TULiPS

Technology Usability Lab in Privacy and Security

Logo: Technology Usability Lab in Privacy and Security
Research Publications People Student Projects Wiki Outreach

Student Projects

Projects completed by Interns, Undergraduate, and Masters students associated with the TULIPS lab. Projects very widely and typically represent one summer's amount of work. Resources and publications provided where available and appropriate. Projects are sorted by the year they were completed and then alphabetically by student.

2023

Project screenshot.

Automatically Generating Contextualised Responses to Phishing Reports

Sean Strain (2021-2023, Undergraduate Thesis, Internship, Masters Thesis)

Supervisors: Kami Vaniea, Adam Jenkins

I propose a novel system that respons to reports of email phishing with contextualised information and advice. The first year of the project analyses a given email for a range of phishing indicators and dynaically generates a set of features that can be used to create a friendly and educational response. The second year of the project involved creating a simulated inbox interface which showed the output of the system in a realistic setting. A study with 22 participants was then used to evaluate how users interacted with the system and how much it helped users identify and learn about phishing.

2022

Project screenshot.

Correlating Information on Email to Help the User Receive Better Understanding on Identifying Phishing Email

Isa Albashar (2021-2022, Masters Thesis)

Supervisor: Kami Vaniea

Phishing is a popular method to obtain sensitive data from users such as login passwords. Unfortunately automatic detection methods, while quite accurate, are not 100%, so some phishing emails appear in user inboxes. Users are recommended to report such email, but they are unlikely to get a quick response if they do. In this project I create a prototype for an auto responder system that gives a summary of email analysis which consists of the email features identified and has a friendly explaination.

Project screenshot.

BitTrack - Using Game Based Learning to Educate Users on Topics Surrounding the Bitcoin Blockchain

Jahangeer Aslam (2021-2022, Masters Thesis)

Supervisor: Kami Vaniea

Blockchain technology and cryptocurrencies have attracked significant interest both from academia and the public recently. However, despite this interest, the general public has very little understanding of how these technologies actually operate. Game-based learning has been demostrated to be successful in educating people on a variety of topics. This project focuses on teaching users fundamental blockchain concepts using the example of Bitcoin. The goal is to alieviate common misconceptions surrounding Bitcoin's anonymity property. We demonstrate that game based learning is indeed an effective approach for education within this domain.

Project screenshot.

Cyber Security Game: An education game to teach non-technical employees about phishing emails

Wenning Jiang (2021-2022, Masters Thesis)

Supervisor: Kami Vaniea

Phishing emails are one of the most dangerous attacks in recent years, lurking in email inboxes for the unwary. Serious games present a potential way to teach users about phishing in a more fun environment. This project designed a progressive game where the difficultly raises in levels. Thereby increasing the challenge as the player progresses.

Project screenshot.

Measure cookie setting behavior of web pages showing cookie privacy warnings

Daniel Kirkman (2021-2022, Undergraduate Thesis, Intern)

Supervisor: Kami Vaniea

Cookie dialogs are an increasingly common sight across the web but it can still be unclear to users what their true purpose is. These dialogs are intended to allow users to select the level of cookie enablement that matches their personal privacy preferences. However many cookie dialogs use subtle design techniques to nudge users towards accepting more cookies than they need to. These techniques are known as Dark Patterns. In this project I built a tool to automatically detect cookie dialogs and potential dark pattern usage on websites. The reulting system was tested on over 10,000 websites and successfully collected over 2,000 cookie dialogs. It is capable of detecting 10 different types of Dark Pattern and was able to detect over 3,700 instances of Dark Patterns.

Project screenshot.

Data Hunter: A Cyber Security Game about Web Tracking

Fanwei Meng (2021-2022, Masters Thesis)

Supervisor: Kami Vaniea

Tracking of people's online behaviors is more concerning than ever, especially as awareness increases. Due to a lack of education in the area, few people know how they are bein gtracked online or how to avoid those attacks. This project aimed to use game-based learning to teach users about web tracking. A game called 'Data Hunter' was designed to explain web tracking concepts. Players learn terminology around tracking and anti-tracking.

Project screenshot.

Alexa Bystander Privacy

Alejandra Amaro Patino (2022-2022, Internship)

Supervisors: Kami Vaniea, Nicole Meng

Smart speakers like Amazon Alexa are able to hear and interact with anyone in audible range of the speaker but only the speaker's owner may be aware or ok with it being there. This project explores different approaches to awareness and consent in regards to bystanders who come into range of an Amazon Alexa.

Project screenshot.

Analysis of phishing emails for construction of auto-generated advice

Daria Popova (2021-2022, Undergraduate Thesis)

Supervisor: Kami Vaniea

Phishing is an attack that exploits how people interpret email content, in paricular, exploiting: fear of scarcity, authority, guilt, and gullibility. I perform an analysis of an email dataset using deep neural networks and automated classifiers in an effort to provide users with useful predicted guidance.

Project screenshot.

Measure the Cookie-Setting Behavor of Web Pages Showing Privacy Warnings

Zihan Qiao (2020-2022, Undergraduate and Masters Thesis)

Supervisor: Kami Vaniea

After the introduction of regulations like GDPR, it be came necessary for regulators and researchers to be able to track and measure the use of web tracking technologies such as cookies. This project aims to create a platform that enables this type of scientific measurement of cookie dialogs and cookie setting behavior.

Project screenshot.

Measure the Cookie Setting Behavor of Web Pages Showing Privacy Warnings

Bartosz Strunzinski (2020-2022, Undergraduate and Masters Thesis)

Supervisor: Kami Vaniea

Following the introduction of various EU privacy regulations, such as GDPR, many websites started showing cookie privacy warning dialogs to make people aware that the website might be collecting and sharing personal data about them. This project aims to build a tool that can detect these dialogs and determine what happends when a user agrees to the use of cookies (opt-in) and what happens when they choose to disagree (opt-out). The project also looks at a practice called `cookie synchronization' where two trackers synchronize their cookie data with each other thereby making it easier to share personal information about users.

Project screenshot.

Measure cookie setting behavior of web pages showing cookie privacy warnings

Jim Su (2021-2022, Undergraduate Thesis)

Supervisor: Kami Vaniea

The enactment of GDPR means that the use of tracking technologies like cookies should be limited. They should also be accepted by users before websites set them; however, some websites do not comply with GDPR in different ways such as not displaying options on cookie dialogs. In this project I build a Cookie Dialog Crawler Tool to analyze cookie setting behaviours on different websites. The took can identify and classify cookie dialogs, interact with different options on cookie dialogs, and collect cookies. I analyzed 500 popular websites from the Tranco top visited websites list, and 500 less popular websites from the ParaCrawl list. 54.2% of popular websites displayed a cookie dialog, compared to 17.6% of less popular websites.

2021

Project screenshot.

Talk to Google Assistant about Privacy

Nurul Syakirah Binti Ahmad Ghazali (2020-2021, Undergraduate Thesis)

Supervisor: Kami Vaniea

Smart Personal Assistants such as Amazon Echo and Google Home have become prevalent in our daily lives but people still lack the digital literacy and the rights to properly control the information these devices collect and share. One part of the problem is that privacy notices are designed to be read in a written form, but these devices are designed to be interacted with via audio in a queston and answer format. The aim of this project is to explore ways to enable people to interact with the privacy policies of smart personal assitants through their own audio channel. In other words, how do we get Alexa to talk to people about privacy?

Project screenshot.

Measure Cookie Setting Behavior of Web Pages Showing Cookie Privacy Warnings

Yiwen Cui (2020-2021, Masters Thesis)

Supervisor: Kami Vaniea

Web cookies are a common form of web tracking technology which fall under the regulation of GDPR leading to the use of cookie consent dialogs on many websites. This project aims to study the content of cookie consent dialogs in relation to some of the requirements of GDPR. The project involved first building a tool to automatically find cookie dialogs and support human labeling for the remainder, then also to automatically find an interact with clickable elements on the dialogs. These tools were used on 958 websites to determine if they were showing a dialog when they set third party cookies, and if they were following GDPR general requirements by giving users meaningful choices.

Project screenshot.

The Impact of Cross-National Differences on Phishing Email Detection Ability

Mingyang Dong (2020-2021, Masters Thesis)

Supervisor: Kami Vaniea

Phishing is a crime that employs both social engineering and technical methods to steal sensitive personal information. People who relocate from a region or culture where communication is done differently can be particularly vulnerable to phishing. One of the most common phishing avoidance advice is to see if the message `looks odd' which is easy for someone who is established in their community or job, but is very challenging for someone who just relocated. This project aims to better understand the phishing-related challenges faced by students who relocated from China to the UK for their studies. We find that University communication in China is normally done over communication channels that verify the sender's identity, like WeChat. Whereas similar communication in the UK is over email which is not properly authenticated. These differences cause challenges for international students.

Project screenshot.

A Serious Game Designed to Teach Computer Science Students about the Domain Name System

Xuanxuan Du (2020-2021, Masters Thesis)

Supervisor: Kami Vaniea

The Domain Name System (DNS) plays a fundamental role in computer networks, making it relatively easy for people to access websites. However, the principles behind it are often difficult to understand and thus challenging for students to learn. This project’s main goal is to design and build a serious game, which will help computer science students grasp the various kinds of attacks that might occur during the DNS lookup process and its basic concepts.

Project screenshot.

A Survey on Patching Behaviour of System Administrators

Linsen Liu (2021-2021, Internship)

Supervisors: Kami Vaniea, Adam Jenkins

How do system administrators decide whether or not to apply a particular patch? How do they prioritise patches? How are these patches tested and deployed? There is no single best answer to these questions, as any number of factors can influence a system administrator’s patching behaviour. In this project, we designed a survey to understand the prevalence of typical patching behaviours of system administrators, and any deviations that may occur in some instances.

Project screenshot.

Measure the Cookie Setting Behavor of Web Pages Showing Cookie Privacy Warnings

Smilte Petronyte (2020-2021, Undergraduate Thesis)

Supervisor: Kami Vaniea

Websites commonly display cookie privacy warnings to conform to the General Data Protection Regulation (GDPR) and the ePrivacy Directive introduced by the European Union. These regulations require companies to obtain user consent before setting non-essential cookies, such as cookies used for marketing. In this study I performed an emperical analsis of cookie setting behavior and cookies notices found on the top 1000 most visited websites of 2020. I found that approximately 50% of the websites displayed a cookie notice and interacting with the notice usually results in more cookies being set.

Project screenshot.

Creating an Educational Resource for Understanding URLs

Ritwik Sarkar (2020-2021, Undergraduate Thesis)

Supervisor: Kami Vaniea

Everyone who has access to the internet has come across a Uniform Resource Locator (URL) at some point. There are millions of different URLs and it is not possible for anyone to know exactly which web page each URL will open but there are standard practices when it comes to the formation of a URL. Despite this, the average user is not usually able to accurately differentiate between a safe URL which will lead them to the site they wish to go to and a malicious one that will redirect them to a dangerous page. My project teaches individuals the basics of URLs. I do this by creating a singular online resource with a collection of videos made by myself and others that explain how to read a URL and how they help us reach the web pages we want to along with common mistakes to look out for.

Project screenshot.

Measuring Cookie Behaviours Under Different Browser Configurations

Xu Zhang (2020-2021, Masters Thesis)

Supervisor: Kami Vaniea

Cookies play a vital role in the web by offering convenience, but they are still easily exploited by advertising companies. Even though many people do not fully understand how cookies and online-tracking work, they may have installed ad blocker plugins, naively believing that they can protect privacy. In this research, I have implemented a command-line tool for collecting cookie-related data and used it to investigate the effectiveness of many commonly used adblockers and other potentially cookie-blocking solutions. The results were no surprise that some of the most widely used adblockers do not offer the protection that most people believe.

Project screenshot.

Designing an Autoresponder for Phishing Email Reports

Zeyu Zhang (2020-2021, Masters Thesis)

Supervisor: Kami Vaniea

Nowadays, it is common for organizations to support their members recognizing phishing by encouraging them to report any suspicious emails. However, as a kind of human assistance, not every inquirer can be responded in minutes, while speed can matter a lot because phishers often press their targets to make immediate decisions by injecting a sense of urgency. In addition, as the help desk workers might not be phishing experts either, their feedback is not always helpful that it might be very general but not customized to a certain reported email. Therefore, I designed an automatic responder for phishing email reports, which is technical feasible to implement to return immediate feedback to the inquirer. According to the design, the responder can automatically parse the reported emails and notify the findings through specific colors and texts, ranging from safe to dangerous. This solution combines the human autonomous decision and more reliable automated detection methods, which cover a wider range of phishing features compared to most user-support tools, including email headers, internal URLs, and email body. Also it focuses on explaining those features to ordinary users. Through user evaluation with 6 non-experts participants, the feedback is demonstrated to be generally comprehensible, helpful and friendly.

Project screenshot.

An Informational Website for Supporting Students and Researchers Doing Ethics

Ningyu Zhao (2020-2021, Masters Thesis)

Supervisor: Kami Vaniea

Although data scientists are proficient in data set processing and analysis, they may lack an ethical understanding, which may trigger potential loopholes in the research process. This project focuses on the ethical issues in the scope of the school of informatics at the University of Edinburgh and analyzes the pain points of students when filling in Participant Information Sheet and making ethics applications and finally give the response to the design opportunities. The final website is designed to help students write Participant Information Sheet in a good manner and assist them to get ethical approval after the first attempt, it also aims to improve the awareness of data protection in a pedagogical setting and help students engaged in data scientist work in the future.

2020

Project screenshot.

Analysis of Network Traffic to Create an Educational Visualisation of the IoT Ecosystem

Anna Aloshine (2019-2020, Undergraduate Thesis)

Supervisors: Kami Vaniea, Nicole Meng

Assist the general public in understanding how IoT devices communicate within the home by using visualizations; particularly how they interact with other devices such as phones, routers and hubs like Alexa. The project collected packets from a real IoT device and then used the real packet flows to generate a set of scenarios and visualizations that walk a user through what the device is doing.

Project screenshot.

Help Researchers Write Participant Information Sheets for Studies with Humans

Souven Chen (2019-2020, Masters Thesis)

Supervisor: Kami Vaniea

When conducting studies involving human participants, researchers need to make sure participants are informed about the content, risks, and benefits of the study so that participants can make informed choices. However, writing such an information sheet is not necessarily easy for younger researchers, students, or those who have not previously had to direclty work with human participants. In this project, we studied MSc student researchers and built a website tool that would walk them through the process of writing a participant information sheet.

Project screenshot.

Clustering Phishing Emails to Help the Helpdesk

George Gilligan (2019-2020, Undergraduate Thesis)

Supervisors: Kami Vaniea, Kholoud Althobaiti

In this project I unpack, decode, parse, vectorise and cluster malicious emails, with the intention of grouping them into phishing campaigns. The work is motivated by a desire to automate the work of an organisation helpdesk, who are currently consigned to manual labeling of each phishing email individually. The results show promise that phishing campaings can be clustered.

Project screenshot.

Build a test platform for HCI Coursework 1

Edward (Xin) Gui (2019-2020, Masters Thesis)

Supervisor: Kami Vaniea

In the Human-Computer Interaction course of the School of Informatics, students build user interface mockups. Building good mockups without feedback is challenging so the purpose of this project is to allow students to get more feedback from their peers. We developed a website to allow students to conduct usability evaluation tests online and get sufficient feedback in a short time through peer evaluation.

Project screenshot.

Visualize IoT network traffic as a chat conversation

Luqi Li (2019-2020, Masters Thesis)

Supervisor: Kami Vaniea

IoT network traffic can be challenging for people to understand easily or even learn about. In this project we created a website that allows users to upload a network traffic trace file and then view elements of the file using a more user-friendly chat-themed visualization. The website also featured user training and explainations around common network protocols like TCP.

Project screenshot.

Measuring the Cookie-Setting Behaviour of Web Pages Showing Privacy Warnings

Barnabas Molnar (2019-2020, Undergraduate Thesis)

Supervisor: Kami Vaniea

Since the introduction of the GDPR within the European Union, the general web browsing experience for millions of people has changed substantially. A considerable portion of websites have been prompting users to agree to the use of technologies, predominantly cookies, which are aimed to track online behaviour and collect personal data. These prompts are most commonly in the form of privacy dialogs, also known as cookie dialogs. The aim of this study was to develop a research platform, which enables researchers to conduct measurements related to these cookie dialogs. The developed platform, called Cookie Dialog Analysier (CDA), facilitates such measurements to provide an understanding on what effects interactions with these dialogs have in terms of newly placed or removed cookies along with many more useful insights.

Project screenshot.

CatchPhish: A URL and Anti-Phishing Research Platform

Stephen Waddell (2018-2020, Undergraduate and Masters Thesis)

Supervisors: Kami Vaniea, Kholoud Althobaiti

CatchPhish Phishing Learning and Detection Tool is a browser extension and cloud analysis system designed to improve phishing detection by training users to detect malicious URLs. This work represents a novel contribution to anti-phishing research by combining both passive indicators and active warnings into a system which actively aims to train users.

By leveraging Google cloud technologies, a URL analysis server supports the extension with the ability to scalably analyse URLs with a high degree of accuracy. It is built with a Microservices-based architecture deployed on Google App Engine, which integrates a heuristic algorithm with numerous data sources and 46 distinct heuristics, to facilitate the system's analysis requirements.

The research is underpinned by user studies to gather requirements about what solutions would most benefit users. The evaluation of the overall system illustrates the utility of CatchPhish as a versatile research platform for experimenting with different anti-phishing approaches.

2019

Project screenshot.

Vulcan - Firewall Administration Game

Rusab Asher (2018-2019, Undergraduate Thesis)

Supervisor: Kami Vaniea

Firewalls play a fundamental role in Computer Security, but configuring the rules for them may prove challenging to beginners in Computer Security. Vulcan intends to help teach informatics students about different ways firewalls can be configured according to different situations using 'iptables'.

Project screenshot.

Why don't admins patch their systems? Analysis of an email list archive

Pieris Kalligeros (2018-2019, Internship)

Supervisors: Kami Vaniea, Adam Jenkins

Regular application of patches (updates) is vital to the health of computer systems, but many system administrators either patch slowly or not at all. In this project, we looked at a mailing list archive where system administrators share advice about patching. The project involved building tools to automaticall download and parse the corpus, as well as qualitative coding approaches to understand the meaning of the content.

Project screenshot.

Measure how third-party domain connections change across multiple re-loadings of web pages

Yi Liu (2018-2019, Masters Thesis)

Supervisor: Kami Vaniea

First-party websites are usually dynamically connected with third party domains in order to obtain resources such as images, content, and advertisements. This project aims to help privacy makers, researchers and users better understand what privacy-related choices first-party websites are making. To do so, I designed a system to collect traffic information from the top 100 most popular websites and a random selection of 100 popular websites. I measured the connections of each page to third-party websites over several weeks. I found that websites do change which third-party sites they connect to. Websites in the top 100 most popular change their set of third-party websites less often than the less popular websites.

Project screenshot.

Use LDA and AutoNER to analyze and automatically extract patch issues

Jiaming Lyu (2018-2019, Masters Thesis)

Supervisor: Kami Vaniea

Keeping systems up to date and patched is a challenging job for a system administrator. While installing patches quickly is good for security, not all patches are safe to install as they may break important parts of the system. In this project, I propose a combinative method of using heuristics and Latent Dirichlet Allocation to identify which patches being discussed on a forum are safe to install and which patches have problems.

Project screenshot.

Of Smart Speakers and Men - An Exploration of Privacy and Security Perceptions of Smart Speaker Users in Shared Spaces

Nicole Meng (2018-2019, Masters Thesis)

Supervisors: Kami Vaniea, Bettina Nissen

Smart speakers increasingly adopted into our everyday life. Sometimes, they are also placed in shared spaces and automatically turn every person in the room into a user (visitor) even if they do not regularly interact with it. Previous work primarily focuses on smart speaker adoption and owners, but does not consider the implications of smart speakers on visitors. Our research aims to determine differences between owners and visitors in mental and threat models, privacy perceptions, protection strategies, factors of discomfort. Also, we want to identify which areas of smart speakers need to be addressed to improve smart speaker interactions for both owners and visitors.

Project screenshot.

PuppEzy: A Game Based Puppet Programming Teaching Tool

Jaka Mohorko (2018-2019, Undergraduate Thesis)

Supervisor: Kami Vaniea

Many tools used in system administration are often held back by steep learning curves while lacking instructions on how they are to be used. PuppEzy teaches its users how to use one of such tools called Puppet - a configuration management tool. It guides users through the basics of Puppet and teaches them various aspects of the Puppet programming language.

Project screenshot.

Analysing Online Anti-Fraud Advice to Identify Common Anti-Phishing Instructions and Assumptions

Mattia Mossano (2018-2019, Masters Thesis)

Supervisor: Kami Vaniea

There is a wide variety of anti-phishing advice available through many organizations such as banks, universities, law enforcement, and consumer advacacy groups. In this work, I collect advice from 94 web pages across 9 countries. I find that the advice given to users is disorganized with different advice given by different groups and sometimes the same group offering different advice for differenty entities.

Project screenshot.

Use forum posts to detect which updates are experiencing problems

Qingyue Zhu (2018-2019, Masters Thesis)

Supervisor: Kami Vaniea

Patching systems quickly can fix system bugs and prevent security issues, however, it may also create new bugs and issues. In this work, I provide patch-issue information at the post level, stentence level, and feature level. My aim is to identify parts of forum posts that discuss patch issues to enable system adminstrators to quicly review only the information important to them and their system. To accomplish this I, used keyword lists to identify posts discussing problems and sentiment analysis to find sentences that express negative sentiment.

2018

Project screenshot.

Designing a tool to teach password security to future developers

Constance Crowe (2016-2018, Undergraduate and Masters Thesis)

Supervisor: Kami Vaniea

Interactive tutorial that allows people to try out some basic password cracking techniques. My project teaches programmers how to break into a "secure" site by attacking the password, I demonstrate potential vulnerabilities from an attacker's point of view as well as how they can be solved from the defender's perspective.

Project screenshot.

A Usability Evaluation and Re-design of the password manager software KeePass2

Harris Flourentzos (2017-2018, Masters Thesis)

Supervisor: Kami Vaniea

Explored the usability flaws of a password manager application called KeePass2 when used by the average user. Once the usability issues were discovered, a revised version of the software was developed and tested to provide a more usable alternative to the average user population. The revised version was able to remedy many of the discovered usability issues of the original version. However similar to the original, it had some trouble inducing the correct mental model to the users.

Project screenshot.

Usability Analysis and Improvement of Two Cryptographic Prototyping Frameworks

Ma Qing Gao (2017-2018, Masters Thesis)

Supervisor: Markulf Kohlweiss

Cryptography schemes can be the core solution for ensuring computer security. This project focuses on conducting two usability lab study to evaluate the usability of two existing. This project focuses on conducting two usability lab study to evaluate the usability of two existing cryptographic prototyping frameworks, which are the three existing Python cryptography programming libraries: Charm, Petlib and Bplib. The final outcomes of this thesis were: (1) giving the weakness and improvement suggestion of the documentation and error respond of these libraries. (2) identify the syntax of which library is more acceptable and understandable by cryptographers.

Project screenshot.

Visualisation of networking connections traversing a single router

Nicholas Lynch (2017-2018, Undergraduate Thesis)

Supervisor: Kami Vaniea

Interactive demo that allows users to visualize their web traffic live. Users connect their personal mobile device to a special Wifi node and see their traffic displayed on a large demo screen. The goal of the project is to facilitate conversations around privacy, security, networking, and what computer scientists do.

Project screenshot.

A Key to Your Heart: Biometric Authentication Based on ECG Signals

Nikita Samarin (2017-2018, Undergraduate Thesis)

Supervisor: Don Sannella

Over the recent years, there has been a shift of interest towards the field of biometric authentication, which proves the identity of the user using their biological characteristics. In this project, I investigate a biometric based on the electrical activity of the human heart in the form of electrocardiogram (ECG) signals. In order to evaluate the usability and stability of ECG-based biometrics, I perform data collection, signal processing and ECG trace classification.

Project screenshot.

Web-based tool for estimating security training approaches for security decision-makers

Nan Sheng (2017-2018, Masters Thesis)

Supervisor: Kami Vaniea

Cyber security has been a concern for organizations because it can lead to large financial loss. The premise of this project is that the CISO realizes the improtance of cyber security training and is trying to find a suitable training approach for the staff. This project collects essential information about training approaches from academic papers and training companies such as methodology, charateristic, effectiveness, cost and commercial training products. The goal is to help someone like a CISO select a suitable training approache for the staff.

Project screenshot.

Putting the 'S' in HTTPS: Automatically Fixing Insecure HTTP and Flawed HTTPS Connections in Android

Vesko Stefanov (2017-2018, Undergraduate Thesis)

Supervisor: Kami Vaniea

Cryptographic solutions like HTTPS protect information in transit, but only if they are used correctly by developers. In this project, I develop an early prototype of an Android application which checks all outgoing connections from the device and where possible auto-upgrades them to HTTPS connections. I also test how feasible it is to auto-upgrade HTTP connections in terms of the ability of remote servers to accept the upgraded connections.

Project screenshot.

Empirical Evaluation of Users' Ability to Read URLs With and Without a Support Website

Xinding Wang (2017-2018, Masters Thesis)

Supervisor: Kami Vaniea

Reading a URL unaided is challenging. This project had two goals:
1) Determine if people in China and Europe read URLs differently.
2) Build a website that parses and explains a URL to someone in both English and Chinese.

Project screenshot.

User Studies on Bitcoin Hardware Wallets

Filipe Wang (2017-2018, Undergraduate Thesis)

Supervisors: Myrto Arapinis, Kami Vaniea

The popularity of cryptocurrencies grows by the day. In order to use the different cryptocurrencies, users need to create "wallets" to manage their funds. In this project, we take a look at the most secure type of wallets, hardware wallets, and showcase the results of user studies testing whether users are using the wallets correctly in face of a simulated attack.

2017

Project screenshot.

Faheem: Real-time Slack Bot URL Explainer Assists Users in Overcoming Phishing

Kholoud Althobaiti (2016-2017, Masters Thesis)

Supervisors: Stuart Anderson, Kami Vaniea

People have difficulty understanding URLs which makes it harder for them to decide what links are safe to click on or identify potential privacy issues. Faheem is a Slack chat bot designed to help users understand a URL through an interactive discussion with the bot.

Project screenshot.

Usability of Configuration Languages: Online Compiler

Aldo Javier Martinez Bacha (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

Testing the usability of configuration languages as part of a survey is challenging because of the diversity of different languages and the lack of an online compiler to show feedback. In this project, I built an online survey tool where a reseracher can setup a set of tasks and the survey taker can interact and compile their answers in several common configuration languages like L3 and Puppet.

Project screenshot.

Geolocation Inference on Twitter

Alexander Caughey (2016-2017, Masters Thesis)

Supervisors: Kami Vaniea, Liane Guillou

Machine learning systems were developed to predict the location of origin of a tweet to city-level accuracy. Initially, a state-of-the-art neural network system was re-implemented which achieved comparable results. Subsequently, this system was extended to include more features and extra hidden layers resulting in an increase in successful predictions. Additionally, the hyperparameters of the system were optimised and an ablation test was performed on the system's input features to determine the most beneficial inputs. Design requirements for a defensive privacy-protecting plug-in like tool were acquired in a focus group study. This system could be used to raise social media users' awareness of the impact of machine learning using publicly available data on privacy.

Project screenshot.

Firewall administration, the game

Ying-An (Annie) Chen (2016-2017, Undergraduate Thesis)

Supervisors: William Waites, Kami Vaniea

Board game focused on configuration of Firewall rules. Computer security is becoming increasingly important in system administration. For this thesis I focused on firewalls as they are a common component of security management. I built a board game which is engaging and motivates people to learn more about Firewalls.

Project screenshot.

Interactive physical visual aid to support active learning in understanding DDoS concepts

Willy Halim Dinata (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

This project explored a new way to bring security awareness of Distributed Denial of Service (DDoS) attacks to the masses. The project consisted of a physical-visual aid showing participants a set of simulated Internet of Things (IoT) devices. Participants could interact with the IoT devices through a Facebook chat bot and use them to attack the video server in the center of the board. When all four IoT devices attack at once the video slows to a crawl.

Project screenshot.

Encrypt me if you can: Helping developers add Transport Layer Security to Android applications

Dimple Gulrajani (2016-2017, Undergraduate Thesis)

Supervisor: Kami Vaniea

An alarming number of mobile applications on the Google Play store do not encrypt their communications leaving them open to Man In The Middle attacks. This thesis analyzes why this is the case and presents a new tutorial to help developers correctly use TLS.

Project screenshot.

Firewall administration the game

Congcong He (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

Card game that teaches the IPTables command line to players. During the game players gather Learning cards which teach them about different aspects of IPTables such as chains. They then use the Learning cards to construct IPTables commands to accomplish missions.

Project screenshot.

An Educational Game for Computer Security

Yini Huang (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

Card game where each player must manage a personal computer which hosts services (make money) and defend their network (costs money). Players then try and take down rivals by playing well known attacks against them, and they defend by correctly identifing how to prevent the attack. The game is intended for students who are currently taking a computer security course and want a good way to review common computer security material in a fun way.

Project screenshot.

Blue Team : A firewall setup game

Karel Kuzmiak (2017-2017, Internship)

Supervisor: Kami Vaniea

Developed an educational game that can be played in a browser and teaches the basic idea behind firewall administration on a network. The aim of the game is to set up firewall rules in different scenarios, in order to teach the player about iptables syntax, and attack logs from IDS.

Project screenshot.

Meagle - Crowdsourced software data with community-moderated software reviews

Tom Macmichael (2016-2017, Undergraduate Thesis)

Supervisors: Sebastian Maneth, Kami Vaniea

Finding impartial information about a given piece of software is not easy: there is no single place users can visit to find and contribute information in a consistent manner. This project reated a new website called Meagle, that allows a community of users to review pieces of software with moderation so the best reviews are easy to find.

Project screenshot.

Firewall simulator as a WebApp

Patrik Mjartan (2016-2017, Undergraduate Thesis)

Supervisors: William Waites, Kami Vaniea

A firewall is a rather straightforward entity at its core - packets trying to get through get inspected and are either let through, or denied. However, configuring and testing a firewall setup can be rather inaccessable to people like students. In particular, setting up multiple machines and VMs can be error prone and problematic for learning. In this project I sought to create a friewall simulator as a WebApp, hence erasing the potentially difficult and time consuming act of setting up the machines.

Project screenshot.

Identifying Social Media Users Across Platforms and Highlighting Privacy Concerns

Timo Mulder (2016-2017, Masters Thesis)

Supervisors: Kami Vaniea, Liane Guillou

The project helps social media users understand that sharing certain types of information online makes it possible for third parties like advertisers and malicious actors to link supposedly anonymous Facebook and Twitter accounts of the same person together. To accomplish this, I conducted a qualitative study to find the design requirements of a feedback system that informs and helps users to avoid online identity resolution. I also examined and successfully developed several approaches to connect social media accounts together.

Project screenshot.

Building a website for users to rate software updates

Kayode Oduyemi (2016-2017, Undergraduate Thesis)

Supervisors: Sebastian Maneth, Kami Vaniea

End users are not particularly aware of the security implications of not installing updates. This project addresses the problem by creating a website where users can comment on and rate software updates.

Project screenshot.

IoT unboxing

Kaloyan Popstoyanov (2017-2017, Internship)

Supervisor: Kami Vaniea

Developed a systematic process for unboxing IoT devices such that all possible data is captured. I then unboxed 14 devices recording the process from multiple angles, including video of the interactions and packets from both the phone and the IoT device itself.

Project screenshot.

Permission Impossible - the design and evaluation of a video game that teaches beginners about firewalls

Sibylle Sehl (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

Certain topics in Computer Security, for example firewalls, can often seem inaccessible or very difficult to beginners. This project aims to bridge this gap by providing an engaging and friendly environment for beginners to learn about firewalls. Permission Impossible teaches novices about basic firewall terminology and concepts as well as how to build a firewall rule set to enable incoming and outgoing packet traffic.

Project screenshot.

Firewall administration the game

Scott Thompson (2016-2017, Undergraduate Thesis)

Supervisors: Kami Vaniea, William Waites

Managing the Firewall policy rules for a large network is a challenging task, even for a skilled system administrator. Learning these skills can seem insurmountable. In this thesis, I present a Flash game that teaches people how to wirte IPTables rules through a mission-based game.

Project screenshot.

Mailvelope: Evaluate the usability of a security or privacy tool

Qingyu Zhou (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

To be secure, email encryption solutions also need to be usable. In this project I evaluate the usability of the Mailvelope plugin. I find that many of the issues identified by prior work, such as confusion over public/private keys, remain an issue in Mailvelope. I also propose a new user interface design which is more usable.

2016

Project screenshot.

Visualize router traffic

Constantinos Chrysostomou (2016-2016, Internship)

Supervisor: Kami Vaniea

The Internet of Things (IoT) can make it seem like we have lost control over where our data goes. In this project we took IoT traffic passing across a home network router and visualized where in the world the traffic was going in a live display. The system used D3 for the visualization and a system created by Nikolaos Tsirigotakis to do the packet capture.

Project screenshot.

Learn Security

Rory Mathers (2015-2016, Undergraduate Thesis)

Supervisor: Don Sannella

Android app for teaching about the following kinds of web security threats, from the OWASP top 10 list: session attacks, SQL injection, cross-site scripting, cross-site request forgery, and sensitive data exposure. It's designed for smartphones; it works on tablets as well but looks better on 7-inch tablets than on large tablets. It's completely self-contained, demonstrating attacks on a simulated bank website, and countermeasures, and requires no permissions to install - there is no danger to your security.

Project screenshot.

Usability of system configuration langauges: Errors caused by ordering

Adele Mikoliunaite (2015-2016, Masters Thesis)

Supervisors: Paul Anderson, Kami Vaniea

Being a system administrator in todays environment can be quite challenging with a large number of systems to manage and typically minimal formalized training. Configuration languages such as Puppet, SmartFrong, and L3 help administrators manage their large systems but are these languages usable for novices? In this work I administered a survey to look at the intuitive judgements of admins on configuration features such as referencing, inheritance, scope, and ordering. I found that ordering does matterin certain contexts, especially when paired with other features.

Project screenshot.

Measure the churn of Javascript across multiple re-loadings of web pages

Zhouting Ouyang (2015-2016, Masters Thesis)

Supervisor: Kami Vaniea

When a user visits a webpage the contents of the page is retrieved from various other linked pages. Some of the retrieved content is Javascript which is not owned or hosted by the main site being visited. In this thesis I build a web crawler using Java that measured the number and type of Javascript being retrieved from popular websites. I find that after 10 days around 50% of sites have changed the Javascript being loaded.

Project screenshot.

Using static analysis to display privacy properties of apps

Maria Paz Velarde (2015-2016, Masters Thesis)

Supervisor: Kami Vaniea

This project uses static analysis to understand not only what permissions are being used but what an app does with the permissions. We conducted a short user study to identify what types of app permission behaviors worry end users. We found that users care about the contexts in which an app activates permissions. For example, permissions activated with a button press were less concerning than those activated in the background when the app hadn't even been opened. We then created a redesign of the Android permission interface that shows this type of information to the user.

Project screenshot.

Talking Buses: Transport Planning for Blind and Partially Signted People

Craig Snowden (2015-2016, Undergraduate Thesis)

Supervisor: Kami Vaniea

Using public transportation is a necessity for some blind and partially sighted people, but with accessible information not widely available, accessing these public services can be demotivating. The goal of this project was to implement an iOS mobile application to access public transport information in an accessable manner.

Project screenshot.

A framework for an en masse network security evaluation and network flow analysis for the Internet of Things era

Nikolaos Tsirigotakis (2015-2016, Masters Thesis)

Supervisor: Kami Vaniea

Internet of Things (IoT) is characterized by rapid expansion on top of several different standards, protocols, and technologies, making security evaluation on a per-devices scale prohibitively time consuming. This project focused on building a router-based platform to change all that by allowing the automation of security checks.

Project screenshot.

Find conflicting privacy policies on a webpage

Fangkai Wang (2015-2016, Masters Thesis)

Supervisor: Kami Vaniea

When a website loads content from a third-party some information, such as cookies and header data, is also sent to that third party. Both the first and third party websites have their own privacy policies and there is no guarentee that the policies agree with each other. In this thesis I built a privacy policy collector to find privacy policies from both first and third parties. I then use Natural Language Processing to measure similarity as well as measure how long it would take a human to read the policies.

2015

Project screenshot.

Learn Security

Mac Chong (2014-2015, Undergraduate Thesis)

Supervisor: Don Sannella

Android app for teaching about the following kinds of web security threats, from the OWASP top 10 list: session attacks, SQL injection, cross-site scripting, cross-site request forgery, and sensitive data exposure. It's designed for smartphones; it works on tablets as well but looks better on 7-inch tablets than on large tablets. It's completely self-contained, demonstrating attacks on a simulated bank website, and countermeasures, and requires no permissions to install - there is no danger to your security.