28 research outputs found

    Adaptive, model-based cloud computing security management

    The cloud computing model introduces novel features, resources elasticity and pay-as-you-go model, that motivate IT community to outsource their assets to cloud platforms. However, securing outsourced cloud-hosted assets is still an open issue. Cloud tenants complain from the loss-of-control, lack-of-trust, and lack-of-security-controls-adaptors problems. In this research, we introduce a novel cloud security management platform that successfully mitigates these problems. Our platform enables cloud tenants to define their security requirements, integrate their security controls, and monitor assets' security status at runtime. The platform delivers an online, automated security analysis and patching services to keep tenants' assets always secure

    SecDSVL: a domain-specific visual language to support enterprise security modelling

    Enterprise security management requires capturing different security and IT systems' details, analyzing and enforcing these security details, and improving employed security to meet new risks. Adopting structured models greatly helps in simplifying and organizing security specification and enforcement processes. However, existing security models are generally limited to specific security details and do not deliver a comprehensive security model. They also often do not have user-friendly notations, being complicated extensions of existing modeling languages (such as UML). In this paper, we introduce a comprehensive Security Domain Specific Visual Language (SecDSVL), which enables capturing of key security details to support enterprise systems security management process. We discuss our SecDSVL, tool support and the model-based enterprise security management approach it supports, give a usage example, and present evaluation experiments of SecDSVL

    Gemcitabine–oxaliplatin (GEMOX) for epithelial ovarian cancer patients resistant to platinum-based chemotherapy

    Background: Patients with platinum-resistant epithelial ovarian cancer (EOC) experience poor outcome. Currently, no clearly superior management strategy exists for platinum-resistant EOC patients. Purpose: Analyze the efficacy and safety of gemcitabine–oxaliplatin (GEMOX) in platinum resistant EOC patients. Patients and methods: Thirty-two patients with platinum-based resistant EOC were included. Studied patients had received GEM at the dose of 1000 mg/m2 on days 1 and 8 and OX 100 mg/m2 on day 1, administered over 2 h 30 min after GEM infusion of 3 week treatment cycle. Results: In the evaluation of tumor response, none of patients had achieved CR while PR, SD, were observed in 7 (21.9%), 9 (28.1%) respectively, clinical benefit (CR + PR + SD) was recorded in 50% of patients while PD was observed in 16 (50%) patients. In regard to survival, the median value of OS was 10.5 months (range, 2.2–17.5 months). The median value of PFS was 6.37 months (range, 1–17.5 months). The one-year OS rate was 34.4% and the one-year PFS rate was 12.5%. Concerning hematological toxicity grade 3 neutropenia was recorded in 4 (12.5%) patients while grade 4 febrile neutropenia was recorded in 2 (6.3%) patients and grade 4 anemia was represented by 3.1%. Grade 1–2 fatigue was the most common non-hematological toxicity and represented by 65.6% of patients. Grade 3 non hematological toxicity was recorded with nausea/vomiting and hepatic toxicity represented by 3.1% for both. Conclusion: The GEMOX combination is a regimen with a moderate therapeutic efficacy and tolerable toxic side effects in patients with platinum-resistant EOC

    HorusCML: context-aware domain-specific visual languages designer

    The objective behind building domain-specific visual languages (DSVLs) is to provide users with the most appropriate concepts and notations that best fit with their domain and experience. However, the existing DSVL designers do not support integrating environment and user context information when modeling, editing or viewing DSVL models at different locations, permissions, devices, etc. In this paper, we introduce HorusCML, a context-aware DSVL designer, which supports DSVL experts in integrating necessary context details within their DSVLs. The resultant DSVLs can reflect different facets, layouts, and behaviours according to context it is used in. We show a case study on developing a context-aware data flow diagram DSVL tool using HorusCML

    GUITAR: An ontology-based automated requirements analysis tool

    Combining goal-oriented and use case modeling has been proven to be an effective method in requirements elicitation and elaboration. However, current requirements engineering approaches generally lack reliable support for automated analysis of such modeled artifacts. To address this problem, we have developed GUITAR, a tool which delivers automated detection of incorrectness, incompleteness and inconsistency between artifacts. GUITAR is based on our goal-use case integration meta-model and ontologies of domain knowledge and semantics. GUITAR also provides comprehensive explanations for detected problems and can suggest resolution alternatives

    MDSE@R: model-driven security engineering at runtime

    New security threats arise frequently and impact on enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new unanticipated security requirements that arise at runtime. We describe a new approach - Model Driven Security Engineering at Runtime (MDSE@R) - enabling security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capturing system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merger of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) are used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it in securing an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R on a set of open source applications

    Adaptable, model-driven security engineering for SaaS cloud-based applications

    Software-as-a-service (SaaS) multi-tenancy in cloud-based applications helps service providers to save cost, improve resource utilization, and reduce service customization and maintenance time. This is achieved by sharing of resources and service instances among multiple "tenants" of the cloud-hosted application. However, supporting multi-tenancy adds more complexity to SaaS applications required capabilities. Security is one of these key requirements that must be addressed when engineering multi-tenant SaaS applications. The sharing of resources among tenants - i.e. multi-tenancy - increases tenants' concerns about the security of their cloud-hosted assets. Compounding this, existing traditional security engineering approaches do not fit well with the multi-tenancy application model where tenants and their security requirements often emerge after the applications and services were first developed. The resultant applications do not usually support diverse security capabilities based on different tenants' needs, some of which may change at run-time i.e. after cloud application deployment. We introduce a novel model-driven security engineering approach for multi-tenant, cloud-hosted SaaS applications. Our approach is based on externalizing security from the underlying SaaS application, allowing both application/service and security to evolve at runtime. Multiple security sets can be enforced on the same application instance based on different tenants' security requirements. We use abstract models to capture service provider and multiple tenants' security requirements and then generate security integration and configurations at runtime. We use dependency injection and dynamic weaving via Aspect-Oriented Programming (AOP) to integrate security within critical application/service entities at runtime. We explain our approach, architecture and implementation details, discuss a usage example, and present an evaluation of our approach on a set of open source web applications

    Adaptive security management in SaaS applications

    Despite the potential benefits, cost savings and revenues that can be gained from adopting the cloud computing model, a downside is that it increases malicious attackers’ interest and ability to find vulnerabilities to exploit in cloud software and/or infrastructure

    Supporting automated software re-engineering using re-aspects

    System maintenance, including omitting an existing system feature e.g. buggy or vulnerable code, or modifying existing features, e.g. replacing them, is still very challenging. To address this problem we introduce the 're-aspect' (re-engineering aspect), inspired from traditional AOP. A re-aspect captures system modification details including signatures of entities to be updated; actions to apply including remove, modify, replace, or inject new code; and code to apply. Re-aspects locate entities to update, entities that will be impacted by the given update, and finally propagate changes on the system source code. We have applied our re-aspects technique to the security re-engineering problem and evaluated it on a set of open source .NET applications to demonstrate its usefulness