Automated Integrated Examination System: A Security Concern

ABSTRACT

Revolution in information and communication technology (ICT) has made a remarkable impact on the society. Countries across the world are using ICT to facilitate information dissemination and communication in all areas of education, training, and administration. In Indian education institutions, over the years there has been a rapid increase in the gross enrollment ratio (GER). The existing manpower in universities is unable to cope with the increased workload. To bring efficiency, accuracy, and transparency to the system, many Indian universities are using ICT in teaching, learning, and administration processes, and management of examination system is one of them. In addition to sharing information and infinite access, ICT has exposed certain security threats that were exposed by connecting to a large network. This paper discusses the importance of an automated integrated examination system in Indian universities vis-à-vis security threats. These threats can thwart the very purpose of ICT if left unattended. The measures to handle data are discussed, and network architecture is suggested to handle the examination of data to preclude security threats.     

TPS3: A privacy preserving data collection protocol for smart grids

Smart grid (SG) allows for two-way communication between the utility and its consumers and hence they are considered as an inevitable future of the traditional grid. Since consumers are the key component of SGs, providing security and privacy to their personal data is a critical problem. In this paper, a security protocol, namely TPS3, is based on Temporal Perturbation and Shamir’s Secret Sharing (SSS) schemes that are proposed to ensure the privacy of SG consumer’s data. Temporal perturbation is employed to provide temporal privacy, while the SSS scheme is used to ensure data confidentiality. Temporal perturbation adds random delays to the data collected by smart meters, whereas the SSS scheme fragments these data before transmitting them to the data collection server. Joint employment of both schemes makes it hard for attackers to obtain consumer data collected in the SG. The proposed protocol TPS3 is evaluated in terms of privacy, reliability, and communication cost using two different SG topologies. The performance evaluation results clearly show that the TPS3 protocol ensures the privacy and reliability of consumer data in SGs. The results also show that the tradeoff between the communication cost and security of TPS3 is negligible.     

Secure—I*: Engineering Secure Software Systems through Social Analysis

Engineering secure software systems requires a thorough understanding of the social setting within which the system-to-be will eventually operate. To obtain such an understanding, one needs to identify the players involved in the system's operation, and to recognize their personal preferences, agendas and powers in relation to other players. The analysis also needs to identify assets that need to be protected, as well as vulnerabilities leads to system failures when attacked. Equally important, the analyst needs to take rational steps to predict most likely attackers, knowing their possible motivations, and capabilities enabled by latest technologies and available resources. Only an integrated social analysis of both sides (attackers/protectors) can reveal the full space of tradeoffs among which the analyst must choose. Unfortunately, current system development practices treat design decisions on security in an ad-hoc way, often as an afterthought. This paper introduces a methodological framework based on i^*, for dealing with security and privacy requirements, namely, Secure-i^*. The framework supports a set of analysis techniques. In particular, attacker analysis helps identify potential system abusers and their malicious intents. Dependency vulnerability analysis helps detect vulnerabilities in terms of organizational relationships among stakeholders. Countermeasure analysis supports the dynamic decision-making process of defensive system players in addressing vulnerabilities and threats. Finally, access control analysis bridges the gap between security requirement models and security implementation models. The framework is illustrated with an example involving security and privacy concerns in the design of electronic health information systems.In addition, we discuss model evaluation techniques, including qualitative goal model analysis and property verification techniques based on model checking.     

车载信息系统的安全测评体系及方法

汽车信息系统的安全工作主要集中在分析、挖掘车载信息系统及其功能组件现存的安全漏洞及可行攻击方式的实验验证,缺乏全面、系统的车载信息系统安全测评体系及评估方法。论文在分析车载信息系统安全现状的基础之上,提出将车载信息系统的安全等级划分为：家用车载信息系统和商用车载信息系统,定义了两个等级车载信息系统的保护能力,并借鉴通用信息系统的安全等级保护要求,提出车载信息系统不同保护等级的基本安全要求,首次建立车载信息系统的安全等级测评体系。进一步建立层次化安全评估模型及算法,实现车载信息系统的定量安全评估。通过奥迪C6的安全测评案例证明,提出的等级测评体系及评估方法是可行、合理的,为分析车辆信息系统的安全状况提供支撑,填补了国内车载信息系统安全测评体系及评估方法的空白。     

基于云边协同的数字电网通信信息网络安全策略研究

本研究旨在探讨基于云边协同的数字电网通信信息网络安全策略。首先,通过大量文献分析、调查问卷等方法,确定了数字电网通信信息网络面临的主要安全威胁和保障需求。其次,在此基础上提出以云边协同为核心的网络安全保障策略,包括资源共享、实时监测、数据加密等多层次的解决方案。接着,我们从安全性、可靠性和易用性三个角度对该策略进行评价,并通过仿真实验验证了其有效性和可行性。最后,结论表明,基于云边协同的数字电网通信信息网络安全策略可以有效地提高数字电网的安全性和稳定性,具有很强的实际应用价值。     

智能电网中的数据聚合方案分类研究

智能电网中其安全的通信架构是保证电网安全、稳定运行的基础,隐私保护的数据聚合是保证机密性、提高效率的有效途径。对最近面向智能电网通信系统的数据聚合的五种功能类型的方案进行了总结和分析。在聚合阶段,大部分的方案在系统架构上基本相差不大,不过在聚合方法的选取上,则各自有不同的考虑。诸如Paillier加密体制和ElGamal加密体制,是两种较为常规的加密体制,差分隐私、双线性对技术和数据签名技术也在一些文章中得到应用。通过安全性分析证明,这些方案不仅具有隐私保护、消息的认证性和完整性验证等功能;而且通过对这些方案进行性能比较分析,所述的方案在计算开销和用户的访问控制方面及通信开销都各有优势,对于智能电网多维数据的收集和云端的访问控制提供了更多的参考依据。     

智能电网脆弱性综合评价模型构建及仿真

解决当前我国智能电网连锁故障导致的脆弱性问题,加强对电网的脆弱性评估是提高电网运行能力的重点。对此,结合当前智能电网脆弱性评估方法,提出一种基于TOPSIS的脆弱性综合评估方法。为提高综合评价的客观性,引入熵权法-AHP层次分析法对权重计算进行优化,然后通过TOPSIS模型完成对智能电网脆弱性的整体性评价。最后通过某实例,验证了上述方案的可行性,并得出我国电网在防御人为威胁等方面具有加强的优势,但是在信息安全方面存在一定的劣势。     

浅析新时期网络安全的威胁与防御

现如今,计算机病毒、网络黑客攻击、软件漏洞等正严重威胁着我国网络运行的安全。该文就从网络安全面临的威胁和如何防御两个方面进行简单的阐述,以期为我国的网络信息安全略尽绵薄之力。     

基于攻击图的复合入侵关联及预测方法

当前的大多数漏洞扫描器和入侵检测系统只能检测汇报孤立的漏洞和攻击。但网络中真正的威胁来自那些技术精湛的黑客,他们综合利用各种攻击手段绕开安全策略,逐步获得权限。这种复合攻击能渗透进看似防御严密的网络。攻击图是一种重要的网络安全漏洞分析工具,能用来关联警报,假设漏报,预测下一步的警报,对系统管理员理解威胁的本质从而采取适当对策是关键的。本文提出一种基于攻击图来关联并预测复合网络入侵的方法,该方法在实际网络环境中有良好的表现。     

Challenges and research directions for heterogeneous cyber–physical system based on IEC 61850: Vulnerabilities,security requirements,and security architecture

IEC 61850, an international standard for communication networks, is becoming prevalent in the cyber–physical system (CPS) environment, especially with regard to the electrical grid. Recently, since cyber threats in the CPS environment have increased, security matters for individual protocols used in this environment are being discussed at length. However, there have not been many studies on the types of new security vulnerabilities and the security requirements that are required in a heterogeneous protocol environment based on IEC 61850. In this paper, we examine the electrical grid in Korea, and discuss security vulnerabilities, security requirements, and security architectures in such an environment.     

Classifying resilience approaches for protecting smart grids against cyber threats

Smart grids (SG) draw the attention of cyber attackers due to their vulnerabilities, which are caused by the usage of heterogeneous communication technologies and their distributed nature. While preventing or detecting cyber attacks is a well-studied field of research, making SG more resilient against such threats is a challenging task. This paper provides a classification of the proposed cyber resilience methods against cyber attacks for SG. This classification includes a set of studies that propose cyber-resilient approaches to protect SG and related cyber-physical systems against unforeseen anomalies or deliberate attacks. Each study is briefly analyzed and is associated with the proper cyber resilience technique which is given by the National Institute of Standards and Technology in the Special Publication 800-160. These techniques are also linked to the different states of the typical resilience curve. Consequently, this paper highlights the most critical challenges for achieving cyber resilience, reveals significant cyber resilience aspects that have not been sufficiently considered yet and, finally, proposes scientific areas that should be further researched in order to enhance the cyber resilience of SG.

     

移动互联网安全威胁研究

移动智能终端的广泛应用以及其与互联网技术的融合,推动了移动互联网时代的到来。移动互联网带来新技术、新用户体验和新商业模式的同时,也面临着一系列的安全威胁。移动终端和通信网络等构成了移动互联网的基本架构,攻击可能发生在系统中的每个层面。文章通过广泛调研,在理解移动互联网不同层次的安全机制的基础上,总结并简要分析各个层次所面临的安全威胁。     

智能电网ICS系统信息安全研究简

智能电网的应用改变了原有电网的网络通信结构和应用模式,如何全面的保障新形式下电网ICS系统的信息安全是一个必须深入探讨和研究并亟待解决的关键问题之一。本文首先剖析了智能电网中ICS系统与传统IT的区别,在分析ICS系统所面临的信息安全漏洞后提出了针对以上信息安全威胁的安全防护建议。     

电力移动智能终端安全技术研究

电力移动智能终端中存储的用户身份、电力运维数据、电网管理数据等大量重要信息使其具有巨大的攻击价值。Android作为目前全球最广泛使用的移动终端操作系统,也为相当规模的电力移动智能终端所应用,然而,其开放性（第三方开发）等特征在增强其功能和提升应用灵活性的同时也为系统漏洞、恶意应用等多种类型的攻击提供了渠道。文章通过对Android系统安全模型和安全威胁的研究,总结了针对Android平台上的电力移动智能终端的远程和本地攻击、隐私窃取、通信劫持和远程控制技术及方法。最后,提出了在基于Android系统的电力移动智能终端上加载恶意代码检测模块和操作系统加固的建议方案。     

Secure Software Engineering: Learning from the Past to Address Future Challenges

ABSTRACT

This paper provides a taxonomy of secure software systems engineering (SSE) by surveying and organizing relevant SSE research and presents current trends in SSE, on-going challenges, and models for reasoning about threats and vulnerabilities. Several challenging questions related to risk assessment/mitigation (e.g., “what is the likelihood of attack”) as well as practical questions (e.g., “where do vulnerabilities originate” and “how can vulnerabilities be prevented”) are addressed.     

A load control method for small data centers participating in demand response programs

This paper presents a load control method for small data centers, which are rarely studied although they account for more than 50% of all data centers. The method utilizes the data network and the electrical network to control power usage for participation in demand response (DR) programs, which are regarded as the killer applications of the emerging smart grid (SG). Traditional data center power management often directly manipulates energy usage, which may be ineffective or impractical for small data centers due to their limited resources. Both the SG and the data centers are considered to be the cyber-physical systems (CPSs). This article proposes an approach that performs the data center DR load management through the cyberspaces of the SG and the targeted data center. The proposed method instructs the workload dispatcher to select the best-suited algorithm when a DR event is issued. Additionally, this method also adjusts the temperature set-points of the air conditioners. The simulation result shows that this approach can achieve a 30% power reduction for DR.     

无线局域网安全威胁及解决方法

随着无线通信技术的不断发展,无线网络已经得以广泛使用,同时无限局域网的安全缺陷也快速地体现出来,这对无线网络的应用产生了一定的阻碍。由此对无限局域网的安全性提出了更高的要求。本文针对无线局域网络使用中出现的主要安全威胁提出相应的解决方案。     

The influence of information security on the adoption of web-based integrated information systems: an e-government study in Peru

This study analyzes the determinants of information security that influence the adoption of Web-based integrated information systems (IIS) by government agencies in Peru. The study introduces Web-based information systems designed to formulate strategic plans for the Peruvian government. A theoretical model is proposed to test the impact of organizational factors such as deterrent efforts, severity efforts, and preventive efforts and individual factors such as perceived information security threats and security awareness on intentions to use Web-based IIS. The empirical results indicate that deterrent efforts and deterrent severity have no significant influence on use intentions of IIS, whereas preventive efforts play an important role in such intentions. Information security awareness and perceived information security threats as individual factors have a significant effect on intentions to use the system. This suggests that organizations should implement preventive efforts by introducing various information security solutions, and improve information security awareness while reducing perceived information security threats.     

智能电网通信安全技术研究

智能电网的通信安全技术不仅能够有效对电网运行进行实时监控,还能够降低通信事故的频发并且有效清除通信故障。在此基础之上,本文对智能电网通信技术的发展现状进行简要阐述,针对智能电网通信安全技术发展中出现的问题提出了相应的信息技术研究策略。     

Secure network coding for wireless mesh networks: Threats, challenges, and directions

In recent years, network coding has emerged as a new communication paradigm that can significantly improve the efficiency of network protocols by requiring intermediate nodes to mix packets before forwarding them. Recently, several real-world systems have been proposed to leverage network coding in wireless networks. Although the theoretical foundations of network coding are well understood, a real-world system needs to solve a plethora of practical aspects before network coding can meet its promised potential. These practical design choices expose network coding systems to a wide range of attacks.We identify two general frameworks (inter-flow and intra-flow) that encompass several network coding-based systems proposed in wireless networks. Our systematic analysis of the components of these frameworks reveals vulnerabilities to a wide range of attacks, which may severely degrade system performance. Then, we identify security goals and design challenges in achieving security for network coding systems. Adequate understanding of both the threats and challenges is essential to effectively design secure practical network coding systems. Our paper should be viewed as a cautionary note pointing out the frailty of current network coding-based wireless systems and a general guideline in the effort of achieving security for network coding systems.