Knowledge dependencies in fuzzy information systems evaluation

Experience and research within the field of Information Systems Evaluation (ISE), has traditionally centered on providing tools and techniques for investment justification and appraisal, based upon explicit knowledge which encodes financial and other direct situational factors (such as accounting, costing and risk metrics). However, such approaches tend not to include additional causal interdependencies that are based upon tacit knowledge and are inherent within such a decision-making task. The authors show the results of applying a cognitive mapping approach, in the guise of a Fuzzy Cognitive Mapping (FCM) simulation, i.e. Fuzzy Information Systems Evaluation (F-ISE), in order to highlight the usefulness of applying such a technique. The authors highlight those contingent and necessary knowledge dependencies, in an exploratory sense, which relate to the investment appraisal decision-making task, in terms of the interplay between tacit and explicit knowledge, in this regard

Securing Databases from Probabilistic Inference

Databases can leak confidential information when users combine query results with probabilistic data dependencies and prior knowledge. Current research offers mechanisms that either handle a limited class of dependencies or lack tractable enforcement algorithms. We propose a foundation for Database Inference Control based on ProbLog, a probabilistic logic programming language. We leverage this foundation to develop Angerona, a provably secure enforcement mechanism that prevents information leakage in the presence of probabilistic dependencies. We then provide a tractable inference algorithm for a practically relevant fragment of ProbLog. We empirically evaluate Angerona's performance showing that it scales to relevant security-critical problems.Comment: A short version of this paper has been accepted at the 30th IEEE Computer Security Foundations Symposium (CSF 2017

Vulnerable Open Source Dependencies: Counting Those That Matter

BACKGROUND: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. AIMS: In this paper we aim to present a precise methodology, that combines the code-based analysis of patches with information on build, test, update dates, and group extracted from the very code repository, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources. METHOD: To understand the industrial impact of the proposed methodology, we considered the 200 most popular OSS Java libraries used by SAP in its own software. Our analysis included 10905 distinct GAVs (group, artifact, version) when considering all the library versions. RESULTS: We found that about 20% of the dependencies affected by a known vulnerability are not deployed, and therefore, they do not represent a danger to the analyzed library because they cannot be exploited in practice. Developers of the analyzed libraries are able to fix (and actually responsible for) 82% of the deployed vulnerable dependencies. The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version, while 1% of the vulnerable dependencies in our sample are halted, and therefore, potentially require a costly mitigation strategy. CONCLUSIONS: Our case study shows that the correct counting allows software development companies to receive actionable information about their library dependencies, and therefore, correctly allocate costly development and audit resources, which is spent inefficiently in case of distorted measurements.Comment: This is a pre-print of the paper that appears, with the same title, in the proceedings of the 12th International Symposium on Empirical Software Engineering and Measurement, 201

FUNCTIONAL DEPENDENCIES AND INCOMPLETE INFORMATION

Functional dependencies play an important role in relational database design. They are defined in the context of a single relation which at all times must contain tuples with non-null entries. In this paper we examine an extension of the functional dependency interpretation to handle null values, that is, entries in tuples that represent incomplete information in a relational database. A complete axiomatization of inference rules for extended functional dependencies is also presented. Only after having such results is it possible to talk about decompositions and normalization theory in a context of incomplete information. Finally, we show that there are several practical advantages in using nulls and a weaker notion of constraint satisfiability.Information Systems Working Papers Serie