Model the System from Adversary Viewpoint: Threats Identification and Modeling

Security attacks are hard to understand, often expressed with unfriendly and limited details, making it difficult for security experts and for security analysts to create intelligible security specifications. For instance, to explain Why (attack objective), What (i.e., system assets, goals, etc.), and How (attack method), adversary achieved his attack goals. We introduce in this paper a security attack meta-model for our SysML-Sec framework, developed to improve the threat identification and modeling through the explicit representation of security concerns with knowledge representation techniques. Our proposed meta-model enables the specification of these concerns through ontological concepts which define the semantics of the security artifacts and introduced using SysML-Sec diagrams. This meta-model also enables representing the relationships that tie several such concepts together. This representation is then used for reasoning about the knowledge introduced by system designers as well as security experts through the graphical environment of the SysML-Sec framework.Comment: In Proceedings AIDP 2014, arXiv:1410.322

Confidentiality-Preserving Publish/Subscribe: A Survey

Publish/subscribe (pub/sub) is an attractive communication paradigm for large-scale distributed applications running across multiple administrative domains. Pub/sub allows event-based information dissemination based on constraints on the nature of the data rather than on pre-established communication channels. It is a natural fit for deployment in untrusted environments such as public clouds linking applications across multiple sites. However, pub/sub in untrusted environments lead to major confidentiality concerns stemming from the content-centric nature of the communications. This survey classifies and analyzes different approaches to confidentiality preservation for pub/sub, from applications of trust and access control models to novel encryption techniques. It provides an overview of the current challenges posed by confidentiality concerns and points to future research directions in this promising field

Security models in Vehicular ad-hoc networks: a survey

The security and privacy issues of vehicular ad-hoc networks (VANETs) must be addressed before they are implemented. For this purpose, several academic and industrial proposals have been developed. Given that several of them are intended to co-exist, it is necessary that they consider compatible security models. This paper presents a survey on the underlying security models of 41 recent proposals. Four key aspects in VANET security are studied, namely trust on vehicles, trust on infrastructure entities, existence of trusted third parties and attacker features. Based on the survey analysis, a basic mechanism to compare VANET security models is also proposed, thus highlighting their similarities and differences.This work is partially founded by Ministerio de Ciencia e Innovacion of Spain under grant TIN2009-13461 (project E-SAVE).Publicad

Design and Implementation of an Intranet Security and Access Control System in Ubi-Com

Currently, most enterprise intranet systems process user information for security and access authentication purposes. However, this information is often captured by unauthorized users who may edit, modify, delete or otherwise corrupt this data. In addition, corruption can result from inaccurate communication protocols in the web browser. Therefore, a method is needed to prevent unauthorized or erroneous access and modification of data through the intranet. This paper proposes an efficient security procedure that incorporates a new model that allows flexible web security access control in securing information over the intranet in UC. The proposed web security access control system improves the intranet data and access security by using encryption and decryption techniques. It further improves the security access control by providing authentication corresponding to different security page levels relevant to public ownership and information sensitivity between different enterprise departments. This approach reduces processing time and prevents information leakage and corruption caused by mistakes that occur as a result of communication protocol errors between client PC's or mail security methods

An MDA approach for developing Secure OLAP applications: metamodels and transformations

Decision makers query enterprise information stored in Data Warehouses (DW) by using tools (such as On-Line Analytical Processing (OLAP) tools) which employ specific views or cubes from the corporate DW or Data Marts, based on multidimensional modelling. Since the information managed is critical, security constraints have to be correctly established in order to avoid unauthorized access. In previous work we defined a Model-Driven based approach for developing a secure DW repository by following a relational approach. Nevertheless, it is also important to define security constraints in the metadata layer that connects the DW repository with the OLAP tools; that is, over the same multidimensional structures that end users manage. This paper incorporates a proposal for developing secure OLAP applications within our previous approach: it improves a UML profile for conceptual modelling; it defines a logical metamodel for OLAP applications; and it defines and implements transformations from conceptual to logical models, as well as from logical models to secure implementation in a specific OLAP tool (SQL Server Analysis Services).This research is part of the following projects: SIGMA-CC (TIN2012-36904), GEODAS-BC (TIN2012-37493-C01) and GEODAS-BI (TIN2012-37493-C03) funded by the Ministerio de Economía y Competitividad and Fondo Europeo de Desarrollo Regional FEDER. SERENIDAD (PEII11-037-7035) and MOTERO (PEII11- 0399-9449) funded by the Consejería de Educación, Ciencia y Cultura de la Junta de Comunidades de Castilla La Mancha, and Fondo Europeo de Desarrollo Regional FEDER

A Redundancy-based Security Model for Smart Home

Recent developments in smart devices, Cloud Computing and Internet of Things (IoT) are introducing network of intelligent devices. These intelligent devices can be used to develop smart home network. The home appliance in a smart home forms an ad-hoc network. A smart home network architecture can be exploited by compromising the devices it is made up of. Various malicious activities can be performed through such exploitation. This paper presents a security approach to combat this. By using a collaborative and redundant security approach, the ad-hoc network of a smart home would be able to prevent malicious exploitation. The security approach discussed in this paper is a conceptual representation on the proposed security model for smart home networks

An MDA approach for developing secure OLAP applications: Metamodels and transformations

Decision makers query enterprise information stored in DataWarehouses (DW) by using tools (such as On-Line Analytical Processing (OLAP) tools) which employ specific views or cubes from the corporate DW or Data Marts, based on multidimensional modelling. Since the information managed is critical, security constraints have to be correctly established in order to avoid unauthorized access. In previous work we defined a Model-Driven based approach for developing a secure DW repository by following a relational approach. Nevertheless, it is also important to define security constraints in the metadata layer that connects the DW repository with the OLAP tools; that is, over the same multidimensional structures that end users manage. This paper incorporates a proposal for developing secure OLAP applications within our previous approach: it improves a UML profile for conceptual modelling; it defines a logical metamodel for OLAP applications; and it defines and implements transformations from conceptual to logical models, as well as from logical models to secure implementation in a specific OLAP tool (SQL Server Analysis Services). © 2015 ComSIS Consortium. All rights reserved.This research is part of the following projects: SIGMA-CC (TIN2012-36904), GEODAS-BC (TIN2012-37493-C01) and GEODAS-BI (TIN2012-37493-C03) funded by the Ministerio de Economía y Competitividad and Fondo Europeo de Desarrollo Regional FEDER

Information Security Models are a Solution or Puzzle for SMEs? A Systematic Literature Review

Effective information security management is necessary in the success of any organisation, including Small-and-Medium-Sized Enterprises (SMEs). Nonetheless, keeping their security needs met is always a challenge for SMEs. One of the proven ways to manage information security is through applying available international standards, frameworks and best practices. However, choosing a suitable model that addresses the SMEs holistic needs may be an overwhelming task. This systematic literature review formed the initial phase of a larger analytical project of existing models in three categories: risk management models, standards-based models and ‘other’ models. The review showed that most of models are theoretically conceived but have not been further tested empirically. Hence, their usability is unknown. More in-depth research is required to find a suitable model that may be applicable to all SMEs

Combined Security and Schedulability Analysis for MILS Real-Time Critical Architectures

Real-time critical systems have to comply with stringent timing constraints, otherwise, disastrous consequences can occur at runtime. A large effort has been made to propose models and tools to verify timing constraints by schedulability analysis at the early stages of system designs. Fewer efforts have been made on verifying the security properties in these systems despite the fact that sinister consequences can also happen if these properties are compromised. In this article, we investigate how to jointly verify security and timing constraints. We show how to model a security architecture (MILS) and how to verify both timing constraints and security properties. Schedulability is investigated by the mean of scheduling analysis methods implemented into the Cheddar scheduling analyzer. Experiments are conducted to show the impact that improving security has on the schedulability analysis