UML 2.0 BASED ROUND TRIP ENGINEERING FRAMEWORK FOR THE DEVELOPMENT OF SPF BASED SECURE APPLICATION

This research paper proposes the UML 2.0 based framework for round-trip engineering and use of Security Performance Flexibility model to keep high security in web applications. This model allows system administrators to skip or disable some unnecessary security checks in trusted operating systems through which, they can effectively balance their performance needs without compromising the security of the system. For example, the system admin can tell that video on demand server is allowed to skip only security checks on reading files, while the database server is allowed to skip only security checks on seeking files. Which operation is needed to be skipped and, which operation is not needed to be skipped is very much subjective in nature, this will depend upon the user’s requirement and the particular application’s requirement. The selection of these operations for a particular application is the part of software requirement elicitation process. This UML 2.0 based research work proposes Object-Oriented class-based software development, source code generation in C++ and the integration of security engineering into a model-driven software development. On this source code, Halstead software science measures, etc., can be applied. This helps developers in code restructuring; identify probable bugs or deficiencies for probable improvements and helps from the analysis phase to the maintenance phase

Engineering security into distributed systems: a survey of methodologies

Rapid technological advances in recent years have precipitated a general shift towards software distribution as a central computing paradigm. This has been accompanied by a corresponding increase in the dangers of security breaches, often causing security attributes to become an inhibiting factor for use and adoption. Despite the acknowledged importance of security, especially in the context of open and collaborative environments, there is a growing gap in the survey literature relating to systematic approaches (methodologies) for engineering secure distributed systems. In this paper, we attempt to fill the aforementioned gap by surveying and critically analyzing the state-of-the-art in security methodologies based on some form of abstract modeling (i.e. model-based methodologies) for, or applicable to, distributed systems. Our detailed reviews can be seen as a step towards increasing awareness and appreciation of a range of methodologies, allowing researchers and industry stakeholders to gain a comprehensive view of the field and make informed decisions. Following the comprehensive survey we propose a number of criteria reflecting the characteristics security methodologies should possess to be adopted in real-life industry scenarios, and evaluate each methodology accordingly. Our results highlight a number of areas for improvement, help to qualify adoption risks, and indicate future research directions.Anton V. Uzunov, Eduardo B. Fernandez, Katrina Falkne

Security and Performance Verification of Distributed Authentication and Authorization Tools

Parallel distributed systems are widely used for dealing with massive data sets and high performance computing. Securing parallel distributed systems is problematic. Centralized security tools are likely to cause bottlenecks and introduce a single point of failure. In this paper, we introduce existing distributed authentication and authorization tools. We evaluate the quality of the security tools by verifying their security and performance. For security tool verification, we use process calculus and mathematical modeling languages. Casper, Communicating Sequential Process (CSP) and Failure Divergence Refinement (FDR) to test for security vulnerabilities, Petri nets and Karp Miller trees are used to find performance issues of distributed authentication and authorization methods. Kerberos, PERMIS, and Shibboleth are evaluated. Kerberos is a ticket based distributed authentication service, PERMIS is a role and attribute based distributed authorization service, and Shibboleth is an integration solution for federated single sign-on authentication. We find no critical security and performance issues

Design of knowledge-based systems for automated deployment of building management services

Despite its high potential, the building's sector lags behind in reducing its energy demand. Tremendous savings can be achieved by deploying building management services during operation, however, the manual deployment of these services needs to be undertaken by experts and it is a tedious, time and cost consuming task. It requires detailed expert knowledge to match the diverse requirements of services with the present constellation of envelope, equipment and automation system in a target building. To enable the widespread deployment of these services, this knowledge-intensive task needs to be automated. Knowledge-based methods solve this task, however, their widespread adoption is hampered and solutions proposed in the past do not stick to basic principles of state of the art knowledge engineering methods. To fill this gap we present a novel methodological approach for the design of knowledge-based systems for the automated deployment of building management services. The approach covers the essential steps and best practices: (1) representation of terminological knowledge of a building and its systems based on well-established knowledge engineering methods; (2) representation and capturing of assertional knowledge on a real building portfolio based on open standards; and (3) use of the acquired knowledge for the automated deployment of building management services to increase the energy efficiency of buildings during operation. We validate the methodological approach by deploying it in a real-world large-scale European pilot on a diverse portfolio of buildings and a novel set of building management services. In addition, a novel ontology, which reuses and extends existing ontologies is presented.The authors would like to gratefully acknowledge the generous funding provided by the European Union’s Horizon 2020 research and innovation programme through the MOEEBIUS project under grant agreement No. 680517

How to Conduct Email Phishing Experiments

Õngitsusrünnete hulk on aasta-aastalt kasvanud ja ründed on muutunud keerumkamaks kui kunagi varem, põhjustades ettevõtetele rahalist kahju. Akadeemilistes ringkondades on kasvanud huvi simuleeritud õngitsusrünnete vastu, kuid uuringud keskenduvad peamiselt spetsiifilistele aspektidele, nagu näiteks eetilised kaalutlused ja mitte õngitsuseksperimendi läbiviimisele. Autor ei leidnud olemasolevate teadustööde hulgast konsolideeritud juhised,mis kirjeldaksid, kuidas viia läbi õngituskirjade eksperimenti. Käesoleva lõputöö eesmärgiks on uurida, kuidas viia läbi simuleeritud õngitsuskirjade eksperimenti ja luua konsolideeritud juhiseid, mida ettevõtted saaksid lihtsalt rakendada ettevõtte X2 näitel. Lõputöö uurimisküsimused on järgnevad: mida peaksid ettevõtted arvestama õngitsuseksperimendi läbiviimsel? Mis seos on õngitsuskirja raskusastme ja klikkimise sageduse vahel? Kuidas inimesed reageerivad simuleeritud õngitsuseksperimentidele? Antud uurimistöös kasutati nii kvantitatiivseid kui ka kvalitatiivseid meetodeid. Esiteks sai loodud konsolideeritud juhised simuleeritud õngitsuseksperimentide läbiviimiseks, mis baseeruvad eelevatel uurimustöödel. Teiseks viidi läbi õngitsuseksperiment (Eksperiment I) 53 osaleja hulgas, kasutades ristuva uuringu disaini. Töötajad jaotati juhuslikult kaheks grupiks: (Grupp K) ja (Grupp L).Neile saadeti erinevatel kuupäevadel kaks e-kirja erinevate raskusastemega: (Tüüp X) ja (Tüüp Y). Esimeses kampaanias saadeti Grupile K keerulisem kiri (Tüüp X) ja Grupile L lihtsam kiri (Tüüpi Y) ja teise kampaania ajal oli see vastupidi. Raskemad (Tüüp X) e-kirjad olid sihipärased, grammatiliselt korrektsed ja relevantse sisuga. Kergemad e-kirjad (Tüüp Y) olid üldisemad ja nähtavate grammatikavigadega. Suunatud õngitsuseksperiment (Eksperiment II) viidi läbi kahe osaleja hulgas, kasutades üksikosaleja kvaasi eksperimentaalset uurimustöö disaini. Tüüp Z e-kirjad, mis saadeti välja suunatud õngitsuseksperimendi ajal, olid personaalsed ja relevantse sisuga ning baseerusid kahe osaleja taustauuringutel. Kolmandaks kavandati ja viidi läbi kvalitatiivsed intervjuud osalejatega, kes osalesid simuleeritud õngitsusrünnetes, et uurida, kuidas nad sellistele eksperimentidele reageerivad ja parandada lähtuvalt nende tagasisidest õngituskirjade eksperimendi juhiseid. Antud uurimistöö kinnitas, et väljatöötatud juhised on piisavad, et viia läbi õngituskirjade eksperimenti ettevõttetes. Uurimistöö tulemused näitasid, et 23% töötajatest klikkisid raskemini äratuntavale e-kirjale (Tüüp X) ja 11% lihtsamini ära tuntavale e-kirjale (Tüüp Y). Lisaks raporteeriti lihtsamini ära tuntavat kirja sagedamini (22,6%) kui raskemini ära tuntavat kirja(18.9%). Suunatud õngitsuseksperiment osutus edukas ja osalejad ei saanud aru simuleeritud pettusest. Käesolev lõputöö näitab, et õngitsusrünnede edukus on suurem, kui e-kirja sisu on sihitud ja relevantne. Töötajate raporteerimise teadlikkuse tase oli madal ja üks peamisi klikkimise põhjuseid oli uudishimu. Selle uuringu tulemused viitavad sellele, et inimesed reageerivad simuleeritud õngitsusrünnetele positiivselt, kui need viiakse läbi viisil, mis ei tekita osalejatele psühholoogilist kahju või stressi.Phishing attacks are on the rise and more sophisticated than ever before inflicting major financial damage on businesses. Simulated phishing attacks are of growing interest in academia, however, the studies are mainly focusing on the specific angles of the phenomenon, e.g. ethical considerations; and not on the implementation itself. Author was not able to find consolidated guidelines that would walk through the whole process of conducting email phishing experiments. The aim of this study is to explore how to conduct simulated phishing experiments and to create consolidated guidelines that companies could easily implement on the example of Company X1. The research questions postulated for this study are: What should companies consider when conducting phishing experiments? What is the correlation between the phishing email difficulty level and the click through rate? How people react to simulated email phishing experiments? Both quantitative and qualitative research methodswere applied to find answers to the research questions. Firstly, based on the existing studies, guidelines on how to conduct phishing experiments in companies were created. Secondly, phishing experiment (Experiment I) was designed and conducted among 53 participants applying a crossover research design. The employees were randomly divided into two groups (Group K) and (Group L); and they were sent in two distinct time periods two emails whichcorresponded to the different difficulty levels (Type X and Type Y). During the first campaign Group K was sent Type X email and Group L was sent Type Y email and during the second campaign it was vice versa. Type X email messages were designed to be targeted, grammatically correct and with relevant content. Type Y email messages were designed to be general and with visible grammar mistakes. Additionally, a spear phishing experiment (Experiment II) was conducted among two participants applying a single-subject quasi-experimental research design. The third type of emails (Type Z) that were sent out during thespear phishing experiment were personalized and relevant based on the pre-conducted research about the two targets. Thirdly, qualitative interviews were designed and conducted with the employees who participated in the simulated phishing experiments to investigate how they react to such experiments and to improve the guidelines based on their feedback.This research confirmed that the proposed guidelines are sufficient for conducting phishing experiments in a company setting. The results of this research show that 23% of the employees clicked on the link embedded to the more complex (Type X) phishing email and 11% of the employees clicked on the link embedded to the simpler (Type Y) email. Furthermore, Type Y emails were reported as phishing emails more frequently (22,6%), whereas Type X, emails were reported less (18,9%). The spear phishing experiment was successful,and the participants did not recognize the deceptiveness of the simulated phishing emails.This research shows that the phishing success rate is higher when the content is targeted and relevant. The employee awareness level about reporting phishing was low and the main stimuli for clicking on phishing links was curiosity. The findings of this study imply that people react positively to phishing experiments if these are conducted in a manner that it does not pose psychological damage or distress for the participants