Showing papers presented at "International Conference on Emerging Security Information, Systems and Technologies in 2013"

Incremental certification of cloud services

Abstract: Cloud is becoming fast a critical infrastructure. However, several recent incidents regarding the security of cloud services clearly demonstrate that security rightly remains one of the major concerns of enterprises and the general public regarding the use of the cloud. Despite advancements of research related to cloud security, we are still not in a position to provide a systematic assessment of cloud security based on real operational evidence. As a step towards addressing this problem, in this paper, we propose a novel approach for certifying the security of cloud services. Our approach is based on the incremental certification of security properties for different types of cloud services, including IaaS, PaaS and SaaS services, based on operational evidence from the provision of such services gathered through continuous monitoring. An initial implementation of this approach is presented.

Risk-based Dynamic Access Control for a Highly Scalable Cloud Federation

Abstract: Cloud Computing is already a successful paradigm for distributed computing and is still growing in popularity. However, many problems still linger in the application of this model and some new ideas are emerging to help leverage its features even further. One of these ideas is the cloud federation, which is a way of aggregating different clouds to enable the sharing of resources and increase scalability and availability. One of the great challenges in the deployment of cloud federations is Identity and Access Management. This issue is usually solved by the creation of identity federations, but this approach is not optimal. In this paper, we propose an access control system for a highly scalable cloud federation. The presented system is dynamic and risk-based, allowing the use of cloud federations without the need of identity federations. We also present results of a prototype implementation and show that it is scalable and flexible enough to meet the requirements of this highly dynamic and heterogeneous environment.

Security and Confidentiality Solutions for Public Cloud Database Services

Abstract: The users perception that the confidentiality of their data is endangered by internal and external attacks is limiting the diffusion of public cloud database services. In this context, the use of cryptography is complicated by high computational costs and restrictions on supported SQL operations over encrypted data. In this paper, we propose an architecture that takes advantage of adaptive encryption mechanisms to guarantee at runtime the best level of data confidentiality for any type of SQL operation. We demonstrate through a large set of experiments that these encryption schemes represent a feasible solution for achieving data confidentiality in public cloud databases, even from a performance point of view. Keywords-Cloud; Database; Confidentiality; Adaptivity; Encryption

Efficient Image Encryption and Authentication Scheme Based on Chaotic Sequences

Abstract: Many image encryption algorithms based on chaos have been proposed since 1989. Most of them are slow and use a secret key of encryption/decryption independent of the plain image. We introduce a new fast and secure image encryption and authentication scheme based on the chaotic sequences. The main structure of the proposed algorithm consists of two layers (substitution and permutation) for encryption and decryption image values, and two components: a hash function and a chaotic generator. The hash function generate the secret key of the chaotic generator that provides the dynamic keys for the substitution-permutation layers, while the secret hash key is used to authenticate the decrypted image. The proposed algorithm is at least ten times faster than the AES (Advanced Encryption Standard) algorithm and faster than many chaosbased encryption algorithms of the literature. Furthermore, it is very secure against chosen/known plaintext and statistical attacks because the key of the chaotic generator is dependent on the plain-image. Simulation results show that the efficient performance is reached in only one round. KeywordsChaos-based cryptosystem; Image encryption/authentication algorithm; Chaoti cgenerator; security analysis.

Detecting Social-Network Bots Based on Multiscale Behavioral Analysis

Abstract: Social network services have become one of the dominant human communication and interaction paradigms. However, the emergence of highly stealth attacks perpetrated by bots in social-networks lead to an increasing need for efficient detection methodologies. The bots objectives can be as varied as those of traditional human criminality by acting as agents of multiple scams. Bots may operate as independent entities that create fake (extremely convincing) profiles or hijack the profile of a real person using his infected computer. Detecting social networks bots may be extremely difficult by using human common sense or automated algorithms that evaluate social relations. However, bots are not able to fake the characteristic human behavior interactions over time. The pseudo-periodicity mixed with random and sometimes chaotic actions characteristic of human behavior is still very difficult to emulate/simulate. Nevertheless, this human uniqueness is very easy to differentiate from other behavioral patterns. As so, novel behavior analysis and identification methodologies are necessary for an accurate detection of social network bots. In this work, we propose a new paradigm that, by jointly analyzing the multiple scales of users’ interactions within a social network, can accurately discriminate the characteristic behaviors of humans and bots within a social network. Consequently, different behavior patterns can be built for the different social network bot classes and typical humans interactions, enabling the accurate detection of one of most recent stealth Internet threats.

BSPL: A Language to Specify and Compose Fine-grained Information Flow Policies

Abstract: We tackle the problem of operating systems security. The seriousness of the vulnerabilities in today’s software underlines the importance of using a monitor at the operating system level to check the legality of operations executed by (un)trusted software. Information flow control is one way to track the propagation of information in order to raise an alert when a suspicious flow, consequence of an attack, occurs. We propose here BSPL, a language to specify a fine-grained information flow policy. We present how BSPL enables to precisely specify the expected behavior of applications relatively to sensitive pieces of information. We also propose a way to compose such information flow policies. Keywords—Information flow policies, specification language, composition of information flow policies

Identifying Suitable Attributes for Security and Dependability Metrication

Abstract: In this paper, we suggest a framework for security and dependability metrics that is based on a number of non-functional system attributes. The attributes are the traditional security attributes (the "CIA") and a set of dependability attributes. Based on a system model, we group those attributes into protective attributes and behavioural attributes and propose that metrication should be done in accordance. We also discuss the dependence between these two sets of attributes and how it affects the corresponding metrics. The metrics themselves are only defined to a limited degree. The concepts of security and dependability largely reflect the same basic system meta-property and are partly overlapping. We claim that the suggested approach will facilitate making quantitative assessment of the integrated concept of security and dependability as reflected by those attributes. There exists a large number of suggestions for how to measure (or metricate) security, with different goals and objectives. The application areas range from business management and organizational systems to large software systems. The approaches may be theoretical, technical, administrative or practical. In many cases, the goal is to find a single overall metric of security. Given that security is a complex and multi-faceted property, we believe that there are fundamental problems to find such an overall metric. In this paper, we suggest a restricted view on security (29) as being only the integrity attribute of the dependability- security concept. Thus, we start out from a conceptual system model that integrates security and dependability. Other approaches have been suggested, e.g., by emphasizing the uncertainty dimension (11) or using ontologies (25). Further, an excellent overview and classification is given in (33). Our model is an input-output model in the sense that it describes a system's interaction with its environment via the system boundaries (15, 38). The model identifies the main attributes of security and dependability. It clarifies the relation between malicious environmental influence on the input side and the service output to the users of the system. Based on the model we regroup the traditional security and dependability attributes into protective attributes and behavioural attributes. We argue that metrics for dependability and security attributes can be defined in accordance. Thus, protective attributes can be metricated by protective metrics and the behavioural attributes by behavioural metrics as originally proposed in a short paper (31). Here, we extend and detail this original proposal. Also, we apply a metrication process perspective and discuss the system-related dependencies between different types of metrics. This approach is different from existing approaches to clearly relate the metrics to system input and output attributes and to address the impact of latency aspects. In the following, Section II gives a brief summary of traditional security and dependability attributes. Section III describes the security model. The three defence lines in the model are described in Section IV as well as the causal relationship between the impairments in the system model. In Section V, security metrication according to the model is suggested. Section VI discusses the dependence between protective and behavioural metrics and Section VII briefly describes some benefits with our approach. Finally, we conclude the paper in Section VIII.

Firewalls usability: An experiment investigating the usability of personal firewalls

Abstract: Poor usability of IT security systems and applications represents a serious security vulnerability, which can be exploited to compromise systems that otherwise could be considered technically secure. This problem is of particular concern with the huge number of users regularly connecting to the Internet but who know very little about the principles of IT security. Personal firewalls are important security mechanisms for protecting users against Internet security threats. However, the knowledge and skills required to effectively operate some aspects of a personal firewall may surpass the capability of the average user. In previous work, we conducted a usability evaluation of personal firewall by cognitive walkthrough against a set of security usability principles. We concluded that there are many usability issues of personal firewalls that can cause security vulnerabilities. In this paper, we report the results of a practical usability experiment with participants using commercial firewalls in a controlled environment. The experiment setup is described and participants’ feedback and behaviour are analysed to evaluate the impact of usability of a modern firewall on the overall security of personal workstations. Keywords–Usability; Security; Firewalls.

Semantic Matching of Security Policies to Support Security Experts

Abstract: — Management of security policies has become increasingly difficult given the number of domains to manage, taken into consideration their extent and their complexity. Security experts has to deal with a variety of frameworks and specification languages used in different domains that may belong to any Cloud Computing or Distributed Systems. This wealth of frameworks and languages make the management task and the interpretation of the security policies so difficult. Each approach provides its own conflict management method or tool, the security expert will be forced to manage all these tools, which makes the field maintenance and time consuming expensive. In order to hide this complexity and to facilitate some security expert ’s tasks and automate the others, we propose a security policies aligning based on ontologies process; this process enables to detect and resolve security policies conflicts and to support security experts in managing tasks.