{"title":"An Integrated Formal Approach to Usage Control","authors":"P. Bonatti, L. Sauro, M. Faella, Clemente Galdi","doi":"10.1109/SPW.2013.23","DOIUrl":"https://doi.org/10.1109/SPW.2013.23","url":null,"abstract":"Usage control enforcement is currently voluntary, due to a number of technical difficulties that cannot be addressed by means of purely cryptographic techniques. So, it is commonly argued that purely technical measures should be complemented by surveillance activities and sanctions prescribed by law. The effectiveness of such measures can-and should- be formally analyzed through game theoretic techniques. This paper introduces a framework that integrates both cryptographic techniques and a market model. We provide a first formal analysis of a simplified instance of the framework; it illustrates the integrated methodology and its potential applications, and raises some warnings about the effectiveness of naive approaches.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126938725","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Reporting Insider Threats via Covert Channels","authors":"David N. Muchene, Klevis Luli, Craig A. Shue","doi":"10.1109/SPW.2013.30","DOIUrl":"https://doi.org/10.1109/SPW.2013.30","url":null,"abstract":"Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computers systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packet and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"39 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133531557","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
W. T. Young, H. Goldberg, Alex Memory, James F. Sartain, T. Senator
{"title":"Use of Domain Knowledge to Detect Insider Threats in Computer Activities","authors":"W. T. Young, H. Goldberg, Alex Memory, James F. Sartain, T. Senator","doi":"10.1109/SPW.2013.32","DOIUrl":"https://doi.org/10.1109/SPW.2013.32","url":null,"abstract":"This paper reports the first set of results from a comprehensive set of experiments to detect realistic insider threat instances in a real corporate database of computer usage activity. It focuses on the application of domain knowledge to provide starting points for further analysis. Domain knowledge is applied (1) to select appropriate features for use by structural anomaly detection algorithms, (2) to identify features indicative of activity known to be associated with insider threat, and (3) to model known or suspected instances of insider threat scenarios. We also introduce a visual language for specifying anomalies across different types of data, entities, baseline populations, and temporal ranges. Preliminary results of our experiments on two months of live data suggest that these methods are promising, with several experiments providing area under the curve scores close to 1.0 and lifts ranging from ×20 to ×30 over random.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125145826","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Understanding Network Forensics Analysis in an Operational Environment","authors":"Elias Raftopoulos, X. Dimitropoulos","doi":"10.1109/SPW.2013.12","DOIUrl":"https://doi.org/10.1109/SPW.2013.12","url":null,"abstract":"The manual forensics investigation of security incidents is an opaque process that involves the collection and correlation of diverse evidence. In this work we conduct a complex experiment to expand our understanding of forensics analysis processes. During a period of four weeks we systematically investigated 200 detected security incidents about compromised hosts within a large operational network. We used data from four commonly-used security sources, namely Snort alerts, reconnaissance and vulnerability scanners, blacklists, and a search engine, to manually investigate these incidents. Based on our experiment, we first evaluate the (complementary) utility of the four security data sources and surprisingly find that the search engine provided useful evidence for diagnosing many more incidents than more traditional security sources, i.e., blacklists, reconnaissance and vulnerability reports. Based on our validation, we then identify and make available a list of 138 good Snort signatures, i.e., signatures that were effective in identifying validated malware without producing false positives. In addition, we compare the characteristics of good and regular signatures and highlight a number of differences. For example, we observe that good signatures check on average 2.14 times more bytes and 2.3 times more fields than regular signatures. Our analysis of Snort signatures is essential not only for configuring Snort, but also for establishing best practices and for teaching how to write new IDS signatures.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"175 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127471613","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Welcome to the world of human rights: please make yourself uncomfortable","authors":"Henry Corrigan-Gibbs, B. Ford","doi":"10.1109/SPW.2013.6915054","DOIUrl":"https://doi.org/10.1109/SPW.2013.6915054","url":null,"abstract":"We draw an ethical analogy between Internet freedom efforts and humanitarian aid work. This parallel motivates a number of ethical questions relating to anonymity and censorship-circumvention research.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127909729","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Quantitative Assessment of Risk Reduction with Cybercrime Black Market Monitoring","authors":"Luca Allodi, W. Shim, F. Massacci","doi":"10.1109/SPW.2013.16","DOIUrl":"https://doi.org/10.1109/SPW.2013.16","url":null,"abstract":"Cybercrime is notoriously maintained and empowered by the underground economy, manifested in black markets. In such markets, attack tools and vulnerability exploits are constantly traded. In this paper, we focus on making a quantitative assessment of the risk of attacks coming from such markets, and investigating the expected reduction in overall attacks against final users if, for example, vulnerabilities traded in the black markets were all to be promptly patched. In order to conduct the analysis, we mainly use the data on (a) vulnerabilities bundled in 90+ attack tools traded in the black markets collected by us; (b) actual records of 9 × 107 attacks collected from Symantec's Data Sharing Programme WINE. Our results illustrate that black market vulnerabilities are an important source of risk for the population of users; we further show that vulnerability mitigation strategies based on black markets monitoring may outperform traditional strategies based on vulnerability CVSS scores by providing up to 20% more expected reduction in attacks.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"45 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127924340","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Differentiating User Authentication Graphs","authors":"A. Kent, L. Liebrock, James Wernicke","doi":"10.22667/JOWUA.2014.06.31.024","DOIUrl":"https://doi.org/10.22667/JOWUA.2014.06.31.024","url":null,"abstract":"Authentication using centralized methods is a primary trust mechanism within most large-scale, enterprise computer networks. This paper proposes using graphs to represent user authentication activity within the network. Using this mechanism over a real enterprise network dataset, we find that non-privileged users and users with system administration privileges have distinguishable graph attributes in terms of size and complexity. In addition, we find that user authentication graphs provide intuitive insights into network user behavior. We believe that understanding these differences in even greater detail will lead to improved user behavior profiling and the elusive detection of authentication credential misuse.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133428696","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Steganography in OFDM Symbols of Fast IEEE 802.11n Networks","authors":"S. Grabski, K. Szczypiorski","doi":"10.1109/SPW.2013.20","DOIUrl":"https://doi.org/10.1109/SPW.2013.20","url":null,"abstract":"This paper presents a proposal of covert steganographic channels in high-speed IEEE 802.11n networks. The method is based on the modification of cyclic prefixes in OFDM (Orthogonal Frequency-Division Multiplexing) symbols. This proposal provides the highest hidden transmission known in the state of the art. This paper includes theoretical analysis and simulation results of the presented steganographic system performance. The simulation performance was compared with other known approaches in the literature.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"42 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123378093","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Ethics in security research which lines should not be crossed?","authors":"S. Schrittwieser, M. Mulazzani, E. Weippl","doi":"10.1109/SPW.2013.6914700","DOIUrl":"https://doi.org/10.1109/SPW.2013.6914700","url":null,"abstract":"Recently, several research papers in the area of information security were published that may or may not be considered unethical. Looking at these borderline cases is relevant as today's research papers will influence how young researchers conduct their research. In this paper we discuss fundamental ethical principles and their role in recent literature.We argue that the establishment of ethical guidelines or frameworks without prior discussion and consensus in the research community probably would not lead to clarity on which lines in academic research should not be crossed.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"24 3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123654491","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"How Usage Control and Provenance Tracking Get Together - A Data Protection Perspective","authors":"C. Bier","doi":"10.1109/SPW.2013.24","DOIUrl":"https://doi.org/10.1109/SPW.2013.24","url":null,"abstract":"These days, sensitive and personal information is used within a wide range of applications. The exchange of this information is increasingly faster and more and more unpredictable. Hence, the person concerned cannot determine what happens with his personal data after it has been released. It is highly intransparent who is accountable for data misuse. Usage control and provenance tracking are two different approaches to tackle this problem. This work compares the two concepts from a data protection perspective. The support and fulfillment of data protection requirements are analysed. Models and architectures are investigated for commonalities. Combining the two technologies can increase flexibility and effectiveness of provenance tracking and thereby enhance information accountability in practice, if resulting linkability drawbacks are properly handled. A joint architecture is proposed to support this insight.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"48 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124422312","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
