The Information Security and Privacy (ISP) Group

• Dr Ian Wood
• Dr Nardine Basta
• Dr Ben Zhao

• Shashie Dilhara, PhD candidate
• Zeeshan Zulkifl Shah, PhD candidate
• Muhammad Salman, PhD candidate
• Budi Sentana, PhD candidate
• Hina Qayyum, PhD candidate
• Michal Kepkowski, PhD candidate

The drive to share datasets is gaining momentum owing to its potential benefits to businesses and the community alike. Despite its appeal, sharing datasets, especially when they contain sensitive information about individuals, has serious privacy implications such as the risk of being able to link information to specific individuals, and hence learning sensitive information. Our approach for privacy-preserving access to data is to rely on mathematically rigorous notions of privacy such as differential privacy. These notions provide a formal privacy guarantee that successfully addresses the conundrum of learning nothing about an individual while learning useful trends from the dataset.

Research papers:

• Asghar, H.J., Ding, M., Rakotoarivelo, T., Mrabet, S. and Kaafar, M.A., 2018. Differentially Private Release of High-Dimensional Datasets using the Gaussian Copula. Manyscript.
• Kamalaruban, P., Perrier, V., Asghar, H.J. and Kaafar, M.A., 2018. dx-Private Mechanisms for Linear Queries. Manuscript.
• Perrier, V., Asghar, H.J. and Kaafar, M.A., 2018. Improved Private Release of Real Time Statistics. Accepted for publication at NDSS 2019.
• Friedman, A., Berkovsky, S. and Kaafar, M.A., 2016. A differential privacy framework for matrix factorization recommender systems. User Modeling and User-Adapted Interaction, 26(5), pp.425-458.

Our online presence and participation leaves digital footprints behind which can be used in a variety of ways to compromise our privacy. It also leaves us vulnerable to security issues under the hood. This project aims to (a) detect personal information sent to third parties, (b) identify new instances of user tracking, (c) assessing vulnerabilities in security protocols, and (d) developing alternative solutions that enhance web security and privacy.

Research papers:

• Masood, R., Vatsalan, D., Ikram, M. and Kaafar, M.A., 2018, April. Incognito: A Method for Obfuscating Web Data. In Proceedings of the 2018 World Wide Web Conference on World Wide Web (pp. 267-276). International World Wide Web Conferences Steering Committee.
• Masood, R., Zhao, B.Z.H., Asghar, H.J. and Kaafar, M.A., 2018. Touch and You’re Trapp (ck) ed: Quantifying the Uniqueness of Touch Gestures for Tracking. Proceedings on Privacy Enhancing Technologies, 2018(2), pp.122-142.
• Ikram, M., Asghar, H.J., Kaafar, M.A., Mahanti, A. and Krishnamurthy, B., 2017. Towards seamless tracking-free web: Improved detection of trackers via one-class learning. Proceedings on Privacy Enhancing Technologies, 2017(1), pp.79-99.

Millions of users worldwide resort to mobile Ad-Blocking apps to block third-party tracking and ads services as well as use VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. However, are Ad-Blocking apps efficient and VPN services trustworthy? Do they guarantee user’s privacy or instead compromise it? We illuminate on these questions by build tools for collecting and analyzing source codes of mobile Ad-Blocking apps and VPN clients as well as inspect their runtime dynamic behaviours.

Research papers:

• Ikram, M., Vallina-Rodriguez, N., Seneviratne, S., Kaafar, M.A. and Paxson, V., 2016, November. An analysis of the privacy and security risks of android VPN permission-enabled apps. In Proceedings of the 2016 Internet Measurement Conference (pp. 349-364). ACM.
• Ikram, M. and Kaafar, M.A., 2017, October. A First Look at Mobile Ad-Blocking Apps. In 2017 IEEE 16th International Symposium on Network Computing and Applications (NCA) (pp. 1-8). IEEE.

Can we have a provably observation-resistant user authentication scheme that is as usable as password-based authentication? The next generation of authentication systems aims to overcome the security issues in password-based systems, such as susceptibility to shoulder-surfing and difficulty to memorise strong passwords, by using alternative modes and means for authentication. These include authentication via behavioural biometrics and authentication relying on human cognitive abilities.

Research Papers (recent):

• Asghar, H.J. and Kaafar, M.A., 2017. When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack. Journal of Mathematical Cryptology, 11(3), pp.177-194.
• Chauhan, J., Zhao, B.Z.H., Asghar, H.J., Chan, J. and Kaafar, M.A., 2017, April. BehavioCog: An Observation Resistant Authentication Scheme. In International Conference on Financial Cryptography and Data Security (pp. 39-58). Springer, Cham.
• Chauhan, J., Asghar, H.J., Mahanti, A. and Kaafar, M.A., 2016, June. Gesture-based continuous authentication for wearable devices: The smart glasses use case. In International Conference on Applied Cryptography and Network Security (pp. 648-665). Springer, Cham.
• Asghar, H.J., Steinfeld, R., Li, S., Kaafar, M.A. and Pieprzyk, J., 2015. On the linearization of human identification protocols: Attacks based on linear algebra, coding theory, and lattices. IEEE Transactions on Information Forensics and Security, 10(8), pp.1643-1655.

Internet of Things (IoT) devices are resource constrained having low memory, communication and computational power. Lightweight security and cryptographic protocols are beneficial for such devices as they free up resources for other functionalities and potentially increase the life time of these battery-powered devices. This project aims at constructing lightweight security protocols using new cryptographic primitives with applications for IoT devices.

Research Papers:

• Monteiro, M., Kahatapitiya, K., Asghar, H.J., Thilakarathna, K., Rakotoarivelo, T., Kaafar, M.A., Li, S., Pieprzyk, J. and Steinfeld, R., 2018. Foxtail+: A New Identification Protocol for Resource Constrained Devices. Manuscript.