Research

Publications

Researchers associated with the Centre have developed a number of new security techniques and tools. A subset is given below. A list of academic publications associated with these and other projects can be found here.

Defeating CAPTCHAs - Jeff Yan and Ahmad Salah El Ahmad

Defeating CAPTCHAs

CAPTCHA is now almost a standard security technology for protecting web sites from being exploited by computers masquerading as users, by requiring that login involves performing an initial task that is readily performed by humans but difficult to automate. The most widely deployed CAPTCHAs are text-based schemes, which typically require users to solve a text recognition task. This work by Jeff Yan and Ahmad Salah El Ahmad produced successful attacks on a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google, and is now being pursued further in collaboration with Microsoft and Yahoo in particular.

Defeating Shoulder Surfers

The touch screen is fast becoming our favourite way to interact with computers, from sleek smartphones to the upcoming tablet PCs. Brightly lit, responsive screens are certainly pleasing to use, but they also make it easier for "shoulder surfers" to spy your secret pass codes. New methods of secure pass-code entry for touch screens aim to tackle the problem. One example of this, called ColorRings, has been developed by Patrick Olivier and Paul Dunphy, along with colleagues David Kim and psychologist Pam Briggs at Northumbria University, also in Newcastle. It is based on the user remembering a sequence of pictorial icons instead of numbers. When entering this code, they are presented with a screen littered with different icons, including their four secret ones. By simply using one or more fingers to drag four different coloured circles - each representing one of four positions in the pass-code sequence - the user positions them so that each encircles the correct icon.

Graphical Passwords Demo

Graphical Passwords

Computer scientists have developed a program that lets users 'draw' their passwords, improving security and bypassing the need to remember sequences of letters and numbers. Dr Jeff Yan and his PhD student Paul Dunphy developed the 'Background Draw a Secret' software, which allows users to draw their secret password as a free-form image on a grid. In tests, the use of pictures instead of letters and numbers was found to be 1,000 times more secure than text passwords and most users found them easy to remember. The technology, developed initially for computers with a touch screen like iPhones, was displayed at the 2008 Royal Society Summer Science Exhibition in London.

Intrusion Tolerance

Paul Ezhilchelvan and Dylan Clarke have developed an approach for intrusion tolerance. The approach, termed as FORTRESS, involves fortifying a fault-tolerant service using proxies that block clients from accessing servers directly, and periodically refreshing proxies and servers with diverse executables generated using code randomization. These two features make it hard for an attacker to compromise a server when no proxy has been compromised.

Non-repudiation Software

Research by Nick Cook created software that safeguards electronic transactions. Using this software, Internet transactions are protected against false claims of users that payments have been made or have not been received. The research was awarded the 2007 ACM EuroSys Roger Needham PhD Award . The research is continuing, taking into account novel software architectures such as Web 2.0 and to establish additional security features for Internet commerce.

PaCTLab Logo

PaCTLab - Promoting Usable and Inclusive Trust, Privacy and Identity Management

Northumbria University Researchers at the Psychology and Communication Technology Lab (PaCTLab) explore the ways in which new communications media affect our everyday interactions and choices. The work they do revolves around three key questions:

  • What makes us trust a message?
  • Why and when do we feel secure in disclosing information?
  • What types of privacy do we seek to protect?

Indicative projects and research outputs are the Teenage project in which PaCTLab explored bullying and betrayal: assessing the ways in which different technologies were associated with different forms of betrayal and asking whether trust is more easily recovered via certain communications media. In the Bodies Online project PaCTLab investigated trust in e-health and developed a set of design guidelines for trust in e-commerce that was reported in a full-page article in The Times. A new 5 year, £2million NIHR funded project has just begun, exploring trust and disclosure around online patient experience.

Secure e-Voting Schemes

Work by Brian Randell in collaboration with Peter Ryan, addressed the problem of providing secure and voter-verifiable voting, while at the same time retaining public understanding of and trust in the system. It was based on Peter's extensive work on the Prêt à Voter scheme.

In general, there are two types of e-voting scheme: decentralised and centralised. A decentralised e-voting system is run by voters themselves. It can provide the theoretical maximum protection on the voter privacy — the voter does not have to trust anyone but himself to preserve the secrecy of the vote. In 2010, Feng Hao, in collaboration with Peter Ryan and Piotr Zielsini, proposed a decentralised e-voting system called Open Vote network. Their proposal is by far the most efficient among the related schemes in terms of the number of rounds, computational load and bandwidth usage.

A centralised e-voting system employs trusted authorities to centrally administrate the election. It can provide better scalability than the decentralised schemes, though at the expense of weaker voter privacy (as the protection is no longer maximum). Feng Hao, in collaboration with Matthew Kreeger, designed a voting system called Direct Record Electronic with Integrity (DRE-i). Their system is the first centralised e-voting system with self-tallying. In other words, unlike other schemes, the DRE-i allows anyone (voter or observer) to verify the tally of the system without depending on trusted computing or tallying authorities involvement. The self-tallying feature makes the DRE-i system much simpler than many other cryptographic voting schemes.

Security in Dynamic Coalitions

Dynamic Coalitions are virtual organisations involving people, organisations and systems that collaborate, usually over a network, towards a common goal. They arise in business and in government, for example to allow multi-agency response to crises such as flooding or a chemical spill, as well as, increasingly, in military operations. In all these cases, the ability to share information in a controlled way is vitally important, though the collaborators may come from very different backgrounds. Research led by Jeremy Bryans and John Fitzgerald in collaboration with colleagues in the UK Defence Science and Technology Laboratory and the chemical engineering industry has developed formal models that help to perform computer-assisted analysis of dynamic coalitions, their changing memberships, structures, information storage and transmission. This work has helped identify deficiencies in security and information flow policies and has enabled domain experts with no knowledge of formal methods to nevertheless evaluate alternative coalition structures and processes in a range of realistic scenarios.

UMA Group

Student-Managed Access to Online Resources

The SMART project develops an online data access management system based on the User-Managed Access (UMA) Web protocol, a newly proposed technology that builds on OAuth V2.0. UMA is in the process of being standardised by the UMA work group (charter of the Kantara Initiative). The project has defined a Higher Education (HE) case study that exemplifies access management requirements for HE applications, implement UMA-based access management solution and evaluate this through a user study. Through this work, the project aims to ensure that HE requirements for access management are taken into consideration early in the standardisation process, and, at the same time, ensure that UK HE continues to be at the forefront of developments in this area.

The project is being developed by Prof. Aad van Moorsel, Maciej Machulak, Lukasz Moren and Chris Franks and is funded by the JISC organisation.

Spam detection

Work led by Jeff Yan on improved methods of signature-based collaborative spam detection (SCSD) a promising solution that addresses many problems facing statistical spam filters, the most widely adopted technology for detecting junk emails. This research significantly decreased the storage space and improved the performance, of two representative SCSD systems.

Trust Economics Interface Draft

Trust Economics

In collaboration with Hewlett-Packard Laboratories in Bristol and Bank of America/Merrill-Lynch in London, researchers in the School of Computing Science are developing a set of tools that make it easier for IT security officers and administrators to make security investment decisions. The tools are based on trust economics, in which human aspects and business priorities are explained through economic principles. This allows security administrators to trade off in an objective manner the various concerns associated with IT security decisions. At Newcastle, a group of students led by Aad van Moorsel and Simon Parkin provides ontology based software tools for IT security. These tools show the user all relevant issues and their associated trust economic impact.