WOSIS 2012 Abstracts

Full Papers

Paper Nr:	1
Title:	Public Policy and Regulatory Implications for the Implementation of Opportunistic Cloud Computing Services for Enterprises
Authors:	Eric Kuada, Henning Olesen and Anders Henten
Abstract:	Opportunistic Cloud Computing Services (OCCS) is a social network approach to the provisioning and management of cloud computing services for enterprises. This paper discusses how public policy and regulations will impact on OCCS implementation. We rely on documented publicly available government and corporate policies on the adoption of cloud computing services and deduce the impact of these policies on their adoption of opportunistic cloud computing services. We conclude that there are regulatory challenges on data protection that raises issues for cloud computing adoption in general; and the lack of a single globally accepted data protection standard poses some challenges for very successful implementation of OCCS for companies. However, the direction of current public and corporate policies on cloud computing make a good case for them to try out opportunistic cloud computing services.
Download

Paper Nr:	2
Title:	A New Enterprise Security Pattern: Secure Software as a Service (SaaS)
Authors:	Santiago Moral-Garcia, Santiago Moral-Rubio, Eduardo B. Fernández and Eduardo Fernández-Medina
Abstract:	In recent years, the hiring of Software as a Service (SaaS) from cloud providers has become very popular. The advantages of using these services seem to be many, but organizations need to know and handle a variety of threats. Before using SaaS, organizations should check the security measures offered by the service provider and the defense mechanisms included in their enterprise security architectures. Security patterns are a good way to build and test new security mechanisms, but they have some limitations related to their usability. In order to improve the usability of security patterns, we have defined a new type of security pattern called Enterprise Security Pattern. In this paper, we show a brief description of enterprise security patterns, and document a new pattern that the organizations could apply to protect their information assets when using SaaS.
Download

Paper Nr:	4
Title:	Spamming Botnet Detection using Neural Networks
Authors:	Ickin Vural and Hein Venter
Abstract:	The dramatic revolution in the way that we can share information has come about both through the Internet and through the dramatic increase in the use of mobile phones, especially in developing nations. Mobile phones are now found everywhere in the developing world. In 2002, the total number of mobile phones in use worldwide exceeded the number of landlines and these mobile devices are becoming increasingly sophisticated. For many people in developing countries their primary access point to the internet is a mobile device. Malicious software (malware) currently infects large numbers of mobile devices. Once infected, these mobile devices may be used to send spam SMSs. Mobile networks are now infected by malicious software such as Botnets. This paper studies the potential threat of Botnets based on mobile networks, and proposes the use of computational intelligence techniques to detect Botnets. We then simulate mobile Bot detection by use of a neural network.
Download

Paper Nr:	13
Title:	Zero-knowledge Authentication for Self-managed Vehicular Networks
Authors:	C. Caballero-Gil, P. Caballero-Gil and J. Molina-Gil
Abstract:	This paper proposes a new solution for the practical, fast and secure deployment of vehicular networks. Its main contribution is a self-managed authentication method that does not require the participation of any certification authority because the nodes themselves certify the validity of the public-keys of the nodes they trust, and issue the corresponding certificates that are saved in local key stores according to an algorithm here proposed. In addition, the new node authentication method includes a cryptographic protocol that each node can use to convince another node about the possession of certain secret without revealing anything about it. Thanks to all these tools, cooperation among involved vehicles can be used to detect and warn about abnormal traffic conditions. One of the most interesting aspects of the proposal is that the required devices can be simple existing mobile devices equipped with wireless connection. This work includes a performance analysis of a simulation of the proposed algorithms and the obtained results are promising.
Download

Paper Nr:	20
Title:	Eliciting Security Requirements for Business Processes using Patterns
Authors:	Naved Ahmed, Raimundas Matulevičius and Naiad Hossain Khan
Abstract:	Business process modelling and security engineering are two important concerns when developing information system (IS). However current practices report that security is addressed rather at the later development stages (i.e., design and implementation). This raises a question whether the business processes are performed securely. In this paper, we propose a method to align business process modelling and security engineering. We develop a set of security risk-oriented patterns. Such patterns help to understand security risks that potentially arise within business processes, and to introduce security solutions. To ease the applicability the security risk-oriented patterns are defined using BPMN notations. The proposal is tested in an industrial business model and the findings indicate a positive usefulness to identify important business assets, their security risks and countermeasures.
Download

Short Papers

Paper Nr:	5
Title:	Free Web-based Personal Health Records: An Assessment of Security and Privacy
Authors:	Inma Carrión, José-Luis Fernández-Alemán and Ambrosio Toval
Abstract:	Several obstacles prevent the adoption and use of Personal Health Record (PHR) systems, including users’ concerns regarding the privacy and security of their personal health information. The purpose of this study is to examine current PHR systems in order to verify what privacy and security characteristics are deployed in them, in an American context. The strengths and weaknesses of the PHRs identified will be useful for PHR users, healthcare professionals, decision makers and builders. The myPHR website was reviewed since it contains relevant information related to PHRs. For this end, the Privacy Policy of each PHR selected was reviewed in order to extract the main characteristics of privacy and security. The results show that the Privacy Policies of PHR systems do not provide an in-depth description of the security measures that they use. This may be a problem because users might not believe that their data are really protected. The designs of Privacy Policies should be improved to include more detailed information related to security measures, and this may be one of the reasons why users do not trust in PHR systems.
Download

Paper Nr:	9
Title:	Towards the Extension of Secure Tropos Language to Support Software Product Lines Development
Authors:	Daniel Mellado and Haralambos Mouratidis
Abstract:	The elicitation of security requirements for Software Product Lines (SPL) is a challenging task, mainly due to the varying security properties required in different products, for the diversity of market segments, and the constraint of simultaneously maintaining the cost-effective principle of the SPL paradigm. Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed in the literature as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, on one hand, security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing an extension to the Secure Tropos language to support SPL.
Download

Paper Nr:	12
Title:	Ontology and Fuzzy Measures based System for Information Security Risk Assessment
Authors:	Raihan Muratkhan, Dauren Kabenov and Dina Satybaldina
Abstract:	Traditionally the information security risk is defined as a combination of probability of negative event and a potential impact. But risk of the breach of information security of the modern organization is the multidimensional complex concept which is including set of interconnected variables. Often values of risk factors cannot be precisely defined. Therefore the information security risk assessment may be defined as a fuzzy problem. In this paper algorithm of the problem decision of alternative's assessment which has network-like estimation criteria structure is considered. Connections in criteria structure are formalized by means of fuzzy integral of Sugeno. Ontology-based information security knowledge domain has net-like structure incorporating the most relevant information security concepts (assets, threats, vulnerabilities and controls) and relations among them. Slots describe properties of concepts and instances. Each property can be set to a specific fuzzy value. The estimation criteria structure is network-like and is formalized as the oriented graph with one source and many drains. The alternative's estimation result is calculated in criterion-source.
Download

Paper Nr:	16
Title:	A Sensitivity Analysis of Common Operating Systems to ROP Attacks
Authors:	Marco Prandini and Marco Ramilli
Abstract:	Return Oriented Programming (ROP) is a well know technique used by attackers to build the last generation of stack-based attacks. ROP uses small code sequences (``gadgets'') to invoke code from the stack, but bypassing the NX bit security protection, allowing attackers to control the execution flow. This paper analyzes some widespread operating systems, profiling the gadgets that can readily be used, and deducing what kind of payloads they allow to build. Understanding which gadgets are usable from the attacker’s perspective is of great practical importance to devise countermeasures to the possible attacks.
Download

Paper Nr:	17
Title:	Security Criteria in Deciding on Migration of Systems to the Cloud
Authors:	Rafael Gómez, David G. Rosado, Daniel Mellado and Eduardo Fernández-Medina
Abstract:	Cloud computing is setting trend in IT world. As it evolves, providers and clients claim their concern about their pros and cons. Some proposals have been made on the methodologies to assess criteria for benefits and risks of the different cloud models. How these proposals deal with security issues (that most IT executives point out as their top concern)? In this paper we go into the issue of how we can incorporate security requirements to a decision making process for whether to migrate legacy systems to the cloud and how to do it. From systems in control of the firms’ data centers to systems working partially, if not totally out of their control.
Download

Paper Nr:	19
Title:	Mining Windows Registry for Data Exfiltration Detection
Authors:	Yi Hu, Rubaiyat Hossain, Papa Seye and Sri Vasireddy
Abstract:	This paper illustrates a novel approach for identifying data exfiltration activities by mining Microsoft Windows Registry. It often takes outsider attackers a significant amount of efforts to identify the vulnerabilities in the system or applications and launch the exploit payloads to compromise a system. However insider attackers with legitimate access control privileges can easily steal data and sell data to a third party. Many companies spend lots of money defending network perimeters and applications from outsider attacks but only pay little attention to the insider threat. Although there are existing research efforts ad-dressing various aspects of insider attacks, little research focuses on data exfil-tration detection. The proposed model in this paper employs a data mining method to profile USB device usage patterns and uses various statistical methods to identify anomalous USB device usages. The effectiveness of the model was tested with USB access history extracted from the Windows Registry.
Download

Paper Nr:	21
Title:	A Grouping Model for Prompt Agent based Damage Assessment
Authors:	Naveen Ramanathan, Brajendra Panda and Yi Hu
Abstract:	Prompt recovery of data after cyber attacks depends on an efficient damage assessment mechanism. This paper presents a grouping model for the agent-based damage assessment method to facilitate quick post information warfare damage assessment. The grouping method proposed is based on the longest-dependency-path-first approach and can significantly reduce the damage assessment latency of the agent based damage assessment process. We also present an improved damage assessment algorithm that uses this grouping model to determine the extent of damage to other data items.
Download

Paper Nr:	22
Title:	A Systematic Review of Methodologies and Models for the Analysis and Management of Associative and Hierarchical Risk in SMEs
Authors:	Antonio Santos-Olmo, Luis Enrique Sánchez, Eduardo Fernández-Medina and Mario Piattini
Abstract:	As a result of the growing dependence of information society on ICTs, the need to know the risks that can affect information is enormously increasing with the purpose of protecting it. This article shows advances in the identification and management of risks in ICTs, particularly in the case of SMEs, along with the first proposal of a methodology for management and analysis of the associative risk in SMEs taking into account not only internal risks derived from SMEs but also other external risks derived from other enterprises in the same sector or collaborating with them. Thus, we will obtain a high quality risk analysis at low cost using advanced concepts such as “associative algorithms” and “enterprise social networks”. In the era of globalization, SMEs no longer work as independent companies but share more and more services, even facilities, with other companies. Therefore, we cannot obtain an adequate risk analysis without considering the risks associated with these collaborations. In this article we present rhe results of a systematic review of methodologies and models for the analysis and management of associative and hierarchical risk in SMEs.
Download