发布求助
文献互助 智能选刊 最新文献

International journal of secure software engineering最新文献

筛选
英文 中文
Optimal Voting Strategy against Random and Targeted Attacks 针对随机和目标攻击的最优投票策略
International journal of secure software engineering Pub Date : 2013-10-01 DOI: 10.4018/ijsse.2013100102
Li Wang, Zheng Li, Shangping Ren, K. Kwiat
{"title":"Optimal Voting Strategy against Random and Targeted Attacks","authors":"Li Wang, Zheng Li, Shangping Ren, K. Kwiat","doi":"10.4018/ijsse.2013100102","DOIUrl":"https://doi.org/10.4018/ijsse.2013100102","url":null,"abstract":"Replication and value selection through voting are commonly used approaches to tolerating naturally caused failures. Without considering intentionally introduced failures, such as failures caused by attacks, having more replication or residency often makes the system more reliable. However, when both the reliability of individual replicas and the existence of attackers are taken into consideration, the number of replicas that participate in a voting process has significant impact on system reliability. In this paper, the authors study the problem of deciding the optimal number of participating voters that maximizes the reliability of voting results under two different types of attacks, i.e., random attack and targeted attack, and develop algorithms to find the optimal voting strategy. A set of experiments are performed to illustrate how the optimal voting strategy varies under different system settings and how the number of voting participants affects the system's reliability.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"69 1","pages":"25-46"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"75239515","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Semi-Automatic Annotation of Natural Language Vulnerability Reports 自然语言漏洞报告的半自动标注
International journal of secure software engineering Pub Date : 2013-07-01 DOI: 10.4018/JSSE.2013070102
Yan Wu, R. Gandhi, Harvey P. Siy
{"title":"Semi-Automatic Annotation of Natural Language Vulnerability Reports","authors":"Yan Wu, R. Gandhi, Harvey P. Siy","doi":"10.4018/JSSE.2013070102","DOIUrl":"https://doi.org/10.4018/JSSE.2013070102","url":null,"abstract":"Those who do not learn from past vulnerabilities are bound to repeat it. Consequently, there have been several research efforts to enumerate and categorize software weaknesses that lead to vulnerabilities. The Common Weakness Enumeration CWE is a community developed dictionary of software weakness types and their relationships, designed to consolidate these efforts. Yet, aggregating and classifying natural language vulnerability reports with respect to weakness standards is currently a painstaking manual effort. In this paper, the authors present a semi-automated process for annotating vulnerability information with semantic concepts that are traceable to CWE identifiers. The authors present an information-processing pipeline to parse natural language vulnerability reports. The resulting terms are used for learning the syntactic cues in these reports that are indicators for corresponding standard weakness definitions. Finally, the results of multiple machine learning algorithms are compared individually as well as collectively to semi-automatically annotate new vulnerability reports.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"472 1","pages":"18-41"},"PeriodicalIF":0.0,"publicationDate":"2013-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76359216","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 3
Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment 利用资产流和处理器部署引出信息系统的安全需求
International journal of secure software engineering Pub Date : 2013-07-01 DOI: 10.4018/jsse.2013070103
H. Kaiya, Junya Sakai, Shinpei Ogata, K. Kaijiri
{"title":"Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment","authors":"H. Kaiya, Junya Sakai, Shinpei Ogata, K. Kaijiri","doi":"10.4018/jsse.2013070103","DOIUrl":"https://doi.org/10.4018/jsse.2013070103","url":null,"abstract":"The authors cannot comprehensively determine all of the vulnerabilities to an attack only from requirements descriptions. To resolve the problem, the authors propose a method for eliciting security requirements using the information about system architecture. The authors convert a use-case description into a variation of a data flow diagram called an asset-flow diagram AFD. The authors then refine the AFDs based on a processor deployment diagram PDD, which gives information about a system architecture. By using vulnerabilities patterns to an attack, the authors distinguish vulnerabilities to the attack that can be identifiable in AFDs from remaining vulnerabilities to the attack. To prohibit the former vulnerabilities, security requirements are defined as countermeasures and/or modification of existing requirements. To prevent the latter vulnerabilities, security requirements are defined as design and implementation constraints. Through an evaluation of a web application, the authors show that our method enables us to elicit security requirements against several different attacks in different system architectures.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"46 1","pages":"42-63"},"PeriodicalIF":0.0,"publicationDate":"2013-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82668185","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Assessing the Value of Formal Control Mechanisms on Strong Password Selection 评估形式控制机制对强密码选择的价值
International journal of secure software engineering Pub Date : 2013-07-01 DOI: 10.4018/jsse.2013070101
J. Crawford
{"title":"Assessing the Value of Formal Control Mechanisms on Strong Password Selection","authors":"J. Crawford","doi":"10.4018/jsse.2013070101","DOIUrl":"https://doi.org/10.4018/jsse.2013070101","url":null,"abstract":"Applications often use behavior control mechanisms in order to ensure that individuals create sufficiently strong passwords. Behavior controls, which force individuals to utilize specific password characteristics, are assumed to be the best mechanism to encourage strong password creation. However, an over reliance on them could lead to counterproductive security behaviors. This study examines the efficacy of formal controls in the password creation process to determine if their use does indeed result in meaningfully stronger passwords than informal control techniques. Findings demonstrate that controls used during the password creation process do indeed shape password strength, but that behavior controls do not produce significantly stronger passwords than informal controls. Using an Agency Theory perspective, control techniques are considered in their ability to align principal-agent goal and risk perceptions. Findings illustrate the importance of using both informal and formal controls as a means of creating strong and effective passwords.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"151 1","pages":"1-17"},"PeriodicalIF":0.0,"publicationDate":"2013-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77588954","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 3
Mean Failure Cost as a Measurable Value and Evidence of Cybersecurity: E-Learning Case Study 平均故障成本作为网络安全的可测量值与证据:电子学习案例研究
International journal of secure software engineering Pub Date : 2013-07-01 DOI: 10.4018/jsse.2013070104
N. Rjaibi, Latifa Ben Arfa Rabai, Anis Ben Aissa, A. Mili
{"title":"Mean Failure Cost as a Measurable Value and Evidence of Cybersecurity: E-Learning Case Study","authors":"N. Rjaibi, Latifa Ben Arfa Rabai, Anis Ben Aissa, A. Mili","doi":"10.4018/jsse.2013070104","DOIUrl":"https://doi.org/10.4018/jsse.2013070104","url":null,"abstract":"Addressing Cybersecurity within e-Learning systems becomes empowered to make online information more secure. Certain competences need to be identified as necessary skills to manage security online such the ability to assess sources and architectural components, understanding the privacy, confidentiality and user authentication. Security management approaches quantifying security threats in e-learning are common with other e-services. It is of our need to adopt a quantitative security risk management process in order to determine the worthiest attack and the ignored one, based on financial business risk measure which is the measure of the mean failure cost.This paper proposes a cyber security measure called the Mean Failure Cost MFC suitable for e-Learning systems. It is based on the identification of system's architecture, the well-defined classes of stakeholders, the list of possible threats and vulnerabilities and the specific security requirements related to e-Learning systems and applications. In the mean time, security requirements are considered as appropriate mechanisms for preventing, detecting and recovering security attacks, for this reason an extension of the MFC measure is presented in order to detect the most critical security requirements. Also this paper highlights the security measures and guidelines for controlling e-Learning security policies regarding the most critical security requirements.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"PP 1","pages":"64-81"},"PeriodicalIF":0.0,"publicationDate":"2013-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"84871647","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 9
Threat Representation Methods for Composite Service Process Models 组合服务过程模型的威胁表示方法
International journal of secure software engineering Pub Date : 2013-04-01 DOI: 10.4018/jsse.2013040101
P. H. Meland, Erlend Andreas Gjære
{"title":"Threat Representation Methods for Composite Service Process Models","authors":"P. H. Meland, Erlend Andreas Gjære","doi":"10.4018/jsse.2013040101","DOIUrl":"https://doi.org/10.4018/jsse.2013040101","url":null,"abstract":"The Business Process Modeling Notation (BPMN) has become a popular standard for expressing high level business processes as well as technical specifications for software systems. However, the specification does not contain native support to express security information, which should not be overlooked in today’s world where every organization is exposed to threats and has assets to protect. Although a substantial amount of work enhancing BPMN 1.x with security related information already exists, the opportunities provided by version 2.0 have not received much attention in the security community so far. This paper gives an overview of security in BPMN and investigates several possibilities of representing threats in BPMN 2.0, in particular for design-time specification and runtime execution of composite services with dynamic behavior. Enriching BPMN with threat information enables a process-centric threat modeling approach that complements risk assessment and attack scenarios. We have included examples showing the use of error events, escalation events and text annotations for process, collaboration, choreography and conversation diagrams.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"199 1","pages":"1-18"},"PeriodicalIF":0.0,"publicationDate":"2013-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87170789","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 6
A Taxonomy Built on Layers of Abstraction for Time and State Vulnerabilities 基于时间和状态漏洞抽象层的分类法
International journal of secure software engineering Pub Date : 2013-04-01 DOI: 10.4018/jsse.2013040103
Horia V. Corcalciuc
{"title":"A Taxonomy Built on Layers of Abstraction for Time and State Vulnerabilities","authors":"Horia V. Corcalciuc","doi":"10.4018/jsse.2013040103","DOIUrl":"https://doi.org/10.4018/jsse.2013040103","url":null,"abstract":"Software classifications have been created before with the purpose of keeping track of attack patterns as well as providing a history for the various vulnerable software packages. This article focuses on one single class of such attacks, conventionally known as “Time and State†attacks. The authors offer a more fine-grained analysis of the anatomy of such attacks. They reason about vulnerabilities by using “swimlane†diagrams which are loosely derived from UML diagrams, annotated with semantics of concurrent programming, such as the notions of traces and stability. The authors offer a taxonomy based on abstraction layers, implying thereby some form of tree hierarchy where vulnerabilities inherit properties from the upper abstract layers and share code-level flaws on the lower layers. That allows them to classify attacks by what they share in common, which is a different approach than other related classification attempts.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"21 1","pages":"40-66"},"PeriodicalIF":0.0,"publicationDate":"2013-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89651864","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Mitigating Type Confusion on Java Card 减轻Java卡上的类型混淆
International journal of secure software engineering Pub Date : 2013-04-01 DOI: 10.4018/jsse.2013040102
Jean Dubreuil, Guillaume Bouffard, Bhagyalekshmy N. Thampi, Jean-Louis Lanet
{"title":"Mitigating Type Confusion on Java Card","authors":"Jean Dubreuil, Guillaume Bouffard, Bhagyalekshmy N. Thampi, Jean-Louis Lanet","doi":"10.4018/jsse.2013040102","DOIUrl":"https://doi.org/10.4018/jsse.2013040102","url":null,"abstract":"One of the challenges for smart card deployment is the security interoperability. A smart card resistant to an attack on a given platform should be able to guarantee the same behavior on another platform. But the current implementations do not comply with this requirement. In order to improve such standardization we propose a framework based on annotations with an external pre-processing to switch the Java Card Virtual Machine (JCVM) into a secure mode by activating a set of countermeasures. An example has been proposed in this paper for implementing a countermeasure against type confusion with a fault attack. Smart cards are often the target of software, hardware or combined attacks. In recent days most of the attacks are based on fault injection which can modify the behavior of applications loaded onto the card, changing them into mutant applications. This countermeasure requires a transformation of the original program byte codes which remain semantically equivalent. It needs a modification of the JCVM which stays backward compatible and a dedicated framework to deploy these applications. Thus, the proposed platform can resist to a fault enabled mutant.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"47 1","pages":"19-39"},"PeriodicalIF":0.0,"publicationDate":"2013-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87260054","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 14
Analyzing Human Factors for an Effective Information Security Management System 分析有效信息安全管理体系的人为因素
International journal of secure software engineering Pub Date : 2013-01-01 DOI: 10.4018/JSSE.2013010104
Reza Alavi, Shareeful Islam, H. Jahankhani, Ameer Al-Nemrat
{"title":"Analyzing Human Factors for an Effective Information Security Management System","authors":"Reza Alavi, Shareeful Islam, H. Jahankhani, Ameer Al-Nemrat","doi":"10.4018/JSSE.2013010104","DOIUrl":"https://doi.org/10.4018/JSSE.2013010104","url":null,"abstract":"","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"26 1","pages":"50-74"},"PeriodicalIF":0.0,"publicationDate":"2013-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74077747","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
Principles and Measurement Models for Software Assurance 软件保证的原理和度量模型
International journal of secure software engineering Pub Date : 2013-01-01 DOI: 10.4018/JSSE.2013010101
N. Mead, D. Shoemaker, Carol Woody
{"title":"Principles and Measurement Models for Software Assurance","authors":"N. Mead, D. Shoemaker, Carol Woody","doi":"10.4018/JSSE.2013010101","DOIUrl":"https://doi.org/10.4018/JSSE.2013010101","url":null,"abstract":"Ensuring and sustaining software product integrity requires that all project stakeholders share a common understanding of the status of the product throughout the development and sustainment processes. Accurately measuring the product’s status helps achieve this shared understanding. This paper presents an effective measurement model organized by seven principles that capture the fundamental managerial and technical concerns of development and sustainment. These principles guided the development of the measures presented in the paper. Data from the quantitative measures help organizational stakeholders make decisions about the performance of their overall software assurance processes. Complementary risk-based data help them make decisions relative to the assessment of risk. The quantitative and risk-based measures form a comprehensive model to assess program and organizational performance. An organization using this model will be able to assess its performance to ensure secure and trustworthy products.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"278 1","pages":"1-10"},"PeriodicalIF":0.0,"publicationDate":"2013-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77577648","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 3
首页 上一页 下一页 尾页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信