
- Reusable Software (1)
- Right to Informational Self-Determination (1)
- Risk-Based Account Recovery (1)
- Robot Perception (1)
- Robot software (1)
- Robotics competitions (1)
- Robots (1)
- Runtime AI safety monitoring (1)
- Runtime Adaptation (1)
- SAML (1)
- SELMA (1)
- SHA-1 (1)
- SQL (1)
- SaaS (1)
- ScalarMultiplication (1)
- Schutzobjekte (1)
- Second-Order DPA (1)
- Secure Cloud Storage (1)
- Secure Coding Practices (1)
- Secure data transfer (1)
- Security APIs (1)
- Security Approaches (1)
- Security Protocol (1)
- Seitenkanalattacke (1)
- Semantic gap (1)
- Semantic scene understanding (1)
- Semi-Virtual Testbed (1)
- Service-Oriented Architecture (1)
- Sichere Kommunikation Kritische Infrastrukturen (1)
- Side Channel Countermeasures (1)
- Side Channel Cryptanalysis, Stochastic Methods (1)
- Side Channel Watermarking Lab (1)
- Side channel attack (1)
- Side channels (1)
- Side-channel watermarking (1)
- Similarity matrix (1)
- Simulator (1)
- Smart Card User Interface Design, Interactive Smart Card Applications (1)
- SmartMANET Jamming (1)
- Software Architectures (1)
- Software Development Process (1)
- Software IP protection (1)
- Software Security (1)
- Software and Architecture (1)
- Software reverse engineering (1)
- Stream cipher (1)
- Stuxnet (1)
- Support Vector Machine (1)
- TOGBAD (1)
- Tactical Wireless Multi-hop Networks (1)
- Tamper-Proof Hardware (1)
- Tampering (1)
- Template Attacks (1)
- Template attacks (1)
- Templates (1)
- Testing Tool (1)
- Thin Client (1)
- Timing analysis (1)
- Timing channel (1)
- Transponder (1)
- Trusted Computing (1)
- Two-factor Authentication (1)
- UAV teleoperation (1)
- UI-Dressing (1)
- URI (1)
- Usability (1)
- User experience design (1)
- User-Centered Design (1)
- User-centered privacy engineering (1)
- VLSI (1)
- Variability Management (1)
- Variability Resolution (1)
- Vehicle-2-Infrastructure Kommunikation (1)
- Vehicle-2-Vehicle Communication (1)
- Vehicle-2-Vehicle Kommunikation (1)
- Vehicle-to- Vehicle Communication (V2V) (1)
- Vehicle-to-Infrastructure Communication (1)
- Vehicle-to-Infrastructure Communication (V2I) (1)
- Vehicle-to-Vehicle Com- munication (1)
- Vehicular Ad hoc Networks (VANETs) (1)
- Video (1)
- Warnings (1)
- Watermarking (1)
- Web Browser (1)
- Web Browser Cache (1)
- Web Information Systems and Technologies (1)
- Web Interfaces and Applications (1)
- Web Portal (1)
- Web Security (1)
- Web Service (1)
- Web Service Security (1)
- Web Services and Web Engineering (1)
- WebSocket (1)
- WebSockets (1)
- Wind Fields (1)
- Wind Flow Visualization (1)
- Wireless multi-hop networks (1)
- Wizard of Oz (1)
- Workflow (1)
- Worm Hole (1)
- XAI (1)
- XML (1)
- XML Security (1)
- XSpRES (1)
- ZombieLoad (1)
- analyses (1)
- analysis (1)
- attacks (1)
- benchmarking (1)
- blockchain (1)
- caching (1)
- classifier combination (1)
- clustering (1)
- cognitive agents (1)
- component based (1)
- cooperation (1)
- crawling (1)
- cryptanalytic attacks (1)
- cryptographic apis (1)
- denial-of-service (1)
- developer console (1)
- distributed systems (1)
- domestic robots (1)
- eavesdropping (1)
- embedded systems (1)
- emotion recognition (1)
- employee privacy (1)
- end-to-end security (1)
- factor analysis (1)
- feature extraction (1)
- focus groups (1)
- force sensing (1)
- human-centred design (1)
- humanoidrobot (1)
- industrial robots (1)
- informational self-determination (1)
- interactive-learning (1)
- intervention mechanisms (1)
- intrusion detection (1)
- latent class analysis (1)
- link quality (1)
- machine learning (1)
- manipulation (1)
- mental models (1)
- model-driven engineering (1)
- modular reduction (1)
- multi robot systems (1)
- network (1)
- neural-networks (1)
- object categorization (1)
- participatory design (1)
- privacy at work (1)
- privacy by design (1)
- property-based testing for robots (1)
- radio-frequency identification (RFID) systems (1)
- remote-controlled robots (1)
- reproducible node motion (1)
- reverse engineering, malware, machine learning (1)
- robot competitions (1)
- robotics (1)
- routing attacks (1)
- routing metrics (1)
- run-time adaptation (1)
- security and privacy literacy (1)
- security warning design (1)
- sensor fusion (1)
- services (1)
- signature (1)
- simulation (1)
- simulation-based robot testing (1)
- slip detection (1)
- smartcard (1)
- social robots (1)
- software development (1)
- software variability (1)
- structural equation modeling (1)
- tactical environments (1)
- tactical multi-hop networks (1)
- tactile sensing (1)
- transparency-enhancing technologies (1)
- usable privacy controls (1)
- usable secure email (1)
- user interface design (1)
- verification and validation of robot action execution (1)
- virtual-reality (1)
- web (1)
- web services security (1)
- website (1)
- wormhole detection (1)
Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication
(2024)
Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login, and requests re-authentication when feature values widely differ from those previously observed. It is recommended by various national security organizations, and users perceive it more usable than and equally secure to equivalent two-factor authentication. Despite that, RBA is still used by very few online services. Reasons for this include a lack of validated open resources on RBA properties, implementation, and configuration. This effectively hinders the RBA research, development, and adoption progress.
To close this gap, we provide the first long-term RBA analysis on a real-world large-scale online service. We collected feature data of 3.3 million users and 31.3 million login attempts over more than 1 year. Based on the data, we provide (i) studies on RBA’s real-world characteristics plus its configurations and enhancements to balance usability, security, and privacy; (ii) a machine learning–based RBA parameter optimization method to support administrators finding an optimal configuration for their own use case scenario; (iii) an evaluation of the round-trip time feature’s potential to replace the IP address for enhanced user privacy; and (iv) a synthesized RBA dataset to reproduce this research and to foster future RBA research. Our results provide insights on selecting an optimized RBA configuration so that users profit from RBA after just a few logins. The open dataset enables researchers to study, test, and improve RBA for widespread deployment in the wild.
Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example
(2023)
Online services have difficulties to replace passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing.
Risk-Based Authentication (RBA) can serve as an interim solution to increase password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice can be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, which is the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers.
Ziel der neunten Ausgabe des wissenschaftlichen Workshops "Usable Security und Privacy" auf der Mensch und Computer 2023 ist es, aktuelle Forschungs- und Praxisbeiträge auf diesem Gebiet zu präsentieren und mit den Teilnehmer:innen zu diskutieren. Getreu dem Konferenzmotto "Building Bridges" soll mit dem Workshop ein etabliertes Forum fortgeführt und weiterentwickelt werden, in dem sich Expert:innen, Forscher:innen und Praktiker:innen aus unterschiedlichen Domänen transdisziplinär zum Thema Usable Security und Privacy austauschen können. Das Thema betrifft neben dem Usability- und Security-Engineering unterschiedliche Forschungsgebiete und Berufsfelder, z. B. Informatik, Ingenieurwissenschaften, Mediengestaltung und Psychologie. Der Workshop richtet sich an interessierte Wissenschaftler:innen aus all diesen Bereichen, aber auch ausdrücklich an Vertreter:innen der Wirtschaft, Industrie und öffentlichen Verwaltung.
Risikobasierte Authentifizierung (RBA) ist ein adaptiver Ansatz zur Stärkung der Passwortauthentifizierung. Er überwacht eine Reihe von Merkmalen, die sich auf das Loginverhalten während der Passworteingabe beziehen. Wenn sich die beobachteten Merkmalswerte signifikant von denen früherer Logins unterscheiden, fordert RBA zusätzliche Identitätsnachweise an. Regierungsbehörden und ein Erlass des US-Präsidenten empfehlen RBA, um Onlineaccounts vor Angriffen mit gestohlenen Passwörtern zu schützen. Trotz dieser Tatsachen litt RBA unter einem Mangel an offenem Wissen. Es gab nur wenige bis keine Untersuchungen über die Usability, Sicherheit und Privatsphäre von RBA. Das Verständnis dieser Aspekte ist jedoch wichtig für eine breite Akzeptanz.
Diese Arbeit soll ein umfassendes Verständnis von RBA mit einer Reihe von Studien vermitteln. Die Ergebnisse ermöglichen es, datenschutzfreundliche RBA-Lösungen zu schaffen, die die Authentifizierung stärken bei gleichzeitig hoher Menschenakzeptanz.
Der Programmier-Trainingsplan für alle, die weiter kommen wollen.
In diesem Übungsbuch trainierst du anhand von kurzweiligen und praxisnahen Aufgaben deine Programmierfähigkeiten. Jedes Kapitel beginnt mit einem kurzen Warmup zum behandelten Programmierkonzept; die Umsetzung übst du dann anhand von zahlreichen Workout-Aufgaben. Du startest mit einfachen Aufgaben und steigerst dich hin zu komplexeren Fragestellungen. Damit dir nicht langweilig wird, gibt es über 150 praxisnahe Übungen. So lernst du z. B. einen BMI-Rechner oder einen PIN-Generator zu programmieren oder wie du eine Zeitangabe mit einer analogen Uhr anzeigen kannst. (Verlagsangaben)
Users should always play a central role in the development of (software) solutions. The human-centered design (HCD) process in the ISO 9241-210 standard proposes a procedure for systematically involving users. However, due to its abstraction level, the HCD process provides little guidance for how it should be implemented in practice. In this chapter, we propose three concrete practical methods that enable the reader to develop usable security and privacy (USP) solutions using the HCD process. This chapter equips the reader with the procedural knowledge and recommendations to: (1) derive mental models with regard to security and privacy, (2) analyze USP needs and privacy-related requirements, and (3) collect user characteristics on privacy and structure them by user group profiles and into privacy personas. Together, these approaches help to design measures for a user-friendly implementation of security and privacy measures based on a firm understanding of the key stakeholders.
The European General Data Protection Regulation requires the implementation of Technical and Organizational Measures (TOMs) to reduce the risk of illegitimate processing of personal data. For these measures to be effective, they must be applied correctly by employees who process personal data under the authority of their organization. However, even data processing employees often have limited knowledge of data protection policies and regulations, which increases the likelihood of misconduct and privacy breaches. To lower the likelihood of unintentional privacy breaches, TOMs must be developed with employees’ needs, capabilities, and usability requirements in mind. To reduce implementation costs and help organizations and IT engineers with the implementation, privacy patterns have proven to be effective for this purpose. In this chapter, we introduce the privacy pattern Data Cart, which specifically helps to develop TOMs for data processing employees. Based on a user-centered design approach with employees from two public organizations in Germany, we present a concept that illustrates how Privacy by Design can be effectively implemented. Organizations, IT engineers, and researchers will gain insight on how to improve the usability of privacy-compliant tools for managing personal data.
Digital ecosystems are driving the digital transformation of business models. Meanwhile, the associated processing of personal data within these complex systems poses challenges to the protection of individual privacy. In this paper, we explore these challenges from the perspective of digital ecosystems' platform providers. To this end, we present the results of an interview study with seven data protection officers representing a total of 12 digital ecosystems in Germany. We identified current and future challenges for the implementation of data protection requirements, covering issues on legal obligations and data subject rights. Our results support stakeholders involved in the implementation of privacy protection measures in digital ecosystems, and form the foundation for future privacy-related studies tailored to the specifics of digital ecosystems.
Graph databases employ graph structures such as nodes, attributes and edges to model and store relationships among data. To access this data, graph query languages (GQL) such as Cypher are typically used, which might be difficult to master for end-users. In the context of relational databases, sequence to SQL models, which translate natural language questions to SQL queries, have been proposed. While these Neural Machine Translation (NMT) models increase the accessibility of relational databases, NMT models for graph databases are not yet available mainly due to the lack of suitable parallel training data. In this short paper we sketch an architecture which enables the generation of synthetic training data for the graph query language Cypher.
We benchmark the robustness of maximum likelihood based uncertainty estimation methods to outliers in training data for regression tasks. Outliers or noisy labels in training data results in degraded performances as well as incorrect estimation of uncertainty. We propose the use of a heavy-tailed distribution (Laplace distribution) to improve the robustness to outliers. This property is evaluated using standard regression benchmarks and on a high-dimensional regression task of monocular depth estimation, both containing outliers. In particular, heavy-tailed distribution based maximum likelihood provides better uncertainty estimates, better separation in uncertainty for out-of-distribution data, as well as better detection of adversarial attacks in the presence of outliers.