-
Alea-BFT: Practical Asynchronous Byzantine Fault Tolerance
Authors:
Diogo S. Antunes,
Afonso N. Oliveira,
André Breda,
Matheus Guilherme Franco,
Henrique Moniz,
Rodrigo Rodrigues
Abstract:
Traditional Byzantine Fault Tolerance (BFT) state machine replication protocols assume a partial synchrony model, leading to a design where a leader replica drives the protocol and is replaced after a timeout. Recently, we witnessed a surge of asynchronous BFT protocols, which use randomization to remove the need for bounds on message delivery times, making them more resilient to adverse network c…
▽ More
Traditional Byzantine Fault Tolerance (BFT) state machine replication protocols assume a partial synchrony model, leading to a design where a leader replica drives the protocol and is replaced after a timeout. Recently, we witnessed a surge of asynchronous BFT protocols, which use randomization to remove the need for bounds on message delivery times, making them more resilient to adverse network conditions. However, existing research proposals still fall short of gaining practical adoption, plausibly because they are not able to combine good performance with a simple design that can be readily understood and adopted. In this paper, we present Alea-BFT, a simple and highly efficient asynchronous BFT protocol, which is gaining practical adoption, namely in Ethereum distributed validators. Alea-BFT brings the key design insight from classical protocols of concentrating part of the work on a single designated replica and incorporates this principle in a simple two-stage pipelined design, with an efficient broadcast led by the designated replica, followed by an inexpensive binary agreement. The evaluation of our research prototype implementation and two real-world integrations in cryptocurrency ecosystems shows excellent performance, improving on the fastest protocol (Dumbo-NG) in terms of latency and displaying good performance under faults.
△ Less
Submitted 14 July, 2024;
originally announced July 2024.
-
QBER: Quantifying Cyber Risks for Strategic Decisions
Authors:
Muriel Figueredo Franco,
Aiatur Rahaman Mullick,
Santosh Jha
Abstract:
Quantifying cyber risks is essential for organizations to grasp their vulnerability to threats and make informed decisions. However, current approaches still need to work on blending economic viewpoints to provide insightful analysis. To bridge this gap, we introduce QBER approach to offer decision-makers measurable risk metrics. The QBER evaluates losses from cyberattacks, performs detailed risk…
▽ More
Quantifying cyber risks is essential for organizations to grasp their vulnerability to threats and make informed decisions. However, current approaches still need to work on blending economic viewpoints to provide insightful analysis. To bridge this gap, we introduce QBER approach to offer decision-makers measurable risk metrics. The QBER evaluates losses from cyberattacks, performs detailed risk analyses based on existing cybersecurity measures, and provides thorough cost assessments. Our contributions involve outlining cyberattack probabilities and risks, identifying Technical, Economic, and Legal (TEL) impacts, creating a model to gauge impacts, suggesting risk mitigation strategies, and examining trends and challenges in implementing widespread Cyber Risk Quantification (CRQ). The QBER approach serves as a guided approach for organizations to assess risks and strategically invest in cybersecurity.
△ Less
Submitted 6 May, 2024;
originally announced May 2024.
-
QuantTM: Business-Centric Threat Quantification for Risk Management and Cyber Resilience
Authors:
Jan von der Assen,
Muriel F. Franco,
Muyao Dong,
Burkhard Stiller
Abstract:
Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily in…
▽ More
Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security controls, thus supporting the threat analysis and prioritization from an economic perspective. QuantTM comprises an overarching process for data collection and aggregation and a method for business impact analysis. The performance and feasibility of the QuantTM approach are demonstrated in a real-world case study conducted in a Swiss SME to analyze the impacts of threats and economic benefits of security controls. Secondly, it is shown that employing business impact analysis is feasible and that the supporting prototype exhibits great usability.
△ Less
Submitted 21 February, 2024;
originally announced February 2024.
-
RCVaR: an Economic Approach to Estimate Cyberattacks Costs using Data from Industry Reports
Authors:
Muriel Figueredo Franco,
Fabian Künzler,
Jan von der Assen,
Chao Feng,
Burkhard Stiller
Abstract:
Digitization increases business opportunities and the risk of companies being victims of devastating cyberattacks. Therefore, managing risk exposure and cybersecurity strategies is essential for digitized companies that want to survive in competitive markets. However, understanding company-specific risks and quantifying their associated costs is not trivial. Current approaches fail to provide indi…
▽ More
Digitization increases business opportunities and the risk of companies being victims of devastating cyberattacks. Therefore, managing risk exposure and cybersecurity strategies is essential for digitized companies that want to survive in competitive markets. However, understanding company-specific risks and quantifying their associated costs is not trivial. Current approaches fail to provide individualized and quantitative monetary estimations of cybersecurity impacts. Due to limited resources and technical expertise, SMEs and even large companies are affected and struggle to quantify their cyberattack exposure. Therefore, novel approaches must be placed to support the understanding of the financial loss due to cyberattacks. This article introduces the Real Cyber Value at Risk (RCVaR), an economical approach for estimating cybersecurity costs using real-world information from public cybersecurity reports. RCVaR identifies the most significant cyber risk factors from various sources and combines their quantitative results to estimate specific cyberattacks costs for companies. Furthermore, RCVaR extends current methods to achieve cost and risk estimations based on historical real-world data instead of only probability-based simulations. The evaluation of the approach on unseen data shows the accuracy and efficiency of the RCVaR in predicting and managing cyber risks. Thus, it shows that the RCVaR is a valuable addition to cybersecurity planning and risk management processes.
△ Less
Submitted 20 July, 2023;
originally announced July 2023.
-
Traffic Centralization and Digital Sovereignty: An Analysis Under the Lens of DNS Servers
Authors:
Demétrio F. Boeira,
Eder J. Scheid,
Muriel F. Franco,
Luciano Zembruzki,
Lisandro Z. Granville
Abstract:
The Domain Name System (DNS) service is one of the pillars of the Internet. This service allows users to access websites on the Internet through easy-to-remember domain names rather than complex numeric IP addresses. DNS acts as a directory that translates the domain names into a corresponding IP address, allowing communication between computers on different networks. However, the concentration of…
▽ More
The Domain Name System (DNS) service is one of the pillars of the Internet. This service allows users to access websites on the Internet through easy-to-remember domain names rather than complex numeric IP addresses. DNS acts as a directory that translates the domain names into a corresponding IP address, allowing communication between computers on different networks. However, the concentration of DNS service providers on the Internet affects user security, privacy, and network accessibility. The reliance on a small number of large DNS providers can lead to (a) risks of data breaches and disruption of service in the event of failures and (b) concerns about the digital sovereignty of countries regarding DNS hosting. In this sense, this work approaches this issue of DNS concentration on the Internet by presenting a solution to measure DNS hosting centralization and digital sovereignty in countries. With the data obtained through these measurements, relevant questions are answered, such as which are the top-10 DNS providers, if there is DNS centralization, and how dependent countries are on such providers.
△ Less
Submitted 3 July, 2023;
originally announced July 2023.
-
SECAdvisor: a Tool for Cybersecurity Planning using Economic Models
Authors:
Muriel Figueredo Franco,
Christian Omlin,
Oliver Kamer,
Eder John Scheid,
Burkhard Stiller
Abstract:
Cybersecurity planning is challenging for digitized companies that want adequate protection without overspending money. Currently, the lack of investments and perverse economic incentives are the root cause of cyberattacks, which results in several economic impacts on companies worldwide. Therefore, cybersecurity planning has to consider technical and economic dimensions to help companies achieve…
▽ More
Cybersecurity planning is challenging for digitized companies that want adequate protection without overspending money. Currently, the lack of investments and perverse economic incentives are the root cause of cyberattacks, which results in several economic impacts on companies worldwide. Therefore, cybersecurity planning has to consider technical and economic dimensions to help companies achieve a better cybersecurity strategy. This article introduces SECAdvisor, a tool to support cybersecurity planning using economic models. SECAdvisor allows to (a) understand the risks and valuation of different businesses' information, (b) calculate the optimal investment in cybersecurity for a company, (c) receive a recommendation of protections based on the budget available and demands, and (d) compare protection solutions in terms of cost-efficiency. Furthermore, evaluations on usability and real-world training activities performed using SECAdvisor are discussed.
△ Less
Submitted 16 April, 2023;
originally announced April 2023.
-
The Work Avatar Face-Off: Knowledge Worker Preferences for Realism in Meetings
Authors:
Vrushank Phadnis,
Kristin Moore,
Mar Gonzalez Franco
Abstract:
While avatars have grown in popularity in social settings, their use in the workplace is still debatable. We conducted a large-scale survey to evaluate knowledge worker sentiment towards avatars, particularly the effects of realism on their acceptability for work meetings. Our survey of 2509 knowledge workers from multiple countries rated five avatar styles for use by managers, known colleagues an…
▽ More
While avatars have grown in popularity in social settings, their use in the workplace is still debatable. We conducted a large-scale survey to evaluate knowledge worker sentiment towards avatars, particularly the effects of realism on their acceptability for work meetings. Our survey of 2509 knowledge workers from multiple countries rated five avatar styles for use by managers, known colleagues and unknown colleagues.
In all scenarios, participants favored higher realism, but fully realistic avatars were sometimes perceived as uncanny. Less realistic avatars were rated worse when interacting with an unknown colleague or manager, as compared to a known colleague. Avatar acceptability varied by country, with participants from the United States and South Korea rating avatars more favorably. We supplemented our quantitative findings with a thematic analysis of open-ended responses to provide a comprehensive understanding of factors influencing work avatar choices.
In conclusion, our results show that realism had a significant positive correlation with acceptability. Non-realistic avatars were seen as fun and playful, but only suitable for occasional use.
△ Less
Submitted 8 October, 2023; v1 submitted 3 April, 2023;
originally announced April 2023.
-
Context-sensitive neocortical neurons transform the effectiveness and efficiency of neural information processing
Authors:
Ahsan Adeel,
Mario Franco,
Mohsin Raza,
Khubaib Ahmed
Abstract:
Deep learning (DL) has big-data processing capabilities that are as good, or even better, than those of humans in many real-world domains, but at the cost of high energy requirements that may be unsustainable in some applications and of errors, that, though infrequent, can be large. We hypothesise that a fundamental weakness of DL lies in its intrinsic dependence on integrate-and-fire point neuron…
▽ More
Deep learning (DL) has big-data processing capabilities that are as good, or even better, than those of humans in many real-world domains, but at the cost of high energy requirements that may be unsustainable in some applications and of errors, that, though infrequent, can be large. We hypothesise that a fundamental weakness of DL lies in its intrinsic dependence on integrate-and-fire point neurons that maximise information transmission irrespective of whether it is relevant in the current context or not. This leads to unnecessary neural firing and to the feedforward transmission of conflicting messages, which makes learning difficult and processing energy inefficient. Here we show how to circumvent these limitations by mimicking the capabilities of context-sensitive neocortical neurons that receive input from diverse sources as a context to amplify and attenuate the transmission of relevant and irrelevant information, respectively. We demonstrate that a deep network composed of such local processors seeks to maximise agreement between the active neurons, thus restricting the transmission of conflicting information to higher levels and reducing the neural activity required to process large amounts of heterogeneous real-world data. As shown to be far more effective and efficient than current forms of DL, this two-point neuron study offers a possible step-change in transforming the cellular foundations of deep network architectures.
△ Less
Submitted 4 April, 2023; v1 submitted 15 July, 2022;
originally announced July 2022.
-
High-Throughput Virtual Screening of Small Molecule Inhibitors for SARS-CoV-2 Protein Targets with Deep Fusion Models
Authors:
Garrett A. Stevenson,
Derek Jones,
Hyojin Kim,
W. F. Drew Bennett,
Brian J. Bennion,
Monica Borucki,
Feliza Bourguet,
Aidan Epstein,
Magdalena Franco,
Brooke Harmon,
Stewart He,
Max P. Katz,
Daniel Kirshner,
Victoria Lao,
Edmond Y. Lau,
Jacky Lo,
Kevin McLoughlin,
Richard Mosesso,
Deepa K. Murugesh,
Oscar A. Negrete,
Edwin A. Saada,
Brent Segelke,
Maxwell Stefan,
Marisa W. Torres,
Dina Weilhammer
, et al. (7 additional authors not shown)
Abstract:
Structure-based Deep Fusion models were recently shown to outperform several physics- and machine learning-based protein-ligand binding affinity prediction methods. As part of a multi-institutional COVID-19 pandemic response, over 500 million small molecules were computationally screened against four protein structures from the novel coronavirus (SARS-CoV-2), which causes COVID-19. Three enhanceme…
▽ More
Structure-based Deep Fusion models were recently shown to outperform several physics- and machine learning-based protein-ligand binding affinity prediction methods. As part of a multi-institutional COVID-19 pandemic response, over 500 million small molecules were computationally screened against four protein structures from the novel coronavirus (SARS-CoV-2), which causes COVID-19. Three enhancements to Deep Fusion were made in order to evaluate more than 5 billion docked poses on SARS-CoV-2 protein targets. First, the Deep Fusion concept was refined by formulating the architecture as one, coherently backpropagated model (Coherent Fusion) to improve binding-affinity prediction accuracy. Secondly, the model was trained using a distributed, genetic hyper-parameter optimization. Finally, a scalable, high-throughput screening capability was developed to maximize the number of ligands evaluated and expedite the path to experimental evaluation. In this work, we present both the methods developed for machine learning-based high-throughput screening and results from using our computational pipeline to find SARS-CoV-2 inhibitors.
△ Less
Submitted 31 May, 2021; v1 submitted 9 April, 2021;
originally announced April 2021.
-
Proverum: A Hybrid Public Verifiability and Decentralized Identity Management
Authors:
Christian Killer,
Lucas Thorbecke,
Bruno Rodrigues,
Eder Scheid,
Muriel Franco,
Burkhard Stiller
Abstract:
Trust in electoral processes is fundamental for democracies. Further, the identity management of citizen data is crucial, because final tallies cannot be guaranteed without the assurance that every final vote was cast by an eligible voter. In order to establish a basis for a hybrid public verifiability of voting, this work (1) introduces Proverum, an approach combining a private environment based…
▽ More
Trust in electoral processes is fundamental for democracies. Further, the identity management of citizen data is crucial, because final tallies cannot be guaranteed without the assurance that every final vote was cast by an eligible voter. In order to establish a basis for a hybrid public verifiability of voting, this work (1) introduces Proverum, an approach combining a private environment based on private permissioned Distributed Ledgers with a public environment based on public Blockchains, (2) describes the application of the Proverum architecture to the Swiss Remote Postal Voting system, mitigating threats present in the current system, and (3) addresses successfully the decentralized identity management in a federalistic state.
△ Less
Submitted 22 August, 2020;
originally announced August 2020.
-
WeTrace -- A Privacy-preserving Mobile COVID-19 Tracing Approach and Application
Authors:
A. De Carli,
M. Franco,
A. Gassmann,
C. Killer,
B. Rodrigues,
E. Scheid,
D. Schoenbaechler,
B. Stiller
Abstract:
For the protection of people and society against harm and health threats -- especially for the COVID-19 pandemic -- a variety of different disciplines needs to be involved. The data collection of very basic and health-related data of individuals in today's highly mobile society does help to plan, protect, and identify next steps health authorities and governments can, shall, or need to plan for or…
▽ More
For the protection of people and society against harm and health threats -- especially for the COVID-19 pandemic -- a variety of different disciplines needs to be involved. The data collection of very basic and health-related data of individuals in today's highly mobile society does help to plan, protect, and identify next steps health authorities and governments can, shall, or need to plan for or even implement. Thus, every individual, every human, and every inhabitant of the world is the key player -- very different to many past crises'. And since the individual is involved -- all individuals -- his/her (a) health and (b) privacy shall be considered in a very carefully crafted balance, not overruling one aspect with another one or even prioritizing certain aspects. Privacy remains the key. Thus, the solution of the current pandemic's data collection can be based on a fully privacy-preserving application, which can be used by individuals on their mobile devices, such as smartphones, while maintaining at the same time their privacy. Additionally, respective data collected in such a fully distributed setting does help to confine the pandemic and can be achieved in a democratic and very open, but still and especially privacy-protecting world. Therefore, the WeTrace approach and application as described in this paper utilizes the Bluetooth Low Energy (BTE) communication channel, many modern mobile devices offer, where asymmetric cryptography is being applied to allows for the decyphering of a message for that destination it had been intended for. Since literally every other potential participant only listens to random data, even a brute force attack will not succeed. WeTrace and its Open Source implementation is the only known approach so far, which ensures that any receiver of a message knows that this is for him/her, but does not know who the original sender was.
△ Less
Submitted 19 April, 2020;
originally announced April 2020.
-
A Federated Lightweight Authentication Protocol for the Internet of Things
Authors:
Maria L. B. A. Santos,
Jessica C. Carneiro,
Antonio M. R. Franco,
Fernando A. Teixeira,
Marco A. Henriques,
Leonardo B. Oliveira
Abstract:
Considering the world's IoT development and market, it is necessary to guarantee the security of the developed IoT applications as well as the privacy of their end users. In this sense, Federated Identity Management (FIdM) systems can be of great help as they improve user authentication and privacy. In this paper, we claim that traditional FIdM are mostly cumbersome and then ill-suited for IoT. As…
▽ More
Considering the world's IoT development and market, it is necessary to guarantee the security of the developed IoT applications as well as the privacy of their end users. In this sense, Federated Identity Management (FIdM) systems can be of great help as they improve user authentication and privacy. In this paper, we claim that traditional FIdM are mostly cumbersome and then ill-suited for IoT. As a solution to this problem, we come up with a federated identity authentication protocol exclusively tailored to IoT. Federated Lightweight Authentication of Things (FLAT), our solution, replaces weighty protocols and asymmetric cryptographic primitives used in traditional FIdM by lighter ones. For instance, FLAT synergistically combines symmetric cryptosystems and Implicit Certificates. The results show that FLAT can reduce the data exchange overhead by around 31% when compared to a baseline solution. FLAT's Client is also more efficient than the baseline solution in terms of data transmitted, data received, total data exchange, and computation time. Our results indicate that FLAT runs efficiently even on top of resource-constrained devices like Arduino.
△ Less
Submitted 11 July, 2019;
originally announced July 2019.
-
FPGA design of a cdma2000 turbo decoder
Authors:
Maribell Sacanamboy Franco,
Fabio G. Guerrero
Abstract:
This paper presents the FPGA hardware design of a turbo decoder for the cdma2000 standard. The work includes a study and mathematical analysis of the turbo decoding process, based on the MAX-Log-MAP algorithm. Results of decoding for a packet size of two hundred fifty bits are presented, as well as an analysis of area versus performance, and the key variables for hardware design in turbo decoding.
This paper presents the FPGA hardware design of a turbo decoder for the cdma2000 standard. The work includes a study and mathematical analysis of the turbo decoding process, based on the MAX-Log-MAP algorithm. Results of decoding for a packet size of two hundred fifty bits are presented, as well as an analysis of area versus performance, and the key variables for hardware design in turbo decoding.
△ Less
Submitted 23 April, 2014;
originally announced April 2014.