Crypto Software Engineering
Politeknik Siber dan Sandi Negara
Artificial Intelligence, Statistics and Probability, Information Systems
Herlambang Rafli Wicaksono, Ihsan Fadli Tampati, Nathanael Berliano Novanka Putra, Hermawan Setiawan, and Dimas Rifqi Firmansyah
IEEE
This paper proposes a holistic framework for the development, management, and monitoring of secure web information systems. Emphasizing a secure software development life cycle (SDLC), resource management, and real-time monitoring, the framework aims to standardize and enhance the process of web application development while prioritizing security at every phase. The framework incorporates threat modeling during planning and design, security guidelines during implementation, and continuous vulnerability scanning. Additionally, it integrates resource management to ensure effective allocation of human, hardware, and software resources. Tools are employed for real-time monitoring, providing usage insights that inform managerial decisions. The proposed framework strives to create a comprehensive approach to web application development that is both secure and well-managed. The implementation results demonstrate the proposed framework’s effectiveness in simplifying development, optimizing resources, and enhancing security for web applications. Furthermore, compared to the secure software development lifecycle (SSDLC) framework, it offers advantages in resource management and real-time monitoring, rendering it more comprehensive.
Pandu Bagus Diancaraka, Hermawan Setiawan, and Syafira Mardhiyah
AIP Publishing
Raden Budiarto Hadiprakoso, Hermawan Setiawan, Ray Novita Yasa, and Girinoto
AIP Publishing
Ihsan Fadli Tampati, I Komang Setia Buana, and Hermawan Setiawan
IEEE
As time progresses, there is growth in the population of internet users, resulting in a rise in digital threats. Among these dangers, the prominence of phishing attacks has become a significant cause for concern due to their increasing frequency. The latest report from the Anti-Phishing Working Group (APWG) stated that phishing attacks continued to increase from the third quarter of 2022 to the fourth quarter of 2022. This research contributes to reducing phishing attacks by providing convenience to the public in detecting phishing URLs through a secure mobile application. This study is the first to develop a secure mobile application for detecting phishing URLs using a deep learning-based detection method with the architecture of long short-term memory (LSTM) and gated recurrent unit (GRU). The application is developed using the secure software development lifecycle (SSDLC) agile scrum methodology. This method was selected due to the requirement for rapid and sustainable app development with potential threat mitigation. Threat mitigation is carried out through risk analysis, threat modeling, secure coding, and security testing. Based on the test results, the developed mobile application successfully mitigated 85.7% of potential threats, demonstrated robust security in its program code, and exhibited 98.1% precision in detecting phishing URLs.
Nathanael Berliano Novanka Putra, Girinoto Girinoto, Hermawan Setiawan, and Arizal Arizal
IEEE
In the current digital era, the security of official documents and digital signatures is becoming increasingly important to prevent the spread of false information or manipulated documents. This research aims to design, develop, and implement a web-based application that we call SIGNIN that addresses the issues of official document validity and digital signature security. The research methodology adopts a Secure RAD (Rapid Application Development) approach involving planning, system design, development, and implementation stages. In the system design stage, the STRIDE concept is used to identify and mitigate security threats in the application. This research shows that the SIGNIN application can provide an effective solution for managing digital signatures, verifying official documents, and enhancing the validity and integrity of records in a digital environment.
Olga Geby Nabila, Herlambang Rafli Wicaksono, Girinoto, Ray Novita Yasa, and Hermawan Setiawan
IEEE
Phishing is an attack that aims to obtain someone's credentials; one way it is carried out is by creating fake websites that ask users to submit their personal information. Phishing detection methods have been developed to deal with these attacks, one of which uses deep learning. The detection method here utilizes deep learning and focuses on detection based on the website's Uniform Resource Locator (URL). In similar studies, phishing website detection has been carried out based on website URLs, through image-based approaches using screenshots of website pages, or through a combination of the two. This research combined text and image features as input to deep learning algorithms to detect phishing websites. Text features were obtained from URLs, while image features were obtained from screenshots of web pages. Feature extraction processed URLs by textual arrangement using a bag of words and by finding the characteristics of URLs. The images were processed using transfer learning. This research used GRU, LSTM, and Inception V3 CNN transfer learning algorithms to create a model. The trained model achieved an accuracy of 98.2% for the combination of textual and image features, while the accuracy for textual features alone reached 98.8%.
Alya Aiman Salsabila Arif, Rahmat Purwoko, Nurul Qomariasih, and Hermawan Setiawan
IEEE
Data leakage affects confidentiality and integrity, which can harm various parties. According to OWASP (Open Web Application Security Project) research, SQL injection attacks rank first among the top web application vulnerabilities. Moreover, the website is directly connected to the database. SQL injection attacks are common on MySQL databases because they are generally more popular than other database systems. One of the efforts to detect and prevent SQL injection attacks is to use input categorization techniques and input verifiers based on the input. The application was developed using the Waterfall SDLC. The analysis is obtained from the test results using sqlmap and manual testing. This paper provides an overview of detection and prevention efforts with input categorization approaches and input verifiers based on the type of SQL injection attack. All applications without prevention and detection could be attacked, while applications with prevention and detection could not. This paper designs and develops a web application with and without SQL injection attack detection and prevention using input categorization and an input verifier. The results show that input categorization and input verification techniques can detect and prevent SQL injection attacks based on their type, including union-based SQL injection, error-based SQL injection, and blind SQL injection. Input categorization and an input verifier can be used in addition to an encrypted database.
Zidna Wildan Alfain, Hermawan Setiawan, and I Komang Setia Buana
IEEE
Some developed countries, such as America, Switzerland, and Norway, have not implemented an e-voting system. However, several countries have, such as Estonia, which implemented a centralized e-voting application. Now, an e-voting system can be implemented in a decentralized manner by utilizing blockchain and smart contracts. This paper presents a comparative study of centralized and decentralized e-voting applications. This study gives an overview of the features offered by each application and analyzes the performance, security, usability, and user experience of each application. The analysis was obtained from simulations and questionnaires for each application carried out by two groups of respondents. The questionnaires were distributed using a simple randomization technique and then analyzed using the tools provided by SUS. The results from security testing show that voting data in decentralized e-voting applications cannot be modified, while in centralized ones it can. Therefore, a decentralized e-voting application indicates a guarantee of the integrity of the stored data. However, there are still performance issues that are likely to be fixed in the near future.
Muhammad Irfan Cahyanto, Raden Budiarto Hadiprakoso, Hermawan Setiawan, and Nadia Paramita
IEEE
The final project is one of the processes for graduation from college studies. However, problems arising during supervision are the limited communication time and the difficulty of matching schedules between students and lecturers, so the frequency of offline meetings is reduced or even non-existent. We introduce a web-based final-year project system called FIPOS (FInal year PrOject System) to tackle these problems. FIPOS not only maintains communication between lecturers and students but also maintains the confidentiality of the final-year supervision process. Based on the OWASP Top 10 for 2021, SQL injection is still in the top 10. In applications using logins, SQL injection must be anticipated. Therefore, the development of FIPOS implements security using a two-factor authentication scheme that utilizes email, password, and a one-time passcode in the login process. It also implements secure coding to reduce the impact of SQL injection attacks. In addition, because FIPOS is an application that final-year students use often, its usefulness was tested with UAT at XYZ University. The results show that FIPOS can secure the login authentication process and protect data from SQL injection attacks, and that it is a useful application, obtaining a UAT value of 97.7%, which means that FIPOS runs well and is user-friendly.
Donny Irwansyah, I Komang Setia Buana, Hermawan Setiawan, and Andriani Adi Lestari
IEEE
Everyone in Indonesian society applies health protocols in their daily activities. Therefore, technology is needed to avoid the spread of the virus and to become a solution for facing the new normal era. One use of technology is to track attendance using a mobile platform. This method poses several problems in its implementation, such as poor authentication, abuse by other users, and difficulties in monitoring by teaching staff. This research builds an application to overcome these problems by utilizing Face Recognition, Disable Multi-Device, and Present Validation features. The application was developed on the Android platform using the Flutter framework and integrates two features: authentication and time for attendance validation. To measure the accuracy of the face recognition algorithm as an authentication factor, scenario testing was carried out on five aspects: camera quality, distance, light intensity, facial expressions, and image-taking position. The sample consisted of 40 respondents. The face recognition system is designed and implemented using the Flutter framework on the Android platform. The experimental results of the test scenarios are compared to verify face recognition and to measure the feasibility of this scheme.
Dikka Aditya Satria Wibawa, Hermawan Setiawan, and Girinoto
IEEE
The main objective of this research is to increase security awareness against phishing attacks in the education sector by teaching users about phishing URLs. The educational media was made based on references from several previous studies that were used as basic references. The anti-phishing game framework educational media was developed using the extended DPE framework. Participants in this study were vocational and college students in the technology field, with 30 respondents from each group. To assess the level of awareness and understanding of phishing, especially phishing URLs, participants were given a pre-test before playing the game and a post-test after completing it. A paired t-test was used to answer the research hypothesis. The results of the data analysis show a difference in respondents' identification of URL phishing before and after using the anti-phishing game framework educational media, indicating increased security awareness against URL phishing attacks. More serious game development can be carried out in the future to increase user awareness, particularly of phishing or other security issues, and can be implemented for general users who do not have a background in technology.
Ray Novita Yasa, I Komang Setia Buana, Girinoto, Hermawan Setiawan, and Raden Budiarto Hadiprakoso
IEEE
Privacy-Preserving Data Mining (PPDM) has become an exciting topic in recent decades due to the growing interest in big data and data mining. It is a technique for securing data while still preserving the privacy contained in it. This paper provides an alternative perturbation-based PPDM technique, carried out by modifying the RNP algorithm. The novelty of this paper lies in modifications to some steps of the method, each with a specific purpose. The first modification narrows the selection of the disturbance value, with the aim that the number of attributes replaced in each record is only as many as the attributes in the original data, no more and without needing to repeat; the second derives the perturbation function from the cumulative distribution function and uses it to find the probability distribution function, so that the selection of replacement data has a clear basis. The experimental results on twenty-five perturbed datasets show that the modified RNP algorithm balances data utility and security level by selecting the appropriate disturbance value and perturbation value. The level of security is measured using privacy metrics in the form of value difference, average transformation of data, and percentage of retains. The method presented in this paper is attractive for application to actual data that requires privacy preservation.
Intan Maratus Sholihah, Hermawan Setiawan, and Olga Geby Nabila
IEEE
Cyber attacks are a main focus in all countries globally, in both the private and public sectors. It is undeniable that every private and public sector has a significant role in the digital world and cybersecurity. This is a reason for every country to improve and develop cyber technology for both defense and attack. One of the solutions offered is to build a platform that can be used to share information in order to improve a coordinated and structured cybersecurity defense strategy. Data and information such as a list of attacks and threats can help stakeholders in each sector identify threats, attacks, and incidents in the cyber world. Therefore, this research develops a web-based Information Sharing and Analysis Center (ISAC) platform to collect information and view a list of attacks and threats in the cyber world. The list of attacks and threats is obtained through the Malware Information Sharing Platform (MISP). A two-factor authentication method is implemented on the login form in the development of the ISAC platform. Two-factor authentication is a method used to secure user data from attackers. The research method used in building this platform is Design Research Methodology (DRM) with a prototyping development method. The result of this study is an ISAC portal that can be used to share information and display a list of threats and attacks received from the MISP platform.
Riama Kristallia, Hermawan Setiawan, and Siti Manayra Sabiya
IEEE
Lack of developer knowledge of software security is one of the vulnerability factors in applications, especially web applications, so it is necessary to have educational media that can provide an understanding of software security awareness together with competency measurement. In this study, a hands-on vulnerable web application was designed as a medium for software security education. The application was developed using a design research methodology with a prototyping development method that produces two parts: the vulnerable application and the public application. Both applications were tested using functional testing, security testing, and achievement measurement. Functional and security test results show that the application runs according to the designed functionality and the security cases used. The achievement measurement shows that the mean value of the users' score is 3.86 out of 20, with an achievement total of 58 out of 300 and a standard deviation of 3.24. This is influenced by the diversity of basic competencies possessed by the users.
Hermawan Setiawan and Rico Setyawan
IOP Publishing
The development and growth of data is rapidly increasing, and it triggers development of storage technology, namely cloud storage. In this research, an implementation of the Lashkari et al. scheme and convergent encryption was carried out on a cloud application to provide a data confidentiality service and cloud storage space efficiency. Tests were conducted by comparing an application that implemented this scheme with an application that did not, under the same conditions. Based on statistically significant comparison results, the application that implements the scheme reduces storage space by 5% and takes less time for file uploads. Moreover, it can prevent attackers from obtaining data illegally by implementing convergent encryption.
Raden Budiarto Hadiprakoso, Hermawan Setiawan, and Girinoto
IEEE
Biometrics with facial recognition is now widely used. A face identification system should not only identify someone's face but also detect spoofing attempts with a printed face or a digital presentation. A straightforward spoofing prevention approach is to examine face liveness, such as eye blinking and lip movement. Nevertheless, this approach is helpless when dealing with video-based replay attacks. For this reason, this paper proposes a combined method of face liveness detection and a CNN (Convolutional Neural Network) classifier. The anti-spoofing method is designed with two modules: the blinking eye module, which evaluates eye openness and lip movement, and the CNN classifier module. The dataset for training our CNN classifier can come from a variety of publicly available sources. We combined these two modules sequentially and implemented them in a simple facial recognition application on the Android platform. The test results show that the module created can recognize various kinds of facial spoof attacks, such as those using posters, masks, or smartphones.
Hermawan Setiawan and Achmad Abdul Wafi
IEEE
In the world of education, knowing about the personality of students can help education providers determine the development of students. If a person's personality is known, we can of course identify the characteristics, thought patterns, feelings, and behaviors that make them unique. However, conventional personality assessment requires several resources, such as interpreters, space, and time, which tends to be long. A person's personality is certainly related to and will affect several linguistic aspects that they use, including word choice and word placement. Twitter is an internet-based social networking service that allows its users to express these linguistic aspects in sending and reading short messages. This study provides a solution to the problems of implementing conventional personality assessments, especially for the DISC personality type, by using Twitter to form a predictive model that applies the naive Bayes classifier method to classify the DISC personality types of Twitter users. We used 9,044 tweets from 70 Twitter accounts as training data to build a predictive model. Before forming and evaluating the model, tweets must go through a series of preprocessing stages. The evaluation of the model was carried out by comparing the classification results of the expert with the classification results of the model, giving a prediction accuracy of 76.19%.
Hermawan Setiawan, Lytio Enggar Erlangga, and Ido Baskoro
IEEE
Information and communication technology (ICT) security is one of the tasks of government agency X. The security of government ICT can be achieved by applying the principle of Security by Design. The Open Web Application Security Project (OWASP) publishes a list of the potential vulnerability risks that are most common in web applications. Security tests can be carried out by performing a vulnerability assessment. The risk assessment is a series of measures to identify and analyze possible security gaps in the systems of an organization or a company. The steps in the vulnerability assessment phase are target discovery, scanning, results analysis, and reporting. The IAST approach (Interactive Application Security Testing) is used for security tests using a vulnerability assessment. When developing a vulnerability analysis system using the IAST approach, Jenkins, the ZAP API, and SonarQube are used. The results of the vulnerability analysis are grouped based on the OWASP Top Ten 2017. Using the IAST approach, a total of 249 vulnerability risks were identified.
Girinoto, Hermawan Setiawan, Prasetyo Adi Wibowo Putro, and Yogha Restu Pramadi
IEEE
An experimental study of malware and benign classification from a Windows API call sequence dataset using a deep learning framework is presented. We conduct a series of modifications of Long Short-Term Memory (LSTM) and Bidirectional Long Short-Term Memory (BiLSTM) models. In the proposed architecture, the input sequence is split in half and each half is processed on a Siamese BiLSTM network. All three base models are treated equally with a series of modification scenarios such as callbacks, batch normalization, dropout, and an attention mechanism. The results of this experiment show that adding dropout and an attention mechanism improves on the baseline models. In addition, we find that our proposed architecture with dropout and an attention mechanism slightly outperforms the other models.
Hermawan Setiawan and Rafif Masrur Rauf
IEEE
The increasing number of Android-based smartphone users and the use of smartphones for electronic payments have led to the threat of shoulder surfing attacks that steal PINs and passwords. Various methods of preventing shoulder surfing have been created to keep PINs and passwords confidential, one of which is customizing the keyboard graphically, textually, and with patterns for entering passwords. Some of the existing methods lack complexity and security, and are impractical to use on their own. Therefore, a shoulder surfing prevention method was created using a multi-entry onscreen keyboard (meosk) model, which combines several textual authentication methods with an entry model technique in order to maximize usability and complexity. In this research, the multi-entry onscreen keyboard model was implemented in an Android-based mobile application to determine its level of security against shoulder surfing. Testing was done by simulating shoulder surfing attacks on the application that was built. The results show that the multi-entry onscreen keyboard model can prevent shoulder surfing attacks by combining several methods, and the results of the chi-square test were significant for all test variables.
Galih Wening Werdi Mukti and Hermawan Setiawan
IOP Publishing
Medical records consist of health data that must be kept confidential and are regulated in Indonesian law. Until now, the implementation of electronic medical records in Indonesia has not been clearly regulated in a law, while the Regulation of the Minister of Health of the Republic of Indonesia states that medical records must be made in writing, completely and clearly, or electronically. In view of this, an approach other than regulation is needed to meet the confidentiality requirements of the regulation in electronic form. In this study, an electronic medical record application was designed and built that can meet the requirements of the legislation. The application encrypts the patient's health data stored in medical records using the AES-256 algorithm for data confidentiality; AES-256 is standardized in Federal Information Processing Standards Publication 197. It uses the RSA digital signature because it is standardized in Federal Information Processing Standards Publication 186-4 and NIST Special Publication 800-89. The proposed application has passed security testing using six test cases based on the reference paper.
Ari Andriansah and Hermawan Setiawan
IEEE
The large number of startups has a big influence on the increase in online transactions, especially e-payment. However, the increase in the use of e-payments poses a number of threats and results in a decreased level of consumer confidence in e-payment. Therefore, in 2018 Daniel proposed a Signcryption scheme based on Conic Curve Cryptography which was stated to be able to fulfill the forward secrecy service that could reassure consumers, but it was still based only on mathematical calculations. In this study, the Signcryption scheme was implemented in an e-payment system on the Android platform. Implementation was carried out using the DRM methodology with a prototyping model approach. The e-payment system built consists of an e-payment application with merchant and customer actors and a bank application with bank admin actors. Based on the results of integration testing and system testing, the e-payment system (ePaSe) that was built fulfilled the design that had been made.
Dwi Jayanti and Hermawan Setiawan
IEEE
This research addresses the implementation of a mutual authentication with key agreement scheme for a centralized e-prescribing system to prevent illegal access to all data stored on the server. A two-way authentication process between the user and the server can prevent impersonation, whether carried out by users such as administrators, doctors and pharmacies or on the server side. Threats that can occur, such as accessing and reselling doctors' prescriptions, can be carried out by attackers disguising themselves as or impersonating a physician or pharmacy entity. In this research, the web-based e-prescribing system was developed using the Design Research Methodology (DRM) with WebML software development methods, and built using the JavaScript and PHP programming languages. The test results show that the e-prescribing system is resistant to user impersonation attacks.
Anggraeni Shinta Dewi and Hermawan Setiawan
IEEE
Almazrooie verified the digital Quran using three methods (SHA-256, RIPEMD-160, and hexadecimal compression), which produced three database tables. However, database security was not addressed. A hash value that is still stored in plaintext in the database can be changed by non-users. This vulnerability in the database can be solved by encrypting the hash value using AES-256. In this study, a Quran verification application was built using SHA-256 hash values encrypted with AES-256. Application development used a research experiment following the Design Research Methodology with WebML modeling. The result of the development is a digital mushaf verification system which passed web testing from Kundu (2012), user acceptance tests, and collision value tests.
Prasetyo Adi Wibowo Putro, Yoga Restu Pramadi, Hermawan Setiawan, Nur Kholis Gunawan, Raden Budiarto Hadiprakoso, and Herman Kabetta
IEEE
Hands-on learning is still one of the learning methods considered to support the achievement of learning competencies, especially in vocational education. In addition to learning methods, the achievement of competency levels is supported by motivation, but there are various types of motivation and constituent factors. Knowing the correlation between motivating factors and the achievement of competencies makes it easier to develop learning strategies. In this study, the correlation between motivation and competence achievement for the hands-on learning method is sought. The study was composed as a quantitative study with competency measurements using rubrics and motivation measurements using questionnaires. The study found that one factor forming intrinsic motivation supports the achievement of competence by about 62%.