Hossein Siadati

We describe a preference-based authentication scheme in which both security and usability of previous approaches are dramatically improved upon. We report on experimental findings supporting a false negative rate on the order (For precise estimates of error rates, large-scale testing is necessary.) of 0.9% and a false positive rate on the order of 0.5% for a choice of parameters that result in a registration time of 100 s and an authentication time of 40 s.

User reported experiences and opinions are used by peers to make decisions about where to go and what to buy. Unfortunately, not all users or opinions are honest. Many opinions are fabricated and may be submitted by automated systems or by people who are recruited by businesses and search engine optimizers to write good reviews. Such reviews and ratings are called spam reviews. These are misleading for users and troublesome for honest businesses. While most cur- rent efforts to tackle this problem are focused on spam review detection, in this paper we focused on detecting authentic and valuable reviews for a front-end application that reorders the reviews. In this manner, we have identified several features based upon the content of the reviews as well as identifying behavioral features of reviewers to pinpoint useful reviews with 80% accuracy.

Android Pattern, form of graphical passwords used on Android smartphones, is widely adopted by users. In theory, Android Pattern is more secure than a 5-digit PIN scheme. Users’ graphical passwords, however, are known to be very skewed. They often include predictable shapes (e.g., Z and N), biases in selection of starting point, and predictable sequences of the points that make them easy to guess. In practice, this decreases the security of Android Pattern to that of a 3-digit PIN scheme for at least half of the users. In this paper, we effectively increase the strength of Android Patterns by using a persuasive security framework, a set of principles to get users to behave more securely. Using these principles, we have designed two user interfaces that persuade users to choose stronger patterns. One of the user interfaces is called BLINK, where the starting point of the pattern is suggested to user, effectively nudging her to create a pattern with a significantly less predictable starting point. The other user interface is called EPSM, where the system gives continuous feedback to user while she is creating a new pattern, effectively persuading her to create a complex pattern. Security and usability of our proposed designs evaluated by conducting a user study on 270 participants recruited from Amazon MTurk demonstrated that while only 49% of subjects choose strong patterns in Android Pattern user interface, our suggested designs increase it to 60% in BLINK and 77% in EPSM version.

Phishing is an increasing web attack both in volume and techniques sophistication. Blacklists are used to resist this type of attack, but fail to make their lists up- to-date. This paper proposes a new technique and architecture for a blacklist generator that maintains an up-to-date blacklist of phishing sites. When a page claims that it belongs to a given company, the company's name is searched in a powerful search engine like Google. The domain of the page is then compared with the domain of each of the Google's top- 10 searched results. If a matching domain is found, the page is considered as a legitimate page, and otherwise as a phishing site. Preliminary evaluation of our technique has shown an accuracy of 91% in detecting legitimate pages and 100% in detecting phishing sites.