1,896 research outputs found

    Achieving Security by Intrusion-Tolerance Based on Event Correlation

    No full text
    Despite the increased focus on security, complex networked systems remain vulnerable to attacks. Intrusion Tolerance is an emerging paradigm for developing systems, which continue to operate correctly, and provide acceptable services even in the face of an intrusion. The effectiveness of this approach is strongly dependent on the efficiency of the adopted detection and diagnosis mechanisms. In this work, we propose an architectural framework, which collects information at several architectural levels, using multiple security probes, which are deployed as a distributed architecture, to perform event correlation and diagnosis analysis of intrusion symptoms. The experimental results show that the use of different security information sources can improve the detection and the diagnosis of attack

    Developing Secure Cloud Applications

    No full text
    Today the main limit to Cloud adoption is related to the perception of a security loss the users have. Indeed, the existing solutions to provide security are mainly focused on Cloud service provider prospective in order to securely integrate frameworks and Infrastructures as a Services in a Cloud datacenter. Customer could not monitor and evaluate the security mechanisms enforced by service provider. Service Level Agreements mainly focus on performance related terms and no guarantees are given for security mechanisms. Customers are interested in tools to verify and monitor the implemented security requirements. On the other hand, developers need tools to deploy Cloud applications offering measurable security grants to end users. In this paper, we propose an approach to implement security mechanisms as components in the application design process. We modeled security interactions according to the specific threat, the specific security requirements and user/application capabilities trying to improve security. It enables a Service Provider to offer security guarantees to customers. The approach has been designed to fit with different Cloud platforms, but to demonstrate its applicability, we will present a case study on the mOSAIC Platform

    Message from SecureSysComm 2015 Workshop Chairs

    No full text
    Welcome to the first International Workshop on Security and Privacy in Systems and Communication Networks (SecureSysComm 2015), which is held in conjunction with the 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3GPCIC) at Krakow, Poland from November 4th to 6th, 2015. Modern society witnesses a growing pervasiveness of sophisticated computer-based systems and increasingly performance communication networks, whose influence in daily life is huge. Complexity, heterogeneity, scale and interdependence shown by such systems are source of potential vulnerabilities and threats. The Workshop seeks submissions from academia and industry presenting novel research on theoretical and practical spects of data protection, privacy, security, and cryptography. Papers describing new methods or technologies, advanced rototypes, systems, tools and techniques and general survey papers indicating future directions are also encouraged. In particular, the Workshop topics include: inspection and forensics technologies, threat and vulnerability identification and modelling, wireless communications security, network-centric systems and dependability, information security, encryption, privacy, access control and identity management, security and privacy protection mechanisms, cyber-physical threats, vulnerability analysis, and countermeasures, biometrics security and privacy, critical infrastructure protection, formal methods for security, human factors and human behaviour recognition techniques, identification, authentication and non-repudiation, security and privacy in pervasive/ubiquitous computing, security and privacy in smart grids, security and privacy in social networks, security and privacy in the cloud, SLA security in the cloud, security weaknesses and protection of energy-control facilities, energy consumption attacks. For SecureSysComm 2015, we have accepted 11 papers, which will be presented in two sessions. Many people contributed to the success of SecureSysComm 2015. First, we would like to thank the organizing committee of 3GPCIC 2015 International Conference for giving us the opportunity to organize the workshop. Second, we would like to thank our program committee members. Moreover, we would like to thank all the authors of the workshop for submitting their research works and for their participation. Finally, we would like to thank the Local Arrangement Chairs for the 3GPCIC conference. We hope you will enjoy SecureSysComm workshop and 3GPCIC International Conference, and have a great time in Krakow, Poland. Massimo Ficco, Second University of Naples, Italy Francesco Palmieri, University of Salerno

    CIPRNet training lecture: Hybrid simulation of distributed large-scale critical infrastructures

    No full text
    Modern critical infrastructures represent the pivotal assets upon which the current society greatly relies to support welfare, economy, and quality of life. Nowadays, the trend is to re-organize these infrastructures by applying a System of Systems concept, where the sparse islands are progressively interconnected by means of proper middleware solutions through local or wide-area networks. The huge complexity of such systems makes the integration task among components extremely challenging. Indeed, it may introduce unexpected system behaviors, mainly affecting dependability and performance, that usually become evident only during systems operations and, in particular, in presence of stress or unexpected conditions. Additionally, as they cannot be detected earlier, these problems require complex on-site operations resulting in increased maintenance costs and overspending in terms of personnel resources. A promising way to cope with these new complex systems and to reduce maintenance costs, is to reproduce such distributed systems locally, and let them run prior to the actual execution on-site, in order to get knowledge about their real behavior and define mitigation means and improvement actions. On the other hand, the evaluation of this systems requires sophisticated modeling, simulation, and experimentation infrastructure, which needs the integration of existing simulation environments, real sub-systems, and experimental platforms, which have to interact in a coordinated way. Therefore, hybrid and distributed simulation strategies, supported by novel technologies for resources virtualization and working environment reproduction, represent the most promising way to define the needed strategies to actually support such complex paradigms [1,2]

    Security and Resilience in Intelligent Data-Centric Systems and Communication Networks, 1st Edition,

    No full text
    Intelligent data-centric critical systems play a key role into several fundamental human activities. The consequences of an outage can be catastrophic in terms of efficiency, economical losses, and consumer dissatisfaction. In recent years, intelligent systems, complex and distributed have increasingly been used in scenarios, often critical, such as airports, seaports, plants for the provision of water and energy, and business transactional systems. Such systems have been used for interconnection, control, and management. They are in charge of providing support for advanced monitoring and control facilities. These systems from the point of view of security and resilience are of increasing importance in both industrial and corporate. They have to be highly resilient in order to reduce the risk of severe failures. The criticality of such system poses new challenges for computer engineer, which must develop systems to ensure a high level of protection, and at the same time, they must keep low costs and development time. The security and resilience of intelligent data-centric critical systems is hard to achieve for complexity of the system. First, they are designed as the composition of several Off-The-Shelf (OTS) items and/or legacy subsystems, primarily for their ability to reduce development costs. On the other hand, such components potentially introduce new vulnerabilities in the system. Second, their size has significantly grown, and their operational environment, originally planned to be "closed", becomes more and more "open" to allow interoperability and remote and mobile accesses and control. This implies malicious behaviors should be taken into account. On the other hand, such systems use and manage a huge amount of heterogeneous, complex and critical data (sensor data, IoT data, mobile data, monitoring data, forensics data), which can be target of potential threats. Therefore, the book will present current advances in the field, following both theoretical and practical results. Intelligent data-centric critical system development requires appropriate techniques, architectures and tools, having in view the advance of science in this area and the development of secure and resilient solutions. The book aims at disseminating of research efforts in the security and resilience of intelligent data-centric critical systems, in order to support advance research in this area. The Edited Book aims to present security and resilience aspects of current intelligent data-centric critical systems and communication networks, including techniques and tools to prevent and avoid accidental and malicious behaviors. The overall objectives of the book are explain state-of-the-art technological solutions for main issues hindering the development of monitoring and reaction solutions, supporting security and resilience of intelligent data-centric critical systems. In particular, strategies and technique to analysis and processing complex and sensitive data needed to malicious behaviors and attacks against such systems and communication networks are presented. The book aims at making readers familiar with those concepts and technologies that are successfully used in the implementation of more resilient and secure intelligent data-centric critical systems

    Security event correlation approach for cloud computing

    No full text
    Cloud computing is a new business model, which represents an opportunity for users, companies, and public organisations to reduce costs and increase efficiency, as well as an alternative way for providing services and resources. In this pay-by-use model, security plays a key role. Cyber attacks are a serious danger, which can compromise the quality of the service delivered to the customers, as well as the costs of the provided cloud resources and services. In this paper, a hybrid and hierarchical event correlation approach for intrusion detection in cloud computing is presented. It consists of detecting intrusion symptoms by collecting diverse information at several cloud architectural levels, using distributed security probes, as well as performing complex event analysis based on a complex event processing engine. The escalation process from intrusion symptoms to the identified cause and target of the intrusion is driven by a knowledge-base represented by an ontology. A prototype implementation of the proposed intrusion detection solution is also presented

    Could emerging fraudulent energy consumption attacks make the cloud infrastructure costs unsustainable?

    No full text
    Cloud paradigm is vulnerable to emerging breeds of fraudulent energy-related threats, which seek to exploit the cloud elasticity and the multi-tenant model. Recently, several sophisticated attacks have been reported by the cloud customers, which induced sustained and prolonged fraudulent resource consumptions, making the cloud costs unsustainable. If properly orchestrated, such attacks can also significantly affect the cloud service providers, forcing a frequent scaling and migration of virtual machines in the cloud. Such attacks aim at exploiting the elasticity and multi-tenacity of the cloud paradigm, in order to compromise the long-term financial viability of operating in the cloud, and thus, inflicting significant energy cost and loss of reputation to the cloud provider. This paper discusses the vulnerabilities associated to such a new breed of attacks, paying special emphasis to the risks for the cloud service providers. Practical experiments and simulations have been used to demonstrate the vulnerability of the cloud resource manager against emerging energy-related threats, named Fraudulent Energy Consumption attacks. Finally, some countermeasures are also discussed

    Calibration-less Indoor Location Systems Based on Wireless Sensors

    No full text
    In case of a crisis event, it is the responsibility of public and government authorities to manage the response operations. Positioning is a crucial task when managing emergency, which aims at estimating the positions of the first responders that act on the crisis site. On the other hand, the radio-based positioning solutions require a process of site survey, in which radio signatures have to be collected and stored in a radio map for further comparison and matching. Site survey involves intensive manual effort and time, which is no feasible during the crisis event. This paper proposes an approach for rapid site survey of the considered area. A specific tool has been developed to draw the site topography and to define the radio map generated by the wireless sensors located in the considered area, by using an accurate signal attenuation model. Experiment results show that the proposed solution can achieve a position accuracy that can be considered acceptable in the context of the rescuers localization even without a site survey activity
    corecore