WOSIS 2012 Abstracts


Full Papers
Paper Nr: 1
Title:

Public Policy and Regulatory Implications for the Implementation of Opportunistic Cloud Computing Services for Enterprises

Authors:

Eric Kuada, Henning Olesen and Anders Henten

Abstract: Opportunistic Cloud Computing Services (OCCS) is a social network approach to the provisioning and management of cloud computing services for enterprises. This paper discusses how public policy and regulations will impact on OCCS implementation. We rely on documented publicly available government and corporate policies on the adoption of cloud computing services and deduce the impact of these policies on their adoption of opportunistic cloud computing services. We conclude that there are regulatory challenges on data protection that raises issues for cloud computing adoption in general; and the lack of a single globally accepted data protection standard poses some challenges for very successful implementation of OCCS for companies. However, the direction of current public and corporate policies on cloud computing make a good case for them to try out opportunistic cloud computing services.

Paper Nr: 2
Title:

A New Enterprise Security Pattern: Secure Software as a Service (SaaS)

Authors:

Santiago Moral-Garcia, Santiago Moral-Rubio, Eduardo B. Fernández and Eduardo Fernández-Medina

Abstract: In recent years, the hiring of Software as a Service (SaaS) from cloud providers has become very popular. The advantages of using these services seem to be many, but organizations need to know and handle a variety of threats. Before using SaaS, organizations should check the security measures offered by the service provider and the defense mechanisms included in their enterprise security architectures. Security patterns are a good way to build and test new security mechanisms, but they have some limitations related to their usability. In order to improve the usability of security patterns, we have defined a new type of security pattern called Enterprise Security Pattern. In this paper, we show a brief description of enterprise security patterns, and document a new pattern that the organizations could apply to protect their information assets when using SaaS.

Paper Nr: 4
Title:

Spamming Botnet Detection using Neural Networks

Authors:

Ickin Vural and Hein Venter

Abstract: The dramatic revolution in the way that we can share information has come about both through the Internet and through the dramatic increase in the use of mobile phones, especially in developing nations. Mobile phones are now found everywhere in the developing world. In 2002, the total number of mobile phones in use worldwide exceeded the number of landlines and these mobile devices are becoming increasingly sophisticated. For many people in developing countries their primary access point to the internet is a mobile device. Malicious software (malware) currently infects large numbers of mobile devices. Once infected, these mobile devices may be used to send spam SMSs. Mobile networks are now infected by malicious software such as Botnets. This paper studies the potential threat of Botnets based on mobile networks, and proposes the use of computational intelligence techniques to detect Botnets. We then simulate mobile Bot detection by use of a neural network.

Paper Nr: 13
Title:

Zero-knowledge Authentication for Self-managed Vehicular Networks

Authors:

C. Caballero-Gil, P. Caballero-Gil and J. Molina-Gil

Abstract: This paper proposes a new solution for the practical, fast and secure deployment of vehicular networks. Its main contribution is a self-managed authentication method that does not require the participation of any certification authority because the nodes themselves certify the validity of the public-keys of the nodes they trust, and issue the corresponding certificates that are saved in local key stores according to an algorithm here proposed. In addition, the new node authentication method includes a cryptographic protocol that each node can use to convince another node about the possession of certain secret without revealing anything about it. Thanks to all these tools, cooperation among involved vehicles can be used to detect and warn about abnormal traffic conditions. One of the most interesting aspects of the proposal is that the required devices can be simple existing mobile devices equipped with wireless connection. This work includes a performance analysis of a simulation of the proposed algorithms and the obtained results are promising.

Paper Nr: 20
Title:

Eliciting Security Requirements for Business Processes using Patterns

Authors:

Naved Ahmed, Raimundas Matulevičius and Naiad Hossain Khan

Abstract: Business process modelling and security engineering are two important concerns when developing information system (IS). However current practices report that security is addressed rather at the later development stages (i.e., design and implementation). This raises a question whether the business processes are performed securely. In this paper, we propose a method to align business process modelling and security engineering. We develop a set of security risk-oriented patterns. Such patterns help to understand security risks that potentially arise within business processes, and to introduce security solutions. To ease the applicability the security risk-oriented patterns are defined using BPMN notations. The proposal is tested in an industrial business model and the findings indicate a positive usefulness to identify important business assets, their security risks and countermeasures.

Short Papers
Paper Nr: 5
Title:

Free Web-based Personal Health Records: An Assessment of Security and Privacy

Authors:

Inma Carrión, José-Luis Fernández-Alemán and Ambrosio Toval

Abstract: Several obstacles prevent the adoption and use of Personal Health Record (PHR) systems, including users’ concerns regarding the privacy and security of their personal health information. The purpose of this study is to examine current PHR systems in order to verify what privacy and security characteristics are deployed in them, in an American context. The strengths and weaknesses of the PHRs identified will be useful for PHR users, healthcare professionals, decision makers and builders. The myPHR website was reviewed since it contains relevant information related to PHRs. For this end, the Privacy Policy of each PHR selected was reviewed in order to extract the main characteristics of privacy and security. The results show that the Privacy Policies of PHR systems do not provide an in-depth description of the security measures that they use. This may be a problem because users might not believe that their data are really protected. The designs of Privacy Policies should be improved to include more detailed information related to security measures, and this may be one of the reasons why users do not trust in PHR systems.

Paper Nr: 9
Title:

Towards the Extension of Secure Tropos Language to Support Software Product Lines Development

Authors:

Daniel Mellado and Haralambos Mouratidis

Abstract: The elicitation of security requirements for Software Product Lines (SPL) is a challenging task, mainly due to the varying security properties required in different products, for the diversity of market segments, and the constraint of simultaneously maintaining the cost-effective principle of the SPL paradigm. Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed in the literature as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, on one hand, security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing an extension to the Secure Tropos language to support SPL.

Paper Nr: 12
Title:

Ontology and Fuzzy Measures based System for Information Security Risk Assessment

Authors:

Raihan Muratkhan, Dauren Kabenov and Dina Satybaldina

Abstract: Traditionally the information security risk is defined as a combination of probability of negative event and a potential impact. But risk of the breach of information security of the modern organization is the multidimensional complex concept which is including set of interconnected variables. Often values of risk factors cannot be precisely defined. Therefore the information security risk assessment may be defined as a fuzzy problem. In this paper algorithm of the problem decision of alternative's assessment which has network-like estimation criteria structure is considered. Connections in criteria structure are formalized by means of fuzzy integral of Sugeno. Ontology-based information security knowledge domain has net-like structure incorporating the most relevant information security concepts (assets, threats, vulnerabilities and controls) and relations among them. Slots describe properties of concepts and instances. Each property can be set to a specific fuzzy value. The estimation criteria structure is network-like and is formalized as the oriented graph with one source and many drains. The alternative's estimation result is calculated in criterion-source.

Paper Nr: 16
Title:

A Sensitivity Analysis of Common Operating Systems to ROP Attacks

Authors:

Marco Prandini and Marco Ramilli

Abstract: Return Oriented Programming (ROP) is a well know technique used by attackers to build the last generation of stack-based attacks. ROP uses small code sequences (``gadgets'') to invoke code from the stack, but bypassing the NX bit security protection, allowing attackers to control the execution flow. This paper analyzes some widespread operating systems, profiling the gadgets that can readily be used, and deducing what kind of payloads they allow to build. Understanding which gadgets are usable from the attacker’s perspective is of great practical importance to devise countermeasures to the possible attacks.

Paper Nr: 17
Title:

Security Criteria in Deciding on Migration of Systems to the Cloud

Authors:

Rafael Gómez, David G. Rosado, Daniel Mellado and Eduardo Fernández-Medina

Abstract: Cloud computing is setting trend in IT world. As it evolves, providers and clients claim their concern about their pros and cons. Some proposals have been made on the methodologies to assess criteria for benefits and risks of the different cloud models. How these proposals deal with security issues (that most IT executives point out as their top concern)? In this paper we go into the issue of how we can incorporate security requirements to a decision making process for whether to migrate legacy systems to the cloud and how to do it. From systems in control of the firms’ data centers to systems working partially, if not totally out of their control.

Paper Nr: 19
Title:

Mining Windows Registry for Data Exfiltration Detection

Authors:

Yi Hu, Rubaiyat Hossain, Papa Seye and Sri Vasireddy

Abstract: This paper illustrates a novel approach for identifying data exfiltration activities by mining Microsoft Windows Registry. It often takes outsider attackers a significant amount of efforts to identify the vulnerabilities in the system or applications and launch the exploit payloads to compromise a system. However insider attackers with legitimate access control privileges can easily steal data and sell data to a third party. Many companies spend lots of money defending network perimeters and applications from outsider attacks but only pay little attention to the insider threat. Although there are existing research efforts ad-dressing various aspects of insider attacks, little research focuses on data exfil-tration detection. The proposed model in this paper employs a data mining method to profile USB device usage patterns and uses various statistical methods to identify anomalous USB device usages. The effectiveness of the model was tested with USB access history extracted from the Windows Registry.

Paper Nr: 21
Title:

A Grouping Model for Prompt Agent based Damage Assessment

Authors:

Naveen Ramanathan, Brajendra Panda and Yi Hu

Abstract: Prompt recovery of data after cyber attacks depends on an efficient damage assessment mechanism. This paper presents a grouping model for the agent-based damage assessment method to facilitate quick post information warfare damage assessment. The grouping method proposed is based on the longest-dependency-path-first approach and can significantly reduce the damage assessment latency of the agent based damage assessment process. We also present an improved damage assessment algorithm that uses this grouping model to determine the extent of damage to other data items.

Paper Nr: 22
Title:

A Systematic Review of Methodologies and Models for the Analysis and Management of Associative and Hierarchical Risk in SMEs

Authors:

Antonio Santos-Olmo, Luis Enrique Sánchez, Eduardo Fernández-Medina and Mario Piattini

Abstract: As a result of the growing dependence of information society on ICTs, the need to know the risks that can affect information is enormously increasing with the purpose of protecting it. This article shows advances in the identification and management of risks in ICTs, particularly in the case of SMEs, along with the first proposal of a methodology for management and analysis of the associative risk in SMEs taking into account not only internal risks derived from SMEs but also other external risks derived from other enterprises in the same sector or collaborating with them. Thus, we will obtain a high quality risk analysis at low cost using advanced concepts such as “associative algorithms” and “enterprise social networks”. In the era of globalization, SMEs no longer work as independent companies but share more and more services, even facilities, with other companies. Therefore, we cannot obtain an adequate risk analysis without considering the risks associated with these collaborations. In this article we present rhe results of a systematic review of methodologies and models for the analysis and management of associative and hierarchical risk in SMEs.