Catálogo de publicaciones - libros

It’s very important for a general-purpose operating system to have a security-tunable feature to meet different security requirements. This can be achieved by supporting diverse security modules, invoking them on demand. However, the security architectures of existing projects on Linux kernels do not support this feature or have some drawbacks in their supporting. Thus we introduce a layered architecture which consists of original kernel layer, module coordination layer and module decision layer. The architecture supports multiple modules register, resolves policy-conflicts of modules by changing their invoking order, and allow user to customize the security by enabling or disabling modules during runtime. The detailed structure and implementation in Linux based system, SECIMOS is described. The caching issue and performance are also discussed. Our practice showed the architecture helps us achieve flexible adaptation in different environments.

Social engineering (SE) is the name used for a bag of tricks used by adversaries to manipulate victims to make them say or do something they otherwise wouldn’t have. Typically this includes making the victims disclose passwords, or give the adversary illegitimate access to buildings or privileged information. The book Art of Deception: Controlling the Human Element of Security by Kevin Mitnick gives several examples of potential attacks. Clearly, countermeasures are needed. Countermeasures may include special hardware, software, improved user interfaces, routines, procedures and staff training. However, in order to assess the effectiveness of these countermeasures, we need a SE resistance metric. This paper de.nes such a metric. We have also implemented software to obtain metric test data. A real life SE experiment involving 120 participants has been completed. The experiment suggests that SE may indeed represent an Achilles heel.

The purpose a security policy is to specify rules to govern access to system resources preferably without considering implementation details. Both policy and its implementation might be altered, and after introducing changes, it is not obvious that they are consistent. Therefore, we need to validate conformance between policy and its implementation. In this paper we describe an approach based on finite-model checking to verify that a RBAC implementation conforms to a security policy. We make use of the model-checking system SPIN, and show how to express RBAC policy constraints by means of LTL and how to model an RBAC implementation in SPIN’s internal modeling language PROMELA.

Access control is a system-wide concern that has both a generic nature and an application dependent characteristic. It is generic as many functions must be protected with restricted access, yet the rule to grant a request is highly dependent on the application state. Hence it is common to see the code for implementing access control scattered over the system and tangled with the functional code, making the system difficult to maintain. This paper addresses this issue for Web applications by presenting a practical access control framework based on aspect-oriented programming (AOP). Our approach accommodates a wide range of access control requirements of different granularity. AOP supports the modular implementation of access control while still enables the code to get a hold of the application state. Moreover, framework technology offers a balanced view between reuse and customization. As a result, our framework is able to enforce fine-grained access control for Web applications in a highly adaptable manner.

One of the shortcomings of the Role-Based Access Control model (RBAC), used in Workflow Management Systems (WfMS), is that it cannot grant permissions to users dynamically while business processes are being executed., We propose a Take-Oriented Access Control (TOAC) model based on RBAC to remedy this problem. In TOAC, permissions are associated with tasks as well as roles. Users can get permissions through tasks that they carry out in certain processes. And when they are out of processes, permissions can be granted by the roles that they are associated with. Moreover, to facilitate delegation in WfMS, we present a task delegation model which is aim at TOAC.

This paper is focused on the analysis of the anomaly-based intrusion detectors’ operational capabilities and drawbacks, from the perspective of their operating environments, instead of the schemes per se. Based on the similarity with the induction problem, anomaly detection is cast in a statistical framework for describing their general anticipated behaviors. Several key problems and corresponding potential solutions about the normality characterization for the observable subjects from hosts and networks are addressed respectively, together with the case studies of several representative detection models. Anomaly detectors’ evaluation are also discussed briefly based on some existing achievements. Careful analysis shows that the fundamental understanding of the operating environments is the essential stage in the process of establishing an effective anomaly detection model, which therefore worth insightful exploration, especially when we face the dilemma between the detection performance and the computational cost.

Although the prevention of Distributed Denial of Service (DDoS) attacks is not possible, detection of such attacks plays main role in preventing their progress. In the flooding attacks, especially new sophisticated DDoS, the attacker floods the network traffic toward the target computer by sending pseudo-normal packets. Therefore, multi-purpose IDSs do not offer a good performance (and accuracy) in detecting such kinds of attacks. In this paper, a novel method for detection of DDoS attacks has been introduced based on a statistical pre-processor and an unsupervised artificial neural net. In addition, SPUNNID system has been designed based on the proposed method. The statistical pre-processing has been used to extract some statistical features of the traffic, showing the behavior of DDoS attacks. The unsupervised neural net is used to analyze and classify them as either a DDoS attack or normal. Moreover, the method has been more investigated using attacked network traffic, which has been provided from a real environment. The experimental results show that SPUNNID detects DDoS attacks accurately and efficiently.

Today the standard means for secure transactions in the World Wide Web (WWW) are the SSL/TLS protocols, which provide secure (i.e., private and authentic) channels between browsers and servers. As protocols SSL/TLS are considered secure. However, SSL/TLS’s protection ends at the “transport/session layer” and it is up to the application (here web browsers) to preserve the security offered by SSL/TLS. In this paper we provide evidence that most web browsers have severe weaknesses in the browser-to-user communication (graphical user interface), which attackers can exploit to fool users about the presence of a secure SSL/TLS connection and make them disclose secrets to attackers. These attacks, known as “Visual Spoofing”, imitate certain parts of the browser’s user interface, pretending that users communicate securely with the desired service, while actually communicating with the attacker. Therefore, most SSL/TLS protected web applications can not be considered secure, due to deficiencies in browser’s user interfaces. Furthermore, we characterise Visual Spoofing attacks and discuss why they still affect today’s WWW browsers. Finally, we introduce practical remedies, which effectively prevent these attacks and which can easily be included in current browsers or (personal) firewalls to preserve SSL/TLS’s security in web applications.

A major problem faced by intrusion detection is the intensive computation in the detection phase, and a possible solution is to reduce model redundancy, and thus economize the detection computation. However, the existing literature lacks any formal evaluation of the significance of model redundancy for intrusion detection. In this paper, we try to do such an evaluation. First, in a general intrusion detection methodology, the model redundancy in the behavior model can be reduced using feature ranking and the proposed concept of ‘ variable-length signature ’. Then, the detection performance of the behavior model before and after model redundancy is compared. The preliminary experimental results show that the model redundancy in the behavior model is useful to detect novel intrusions, but the model redundancy due to the overlapping distinguishability among features is insignificant for intrusion detection.

The automotive industry has developed electronic immobilizers to reduce the number of car thefts since the mid nineties. However, there is not much information on the current solutions in the public domain, and the annual number of stolen cars still causes a significant loss. This generates other costs particularly regarding the increased insurance fees each individual has to pay. In this paper we present a system model that captures a variety of security aspects concerning electronic immobilizers. We consider generic security and functional requirements for constructing secure electronic immobilizers. The main practical problems and limitations are addressed and we give some design guidance as well as possible solutions.