Current Issue : April - June Volume : 2015 Issue Number : 2 Articles : 4 Articles
SCADA (supervisory control and data acquisition)\nsystems are used for controlling and monitoring industrial\nprocesses.We propose a methodology to systematically\nidentify potential process-related threats in SCADA. Process-\nrelated threats take place when an attacker gains user\naccess rights and performs actions, which look legitimate,\nbut which are intended to disrupt the SCADA process. To\ndetect such threats, we propose a semi-automated approach\nof log processing. We conduct experiments on a real-life\nwater treatment facility. A preliminary case study suggests\nthat our approach is effective in detecting anomalous events\nthat might alter the regular process workflow....
Many papers have already provided models to formally specify security policies. In this paper, security policies are\nmodeled using deontic concepts of permission and obligation. Permission rules are used to specify access control\npolicies, while obligation rules are useful to specify other security requirements corresponding to usage control\npolicies as the availability of information in its allotted time. However, when both permission and obligation concepts\nare used to express security policies, several different types of conflict can be raised and should be detected and\nmanaged. We are interested in this work in managing conflicts between obligations with deadlines and permissions.\nThus, we first begin by formally defining the conflicting situations using the situation calculus. Afterwards, we provide\nan algorithm for searching a plan of actions, when it exists, which fulfills all the active obligations in a given situation in\ntheir deadlines with respect to the permission rules. The length of the plan is set in advance and can be calculated in\nthe case where the sets of actions and fluents are finite to ensure the decidability of the solution search. Furthermore,\nin the plan search, the choice of the execution time of the elected actions obeys to equations and inequalities which\nneed to be solved. For this purpose, we need a component allowing these equations and inequalities resolution. To\nillustrate our approach, we take an example inspired from existing laws in hospitals regulating deadlines for\ncompletion of patient medical records. The example is formally specified in our language and implemented in ECRC\nCommon Logic Programming System ECLIPSE 3.5.2, which is equipped with Simplex algorithm for solving linear\nequations and inequalities over the reals. In the implementation, we show how the plan search can be optimized\nthrough the use of some heuristics and make some evaluation tests....
Domain Name System (DNS) cache poisoning is a stepping stone towards advanced (cyber) attacks. DNS cache\npoisoning can be used to monitor users� activities for censorship, to distribute malware and spam and to subvert\ncorrectness and availability of Internet clients and services. Currently, the DNS infrastructure relies on challengeresponse\ndefences against attacks by (the common) off-path adversaries. Such defences do not suffice against\nstronger, man-in-the-middle (MitM), adversaries. However, MitM is not believed to be common; hence, there seems to\nbe little motivation to adopt systematic, cryptographic mechanisms. We show that challenge-response do not protect\nagainst cache poisoning. In particular, we review common situations where (1) attackers can frequently obtain MitM\ncapabilities and (2) even weaker attackers can subvert DNS security. We also experimentally study dependencies in\nthe DNS infrastructure, in particular, dependencies within domain registrars and within domains, and show that\nmultiple dependencies result in more vulnerable DNS. We review domain name system security extensions (DNSSEC),\nthe defence against DNS cache poisoning, and argue that not only it is the most suitable mechanism for preventing\ncache poisoning but it is also the only proposed defence that enables a posteriori forensic analysis of attacks....
Online social networks (OSNs) have become an integral part of social interaction and communication between\npeople. Reasons include the ubiquity of OSNs that is offered through mobile devices and the possibility to bridge\nspatial and temporal communication boundaries. However, several researchers have raised privacy concerns due to\nthe large amount of user data shared on OSNs. Yet, despite the large body of research addressing OSN privacy issues,\nlittle differentiation of data types on social network sites is made and a generally accepted classification and\nterminology for such data is missing. The lack of a terminology impedes comparability of related work and discussions\namong researchers, especially in the case of privacy implications of different data types. To overcome these\nshortcomings, this paper develops a well-founded terminology based on a thorough literature analysis and a\nconceptualization of typical OSN user activities. The terminology is organized hierarchically resulting in a taxonomy of\ndata types. The paper furthermore discusses and develops a metric to assess the privacy relevance of different data\ntypes. Finally, the taxonomy is applied to the five major OSNs to evaluate its generalizability...
Loading....