CAREER: Account Security Against Interpersonal Attacks

职业：针对人际攻击的帐户安全

• 批准号: 2339679
• 负责人: Rahul Chatterjee
• 金额: $ 68.64万
• 依托单位: University of Wisconsin-Madison
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2024
• 资助国家: 美国
• 起止时间: 2024-07-01 至 2029-06-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2339679&HistoricalAwards=false
• 关键词: CAREER; Account; Security; Against; Interpersonal

Account security logs are designed by online services to help users detect if there was an unauthorized login to their accounts. However, current account security logs offer unreliable and coarse-grained information for users to differentiate their logins from attackers' logins. Limited data, such as device model and approximate city or province based on IP addresses, can be easily spoofed by attackers, especially in cases of interpersonal attacks. Interpersonal attackers know the victims personally; they may be an intimate partner, family member, friend, or colleague. An interpersonal attacker may live in the same house or town and possess devices with identical models as the victim, making it challenging for victims to conclusively detect unauthorized logins by their attackers. The key problem here is twofold: (a) there is no unique and non-spoofable device identifier that preserves user privacy, and (b) humans and online services identify physical devices differently. In this project, we aim to tackle these issues by developing a framework of device identifiers that can uniquely identify a device while preserving users' privacy and users are able to recognize and associate those ids with their respective physical device, bridging the disconnect between the methods of identifying devices by humans and software.This project is designing, implementing, and evaluating novel ways to improve account security logs to enhance unauthorized login detection. The objectives of the project are to (a) design and implement a protocol for deriving unique yet privacy preserving identifiers of devices; (b) explore methods to familiarize users with such device identifiers without disrupting their user experience, and (c) redesign account security logs to incorporate such identifiers and measure their efficacy in detecting unauthorized logs. The broader impacts of the project include: (1) producing guidelines and engaging with developers of online services to enhance account security mechanisms, (2) deploying unauthorized login detection with Madison Tech Clinic (MTC) and Clinic to End Tech Abuse (CETA) in New York City to support survivors of IA, (3) teaching students about nuanced threat models, like those of IA, and (4) increasing the participation of students from minority backgrounds, such as women and LGBTQ+ students, by providing a space to engage and influence technologies with real-world impact on their lives.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

帐户安全日志由在线服务设计，用于帮助用户检测其帐户是否有未经授权的登录。然而，活期账户安全日志为用户提供了不可靠和粗粒度的信息，以区分他们的登录和攻击者的登录。有限的数据，如设备型号和基于IP地址的大致城市或省份，很容易被攻击者欺骗，特别是在人际攻击的情况下。人际关系攻击者认识受害者本人；他们可能是亲密的伴侣、家庭成员、朋友或同事。人际关系攻击者可能住在同一所房子或城镇，并拥有与受害者型号相同的设备，这使得受害者很难最终检测到攻击者的未经授权登录。这里的关键问题有两个：(A)没有唯一且不可欺骗的设备标识符来保护用户隐私，以及(B)人类和在线服务识别物理设备的方式不同。在这个项目中，我们的目标是通过开发一个设备识别符框架来解决这些问题，该框架可以唯一地识别设备，同时保护用户的隐私，并且用户能够识别这些ID并将其与各自的物理设备相关联，从而弥合人类识别设备的方法和软件之间的脱节。该项目正在设计、实施和评估改进帐户安全日志的新方法，以增强未经授权的登录检测。该项目的目标是：(A)设计和实施一项协议，以得出设备的独特但保护隐私的识别符；(B)探索在不破坏用户体验的情况下使用户熟悉此类设备识别符的方法；以及(C)重新设计账户安全日志，以纳入此类识别符，并衡量其在检测未经授权的日志方面的有效性。该项目的更广泛影响包括：(1)制定指导方针并与在线服务开发商合作，以增强账户安全机制；(2)与纽约市的Madison Tech Clinic(MTC)和Clinic to End Tech Abuse(CETA)一起部署未经授权的登录检测，以支持IA的幸存者；(3)向学生传授微妙的威胁模型，如IA的威胁模型；以及(4)增加少数族裔背景的学生，如女性和LGBTQ+学生的参与，该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。