257 research outputs found

    Requirements and Recommendations for IoT/IIoT Models to automate Security Assurance through Threat Modelling, Security Analysis and Penetration Testing

    The factories of the future require efficient interconnection of their physical machines into the cyber space to cope with the emerging need of an increased uptime of machines, higher performance rates, an improved level of productivity and a collective collaboration along the supply chain. With the rapid growth of the Internet of Things (IoT), and its application in industrial areas, the so called Industrial Internet of Things (IIoT)/Industry 4.0 emerged. However, further to the rapid growth of IoT/IIoT systems, cyber attacks are an emerging threat and simple manual security testing can often not cope with the scale of large IoT/IIoT networks. In this paper, we suggest to extract metadata from commonly used diagrams and models in a typical software development process, to automate the process of threat modelling, security analysis and penetration testing, without detailed prior security knowledge. In that context, we present requirements and recommendations for metadata in IoT/IIoT models that are needed as necessary input parameters of security assurance tools. Comment: 8 pages, Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES 2019) (ARES '19), August 26-29, 2019, Canterbury, United Kingdom

    "Replacing Teachers? Doubt it." : Practitioners' Views on Adaptive Learning Technologies' Impact on the Teaching Profession

    Novel learning technologies have potential in reshaping the teaching profession by automating some parts of the work. However, teachers' perspectives towards automation have generally been critical. In the present study, we examine Finnish education practitioners’ thoughts on adaptive learning technologies and their impact on the teaching profession. Using thematic and epistemic network analysis (ENA), we analyzed 114 social media posts. Supportive posts connected technological capabilities and self-directed or self-regulated learning, emphasizing that technology can also guide and support students. Critical posts connected human presence, educational arrangements, and pupil diversity and equality, emphasizing the importance of teachers’ presence in addressing pupils’ varying needs. Overall, the role of a human teacher was seen as necessary even with adaptive learning technologies available. Our findings reveal themes relevant when discussing the development of adaptive learning technologies and their potential impact on the teaching profession. Moreover, our findings increase the understanding of how supportive and critical argumentation on technology differ. Peer reviewed

    BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection

    We introduce BotSwindler, a bait injection system designed to delude and detect crimeware by forcing it to reveal during the exploitation of monitored information. The implementation of BotSwindler relies upon an out-of-host software agent that drives user-like interactions in a virtual machine, seeking to convince malware residing within the guest OS that it has captured legitimate credentials. To aid in the accuracy and realism of the simulations, we propose a low overhead approach, called virtual machine verification, for verifying whether the guest OS is in one of a predefined set of states. We present results from experiments with real credential-collecting malware that demonstrate the injection of monitored financial bait for detecting compromises. Additionally, using a computational analysis and a user study, we illustrate the believability of the simulations and we demonstrate that they are sufficiently human-like. Finally, we provide results from performance measurements to show our approach does not impose a performance burden

    Translation and human-computer interaction

    This paper seeks to characterise translation as a form of human-computer interaction. The evolution of translator-computer interaction is explored and the challenges and benefits are enunciated. The concept of cognitive ergonomics is drawn on to argue for a more caring and inclusive approach towards the translator by developers of translation technology. A case is also made for wider acceptance by the translation community of the benefits of the technology at their disposal and for more humanistic research on the impact of technology on the translator, the translation profession and the translation process

    A review of cyber-ranges and test-beds: current and future trends

    Cyber situational awareness has been proven to be of value in forming a comprehensive understanding of threats and vulnerabilities within organisations, as the degree of exposure is governed by the prevailing levels of cyber-hygiene and established processes. A more accurate assessment of the security provision informs on the most vulnerable environments that necessitate more diligent management. The rapid proliferation in the automation of cyber-attacks is reducing the gap between information and operational technologies and the need to review the current levels of robustness against new sophisticated cyber-attacks, trends, technologies and mitigation countermeasures has become pressing. A deeper characterisation is also the basis with which to predict future vulnerabilities in turn guiding the most appropriate deployment technologies. Thus, refreshing established practices and the scope of the training to support the decision making of users and operators. The foundation of the training provision is the use of Cyber-Ranges (CRs) and Test-Beds (TBs), platforms/tools that help inculcate a deeper understanding of the evolution of an attack and the methodology to deploy the most impactful countermeasures to arrest breaches. In this paper, an evaluation of documented CR and TB platforms is evaluated. CRs and TBs are segmented by type, technology, threat scenarios, applications and the scope of attainable training. To enrich the analysis of documented CR and TB research and cap the study, a taxonomy is developed to provide a broader comprehension of the future of CRs and TBs. The taxonomy elaborates on the CRs/TBs dimensions, as well as, highlighting a diminishing differentiation between application areas

    SecREP : A Framework for Automating the Extraction and Prioritization of Security Requirements Using Machine Learning and NLP Techniques

    Gathering and extracting security requirements adequately requires extensive effort, experience, and time, as large amounts of data need to be analyzed. While many manual and academic approaches have been developed to tackle the discipline of Security Requirements Engineering (SRE), a need still exists for automating the SRE process. This need stems mainly from the difficult, error-prone, and time-consuming nature of traditional and manual frameworks. Machine learning techniques have been widely used to facilitate and automate the extraction of useful information from software requirements documents and artifacts. Such approaches can be utilized to yield beneficial results in automating the process of extracting and eliciting security requirements. However, the extraction of security requirements alone leaves software engineers with yet another tedious task of prioritizing the most critical security requirements. The competitive and fast-paced nature of software development, in addition to resource constraints make the process of security requirements prioritization crucial for software engineers to make educated decisions in risk-analysis and trade-off analysis. To that end, this thesis presents an automated framework/pipeline for extracting and prioritizing security requirements. The proposed framework, called the Security Requirements Extraction and Prioritization Framework (SecREP) consists of two parts: SecREP Part 1: Proposes a machine learning approach for identifying/extracting security requirements from natural language software requirements artifacts (e.g., the Software Requirement Specification document, known as the SRS documents) SecREP Part 2: Proposes a scheme for prioritizing the security requirements identified in the previous step. For the first part of the SecREP framework, three machine learning models (SVM, Naive Bayes, and Random Forest) were trained using an enhanced dataset the “SecREP Dataset” that was created as a result of this work. 
Each model was validated using resampling (80% for training and 20% for validation) and 5-fold cross validation techniques. For the second part of the SecREP framework, a prioritization scheme was established with the aid of NLP techniques. The proposed prioritization scheme analyzes each security requirement using Part-of-speech (POS) and Named Entity Recognition methods to extract assets, security attributes, and threats from the security requirement. Additionally, using a text similarity method, each security requirement is compared to a super-sentence that was defined based on the STRIDE threat model. This prioritization scheme was applied to the extracted list of security requirements obtained from the case study in part one, and the priority score for each requirement was calculated and showcased

    Is automation changing the translation profession?

    Translation and interpreting, as professions that require a high level of linguistic knowledge, are on the front line in the era of language automation. In particular, the development of neural machine translation systems since 2016 has brought with it the fear that there will soon be no more human translators or interpreters. However, when considered in terms of the history of automation, any such effect is far from obvious: the translation industry continues to grow. Nevertheless, data on remuneration indicate structural wage dispersion in professional translation and interpreting services, and there are signs that this dispersion is increasing due to growing automation, which is being adopted by large language-service providers more than by smaller companies and individual freelancers. Even so, a checklist of the knowledge and skills of translators and interpreters can help identify those that are resistant to automation at all service levels and that can therefore allow future translators and interpreters to benefit from automation. It has been found that automation-resistant competences do not clearly correspond to the market success of large language-service providers. Most usefully, they can underline several principles for training and professional advancement based on the values of reliability, engagement with automation, and the ability to combine translation with other forms of communication.

    As a language-intensive profession, translation is of frontline interest in the era of language automation. In particular, the development of neural machine translation systems since 2016 has brought with it fears that soon there will be no more human translators. When considered in terms of the history of automation, however, any such direct effect is far from obvious: the translation industry is still growing and machine translation is only one instance of automation. At the same time, data on remuneration indicate structural wage dispersion in professional translation services, with some signs that this dispersion may increase in certain market segments as automated workflows and translation technologies are adopted more by large language-service providers than by smaller companies and individual freelancers. An analysis of recent changes in discourses on and in the translation profession further indicates conceptual adjustments in the profession that may be attributed to growing automation, particularly with respect to expanding skills set associated with translation, the tendency to combine translation with other forms of communication, and the use of interactive communication skills to authorize and humanize the results of automation