发布求助
文献互助 智能选刊 最新文献

2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)最新文献

筛选
英文 中文
Security Risk Analysis of Multi-Stage Attacks based on Data Criticality 基于数据临界性的多阶段攻击安全风险分析
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2021-06-01 DOI: 10.1109/EnCyCriS52570.2021.00010
Charilaos Skandylas, Luyuan Zhou, Narges Khakpour, Simon Roe
{"title":"Security Risk Analysis of Multi-Stage Attacks based on Data Criticality","authors":"Charilaos Skandylas, Luyuan Zhou, Narges Khakpour, Simon Roe","doi":"10.1109/EnCyCriS52570.2021.00010","DOIUrl":"https://doi.org/10.1109/EnCyCriS52570.2021.00010","url":null,"abstract":"In recent years, it has become more challenging for organizations to assess the security risks of their assets properly, as more vulnerabilities are discovered, exploited, and weaponized. Further, attackers usually use complex multi-stage attack strategies to compromise a system and achieve their goals by exploiting several vulnerabilities. The number of affected assets and the strategy used to create the compromises by the threat actor will often dictate the costs and damages to the organization. When performing risk analysis, in addition to existing vulnerabilities, it is important, but often neglected, to consider the criticality of the data residing in the vulnerable asset. However, graphical threat modeling techniques often do not offer suitable tools for this type of analysis. In this paper, we propose a class of security risk metrics to estimate the cost of an attack that considers the criticality of data in addition to the dependencies among vulnerabilities. Our metrics are based on graphical modeling techniques in which we incorporate data criticality. We applied our approach to a real-life case study and obtained promising results.","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116082248","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
Understanding Developer Security Archetypes 理解开发人员安全原型
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2021-06-01 DOI: 10.1109/EnCyCriS52570.2021.00013
Ita Ryan, U. Roedig, Klaas-Jan Stol
{"title":"Understanding Developer Security Archetypes","authors":"Ita Ryan, U. Roedig, Klaas-Jan Stol","doi":"10.1109/EnCyCriS52570.2021.00013","DOIUrl":"https://doi.org/10.1109/EnCyCriS52570.2021.00013","url":null,"abstract":"As software systems penetrate our everyday lives, security has risen to be a key concern. Despite decades of research leading to new tools and practices for writing secure code, achieving security as a key attribute remains highly challenging. We observe that much of the literature considers developers to be homogeneous and interchangeable. The differing circumstances of developers that might play a role in the writing of secure code have not been clearly defined. In this position paper we introduce the concept of developer security archetypes. Specifically, we suggest two key factors: developers’ personal interest in security, and the support that developers receive from their environment. Together, these two dimensions define four archetypes which can be uniquely characterized. By distinguishing developer archetypes, we seek to better understand how developers perceive security-related issues in systems development, as well as how to better support them.","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125315036","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
A Systematic Literature Review on Malicious Use of Reinforcement Learning 关于恶意使用强化学习的系统文献综述
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2021-06-01 DOI: 10.1109/EnCyCriS52570.2021.00011
Torstein Meyer, Nektaria Kaloudi, Jingyue Li
{"title":"A Systematic Literature Review on Malicious Use of Reinforcement Learning","authors":"Torstein Meyer, Nektaria Kaloudi, Jingyue Li","doi":"10.1109/EnCyCriS52570.2021.00011","DOIUrl":"https://doi.org/10.1109/EnCyCriS52570.2021.00011","url":null,"abstract":"Since the inception of reinforcement learning (RL), there has been a growing interest in its application in various complex domains. Although these RL methods offer significant benefits of learning by their own experiences without an accurate system model, RL methods can also be used maliciously. This paper presents a systematic literature review of the state-of-the art RL-based cyberattacks to facilitate and motivate further research to address the potential RL misuse. We reviewed 30 recent primary papers and categorized them into (i) RL for attack planning, (ii) RL for performing intrusions, and (iii) RL for attack optimization. We also proposed an RL-based cyber attacks framework. Our insights on the status and limitations of the existing studies can help motivate related future studies.","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"287 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114187963","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Attack-driven Test Case Generation Approach using Model-checking Technique for Collaborating Systems 协作系统使用模型检查技术的攻击驱动测试用例生成方法
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2021-06-01 DOI: 10.1109/EnCyCriS52570.2021.00008
Zelalem Mihret, Lingjun Liu
{"title":"Attack-driven Test Case Generation Approach using Model-checking Technique for Collaborating Systems","authors":"Zelalem Mihret, Lingjun Liu","doi":"10.1109/EnCyCriS52570.2021.00008","DOIUrl":"https://doi.org/10.1109/EnCyCriS52570.2021.00008","url":null,"abstract":"The formal verification technique of model-checking can be used to derive test cases. This approach has become popular as it provides the capabilities of exhaustively exploring the state space of the modeled system and generates counterexamples for properties specified over the model. However, counterexamples only show states, transitions and the values of their parameters. In addition, its semantics are also dependent on input model specification languages and trace representation notations. In this paper, we present a focused test case generation approach from PAT model checker for collaborating systems. The focus is driven by specific and putative attack behaviours. To this end, we devised test specification rules/algorithm to translate counterexamples to test cases. The translation aims at reducing semantic gaps between counterexamples and the corresponding test cases. We assess the viability of the test cases generated from our approach by using JADE simulation framework for aircraft landing scenario in air traffic control domain.","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"34 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132789449","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
‘Under-reported’ Security Defects in Kubernetes Manifests Kubernetes中“未被报告的”安全缺陷
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2021-06-01 DOI: 10.1109/EnCyCriS52570.2021.00009
Dibyendu Brinto Bose, A. Rahman, Md. Shazibul Islam Shamim
{"title":"‘Under-reported’ Security Defects in Kubernetes Manifests","authors":"Dibyendu Brinto Bose, A. Rahman, Md. Shazibul Islam Shamim","doi":"10.1109/EnCyCriS52570.2021.00009","DOIUrl":"https://doi.org/10.1109/EnCyCriS52570.2021.00009","url":null,"abstract":"With the advent of the fourth industrial revolution, industry practitioners are moving towards container-based infrastructure for managing their digital workloads. Kubernetes, a container orchestration tool, is reported to help industry practitioners in automated management of cloud infrastructure and rapid deployment of software services. Despite reported benefits, Kubernetes installations are susceptible to security defects, as it occurred for Tesla in 2018. Understanding how frequently security defects appear in Kubernetes installations can help cybersecurity researchers to investigate security-related vulnerabilities for Kubernetes and generate security best practices to avoid them. In this position paper, we first quantify how frequently security defects appear in Kubernetes manifests, i.e., configuration files that are use to install and manage Kubernetes. Next, we lay out a list of future research directions that researchers can pursue.We apply qualitative analysis on 5,193 commits collected from 38 open source repositories and observe that 0.79% of the 5,193 commits are security-related. Based on our findings, we posit that security-related defects are under-reported and advocate for rigorous research that can systematically identify undiscovered security defects that exist in Kubernetes manifests. We predict that the increasing use of Kubernetes with unresolved security defects can lead to large-scale security breaches.","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115193611","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 9
Practitioner Perception of Vulnerability Discovery Strategies 从业者对漏洞发现策略的感知
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2021-06-01 DOI: 10.1109/EnCyCriS52570.2021.00014
Farzana Ahamed Bhuiyan, Justin Murphy, P. Morrison, A. Rahman
{"title":"Practitioner Perception of Vulnerability Discovery Strategies","authors":"Farzana Ahamed Bhuiyan, Justin Murphy, P. Morrison, A. Rahman","doi":"10.1109/EnCyCriS52570.2021.00014","DOIUrl":"https://doi.org/10.1109/EnCyCriS52570.2021.00014","url":null,"abstract":"The fourth industrial revolution envisions industry manufacturing systems to be software driven where mundane manufacturing tasks can be automated. As software is perceived as an integral part of this vision, discovering vulnerabilities is of paramount of importance so that manufacturing systems are secure. A categorization of vulnerability discovery strategies can inform practitioners on how to identify undiscovered vulnerabilities in software. Recently researchers have investigated and identified vulnerability discovery strategies used in open source software (OSS) projects. The efficacy of the derived strategy needs to be validated by obtaining feedback from practitioners. Such feedback can be helpful to assess if identified strategies are useful for practitioners and possible directions the derived vulnerability discovery strategies can be improvised. We survey 51 practitioners to assess if four vulnerability discovery strategies: diagnostics, malicious payload construction, misconfiguration, and pernicious execution can be used to identify undiscovered vulnerabilities. Practitioners perceive the strategies to be useful: for example, we observe 88% of the surveyed practitioners to agree that diagnostics could be used to discover vulnerabilities. Our work provides evidence of usefulness for the identified strategies.","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"40 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122440986","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Asset-driven Security Assurance Cases with Built-in Quality Assurance 资产驱动的安全保障案例,内置质量保证
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2021-06-01 DOI: 10.1109/EnCyCriS52570.2021.00012
Mazen Mohamad, Örjan Askerdal, Rodi Jolak, Jan-Philipp Steghöfer, R. Scandariato
{"title":"Asset-driven Security Assurance Cases with Built-in Quality Assurance","authors":"Mazen Mohamad, Örjan Askerdal, Rodi Jolak, Jan-Philipp Steghöfer, R. Scandariato","doi":"10.1109/EnCyCriS52570.2021.00012","DOIUrl":"https://doi.org/10.1109/EnCyCriS52570.2021.00012","url":null,"abstract":"Security Assurance Cases (SAC) are structured arguments and evidence bodies used to reason about security of a certain system. SACs are gaining focus in the automotive domain as the needs for security assurance are growing. In this study, we present an approach for creating SAC. The approach is inspired by the upcoming security standards ISO/SAE-21434 as well as the internal needs of automotive Original Equipment Manufacturers (OEMs). We created the approach by extracting relevant requirements from ISO/SAE-21434 and illustrated it using an example case of the head lamp items provided in the standard. We found that the approach is applicable and helps to satisfy the requirements for security assurance in the standard as well as the internal compliance needs in an automotive OEM.","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130016293","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
Message from the Workshop Committee 车间委员会的致辞
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2021-06-01 DOI: 10.1109/encycris52570.2021.00005
{"title":"Message from the Workshop Committee","authors":"","doi":"10.1109/encycris52570.2021.00005","DOIUrl":"https://doi.org/10.1109/encycris52570.2021.00005","url":null,"abstract":"","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133775884","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Title Page iii 第三页标题
2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) Pub Date : 2018-07-01 DOI: 10.1109/srdsw.2018.00002
{"title":"Title Page iii","authors":"","doi":"10.1109/srdsw.2018.00002","DOIUrl":"https://doi.org/10.1109/srdsw.2018.00002","url":null,"abstract":"","PeriodicalId":409275,"journal":{"name":"2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS)","volume":"150 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134482144","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信