Amr Youssef's research while affiliated with Engineering Institute of Canada and other places


Publications (176)


Fig. 1: Transformer Model Architecture [19].
Enhancing Power Quality Event Classification with AI Transformer Models
  • Conference Paper
  • Full-text available

July 2024 · 179 Reads · Amr Youssef · [...]

Recently, there has been a growing interest in utilizing machine learning for accurate classification of power quality events (PQEs). However, most of these studies are performed assuming an ideal situation, while in reality, we can have measurement noise, DC offset, and variations in the voltage signal's amplitude and frequency. Building on the prior PQE classification works using deep learning, this paper proposes a deep-learning framework that leverages attention-enabled Transformers as a tool to accurately classify PQEs under the aforementioned considerations. The proposed framework can operate directly on the voltage signals with no need for a separate feature extraction or calculation phase. Our results show that the proposed framework outperforms recently proposed learning-based techniques. It can accurately classify PQEs under the aforementioned conditions with an accuracy varying between 99.81%-91.43% depending on the signal-to-noise ratio, DC offsets, and variations in the signal amplitude and frequency.


Lightweight Group Authentication Scheme Leveraging Shamir's Secret Sharing and PUFs

July 2024 · 10 Reads

IEEE Transactions on Network Science and Engineering

With the proliferation of edge-computing (EC), Internet-of-things (IoT), and smart applications, many challenging security scenarios arise. For example, a common scenario in the edge-computing paradigm is having many nodes requesting authentication from one edge-server. To this end, Group Authentication Schemes (GASs) were introduced recently in the literature. However, most of the proposed GASs are valid for one-time authentication, and lack flexibility and a key-agreement feature. In this paper, we exploit the advantages of two security primitives, physically unclonable functions (PUFs) and Shamir's secret sharing scheme (SSS) to design a lightweight group authentication scheme (GAS) for edge-computing applications. Specifically, we apply PUFs on SSS and utilize the SSS-homomorphic property to achieve multiple-time group-authentications with the same set of shares. Our PUF-GAS scheme is lightweight, establishes a new group key-agreement per session, and supports an efficient node-evicting mechanism. Furthermore, in PUF-GAS, the group nodes do not store any shares; instead, the nodes derive their secret-shares from their PUF-responses. We formally analyze our protocol theoretically and with AVISPA to show that our scheme achieves message secrecy and authenticity. Additionally, we evaluate our scheme in terms of storage, computational complexity, and communication overhead. Specifically, we evaluate the cryptographic operations used in PUF-GAS on an Arduino-Mega, an 8-bit RISC-based ATmega2560 micro-controller. Finally, we present a comparative evaluation of our scheme with others in terms of security and performance.


A Verifiable Computing Scheme for Encrypted Control Systems

May 2024 · 5 Reads

The proliferation of cloud computing technologies has paved the way for deploying networked encrypted control systems, offering high performance, remote accessibility and privacy. However, in scenarios where the control algorithms run on third-party cloud service providers, the control logic might be changed by a malicious agent on the cloud. Consequently, it is imperative to verify the correctness of the control signals received from the cloud. Traditional verification methods, like zero-knowledge proof techniques, are computationally demanding in both proof generation and verification, may require several rounds of interactions between the prover and verifier and, consequently, are inapplicable in real-time control system applications. In this paper, we present a novel computationally inexpensive verifiable computing solution inspired by the probabilistic cut-and-choose approach. The proposed scheme allows the plant's actuator to validate the computations accomplished by the encrypted cloud-based networked controller without compromising the control scheme's performance. We showcase the effectiveness and real-time applicability of the proposed verifiable computation scheme using a remotely controlled Khepera IV differential-drive robot.


Try On, Spied On?: Privacy Analysis of Virtual Try-On Websites and Android Apps

March 2024 · 16 Reads

The use of augmented reality (AR) technology for virtual try-on (VTO) in online shopping is on the rise but its current state of privacy is not well explored. To examine privacy issues in VTO websites and apps, we analyze 138 websites and 28 Android apps that offer VTO. By capturing and analyzing the network traffic, we found that 65% of the websites send user images to a server: 8% to first-party (FP) servers only, and 57% to third-party (TP) servers only or both FP and TP. 18% of apps send user images to a server: 4% to FP servers only, and 14% to TP servers only or both FP and TP. Additionally, 43 websites and 2 apps are confirmed to get the users’ images stored, either by the FP website or a TP. 37% of websites are confirmed to use VTO providers which extract facial geometry from received users’ images. We also found that 11% of websites featuring VTO violate their own privacy policies, and 25% use a VTO provider that violates its own privacy policy. Privacy policy violations include sharing the user’s image to a website’s own server, or to a TP server, despite denying so in the privacy policy. Furthermore, 22% of websites use disclaimers that mislead users about what happens to their data when using VTO. We also found 1446 and 931 TP tracking scripts and cookies, respectively, in the analyzed websites. Finally, we identified security vulnerabilities, such as broken authentication, in a VTO provider that can compromise its merchants. These findings underscore the need for greater transparency and clarity from companies using VTO features, and highlight the potential risks to user privacy, even from top brands.



A Verifiable Computing Scheme for Encrypted Control Systems

January 2024 · 4 Reads

IEEE Control Systems Letters

The proliferation of cloud computing technologies has paved the way for deploying networked encrypted control systems, offering high performance, remote accessibility and privacy. However, in scenarios where the control algorithms run on third-party cloud service providers, the control’s logic might be changed by a malicious agent on the cloud. Consequently, it is imperative to verify the correctness of the control signals received from the cloud. Traditional verification methods, like zero-knowledge proof techniques, are computationally demanding in both proof generation and verification, may require several rounds of interactions between the prover and verifier and, consequently, are inapplicable in real-time control system applications. In this paper, we present a novel computationally inexpensive verifiable computing solution inspired by the probabilistic cut-and-choose approach. The proposed scheme allows the plant’s actuator to validate the computations accomplished by the encrypted cloud-based networked controller without compromising the control scheme’s performance. We showcase the effectiveness and real-time applicability of the proposed verifiable computation scheme using a remotely controlled Khepera-IV differential-drive robot.


No Place to Hide: Privacy Exposure in Anti-stalkerware Apps and Support Websites

November 2023 · 33 Reads

Stalkerware is malicious software found in mobile devices that monitors and tracks a victim’s online and offline activity. This harmful technology has become a growing concern, jeopardizing the security and privacy of millions of victims and fostering stalking and Intimate Partner Violence (IPV). In response to this threat, various solutions have emerged, including anti-stalkerware apps that aim to prevent and detect the use of monitoring apps on a user’s device. Organizations dedicated to assisting IPV victims have also enhanced their online presence, offering improved support and easy access to resources and materials. Considering how these tools and support websites handle sensitive personal information of users, it is crucial to assess the privacy risks associated with them. In this paper, we conduct a privacy analysis on 25 anti-stalkerware apps and 323 websites to identify issues such as PII leaks, authentication problems and 3rd-party tracking. Our tests reveal that 14/25 apps and 210/323 websites share user information with 3rd-party services through trackers, cookies or session replay. We also identified 44 domains to which sensitive data is sent, along with 3 services collecting information submitted in forms through session replay.


On Detecting and Measuring Exploitable JavaScript Functions in Real-World Applications

October 2023 · 111 Reads · 1 Citation

ACM Transactions on Privacy and Security

JavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications. Because of its popularity, JavaScript has become a frequent target for attackers who exploit vulnerabilities in the source code to take control over the application. To address these JavaScript security issues, such vulnerabilities must be identified first. Existing studies in vulnerable code detection in JavaScript mostly consider package-level vulnerability tracking and measurements. However, such package-level analysis is largely imprecise as real-world services that include a vulnerable package may not use the vulnerable functions in the package. Moreover, even the inclusion of a vulnerable function may not lead to a security problem, if the function cannot be triggered with exploitable inputs. In this paper, we develop a vulnerability detection framework that uses vulnerable pattern recognition and textual similarity methods to detect vulnerable functions in real-world JavaScript projects, combined with a static multi-file taint analysis mechanism to further assess the impact of the vulnerabilities on the whole project (i.e., whether the vulnerability can be exploited in a given project). We compose a comprehensive dataset of 1,360 verified vulnerable JavaScript functions using the Snyk vulnerability database and the VulnCode-DB project. From this ground-truth dataset, we build our vulnerable patterns for two common vulnerability types: prototype pollution and Regular Expression Denial of Service (ReDoS). With our framework, we analyze 9,205,654 functions (from 3,000 NPM packages, 1892 websites and 557 Chrome Web extensions), and detect 117,601 prototype pollution and 7,333 ReDoS vulnerabilities. By further processing all 5,839 findings from NPM packages with our taint analyzer, we verify the exploitability of 290 zero-day cases across 134 NPM packages. 
In addition, we conduct an in-depth contextual analysis of the findings in 17 popular/critical projects and study the practical security exposure of 20 functions. With our semi-automated vulnerability reporting functionality, we disclosed all verified findings to project owners. We also obtained 25 published CVEs for our findings, 19 of them rated as “Critical” severity, and six rated as “High” severity. Additionally, we obtained 169 CVEs that are currently “Reserved” (as of Apr. 2023). As evident from the results, our approach can shift JavaScript vulnerability detection from the coarse package/library level to the function level, and thus improve the accuracy of detection and aid timely patching.




Citations (63)


... Classification methods based on learning have emerged in diverse application domains, including PQEs classification. In learning-based methodologies, the input data is processed through a multi-layered network, where each layer's output serves as the input for the subsequent layer [17]. This facilitates the incorporation of multiple levels of data abstraction, which is very useful in PQEs classification [8], [3]. ...

Reference:

Enhancing Power Quality Event Classification with AI Transformer Models
Learning-Based Detection of Malicious Volt-VAr Control Parameters in Smart Inverters

... Pattern-Based Detection (5 studies) There are multiple studies [31], [40], [50] that use simple matching heuristics to detect problematic regular expressions. Moreover, open-source tools like regexploit [60], redos-detector [61], and safe-regex [62] look for patterns such as infinite repeats (a*b*a*), branches (a|b), or nested quantifiers (*, +, ?, {n,m}) that could lead to vulnerabilities. ...

On Detecting and Measuring Exploitable JavaScript Functions in Real-World Applications
  • Citing Article
  • October 2023

ACM Transactions on Privacy and Security

... Our results show that the proposed model outperforms other DL techniques, and thus can be implemented in future PQE classifiers. While numerical simulations can provide valuable insights in controlled environments, enable the possibility of exploring extreme conditions, and provide detailed information, it is necessary to evaluate the proposed model for real-world implementation, commencing with hardware-in-the-loop tests similar to previous work [23]. Future work involves assessing the scheme's performance under noise, DC offset, and voltage variations together, addressing misclassifications under low-frequency noise, and exploring the scalability and resilience to large-scale systems and adversarial attacks. ...

Cyber-Immune Line Current Differential Relays

IEEE Transactions on Industrial Informatics

... The tool identifies four categories of backend servers: (1) On-the-fly Model-Checker (OFMC); (2) Constraint Logic-based Attack Searcher (CL-AtSe); (3) SAT-based Model-Checker (SATMC); and (4) Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). We use the OFMC and CL-AtSe backend servers to verify the proposed protocols similar to [26], [27]. The authentication protocol has four roles: UE, SN, Blockchain, and HN, while the handover phase has two roles: UE and SN. ...

SKAFS: Symmetric Key Authentication Protocol with Forward Secrecy for Edge Computing

IEEE Internet of Things Journal

... In particular, XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially compromising their browsers and enabling attacks like session hijacking or phishing. On the other hand, CSRF attacks trick authenticated users into performing unintended actions on a website by leveraging their trusted session [139]. This can result in unauthorized changes to user settings or data. ...

All Your Shops Are Belong to Us: Security Weaknesses in E-commerce Platforms
  • Citing Conference Paper
  • April 2023

... In [12], the upper bound of the network capacity with wireless backhaul is evaluated based on the number of antennas per BS. In [13], with the tool of stochastic geometry, the authors examine the performance of mMTC in an ultra-dense network (UDN) environment that utilizes the mmWave band and employs wireless backhaul support for the small cell. In [14], the authors propose a load-balancing algorithm for small-cell-integrated access and backhaul networks operating in the millimeter wave (mmWave) band. ...

Performance Analysis of Cellular Ultra Dense IoT Networks with Wireless Backhauls
  • Citing Article
  • September 2023

IEEE Internet of Things Journal

... Edge computing adds an edge network layer close to the terminal device between the server and the terminal. The edge network layer contains devices and gateways with medium computing power, storage capacity, and battery life [10], and its functions are mainly realized by edge computing nodes, which are regarded as intermediate components and deployed between the NB-IoT terminal and the server. ...

GASE: A Lightweight Group Authentication Scheme With Key Agreement for Edge Computing Applications
  • Citing Article
  • January 2022

IEEE Internet of Things Journal

... Upon receiving a minimum consensus of results from these multiple controllers, the verifier assumes those results are correct. An alternative method to ensure the integrity of the computation at the cloud-based controller employs a hardware-based Trusted Execution Environment (TEE) such as Intel SGX, as demonstrated in [7]. Nevertheless, the latest attacks on SGX have revealed that hardware remains vulnerable to compromise and this could lead to jeopardize both the TEE and the overall systems' security. ...

On Securing Cloud-Hosted Cyber-Physical Systems Using Trusted Execution Environments
  • Citing Conference Paper
  • August 2021