10 research outputs found

    A framework for the protection of mobile agents against malicious hosts

    The mobility attribute of a mobile agent implies deployment thereof in untrustworthy environments, which introduces malicious host threats. The research question deals with how a security framework could be constructed to address the mentioned threats without introducing high costs or restraining the mobile agent's autonomy or performance. Available literature has been studied, analysed and discussed. The salient characteristics as well as the drawbacks of current solutions were isolated. Through this knowledge a dynamic mobile agent security framework was defined. The framework is based on the definition of multiple security levels, depending on type of deployment environment and type of application. A prototype was constructed and tested and it was found to be lightweight and efficient, giving developers insight into possible security threats as well as tools for maximum protection against malicious hosts. The framework outperformed other frameworks / models as it provides dynamic solutions without burdening a system with unnecessary security gadgets and hence paying for it in system cost and performance. Computing. D.Phil.

    Assessing Business Value of IT and IS Risk: Security Issues

    Enterprise systems have taken full advantage of Information Technology (IT) and Information Systems (IS) to innovate and to create business value. The principal business value for a system is utility. System utility is a complex factor that has many contributing variables and the resultant of business value. The metrics of utility are measures such as up-time, customer satisfaction, and so on. In this paper the concern of security as the protection of information assets is discussed in relation to managing the risk of utility. Risk modeling has come under greater scrutiny since the collapse of global financial markets in 2008. A common criticism is that risk models disengage business layers and foster surrogates that anesthetize prudent virtues within the enterprise system. The discussion in this essay proceeds by elaborating current risk modeling trends and concludes by promoting an awareness of the changing scope and expectations for effective business security risk analysis.

    Secure Route Structures for Parallel Mobile Agents Based Systems Using Fast Binary Dispatch

    Extensible Java based agent framework

    Agent technology is one of the most consistent approaches to the distributed computing implementation. Agents can be used to fully implement the distributed software component concept. Agents can solve distributed problems utilizing a certain degree of autonomy and intelligence. An agent framework represents a programming environment that controls the agent life cycle and provides all necessary mechanisms for task execution. The subject of the dissertation is the formal specification of an agent framework based on distributed component technology. This framework supports the FIPA specification and the following concepts: message interchange, agent mobility, security, and agent and service directories. The agent framework is implemented in J2EE technology. A plug-in system is designed for all key elements of the agent framework. Mobile tasks were specified and implemented. Also, an inter-facilitator connectivity mechanism is specified and implemented. The framework is verified by a case study on the library information system BISIS. The following agent tasks were performed: library network search, library record quality estimation and intelligent load balancing.

    Perceived security in mobile authentication

    New advanced mobile phones and services enable users to handle a great number of tasks with their mobile phones, bringing increased flexibility. However, users have been reluctant to widely adopt the new mobile services. One of the most significant reasons for this is the security concerns of the users. Perceived security in mobile authentication has not been directly studied before, although it can be considered to have a great importance, as many of the new mobile services involve user authentication as an essential element. Therefore, this thesis aimed to form a good conception of this important topic. The subject of perceived security in mobile authentication is approached through a literature review on the related research and an empirical study that was realized as a web survey. In the empirical study, both qualitative and quantitative data were collected, and they were carefully analyzed with proper tools. After analyzing the study results, a synthesis of the literature findings and the findings of the empirical study was performed. The examination of this thesis revealed that perceived security is important for users and it considerably affects the intention to use mobile authentication. However, it was noticed that the effect significantly varies based on the service in question. A noteworthy observation was that half of the users are not using mobile banking services due to security concerns. In addition to generally determining the effect of perceived security on the use intention, this thesis identified factors that affect the formation of perceived security. A number of recommendations for taking perceived security into account in the design process were made based on the findings. This thesis provides clear evidence that developing objectively secure authentication solutions does not alone guarantee user acceptance. The crucial factor affecting the users' intention to use mobile services is the subjective perception of security. Thereby, assuring users of the authentication security is of utmost importance. The thesis clearly highlights that perceived security is a complex concept and it is affected by various factors such as use context, service usage experience, and brand and reputation of service provider. This should be carefully considered when developing new mobile authentication solutions.

    Policy and policy formulation considerations for incorporation of secure mobile devices in USMC ground combat units

    Modern information technology evolves at a rapid pace, and the U.S. Marine Corps ground combat units require cutting-edge capabilities in order to maintain a competitive advantage. The advent and military application of smartphones and smartphone applications provide a plethora of advantages that these forces seek to leverage, yet the very rapidity of their development presents a host of network security problems. This thesis examines the conceptual risk framework for incorporating smartphones into ground combat units, and uses a cutting-edge smartphone capability, the Field Information Support Tool, as a case study. Furthermore, the comparatively slow policy-making process of the DOD ensures that policy requirements will lag behind the emerging technologies and the novel threats these technologies introduce. This thesis conducts a policy review of existing DOD policies that apply to smartphones and network security, as well as examines and models the policy formulation process in an effort to reform it in a way more conducive to the incorporation of fast-growing capabilities. http://archive.org/details/policyndpolicyfo1094543908 Outstanding Thesis. Captain, United States Marine Corps. Approved for public release; distribution is unlimited.

    Evidence-based Accountability Audits for Cloud Computing

    Cloud computing is known for its on-demand service provisioning and has now become mainstream. Many businesses as well as individuals are using cloud services on a daily basis. There is a big variety of services that ranges from the provision of computing resources to services such as productivity suites and social networks. The nature of these services varies heavily in terms of what kind of information is being out-sourced to the cloud provider. Often, that data is sensitive, for instance when PII is being shared by an individual. Also, businesses that move (parts of) their processes to the cloud are actively participating in a major paradigm shift from having data on-premise to transferring data to a third-party provider. However, many new challenges come along with this trend, which are closely tied to the loss of control over data. When moving to the cloud, direct control over geographical storage location, who has access to it and how it is shared and processed is given up. Because of this loss of control, cloud customers have to trust cloud providers that they treat their data in an appropriate and responsible way. Cloud audits can be used to check how data has been processed in the cloud (i.e., by whom, for what purpose) and whether or not this happened in compliance with what has been defined in agreed-upon privacy and data storage, usage and maintenance (i.e., data handling) policies. This way, a cloud customer can regain some of the control he has given up by moving to the cloud. In this thesis, accountability audits are presented as a way to strengthen trust in cloud computing by providing assurance about the processing of data in the cloud according to data handling and privacy policies. In cloud accountability audits, various distributed evidence sources need to be considered. The research presented in this thesis discusses the use of various heterogeneous evidence sources on all cloud layers. This way, a complete picture of the actual data handling practices that is based on hard facts can be presented to the cloud consumer. Furthermore, this strengthens transparency of data processing in the cloud, which can lead to improved trust in cloud providers, if they choose to adopt these mechanisms in order to assure their customers that their data is being handled according to their expectations. The system presented in this thesis enables continuous auditing of a cloud provider's adherence to data handling policies in an automated way that shortens audit intervals and that is based on evidence that is produced by cloud subsystems. An important aspect of many cloud offerings is the combination of multiple distinct cloud services that are offered by independent providers. Data is thereby frequently exchanged between the cloud providers. This also includes trans-border flows of data, where one provider may be required to adhere to more strict data protection requirements than the others. The system presented in this thesis addresses such scenarios by enabling the collection of evidence at providers and evaluating it during audits. Securing evidence quickly becomes a challenge in the system design, when information that is needed for the audit is deemed sensitive or confidential. This means that securing the evidence at-rest as well as in-transit is of utmost importance, in order not to introduce a new liability by building an insecure data heap. This research presents the identification of security and privacy protection requirements alongside proposed solutions that enable the development of an architecture for secure, automated, policy-driven and evidence-based accountability audits.

    Security enhanced mobile agents

    No full text