Symposium and Bootcamp on the Science of Security最新文献

筛选
英文 中文
Evidence-based trust reasoning 基于证据的信任推理
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600193
Jingwei Huang, D. Nicol
{"title":"Evidence-based trust reasoning","authors":"Jingwei Huang, D. Nicol","doi":"10.1145/2600176.2600193","DOIUrl":"https://doi.org/10.1145/2600176.2600193","url":null,"abstract":"Trust is a necessary component in cybersecurity. It is a common task for a system to make a decision about whether or not to trust the credential of an entity from another domain, issued by a third party. Generally, in the cyberspace, connected and interacting systems largely rely on each other with respect to security, privacy, and performance. In their interactions, one entity or system needs to trust others, and this \"trust\" frequently becomes a vulnerability of that system. Aiming at mitigating the vulnerability, we are developing a computational theory of trust, as a part of our efforts towards Science of Security. Previously, we developed a formal-semantics-based calculus of trust [3, 2], in which trust can be calculated based on a trustor's direct observation on the performance of the trustee, or based on a trust network. In this paper, we construct a framework for making trust reasoning based on the observed evidence. We take privacy in cloud computing as a driving application case [5].","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131976999","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Preemptive intrusion detection 抢占式入侵检测
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600197
Phuong Cao, Key-whan Chung, Z. Kalbarczyk, R. Iyer, A. Slagell
{"title":"Preemptive intrusion detection","authors":"Phuong Cao, Key-whan Chung, Z. Kalbarczyk, R. Iyer, A. Slagell","doi":"10.1145/2600176.2600197","DOIUrl":"https://doi.org/10.1145/2600176.2600197","url":null,"abstract":"This paper presents a system named SPOT to achieve high accuracy and preemptive detection of attacks. We use security logs of real-incidents that occurred over a six-year period at National Center for Supercomputing Applications (NCSA) to evaluate SPOT. Our data consists of attacks that led directly to the target system being compromised, i.e., not detected in advance, either by the security analysts or by intrusion detection systems. Our approach can detect 75 percent of attacks as early as minutes to tens of hours before attack payloads are executed.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132419892","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 6
An analysis method for medical device security 医疗器械安全性分析方法
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600192
A. Ray, R. Cleaveland
{"title":"An analysis method for medical device security","authors":"A. Ray, R. Cleaveland","doi":"10.1145/2600176.2600192","DOIUrl":"https://doi.org/10.1145/2600176.2600192","url":null,"abstract":"This paper is a proposal for a poster. In it we describe a medical device security approach that researchers at Fraunhofer used to analyze different kinds of medical devices for security vulnerabilities. These medical devices were provided to Fraunhofer by a medical device manufacturer whose name we cannot disclose due to non-disclosure agreements.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"57 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130839070","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Trustworthy context-dependent services 可信的依赖于上下文的服务
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600196
N. Ibrahim
{"title":"Trustworthy context-dependent services","authors":"N. Ibrahim","doi":"10.1145/2600176.2600196","DOIUrl":"https://doi.org/10.1145/2600176.2600196","url":null,"abstract":"With the wide popularity of Cloud Computing, Service-oriented Computing is becoming the de-facto approach for the development of distributed systems. This has introduced the issue of trustworthiness with respect to the services being provided. Service Requesters are provided with a wide range of services that they can select from. Usually the service requester compare between these services according to their cost and quality. One essential part of the quality of a service is the trustworthiness properties of such services. Traditional service models focuses on service functionalities and cost when defining services. This paper introduces a new service model that extends traditional service models to support trustworthiness properties.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132536307","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Architecture-based self-protection: composing and reasoning about denial-of-service mitigations 基于体系结构的自我保护:关于拒绝服务缓解的组合和推理
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600181
B. Schmerl, J. Cámara, Jeffrey Gennari, D. Garlan, P. Casanova, Gabriel A. Moreno, Thomas J. Glazier, Jeffrey M. Barnes
{"title":"Architecture-based self-protection: composing and reasoning about denial-of-service mitigations","authors":"B. Schmerl, J. Cámara, Jeffrey Gennari, D. Garlan, P. Casanova, Gabriel A. Moreno, Thomas J. Glazier, Jeffrey M. Barnes","doi":"10.1145/2600176.2600181","DOIUrl":"https://doi.org/10.1145/2600176.2600181","url":null,"abstract":"Security features are often hardwired into software applications, making it difficult to adapt security responses to reflect changes in runtime context and new attacks. In prior work, we proposed the idea of architecture-based self-protection as a way of separating adaptation logic from application logic and providing a global perspective for reasoning about security adaptations in the context of other business goals. In this paper, we present an approach, based on this idea, for combating denial-of-service (DoS) attacks. Our approach allows DoS-related tactics to be composed into more sophisticated mitigation strategies that encapsulate possible responses to a security problem. Then, utility-based reasoning can be used to consider different business contexts and qualities. We describe how this approach forms the underpinnings of a scientific approach to self-protection, allowing us to reason about how to make the best choice of mitigation at runtime. Moreover, we also show how formal analysis can be used to determine whether the mitigations cover the range of conditions the system is likely to encounter, and the effect of mitigations on other quality attributes of the system. We evaluate the approach using the Rainbow self-adaptive framework and show how Rainbow chooses DoS mitigation tactics that are sensitive to different business contexts.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122226619","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 53
Log your CRUD: design principles for software logging mechanisms 记录您的CRUD:软件日志机制的设计原则
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600183
J. King, L. Williams
{"title":"Log your CRUD: design principles for software logging mechanisms","authors":"J. King, L. Williams","doi":"10.1145/2600176.2600183","DOIUrl":"https://doi.org/10.1145/2600176.2600183","url":null,"abstract":"According to a 2011 survey in healthcare, the most commonly reported breaches of protected health information involved employees snooping into medical records of friends and relatives. Logging mechanisms can provide a means for forensic analysis of user activity in software systems by proving that a user performed certain actions in the system. However, logging mechanisms often inconsistently capture user interactions with sensitive data, creating gaps in traces of user activity. Explicit design principles and systematic testing of logging mechanisms within the software development lifecycle may help strengthen the overall security of software. The objective of this research is to observe the current state of logging mechanisms by performing an exploratory case study in which we systematically evaluate logging mechanisms by supplementing the expected results of existing functional black-box test cases to include log output. We perform an exploratory case study of four open-source electronic health record (EHR) logging mechanisms: OpenEMR, OSCAR, Tolven eCHR, and WorldVistA. We supplement the expected results of 30 United States government-sanctioned test cases to include log output to track access of sensitive data. We then execute the test cases on each EHR system. Six of the 30 (20%) test cases failed on all four EHR systems because user interactions with sensitive data are not logged. We find that viewing protected data is often not logged by default, allowing unauthorized views of data to go undetected. Based on our results, we propose a set of principles that developers should consider when developing logging mechanisms to ensure the ability to capture adequate traces of user activity.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"42 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122230877","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 16
Characterizing the power of moving target defense via cyber epidemic dynamics 通过网络流行动力学表征移动目标防御的力量
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600180
Yujuan Han, Wenlian Lu, Shouhuai Xu
{"title":"Characterizing the power of moving target defense via cyber epidemic dynamics","authors":"Yujuan Han, Wenlian Lu, Shouhuai Xu","doi":"10.1145/2600176.2600180","DOIUrl":"https://doi.org/10.1145/2600176.2600180","url":null,"abstract":"Moving Target Defense (MTD) can enhance the resilience of cyber systems against attacks. Although there have been many MTD techniques, there is no systematic understanding and quantitative characterization of the power of MTD. In this paper, we propose to use a cyber epidemic dynamics approach to characterize the power of MTD. We define and investigate two complementary measures that are applicable when the defender aims to deploy MTD to achieve a certain security goal. One measure emphasizes the maximum portion of time during which the system can afford to stay in an undesired configuration (or posture), without considering the cost of deploying MTD. The other measure emphasizes the minimum cost of deploying MTD, while accommodating that the system has to stay in an undesired configuration (or posture) for a given portion of time. Our analytic studies lead to algorithms for optimally deploying MTD.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115079443","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 51
Type-specific languages to fight injection attacks 特定于类型的语言来对抗注入攻击
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600194
Darya Kurilova, Cyrus Omar, L. Nistor, Benjamin Chung, A. Potanin, Jonathan Aldrich
{"title":"Type-specific languages to fight injection attacks","authors":"Darya Kurilova, Cyrus Omar, L. Nistor, Benjamin Chung, A. Potanin, Jonathan Aldrich","doi":"10.1145/2600176.2600194","DOIUrl":"https://doi.org/10.1145/2600176.2600194","url":null,"abstract":"Injection vulnerabilities have topped rankings of the most critical web application vulnerabilities for several years [1, 2]. They can occur anywhere where user input may be erroneously executed as code. The injected input is typically aimed at gaining unauthorized access to the system or to private information within it, corrupting the system's data, or disturbing system availability. Injection vulnerabilities are tedious and difficult to prevent.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"34 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121311353","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
A new approach to modeling and analyzing security of networked systems 一种网络系统安全建模与分析的新方法
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600184
Gaofeng Da, Maochao Xu, Shouhuai Xu
{"title":"A new approach to modeling and analyzing security of networked systems","authors":"Gaofeng Da, Maochao Xu, Shouhuai Xu","doi":"10.1145/2600176.2600184","DOIUrl":"https://doi.org/10.1145/2600176.2600184","url":null,"abstract":"Modeling and analyzing security of networked systems is an important problem in the emerging Science of Security and has been under active investigation. In this paper, we propose a new approach towards tackling the problem. Our approach is inspired by the shock model and random environment techniques in the Theory of Reliability, while accommodating security ingredients. To the best of our knowledge, our model is the first that can accommodate a certain degree of adaptiveness of attacks, which substantially weakens the often-made independence and exponential attack inter-arrival time assumptions. The approach leads to a stochastic process model with two security metrics, and we attain some analytic results in terms of the security metrics.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"64 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127529936","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 25
Modeling and sensing risky user behavior on mobile devices 在移动设备上建模和感知危险的用户行为
Symposium and Bootcamp on the Science of Security Pub Date : 2014-04-08 DOI: 10.1145/2600176.2600209
Qianting Liu, Juhee Bae, Benjamin Watson, A. McLaughlin, W. Enck
{"title":"Modeling and sensing risky user behavior on mobile devices","authors":"Qianting Liu, Juhee Bae, Benjamin Watson, A. McLaughlin, W. Enck","doi":"10.1145/2600176.2600209","DOIUrl":"https://doi.org/10.1145/2600176.2600209","url":null,"abstract":"As mobile technology begins to dominate computing, understanding how their use impacts security becomes increasingly important. Fortunately, this challenge is also an opportunity: the rich set of sensors with which most mobile devices are equipped provide a rich contextual dataset, one that should enable mobile user behavior to be modeled well enough to predict when users are likely to act insecurely, and provide cognitively grounded explanations of those behaviors. We will evaluate this hypothesis with a series of experiments designed first to confirm that mobile sensor data can reliably predict user stress, and that users experiencing such stress are more likely to act insecurely.","PeriodicalId":193860,"journal":{"name":"Symposium and Bootcamp on the Science of Security","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121757016","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信