82,366 research outputs found
Handling Policy Conflicts in Call Control
Policies are becoming increasingly important in modern computer systems as a mechanism for end users and organisations to exhibit a level of control over software. Policies have long been established as an effective mechanism for enabling appropriate access control over resources, and for enforcing security considerations. However they are now becoming valued as a more general management mechanism for large-scale heterogeneous systems, including those exhibiting adaptive or autonomic behaviour. In the telecommunications domain, features have been widely used to provide users with (limited) control over calls. However, features have the disadvantage that they are low-level and implementation-oriented in nature. Furthermore, apart from limited parameterisation of some features, they tend to be very inflexible. Policies, in contrast, have the potential to be much higher-level, goaloriented, and very flexible. This paper presents an architecture and its realisation for distributed and hierarchical policies within the telecommunications domain. The work deals with the important issue of policy conflict – the analogy of feature interaction
Recommended from our members
Capability-based access control for cyber physical systems
Cyber Physical Systems (CPS)
couple digital systems with the physical environment, creating
technical, usability, and economic security challenges beyond those of
information systems. Their distributed and
hierarchical nature, real-time and safety-critical requirements, and limited
resources create new vulnerability classes and severely constrain the security
solution space. This dissertation explores these challenges, focusing on
Industrial Control Systems (ICS), but demonstrating broader applicability to
the whole domain.
We begin by systematising the usability and economic challenges to secure ICS.
We fingerprint and track more than 10\,000 Internet-connected devices over four years and show
the population is growing, continuously-connected, and unpatched. We then
explore adversarial interest in this vulnerable population. We track 150\,000
botnet hosts, sift 70 million underground forum posts, and perform the
largest ICS honeypot study to date to demonstrate that the cybercrime community
has little competence or interest in the domain. We show that the current
heterogeneity, cost, and level of expertise required for large-scale attacks on
ICS are economic deterrents when targets in the IoT domain are
available.
The ICS landscape is changing, however, and we demonstrate the imminent
convergence with the IoT domain as inexpensive hardware, commodity operating
Cyber Physical Systems (CPS) couple digital systems with the physical environment, creating technical, usability, and economic security challenges beyond those of information systems. Their distributed and hierarchical nature, real-time and safety-critical requirements, and limited resources create new vulnerability classes and severely constrain the security solution space. This dissertation explores these challenges, focusing on Industrial Control Systems (ICS), but demonstrating broader applicability to the whole domain.
We begin by systematising the usability and economic challenges to secure ICS. We fingerprint and track more than 10,000 Internet-connected devices over four years and show the population is growing, continuously-connected, and unpatched. We then explore adversarial interest in this vulnerable population. We track 150,000 botnet hosts, sift 70 million underground forum posts, and perform the largest ICS honeypot study to date to demonstrate that the cybercrime community has little competence or interest in the domain. We show that the current heterogeneity, cost, and level of expertise required for large-scale attacks on ICS are economic deterrents when targets in the IoT domain are available.
The ICS landscape is changing, however, and we demonstrate the imminent convergence with the IoT domain as inexpensive hardware, commodity operating systems, and wireless connectivity become standard. Industry's security solution is boundary defence, pushing privilege to firewalls and anomaly detectors; however, this propagates rather than minimises privilege and leaves the hierarchy vulnerable to a single boundary compromise.
In contrast, we propose, implement, and evaluate a security architecture based on distributed capabilities. Specifically, we show that object capabilities, representing physical resources, can be constructed, delegated, and used anywhere in a distributed CPS by composing hardware-enforced architectural capabilities and cryptographic network tokens. Our architecture provides defence-in-depth, minimising privilege at every level of the CPS hierarchy, and both supports and adds integrity protection to legacy CPS protocols. We implement distributed capabilities in robotics and ICS demonstrators, and we show that our architecture adds negligible overhead to realistic integrations and can be implemented without significant modification to existing source code.
In contrast, we propose, implement, and evaluate a security architecture based on distributed capabilities. Specifically, we show that object capabilities, representing physical resources, can be constructed, delegated, and used anywhere in a distributed CPS by composing hardware-enforced architectural capabilities and cryptographic network tokens. Our architecture provides defence-in-depth, minimising privilege at every level of the CPS hierarchy, and both supports and adds integrity protection to legacy CPS protocols. We implement distributed capabilities in robotics and ICS demonstrators, and we show that our architecture adds negligible overhead to realistic integrations and can be implemented without significant modification to existing source code
A Taxonomy of Data Grids for Distributed Data Sharing, Management and Processing
Data Grids have been adopted as the platform for scientific communities that
need to share, access, transport, process and manage large data collections
distributed worldwide. They combine high-end computing technologies with
high-performance networking and wide-area storage management techniques. In
this paper, we discuss the key concepts behind Data Grids and compare them with
other data sharing and distribution paradigms such as content delivery
networks, peer-to-peer networks and distributed databases. We then provide
comprehensive taxonomies that cover various aspects of architecture, data
transportation, data replication and resource allocation and scheduling.
Finally, we map the proposed taxonomy to various Data Grid systems not only to
validate the taxonomy but also to identify areas for future exploration.
Through this taxonomy, we aim to categorise existing systems to better
understand their goals and their methodology. This would help evaluate their
applicability for solving similar problems. This taxonomy also provides a "gap
analysis" of this area through which researchers can potentially identify new
issues for investigation. Finally, we hope that the proposed taxonomy and
mapping also helps to provide an easy way for new practitioners to understand
this complex area of research.Comment: 46 pages, 16 figures, Technical Repor
Emergent behaviors in the Internet of things: The ultimate ultra-large-scale system
To reach its potential, the Internet of Things (IoT) must break down the silos that limit applications' interoperability and hinder their manageability. Doing so leads to the building of ultra-large-scale systems (ULSS) in several areas, including autonomous vehicles, smart cities, and smart grids. The scope of ULSS is both large and complex. Thus, the authors propose Hierarchical Emergent Behaviors (HEB), a paradigm that builds on the concepts of emergent behavior and hierarchical organization. Rather than explicitly programming all possible decisions in the vast space of ULSS scenarios, HEB relies on the emergent behaviors induced by local rules at each level of the hierarchy. The authors discuss the modifications to classical IoT architectures required by HEB, as well as the new challenges. They also illustrate the HEB concepts in reference to autonomous vehicles. This use case paves the way to the discussion of new lines of research.Damian Roca work was supported by a Doctoral Scholarship provided by Fundación La Caixa. This work has been supported by the Spanish Government (Severo Ochoa
grants SEV2015-0493) and by the Spanish Ministry of Science and Innovation (contracts TIN2015-65316-P).Peer ReviewedPostprint (author's final draft
A Survey of Distributed Intrusion Detection Approaches
Distributed intrustion detection systems detect attacks on computer systems
by analyzing data aggregated from distributed sources. The distributed nature
of the data sources allows patterns in the data to be seen that might not be
detectable if each of the sources were examined individually. This paper
describes the various approaches that have been developed to share and analyze
data in such systems, and discusses some issues that must be addressed before
fully decentralized distributed intrusion detection systems can be made viable
- …