Architecture-based Qualitative Risk Analysis for Availability of IT Infrastructures

An IT risk assessment must deliver the best possible quality of results in a time-effective way. Organisations are used to customise the general-purpose standard risk assessment methods in a way that can satisfy their requirements. In this paper we present the QualTD Model and method, which is meant to be employed together with standard risk assessment methods for the qualitative assessment of availability risks of IT architectures, or parts of them. The QualTD Model is based on our previous quantitative model, but geared to industrial practice since it does not require quantitative data which is often too costly to acquire. We validate the model and method in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results w.r.t. the goals of the stakeholders of the system. We also perform a review of the most popular standard risk assessment methods and an analysis of which one can be actually integrated with our QualTD Model

Risk and Business Goal Based Security Requirement and Countermeasure Prioritization

Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security” but need to be able to justify their security investment plans. Currently companies achieve this by means of checklist-based security assessments, but these methods are a way to achieve consensus without being able to provide justifications of countermeasures in terms of business goals. But such justifications are needed to operate securely and effectively in networked businesses. In this paper, we first compare a Risk-Based Requirements Prioritization method (RiskREP) with some requirements engineering and risk assessment methods based on their requirements elicitation and prioritization properties. RiskREP extends misuse case-based requirements engineering methods with IT architecture-based risk assessment and countermeasure definition and prioritization. Then, we present how RiskREP prioritizes countermeasures by linking business goals to countermeasure specification. Prioritizing countermeasures based on business goals is especially important to provide the stakeholders with structured arguments for choosing a set of countermeasures to implement. We illustrate RiskREP and how it prioritizes the countermeasures it elicits by an application to an action case

Smart Grid Security: Threats, Challenges, and Solutions

The cyber-physical nature of the smart grid has rendered it vulnerable to a multitude of attacks that can occur at its communication, networking, and physical entry points. Such cyber-physical attacks can have detrimental effects on the operation of the grid as exemplified by the recent attack which caused a blackout of the Ukranian power grid. Thus, to properly secure the smart grid, it is of utmost importance to: a) understand its underlying vulnerabilities and associated threats, b) quantify their effects, and c) devise appropriate security solutions. In this paper, the key threats targeting the smart grid are first exposed while assessing their effects on the operation and stability of the grid. Then, the challenges involved in understanding these attacks and devising defense strategies against them are identified. Potential solution approaches that can help mitigate these threats are then discussed. Last, a number of mathematical tools that can help in analyzing and implementing security solutions are introduced. As such, this paper will provide the first comprehensive overview on smart grid security

An Assurance Framework for Independent Co-assurance of Safety and Security

Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons such as mismatched processes, inadequate information, differing use of language and philosophies, etc.. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even with this simplification, no methodology has been widely adopted primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to unified co-assurance which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. With this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronisation activities

A Survey on Wireless Security: Technical Challenges, Recent Advances and Future Trends

This paper examines the security vulnerabilities and threats imposed by the inherent open nature of wireless communications and to devise efficient defense mechanisms for improving the wireless network security. We first summarize the security requirements of wireless networks, including their authenticity, confidentiality, integrity and availability issues. Next, a comprehensive overview of security attacks encountered in wireless networks is presented in view of the network protocol architecture, where the potential security threats are discussed at each protocol layer. We also provide a survey of the existing security protocols and algorithms that are adopted in the existing wireless network standards, such as the Bluetooth, Wi-Fi, WiMAX, and the long-term evolution (LTE) systems. Then, we discuss the state-of-the-art in physical-layer security, which is an emerging technique of securing the open communications environment against eavesdropping attacks at the physical layer. We also introduce the family of various jamming attacks and their counter-measures, including the constant jammer, intermittent jammer, reactive jammer, adaptive jammer and intelligent jammer. Additionally, we discuss the integration of physical-layer security into existing authentication and cryptography mechanisms for further securing wireless networks. Finally, some technical challenges which remain unresolved at the time of writing are summarized and the future trends in wireless security are discussed.Comment: 36 pages. Accepted to Appear in Proceedings of the IEEE, 201

Byzantine Attack and Defense in Cognitive Radio Networks: A Survey

The Byzantine attack in cooperative spectrum sensing (CSS), also known as the spectrum sensing data falsification (SSDF) attack in the literature, is one of the key adversaries to the success of cognitive radio networks (CRNs). In the past couple of years, the research on the Byzantine attack and defense strategies has gained worldwide increasing attention. In this paper, we provide a comprehensive survey and tutorial on the recent advances in the Byzantine attack and defense for CSS in CRNs. Specifically, we first briefly present the preliminaries of CSS for general readers, including signal detection techniques, hypothesis testing, and data fusion. Second, we analyze the spear and shield relation between Byzantine attack and defense from three aspects: the vulnerability of CSS to attack, the obstacles in CSS to defense, and the games between attack and defense. Then, we propose a taxonomy of the existing Byzantine attack behaviors and elaborate on the corresponding attack parameters, which determine where, who, how, and when to launch attacks. Next, from the perspectives of homogeneous or heterogeneous scenarios, we classify the existing defense algorithms, and provide an in-depth tutorial on the state-of-the-art Byzantine defense schemes, commonly known as robust or secure CSS in the literature. Furthermore, we highlight the unsolved research challenges and depict the future research directions.Comment: Accepted by IEEE Communications Surveys and Tutoiral

Digital system of quarry management as a SAAS solution: mineral deposit module

Purpose. Improving the efficiency of functioning the mining enterprises and aggregation of earlier obtained results into a unified digital system of designing and operative management by quarry operation. Methods. Both the traditional (analysis of scientific and patent literature, analytical methods of deposit parameters research, analysis of experience and exploitation of quarries, conducting the passive experiment and processing the statistical data) and new forms of scientific research - deposit modeling on the basis of classical and neural network methods of approximation – are used in the work. For the purpose of the software product realization on the basis of cloud technologies, there were used: for back-end implementation – server-based scripting language php; for the front-end – multi-paradigm programming language javascript, javascript framework jQuery and asynchronous data exchange technology Ajax. Findings. The target audience of the system has been identified, SWOT-analysis has been carried out, conceptual directions of 3D-quarry system development have been defined. The strategies of development and promotion of the software product, as well as the strategies of safety and reliability of the application both for the client and the owner of the system have been formulated. The modular structure of the application has been developed, and the system functions have been divided to implement both back-end and front-end applications. The Mineral Deposit Module has been developed: the geological structure of the deposit has been simulated and its block model has been constructed. It has been proved that the use of neural network algorithms does not give an essential increase in the accuracy of the block model for the deposits of 1 and 2 groups in terms of the geological structure complexity. The possibility and prospects of constructing the systems for subsoil users on the basis of cloud technologies and the concept of SaaS have been substantiated. Originality. For the first time, the modern software products for solving the problems of designing and operational management of mining operations have been successfully developed on the basis of the SaaS concept. Practical implications. The results are applicable for enterprises-subsoil users, working with deposits of 1 and 2 groups in terms of the geological structure complexity: design organizations, as well as mining and processing plants.Мета. Підвищення ефективності функціонування гірничорудних підприємств та агрегація раніше отриманих результатів в єдину цифрову систему проектування і оперативного управління роботою кар’єрів. Методика. У роботі використані як традиційні (аналіз науково-патентної літератури, аналітичні методи дослідження параметрів родовища, аналіз досвіду й експлуатації кар’єрів, проведення пасивного експерименту та статистичної обробки даних), так і нові форми наукового дослідження – моделювання родовища на основі класичних і нейромережевих методів апроксимації. Для реалізації програмного продукту на основі хмарних технологій використані: для реалізації back-end – серверна скриптова мова програмування php; для front-end – мультипарадігменна мова програмування javascript, javascript framework jQuery і технологія асинхронного обміну даними Ajax. Результати. Виявлено цільову аудиторію системи, проведено SWOT-аналіз, визначено концептуальні напрями розвитку системи 3D-кар’єр, розроблені стратегії розвитку та просування програмного продукту, розроблені стратегії безпеки й надійності додатки як для клієнта, так і власника системи. Розроблено модульну структуру програми, вироблено розподіл функцій системи для реалізації як back-end і front-end додатки. Розроблено модуль “Родовище”: проведено моделювання геологічної структури родовища та побудована його блокова модель. Доведено, що використання нейромережевих алгоритмів не дає принципового підвищення точності блокової моделі для родовищ 1 і 2 груп за складністю геологічної будови. Виявлено недоліки нейромережевих алгоритмів, такі як високі витрати обчислювальних ресурсів сервера і проблеми візуалізації великих масивів геоданих при використанні web-рішень, знайдені шляхи їх вирішення. Доведено можливість і перспективність побудови систем для надрокористувачів на основі хмарних технологій і концепції SaaS. Наукова новизна. Вперше на основі концепції ASP успішно побудовані сучасні програмні продукти для вирішення завдань проектування та оперативного керування гірничими роботами. Практична значимість. Результати корисні для підприємств-надрокористувачів, які працюють з родовищами 1 і 2 груп за складністю геологічної будови – проектних організацій і ГЗК.Цель. Повышение эффективности функционирования горнорудных предприятий и агрегация ранее полученных результатов в единую цифровую систему проектирования и оперативного управления работой карьеров. Методика. В работе использованы как традиционные (анализ научно-патентной литературы, аналитические методы исследования параметров месторождения, анализ опыта и эксплуатации карьеров, проведение пассивного эксперимента и статистической обработкой данных), так и новые формы научного исследования – моделирование месторождения на основе классических и нейросетевых методов аппроксимации. Для реализации программного продукта на основе облачных технологий использованы: для реализации back-end – серверный скриптовый язык программирования php; для front-end – мультипарадигменный язык программирования javascript, javascript framework jQuery и технология асинхронного обмена данными Ajax. Результаты. Выявлена целевая аудитория системы, проведен SWOT-анализ, определены концептуальные направления развития системы 3D-карьер, разработаны стратегии развития и продвижения программного продукта, разработаны стратегии безопасности и надежности приложения как для клиента, так и владельца системы. Разработана модульная структура приложения, произведено деление функций системы для реализации как back-end и front-end приложения. Разработан модуль “Месторождение”: проведено моделирование геологической структуры месторождения и построена его блочная модель. Доказано, что использование нейросетевых алгоритмов не дает принципиального повышения точности блочной модели для месторождений 1 и 2 групп по сложности геологического строения. Выявлены недостатки нейросетевых алгоритмов, такие как высокие затраты вычислительных ресурсов сервера и проблемы визуализации больших массивов геоданных при использовании web-решений, найдены пути их решения. Доказана возможность и перспективность построения систем для недропользователей на основе облачных технологий и концепции SaaS. Научная новизна. Впервые на основе концепции ASP успешно построены современные программные продукты для решения задач проектирования и оперативного управления горными работами. Практическая значимость. Результаты применимы для предприятий-недропользователей, работающих с месторождениями 1 и 2 групп по сложности геологического строения – проектных организаций и ГОКов.We express our profound gratitude to A.B. Naizabekov for his assistance in scientific research, to A.F. Tsekhovoy, P.A. Tsekhovoy, D.Sh. Akhmedov, V. V. Yankovenko and D.V. Nikitas for scientific advice in implementation of the program code. The research was carried out within the framework of the initiative research theme “Improving the Efficiency of Mining Enterprises” on the basis of the RSE at the Rudny Industrial Institute of the Ministry of Education and Science of the Republic of Kazakhstan