A Dynamic Profile Questions Approach to Mitigate Impersonation in Online Examinations

A Dynamic Profile Questions Approach to Mitigate Impersonation in Online Examinations J Grid Computing https://doi.org/10.1007/s10723-018-9442-6 A Dynamic Profile Questions Approach to Mitigate Impersonation in Online Examinations Abrar Ullah · Hannan Xiao · Trevor Barker Received: 29 January 2018 / Accepted: 9 May 2018 © The Author(s) 2018 Abstract Online examinations are an integral com- an online test and the response time of an imper- ponent of many online learning environments, which sonator was significantly different (p < 0.01) than face many security challenges. Collusion is seen as a student. The study also revealed that a response a major security threat to such examinations, when a time factor may be implemented to identify and report student invites a third party to impersonate or abet in a impersonation attacks. test. This work aims to strengthen the authentication of students via the use of dynamic profile questions. The Keywords Authentication · Security · Usability · study reported in this paper involved 31 online partici- Online examinations pants from five countries over a five-week period. The results of usability and security analysis are reported. The dynamic profile questions were more usable than 1 Introduction both the text-based and image-based questions (p < 0.01). An impersonation abuse scenario was simulated In typical online learning environments, students are using email and mobile phone. The impersonation assessed from remote locations, which raise the secu- attack via email was not successful, however, students rity concerns of stakeholders about the integrity of online examinations [1]. Cheating is one of the major were able to share answers to dynamic profile ques- tions with a third party impersonator in real time, threats due to vulnerable authentication approaches and the degree of difficulty to verify the identity of which resulted in 93% correct answers. The sharing of information via phone took place in real time during remote users. Face-to-face invigilation can be expen- sive and logistically challenging in dispersed geo- graphical locations. However, many educational insti- tutions prefer supervised examinations to the use of Abrar Ullah () high stake online examinations largely because of the Llandaff Campus, Cardiff Metropolitan University, difficulty in the authentication of a remote user with Cardiff, CF5 2YB, UK e-mail: aaaullah@cardiffmet.ac.uk no face-to-face interaction [2]. Student cheats in online examinations using a num- Hannan Xiao · Trevor Barker ber of methods. The work presented in this paper College Lane Campus, University of Hertfordshire, investigates collusion attacks i.e. impersonation, when Hatfield, AL10 9AB, UK e-mail: h.xiao@herts.ac.uk a student invites a third party to take the test on his/her behalf. The student shares their access credentials Trevor Barker e-mail: t.1.barker@herts.ac.uk via two methods: email, and instant messaging using A. Ullah et al. mobile phone. Collusion is a challenging threat which student. It has an ongoing issue reported in a num- is difficult to detect and report after the completion of ber of recent studies [6–8]. Collusion can be classified an online examination. in the following categories based on its occurrence in This paper presents the findings of an empirical different scenarios [9] study conducted in a real online course with remote international participants. The work focuses on 2.1 Impersonation research that aims to strengthen the authentication of examinees via the use of a challenge questions In an impersonation attack, a student shares his or her approach [3]. The traditional text-based challenge access credentials with a third party who takes the questions approach requires students to register their online test. It is difficult to detect impersonation once answers before authentication. an online test is completed [10]. These attacks are pre- This allows students to store, memorize, and share planned and consensual, involving legitimate students these questions with a third party to perform an imper- with valid access credentials. Moini and Madni [2] sonation attack. To discourage students from sharing state that impersonation and illegal sharing or disclo- their credentials, this study proposes dynamic profile sure of authentication secrets is challenging to defend questions, which are created in the background when against in a remote online setting. They identified that a student per-forms learning activities. This study will students invite third parties to take their online tests investigate the following: for extra benefit. Such attacks are evolving with the advent of new communication technology. A num- 1. The effectiveness of the proposed dynamic profile ber of scenarios are presented below to describe the question approach. potential impersonation attacks [9] 2. Whether a student could share dynamic pro- file questions with a third party impersonator 2.1.1 Credential Sharing with a Third Party via Email using asynchronous and real-time communica- (Asynchronously) tion methods (i.e. email and mobile phone) and successfully perform impersonation. The conventional login-identifier and password is a The paper is organized into multiple sections start- widely used approach for the authentication of students ing with introduction to highlight the overview and in online tests. This method may provide adequate objectives. Section 2 provides a literature review, dis- security in many online applications. However, it is cussion on security threats and justification for the vulnerable to attacks when students invite third parties research work presented in this paper. Section 3 out- to take their examinations. A student is able to share lines detail of research methodology. Usability and his or her access credentials prior to the test via email, security findings are discussed in Sections 4 and 5. phone and instant message. Rowe [11] states that indi- viduals share credentials with collaborators, who take the online test on behalf of the intended test taker. 2 Background and Related Work 2.1.2 Credential Sharing with a Third Party The threat level of collusion in online examinations is via Phone (Real Time) different from other online applications such as bank- ing where implicit collusion is unlikely to happen [4]. The mobile phone has become an increasingly used Students are motivated by varying reasons to collude communication technology and an essential personal in online examinations. Evans and Craig [5] identified accessory. McGee [12] identified that students may different reasons to collude including desire for bet- use smartphones for information exchange during ter grades, fear of failure, pressure from parents to do online examinations. Howell et al. [13] reported that well, unclear instructional objectives and being graded students exchange answers to questions using their on a curve. phones and take photographs of exams and transmit A collusion attack is an organized form of cheating them to others. Paullet et al. [14] identified phone use which involves collaboration between a student and as a new method of cheating. They argue that the use a third party to solve examination problems. It is a of browser-locking techniques may become irrelevant consensual and pre-planned cheating attack by a A Dynamic Profile Questions Approach to Mitigate Impersonation... if a student has access to a smartphone during their computer), Internet browser access, and remote desk- exam. There are two possible scenarios where a smart top sharing during an examination session [24]. How- phone may be used to cheat in an online test, i.e. ever, students may still circumvent the security and sharing answers to questions, and sharing access cre- share their credentials with a third party using email dentials for impersonation. and mobile phone. 2.2 Authentication Approaches 2.1.3 Credential Sharing with a Third Party via Instant Messaging (IM) The conventional authentication approaches fall into three categories based on “what you know” e.g. pass- Instant Messaging (IM) is another potential method to word and secret information “what you have?” e.g. a communicate during an online examination session. smart card and “what you are” e.g. biometrics [25]. The growth of IM services is a global phenomenon, These methods are driven by knowledge, objects and which is rapidly changing the way people interact. human characteristics. The existing methods satisfy IM applications are easily available on mobile phones, identity and authentication to ensure that the correct tablets and computers for little or no cost. Ease of student has access to an online test. However, based on access makes it a potential tool for cheating in online the literature review and evaluation of potential threats examinations. Examples of instant messaging appli- above, it has been identified that an authenticated cations include Skype, Viber, WhatsApp, and Phone [15]. The prevalence and free availability of these student is sometimes not the expected student, or an expected student may start a test but does not complete applications means they are gradually replacing short it. Hence, the existing mechanisms are not sufficient messaging service (SMS) communication [16]. As of to ensure that the correct student takes the online test. 2016, chat service WhatsApp has reached 1 billion Table 1 shows an overview of the existing meth- registered users [17]. Technology has been a useful ods in the context of impersonation threats. In the tool for advanced learning; however, it may also be majority of features, students may be able to share used by people in promoting their personal objectives, access credentials with an impersonator. For exam- including cheating. McGee [12] state that technol- ple, students reveal their passwords to third parties ogy is the most commonly used strategy to cheat in for impersonation [26]. Apampa et al. [6] state that online examinations. Research studies reported that an impersonator could produce correct login details students with access to phones and computers use instant messages during online examinations [18, 19]. on behalf of a student, which raises the question “is the student really who he/she claims to be?” Authen- tication methods provide a different level of security 2.1.4 Remote Desktop Sharing assurances, reliability and deterrence to impersonation threats. According to guidelines the proposed method Using remote desktop sharing applications, a remote needs to [27]: user can access and control a desktop with permission to all programs [20]. By combining remote desktop support, not prevent or disrupt, learning (usable) sharing and an online examination session, a student be integrated in the learning process (secure) may login and invite a third party to impersonate him be simple and flexible to deploy (usable) in an online test. Desktop sharing is reported as one of be secure, non-invasive and not diminish privacy the ten most inventive cheating attempts in eCampus (secure and usable) News [21]. Heussner [22] state that it could be tempt- be low-cost (feasible). ing to accept help from a friend or helper remotely using technology including remote desktop sharing. Knowledge Based Authentication (KBA) is the sim- This enables a third party in the next room, or even in plest technique to fulfill the security requirements. a different city, country and time zone, to impersonate This is an easy to use method, and expected to provide a test taker. This type of attack is pre-planned and the secure authentication in online examinations. This is student and attacker agree a time to perform the test. a low-cost, accessible, widely acceptable and pre- ferred authentication method [28]. However, a review The security measures such as “secure browser” [23] can mitigate the use of instant messaging (on personal of KBA methods suggests impersonation attacks are A. Ullah et al. Table 1 Authentication Authentication methods Impersonation approaches and impersonation Knowledge-based Authentication (KBA) Login identifier and password Can be shared with a third party Personal challenge questions Can be shared with a third party Object-based Authentication (OBA) Smartcard, or magnetic card Can be shared with a third party Biometrics Fingerprint recognition Cannot be shared with a third party Face recognition Cannot be shared with a third party Signature recognition Cannot be shared with a third party Web video recording Cannot be shared with a third party Human invigilation Face-to-face invigilation Cannot impersonate with identity verification Remote monitoring (Web cam) Cannot impersonate with identity verification inevitable. Using both challenge questions based on hardware and broadband Internet to transmit the required personal information, and login-identifier and pass- input. Unlike KBA, biometric features are associated word, students may be able to share credentials with with an individual’s physical or behavioral character- third party impersonators using phone, IMs, remote istics, which cannot be updated if compromised. For desktop and email. example, some studies indicated that an individual’s Object Based Authentication (OBA) method uti- fingerprint can be lifted from the surfaces of objects lizes physical objects such as smart cards and mag- without one’s knowledge and used for replay attacks netic strip cards [29]. This method is widely used [2, 33]. False Reject Rate (FRR) and False Accept in the banking, transport and hospitality sectors Rate (FAR) are widely known issues with these fea- with a purpose-built infrastructure. Implementation of tures: Ratha et al. [34] stated that fingerprint matching these features requires special purpose input devices faces two common and competing errors, these being and infrastructure, which incurs additional costs and FRR and FAR. The same issues were reported in human resources. Smart cards can be shared in per- other biometric features, including face recognition. son or by post with impersonators before online tests, In a recent study, Sahoo and Choubisa [35] identified meaning the method is fallible, and vulnerable to that the video recording feature may enhance secu- impersonation attacks. Furthermore, implementation rity, but it will require post-assessment monitoring of the OBA method may be challenging to imple- of exam sessions for all students, which incurs addi- ment in dispersed geographical locations with students tional resources and demands extra effort [31]. This needing to access online learning and examinations discussion implies that biometrics is more reliable in from their homes and offices. terms of identification; however, they are unreason- Biometric features such as fingerprint and face ably intrusive, expensive and may cause difficulties in recognition methods are suggested to enhance secu- wider implementation where students are situated in rity in online examinations [30]. Thus, it is anticipated dispersed geographical locations. that only the correct student can authenticate, due to A human invigilator is an example of a secondary unique physical attributes associated with individuals. authentication method which can be used to ensure Ko and Cheng [31] proposed the use of video record- the presence of the correct student. This includes ing of an online examination session, which may face-to-face proctoring and remote monitoring via a countermeasure impersonation attacks. These features web cam. Face-to-face proctoring requires test cen- are reported to be more reliable than KBA and OBA. ters and human invigilators in all locations (different However, some studies identified issues with the use cities worldwide) where students are enrolled on an of biometrics. Balie and Jortber [32] state that bio- online course. In addition, each test center requires metrics require proprietary software, special purpose a review by academic staff to ensure proctor quality A Dynamic Profile Questions Approach to Mitigate Impersonation... and compliance with the institution’s test center stan- In response to impersonation attacks identified in the dards [32]. Student authentication that relies upon a previous section and the issues identified above asso- human invigilator will require extra human resources, ciated with the use of text-based and image-based costs and allocated test centers. Remote monitoring challenge questions, this research study proposes via webcam may be a feasible alternative to phys- dynamic profile questions. ical invigilation. A dedicated proctor is assigned to authenticate identity and monitor an online test [36]. 2.4 Dynamic Profile Questions Students can access their tests from the home or office without needing to go to an allocated test center. This In an earlier study, Babic et al. (2009) proposed a theo- approach may be cost-efficient compared to face-to- retical approach for activity-based security questions, face invigilation, but there is a cost attached to remote which programmatically generates a security profile proctoring [36]. This approach requires one-to-one based on an individual’s network and search activi- monitoring and, therefore, would be expensive and ties for authentication of users in web applications. In challenging in testing a large number of students in another study, Jortberg and Baile (2009) implemented dispersed geographical locations. challenge questions from a US consumer database The above discussion suggests a need for an for identification of online students in online exam- authentication approach which is accessible, usable, inations. However, the database was limited to the cost effective, and prevents collusion attacks in online US consumers’ market and does not hold information examinations. about prospective students from across the world. The authors developed and researched text-based, image- based and activity-based questions as discussed above 2.3 Previous Research in the previous research section. Findings of these studies were encouraging. However, there were secu- In the previous work, the authors conducted multiple rity challenges with these approaches which led to the studies to analyze usability and security of text-based creation of dynamic profile questions. and image-based challenge questions in an online Figure 1 shows an overview of dynamic profile ques- examination context [37–41]. The overall findings tions approach, which is an adaptable method. A profile of the earlier studies reported varying results. The is created dynamically based on a student’s learning following usability and security issues were identified. activities. Questions are created non-intrusively and The conventional text-based questions with clar- non-distractingly in the background during the learn- ity, relevance and ambiguity issues were less ing process. These questions are extracted from a stu- usable. This influenced efficiency and effective- dent’s learning activities, content submissions, grades, ness during the authentication process. lessons, and forum posts in order to build and con- In a guessing attack, questions in some areas were solidate a profile. In order to access an online exam- reported with security vulnerabilities as specific ination, the student is required to answer a subset of questions were successfully guessed. questions randomly presented from his or her profile. The usability of image-based questions was better This study implemented multiple choice ques- tions using a combination of distractors and correct than the text-based questions due to memorability of pictures and use of multiple-choice questions answers. A total of 18 dynamic profile questions were utilized in this study which is discussed later in the [42]. • results section. One key issue with pre-defined text-based and image-based questions was the ability of a stu- dent to store, memorize and share them with an impersonator. 3 Research Methodology A study [43] by authors identified that an increase in the number of questions shared, increased The study was conducted in a real online learning the success of an impersonation attack. Also, an course. A usability test method was adopted to eval- increase in the profile (database) size decreased uate the effectiveness of dynamic profile questions. the success of an impersonation attack. It is a usability inspection method, which tends to A. Ullah et al. Fig. 1 An overview of profile based authentication using dynamic profile questions focus on the interaction between humans and comput- interactions. A total of five weekly quizzes were ers [44]. Using this method, the representative users, set up for summative assessment. The participants i.e. students, interact with online learning and exami- were recommended to invest 10 hours weekly nations using dynamic profile question authentication. learning effort over a span of five weeks. Multiple abuse case scenarios were simulated to Participant Recruitment: In order to recruit and test impersonation attacks. A risk-based security motivate participants, the course was offered free of charge and advertised on the University of assessment method was adopted to perform the imper- Hertfordshire online portal (StudyNet). A total of sonation abuse case scenarios. This approach focuses 31 students were enrolled onto the course; how- on the test of features and functions of artifacts based ever, only 21 completed the five-week course. on the risk of their failure using abuse case scenarios Of the 21 students, the majority 17(80%) were [45]. Abuse case scenarios were simulated to analyze students from United Kingdom and 1(5%) each impersonation attacks when students and imperson- were from Slovakia, Kenya, Malta, and Trinidad ators communicated asynchronously (via email) and and Tobago. They were already enrolled in differ- in real time (via a mobile phone) to share access cre- ent programs at the University of Hertfordshire dentials (dynamic profile questions). The study was as distance learners. This was helpful for the conducted in multiple phases, which are described in participants’ engagement due to their existing the following sections. knowledge of using a remote online learning envi- Designing PHP & MySQL Course: Online ronment. In order to motivate students to perform course design plays an important role in setting the security abuse case scenarios a free advanced up learning goals and assessment for students. PHP course was offered on completion of the five The dynamic profile question approach utilized a week course. Due to specialized programming student’s learning interactions during the course context, the course targeted computer science stu- work to create and consolidate a profile; there- dents. The participation was voluntary and per- fore, the course design was highly relevant. A formed with real students in order to create a real remote “PHP and MySQL” online course was learning context. This led to a smaller sample size. organized in five weekly modules, which included Registration: The students were required to email lessons, forum submissions, assignments and stu- a short introduction before registration. Guidance dents’ reflections at the end of each week. The notes on the registration process and an enrol- course was set up and deployed in the MOO- ment key were emailed to all participants. It was DLE Learning Management System (LMS) on a a standard MOODLE sign up process, which was remote web server accessible on the Internet. The essential to create login credentials to access the course content was released on a daily basis to learning material. Upon successful registration, maximize participants’ engagement and learning the participants received a confirmation email to A Dynamic Profile Questions Approach to Mitigate Impersonation... access the course. The course was only available Given the above scenario, this study simulated two to registered users. types of collusion attacks: i) a student shares dynamic Online Coursework: An instructor-led course profile questions with a third party impersonator thr- was taught over a period of five weeks. To collect ough email (asynchronously) before an online examin- pertinent data for the evaluation of usability and ation session; and ii) a student shares dynamic profile security, authentication results were stored in the questions with a third party impersonator in real time database. The participants were required to submit through the mobile phone during an online examination their assignments in order to access their quizzes. session. Before simulating the abuse case scenarios: Each assignment was associated with each week’s Two impersonators were recruited to attempt to im- course content. The participants were required to personate students in an online examination session. complete a quiz at the end of each week. The Each impersonator was assigned a group of 10 course content of the following weeks were con- students to simulate the abuse cases in allocated ditionally released to those who completed their time slots. quizzes – e.g. week 2 content was released to Skype accounts and email addresses for each participants who completed the week 1 quiz. impersonator were shared with his/her allocated Creating Dynamic Profile Questions:Inorder students. to conduct the experiment in a controlled environ- Each impersonator was required to access a sim- ment, dynamic profile questions were created ulation quiz (online examination) created on the manually for each individual student and uploaded course on behalf of each allocated student in the to the database in their profiles via the user scheduled time slot. interface in MOODLE. As shown in “Appendix – Each impersonator was required to answer all 18 Dynamic profile questions”, these questions were dynamic profile questions associated with each of created on a daily basis for each participant after his/her allocated students in order to complete the access to course content and lessons, assignment simulation. submissions, assignment grades, quiz completions, feedback and reflection, and forum discussions. 3.1.1 Credential Sharing with an Impersonator via Email (Asynchronously) 3.1 Simulating Abuse Case Scenarios Email attack was simulated as described below: The following collusion abuse case scenario was sim- ulated toward the end of week five in order to evaluate 1) Students were asked to share their dynamic pro- impersonation attacks using email and phone: file questions via email. Threat Scenario- A student is registered on a PHP 2) Students emailed their dynamic profile questions & MySQL programming course, which is delivered and login details to their allocated impersonator. in an online learning environment. The course uses 3) The impersonator accessed the online course dynamic profile questions for the authentication of using the allocated student’s login details. students in summative assessments, which are acces- 4) In order to access the online quiz on behalf of sible on a secure browser with no access to unwanted a student, the impersonator was randomly pre- software e.g. Internet browser, chat sessions, etc. The sented with three dynamic profile questions. student is due to write his/her final semester online 5) The impersonator answered the dynamic pro- test. He or she wants to boost his/her grades and file questions using the shared information. The recruits a third party impersonator to help him/her to impersonator was required to search and locate take his test. However, to satisfy the authentication, the the correct answer from the shared information student needs to share his/her dynamic profile ques- and to guess answers to questions if they were not tions and answers (access credentials) with the imper- shared. The authentication results were stored in sonator. The impersonator would use the shared infor- the database for analysis. mation to answer the randomly presented dynamic 6) Steps 4 to 5 were repeated until all of the 18 profile challenge questions during authentication in dynamic profile questions were answered by the order to access the online test. impersonator. A. Ullah et al. 3.1.2 Credential Sharing With an Impersonator 4.1 Effectiveness of Dynamic Profile Questions via Phone (in Real-time) The effectiveness is considered to be the degree of A student may share answers to his dynamic pro- accuracy of the participants’ responses. In the context file questions with a third party impersonator in real of this study, it means that participants were able to submit correct answers to dynamic profile questions time during an online examination session using a smart phone. The participants were emailed the guid- effectively with a low error rate. This was analyzed from the data collected from the participants’ answers ance notes. The impersonator was taking the test on to dynamic profile questions during weekly quizzes. a PC computer and communicated with the student Table 2 shows the analysis of dynamic profile ques- using Skype messenger installed on a smart phone. tions and the mean correct and incorrect answers. The The attack was simulated as described below: results show that a large number of answers were 1) At a scheduled time, an impersonator and a stu- correct. Out of 378 questions answered by 21 par- dent started a chat session on the phone using the ticipants, 376 (99.5 %) were correct, which shows Skype instant messaging service. satisfactory effectiveness. 2) A student shared his login details with the imper- As shown in Table 2, the dynamic profile ques- sonator who accessed the online course on a PC tions were based on the introduction and objectives, using the shared login details. assignment submissions, forum discussions, assign- 3) In order to access the simulation online quiz, ment content, student reflection and grades. Each the impersonator was randomly presented with question was presented with five multiple choice three dynamic profile questions on behalf of the options i.e. four distraction and a correct answer. For student. example: 4) The impersonator shared these questions and mul- tiple choice options with the student on a mobile phone using Skype in real time to collect the Table 2 Usability analysis: Effectiveness of dynamic profile correct answers. questions 5) The student identified and shared a correct answer Questions Correct Incorrect on Skype. The impersonator answered the ques- tions and the authentication results were stored in 1 Course objectives 1 21(100%) 0(0%) the database for analysis. 2 Course objectives 2 21(100%) 0(0%) 6) Steps 4 to 5 were repeated until all of the 18 3 Course objectives 3 21(100%) 0(0%) dynamic profile questions were answered by the 4 Assignment 1 21(100%) 0(0%) impersonator. 5 Assignment 2 21(100%) 0(0%) 6 Assignment 3 21(100%) 0(0%) 7 Assignment 4 21(100%) 0(0%) 4 Usability Results 8 Assignment 5 23 20(95.2%) 1(4.8%) 9 Forum Post 1 21(100%) 0(0%) This section presents the usability analysis of dynamic 10 Forum Post 2 21(100%) 0(0%) profile questions in the context of online learning and 11 Forum Post 3 21(100%) 0(0%) examinations. A total of 21 participants answered 378 12 Assignment content 1 20(95.2%) 1(4.8%) questions for authentication in five weekly quizzes. 13 Assignment content 2 21(100%) 0(0%) The response time to questions was not recorded as 14 Assignment content 3 21(100%) 0(0%) they were created non-intrusively, non-distractingly in 15 Assignment content 4 21(100%) 0(0%) the background. This method shows an increased effi- 16 Student Reflection 21(100%) 0(0%) ciency compared to pre-defined text-based and image- 17 Grades 1 21(100%) 0(0%) based questions which require students to register their 18 Grades 2 21(100%) 0(0%) answers. The effectiveness analysis is presented in the Total 376(99.5%) 2(0.5%) following section. A Dynamic Profile Questions Approach to Mitigate Impersonation... Which one of the following statements below was dynamic profile questions on behalf of allocated stu- written by you as a course objective? dents and the information was shared asynchronously through email. Table 3 “Email Impersonation” shows 1. Distraction statement the list of participants and the mean of correct and 2. Distraction statement incorrect answers submitted by an impersonator. The 3. Distraction statement email attack was performed before the phone attack to 4. Correct Answer evaluate participants’ ability to recall and share their 5. None of the above dynamic profile questions, which would help a third The participants were required to recognize the party to impersonate them in an online examination. correct answer among the multiple choice options in Dynamic profile questions implemented five mul- order to authenticate. The multiple choice options pro- tiple choice options and the probability of a correct vided cues to the participants in order to identify their answer by chance would be 1/5th or 20%. In the abuse answers, which resulted in 99.5% correct answers. As case scenario, the impersonators answered 29 (8%) presented in our previous study [42], the percent of challenge questions correctly. This was largely based correct answers to pre-defined text-based and image- on information shared via email and guessing by the based questions were 66% and 85% respectively. The impersonators. current results for dynamic profile questions suggest Of the 21 participants, only 7 were able to share a further increase. This is likely to be a result of at least one correct question and answer with a third using multiple choice options and creating questions party impersonator. In order to test the significance associated with the students’ learning activities. of any differences in the means of correct answers According to the usability scale described by [46], between students (during authentication) and third 70%-79% usability is acceptable, 80%-89% good, and party impersonators in an email abuse case scenario on more than 90% exceptional. Therefore, 99.5% correct answers to dynamic profile questions is an exceptional Table 3 Security analysis: Impersonation via phone effectiveness. Question no. Content type Authentication Correct Incorrect 5 Security Results 1 Course objectives 1 20(95%) 1(5%) This section reports the security analysis of dynamic 2 Course objectives 2 20(95%) 1(5%) profile questions to evaluate impersonation attacks 3 Course objectives 3 21(100%) 0(0%) when students and impersonators communicate through 4 Assignment 1 20(95%) 1(5%) email and mobile phone. The analysis was performed 5 Assignment 2 20(95%) 1(5%) on the data collected from simulation abuse case sce- 6 Assignment 3 20(95%) 1(5%) narios. In total, 21 participants performed email and 7 Assignment 4 21(100%) 0(0%) phone collusion attacks with two impersonators. The 8 Assignment 5 19(90%) 2(10%) findings of impersonation using email resulted in 29 9 Forum Post 1 18(86%) 3(14%) (8%) correct answers. The findings of impersonation 10 Forum Post 2 20(95%) 1(5%) using a mobile phone (Skype) resulted in 351 (93%) 11 Forum Post 3 21(100%) 0(0%) correct answers. A detailed discussion on the findings 12 Assignment content 1 17(81%) 4(19%) of the abuse case scenarios is presented below: 13 Assignment content 2 18(86%) 3(14%) 14 Assignment content 3 20(95%) 1(5%) 5.1 Impersonation Using Asynchronous Sharing 15 Assignment content 4 19(90%) 2(10%) via Email 16 Student Reflection 18(86%) 3(14%) 17 Grades 1 (Assignment) 21(100%) 0(0%) The security analysis of an impersonation attack in 18 Grades 2 (Quiz) 18(86%) 3(14%) this section is based on the number of correct answers Total 351(93%) 27(7%) received when third party impersonators answered A. Ullah et al. Table 4 Security Analysis: Impersonation via Email/Phone the data shown in Table 2 “Email Impersonation” and Table 3, a paired-sample t-test was performed. There Participants Email impersonation Phone impersonation was a significant difference in the correct answers by students (M = 99.5, SD = 2.4) and impersonators in Correct Incorrect Correct Incorrect email abuse case attack (M = 7.8, SD = 14.9) con- 1 9(50%) 9(50%) 18(100%) 0(0%) ditions t (20) = 28.41, p < 0.01. This suggests that 2 0(0%) 18(100%) 12(67%) 6(33%) students were significantly less likely to share their 3 0(0%) 18(100%) 13(72%) 5(28%) dynamic profile questions with a third party imperson- 4 1(6%) 17(94%) 18(100%) 0(0%) ator via email; however, they recognized their correct 5 0(0%) 18(100%) 18(100%) 0(0%) answers when presented with multiple choice options 6 1(6%) 17(94%) 14(78%) 4(22%) during weekly quizzes reported in the effectiveness 7 0(0%) 18(100%) 16(89%) 2(11%) analysis above. 8 0(0%) 18(100%) 18(100%) 0(0%) 9 0(0%) 18(100%) 18(100%) 0(0%) 5.2 Impersonation Using Real-time Sharing via Phone 10 5(28%) 13(72%) 16(89%) 2(11%) 11 0(0%) 18(100%) 18(100%) 0(0%) The security analysis of an impersonation attack in this section is based on the number of correct answers 12 0(0%) 18(100%) 18(100%) 0(0%) 13 0(0%) 18(100%) 17(94%) 1(6%) received when third party impersonators answered dynamic profile questions on behalf of allocated stu- 14 0(0%) 18(100%) 16(89%) 2(11%) dents and the information was shared in real time 15 5(28%) 13(72%) 16(89%) 2(11%) through a mobile phone. Table 3 “Phone Imperson- 16 1(6%) 17(94%) 18(100%) 0(0%) ation” shows the analysis of the dynamic profile 17 0(0%) 18(100%) 17(94%) 1(6%) questions and the mean correct and incorrect answers. 18 0(0%) 18(100%) 16(89%) 2(11%) The findings revealed that a third party imperson- 19 0(0%) 18(100%) 18(100%) 0(0%) ator answered 351 (93%) questions correctly. This 20 0(0%) 18(100%) 18(100%) 0(0%) suggests that students were able to share correct 21 7(39%) 11(61%) 18(100%) 0(0%) answers to their dynamic profile questions on the Total 29 (8%) 349 (92%) 351 (93%) 27 (7%) mobile phone in real time. In order to test the signifi- cance of any difference between correct answers sub- mitted by students (during authentication) in weekly on or before the allocated time. In a practical situation, quizzes and third party impersonators using mobile when a third party impersonator communicates with a phone, a paired-sample t-test was performed on the student to share answers to dynamic profile questions data shown in Tables 2 and 4. There was a signif- using a mobile phone or email, the response time may icant difference in the correct answers by students change. It is anticipated that the response time of a (M=99.47, SD=2.4) and impersonators by phone genuine student and an impersonator may be different (M=92.8, SD=10) conditions t (20) = 3.49, p = when answering these questions. 0.002. However, the mean of correct answers by In order to test the significance of any differences in phone (M=92.8) indicates a high percentage of the the mean response time to dynamic profile questions total answers. This identified a vulnerability of the between a genuine student and a third party imper- dynamic profile questions. A student can circum- sonator, a paired-sample t-test was performed on the vent this approach if an online examination process datashowninTables 2 and 4. There was a signif- is not monitored or the response to questions during icant difference in the scores for the response time authentication is not timed. of a genuine student during authentication (M=39.69, SD=104.07) and a third party during impersonation 5.3 Security Performance and Response-time Factor by phone (M=290.47, SD=90.39) conditions t (377) = -35.55, p < 0.01. Traditional online examinations are often required to The impersonation abuse case scenario via phone be completed in an allocated time. Students are ex- was simulated using Skype instant messaging. It is pected to authenticate and complete their online tests anticipated that verbal communication via phone may A Dynamic Profile Questions Approach to Mitigate Impersonation... Fig. 2 Example of dynamic profile questions be quicker than texting. However, reading a ques- questions were created non-intrusively and non- tion with 5 multiple choice options may still require distractingly in the background during a student’s extra time for an impersonator, compared to a gen- learning period. This increased the efficiency com- uine student who could choose a correct answer in a pared to text-based and image-based questions. The shorter time. Furthermore, dependent upon the ques- findings revealed a significantly increased effective- tion design, some questions may be challenging to ness, i.e. 99.5% correct answers. These questions are describe verbally as shown in Fig. 2. usable and influence impersonation when a student In order to test the significance of any trend in the and impersonator communicate asynchronously via response time on the data presented in Tables 2 and 4, email. The security analysis revealed that dynamic a one-way ANOVA was performed with linear con- profile questions may not influence impersonation trasts. A trend was found for response time by students attacks when a student and an impersonator use a and a third party impersonator F (1,754) = 1250.96, smart phone to communicate in real time during the p < 0.01. A Pearson correlation was performed on exam session. However, there was a significant differ- the data presented in Tables 2 and 4 to test the direc- ence (p < 0.01) in response time between a genuine tion of the trend in response time by a student and a student and a third party impersonator. This may be third party r = 0.79, n = 756, p < 0.01. This indicates implemented as an additional factor on which to base an increasing trend. The above findings show that the reports of impersonation attacks. The response time response time of a genuine student is shorter than that factor can influence students from sharing access cre- of a third party impersonator. dentials with impersonators in real time to perform collusion attacks. Acknowledgments A special thank you to those who con- 6Conclusion tributed to this paper: Paul Kirk Business Manager and Jay Beavan, MARS Programmer, School of Postgraduate Medical The study reported in this paper implemented dynamic and Dental Education, Cardiff University for their help and profile questions in a real online course. These support with the study. A. Ullah et al. Open Access This article is distributed under the terms of the I work in a non-IT related field- I am a Creative Commons Attribution 4.0 International License (http:// cook. creativecommons.org/licenses/by/4.0/), which permits unre- Have already got the basics in HND for stricted use, distribution, and reproduction in any medium, PHP and MySQL but thought this would provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, be a good opportunity to refresh memory and indicate if changes were made. and expand on this Recently my employer have introduced software products and web pages written Appendix: Dynamic Profile Questions in PHP and using MySQL databases so it will be highly beneficial for my career to Q.1 which one of the following statement below familiarize myself with this technologies. were written by you? None of the above I am currently in second year of Eco- Q.4 which one of the following discussion posts nomics Degree were made by you? I have a degree in Chemistry from Trinity I just completed the week 1 quiz and all College Dublin, Ireland and pursued a part- the contents of week 1. I can’t access to time research MSc in Computational Chem- week 2, Am I too late for it, or is there any istry with Trinity College. 3 publications. • specific reason for it? I used SQL during the second year of my When I run the page that should execute course a few years ago, along with Java Hello World. I’m getting an error saying (JDBC) the URL was not found on the server Currently I’m enrolled at the MSc Com- I’ve tried the following: Test after starting puter Science course, previously I studied of Apache (and MySQL), go to the address BSC (Hons) in Computers and Electronics http://localhost/ or http://127.0.0.1/ in your at the Northampton University. browser and examine all of the XAMPP None of the above examples and tools. but all I get is a HTTP Q.2 which one of the following statement below 404 not found page were written by you as a course objective Did you save the example1.php in your • xampp folder correctly? (i.e. make a new I have over seven year experience in the IT folder called myproject in the htdocs folder) sector, I’m currently working as database None of the above administrator/programmer I am doing this course as part of my CPD Q.5 which one of the following discussion posts required in my workplace were made by you? I would like to pursue this course in order I have now completed week 1 assignment. to learn more for my field of work and Can I have access to week 1 quiz? have more knowledge for advancement. • I have managed to install XAMPP but I I want to do this course because i can cannot connect to MySQL module. I have work as a freelancer after doing php as i tried to uninstall and reinstall but noth- have seen so many projects in Freelancer, ing is working. I had installed MYSQL Odesk and Elance and i already have some database previously. experience of Sql. • Thanks Mr Abrar but I do not think that is None of the above going to be necessary. I have managed to Q.3 which of the following statement were written install XAMPP on another computer. in your introduction email? Hi Evens, It works for me but it is not is For networking I need to know some of English. AND. Many thanks Chelsea, not scripting languages and so I want to learn a great start but you cracked it. php. None of the above A Dynamic Profile Questions Approach to Mitigate Impersonation... Q.6 which one of the following discussion posts Write a php program for traffic lights control were made by you? Write a php program to submit data using form $ POST and insert into MySQL I found this too. Googling it, as I under- database? stand it what is happening is when the None of the above script first runs the $i variable is not initial- ized, effectively resulting in a null being Q.10 which one of the following assignments have passed in to the switch statement you submitted in week 1? You have stated that the second example is Write a PHP program to assign any num- the same as the first one. So how come you ber to a variable and display the value have used quotation marks for the second using pre-decrement operator (–). Check example? PHP operators for help. Normally port 443 is used for secure host Write a PHP program to compute factorial and accessible using https of a number n? You nailed it. Perfect. Actually if the port Write a PHP program to demonstrate post is used by another service, apache won’t decrement start as the port is already taken. Write a PHP program to compare pre- None of the above increment with post-increment Q.7 your score for the week 1 quiz was: None of the above Within the 60%-69% range Q.11 which one of the following PHP code belongs Within the 80%-100% range to your assignment? Within the 40% -59% Range while ($minNum < $maxNum){ Within the 70%-79% range echo ”Perform addition: $a + $b = Less than 40% ”.$addition.””; Q.8 which one of the following assignments have foreach($data s $dataitem) you submitted in week 1? $sum = $numberone + $numbertwo; None of the above Write a PHP program to assign your name to $myname and qualification to $qualifi- Q.12 which one of the following PHP code belongs cation variables and display the output on to your assignment? page with on two separate lines. $a=++$a; List examples of logical operators and pro- $sum(a+b); vide evidence with php programs? $addition = $a + $b; Write a php function to compute standard addFunction(10,10); deviation of data array? None of the above Write a php program to connect to database using PDO and retrieve data Q.13 your score for the assignment 1 was: using select statement? Within the 40% -69% Range None of the above Within the 70%-79% range Q.9 which one of the following assignments have Within the 80%-89% range you submitted in week 1? Within the 90%-100% range None of the above Write a php program to demonstrate dif- Q.14 which one of the following reflection posts ference between static, private and public were made by you? class? Write a PHP program to assign any two numbers to two variables and display their I have learnt to create php classes and sum on screen. objects A. Ullah et al. • • I have learnt to create my first PHP page echo $find favorite fruite($fruitArray); and coding, assign variables and the differ- Do While ($num[0] < $num[1]) ent arithmetic operations. None of the above I have learnt to create database connection to backend using PHP in week 6 I have learnt email function using php, which References is very relevant to my ongoing project None of the above 1. Watson, G., Sottile, J.: Cheating in the Digital Age: Do Stu- dents Cheat More in Online Courses? Online J. Dist. Learn. Q.15 which one of the following assignments have Adm. 13(1), n1 (2010) you submitted in week 2? 2. Moini, A., Madni, A.M.: Leveraging Biometrics for User Authentication in Online Learning: A Systems Perspective. Write a PHP program to develop grade- IEEE Syst. J. 3(4), 469–76 (2009) 3. Ullah, A., Xiao, H., Lilley, M.: Profile Based Student book using array Authentication in Online Examination. In: International Con- Write a PHP program to display your ference on Information Society 2012. IEEE, London (2012) favorite fruit from the given choices: Mango, 4. Rabkin, A.: Personal knowledge questions for fallback Orange, Apple, Plum, Cherry, pineapple, authentication: Security questions in the era of Facebook. In: SOUPS 2008: Proceedings of the 4th Symposium on kewi using PHP Switch statement. Usable Privacy and Security 2008, p. 23. ACM, New York Write a PHP program to display odd num- (2008) ber for array list 5. Evans, E.D., Craig, D.: Teacher and student perceptions of Write a PHP program to sort an array list academic cheating in middle and senior high schools. J. • Educ. Res. 84(1), 44–53 (1990) None of the above 6. Apampa, K.M., Wills, G., Argles, D.: User security issues Q.16 which one of the following assignments have in summative e-assessment security. Int. J. Digit. Soc. (IJDS) 1(2), 1–13 (2010) you submitted in week 2? 7. Ayodele, T., Shoniregun, C., Akmayeva, G.: Towards • E-Learning Security: A Machine Learning Approach. Write a PHP program using an indexed In: International Conference on Information Society (i- array to store name of cars: Honda, BMW, Society) 2011, IEEE (2011) Toyota, Ford, Audi and Fiat and print them 8. Sonhera, N., Kritzinger, E., Loock, M.: A Proposed Cyber all on screen line by line. Threat Incident Handling Framework for Schools in South Develop a bubble sort program using PHP Africa. In: Proceedings of the South African Institute for Computer Scientists and Information Technologists Con- Develop push and pop functions of stack ference, ACM (2012) using PHP program 9. Ullah, A., Xiao, H., Barker, T.: A Classification of Threats Write a php program to connect to to Remote Online Examinations. In: International Confer- database using PDO and retrieve data ence and Workshop on Computing and Communication (IEMCON) 2016, IEEE (2016) using select statement? 10. Kerka, S., Wonacott, M.E.: Assessing Learners Online. None of the above Practitioner File, Washington (2000) 11. Rowe N. C.: Cheating in online student assessment: Beyond Q.17 which one of the following PHP code belongs plagiarism. Online Journal of Distance Learning Adminis- to your assignment 2? tration VII N2 (2004) 12. Mcgee, P.: Supporting Academic Honesty in Online print largest($array); Courses. J. Educ. Online 10(1), n1 (2013) While(NOT $thelargetnumber) 13. Howell, S., Sorenson, D., Tippets, H.: The news about function getLarget($array =array()); cheating for distance educators. Faculty Focus Specialty Report [serial on the Internet]. 2010: Available from: $cars[0]=”Honda”; http://www.facultyfocus.com/wp-content/uploads/images/ None of the above promoting-academic-integrity-in-online-edu1.pdf 14. Paullet, K., Chawdhry, A.A., Douglas, D.M., Pinchot, J.: Q.18 which one of the following PHP code belongs Assessing Faculty perceptions and techniques to combat to your assignment 2? academic dishonesty in online courses. In: Proceedings of the EDSIG Conference (2015) echo $cars[0].” ”.$cars[1].” ”.$cars[2].” 15. Church, K., De Oliveira, R.: What’s up with whatsapp?: ”.$cars[3].” ”.$cars[4].” ”.$cars[5]; comparing mobile instant messaging behaviors with tra- foreach($numbers in $numbersArray()) ditional SMS. In: Proceedings of the 15th international A Dynamic Profile Questions Approach to Mitigate Impersonation... conference on Human-computer interaction with mobile 32. Bailie, J.L., Jortberg, M.A.: Online learner authentication: devices and services 2013, ACM (2013) Verifying the identity of online users. Bull.-Board Postings 16. Oghuma, A.P., Chang, Y., Libaque-Saenz, C.F., Park, M.- 547, 17 (2009) C., Rho, J.J.: Benefit-confirmation model for post-adoption 33. Derakhshani, R., Schuckers, S.a.C., Hornak, L.A., behavior of mobile instant messaging applications: A O’gorman, L.: Determination of vitality from a non- comparative analysis of KakaoTalk and Joyn in Korea. invasive biomedical measurement for use in fingerprint Telecommun. Policy 39(8), 658–77 (2015) scanners. Pattern Recogn. 36(2), 383–96 (2003) 17. Mccarthy, N.: Whatsapp Reaches One Billion Users. New 34. Ratha, N.K., Bolle, R.M., Pandit, V.D., Vaish, V.: Robust Jersey: Forbes LLC; 2016 [cited 2016 03/02/2016]; Avail- Fingerprint Authentication Using Local Structural Simi- able from: http://www.forbes.com/sites/niallmccarthy/2016/ larity. In: 2000 Fifth IEEE Workshop on Applications of 02/02/whatsapp-reaches-one-billion-users-infographic/#14 Computer Vision, IEEE (2000) 158bb0520b 35. Sahoo, S.K., Choubisa, T.: Multimodal Biometric Person 18. Dee, T.S., Jacob, B.A.: Rational ignorance in education: A Authentication: A Review IETE. Techn. Rev. 29(1), 54 field experiment in student plagiarism. J. Human Resour. (2012) 47(2), 397–434 (2012) 36. Mahmood, N.: Remote Proctoring Software Means Stu- 19. Rogers, C.F.: Faculty perceptions about e-cheating during dents Can Now Take Exams From Home. Technological online testing. J. Comput. Sci. Coll. 22(2), 206–12 (2006) News Portal; 2010 [cited 2011 13/07/2011]; Available 20. Manion, T.R., Kim, R.Y., Patiejunas, K.: inventors; Google from: http://thetechjournal.com/science/remote-proctoring- Patents, assignee. Remote desktop access2014 software-means-students-can-now-take-exams-from-home. 21. Barbour, A.: The 10 most inventive cheating attempts on xhtml online exams (2014) 37. Ullah, A., Xiao, H., Barker, T., Lilley, M.: Evaluating 22. Heussner, K.M.: 5 ways online education can keep its stu- security and usability of profile based challenge ques- dents honest. GIGAM Research [serial on the Internet]. tions authentication in online examinations. J. Internet Serv. 2012: Available from: https://gigaom.com/2012/11/17/ Appl. 5(1), 2 (2014) 5-ways-online-education-can-keep-its-students-honest/ 38. Ullah, A., Xiao, H., Lilley, M., Barker, T.: Usability of Pro- 23. Respondus. Respondus Assessment Tools for Learn- file Based Student Authentication and Traffic Light System ing Systems. Redmond, WA2016 [01/04/2016]; Availa- in Online Examination. In: The 7Th International Con- ble from: https://www.respondus.com/products/lockdown- ference for Internet Technology and Secured Transactions browser/ (ICITST). IEEE, London (2012) 24. Kitahara, R., Westfall, F., Mankelwicz, J.: New, multi- 39. Ullah, A., Xiao, H., Lilley, M., Barker, T.: Using Challenge faceted hybrid approaches to ensuring academic integrity. Questions for Student Authentication in Online Examina- J. Acad.Bus.Ethics 3(1), 1–12 (2011) tion. Int. J. Infonomics (IJI) 5(3/4), 9 (2012) 25. Jin, A.T.B., Ling, D.N.C., Goh, A.: Biohashing: two fac- 40. Ullah, A.: Security and Usability of Authentication by tor authentication featuring fingerprint data and tokenised Challenge Questions in Online Examination (2017) random number. Pattern Recogn. 37(11), 2245–55 (2004) 41. Ullah, A., Barker, T., Xiao, H.: A focus group study: 26. Weippl, E.R.: Security in e-learning eLearn. Magazine Usability and security of challenge question authe- 2005(3), 3 (2005) ntication in online examinations. In: International Con- 27. Jortberg, M.A.: Methods to verify the identity of distance ference on Information Technology and Applications learning students. Acxiom; 2009 [cited 2011 01/04/2011]; (ICITA); Sydney Australia: Academic Alliance Interna- Available from: http://u.cs.biu.ac.il/ariel/download/de666/ tional (2017) resources/dependable distributed testing/verify students.pdf 42. Ullah, A., Xiao, H., Barker, T., Lilley, M.: Graphical and 28. Hafiz, M.D., Abdullah, A.H., Ithnin, N., Mammi, H.K.: Text Based Challenge Questions for Secure and Usable Towards Identifying Usability and Security Features of Authentication in Online Examinations. In: The 9Th Inter- Graphical Password in Knowledge Based Authentication national Conference for Internet Technology and Secured Technique. In: 2008 AICMS 08 Second Asia International Transactions (ICITST). IEEE, London (2014) Conference on Modeling & Simulation, IEEE (2008) 43. Ullah, A., Xiao, H., Barker, T.: A study into the usability 29. Deo, V., Seidensticker, R.B., Simon, D.R.: inventors; and security implications of text and image based challenge Google Patents, assignee. Authentication system and questions in the context of online examination unpublished method for smart card transactions. US1998 (2017) 30. Agulla, E.G., Rifon, ´ L.A., Castro, J.L.A., Mateo, C.G.: Is 44. Corry, M.D., Frick, T.W., Hansen, L.: User-centered design My Student at the Other Side? Applying Biometric Web and usability testing of a web site: An illustrative case Authentication to E-Learning Environments. In: Eighth study. Educ. Technol. Res. Dev. 45(4), 65–76 (1997) IEEE International Conference on Advanced Learning 45. Mcgraw, G.: Software security Security & Privacy. IEEE Technologies, IEEE (2008) 2(2), 80–3 (2004) 31. Ko, C.C., Cheng, C.D.: Secure Internet examination sys- 46. Bangor, A., Kortum, P., Miller, J.: Determining what indi- tem based on video monitoring. Internet Res. 14(1), 48–61 vidual SUS scores mean: Adding an adjective rating scale. (2004) J. Usability Stud. 4(3), 114–23 (2009) http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Journal of Grid Computing Springer Journals

A Dynamic Profile Questions Approach to Mitigate Impersonation in Online Examinations

Free
15 pages

Loading next page...
 
/lp/springer_journal/a-dynamic-profile-questions-approach-to-mitigate-impersonation-in-JZUEaQRTeh
Publisher
Springer Journals
Copyright
Copyright © 2018 by The Author(s)
Subject
Computer Science; Processor Architectures; Management of Computing and Information Systems; User Interfaces and Human Computer Interaction
ISSN
1570-7873
eISSN
1572-9184
D.O.I.
10.1007/s10723-018-9442-6
Publisher site
See Article on Publisher Site

Abstract

J Grid Computing https://doi.org/10.1007/s10723-018-9442-6 A Dynamic Profile Questions Approach to Mitigate Impersonation in Online Examinations Abrar Ullah · Hannan Xiao · Trevor Barker Received: 29 January 2018 / Accepted: 9 May 2018 © The Author(s) 2018 Abstract Online examinations are an integral com- an online test and the response time of an imper- ponent of many online learning environments, which sonator was significantly different (p < 0.01) than face many security challenges. Collusion is seen as a student. The study also revealed that a response a major security threat to such examinations, when a time factor may be implemented to identify and report student invites a third party to impersonate or abet in a impersonation attacks. test. This work aims to strengthen the authentication of students via the use of dynamic profile questions. The Keywords Authentication · Security · Usability · study reported in this paper involved 31 online partici- Online examinations pants from five countries over a five-week period. The results of usability and security analysis are reported. The dynamic profile questions were more usable than 1 Introduction both the text-based and image-based questions (p < 0.01). An impersonation abuse scenario was simulated In typical online learning environments, students are using email and mobile phone. The impersonation assessed from remote locations, which raise the secu- attack via email was not successful, however, students rity concerns of stakeholders about the integrity of online examinations [1]. Cheating is one of the major were able to share answers to dynamic profile ques- tions with a third party impersonator in real time, threats due to vulnerable authentication approaches and the degree of difficulty to verify the identity of which resulted in 93% correct answers. The sharing of information via phone took place in real time during remote users. Face-to-face invigilation can be expen- sive and logistically challenging in dispersed geo- graphical locations. However, many educational insti- tutions prefer supervised examinations to the use of Abrar Ullah () high stake online examinations largely because of the Llandaff Campus, Cardiff Metropolitan University, difficulty in the authentication of a remote user with Cardiff, CF5 2YB, UK e-mail: aaaullah@cardiffmet.ac.uk no face-to-face interaction [2]. Student cheats in online examinations using a num- Hannan Xiao · Trevor Barker ber of methods. The work presented in this paper College Lane Campus, University of Hertfordshire, investigates collusion attacks i.e. impersonation, when Hatfield, AL10 9AB, UK e-mail: h.xiao@herts.ac.uk a student invites a third party to take the test on his/her behalf. The student shares their access credentials Trevor Barker e-mail: t.1.barker@herts.ac.uk via two methods: email, and instant messaging using A. Ullah et al. mobile phone. Collusion is a challenging threat which student. It has an ongoing issue reported in a num- is difficult to detect and report after the completion of ber of recent studies [6–8]. Collusion can be classified an online examination. in the following categories based on its occurrence in This paper presents the findings of an empirical different scenarios [9] study conducted in a real online course with remote international participants. The work focuses on 2.1 Impersonation research that aims to strengthen the authentication of examinees via the use of a challenge questions In an impersonation attack, a student shares his or her approach [3]. The traditional text-based challenge access credentials with a third party who takes the questions approach requires students to register their online test. It is difficult to detect impersonation once answers before authentication. an online test is completed [10]. These attacks are pre- This allows students to store, memorize, and share planned and consensual, involving legitimate students these questions with a third party to perform an imper- with valid access credentials. Moini and Madni [2] sonation attack. To discourage students from sharing state that impersonation and illegal sharing or disclo- their credentials, this study proposes dynamic profile sure of authentication secrets is challenging to defend questions, which are created in the background when against in a remote online setting. They identified that a student per-forms learning activities. This study will students invite third parties to take their online tests investigate the following: for extra benefit. Such attacks are evolving with the advent of new communication technology. A num- 1. The effectiveness of the proposed dynamic profile ber of scenarios are presented below to describe the question approach. potential impersonation attacks [9] 2. Whether a student could share dynamic pro- file questions with a third party impersonator 2.1.1 Credential Sharing with a Third Party via Email using asynchronous and real-time communica- (Asynchronously) tion methods (i.e. email and mobile phone) and successfully perform impersonation. The conventional login-identifier and password is a The paper is organized into multiple sections start- widely used approach for the authentication of students ing with introduction to highlight the overview and in online tests. This method may provide adequate objectives. Section 2 provides a literature review, dis- security in many online applications. However, it is cussion on security threats and justification for the vulnerable to attacks when students invite third parties research work presented in this paper. Section 3 out- to take their examinations. A student is able to share lines detail of research methodology. Usability and his or her access credentials prior to the test via email, security findings are discussed in Sections 4 and 5. phone and instant message. Rowe [11] states that indi- viduals share credentials with collaborators, who take the online test on behalf of the intended test taker. 2 Background and Related Work 2.1.2 Credential Sharing with a Third Party The threat level of collusion in online examinations is via Phone (Real Time) different from other online applications such as bank- ing where implicit collusion is unlikely to happen [4]. The mobile phone has become an increasingly used Students are motivated by varying reasons to collude communication technology and an essential personal in online examinations. Evans and Craig [5] identified accessory. McGee [12] identified that students may different reasons to collude including desire for bet- use smartphones for information exchange during ter grades, fear of failure, pressure from parents to do online examinations. Howell et al. [13] reported that well, unclear instructional objectives and being graded students exchange answers to questions using their on a curve. phones and take photographs of exams and transmit A collusion attack is an organized form of cheating them to others. Paullet et al. [14] identified phone use which involves collaboration between a student and as a new method of cheating. They argue that the use a third party to solve examination problems. It is a of browser-locking techniques may become irrelevant consensual and pre-planned cheating attack by a A Dynamic Profile Questions Approach to Mitigate Impersonation... if a student has access to a smartphone during their computer), Internet browser access, and remote desk- exam. There are two possible scenarios where a smart top sharing during an examination session [24]. How- phone may be used to cheat in an online test, i.e. ever, students may still circumvent the security and sharing answers to questions, and sharing access cre- share their credentials with a third party using email dentials for impersonation. and mobile phone. 2.2 Authentication Approaches 2.1.3 Credential Sharing with a Third Party via Instant Messaging (IM) The conventional authentication approaches fall into three categories based on “what you know” e.g. pass- Instant Messaging (IM) is another potential method to word and secret information “what you have?” e.g. a communicate during an online examination session. smart card and “what you are” e.g. biometrics [25]. The growth of IM services is a global phenomenon, These methods are driven by knowledge, objects and which is rapidly changing the way people interact. human characteristics. The existing methods satisfy IM applications are easily available on mobile phones, identity and authentication to ensure that the correct tablets and computers for little or no cost. Ease of student has access to an online test. However, based on access makes it a potential tool for cheating in online the literature review and evaluation of potential threats examinations. Examples of instant messaging appli- above, it has been identified that an authenticated cations include Skype, Viber, WhatsApp, and Phone [15]. The prevalence and free availability of these student is sometimes not the expected student, or an expected student may start a test but does not complete applications means they are gradually replacing short it. Hence, the existing mechanisms are not sufficient messaging service (SMS) communication [16]. As of to ensure that the correct student takes the online test. 2016, chat service WhatsApp has reached 1 billion Table 1 shows an overview of the existing meth- registered users [17]. Technology has been a useful ods in the context of impersonation threats. In the tool for advanced learning; however, it may also be majority of features, students may be able to share used by people in promoting their personal objectives, access credentials with an impersonator. For exam- including cheating. McGee [12] state that technol- ple, students reveal their passwords to third parties ogy is the most commonly used strategy to cheat in for impersonation [26]. Apampa et al. [6] state that online examinations. Research studies reported that an impersonator could produce correct login details students with access to phones and computers use instant messages during online examinations [18, 19]. on behalf of a student, which raises the question “is the student really who he/she claims to be?” Authen- tication methods provide a different level of security 2.1.4 Remote Desktop Sharing assurances, reliability and deterrence to impersonation threats. According to guidelines the proposed method Using remote desktop sharing applications, a remote needs to [27]: user can access and control a desktop with permission to all programs [20]. By combining remote desktop support, not prevent or disrupt, learning (usable) sharing and an online examination session, a student be integrated in the learning process (secure) may login and invite a third party to impersonate him be simple and flexible to deploy (usable) in an online test. Desktop sharing is reported as one of be secure, non-invasive and not diminish privacy the ten most inventive cheating attempts in eCampus (secure and usable) News [21]. Heussner [22] state that it could be tempt- be low-cost (feasible). ing to accept help from a friend or helper remotely using technology including remote desktop sharing. Knowledge Based Authentication (KBA) is the sim- This enables a third party in the next room, or even in plest technique to fulfill the security requirements. a different city, country and time zone, to impersonate This is an easy to use method, and expected to provide a test taker. This type of attack is pre-planned and the secure authentication in online examinations. This is student and attacker agree a time to perform the test. a low-cost, accessible, widely acceptable and pre- ferred authentication method [28]. However, a review The security measures such as “secure browser” [23] can mitigate the use of instant messaging (on personal of KBA methods suggests impersonation attacks are A. Ullah et al. Table 1 Authentication Authentication methods Impersonation approaches and impersonation Knowledge-based Authentication (KBA) Login identifier and password Can be shared with a third party Personal challenge questions Can be shared with a third party Object-based Authentication (OBA) Smartcard, or magnetic card Can be shared with a third party Biometrics Fingerprint recognition Cannot be shared with a third party Face recognition Cannot be shared with a third party Signature recognition Cannot be shared with a third party Web video recording Cannot be shared with a third party Human invigilation Face-to-face invigilation Cannot impersonate with identity verification Remote monitoring (Web cam) Cannot impersonate with identity verification inevitable. Using both challenge questions based on hardware and broadband Internet to transmit the required personal information, and login-identifier and pass- input. Unlike KBA, biometric features are associated word, students may be able to share credentials with with an individual’s physical or behavioral character- third party impersonators using phone, IMs, remote istics, which cannot be updated if compromised. For desktop and email. example, some studies indicated that an individual’s Object Based Authentication (OBA) method uti- fingerprint can be lifted from the surfaces of objects lizes physical objects such as smart cards and mag- without one’s knowledge and used for replay attacks netic strip cards [29]. This method is widely used [2, 33]. False Reject Rate (FRR) and False Accept in the banking, transport and hospitality sectors Rate (FAR) are widely known issues with these fea- with a purpose-built infrastructure. Implementation of tures: Ratha et al. [34] stated that fingerprint matching these features requires special purpose input devices faces two common and competing errors, these being and infrastructure, which incurs additional costs and FRR and FAR. The same issues were reported in human resources. Smart cards can be shared in per- other biometric features, including face recognition. son or by post with impersonators before online tests, In a recent study, Sahoo and Choubisa [35] identified meaning the method is fallible, and vulnerable to that the video recording feature may enhance secu- impersonation attacks. Furthermore, implementation rity, but it will require post-assessment monitoring of the OBA method may be challenging to imple- of exam sessions for all students, which incurs addi- ment in dispersed geographical locations with students tional resources and demands extra effort [31]. This needing to access online learning and examinations discussion implies that biometrics is more reliable in from their homes and offices. terms of identification; however, they are unreason- Biometric features such as fingerprint and face ably intrusive, expensive and may cause difficulties in recognition methods are suggested to enhance secu- wider implementation where students are situated in rity in online examinations [30]. Thus, it is anticipated dispersed geographical locations. that only the correct student can authenticate, due to A human invigilator is an example of a secondary unique physical attributes associated with individuals. authentication method which can be used to ensure Ko and Cheng [31] proposed the use of video record- the presence of the correct student. This includes ing of an online examination session, which may face-to-face proctoring and remote monitoring via a countermeasure impersonation attacks. These features web cam. Face-to-face proctoring requires test cen- are reported to be more reliable than KBA and OBA. ters and human invigilators in all locations (different However, some studies identified issues with the use cities worldwide) where students are enrolled on an of biometrics. Balie and Jortber [32] state that bio- online course. In addition, each test center requires metrics require proprietary software, special purpose a review by academic staff to ensure proctor quality A Dynamic Profile Questions Approach to Mitigate Impersonation... and compliance with the institution’s test center stan- In response to impersonation attacks identified in the dards [32]. Student authentication that relies upon a previous section and the issues identified above asso- human invigilator will require extra human resources, ciated with the use of text-based and image-based costs and allocated test centers. Remote monitoring challenge questions, this research study proposes via webcam may be a feasible alternative to phys- dynamic profile questions. ical invigilation. A dedicated proctor is assigned to authenticate identity and monitor an online test [36]. 2.4 Dynamic Profile Questions Students can access their tests from the home or office without needing to go to an allocated test center. This In an earlier study, Babic et al. (2009) proposed a theo- approach may be cost-efficient compared to face-to- retical approach for activity-based security questions, face invigilation, but there is a cost attached to remote which programmatically generates a security profile proctoring [36]. This approach requires one-to-one based on an individual’s network and search activi- monitoring and, therefore, would be expensive and ties for authentication of users in web applications. In challenging in testing a large number of students in another study, Jortberg and Baile (2009) implemented dispersed geographical locations. challenge questions from a US consumer database The above discussion suggests a need for an for identification of online students in online exam- authentication approach which is accessible, usable, inations. However, the database was limited to the cost effective, and prevents collusion attacks in online US consumers’ market and does not hold information examinations. about prospective students from across the world. The authors developed and researched text-based, image- based and activity-based questions as discussed above 2.3 Previous Research in the previous research section. Findings of these studies were encouraging. However, there were secu- In the previous work, the authors conducted multiple rity challenges with these approaches which led to the studies to analyze usability and security of text-based creation of dynamic profile questions. and image-based challenge questions in an online Figure 1 shows an overview of dynamic profile ques- examination context [37–41]. The overall findings tions approach, which is an adaptable method. A profile of the earlier studies reported varying results. The is created dynamically based on a student’s learning following usability and security issues were identified. activities. Questions are created non-intrusively and The conventional text-based questions with clar- non-distractingly in the background during the learn- ity, relevance and ambiguity issues were less ing process. These questions are extracted from a stu- usable. This influenced efficiency and effective- dent’s learning activities, content submissions, grades, ness during the authentication process. lessons, and forum posts in order to build and con- In a guessing attack, questions in some areas were solidate a profile. In order to access an online exam- reported with security vulnerabilities as specific ination, the student is required to answer a subset of questions were successfully guessed. questions randomly presented from his or her profile. The usability of image-based questions was better This study implemented multiple choice ques- tions using a combination of distractors and correct than the text-based questions due to memorability of pictures and use of multiple-choice questions answers. A total of 18 dynamic profile questions were utilized in this study which is discussed later in the [42]. • results section. One key issue with pre-defined text-based and image-based questions was the ability of a stu- dent to store, memorize and share them with an impersonator. 3 Research Methodology A study [43] by authors identified that an increase in the number of questions shared, increased The study was conducted in a real online learning the success of an impersonation attack. Also, an course. A usability test method was adopted to eval- increase in the profile (database) size decreased uate the effectiveness of dynamic profile questions. the success of an impersonation attack. It is a usability inspection method, which tends to A. Ullah et al. Fig. 1 An overview of profile based authentication using dynamic profile questions focus on the interaction between humans and comput- interactions. A total of five weekly quizzes were ers [44]. Using this method, the representative users, set up for summative assessment. The participants i.e. students, interact with online learning and exami- were recommended to invest 10 hours weekly nations using dynamic profile question authentication. learning effort over a span of five weeks. Multiple abuse case scenarios were simulated to Participant Recruitment: In order to recruit and test impersonation attacks. A risk-based security motivate participants, the course was offered free of charge and advertised on the University of assessment method was adopted to perform the imper- Hertfordshire online portal (StudyNet). A total of sonation abuse case scenarios. This approach focuses 31 students were enrolled onto the course; how- on the test of features and functions of artifacts based ever, only 21 completed the five-week course. on the risk of their failure using abuse case scenarios Of the 21 students, the majority 17(80%) were [45]. Abuse case scenarios were simulated to analyze students from United Kingdom and 1(5%) each impersonation attacks when students and imperson- were from Slovakia, Kenya, Malta, and Trinidad ators communicated asynchronously (via email) and and Tobago. They were already enrolled in differ- in real time (via a mobile phone) to share access cre- ent programs at the University of Hertfordshire dentials (dynamic profile questions). The study was as distance learners. This was helpful for the conducted in multiple phases, which are described in participants’ engagement due to their existing the following sections. knowledge of using a remote online learning envi- Designing PHP & MySQL Course: Online ronment. In order to motivate students to perform course design plays an important role in setting the security abuse case scenarios a free advanced up learning goals and assessment for students. PHP course was offered on completion of the five The dynamic profile question approach utilized a week course. Due to specialized programming student’s learning interactions during the course context, the course targeted computer science stu- work to create and consolidate a profile; there- dents. The participation was voluntary and per- fore, the course design was highly relevant. A formed with real students in order to create a real remote “PHP and MySQL” online course was learning context. This led to a smaller sample size. organized in five weekly modules, which included Registration: The students were required to email lessons, forum submissions, assignments and stu- a short introduction before registration. Guidance dents’ reflections at the end of each week. The notes on the registration process and an enrol- course was set up and deployed in the MOO- ment key were emailed to all participants. It was DLE Learning Management System (LMS) on a a standard MOODLE sign up process, which was remote web server accessible on the Internet. The essential to create login credentials to access the course content was released on a daily basis to learning material. Upon successful registration, maximize participants’ engagement and learning the participants received a confirmation email to A Dynamic Profile Questions Approach to Mitigate Impersonation... access the course. The course was only available Given the above scenario, this study simulated two to registered users. types of collusion attacks: i) a student shares dynamic Online Coursework: An instructor-led course profile questions with a third party impersonator thr- was taught over a period of five weeks. To collect ough email (asynchronously) before an online examin- pertinent data for the evaluation of usability and ation session; and ii) a student shares dynamic profile security, authentication results were stored in the questions with a third party impersonator in real time database. The participants were required to submit through the mobile phone during an online examination their assignments in order to access their quizzes. session. Before simulating the abuse case scenarios: Each assignment was associated with each week’s Two impersonators were recruited to attempt to im- course content. The participants were required to personate students in an online examination session. complete a quiz at the end of each week. The Each impersonator was assigned a group of 10 course content of the following weeks were con- students to simulate the abuse cases in allocated ditionally released to those who completed their time slots. quizzes – e.g. week 2 content was released to Skype accounts and email addresses for each participants who completed the week 1 quiz. impersonator were shared with his/her allocated Creating Dynamic Profile Questions:Inorder students. to conduct the experiment in a controlled environ- Each impersonator was required to access a sim- ment, dynamic profile questions were created ulation quiz (online examination) created on the manually for each individual student and uploaded course on behalf of each allocated student in the to the database in their profiles via the user scheduled time slot. interface in MOODLE. As shown in “Appendix – Each impersonator was required to answer all 18 Dynamic profile questions”, these questions were dynamic profile questions associated with each of created on a daily basis for each participant after his/her allocated students in order to complete the access to course content and lessons, assignment simulation. submissions, assignment grades, quiz completions, feedback and reflection, and forum discussions. 3.1.1 Credential Sharing with an Impersonator via Email (Asynchronously) 3.1 Simulating Abuse Case Scenarios Email attack was simulated as described below: The following collusion abuse case scenario was sim- ulated toward the end of week five in order to evaluate 1) Students were asked to share their dynamic pro- impersonation attacks using email and phone: file questions via email. Threat Scenario- A student is registered on a PHP 2) Students emailed their dynamic profile questions & MySQL programming course, which is delivered and login details to their allocated impersonator. in an online learning environment. The course uses 3) The impersonator accessed the online course dynamic profile questions for the authentication of using the allocated student’s login details. students in summative assessments, which are acces- 4) In order to access the online quiz on behalf of sible on a secure browser with no access to unwanted a student, the impersonator was randomly pre- software e.g. Internet browser, chat sessions, etc. The sented with three dynamic profile questions. student is due to write his/her final semester online 5) The impersonator answered the dynamic pro- test. He or she wants to boost his/her grades and file questions using the shared information. The recruits a third party impersonator to help him/her to impersonator was required to search and locate take his test. However, to satisfy the authentication, the the correct answer from the shared information student needs to share his/her dynamic profile ques- and to guess answers to questions if they were not tions and answers (access credentials) with the imper- shared. The authentication results were stored in sonator. The impersonator would use the shared infor- the database for analysis. mation to answer the randomly presented dynamic 6) Steps 4 to 5 were repeated until all of the 18 profile challenge questions during authentication in dynamic profile questions were answered by the order to access the online test. impersonator. A. Ullah et al. 3.1.2 Credential Sharing With an Impersonator 4.1 Effectiveness of Dynamic Profile Questions via Phone (in Real-time) The effectiveness is considered to be the degree of A student may share answers to his dynamic pro- accuracy of the participants’ responses. In the context file questions with a third party impersonator in real of this study, it means that participants were able to submit correct answers to dynamic profile questions time during an online examination session using a smart phone. The participants were emailed the guid- effectively with a low error rate. This was analyzed from the data collected from the participants’ answers ance notes. The impersonator was taking the test on to dynamic profile questions during weekly quizzes. a PC computer and communicated with the student Table 2 shows the analysis of dynamic profile ques- using Skype messenger installed on a smart phone. tions and the mean correct and incorrect answers. The The attack was simulated as described below: results show that a large number of answers were 1) At a scheduled time, an impersonator and a stu- correct. Out of 378 questions answered by 21 par- dent started a chat session on the phone using the ticipants, 376 (99.5 %) were correct, which shows Skype instant messaging service. satisfactory effectiveness. 2) A student shared his login details with the imper- As shown in Table 2, the dynamic profile ques- sonator who accessed the online course on a PC tions were based on the introduction and objectives, using the shared login details. assignment submissions, forum discussions, assign- 3) In order to access the simulation online quiz, ment content, student reflection and grades. Each the impersonator was randomly presented with question was presented with five multiple choice three dynamic profile questions on behalf of the options i.e. four distraction and a correct answer. For student. example: 4) The impersonator shared these questions and mul- tiple choice options with the student on a mobile phone using Skype in real time to collect the Table 2 Usability analysis: Effectiveness of dynamic profile correct answers. questions 5) The student identified and shared a correct answer Questions Correct Incorrect on Skype. The impersonator answered the ques- tions and the authentication results were stored in 1 Course objectives 1 21(100%) 0(0%) the database for analysis. 2 Course objectives 2 21(100%) 0(0%) 6) Steps 4 to 5 were repeated until all of the 18 3 Course objectives 3 21(100%) 0(0%) dynamic profile questions were answered by the 4 Assignment 1 21(100%) 0(0%) impersonator. 5 Assignment 2 21(100%) 0(0%) 6 Assignment 3 21(100%) 0(0%) 7 Assignment 4 21(100%) 0(0%) 4 Usability Results 8 Assignment 5 23 20(95.2%) 1(4.8%) 9 Forum Post 1 21(100%) 0(0%) This section presents the usability analysis of dynamic 10 Forum Post 2 21(100%) 0(0%) profile questions in the context of online learning and 11 Forum Post 3 21(100%) 0(0%) examinations. A total of 21 participants answered 378 12 Assignment content 1 20(95.2%) 1(4.8%) questions for authentication in five weekly quizzes. 13 Assignment content 2 21(100%) 0(0%) The response time to questions was not recorded as 14 Assignment content 3 21(100%) 0(0%) they were created non-intrusively, non-distractingly in 15 Assignment content 4 21(100%) 0(0%) the background. This method shows an increased effi- 16 Student Reflection 21(100%) 0(0%) ciency compared to pre-defined text-based and image- 17 Grades 1 21(100%) 0(0%) based questions which require students to register their 18 Grades 2 21(100%) 0(0%) answers. The effectiveness analysis is presented in the Total 376(99.5%) 2(0.5%) following section. A Dynamic Profile Questions Approach to Mitigate Impersonation... Which one of the following statements below was dynamic profile questions on behalf of allocated stu- written by you as a course objective? dents and the information was shared asynchronously through email. Table 3 “Email Impersonation” shows 1. Distraction statement the list of participants and the mean of correct and 2. Distraction statement incorrect answers submitted by an impersonator. The 3. Distraction statement email attack was performed before the phone attack to 4. Correct Answer evaluate participants’ ability to recall and share their 5. None of the above dynamic profile questions, which would help a third The participants were required to recognize the party to impersonate them in an online examination. correct answer among the multiple choice options in Dynamic profile questions implemented five mul- order to authenticate. The multiple choice options pro- tiple choice options and the probability of a correct vided cues to the participants in order to identify their answer by chance would be 1/5th or 20%. In the abuse answers, which resulted in 99.5% correct answers. As case scenario, the impersonators answered 29 (8%) presented in our previous study [42], the percent of challenge questions correctly. This was largely based correct answers to pre-defined text-based and image- on information shared via email and guessing by the based questions were 66% and 85% respectively. The impersonators. current results for dynamic profile questions suggest Of the 21 participants, only 7 were able to share a further increase. This is likely to be a result of at least one correct question and answer with a third using multiple choice options and creating questions party impersonator. In order to test the significance associated with the students’ learning activities. of any differences in the means of correct answers According to the usability scale described by [46], between students (during authentication) and third 70%-79% usability is acceptable, 80%-89% good, and party impersonators in an email abuse case scenario on more than 90% exceptional. Therefore, 99.5% correct answers to dynamic profile questions is an exceptional Table 3 Security analysis: Impersonation via phone effectiveness. Question no. Content type Authentication Correct Incorrect 5 Security Results 1 Course objectives 1 20(95%) 1(5%) This section reports the security analysis of dynamic 2 Course objectives 2 20(95%) 1(5%) profile questions to evaluate impersonation attacks 3 Course objectives 3 21(100%) 0(0%) when students and impersonators communicate through 4 Assignment 1 20(95%) 1(5%) email and mobile phone. The analysis was performed 5 Assignment 2 20(95%) 1(5%) on the data collected from simulation abuse case sce- 6 Assignment 3 20(95%) 1(5%) narios. In total, 21 participants performed email and 7 Assignment 4 21(100%) 0(0%) phone collusion attacks with two impersonators. The 8 Assignment 5 19(90%) 2(10%) findings of impersonation using email resulted in 29 9 Forum Post 1 18(86%) 3(14%) (8%) correct answers. The findings of impersonation 10 Forum Post 2 20(95%) 1(5%) using a mobile phone (Skype) resulted in 351 (93%) 11 Forum Post 3 21(100%) 0(0%) correct answers. A detailed discussion on the findings 12 Assignment content 1 17(81%) 4(19%) of the abuse case scenarios is presented below: 13 Assignment content 2 18(86%) 3(14%) 14 Assignment content 3 20(95%) 1(5%) 5.1 Impersonation Using Asynchronous Sharing 15 Assignment content 4 19(90%) 2(10%) via Email 16 Student Reflection 18(86%) 3(14%) 17 Grades 1 (Assignment) 21(100%) 0(0%) The security analysis of an impersonation attack in 18 Grades 2 (Quiz) 18(86%) 3(14%) this section is based on the number of correct answers Total 351(93%) 27(7%) received when third party impersonators answered A. Ullah et al. Table 4 Security Analysis: Impersonation via Email/Phone the data shown in Table 2 “Email Impersonation” and Table 3, a paired-sample t-test was performed. There Participants Email impersonation Phone impersonation was a significant difference in the correct answers by students (M = 99.5, SD = 2.4) and impersonators in Correct Incorrect Correct Incorrect email abuse case attack (M = 7.8, SD = 14.9) con- 1 9(50%) 9(50%) 18(100%) 0(0%) ditions t (20) = 28.41, p < 0.01. This suggests that 2 0(0%) 18(100%) 12(67%) 6(33%) students were significantly less likely to share their 3 0(0%) 18(100%) 13(72%) 5(28%) dynamic profile questions with a third party imperson- 4 1(6%) 17(94%) 18(100%) 0(0%) ator via email; however, they recognized their correct 5 0(0%) 18(100%) 18(100%) 0(0%) answers when presented with multiple choice options 6 1(6%) 17(94%) 14(78%) 4(22%) during weekly quizzes reported in the effectiveness 7 0(0%) 18(100%) 16(89%) 2(11%) analysis above. 8 0(0%) 18(100%) 18(100%) 0(0%) 9 0(0%) 18(100%) 18(100%) 0(0%) 5.2 Impersonation Using Real-time Sharing via Phone 10 5(28%) 13(72%) 16(89%) 2(11%) 11 0(0%) 18(100%) 18(100%) 0(0%) The security analysis of an impersonation attack in this section is based on the number of correct answers 12 0(0%) 18(100%) 18(100%) 0(0%) 13 0(0%) 18(100%) 17(94%) 1(6%) received when third party impersonators answered dynamic profile questions on behalf of allocated stu- 14 0(0%) 18(100%) 16(89%) 2(11%) dents and the information was shared in real time 15 5(28%) 13(72%) 16(89%) 2(11%) through a mobile phone. Table 3 “Phone Imperson- 16 1(6%) 17(94%) 18(100%) 0(0%) ation” shows the analysis of the dynamic profile 17 0(0%) 18(100%) 17(94%) 1(6%) questions and the mean correct and incorrect answers. 18 0(0%) 18(100%) 16(89%) 2(11%) The findings revealed that a third party imperson- 19 0(0%) 18(100%) 18(100%) 0(0%) ator answered 351 (93%) questions correctly. This 20 0(0%) 18(100%) 18(100%) 0(0%) suggests that students were able to share correct 21 7(39%) 11(61%) 18(100%) 0(0%) answers to their dynamic profile questions on the Total 29 (8%) 349 (92%) 351 (93%) 27 (7%) mobile phone in real time. In order to test the signifi- cance of any difference between correct answers sub- mitted by students (during authentication) in weekly on or before the allocated time. In a practical situation, quizzes and third party impersonators using mobile when a third party impersonator communicates with a phone, a paired-sample t-test was performed on the student to share answers to dynamic profile questions data shown in Tables 2 and 4. There was a signif- using a mobile phone or email, the response time may icant difference in the correct answers by students change. It is anticipated that the response time of a (M=99.47, SD=2.4) and impersonators by phone genuine student and an impersonator may be different (M=92.8, SD=10) conditions t (20) = 3.49, p = when answering these questions. 0.002. However, the mean of correct answers by In order to test the significance of any differences in phone (M=92.8) indicates a high percentage of the the mean response time to dynamic profile questions total answers. This identified a vulnerability of the between a genuine student and a third party imper- dynamic profile questions. A student can circum- sonator, a paired-sample t-test was performed on the vent this approach if an online examination process datashowninTables 2 and 4. There was a signif- is not monitored or the response to questions during icant difference in the scores for the response time authentication is not timed. of a genuine student during authentication (M=39.69, SD=104.07) and a third party during impersonation 5.3 Security Performance and Response-time Factor by phone (M=290.47, SD=90.39) conditions t (377) = -35.55, p < 0.01. Traditional online examinations are often required to The impersonation abuse case scenario via phone be completed in an allocated time. Students are ex- was simulated using Skype instant messaging. It is pected to authenticate and complete their online tests anticipated that verbal communication via phone may A Dynamic Profile Questions Approach to Mitigate Impersonation... Fig. 2 Example of dynamic profile questions be quicker than texting. However, reading a ques- questions were created non-intrusively and non- tion with 5 multiple choice options may still require distractingly in the background during a student’s extra time for an impersonator, compared to a gen- learning period. This increased the efficiency com- uine student who could choose a correct answer in a pared to text-based and image-based questions. The shorter time. Furthermore, dependent upon the ques- findings revealed a significantly increased effective- tion design, some questions may be challenging to ness, i.e. 99.5% correct answers. These questions are describe verbally as shown in Fig. 2. usable and influence impersonation when a student In order to test the significance of any trend in the and impersonator communicate asynchronously via response time on the data presented in Tables 2 and 4, email. The security analysis revealed that dynamic a one-way ANOVA was performed with linear con- profile questions may not influence impersonation trasts. A trend was found for response time by students attacks when a student and an impersonator use a and a third party impersonator F (1,754) = 1250.96, smart phone to communicate in real time during the p < 0.01. A Pearson correlation was performed on exam session. However, there was a significant differ- the data presented in Tables 2 and 4 to test the direc- ence (p < 0.01) in response time between a genuine tion of the trend in response time by a student and a student and a third party impersonator. This may be third party r = 0.79, n = 756, p < 0.01. This indicates implemented as an additional factor on which to base an increasing trend. The above findings show that the reports of impersonation attacks. The response time response time of a genuine student is shorter than that factor can influence students from sharing access cre- of a third party impersonator. dentials with impersonators in real time to perform collusion attacks. Acknowledgments A special thank you to those who con- 6Conclusion tributed to this paper: Paul Kirk Business Manager and Jay Beavan, MARS Programmer, School of Postgraduate Medical The study reported in this paper implemented dynamic and Dental Education, Cardiff University for their help and profile questions in a real online course. These support with the study. A. Ullah et al. Open Access This article is distributed under the terms of the I work in a non-IT related field- I am a Creative Commons Attribution 4.0 International License (http:// cook. creativecommons.org/licenses/by/4.0/), which permits unre- Have already got the basics in HND for stricted use, distribution, and reproduction in any medium, PHP and MySQL but thought this would provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, be a good opportunity to refresh memory and indicate if changes were made. and expand on this Recently my employer have introduced software products and web pages written Appendix: Dynamic Profile Questions in PHP and using MySQL databases so it will be highly beneficial for my career to Q.1 which one of the following statement below familiarize myself with this technologies. were written by you? None of the above I am currently in second year of Eco- Q.4 which one of the following discussion posts nomics Degree were made by you? I have a degree in Chemistry from Trinity I just completed the week 1 quiz and all College Dublin, Ireland and pursued a part- the contents of week 1. I can’t access to time research MSc in Computational Chem- week 2, Am I too late for it, or is there any istry with Trinity College. 3 publications. • specific reason for it? I used SQL during the second year of my When I run the page that should execute course a few years ago, along with Java Hello World. I’m getting an error saying (JDBC) the URL was not found on the server Currently I’m enrolled at the MSc Com- I’ve tried the following: Test after starting puter Science course, previously I studied of Apache (and MySQL), go to the address BSC (Hons) in Computers and Electronics http://localhost/ or http://127.0.0.1/ in your at the Northampton University. browser and examine all of the XAMPP None of the above examples and tools. but all I get is a HTTP Q.2 which one of the following statement below 404 not found page were written by you as a course objective Did you save the example1.php in your • xampp folder correctly? (i.e. make a new I have over seven year experience in the IT folder called myproject in the htdocs folder) sector, I’m currently working as database None of the above administrator/programmer I am doing this course as part of my CPD Q.5 which one of the following discussion posts required in my workplace were made by you? I would like to pursue this course in order I have now completed week 1 assignment. to learn more for my field of work and Can I have access to week 1 quiz? have more knowledge for advancement. • I have managed to install XAMPP but I I want to do this course because i can cannot connect to MySQL module. I have work as a freelancer after doing php as i tried to uninstall and reinstall but noth- have seen so many projects in Freelancer, ing is working. I had installed MYSQL Odesk and Elance and i already have some database previously. experience of Sql. • Thanks Mr Abrar but I do not think that is None of the above going to be necessary. I have managed to Q.3 which of the following statement were written install XAMPP on another computer. in your introduction email? Hi Evens, It works for me but it is not is For networking I need to know some of English. AND. Many thanks Chelsea, not scripting languages and so I want to learn a great start but you cracked it. php. None of the above A Dynamic Profile Questions Approach to Mitigate Impersonation... Q.6 which one of the following discussion posts Write a php program for traffic lights control were made by you? Write a php program to submit data using form $ POST and insert into MySQL I found this too. Googling it, as I under- database? stand it what is happening is when the None of the above script first runs the $i variable is not initial- ized, effectively resulting in a null being Q.10 which one of the following assignments have passed in to the switch statement you submitted in week 1? You have stated that the second example is Write a PHP program to assign any num- the same as the first one. So how come you ber to a variable and display the value have used quotation marks for the second using pre-decrement operator (–). Check example? PHP operators for help. Normally port 443 is used for secure host Write a PHP program to compute factorial and accessible using https of a number n? You nailed it. Perfect. Actually if the port Write a PHP program to demonstrate post is used by another service, apache won’t decrement start as the port is already taken. Write a PHP program to compare pre- None of the above increment with post-increment Q.7 your score for the week 1 quiz was: None of the above Within the 60%-69% range Q.11 which one of the following PHP code belongs Within the 80%-100% range to your assignment? Within the 40% -59% Range while ($minNum < $maxNum){ Within the 70%-79% range echo ”Perform addition: $a + $b = Less than 40% ”.$addition.””; Q.8 which one of the following assignments have foreach($data s $dataitem) you submitted in week 1? $sum = $numberone + $numbertwo; None of the above Write a PHP program to assign your name to $myname and qualification to $qualifi- Q.12 which one of the following PHP code belongs cation variables and display the output on to your assignment? page with on two separate lines. $a=++$a; List examples of logical operators and pro- $sum(a+b); vide evidence with php programs? $addition = $a + $b; Write a php function to compute standard addFunction(10,10); deviation of data array? None of the above Write a php program to connect to database using PDO and retrieve data Q.13 your score for the assignment 1 was: using select statement? Within the 40% -69% Range None of the above Within the 70%-79% range Q.9 which one of the following assignments have Within the 80%-89% range you submitted in week 1? Within the 90%-100% range None of the above Write a php program to demonstrate dif- Q.14 which one of the following reflection posts ference between static, private and public were made by you? class? Write a PHP program to assign any two numbers to two variables and display their I have learnt to create php classes and sum on screen. objects A. Ullah et al. • • I have learnt to create my first PHP page echo $find favorite fruite($fruitArray); and coding, assign variables and the differ- Do While ($num[0] < $num[1]) ent arithmetic operations. None of the above I have learnt to create database connection to backend using PHP in week 6 I have learnt email function using php, which References is very relevant to my ongoing project None of the above 1. Watson, G., Sottile, J.: Cheating in the Digital Age: Do Stu- dents Cheat More in Online Courses? Online J. Dist. Learn. Q.15 which one of the following assignments have Adm. 13(1), n1 (2010) you submitted in week 2? 2. Moini, A., Madni, A.M.: Leveraging Biometrics for User Authentication in Online Learning: A Systems Perspective. Write a PHP program to develop grade- IEEE Syst. J. 3(4), 469–76 (2009) 3. Ullah, A., Xiao, H., Lilley, M.: Profile Based Student book using array Authentication in Online Examination. In: International Con- Write a PHP program to display your ference on Information Society 2012. IEEE, London (2012) favorite fruit from the given choices: Mango, 4. Rabkin, A.: Personal knowledge questions for fallback Orange, Apple, Plum, Cherry, pineapple, authentication: Security questions in the era of Facebook. In: SOUPS 2008: Proceedings of the 4th Symposium on kewi using PHP Switch statement. Usable Privacy and Security 2008, p. 23. ACM, New York Write a PHP program to display odd num- (2008) ber for array list 5. Evans, E.D., Craig, D.: Teacher and student perceptions of Write a PHP program to sort an array list academic cheating in middle and senior high schools. J. • Educ. Res. 84(1), 44–53 (1990) None of the above 6. Apampa, K.M., Wills, G., Argles, D.: User security issues Q.16 which one of the following assignments have in summative e-assessment security. Int. J. Digit. Soc. (IJDS) 1(2), 1–13 (2010) you submitted in week 2? 7. Ayodele, T., Shoniregun, C., Akmayeva, G.: Towards • E-Learning Security: A Machine Learning Approach. Write a PHP program using an indexed In: International Conference on Information Society (i- array to store name of cars: Honda, BMW, Society) 2011, IEEE (2011) Toyota, Ford, Audi and Fiat and print them 8. Sonhera, N., Kritzinger, E., Loock, M.: A Proposed Cyber all on screen line by line. Threat Incident Handling Framework for Schools in South Develop a bubble sort program using PHP Africa. In: Proceedings of the South African Institute for Computer Scientists and Information Technologists Con- Develop push and pop functions of stack ference, ACM (2012) using PHP program 9. Ullah, A., Xiao, H., Barker, T.: A Classification of Threats Write a php program to connect to to Remote Online Examinations. In: International Confer- database using PDO and retrieve data ence and Workshop on Computing and Communication (IEMCON) 2016, IEEE (2016) using select statement? 10. Kerka, S., Wonacott, M.E.: Assessing Learners Online. None of the above Practitioner File, Washington (2000) 11. Rowe N. C.: Cheating in online student assessment: Beyond Q.17 which one of the following PHP code belongs plagiarism. Online Journal of Distance Learning Adminis- to your assignment 2? tration VII N2 (2004) 12. Mcgee, P.: Supporting Academic Honesty in Online print largest($array); Courses. J. Educ. Online 10(1), n1 (2013) While(NOT $thelargetnumber) 13. Howell, S., Sorenson, D., Tippets, H.: The news about function getLarget($array =array()); cheating for distance educators. Faculty Focus Specialty Report [serial on the Internet]. 2010: Available from: $cars[0]=”Honda”; http://www.facultyfocus.com/wp-content/uploads/images/ None of the above promoting-academic-integrity-in-online-edu1.pdf 14. Paullet, K., Chawdhry, A.A., Douglas, D.M., Pinchot, J.: Q.18 which one of the following PHP code belongs Assessing Faculty perceptions and techniques to combat to your assignment 2? academic dishonesty in online courses. In: Proceedings of the EDSIG Conference (2015) echo $cars[0].” ”.$cars[1].” ”.$cars[2].” 15. Church, K., De Oliveira, R.: What’s up with whatsapp?: ”.$cars[3].” ”.$cars[4].” ”.$cars[5]; comparing mobile instant messaging behaviors with tra- foreach($numbers in $numbersArray()) ditional SMS. In: Proceedings of the 15th international A Dynamic Profile Questions Approach to Mitigate Impersonation... conference on Human-computer interaction with mobile 32. Bailie, J.L., Jortberg, M.A.: Online learner authentication: devices and services 2013, ACM (2013) Verifying the identity of online users. Bull.-Board Postings 16. Oghuma, A.P., Chang, Y., Libaque-Saenz, C.F., Park, M.- 547, 17 (2009) C., Rho, J.J.: Benefit-confirmation model for post-adoption 33. Derakhshani, R., Schuckers, S.a.C., Hornak, L.A., behavior of mobile instant messaging applications: A O’gorman, L.: Determination of vitality from a non- comparative analysis of KakaoTalk and Joyn in Korea. invasive biomedical measurement for use in fingerprint Telecommun. Policy 39(8), 658–77 (2015) scanners. Pattern Recogn. 36(2), 383–96 (2003) 17. Mccarthy, N.: Whatsapp Reaches One Billion Users. New 34. Ratha, N.K., Bolle, R.M., Pandit, V.D., Vaish, V.: Robust Jersey: Forbes LLC; 2016 [cited 2016 03/02/2016]; Avail- Fingerprint Authentication Using Local Structural Simi- able from: http://www.forbes.com/sites/niallmccarthy/2016/ larity. In: 2000 Fifth IEEE Workshop on Applications of 02/02/whatsapp-reaches-one-billion-users-infographic/#14 Computer Vision, IEEE (2000) 158bb0520b 35. Sahoo, S.K., Choubisa, T.: Multimodal Biometric Person 18. Dee, T.S., Jacob, B.A.: Rational ignorance in education: A Authentication: A Review IETE. Techn. Rev. 29(1), 54 field experiment in student plagiarism. J. Human Resour. (2012) 47(2), 397–434 (2012) 36. Mahmood, N.: Remote Proctoring Software Means Stu- 19. Rogers, C.F.: Faculty perceptions about e-cheating during dents Can Now Take Exams From Home. Technological online testing. J. Comput. Sci. Coll. 22(2), 206–12 (2006) News Portal; 2010 [cited 2011 13/07/2011]; Available 20. Manion, T.R., Kim, R.Y., Patiejunas, K.: inventors; Google from: http://thetechjournal.com/science/remote-proctoring- Patents, assignee. Remote desktop access2014 software-means-students-can-now-take-exams-from-home. 21. Barbour, A.: The 10 most inventive cheating attempts on xhtml online exams (2014) 37. Ullah, A., Xiao, H., Barker, T., Lilley, M.: Evaluating 22. Heussner, K.M.: 5 ways online education can keep its stu- security and usability of profile based challenge ques- dents honest. GIGAM Research [serial on the Internet]. tions authentication in online examinations. J. Internet Serv. 2012: Available from: https://gigaom.com/2012/11/17/ Appl. 5(1), 2 (2014) 5-ways-online-education-can-keep-its-students-honest/ 38. Ullah, A., Xiao, H., Lilley, M., Barker, T.: Usability of Pro- 23. Respondus. Respondus Assessment Tools for Learn- file Based Student Authentication and Traffic Light System ing Systems. Redmond, WA2016 [01/04/2016]; Availa- in Online Examination. In: The 7Th International Con- ble from: https://www.respondus.com/products/lockdown- ference for Internet Technology and Secured Transactions browser/ (ICITST). IEEE, London (2012) 24. Kitahara, R., Westfall, F., Mankelwicz, J.: New, multi- 39. Ullah, A., Xiao, H., Lilley, M., Barker, T.: Using Challenge faceted hybrid approaches to ensuring academic integrity. Questions for Student Authentication in Online Examina- J. Acad.Bus.Ethics 3(1), 1–12 (2011) tion. Int. J. Infonomics (IJI) 5(3/4), 9 (2012) 25. Jin, A.T.B., Ling, D.N.C., Goh, A.: Biohashing: two fac- 40. Ullah, A.: Security and Usability of Authentication by tor authentication featuring fingerprint data and tokenised Challenge Questions in Online Examination (2017) random number. Pattern Recogn. 37(11), 2245–55 (2004) 41. Ullah, A., Barker, T., Xiao, H.: A focus group study: 26. Weippl, E.R.: Security in e-learning eLearn. Magazine Usability and security of challenge question authe- 2005(3), 3 (2005) ntication in online examinations. In: International Con- 27. Jortberg, M.A.: Methods to verify the identity of distance ference on Information Technology and Applications learning students. Acxiom; 2009 [cited 2011 01/04/2011]; (ICITA); Sydney Australia: Academic Alliance Interna- Available from: http://u.cs.biu.ac.il/ariel/download/de666/ tional (2017) resources/dependable distributed testing/verify students.pdf 42. Ullah, A., Xiao, H., Barker, T., Lilley, M.: Graphical and 28. Hafiz, M.D., Abdullah, A.H., Ithnin, N., Mammi, H.K.: Text Based Challenge Questions for Secure and Usable Towards Identifying Usability and Security Features of Authentication in Online Examinations. In: The 9Th Inter- Graphical Password in Knowledge Based Authentication national Conference for Internet Technology and Secured Technique. In: 2008 AICMS 08 Second Asia International Transactions (ICITST). IEEE, London (2014) Conference on Modeling & Simulation, IEEE (2008) 43. Ullah, A., Xiao, H., Barker, T.: A study into the usability 29. Deo, V., Seidensticker, R.B., Simon, D.R.: inventors; and security implications of text and image based challenge Google Patents, assignee. Authentication system and questions in the context of online examination unpublished method for smart card transactions. US1998 (2017) 30. Agulla, E.G., Rifon, ´ L.A., Castro, J.L.A., Mateo, C.G.: Is 44. Corry, M.D., Frick, T.W., Hansen, L.: User-centered design My Student at the Other Side? Applying Biometric Web and usability testing of a web site: An illustrative case Authentication to E-Learning Environments. In: Eighth study. Educ. Technol. Res. Dev. 45(4), 65–76 (1997) IEEE International Conference on Advanced Learning 45. Mcgraw, G.: Software security Security & Privacy. IEEE Technologies, IEEE (2008) 2(2), 80–3 (2004) 31. Ko, C.C., Cheng, C.D.: Secure Internet examination sys- 46. Bangor, A., Kortum, P., Miller, J.: Determining what indi- tem based on video monitoring. Internet Res. 14(1), 48–61 vidual SUS scores mean: Adding an adjective rating scale. (2004) J. Usability Stud. 4(3), 114–23 (2009)

Journal

Journal of Grid ComputingSpringer Journals

Published: May 31, 2018

References

You’re reading a free preview. Subscribe to read the entire article.


DeepDyve is your
personal research library

It’s your single place to instantly
discover and read the research
that matters to you.

Enjoy affordable access to
over 18 million articles from more than
15,000 peer-reviewed journals.

All for just $49/month

Explore the DeepDyve Library

Search

Query the DeepDyve database, plus search all of PubMed and Google Scholar seamlessly

Organize

Save any article or search result from DeepDyve, PubMed, and Google Scholar... all in one place.

Access

Get unlimited, online access to over 18 million full-text articles from more than 15,000 scientific journals.

Your journals are on DeepDyve

Read from thousands of the leading scholarly journals from SpringerNature, Elsevier, Wiley-Blackwell, Oxford University Press and more.

All the latest content is available, no embargo periods.

See the journals in your area

DeepDyve

Freelancer

DeepDyve

Pro

Price

FREE

$49/month
$360/year

Save searches from
Google Scholar,
PubMed

Create lists to
organize your research

Export lists, citations

Read DeepDyve articles

Abstract access only

Unlimited access to over
18 million full-text articles

Print

20 pages / month

PDF Discount

20% off