
SPSymposium13: A Report on Symposium of Security and Privacy Practitioners in India

Date of Symposium: Feb 28 - March 2, 2013

Symposium Organizers

Sanjeev Aggarwal, IIT-Kanpur
Ponnurangam Kumaraguru, IIIT-Delhi
Palani Kodeswaran, IBM-IRL

Report Authors

Paridhi Jain, IIIT-Delhi
[email protected]

Sanjeev Aggarwal, IIT-Kanpur
[email protected]

Ponnurangam Kumaraguru, IIIT-Delhi
[email protected]

Date of Report: March 22, 2013

© 2013 SPS. All rights reserved.

Page 2: SPSymposium13: A Report on Symposium of …precog.iiitd.edu.in/events/spsymposium13/sps2013...\Satyamev Jayate" to understand its impact on online social networks and its users. Similar

Contents

1 Introduction

2 Keynotes
  2.1 Secure Programming
  2.2 The Future of Access Control: Attributes, Automation and Adaptation
  2.3 A Semantically Rich Approach to Cybersecurity

3 Session: System Security
  3.1 Software Certification and Attestation
  3.2 Security and Privacy at Scale
  3.3 Emerging Security and Privacy Challenges in a Disruptive Technology Environment

4 Session: Network Security
  4.1 Wireless Vulnerabilities in the Wild: View from the Trenches
  4.2 Peer-to-Peer Network Security
  4.3 Managing BYOD Networks

5 Session: Security in Finance World
  5.1 Information Security Challenges Faced by a Large Financial Services Firm
  5.2 The People Problem in Security of Financial Transactions in India
  5.3 Evolution of Security Standards in Indian Banking Industry

6 Session: Security in Social Media
  6.1 Privacy and Security in Online Social Media
  6.2 Split Personality Malware Detection and Defeating in Popular Virtual Machines

7 Panel Discussion
  7.1 Research in Security and Privacy
  7.2 Education in Security and Privacy

8 Poster Session

9 Discussion and Concluding Remarks

10 Acknowledgement


1 Introduction

Security and privacy have been of interest to a wide research community for about 40 years. Researchers have shifted their focus from exposing security issues in program code and logic to security issues in complex infrastructures such as networks, the cloud and web applications. Privacy practitioners and researchers have been investigating methods to define and preserve privacy, to build privacy-centric systems, and to increase privacy awareness among users. Conferences and summits provide an international platform for discussing such topics and trends; they foster collaboration across academic institutions and industry and facilitate the exchange of ideas. However, no such platform existed within the country to develop an Indian fraternity with a special interest in security and privacy.

The Security and Privacy Symposium was held at the Indian Institute of Technology Kanpur (IIT-Kanpur) during Feb 28 - March 2, 2013. The symposium brought together students, faculty and researchers in India to discuss the latest trends and open challenges in the area of security and privacy. It succeeded in forming an Indian community interested in security and privacy issues and facilitated collaborations across various academic and industrial institutions. Around 111 participants from academia and industry took part. The symposium was organized over three days, with keynotes, focused research discussions on several dimensions (System Security, Network Security, Security in the Finance World and Security in Social Media), and panel discussions. To showcase ongoing research in security and privacy and to allow expert feedback, a three-hour poster session was organized. Posters were pre-selected to favour mature and interesting work with logical conclusions. Talk slides are available at http://www.cse.iitk.ac.in/users/sps2013/agenda.html. All sessions were held in the Outreach Auditorium, IIT-Kanpur, and accommodation was arranged in the Visitor's Hostel.

2 Keynotes

2.1 Secure Programming

Speaker: Matt Bishop, University of California at Davis

Matt Bishop presented a keynote talk on secure programming styles for creating fault-tolerant and safe code. Dr. Bishop motivated his talk by highlighting his concerns about traditional programming styles that do not incorporate security by design. A system programmer makes assumptions while defining the logic, inputs, outputs and accessibility of the code. Invalid assumptions about the trustworthiness of input and output parameters, and about user authenticity, may expose vulnerabilities leading to plausible attacks. He suggested four venues in which to look for such vulnerabilities: network servers, local servers, shared resources and clients. Each of these venues assumes characteristics of an authenticated and authorized user and of the input and output parameters; however, the assumptions are weak and loose and can easily be exploited by an attacker. For instance, a user accessing a shared resource from an authenticated IP address is assumed to be a valid user, yet an IP address can be forged by an attacker to pose as an authenticated user and gain access to the shared resource. He therefore suggested a set of principles to avoid such vulnerabilities, e.g. sanity checks on parameters, restricted authorizations, etc. Apart from knowing one's assumptions, he emphasized not trusting system calls and library functions blindly. Library functions and system calls are samples of code written by unknown coders who may have followed different secure design principles; vulnerabilities present in pre-defined libraries can make one's own code insecure.
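The following is an added illustration of the "check your assumptions" principle described above; it is not code from the talk. It models a hypothetical shared-resource handler in which identity comes from a session token rather than the caller's IP address, the file-name parameter is sanity-checked before it reaches the filesystem, and authorization is deny-by-default. The share root, session table and authorization table are constructed for the example.

```python
"""Parameter sanity checks at a trust boundary (added example, not from the talk)."""
import hmac
import posixpath
import re

SHARE_ROOT = "/srv/share"  # assumed shared-resource directory (hypothetical)

# Only plain names: no slashes, no leading dot, bounded length.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Constructed session table (token -> user) and per-user authorization table.
# A real server issues tokens at login; they stand in here for "user authenticity".
SESSIONS = {"tok-alice-7f3a": "alice"}
AUTHORIZED = {"alice": {"report.txt", "notes.md"}}


def resolve_share_path(name: str) -> str:
    """Map a client-supplied name onto SHARE_ROOT, rejecting anything that
    could escape it: NUL bytes, traversal, absolute paths, odd characters."""
    if "\x00" in name or not NAME_RE.fullmatch(name):
        raise ValueError("invalid file name")
    candidate = posixpath.normpath(posixpath.join(SHARE_ROOT, name))
    # Belt and braces: even if the name regex were loosened later, the
    # resolved path must still lie inside the share root.
    if posixpath.commonpath([SHARE_ROOT, candidate]) != SHARE_ROOT:
        raise ValueError("path escapes share root")
    return candidate


def authenticate(token: str) -> str:
    """Identity comes from a session token, not from the caller's IP address."""
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return user
    raise PermissionError("unknown session")


def serve(token: str, name: str) -> dict:
    """Deny-by-default handler: every assumption is checked explicitly.
    Returns a result dict instead of raising, so callers can log the reason."""
    try:
        user = authenticate(token)
        path = resolve_share_path(name)
    except (PermissionError, ValueError) as exc:
        return {"ok": False, "reason": str(exc)}
    if name not in AUTHORIZED.get(user, set()):
        return {"ok": False, "reason": "not authorized for this file"}
    return {"ok": True, "path": path}  # a real handler would now open(path)


if __name__ == "__main__":
    for tok, nm in [("tok-alice-7f3a", "report.txt"), ("tok-alice-7f3a", "../etc/passwd"),
                    ("bogus", "report.txt"), ("tok-alice-7f3a", "secret.txt")]:
        print(tok, nm, "->", serve(tok, nm))
```

Each rejection names the assumption that failed (identity, parameter shape, authorization), which is what you want in a server log when hunting for the weak assumptions the talk warns about.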

Dr. Bishop further emphasized instilling secure programming styles while teaching beginner-level program logic and code to security students and practitioners. Internships, advanced courses and workshops are a good medium to encourage not only students but also researchers to learn secure programming tools, he suggested.

2.2 The Future of Access Control: Attributes, Automation and Adaptation

Speaker: Ravi Sandhu, University of Texas, San Antonio

Ravi Sandhu discussed his ideas on a specific assumption a coder makes, i.e. who is an authenticated and authorized user allowed to consume restricted resources, as introduced by Matt Bishop in his keynote talk. Dr. Sandhu discussed the evolution of authentication and authorization schemes (access control) based on defined rules or attributes of the user. Starting from Discretionary Access Control (DAC), where the owner of the information controls who can access it, and Mandatory Access Control (MAC), where the system administration controls who can access it, researchers now focus on more automated access control methods, leading to Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), where the role or attributes of a user determine access to a resource. He argued that research is now moving towards flexible, automated and adaptive access control mechanisms rather than fixed, human-driven and non-adaptive ones. The success stories of ABAC point to scope for research in devising policy-based ABAC schemes that are also resilient to fake authorization attempts by an attacker. He argued that no cyber security system can ever be fully secure, but it can be secure "enough"; a security practitioner therefore has to decide where to balance good functionality against sufficient security.
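As an added example (not the speaker's code), the small policy evaluator below shows how the DAC and RBAC models in the talk become special cases of ABAC: an ownership rule and a role rule sit alongside a rule that also reads an environment attribute, so the same subject is permitted or denied as that attribute changes over time. Subjects, the record and the attribute names are constructed for the example; the evaluator denies by default.

```python
"""Attribute-based access control with deny-by-default rules (added example)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: dict          # attributes of the requesting user
    resource: dict         # attributes of the object being accessed
    action: str
    env: dict = field(default_factory=dict)   # environment attributes (time, risk, ...)


# Each rule is (name, predicate). A request is permitted if any rule matches.
POLICY = [
    # DAC as an attribute rule: the owner controls their own record.
    ("dac-owner", lambda r: r.subject["id"] == r.resource["owner"]),
    # RBAC as an attribute rule: the auditor role may read anything.
    ("rbac-auditor-read",
     lambda r: r.action == "read" and "auditor" in r.subject["roles"]),
    # Full ABAC: department, clearance and an environment attribute together.
    ("abac-dept-write-on-shift",
     lambda r: r.action == "write"
     and r.subject["dept"] == r.resource["dept"]
     and r.subject["clearance"] >= r.resource["sensitivity"]
     and r.env.get("on_shift", False)),
]


def decide(req: Request) -> tuple:
    """Return (permit, name of the matching rule or None). Deny by default."""
    for name, pred in POLICY:
        try:
            if pred(req):
                return True, name
        except KeyError:
            continue   # a missing attribute makes the rule not applicable, never a permit
    return False, None


# Constructed sample data.
ALICE = {"id": "u1", "roles": ["analyst"], "dept": "fraud", "clearance": 3}
BOB = {"id": "u2", "roles": ["auditor"], "dept": "ops", "clearance": 1}
CAROL = {"id": "u3", "roles": ["analyst"], "dept": "fraud", "clearance": 3}
RECORD = {"id": "case-42", "owner": "u1", "dept": "fraud", "sensitivity": 2}


def demo() -> list:
    """The same request from Carol flips as the environment attribute changes."""
    return [
        decide(Request(ALICE, RECORD, "write")),                     # owner
        decide(Request(BOB, RECORD, "read")),                        # role
        decide(Request(BOB, RECORD, "write", {"on_shift": True})),   # wrong dept
        decide(Request(CAROL, RECORD, "write", {"on_shift": True})), # adaptive: on shift
        decide(Request(CAROL, RECORD, "write", {"on_shift": False})),# adaptive: off shift
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Keeping attribute lookups inside the predicate and mapping a `KeyError` to "not applicable" is the detail that matters in practice: a forged or missing attribute must never turn into a permit.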

2.3 A Semantically Rich Approach to Cybersecurity

Speaker: Anupam Joshi, University of Maryland, Baltimore County

Anupam Joshi presented his views on how semantic knowledge can be used to address privacy and security issues. He argued that security and privacy issues are not limited to one's own system, network or enterprise; they are a concern of national security, be it espionage or a malware hit. He emphasized that solutions built to address security and privacy concerns must take input from multiple disciplines, since cybersecurity spans law, psychology, sociology, computer science, politics, etc. As an expert on semantics, he noted that a semantically rich approach, in which the basic assumptions of a security and privacy system are explicitly stated in an organized language, can help derive better reasoning, alerts and services for the community. Some of the interesting research domains he discussed that use semantic knowledge are intrusion detection (integrating multiple sensors and resources into a knowledge base and drawing inferences from it to raise alerts), context-aware privacy sharing (designing inference rules for the multiple contexts in which location is shared), and privacy-preserving information integration (implementing policies that govern inferences in order to control the collation of private information). He suggested that semantically rich approaches have so far been successful in creating better, context-aware systems, and that such approaches can be further applied to other security domains.

Figure 1: Dr. Joshi talking about semantic based approach to security and privacy issues.

3 Session: System Security

In this session, researchers talked about methods to preserve and enhance the security of a variety of systems, from embedded systems to network servers. Speakers discussed open research problems and challenges in the system security domain, and motivated research in these areas.

3.1 Software Certification and Attestation

Speaker: Rajat Moona, C-DAC India

Rajat Moona presented his ideas on software certification and attestation. Software certification refers to the process of validating that software satisfies its functional requirements and does not contain any malicious code. Software attestation refers to the process of validating whether the software running on an embedded device is the certified software. In his talk he explained that, since it is hard to retrieve the software running on an embedded device and read its memory contents, software attestation faces major challenges. Researchers have devised heuristic approaches to software attestation, for instance byte-by-byte comparison of the reference (certified) software with the running software, comparison of challenge responses, comparison of the time taken to respond to a challenge, etc. Dr. Moona argued that even though naive software attestation schemes have been proposed, there is a huge opportunity to devise better formal and focused solutions for software attestation and verification.
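To make the heuristics above concrete, here is an added example (not Dr. Moona's scheme) that combines two of them: a challenge-response check, where the device must hash a fresh nonce together with its running image and the verifier compares the answer against the certified reference image, and a time-to-respond bound, which rejects an answer that arrives too late even if it is correct. The "firmware" image, the simulated device and the time budget are constructed for the example.

```python
"""Challenge-response software attestation with a timing bound (added example)."""
import hashlib
import hmac
import os
import time

# Constructed "certified firmware" image (16 KiB) held by the verifier.
REFERENCE_IMAGE = bytes(range(256)) * 64


class Device:
    """Simulated embedded device. `delay` models a slow or proxied responder."""

    def __init__(self, image: bytes, delay: float = 0.0):
        self.image = image
        self.delay = delay

    def respond(self, nonce: bytes) -> bytes:
        time.sleep(self.delay)
        # The device must hash the nonce together with its own running image.
        return hashlib.sha256(nonce + self.image).digest()


def attest(device: Device, reference: bytes = REFERENCE_IMAGE,
           max_rtt: float = 0.25, nonce: bytes = b"") -> dict:
    """Verifier side: fresh nonce, expected digest from the reference image,
    constant-time comparison, and a round-trip time budget (assumed value)."""
    nonce = nonce or os.urandom(16)      # fresh per run: a stored answer is useless
    expected = hashlib.sha256(nonce + reference).digest()
    start = time.perf_counter()
    answer = device.respond(nonce)
    elapsed = time.perf_counter() - start
    image_ok = hmac.compare_digest(answer, expected)
    timing_ok = elapsed <= max_rtt
    return {"image_ok": image_ok, "timing_ok": timing_ok,
            "attested": image_ok and timing_ok, "elapsed": elapsed}


if __name__ == "__main__":
    genuine = Device(REFERENCE_IMAGE)
    tampered = Device(REFERENCE_IMAGE[:-1] + b"\x00")   # one byte changed
    proxied = Device(REFERENCE_IMAGE, delay=0.6)         # right image, too slow
    for label, dev in [("genuine", genuine), ("tampered", tampered), ("proxied", proxied)]:
        print(label, attest(dev))
```

Note what each check buys: the nonce defeats a device that merely replays a stored hash of the certified image, and the timing bound is what the talk's "time to respond" heuristic adds on top, catching a responder that forwards the challenge elsewhere to obtain the right answer. Neither check proves the device is not also running something else, which is the gap the talk's call for formal solutions points at.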


3.2 Security and Privacy at Scale

Speaker: Geetanjali Sampemane, Google USA

Geetanjali Sampemane shared her thoughts on security and privacy issues in large-scale web services such as the cloud. Over the last few years the cloud has become immensely popular among users, since it offers large-scale data storage, sharing and processing that is accessible anywhere and at any time. Dr. Sampemane explained that although cloud-based services are popular, they are increasingly becoming a target for sophisticated attackers. Because of the huge amount of user data on the cloud, attackers keep attacking such services to gain access to users' data and to hinder the normal functioning of cloud services. In response, she discussed the need for secure user authentication mechanisms. Passwords were introduced for user authentication, but they have failed to provide secure authentication, since users choose easy-to-remember passwords, which are also easy for attackers or automated methods to guess. Further, to help with forgotten passwords, cloud-based services have introduced password recovery mechanisms, which are again vulnerable to attack, since easy hints for guessing the password may leak the password itself. To avoid that, two-step authentication and device-based authentication have been proposed. Dr. Sampemane emphasized her opinion that there is immense scope for understanding and experimenting with new approaches to user authentication, in order to get rid of passwords completely. She argued repeatedly that the challenge lies not in building secure systems but in building "usable" secure systems. She also mentioned other threats to cloud-based services: network attacks, malware distribution, insecure web apps and insider attacks. Fast and robust mechanisms that work at the scale of a cloud service are the need of the hour, she concluded.

3.3 Emerging Security and Privacy Challenges in a Disruptive Technology Environment

Speaker: Arvind Benegal, Persistent System, India

Arvind Benegal talked about the latest trends in the security and privacy domain. He mentioned that cloud computing, mobility, social collaboration and big data are the major emerging domains, which demand rigorous research efforts. He argued that research in this domain should be timely and should have real-world impact. He quoted an example in which his team analyzed the Indian TV show "Satyamev Jayate" to understand its impact on online social networks and their users. Beyond such research scenarios, he mentioned tremendous scope in life sciences, marketing, media, etc.

4 Session: Network Security

In this session, speakers discussed various security challenges in wireless, wired and peer-to-peer networks, and in BYOD. We summarize each talk below.

4.1 Wireless Vulnerabilities in the Wild: View from the Trenches

Speaker: Deepak Gupta, AirTight Networks, India


Deepak Gupta spoke on wireless network vulnerabilities, specifically in enterprise networks. With the overwhelming increase in the use of WiFi devices over the last few years, threats related to insecure WiFi connections, rogue access points and attackers' intrusions into authorized enterprise networks have been a concern for IT security professionals. He suggested three measures for detecting and ranking such threats, to understand which threat is the most common and the most lethal: threat presence, threat duration and threat likelihood. Threat presence checks which threats are present in the enterprise wireless network. A survey of IT security professionals suggests that rogue APs and client extrusions are the most common threats present in an enterprise network. Dr. Gupta pointed out that about 70% of the access points (APs) visible within enterprise networks are rogue, and about 87% of the clients accessing enterprise access points are unauthorized or malicious, making them major threats to enterprise data security. Most of these threats have a duration ranging from a few minutes to days, and the short life of such threats makes them difficult to detect, he noted. About 20% of the rogue APs, out of the 70% present in the network, were found to be malicious. The high frequency of client extrusions made them the most common threat. He emphasized the open research challenge of detecting the presence of such threats within a limited amount of time, and argued that detection methods should take into account the likelihood or frequency of such attacks. Detection methods are followed by mitigation methods: Dr. Gupta suggested mitigating wireless threats by applying defense-in-depth security mechanisms, disallowing external connections, allowing remote access only via VPN, cleaning up clients' connection profiles, etc. He concluded by stating that researchers should now focus on devising safer methods for accessing wireless functionality.
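The three measures above (presence, duration, likelihood) can be computed from a wireless sensor log. The block below is an added example, not AirTight's product logic: it parses a constructed log of threat up/down events, derives the three measures per threat type, flags threat types whose typical lifetime is short enough to slip past an infrequent scan, and ranks them by likelihood. The log format, the threat type names and the 10-minute "short-lived" threshold are assumptions of the example.

```python
"""Ranking wireless threats by presence, duration and likelihood (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sensor log: one line per state change of a detected threat.
LOG = """\
2013-02-28T08:00:00 type=misconfigured_ap id=M-1 state=up
2013-02-28T09:00:00 type=rogue_ap id=AP-1 state=up
2013-02-28T09:05:00 type=rogue_ap id=AP-1 state=down
2013-02-28T10:00:00 type=client_extrusion id=C-1 state=up
2013-02-28T10:02:00 type=client_extrusion id=C-1 state=down
2013-02-28T11:00:00 type=client_extrusion id=C-2 state=up
2013-02-28T11:01:00 type=client_extrusion id=C-2 state=down
2013-03-01T09:30:00 type=client_extrusion id=C-3 state=up
2013-03-01T09:33:00 type=client_extrusion id=C-3 state=down
2013-03-01T14:00:00 type=rogue_ap id=AP-2 state=up
2013-03-01T16:00:00 type=client_extrusion id=C-4 state=up
2013-03-01T16:04:00 type=client_extrusion id=C-4 state=down
2013-03-01T20:00:00 type=rogue_ap id=AP-2 state=down
"""

SHORT_LIVED_S = 600   # assumed: threats gone within 10 minutes are easy to miss


def parse(log: str) -> list:
    """Return (timestamp, threat type, instance id, state) tuples."""
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        fields = dict(part.split("=", 1) for part in kv)
        events.append((datetime.fromisoformat(ts), fields["type"], fields["id"], fields["state"]))
    return events


def summarize(log: str, window_days: float) -> dict:
    """Per threat type: presence (instances), duration (mean seconds),
    likelihood (instances per observed day) and a short-lived flag."""
    events = parse(log)
    end = max(ts for ts, *_ in events)
    opened, durations = {}, defaultdict(list)
    for ts, ttype, tid, state in events:
        key = (ttype, tid)
        if state == "up":
            opened[key] = ts
        elif key in opened:
            durations[ttype].append((ts - opened.pop(key)).total_seconds())
    # Instances still up at the end of the log count up to the last observation.
    for (ttype, _tid), ts in opened.items():
        durations[ttype].append((end - ts).total_seconds())
    summary = {}
    for ttype, ds in durations.items():
        mean = sum(ds) / len(ds)
        summary[ttype] = {
            "instances": len(ds),                # presence
            "mean_duration_s": mean,             # duration
            "per_day": len(ds) / window_days,    # likelihood
            "short_lived": mean < SHORT_LIVED_S,
        }
    return summary


def rank(summary: dict) -> list:
    """Most likely (then most present) threat type first."""
    return sorted(summary, key=lambda t: (summary[t]["per_day"], summary[t]["instances"]),
                  reverse=True)


if __name__ == "__main__":
    s = summarize(LOG, window_days=2)
    for ttype in rank(s):
        print(ttype, s[ttype])
```

On the constructed log the ranking puts client extrusions first on likelihood while also flagging them as short-lived, which is the combination the talk singles out: the most frequent threat is also the one a slow scan cycle is most likely to miss, so the detection interval, not just the detector, is part of the design.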

4.2 Peer-to-Peer Network Security

Speaker: Chittaranjan Hota, BITS Hyderabad, India

Moving from wireless threats and vulnerabilities in an enterprise network, Chittaranjan Hota presented a talk on generic (wired or wireless) peer-to-peer network security. He motivated his ideas by highlighting the growth of Internet-based services (e.g. the cloud) accessed via varied terminals (desktop systems, mobiles, embedded systems). With the growth of data shared by users on Internet-based services, peer-to-peer networks have become popular as a way to avoid the storage cost of redundant data on servers and to provide a platform for requesting and sharing information anytime and anywhere. The flip side is that peer-to-peer networks have become a target for attacks too, such as file pollution (sharing malicious files on P2P networks), index pollution (tampering with the index of routers to direct requests to a polluted peer), fake blocks (serving fake blocks of information via compromised peers), and distributed denial-of-service (repeated file requests by malicious peers to a targeted server or peer). Dr. Hota noted that detection and prevention of such attacks is an interesting research area to pursue. He suggested that such attacks can be avoided by implementing better trust management schemes in P2P networks, to disallow any tampering with data, requests or network usage by unauthorized and untrustworthy users.

4.3 Managing BYOD networks

Speaker: Raghu Iyer, Nevis Networks, India


Raghu Iyer presented his talk on an emerging security and privacy threat to enterprises: BYOD, short for Bring Your Own Device. It is an emerging trend in which employees of an enterprise or organization are allowed to bring their personal devices into their workplace and access corporate data on them. BYOD benefits employees, in terms of less overhead from carrying multiple devices, flexible working hours and places, and working in the environments they are most comfortable with, and employers, in terms of lower device support costs, increased productivity and better access to employees. However, BYOD has its own risks too. It invites the leakage of private and corporate data (secrets), may lead to violation of intellectual property rights through stolen information, may allow intrusive or rogue software to penetrate the enterprise's safe network and then percolate to bring down the enterprise infrastructure, and demands better support for multiple devices, incurring higher support costs for the enterprise. Looking at both benefits and risks, he suggested building a plan for BYOD adoption. He proposed a solution architecture comprising the following modules: registration portals, device registration via certificates, periodic authentication, access regulation, and traffic monitoring and regulation. He discussed each of these modules in detail and concluded with a suggestion that researchers contribute to making such frameworks more concrete, secure and usable and validate them in an enterprise setting.

5 Session: Security in Finance World

In this session, speakers discussed open security challenges faced by banking and enterprise firms.

5.1 Information Security Challenges Faced by a Large Financial Services Firm

Speaker: Gaurav Gupta, Goldman Sachs, India

Gaurav Gupta highlighted the major security threats and challenges in a financial firm. He motivated his talk by mentioning recent attacks on large enterprises and discussed the level of sophistication each attack carried. Over the last decade, the trend has shifted to launching more sophisticated and persistent attacks rather than traditional quick-access attacks. Such sophisticated attacks are unknown to the defending systems, and therefore the attacks succeed. Enterprises and financial firms mainly face advanced persistent threats and malware, ease of attack via boundless networks, better distributed denial-of-service attacks, and a lack of adaptive security intelligence. Dr. Gupta discussed that threats and malware are becoming ever more sophisticated and therefore harder to detect. Advanced malware and threats give no answers to the questions of "first break-in", "penetration" and "behavior", thereby hindering the development of mitigation methods. Further, the distribution network of such malware is varied, ranging from the enterprise network to cloud, social and mobile networks. To mitigate such threats at the entry level, security professionals should monitor traffic on a daily basis to avoid full-fledged attacks, block unintended traffic, log everything for later analysis, develop better visualization techniques to monitor threat outbreaks and anomalies, and develop scalable security solutions to meet the needs of the future.

5.2 The People Problem in Security of Financial Transactions in India

Speaker: Nandkumar Saravade, Citi Security and Investigative Services, India


Like other speakers, Nandkumar Saravade spoke about the threats and vulnerabilities introduced by the growth of the Internet and the penetration of mobile devices, but in the context of banking firms. He mentioned that online banking transactions are popular not only among users but also among attackers. The number of banking frauds has increased tremendously over time. The cost of such frauds is multi-fold: direct loss (loss of money, time, etc.), indirect loss (loss of trust, business, etc.) and defense cost (the cost of education, security infrastructure, remedies, etc.). Defense costs are inevitable for banking firms (or enterprise firms, as discussed by Gaurav Gupta and Deepak Gupta); however, the speaker argued that the cost of imparting security education to users can be saved, since the benefit is low and restricted to those who would fall victim. He suggested a centralized security infrastructure incorporating several checkpoints, restricted banking operations and multiple authentications, but with the least possible involvement of people, to ensure "secure by default" banking.

5.3 Evolution of Security Standards in Indian Banking Industry

Speaker: V Radha, IDRBT, India

V Radha presented her views on the evolution of security mechanisms and standards in the banking industry, following on from the earlier speaker Nandkumar Saravade. She described the measures the banking industry used to deploy, deploys at present, and should deploy in future. Previously, security audits, CISA certifications and training programs on security were introduced to detect and avoid security flaws in the banking industry. Presently, apart from regular audits and training programs, professionals have suggested and designed mobile banking and Internet banking security guidelines to allow safe banking transactions. She insisted on strengthening weak security protocols, reviewing software (compulsory source code reviews), monitoring unauthorized access, implementing multi-stage user authentication to avoid tampering and spoofing, integrating passwords with the domain to avoid phishing attacks, designing new payment protocols, etc. She emphasized that if technical staff and bank users are made aware of such attacks through education, they will be better able to safeguard themselves. In future, there is a huge need for security experts in banks to deploy better technical security prototypes.

6 Session: Security in Social Media

This session covered security and privacy issues in online social media. Online social media is a relatively new domain, in which users connect to other users and share a variety of information. It is increasingly becoming a platform for users' sensitive and confidential information, malware distribution, social engineering attacks and more. In this session, speakers highlighted each of these security issues and discussed major defenses against such attacks.

6.1 Privacy and Security in Online Social Media

Speaker: Ponnurangam Kumaraguru, IIIT-Delhi, India

Ponnurangam Kumaraguru discussed a few security and privacy research problems that are difficult yet important in the context of online social networks. He talked about three major research problems: credibility measurement on online social networks (especially Twitter), privacy breaches via open government data, and measuring the privacy perceptions of users in India. Motivating each research problem and its solution in detail, he emphasized that the tools built out of each piece of research are important for making users understand the implications of security and privacy breaches as well as for giving them mechanisms to safeguard themselves. He showed demos of two of the three projects he discussed: Twit-digest and OCEAN. Twit-digest gives users the capability of knowing what has been said about a topic on Twitter, who is talking about it, who the influencers are, the geographical distribution of users and tweets, the credibility of tweets, and more. OCEAN collates data from open-government websites in India to demonstrate that specific and sensitive details about a person can be learned, e.g. family tree, address, PAN card number, phone number, etc. Some of this critical information is needed to open, alter and close bank accounts, for instance, and so any such information being leaked (or publicly available) may invite damaging consequences. Further, he highlighted measurements of users' privacy perceptions in India. He showed that 27% of the social network users included in the measurement accept friend requests from the opposite gender even when they don't know the person, and 42% of social network users believe that since they have set their privacy settings, there cannot be any privacy breach. Dr. Kumaraguru highlighted that such user perceptions allow privacy leaks and invite security threats. He emphasized that legal bills and privacy-preserving systems for India must take such perceptions into account, rather than copying Western models of privacy and reasoning.

6.2 Split Personality Malware Detection and Defeating in Popular Virtual Machines

Speaker: Alwyn Roshan Pais, NITK, India

Alwyn Roshan Pais discussed techniques to detect malware in a software system. Security practitioners use virtual machine (VM) environments to detect malware, so as to avoid running the malicious code on the actual system. However, attackers have devised sophisticated malware that can detect a VM environment, recognize a testing scenario, and therefore stop its malicious behavior and behave normally. Such malware is termed split-personality malware. Dr. Pais discussed a focused technique to detect split-personality malware and developed a tool named "VMwareDetect". However, he mentioned that the domain of detecting specialized and sophisticated malware in a passive virtual environment is yet to be explored.

7 Panel Discussion

7.1 Research in Security and Privacy

Panelists: Ravi Sandhu, Matt Bishop, Anand Kashyap, Nandkumar Saravade, Raghu Iyer
Convenor: Ponnurangam Kumaraguru, IIIT-Delhi

Experienced panelists were asked to provide their insights and opinions on the most exciting and most timely research topics in the security and privacy domain that students, researchers and faculty should look at, the opportunities students and researchers should look for to produce high-quality research, and the ways to translate research into usable and deployable tools. The major research challenges in the security and privacy domain highlighted by the panelists are:


• Effective mechanisms to decide if a system is secure “enough”.

• Methods to implement and deploy attribute-based access control in real time and manage attributes that change with time.

• Effective anomaly, probe and intrusion detection in real-time.

• Effective formal methods to detect vulnerabilities.

• Effective network management and usage with BYOD devices.

• Building "Defense-in-Depth" security mechanisms rather than perimeter security mechanisms.

• Modeling privacy expectations, and vulnerabilities of systems.

• Investigation of disaster and rumor attacks in online social networks.

• Investigation of trends in online social media.

• Examining security mechanisms for the bottom of the pyramid (e.g. IT adoption by the non-English-speaking community, voting machines).

Most panelists suggested looking for opportunities in industry and government to work with them on live projects and live data, to get a sense of real-world security threats and attacks, an understanding of which can help in building better mitigation methods. Communication with researchers in other disciplines further helps in developing methods that incorporate feedback from varied perspectives, thereby producing good research. Panelists suggested that user-centric systems should include users at all stages of research, starting from framing the research problem. This makes the research outcomes more impactful, trustworthy and generic, and helps in developing more usable systems out of the research outcomes. Panelists proposed that research should be translated into deployable tools by making easy but practical assumptions.

7.2 Education in Security and Privacy

Panelists: Anupam Joshi, Matt Bishop, Chittaranjan Hota, V Radha
Convenor: H Karnick, IIT Kanpur

To discuss how to improve and promote security and privacy education in academic institutions and industrial training programs, panelists suggested designing courses that first expose learners to real-time demonstrations of security attacks (e.g., within the institution's own premises) and to methods of safeguarding themselves from such attacks, then teach the theory of such attacks, and then mitigation and prevention methods. Students often forget that end-users should be able to make sense of the security systems developed to mitigate and detect attacks, and should therefore be taught the usability aspects of security and privacy systems. Further, offering a course to a class with students from different majors helps in understanding security and privacy practices from different viewpoints. Students must be exposed to the legal and ethical aspects of security and privacy practices, e.g. the IT Act 2004 / 2008, and must constantly be encouraged to keep themselves aware of new incidents of such attacks across the globe. Beginners should be taught secure programming styles along with basic programming styles. Apart from students, teachers and faculty should also be educated in cyber-hygiene, and they should revisit the courses they teach with an added dimension of security and privacy. To promote security and privacy education, institutions should start specialized programs in security and privacy, e.g. a Master's in Security, a Master's in Privacy, etc.

8 Poster Session

A poster session was organized at the symposium to allow expert feedback and evaluation of the research work being done by students, researchers and faculty in the domain of security and privacy (see Figure 2). Each poster went through a review filter to be a part of the symposium. Posters which showed the highest impact, comprehensive analysis and deep understanding of the area were given the best poster awards; they were evaluated by a four-member committee comprising Anupam Joshi, Ravi Sandhu, NandKumar Saravade and Geetanjali Sampemane. Following is the list of the posters presented at SPSymposium 2013, with best poster awards mentioned. Poster abstracts are available at http://www.cse.iitk.ac.in/users/sps2013/submitting.html.

1. A Crowdsourcing and Data Mining-based System for Content Tagging

2. A New Framework for Privacy Preserving Secure Data Aggregation in Wireless Sensor Networks

3. A Novel Privacy Preserving Game Theoretic Repeated Rational Secret Sharing Scheme for Distributed Data Mining

4. A Secured and Authenticated Message Passing Interface for Distributed Clusters

5. An Application for secure calling in mobile communication

6. ChaMAILeon: Usable email sharing like never before!

7. Client Side Forensics Investigation of Google Services

8. Collaborative Model for Privacy Preservation and Data Integrity Verification in Cloud Computing

9. Combined Approach to prevent XSS Attacks and SQL injection

10. Comparative Analysis of Anomaly Based and Signature Based Intrusion Detection Systems Using PHAD and Snort

11. Current Status of Information Security for Electronic Health Record Services in India

12. Detection of Repackaged Smartphone Applications On Android

13. ECBEC: Erasure Coding Block Encryption using Cryptography

14. Finding Nemo: Entity Search and Resolution in Online Social Networks

15. Flash of Two Worlds

16. Flow Based Aspect Oriented Continuous Monitoring Methodology for Cloud Applications

17. Harnessing Specifications to Identify Security Issues


18. Hey Tweet!!! Where You Came From

19. Investigating the Approaches for improving the Ciphertext Policy Attribute Based Encryption schemes

20. Language Based Security for Smartphones

21. Mining CFG as API Call-grams to Detect Portable Executable Malware [Best Poster - 2]

22. OCEAN: Open source Collation of eGovernment data and Networks [Best Poster - 1]

23. P2P Traffic classification for Intrusion Detection Systems

24. Pinterest: Case study on a picturesque network

25. Privacy Preserving Distributed K-Means Clustering in Malicious Model

26. Privacy Preserving Packet Anonymization in P2P Realm

27. Security Verification Using Crowd Sourcing

28. U2P2: Understanding User Privacy Perceptions [Best Poster - 3]

29. VHDL Implementation of AES Algorithm

30. VHDL Implementation of Twofish Algorithm

Figure 2: Poster session at Outreach auditorium, IIT-Kanpur

Students and researchers were further evaluated on the basis of their participation level in the symposium. A committee of x members awarded Niharika Sachdeva (IIIT-Delhi), Paridhi Jain (IIIT-Delhi) and Ashish Mishra (IISc Bangalore) on the basis of their interaction with other students and speakers at the symposium, their interactions during the sessions and the quality of the questions they raised.


9 Discussion and Concluding Remarks

The Symposium on Security and Privacy brought together students, faculty and researchers from various parts of the country to discuss security and privacy threats growing in the online world. Speakers motivated the research gaps and directions to work on to provide better security infrastructures and tools; panel discussions emphasized the need for inter-disciplinary and academic collaborations and for education mechanisms that impart focused knowledge to learners; and the poster session allowed presenters to take home valuable feedback on their work and improve it further. Further, a consensus on holding such events again, once or twice a year, was put forward. In the meantime, researchers were encouraged to keep building better security and privacy mechanisms to satisfy the needs of the present as well as of the future.

10 Acknowledgement

The symposium would not have been successful without the student and faculty volunteers who participated in everything from website design to logistics arrangements at IIT-Kanpur. We would like to thank the volunteers from IIT-Kanpur – Navpreet Singh, Kamlesh Tiwari, Aditya Nigam, Tejas Gandhi, Sumit Kalra, Vinay Rawal, Ajay Kumar, Akshay Kabra, Jayesh Choudhari, Shahbaz Khan – for taking care of the logistics and local arrangements at IIT-Kanpur, and the volunteers from IIIT-Delhi – Niharika Sachdeva, Prateek Dewan, Anupama Aggarwal, Paridhi Jain – for taking care of the technical organization of the workshop and the volunteers. Special thanks to the Prabhu Goel Research Centre for Computer & Internet Security and the Research-I Foundation at IIT-Kanpur for supporting the symposium.
