Sensitive User Data Research Articles

A privacy-preserving framework with multi-modal data for cross-domain recommendation

Cross-domain recommendation (CDR) aims to enhance the recommendation accuracy in a target domain with sparse data by leveraging rich information in a source domain, thereby addressing the data-sparsity problem. Some existing CDR methods highlight the advantages of extracting domain-common and domain-specific features to learn comprehensive user and item representations. However, these methods cannot effectively disentangle these components, as they often rely on simple user-item historical interaction information (such as ratings, clicks, and browsing), neglecting the rich multi-modal features. In addition, they do not protect user-sensitive data from potential leakage during knowledge transfer between domains. To address these challenges, we propose a Privacy-Preserving Framework with Multi-Modal Data for Cross-Domain Recommendation, called P2M2-CDR. Specifically, we first design a multi-modal disentangled encoder that utilizes multi-modal information to disentangle more informative domain-common and domain-specific embeddings. Furthermore, we introduce a privacy-preserving decoder to mitigate user privacy leakage during knowledge transfer. Local differential privacy (LDP) is used to obfuscate disentangled embeddings before the inter-domain exchange, thereby enhancing privacy protection. To ensure both consistency and differentiation among these obfuscated disentangled embeddings, we incorporate contrastive learning-based domain-inter and domain-intra losses. Extensive experiments conducted on six CDR tasks from two real-world datasets demonstrate that P2M2-CDR outperforms other state-of-the-art single- and cross-domain baselines. The code is available at https://github.com/Lili1013/P2M2-CDR.

P-Chain: Towards privacy-aware smart contract using SMPC

Smart contract, as the representative application of blockchain, has recently fueled extensive research interests from both academia and industry. However, with its wide applications, the weaknesses of smart contract have been gradually revealed. The major barrier to the widespread adoption of smart contract involves concerns about on-chain privacy which refers to the details of input/output privacy. To address privacy concerns, we propose in this paper, P-Chain, a privacy-aware framework for smart contracts of permissioned blockchain to protect sensitive data of users based on Secure Multi-party Computation (SMPC). Unlike existing work that suffer several key drawbacks, including introducing a third party who could get the details of the deal, and high overhead for on-chain and off-chain communication, as well as lacking a privacy protection for output data, we enhance the privacy protection for smart contracts system by adding a new secure multi-party computation layer in P-Chain. Through secure multi-party computing, sensitive inputs of smart contracts are divided into multiple sub-inputs and sent to computing participants for operation respectively, which ensures that each participant can only access part of the user’s information. A stochastic strategy based on (t;n) threshold secret sharing to select calculating parties is also been proposed, which makes it difficult for an attacker to aggregate t of n participants for launching a collusive attack. In addition, we propose the output privacy protection method that makes it possible to reach a consensus without the need to know the output. The extensive experimental evaluation and analysis demonstrate that our scheme enjoys the advantages of calculation correctness, input–output privacy as well as anti-collusion.

Integrating Cloud Services with Mobile Applications for Seamless User Experience

In the modern digital era, the integration of cloud services with mobile applications has emerged as a pivotal strategy for delivering a seamless and dynamic user experience. This approach not only enhances the functionality of mobile applications but also ensures that users can access services and data in real-time, regardless of their location. As mobile devices continue to dominate the technology landscape, the demand for responsive, scalable, and user-centric applications has skyrocketed. Cloud services, with their inherent capabilities such as storage, computing power, and advanced analytics, provide the backbone for developing applications that meet these demands. The integration of cloud services with mobile applications offers numerous advantages. It allows for the offloading of heavy computational tasks to cloud servers, thereby preserving the limited processing power and battery life of mobile devices. This capability enables mobile applications to perform complex tasks such as real-time data processing, machine learning inference, and multimedia content rendering without compromising user experience. Additionally, cloud services facilitate the synchronization of data across multiple devices, ensuring that users have consistent access to their data and settings regardless of the device they are using. This is particularly important in scenarios where users switch between devices, such as moving from a smartphone to a tablet or laptop. Moreover, the use of cloud services in mobile applications enhances security and reliability. Cloud providers typically offer robust security features, including data encryption, identity and access management, and continuous monitoring, which are essential for protecting sensitive user data. By leveraging these features, mobile applications can offer a higher level of security than would be feasible with on-device storage and processing. Furthermore, the reliability of cloud services ensures that applications remain available and functional even during peak usage times or when the user is in a location with poor network connectivity. Through techniques such as caching and offline access, cloud-integrated mobile applications can continue to operate smoothly even when real-time access to cloud resources is temporarily unavailable.

Empowering IoT Developers with Privacy-Preserving End-User Development Tools

Internet of Things applications (IoT) have the potential to derive sensitive user data, necessitating adherence to privacy and data protection laws. However, developers often struggle with privacy issues, resulting in personal data misuse. Despite the proposed Privacy by Design (PbD) approach, criticism arises due to its ambiguity and lack of practical tools for educating software engineers. We introduce Canella, an integrated IoT development ecosystem with privacy-preserving components leveraging End-User Development (EUD) tools Blockly@rduino and Node-RED, to help developers build end-to-end IoT applications that prioritize privacy and comply with regulations. It helps developers integrate privacy during the development process and rapid prototyping phases, offering real-time feedback on privacy concerns. We start by conducting a focus group study to explore the applicability of designing and implementing PbD schemes within different development environments. Based on this, we implemented a proof-of-concept prototype of Canella and evaluated it in controlled lab studies with 18 software developers. The findings reveal that developers using Canella created more privacy-preserving applications, gained a deeper understanding of personal data management, and achieved better privacy compliance. Our results also highlight Canella's role in educating and promoting privacy awareness, enhancing productivity, streamlining privacy implementation, and significantly reducing cognitive load. Overall, developers found Canella and its privacy-preserving components useful, easy to use, and easy to learn, which could potentially improve IoT application privacy. Watch the demo video.

An efficient anonymous authentication scheme for blockchain assisted and fog-enabled smart grid

The growing integration of blockchain and fog computing with Smart Grid (SG) technologies highlights the need for strong security protocols, dependable communication channels, and sensitive user data protection. In order to meet the unique needs of SG, this research paper presents a novel and effective anonymous authentication scheme enhanced by fog computing and blockchain. The suggested scheme makes use of blockchain's decentralized structure to strengthen security protocols and ensure user privacy and anonymity within the SG ecosystem. Through the combination of fog computing's low latency benefits and blockchain's immutability, the suggested scheme creates a robust framework for secure authentication. The suggested approach gives considerable weight to reducing computational overhead and optimizing user identity privacy. Through comprehensive analysis, the study highlights the scheme's efficiency concerning authentication speed, resource utilization, and resilience against potential attacks. These results offer an important remedy for the ever-changing landscape of energy management systems and substantially advance the development of safe and privacy-preserving SG architectures.

A Secure Authentication Scheme with Local Differential Privacy in Edge Intelligence-Enabled VANET

Edge intelligence is a technology that integrates edge computing and artificial intelligence to achieve real-time and localized model generation. Thus, users can receive more precise and personalized services in vehicular ad hoc networks (VANETs) using edge intelligence. However, privacy and security challenges still exist, because sensitive data of the vehicle user is necessary for generating a high-accuracy AI model. In this paper, we propose an authentication scheme to preserve the privacy of user data in edge intelligence-enabled VANETs. The proposed scheme can establish a secure communication channel using fuzzy extractor, elliptic curve cryptography (ECC), and physical unclonable function (PUF) technology. The proposed data upload process can provide privacy of the data using local differential privacy and symmetric key encryption. We validate the security robustness of the proposed scheme using informal analysis, the Real-Or-Random (ROR) model, and the Scyther tool. Moreover, we evaluate the computation and communication efficiency of the proposed and related schemes using Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL) software development kit (SDK). We simulate the practical deployment of the proposed scheme using network simulator 3 (NS-3). Our results show that the proposed scheme has a performance improvement of 10∼48% compared to the state-of-the-art research. Thus, we can demonstrate that the proposed scheme provides comprehensive and secure communication for data management in edge intelligence-enabled VANET environments.

Security and Privacy Challenges in Software as a Service (SaaS)

This document In the rapidly evolving landscape of cloud computing, Software as a Service (SaaS) has emerged as a dominant model for delivering software applications over the internet. However, this model introduces significant security and privacy challenges. This research paper delves into these issues, highlighting the unique risks associated with SaaS platforms. The study explores common vulnerabilities such as data breaches, unauthorized access, data loss, and identity theft, which are exacerbated by the centralized nature of SaaS solutions where data is stored on remote servers managed by service providers. To address these challenges, the paper underscores the importance of robust security measures, including encryption, access controls, and secure software development practices. Additionally, it emphasizes the necessity for SaaS providers to adopt advanced privacy protection techniques like data anonymization and differential privacy to meet user expectations and comply with stringent legal regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Through a comprehensive review of literature and analysis of current SaaS security practices, the research identifies critical risks and provides strategic recommendations for enhancing security and privacy in SaaS environments. By integrating multiple layers of security throughout the software development lifecycle, enforcing strict access management protocols, and ensuring compliance with regulatory standards, SaaS providers can significantly mitigate risks and safeguard sensitive user data. The findings of this study highlight the imperative for continuous improvement in SaaS security strategies to keep pace with emerging threats and technological advancements. Ultimately, by prioritizing security and privacy, SaaS providers can not only protect their users but also gain a competitive edge in the increasingly crowded market of cloud services.

Cloud-Based Access Control Including Time and Location

Location-based services (LBS) offer various functionalities, but ensuring secure access to sensitive user data remains a challenge. Traditional access control methods often need more detail to enforce location-specific restrictions. This paper proposes a new approach that utilizes the Generalized Spatio-Temporal Role-Based Access Control Model (GSTRBAC) within the context of LBS. GSTRBAC grants access based on user credentials, authorized locations, and access times, providing a detailed approach to securing LBS data. We introduce an optimized cloud-based GSTRBAC implementation suitable for deployment in modern LBS architectures. The system uses two secure communication protocols tailored to different security requirements. This allows for efficient communication for less-sensitive data while offering robust protection for highly sensitive information. Additionally, a proof-of-concept mobile application demonstrates the system’s functionality and efficiency within an LBS environment. Our evaluation confirms the effectiveness of the cloud-based GSTRBAC implementation in enforcing location-specific access control while maintaining resource and time efficiency.

Development of Mathematical Algorithm for Detecting XSS Attacks on Web Applications

The widespread usage of web applications has led to an increase in security threats, with Cross-Site Scripting (XSS) attacks being one of the most prevalent and damaging. Detecting and mitigating XSS attacks is crucial to ensure the integrity and confidentiality of sensitive user data. This article presents the mathematical algorithm and a way to identify XSS attacks using a bounded function from below, which depends on the input string, and highlights its potential impact in bolstering web application security. To construct this function, we used special characters and keywords that are frequently found in the construction of XSS attacks.

A Survey of Machine Learning in Edge Computing: Techniques, Frameworks, Applications, Issues, and Research Directions

Internet of Things (IoT) devices often operate with limited resources while interacting with users and their environment, generating a wealth of data. Machine learning models interpret such sensor data, enabling accurate predictions and informed decisions. However, the sheer volume of data from billions of devices can overwhelm networks, making traditional cloud data processing inefficient for IoT applications. This paper presents a comprehensive survey of recent advances in models, architectures, hardware, and design requirements for deploying machine learning on low-resource devices at the edge and in cloud networks. Prominent IoT devices tailored to integrate edge intelligence include Raspberry Pi, NVIDIA’s Jetson, Arduino Nano 33 BLE Sense, STM32 Microcontrollers, SparkFun Edge, Google Coral Dev Board, and Beaglebone AI. These devices are boosted with custom AI frameworks, such as TensorFlow Lite, OpenEI, Core ML, Caffe2, and MXNet, to empower ML and DL tasks (e.g., object detection and gesture recognition). Both traditional machine learning (e.g., random forest, logistic regression) and deep learning methods (e.g., ResNet-50, YOLOv4, LSTM) are deployed on devices, distributed edge, and distributed cloud computing. Moreover, we analyzed 1000 recent publications on “ML in IoT” from IEEE Xplore using support vector machine, random forest, and decision tree classifiers to identify emerging topics and application domains. Hot topics included big data, cloud, edge, multimedia, security, privacy, QoS, and activity recognition, while critical domains included industry, healthcare, agriculture, transportation, smart homes and cities, and assisted living. The major challenges hindering the implementation of edge machine learning include encrypting sensitive user data for security and privacy on edge devices, efficiently managing resources of edge nodes through distributed learning architectures, and balancing the energy limitations of edge devices and the energy demands of machine learning.

Security Considerations in iOS App Development: Encryption, Authentication, and Secure Data Storage

Abstract: Security is a paramount concern in iOS app development, as sensitive user data must be protected from unauthorized access and breaches. This scholarly article explores essential security measures, focusing on encryption protocols, authentication mechanisms, and secure data storage techniques specific to iOS platforms. By examining industry-standard encryption algorithms, secure authentication methods, and best practices for data storage, this study aims to provide developers with the knowledge and tools necessary to build robust and resilient iOS applications. Real-world case studies and practical implementation guidelines are presented to illustrate the effective application of these security measures. The findings emphasize the importance of adopting a comprehensive security approach to foster user trust and confidence in mobile applications

AI-powered malware detection with Differential Privacy for zero trust security in Internet of Things networks

The widespread usage of Android-powered devices in the Internet of Things (IoT) makes them susceptible to evolving cybersecurity threats. Most healthcare devices in IoT networks, such as smart watches, smart thermometers, biosensors, and more, are powered by the Android operating system, where preserving the privacy of user-sensitive data is of utmost importance. Detecting Android malware is thus vital for protecting sensitive information and ensuring the reliability of IoT networks. This article focuses on AI-enabled Android malware detection for improving zero trust security in IoT networks, which requires Android applications to be verified and authenticated before providing access to network resources. The zero trust security model requires strict identity verification for every entity trying to access resources on a private network, regardless of whether they are inside or outside the network perimeter. Our proposed solution, DP-RFECV-FNN, an innovative approach to Android malware detection that employs Differential Privacy (DP) within a Feedforward Neural Network (FNN) designed for IoT networks under the zero trust model. By integrating DP, we ensure the confidentiality of data during the detection process, setting a new standard for privacy in cybersecurity solutions. By combining the strengths of DP and zero trust security with the powerful learning capacity of the FNN, DP-RFECV-FNN demonstrates the ability to identify both known and novel malware types and achieves higher accuracy while maintaining strict privacy controls compared with recent papers. DP-RFECV-FNN achieves an accuracy ranging from 97.78% to 99.21% while utilizing static features and 93.49% to 94.36% for dynamic features of Android applications to detect whether it is malware or benign. These results are achieved under varying privacy budgets, ranging from ϵ=0.1 to ϵ=1.0. Furthermore, our proposed feature selection pipeline enables us to outperform the state-of-the-art by significantly reducing the number of selected features and training time while improving accuracy. To the best of our knowledge, this is the first work to categorize Android malware based on both static and dynamic features through a privacy-preserving neural network model.

Content and interaction-based mapping of Reddit posts related to information security

Ensuring the privacy and safety of platform users has become a complex objective due to the emerging threats that surround any type of network, software, and hardware. Scams, malwares, hackers, and security vulnerabilities form the epicenter of cyber threats causing severe damage to the affected systems and sensitive data of users. Thus, users turn to online social networks to report cyber threats, discuss topics of their interest, and obtain knowledge concerning the various perspectives of information security. In this study, we aim to address the concepts of social interactions surrounding information security-related content by retrieving and analyzing Reddit posts from 45 relevant subreddits. In this regard, a word clustering approach is employed, based on the Affinity Propagation algorithm, that leads to the extraction and interpretation of 54 concepts. These concepts are relevant to information security and some more generic areas of interest including social media, software vendors, and labors. Furthermore, to provide a more comprehensive overview of users’ activity in the different Reddit communities/subreddits, a knowledge map associating subreddits and concepts based on their conceptual similarities is also established. The analysis shows that the descriptions of the examined subreddits are strongly related to their underlying concepts. At the same time, the outcomes also assess the conceptual associations between the different subreddits, offering knowledge related to similar and distant communities. Ultimately, two post metrics are utilized to explore how the concepts may impact user interactions. This allows us to differentiate between concepts associated with posts typically endorsed by communities, resulting in increased information exchange (via comments), or contributing as news/announcements. Overall, the findings of this study can be used as a knowledge basis in determining user interests, opinions, perspectives, and responsiveness, when it comes to cyber threats, attacks, and malicious activities. Also, the respective outcomes can contribute as a guide for identifying similar communities/subreddits and themes. Regarding the methodological contributions of this study, the proposed framework can be adapted to similar datasets and research goals as it does not depend on the special characteristics of the imported data, offering, in turn, a practical approach for future research.

The Impact of Artificial Intelligence (AI) on mobile App Development

Artificial Intelligence (AI) has revolutionized the landscape of mobile app development, bringing about transformative changes in functionality, user experience, and capabilities. This paper aims to explore and analyze the impact of AI on mobile app development, highlighting its significant contributions and potential implications. The integration of AI technologies such as machine learning, natural language processing, and computer vision has empowered mobile applications to offer personalized experiences, enhanced decision-making capabilities, and predictive functionalities. AI-driven algorithms enable apps to analyze vast amounts of data, allowing for real-time insights and intelligent responses, thereby optimizing user engagement and satisfaction. Moreover, AI has facilitated the development of innovative features like voice assistants, recommendation systems, and augmented reality experiences, fostering a more intuitive and interactive user interface. These advancements have not only enriched the user experience but also opened new avenues for businesses to better understand their users and tailor services accordingly. However, with these advancements come challenges, including privacy concerns, ethical considerations, and the need for robust security measures to safeguard sensitive user data. As AI-powered mobile apps become more prevalent, it is imperative to address these challenges to ensure responsible and ethical use of AI technologies. This paper examines the evolution of AI in mobile app development, evaluates its impact on user experience and functionality, discusses the challenges and ethical considerations, and provides insights into the future trends and opportunities that AI presents in shaping the landscape of mobile app development. Understanding the profound impact of AI on mobile app development is crucial for developers, businesses, and stakeholders to harness its full potential while navigating the associated challenges responsibly.

Blockchain-Enhanced Privacy Protection in Social Network Research and Applications

While social networks offer users unprecedented convenience and connectivity, they inadvertently risk exposing sensitive user data. To address the juxtaposition of utility and vulnerability, this paper delves into the potential of blockchain technology as a tool for enhancing privacy protection within social networks. By first critiquing the limitations of current protective measures, it becomes clear where traditional methods fall short in counteracting common avenues of privacy breaches. This paves the way for the integration of blockchain technology into the privacy infrastructure of social networks. The paper elucidates the core cryptographic principles underpinning blockchain and, by drawing from real-world applications such as ShoCard, underscores the advantages that this nascent technology brings to the fore. Despite the evident merits, challenges remain, especially as the technology becomes a potential target for advanced cyber-attacks. The incorporation of elements like smart contracts, digital signatures, and decentralized storage manifests blockchain's promise in building a robust digital fortress, safeguarding user privacy. However, as the technology is still in its evolutionary phase, ongoing research must address vulnerabilities and ensure a holistic defense against potential threats.

Security-enhanced firmware management scheme for smart home IoT devices using distributed ledger technologies

With the increase of IoT devices generating large amounts of user-sensitive data, improper firmware harms users’ security and privacy. Latest home appliances are integrated with features to assure compatibility with smart home IoT. However, applying complex security mechanisms to IoT is limited by device hardware capabilities, making them vulnerable to attacks. Such attacks have recently become frequent. To address this issue, we developed a secure verification mechanism for firmware released by the device’s manufacturer. We proposed an IoT gateway for secure firmware verification and updating for smart home IoT devices utilizing the IOTA MAM (Masked Authenticated Messaging) protocol and a distributed file system with IPFS (Inter-Planetary File System) protocol. These two communication protocols ensure decentralized communication and firmware file distribution between the IoT device vendor and the IoT end device. The proposed scheme securely shares latest firmware content over IOTA and IPFS networks, performs a secure firmware update on IoT end devices and ensures authenticity and integrity of the firmware. Two types of validation methods were proposed for firmware updating and validation. We implemented the proposed scheme using three entities, Vendor, IoT gateway, and IoT end device. Our system yielded promising results in performing secure automated firmware updates on IoT end devices with very low computational power. The system’s functionality was implemented using IOTA’s MAM run on Raspberry Pi as an IoT gateway along with an ESP8266 Wi-Fi microcontroller, demonstrating the effectiveness of our approach. Our proposed methodology can be used for secure firmware distribution on home IoT applications.

Research on Blockchain-Enabled Smart Grid for Anti-Theft Electricity Securing Peer-to-Peer Transactions in Modern Grids.

Electricity theft presents a significant financial burden to utility companies globally, amounting to trillions of dollars annually. This pressing issue underscores the need for transformative measures within the electrical grid. Accordingly, our study explores the integration of block chain technology into smart grids to combat electricity theft, improve grid efficiency, and facilitate renewable energy integration. Block chain's core principles of decentralization, transparency, and immutability align seamlessly with the objectives of modernizing power systems and securing transactions within the electricity grid. However, as smart grids advance, they also become more vulnerable to attacks, particularly from smart meters, compared to traditional mechanical meters. Our research aims to introduce an advanced approach to identifying energy theft while prioritizing user privacy, a critical aspect often neglected in existing methodologies that mandate the disclosure of sensitive user data. To achieve this goal, we introduce three distributed algorithms: lower-upper decomposition (LUD), lower-upper decomposition with partial pivoting (LUDP), and optimized LUD composition (OLUD), tailored specifically for peer-to-peer (P2P) computing in smart grids. These algorithms are meticulously crafted to solve linear systems of equations and calculate users' "honesty coefficients," providing a robust mechanism for detecting fraudulent activities. Through extensive simulations, we showcase the efficiency and accuracy of our algorithms in identifying deceitful users while safeguarding data confidentiality. This innovative approach not only bolsters the security of smart grids against energy theft, but also addresses privacy and security concerns inherent in conventional energy-theft detection methods.

A verifiable EVM-based cross-language smart contract implementation scheme for matrix calculation

The wide application of smart contracts allows industry companies to implement some complex distributed collaborative businesses, which involve the calculation of complex functions, such as matrix operations. However, complex functions such as matrix operations are difficult to implement on Ethereum Virtual Machine (EVM)-based smart contract platforms due to their distributed security environment limitations. Existing off-chain methods often result in a significant reduction in contract execution efficiency, thus a platform software development kit interface implementation method has become a feasible way to reduce overheads, but this method cannot verify operation correctness and may leak sensitive user data. To solve the above problems, we propose a verifiable EVM-based smart contract cross-language implementation scheme for complex operations, especially matrix operations, which can guarantee operation correctness and user privacy while ensuring computational efficiency. In this scheme, a verifiable interaction process is designed to verify the computation process and results, and a matrix blinding technology is introduced to protect sensitive user data in the calculation process. The security analysis and performance tests show that the proposed scheme can satisfy the correctness and privacy of the cross-language implementation of smart contracts at a small additional efficiency cost.

Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery

Cross-site request forgery (CSRF) vulnerabilities pose a significant threat to web application security, enabling attackers to execute unauthorized actions on behalf of authenticated users. Conventional CSRF detection methods, such as manual code review and static analysis, are often time-consuming, error-prone, and inefficient. Proposes Mitch, a novel machine learning (ML)-based solution for the black-box detection of CSRF vulnerabilities. Mitch employs supervised learning, trained on a comprehensive dataset of HTTP requests and responses, to effectively identify security-sensitive HTTP requests and uncover CSRF vulnerabilities within them. Rigorous evaluations on a diverse set of real-world web applications demonstrate Mitch's remarkable ability to detect CSRF vulnerabilities with high accuracy, outperforming traditional methods. Mitch's automated nature eliminates the need for manual code review and static analysis, saving time and effort while reducing the risk of human error. Additionally, Mitch's scalability allows seamless integration into continuous integration and continuous delivery (CI/CD) pipelines, enabling continuous security monitoring and vulnerability detection. Mitch's efficacy extends beyond detecting known CSRF vulnerabilities. Its ability to identify patterns and relationships enables it to uncover obscure CSRF vulnerabilities that may have been overlooked by traditional methods, including zero-day vulnerabilities. In conclusion, Mitch emerges as a powerful tool for enhancing web application security, offering a comprehensive and automated solution for detecting CSRF vulnerabilities. Its ability to handle complex web applications, uncover hidden CSRF vulnerabilities, and integrate into CI/CD pipelines makes it an indispensable tool for web security professionals. Mitch's adoption has the potential to significantly reduce the risk of CSRF attacks and safeguard sensitive user data. We propose a methodology to leverage machine learning (ML) for the detection of web application vulnerabilities. We use it in the design of Mitch, the first ML solution for the black-box detection of cross-site request forgery vulnerabilities. Finally, we show the effectiveness of Mitch on real software. In this project, we propose a methodology to leverage Machine Learning (ML) for the detection of web application vulnerabilities. Web applications are particularly challenging to analyses, due to their diversity and the widespread adoption of custom programming practices. ML is thus very helpful for web application security it can take advantage of manually labeled data to bring the human understanding of the web application semantics into automated analysis toolsMitch allowed us to identify 35 new CSRFs on 20 major websites and 3 new CSRFs on production software. Keywords: Mitch, CSRF, CI/CD pipelines, Security Token Service (STS), Same-Origin Policy (SOP).

Privacy-preserving recommendation system based on social relationships

In the era of internet-based data, recommendation systems are crucial for helping users access personalized content and facilitating business promotion and sales. Recommendation systems based on social relationships have gained popularity due to their ability to use social influence and enhance the impact and credibility of recommendations. However, building a successful recommendation system faces the challenge of protecting user data privacy, as it requires a significant amount of sensitive user data. For this challenge, we propose a privacy-preserving recommendation system based on social relationships in the dual-cloud model. To achieve the secure computation of this system, we also design and improve some underlying secure protocols such as secure equality protocol and secure comparison protocol. Our underlying protocol has the advantages of high efficiency and provable security. As a result, our recommendation system can provide excellent recommendations while ensuring privacy protection. Experiments show that our system can perform secure recommendation calculations on 128-bit data with semi-honest security in approximately 5.5 s.