
Risk assessment of the Naval Postgraduate School gigabit network

Shumaker, Todd; Rowlands, Dennis
Source: Monterey, California. Naval Postgraduate School; Publisher: Monterey, California. Naval Postgraduate School
Type: Doctoral thesis
Approved for public release; distribution is unlimited; This research thoroughly examines the current Naval Postgraduate School Gigabit Network security posture, identifies any possible threats or vulnerabilities, and recommends any appropriate safeguards that may be necessary to counter the found threats and vulnerabilities. The research includes any portion of computer security, physical security, personnel security, and communication security that may be applicable to the overall security of both the .mil and .edu domains. The goal of the research was to ensure that the campus network is operating with the proper amount of security safeguards to protect the confidentiality, integrity, availability, and authenticity adequately from both insider and outsider threats. Risk analysis was performed by assessing all of the possible threat and vulnerability combinations to determine the likelihood of exploitation and the potential impact the exploitation could have on the system, the information, and the mission of the Naval Postgraduate School. The results of the risk assessment performed on the network are to be used by the Designated Approving Authority of the Naval Postgraduate School Gigabit network when deciding whether to accredit the system.

The characteristics of user-generated passwords

Sawyer, Darren Antwon
Source: Monterey, California: Naval Postgraduate School; Publisher: Monterey, California: Naval Postgraduate School
Type: Doctoral thesis; Format: viii, 100 p.
Approved for public release; distribution is unlimited. The most widely used mechanism for access control to information systems is passwords. Passwords can be machine-generated using a list of words stored in a memory bank, machine-generated using a sophisticated algorithm to create a pseudo-random combination of characters, or they can be user-generated. User-generated passwords typically take on the characteristics of some type of meaningful detail that is simple in structure and easy to remember. Memorability and security pose a difficult trade-off in password generation. A system security administrator wants passwords that are unpredictable, frequently changed and provide the greatest degree of system security achievable, while users want passwords that are simple and easy to remember. When they become difficult to remember they are likely to be written down. Once written down, a compromise to security occurs because users tend to store them in insecure places. This thesis looks at user-generated password characteristics. Of particular interest is how password selection, memorability and predictability are affected by the number of characters in a password, the importance and sensitivity of a user's data, a user's work location...

The Algorithm Analysis of E-Commerce Security Issues for Online Payment Transaction System in Banking Technology

Barskar, Raju; Deen, Anjana Jayant; Bharti, Jyoti; Ahmed, Gulfishan Firdose
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 24/05/2010
E-commerce offers the banking industry great opportunity, but also creates a set of new risks and vulnerabilities such as security threats. Information security, therefore, is an essential management and technical requirement for any efficient and effective payment transaction activities over the internet. Still, its definition is a complex endeavor due to constant technological and business change, and requires a coordinated match of algorithms and technical solutions. E-commerce is not appropriate to all business transactions and, within e-commerce, there is no one technology that can or should be appropriate to all requirements. E-commerce is not a new phenomenon: electronic markets, electronic data interchange and customer e-commerce have existed for some time, with electronic data interchange used as a universal and non-proprietary way of doing business. In electronic transactions, security is the most important concern for enhancing banking transaction security via payment transactions. Comment: IEEE Publication format, International Journal of Computer Science and Information Security, IJCSIS, Vol. 8 No. 1, April 2010, USA. ISSN 1947 5500, http://sites.google.com/site/ijcsis/

A Survey on Wireless Sensor Network Security

Sen, Jaydip
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 05/11/2010
Wireless sensor networks (WSNs) have recently attracted a lot of interest in the research community due to their wide range of applications. Due to the distributed nature of these networks and their deployment in remote areas, these networks are vulnerable to numerous security threats that can adversely affect their proper functioning. This problem is more critical if the network is deployed for some mission-critical application such as a tactical battlefield. Random failure of nodes is also very likely in real-life deployment scenarios. Due to resource constraints in the sensor nodes, traditional security mechanisms with a large overhead of computation and communication are infeasible in WSNs. Security in sensor networks is, therefore, a particularly challenging task. This paper discusses the current state of the art in security mechanisms for WSNs. Various types of attacks are discussed and their countermeasures presented. A brief discussion on the future direction of research in WSN security is also included. Comment: 24 pages, 4 figures, 2 tables

Optimizing the Replay Protection at the Link Layer Security Framework in Wireless Sensor Networks

Jinwala, Devesh C.; Patel, Dhiren R.; Patel, Sankita; Dasgupta, Kankar S.
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 21/03/2012
Ensuring communications security in Wireless Sensor Networks (WSNs) is vital because the security protocols therein should be devised to work at the link layer. Theoretically, any link layer security protocol must support three vital security attributes, viz. confidentiality, message integrity and replay protection. However, in order to ensure lesser overhead, replay protection is often not incorporated as part of the link layer security framework. We argue here that it is essential to implement replay protection at the link layer only, and devise a simple scheme to do so. We first survey the common approaches to ensuring replay protection in conventional networks. We also implement the conventional algorithms for replay protection using the link layer framework for WSNs, viz. TinySec, as the underlying platform. Subsequently, analyzing their limitations, we propose a novel Bloom-filter based replay protection algorithm for unicast communications. We show that our algorithm is better than the other contemporary approaches for ensuring replay protection in unicast communications in WSNs. Comment: 12 pages, accepted for publication in International Journal of Computer Science, IAENG Publication - BUT NOT PUBLISHED
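The two styles of replay check the abstract contrasts, as an added example that is not code from the paper or from TinySec: a conventional per-sender sliding-window check beside a Bloom-filter check over (sender, counter) pairs. The frame trace, the filter size (1024 bits) and the hash count (4) are constructed for illustration, and the paper's own algorithm is not reproduced here. What the Bloom filter shows is the property a practitioner has to weigh: it never misses a genuine replay, but it can reject a fresh frame, and its false-positive rate grows with the number of frames inserted, so it has to be cleared at re-keying or a similar epoch boundary.

```python
"""Two replay checks for unicast link-layer frames.

Added example, not code from the Jinwala et al. paper or from TinySec.
Frame identity is assumed to be the pair (sender, counter); the filter
size, hash count and the frame trace below are illustrative choices.
"""
import hashlib
import math


class WindowReplayCheck:
    """Conventional check: per-sender highest counter plus a sliding bitmap
    of recently seen counters (the IPsec-style anti-replay window)."""

    def __init__(self, window_bits=32):
        self.window_bits = window_bits
        self.mask = (1 << window_bits) - 1
        self.state = {}  # sender -> (highest counter seen, bitmap)

    def accept(self, sender, counter):
        highest, bitmap = self.state.get(sender, (-1, 0))
        if counter > highest:
            shift = counter - highest
            # Bit i means "counter highest-i was seen"; slide the window up.
            bitmap = (bitmap << shift) & self.mask if shift < self.window_bits else 0
            self.state[sender] = (counter, bitmap | 1)
            return True
        offset = highest - counter
        if offset >= self.window_bits:
            return False  # older than the window: cannot judge, so reject
        if bitmap & (1 << offset):
            return False  # counter already seen: replay
        self.state[sender] = (highest, bitmap | (1 << offset))
        return True


class BloomReplayFilter:
    """Bloom-filter check: remember every accepted (sender, counter) in m bits
    using k hash positions. No per-sender state and no ordering assumption,
    but a fresh frame can collide with earlier ones and be rejected (false
    positive). A real replay is never accepted (no false negatives)."""

    def __init__(self, m_bits=1024, k=4):
        self.m = m_bits
        self.k = k
        self.bits = 0
        self.inserted = 0

    def _positions(self, sender, counter):
        # Kirsch-Mitzenmacher double hashing over the two halves of SHA-256.
        digest = hashlib.sha256(f"{sender}:{counter}".encode()).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def accept(self, sender, counter):
        positions = self._positions(sender, counter)
        if all((self.bits >> p) & 1 for p in positions):
            return False  # all k bits set: replay (or a false positive)
        for p in positions:
            self.bits |= 1 << p
        self.inserted += 1
        return True

    def false_positive_rate(self):
        """Textbook estimate (1 - e^{-kn/m})^k for n inserted frames; the
        reason the filter must be cleared at re-keying before it saturates."""
        return (1 - math.exp(-self.k * self.inserted / self.m)) ** self.k


def run_trace():
    """Constructed trace of (sender, counter) frames: (7, 3) and (9, 1) each
    arrive twice, and (7, 4) arrives out of order after (7, 5)."""
    trace = [(7, 1), (7, 2), (7, 3), (9, 1), (7, 3), (7, 5), (7, 4), (9, 1)]
    window, bloom = WindowReplayCheck(), BloomReplayFilter()
    window_verdicts = [window.accept(s, c) for s, c in trace]
    bloom_verdicts = [bloom.accept(s, c) for s, c in trace]
    return window_verdicts, bloom_verdicts, bloom.false_positive_rate()


if __name__ == "__main__":
    print(run_trace())
```

Both checks reject the two repeated frames and accept the out-of-order (7, 4), but they pay differently for it: the window keeps a counter and bitmap per sender and cannot judge a frame that falls behind the window, while the Bloom filter keeps one shared bit array whose false-positive rate is a function of how many frames it has absorbed since it was last cleared.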

Reliable Process for Security Policy Deployment

Preda, Stere; Cuppens-Boulahia, Nora; Cuppens, Frederic; Garcia-Alfaro, Joaquin; Toutain, Laurent
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 08/05/2009
We focus in this paper on the problem of configuring and managing network security devices, such as Firewalls, Virtual Private Network (VPN) tunnels, and Intrusion Detection Systems (IDSs). Our proposal is the following. First, we formally specify the security requirements of a given system by using an expressive access control model. As a result, we obtain an abstract security policy, which is free of ambiguities, redundancies or unnecessary details. Second, we deploy such an abstract policy through a set of automatic compilations into the security devices of the system. This proposed deployment process not only simplifies the security administrator's job, but also guarantees a resulting configuration free of anomalies and/or inconsistencies.; Comment: 12 pages

Security and Privacy Challenges in Cognitive Wireless Sensor Networks

Sen, Jaydip
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 09/02/2013
Wireless sensor networks (WSNs) have attracted a lot of interest in the research community due to their potential applicability in a wide range of real-world practical applications. However, due to their distributed nature, their deployment in critical applications without human intervention, and the sensitivity and criticality of the data communicated, these networks are vulnerable to numerous security and privacy threats that can adversely affect their performance. These issues become even more critical in cognitive wireless sensor networks (CWSNs), in which the sensor nodes have the capability of changing their transmission and reception parameters according to the radio environment in which they operate, in order to achieve reliable and efficient communication and optimum utilization of the network resources. This chapter presents a comprehensive discussion of the security and privacy issues in CWSNs by identifying various security threats in these networks and various defense mechanisms to counter these vulnerabilities. Various types of attacks on CWSNs are categorized under different classes based on their nature and targets, and corresponding to each attack class, appropriate security mechanisms are also discussed. Some critical research issues on security and privacy in CWSNs are also identified. Comment: 36 pages...

Cloud Computing Security in Business Information Systems

Ristov, Sasko; Gusev, Marjan; Kostoska, Magdalena
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 05/04/2012
Cloud computing providers' and customers' services are not only exposed to existing security risks but, due to multi-tenancy, outsourcing of applications and data, and virtualization, they are exposed to emergent ones as well. Therefore, both cloud providers and customers must establish an information security system and trust in each other, as well as with end users. In this paper we analyze the main international and industrial standards targeting information security and their conformity with cloud computing security challenges. We find that almost all main cloud service providers (CSPs) are ISO 27001:2005 certified, at minimum. As a result, we propose an extension to the ISO 27001:2005 standard with a new control objective about virtualization, which remains generic regardless of a company's type, size and nature, that is, applicable to cloud systems as well, where virtualization is the baseline. We also define a quantitative metric and evaluate the importance factor of ISO 27001:2005 control objectives when customer services are hosted on-premise or in the cloud. The conclusion is that obtaining the ISO 27001:2005 certificate (or already holding it) will further improve CSP and CC information security systems and introduce mutual trust in cloud services, but will not cover all relevant issues. In this paper we also continue our efforts in business continuity detriments cloud computing produces...

Toward a Research Software Security Maturity Model

Heiland, Randy; Thomas, Betsy; Welch, Von; Jackson, Craig
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 06/09/2013
In its Vision and Strategy for Software for Science, Engineering, and Education the NSF states that it will invest in activities that: "Recognize that software strategies must include the secure and reliable deployment and operation of services, for example by campuses or national facilities or industry, where identity, authentication, authorization and assurance are crucial operational capabilities." and "Result in high-quality, usable, secure, vulnerability-free, sustainable, robust, well-tested, and maintainable/evolvable software; and which promotes the sustainability of solid and useful on-going investments." Such statements evidence that security should indeed be a first-class consideration of the software ecosystem. In this position paper, we share some thoughts related to research software security. Our thoughts are based on the observation that security is not a binary, all-or-nothing attribute, but a range of practices and requirements depending on how the software is expected to be deployed and used. We propose that the community leverage the concept of a maturity model, and work to agree on a research software security maturity model. This model would categorize different sets of security needs of the deployment community...

HyperForce: Hypervisor-enForced Execution of Security-Critical Code

Gadaleta, Francesco; Nikiforakis, Nick; Muhlberg, Jan Tobias; Joosen, Wouter
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 22/05/2014
The sustained popularity of the cloud and cloud-related services accelerates the evolution of virtualization-enabling technologies. Modern off-the-shelf computers are already equipped with specialized hardware that enables a hypervisor to manage the simultaneous execution of multiple operating systems. Researchers have proposed security mechanisms that operate within such a hypervisor to protect the virtualized operating systems from attacks. These mechanisms improve in security over previous techniques since the defense system is no longer part of an operating system's attack surface. However, due to constant transitions between the hypervisor and the operating systems, these countermeasures typically incur a significant performance overhead. In this paper we present HyperForce, a framework which allows the deployment of security-critical code in a way that significantly outperforms previous in-hypervisor systems while maintaining similar guarantees with respect to security and integrity. HyperForce is a hybrid system which combines the performance of an in-guest security mechanism with the security of an in-hypervisor one. We evaluate our framework by using it to re-implement an invariance-based rootkit detection system and show the performance benefits of a HyperForce-utilizing countermeasure. Comment: 12 pages...

Towards a Security Lifecycle Model against Social Engineering Attacks: SLM-SEA

Mataracioglu, Tolga; Ozkan, Sevgi; Hackney, Ray
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 09/07/2015
This research considers the impact of social engineering security attacks which are noted as taking opportunities for critically exploiting user awareness and behavior. The research proposes in this respect a managerial method in an attempt to enhance or even ensure protection. The aim of this study is to construct a security lifecycle model against these eventualities and to analyze the test results that have been carried out within the context of the Turkish public sector. The main objective of the study is to determine why employees shared sensitive information by stating fallacies and related amendments through interviews and thus to understand user actions when they are face to face with a real social engineering attack. The research findings demonstrate that employees in Turkish public organizations are not sufficiently aware of information security and they generally ignore critically important security procedures. This represents an important illustration of the increasing need for further generalized user awareness and responsibilities where individuals and not simply software form a critical element of the security protection portfolio.

Enhancing the Security of Protocols against Actor Key Compromise Problems

Ma, Jing; Zhang, Wenhui
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 11/07/2015
Security of complex systems is an important issue in software engineering. For complex computer systems involving many actors, security protocols are often used for the communication of sensitive data. Actor key compromise (AKC) denotes a situation where the long-term secret key of an actor may be known to an adversary for some reasons. Many protocols are not secure enough for ensuring security in such a situation. In this paper, we further study this problem by looking at potential types of attacks, defining their formal properties and providing solutions to enhance the level of security. As case studies, we analyze the vulnerabilities (with respect to potential AKC attacks) of practical protocols, including PKMv2RSA and Kerberos, and provide solutions to enhance the level of security of such protocols.; Comment: 14 pages, 4 figures

Statistical Analysis of Privacy and Anonymity Guarantees in Randomized Security Protocol Implementations

Jha, Susmit
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 27/06/2009
Security protocols often use randomization to achieve probabilistic non-determinism. This non-determinism, in turn, is used in obfuscating the dependence of observable values on secret data. Since the correctness of security protocols is very important, formal analysis of security protocols has been widely studied in the literature. Randomized security protocols have also been analyzed using formal techniques such as process calculi and probabilistic model checking. In this paper, we consider the problem of validating implementations of randomized protocols. Unlike previous approaches, which treat the protocol as a white box, our approach tries to verify an implementation provided as a black box. Our goal is to infer the secrecy guarantees provided by a security protocol through statistical techniques. We learn the probabilistic dependency of the observable outputs on secret inputs using a Bayesian network. This is then used to approximate the leakage of the secret. In order to evaluate the accuracy of our statistical approach, we compare our technique with the probabilistic model checking technique on two examples: the crowds protocol and the dining cryptographers protocol.
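The black-box measurement the abstract describes, as an added example that is not the paper's code: a three-party dining cryptographers protocol is driven as a black box, the empirical mutual information between the secret (which party paid) and an outsider's view (the three announced bits) is computed from samples, and a deliberately broken variant that forgets to apply the shared coins shows the estimate jumping to the full entropy of the secret. The party count, sample size and seed are arbitrary choices, and the estimator is plain plug-in mutual information rather than the Bayesian-network learning the paper uses.

```python
"""Black-box leakage estimate for a randomized protocol implementation.

Added example, not the paper's code. A three-party dining cryptographers
protocol is driven as a black box; the empirical mutual information between
the secret (which party paid) and the outsider's view (the three announced
bits) approximates the leakage. Party count, sample size and seed are
arbitrary choices, and the estimator is plug-in mutual information, not the
Bayesian-network learning the paper uses.
"""
import math
import random
from collections import Counter

PARTIES = 3


def dc_round(payer, rng, broken=False):
    """One protocol round. Coin i is shared by parties i and i+1; party i
    announces coin[i] XOR coin[i-1], flipping the bit if it is the payer.
    With broken=True the implementation forgets the coins and announces the
    raw payment bit: a bug the outsider's view will expose."""
    coins = [rng.randrange(2) for _ in range(PARTIES)]
    announcements = []
    for i in range(PARTIES):
        paid = 1 if i == payer else 0
        if broken:
            announcements.append(paid)
        else:
            announcements.append(coins[i] ^ coins[i - 1] ^ paid)
    return tuple(announcements)


def public_result(announcements):
    """The intended output: XOR of all announcements, 1 iff someone paid.
    Every coin appears in two announcements and cancels, so only the payment
    bits remain."""
    result = 0
    for bit in announcements:
        result ^= bit
    return result


def mutual_information(pairs):
    """Plug-in estimate of I(S;O) in bits from (secret, observable) samples."""
    n = len(pairs)
    joint = Counter(pairs)
    p_s = Counter(s for s, _ in pairs)
    p_o = Counter(o for _, o in pairs)
    return sum(
        (c / n) * math.log2((c / n) / ((p_s[s] / n) * (p_o[o] / n)))
        for (s, o), c in joint.items()
    )


def estimate_leakage(broken=False, samples=20000, seed=1):
    """Treat dc_round as a black box: pick a uniformly random payer, run a
    round, record (payer, announcements), and estimate how many bits of the
    payer's identity the announcements carry. Near 0 means the observer
    learns nothing beyond the public result; near log2(3) means it learns
    the payer outright."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(samples):
        payer = rng.randrange(PARTIES)
        pairs.append((payer, dc_round(payer, rng, broken)))
    return mutual_information(pairs)


if __name__ == "__main__":
    print("secure :", round(estimate_leakage(), 4), "bits")
    print("broken :", round(estimate_leakage(broken=True), 4), "bits")
```

For the correct protocol the announcements are uniform over the four odd-parity vectors whatever the payer, so the estimate sits at the small positive bias a plug-in estimator has on finite samples; for the broken variant the announcements determine the payer, so the estimate equals the empirical entropy of the secret, about 1.58 bits. The same harness applies to any implementation that can be driven with a chosen secret and observed from outside, which is the point of testing the binary rather than a model of it.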

A First Look at Firefox OS Security

Defreez, Daniel; Shastry, Bhargava; Chen, Hao; Seifert, Jean-Pierre
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 28/10/2014
With Firefox OS, Mozilla is making a serious push for an HTML5-based mobile platform. In order to assuage security concerns over providing hardware access to web applications, Mozilla has introduced a number of mechanisms that make the security landscape of Firefox OS distinct from both the desktop web and other mobile operating systems. From an application security perspective, the two most significant of these mechanisms are the introduction of a default Content Security Policy and code review in the market. This paper describes how lightweight static analysis can augment these mechanisms to find vulnerabilities which have otherwise been missed. We provide examples of privileged applications in the market that contain vulnerabilities that can be automatically detected. In addition to these findings, we show some of the challenges that occur when desktop software is repurposed for a mobile operating system. In particular, we argue that the caching of certificate overrides across applications, a known problem in Firefox OS, generates a counter-intuitive user experience that detracts from the security of the system. Comment: In Proceedings of the Third Workshop on Mobile Security Technologies (MoST) 2014 (http://arxiv.org/abs/1410.6674)

A Predictive Framework for Cyber Security Analytics using Attack Graphs

Abraham, Subil; Nair, Suku
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 04/02/2015
Security metrics serve as a powerful tool for organizations to understand the effectiveness of protecting computer networks. However, the majority of these measurement techniques do not adequately help corporations to make informed risk management decisions. In this paper we present a stochastic security framework for obtaining quantitative measures of security by taking into account the dynamic attributes associated with vulnerabilities that can change over time. Our model is novel, as existing research in attack graph analysis does not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches, which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time-dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network. Comment: 17 pages...

Security Assessment of Software Design using Neural Network

Adebiyi, A.; Arreymbi, Johnnes; Imafidon, Chris
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 08/03/2013
Security flaws in software applications today have been attributed mostly to design flaws. With limited budget and time to release software into the market, many developers often consider security as an afterthought. Previous research shows that integrating security into software applications at a later stage of the software development lifecycle (SDLC) has been found to be more costly than when it is integrated during the early stages. To assist in the integration of security early in the SDLC stages, a new approach for assessing security during the design phase by a neural network is investigated in this paper. Our findings show that by training a back-propagation neural network to identify attack patterns, possible attacks can be identified from design scenarios presented to it. The result of the performance of the neural network is presented in this paper. Comment: 7 pages, 1 figure, 4 tables, (IJARAI) International Journal of Advanced Research in Artificial Intelligence, Vol. 1(4), 2012, pp. 1-7, ISSN: 2165-4069 (Online), ISSN: 2165-4050 (Print)

Security Aware Mobile Web Service Provisioning

Srirama, Satish Narayana; Jarke, Matthias; Prinz, Wolfgang; Pendyala, Kiran
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 21/07/2010
Mobile data services in combination with profluent web services are seemingly the path-breaking domain in current information research. Effectively, these mobile web services will pave the way for exciting performance and security challenges, the core need-to-be-addressed issues. On the security front, though a lot of standardized security specifications and implementations exist for web services in wired networks, not much has been analysed and standardized in wireless environments. This paper addresses some of the critical challenges in providing security to the mobile web service domain. We first explore mobile web services and their key security issues, with special focus on provisioning based on a mobile web service provider realized by us. Later we discuss state-of-the-art security awareness in wired and wireless web services, and finally address the realization of security for mobile web service provisioning with performance analysis results. Comment: Proceedings of International Conference for Internet Technology and Secured Transactions (ICITST-2006), September 11-13, 2006, pp. 48-56. Published by e.Centre for Infonomics, ISBN 0-9546628-2-2

Security Incident Response Criteria: A Practitioner's Perspective

Grispos, George; Glisson, William Bradley; Storer, Tim
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 11/08/2015
Industrial reports indicate that security incidents continue to inflict large financial losses on organizations. Researchers and industrial analysts contend that there are fundamental problems with existing security incident response process solutions. This paper presents the Security Incident Response Criteria (SIRC) which can be applied to a variety of security incident response approaches. The criteria are derived from empirical data based on in-depth interviews conducted within a Global Fortune 500 organization and supporting literature. The research contribution of this paper is twofold. First, the criteria presented in this paper can be used to evaluate existing security incident response solutions and second, as a guide, to support future security incident response improvement initiatives.; Comment: The 21st Americas Conference on Information Systems (AMCIS 2015), Puerto Rico, USA. http://aisel.aisnet.org/amcis2015/ISSecurity/GeneralPresentations/35/. August 13-15, 2015

Simulating Side Information: Better Provable Security for Leakage Resilient Stream Ciphers

Skorski, Maciej
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Given a distribution $X$, any correlated information $Z$ can be represented as a randomized function of $X$. However, it might be \emph{extremely inefficient} when: (a) it involves a lot of computations or (b) a huge amount of auxiliary randomness is required. We study this problem in the computational setting, where \emph{efficiently simulating} $Z$ from $X$ becomes possible, if we accept some mistakes and care only about a restricted class of adversaries. We prove the following result: for any $X\in\{0,1\}^n$, any correlated $Z\in\{0,1\}^\ell$ and every choice of $(\epsilon,s)$ there is a randomized $h:\{0,1\}^n\rightarrow \{0,1\}^\ell$ of complexity $O(s\cdot 2^{2\ell}\epsilon^{-2})$ such that $Z$ and $h(X)$ are $(\epsilon,s)$-indistinguishable given $X$. This is better than in the original proof of Pietrzak and Jetchev (TCC'14) and much better for some practically interesting settings than the alternative bound due to Vadhan and Zheng (CRYPTO'13). Our approach is also simpler and modular (the standard min-max theorem combined with an $L_2$-approximation argument). As an application we give a better security analysis for the leakage-resilient stream cipher from EUROCRYPT'09, increasing (at any security level) the maximal leakage length by $33\%$. As a contribution of independent interests...

Balancing the Demands of Reliability and Security with Linear Network Coding in Optical Networks

Engelmann, Anna; Jukan, Admela
Source: Cornell University; Publisher: Cornell University
Type: Journal article
Published 23/10/2015
Recently, physical layer security in the optical layer has gained significant traction. Security threats in optical networks generally impact the reliability of optical transmission. Linear Network Coding (LNC) can protect from both the security threat in the form of eavesdropping and faulty transmission due to jamming. LNC can mix original data to become incomprehensible for an attacker and also extend original data by coding redundancy, thus protecting data from errors injected via jamming attacks. In this paper, we study the effectiveness of LNC to balance reliable transmission and security in optical networks. To this end, we combine the coding process with data flow parallelization at the source and propose and compare optimal and randomized path selection methods for parallel transmission. The study shows that a combination of data parallelization, LNC and randomization of path selection increases the security and reliability of the transmission. We analyze the so-called catastrophic security threat of the network and show that in the case of a conventional transmission scheme and in the absence of LNC, an attacker could eavesdrop on or disrupt the whole secret data by accessing only one edge in the network.