Showing 1–9 of 9 results for author: Shirvanian, M

Compact: Approximating Complex Activation Functions for Secure Computation

Authors: Mazharul Islam, Sunpreet S. Arora, Rahul Chatterjee, Peter Rindal, Maliheh Shirvanian

Abstract: Secure multi-party computation (MPC) techniques can be used to provide data privacy when users query deep neural network (DNN) models hosted on a public cloud. State-of-the-art MPC techniques can be directly leveraged for DNN models that use simple activation functions such as ReLU. However, these techniques are ineffective and/or inefficient for the complex and highly non-linear activation functi… ▽ More Secure multi-party computation (MPC) techniques can be used to provide data privacy when users query deep neural network (DNN) models hosted on a public cloud. State-of-the-art MPC techniques can be directly leveraged for DNN models that use simple activation functions such as ReLU. However, these techniques are ineffective and/or inefficient for the complex and highly non-linear activation functions used in cutting-edge DNN models. We present Compact, which produces piece-wise polynomial approximations of complex AFs to enable their efficient use with state-of-the-art MPC techniques. Compact neither requires nor imposes any restriction on model training and results in near-identical model accuracy. To achieve this, we design Compact with input density awareness and use an application-specific simulated annealing type optimization to generate computationally more efficient approximations of complex AFs. We extensively evaluate Compact on four different machine-learning tasks with DNN architectures that use popular complex AFs silu, gelu, and mish. Our experimental results show that Compact incurs negligible accuracy loss while being 2x-5x computationally more efficient than state-of-the-art approaches for DNN models with large number of hidden layers. Our work accelerates easy adoption of MPC techniques to provide user data privacy even when the queried DNN models consist of a number of hidden layers and trained over complex AFs. △ Less

Submitted 17 March, 2024; v1 submitted 8 September, 2023; originally announced September 2023.

Comments: Accepted to Proceedings on Privacy Enhancing Technologies (PoPETs)

How Interactions Influence Users' Security Perception of Virtual Reality Authentication?

Authors: Jingjie Li, Sunpreet Singh Arora, Kassem Fawaz, Younghyun Kim, Can Liu, Sebastian Meiser, Mohsen Minaei, Maliheh Shirvanian, Kim Wagner

Abstract: Users readily embrace the rapid advancements in virtual reality (VR) technology within various everyday contexts, such as gaming, social interactions, shopping, and commerce. In order to facilitate transactions and payments, VR systems require access to sensitive user data and assets, which consequently necessitates user authentication. However, there exists a limited understanding regarding how u… ▽ More Users readily embrace the rapid advancements in virtual reality (VR) technology within various everyday contexts, such as gaming, social interactions, shopping, and commerce. In order to facilitate transactions and payments, VR systems require access to sensitive user data and assets, which consequently necessitates user authentication. However, there exists a limited understanding regarding how users' unique experiences in VR contribute to their perception of security. In our study, we adopt a research approach known as ``technology probe'' to investigate this question. Specifically, we have designed probes that explore the authentication process in VR, aiming to elicit responses from participants from multiple perspectives. These probes were seamlessly integrated into the routine payment system of a VR game, thereby establishing an organic study environment. Through qualitative analysis, we uncover the interplay between participants' interaction experiences and their security perception. Remarkably, despite encountering unique challenges in usability during VR interactions, our participants found the intuitive virtualized authentication process beneficial and thoroughly enjoyed the immersive nature of VR. Furthermore, we observe how these interaction experiences influence participants' ability to transfer their pre-existing understanding of authentication into VR, resulting in a discrepancy in perceived security. Moreover, we identify users' conflicting expectations, encompassing their desire for an enjoyable VR experience alongside the assurance of secure VR authentication. Building upon our findings, we propose recommendations aimed at addressing these expectations and alleviating potential conflicts. △ Less

Submitted 3 June, 2023; v1 submitted 20 March, 2023; originally announced March 2023.

"Tell me, how do you know it's me?" Expectations of security and personalization measures for smart speaker applications

Authors: Maliheh Shirvanian, Sebastian Meiser

Abstract: Voice-controlled smart speaker devices have gained a foothold in many modern households. Their prevalence combined with their intrusion into core private spheres of life has motivated research on security and privacy intrusions, especially those performed by third-party applications used on such devices. In this work, we take a closer look at such third-party applications from a less pessimistic a… ▽ More Voice-controlled smart speaker devices have gained a foothold in many modern households. Their prevalence combined with their intrusion into core private spheres of life has motivated research on security and privacy intrusions, especially those performed by third-party applications used on such devices. In this work, we take a closer look at such third-party applications from a less pessimistic angle: we consider their potential to provide personalized and secure capabilities and investigate measures to authenticate users (``PIN'', ``Voice authentication'', ``Notification'', and presence of ``Nearby devices''). To this end, we asked 100 participants to evaluate 15 application categories and 51 apps with a wide range of functions. The central questions we explored focused on: users' preferences for security and personalization for different categories of apps; the preferred security and personalization measures for different apps; and the preferred frequency of the respective measure. After an initial pilot study, we focused primarily on 7 categories of apps for which security and personalization are reported to be important; those include the three crucial categories finance, bills, and shopping. We found that ``Voice authentication'', while not currently employed by the apps we studied, is a highly popular measure to achieve security and personalization. Many participants were open to exploring combinations of security measures to increase the protection of highly relevant apps. Here, the combination of ``PIN'' and ``Voice authentication'' was clearly the most desired one. This finding indicates systems that seamlessly combine ``Voice authentication'' with other measures might be a good candidate for future work. △ Less

Submitted 4 December, 2022; originally announced December 2022.

Privacy-Preserving Application-to-Application Authentication Using Dynamic Runtime Behaviors

Authors: Mihai Christodorescu, Maliheh Shirvanian, Shams Zawoad

Abstract: Application authentication is typically performed using some form of secret credentials such as cryptographic keys, passwords, or API keys. Since clients are responsible for securely storing and managing the keys, this approach is vulnerable to attacks on clients. Similarly a centrally managed key store is also susceptible to various attacks and if compromised, can leak credentials. To resolve suc… ▽ More Application authentication is typically performed using some form of secret credentials such as cryptographic keys, passwords, or API keys. Since clients are responsible for securely storing and managing the keys, this approach is vulnerable to attacks on clients. Similarly a centrally managed key store is also susceptible to various attacks and if compromised, can leak credentials. To resolve such issues, we propose an application authentication, where we rely on unique and distinguishable application's behavior to lock the key during a setup phase and unlock it for authentication. Our system add a fuzzy-extractor layer on top of current credential authentication systems. During a key enrollment process, the application's behavioral data collected from various sensors in the network are used to hide the credential key. The fuzzy extractor releases the key to the server if the application's behavior during the authentication matches the one collected during the enrollment, with some noise tolerance. We designed the system, analyzed its security, and implemented and evaluated it using 10 real-life applications deployed in our network. Our security analysis shows that the system is secure against client compromise, vault compromise, and feature observation. The evaluation shows the scheme can achieve 0 percent False Accept Rate with an average False Rejection Rate 14 percent and takes about 51 ms to successfully authenticate a client. In light of these promising results, we expect our system to be of practical use, since its deployment requires zero to minimal changes on the server. △ Less

Submitted 23 November, 2022; originally announced November 2022.

2D-2FA: A New Dimension in Two-Factor Authentication

Authors: Maliheh Shirvanian, Shashank Agrawal

Abstract: We propose a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability issues in existing methods. 2D-2FA has three distinguishing features: First, after a user enters a username and password on a login terminal, a unique $\textit{identifier}$ is displayed to her. She $\textit{inputs}$ the same identifier on her registered 2FA device, which ensures appropriate engag… ▽ More We propose a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability issues in existing methods. 2D-2FA has three distinguishing features: First, after a user enters a username and password on a login terminal, a unique $\textit{identifier}$ is displayed to her. She $\textit{inputs}$ the same identifier on her registered 2FA device, which ensures appropriate engagement in the authentication process. Second, a one-time PIN is computed on the device and $\textit{automatically}$ transferred to the server. Thus, the PIN can have very high entropy, making guessing attacks infeasible. Third, the identifier is also incorporated into the PIN computation, which renders $\textit{concurrent attacks}$ ineffective. Third-party services such as push-notification providers and 2FA service providers, do not need to be trusted for the security of the system. The choice of identifiers depends on the device form factor and the context. Users could choose to draw patterns, capture QR codes, etc. We provide a proof of concept implementation, and evaluate performance, accuracy, and usability of the system. We show that the system offers a lower error rate (about half) and better efficiency (2-3 times faster) compared to the commonly used PIN-2FA. Our study indicates a high level of usability with a SUS of 75, and a high perception of efficiency, security, accuracy, and adoptability. △ Less

Submitted 29 October, 2021; originally announced October 2021.

Comments: In the proceedings of Annual Computer Security Applications Conference (ACSAC) 2021

PASSAT: Single Password Authenticated Secret-Shared Intrusion-Tolerant Storage with Server Transparency

Authors: Kiavash Satvat, Maliheh Shirvanian, Nitesh Saxena

Abstract: In this paper, we introduce PASSAT, a practical system to boost the security assurance delivered by the current cloud architecture without requiring any changes or cooperation from the cloud service providers. PASSAT is an application transparent to the cloud servers that allows users to securely and efficiently store and access their files stored on public cloud storage based on a single master p… ▽ More In this paper, we introduce PASSAT, a practical system to boost the security assurance delivered by the current cloud architecture without requiring any changes or cooperation from the cloud service providers. PASSAT is an application transparent to the cloud servers that allows users to securely and efficiently store and access their files stored on public cloud storage based on a single master password. Using a fast and light-weight XOR secret sharing scheme, PASSAT secret-shares users' files and distributes them among n publicly available cloud platforms. To access the files, PASSAT communicates with any k out of n cloud platforms to receive the shares and runs a secret-sharing reconstruction algorithm to recover the files. An attacker (insider or outsider) who compromises or colludes with less than k platforms cannot learn the user's files or modify the files stealthily. To authenticate the user to multiple cloud platforms, PASSAT crucially stores the authentication credentials, specific to each platform on a password manager, protected under the user's master password. Upon requesting access to files, the user enters the password to unlock the vault and fetches the authentication tokens using which PASSAT can interact with cloud storage. Our instantiation of PASSAT based on (2, 3)-XOR secret sharing of Kurihara et al., implemented with three popular storage providers, namely, Google Drive, Box, and Dropbox, confirms that our approach can efficiently enhance the confidentiality, integrity, and availability of the stored files with no changes on the servers. △ Less

Submitted 26 February, 2021; originally announced February 2021.

Practical Speech Re-use Prevention in Voice-driven Services

Authors: Yangyong Zhang, Maliheh Shirvanian, Sunpreet S. Arora, Jianwei Huang, Guofei Gu

Abstract: Voice-driven services (VDS) are being used in a variety of applications ranging from smart home control to payments using digital assistants. The input to such services is often captured via an open voice channel, e.g., using a microphone, in an unsupervised setting. One of the key operational security requirements in such setting is the freshness of the input speech. We present AEOLUS, a security… ▽ More Voice-driven services (VDS) are being used in a variety of applications ranging from smart home control to payments using digital assistants. The input to such services is often captured via an open voice channel, e.g., using a microphone, in an unsupervised setting. One of the key operational security requirements in such setting is the freshness of the input speech. We present AEOLUS, a security overlay that proactively embeds a dynamic acoustic nonce at the time of user interaction, and detects the presence of the embedded nonce in the recorded speech to ensure freshness. We demonstrate that acoustic nonce can (i) be reliably embedded and retrieved, and (ii) be non-disruptive (and even imperceptible) to a VDS user. Optimal parameters (acoustic nonce's operating frequency, amplitude, and bitrate) are determined for (i) and (ii) from a practical perspective. Experimental results show that AEOLUS yields 0.5% FRR at 0% FAR for speech re-use prevention upto a distance of 4 meters in three real-world environments with different background noise levels. We also conduct a user study with 120 participants, which shows that the acoustic nonce does not degrade overall user experience for 94.16% of speech samples, on average, in these environments. AEOLUS can therefore be used in practice to prevent speech re-use and ensure the freshness of speech input. △ Less

Submitted 12 January, 2021; originally announced January 2021.

Camouflaged with Size: A Case Study of Espionage using Acquirable Single-Board Computers

Authors: Kiavash Satvat, Mahshid Hosseini, Maliheh Shirvanian

Abstract: Single-Board Computers (SBC) refer to pocket-sized computers built on a single circuit board. A number of studies have explored the use of these highly popular devices in a variety of domains, including military, agriculture, healthcare, and more. However, no attempt was made to signify possible security risks that misuse of these devices may bring to organizations. In this study, we perform a ser… ▽ More Single-Board Computers (SBC) refer to pocket-sized computers built on a single circuit board. A number of studies have explored the use of these highly popular devices in a variety of domains, including military, agriculture, healthcare, and more. However, no attempt was made to signify possible security risks that misuse of these devices may bring to organizations. In this study, we perform a series of experiments to validate the possibility of using SBCs as an espionage gadget. We show how an attacker can turn a Raspberry Pi device to an attacking gadget and benefit from short-term physical access to attach the gadget to the network in order to access unauthorized data or perform other malicious activities. We then provide experimental results of placing such tools in two real-world networks. Given the small size of SBCs, traditional physical security measures deployed in organizations may not be sufficient to detect and restrict the entrance of SBCs to their premises. Therefore, we reiterate possible directions for network administrators to deploy defensive mechanisms for detecting and preventing such attacks. △ Less

Submitted 11 September, 2018; originally announced September 2018.

Comments: accepted in netcom 2018

On the Pitfalls of End-to-End Encrypted Communications: A Study of Remote Key-Fingerprint Verification

Authors: Maliheh Shirvanian, Nitesh Saxena, Jesvin James George

Abstract: Many widely used Internet messaging and calling apps, such as WhatsApp, Viber, Telegram, and Signal, have deployed an end-to-end encryption functionality. To defeat potential MITM attackers against the key exchange protocol, the approach relies on users to perform a code verification task whereby each user must compare the code (a fingerprint of the cryptographic keys) computed by her app with the… ▽ More Many widely used Internet messaging and calling apps, such as WhatsApp, Viber, Telegram, and Signal, have deployed an end-to-end encryption functionality. To defeat potential MITM attackers against the key exchange protocol, the approach relies on users to perform a code verification task whereby each user must compare the code (a fingerprint of the cryptographic keys) computed by her app with the one computed by the other user's app and reject the session if the two do not match. In this paper, we study the security and usability of this human-centered code verification task for a setting where the end users are remotely located, and compare it as a baseline to a less frequent scenario where the users are in close proximity. We consider several variations of the code presentation and verification methods, incorporated into representative real-world apps, including codes encoded as numbers or images, displayed on the screen, and verbally spoken by the users. We perform a human factors study in a lab setting to quantify the security and usability of these different methods. Our study results expose key weaknesses in the security and usability of the code verification methods employed in the apps. First, we show that most code verification methods offer poor security (high false accepts) and low usability (high false rejects and low user experience ratings) in the remote setting. Second, we demonstrate that, security and usability under the remote code verification setting is significantly lower than that in the proximity setting. We attribute this result to the increased cognitive overhead associated with comparing the codes across two apps on the same device (remote setting) rather than across two devices (proximity setting). Overall, our work serves to highlight a serious vulnerability of Internet-based communication apps in the remote setting stemming from human errors. △ Less

Submitted 17 July, 2017; originally announced July 2017.