Similar literature
Found 20 similar documents; search took 15 ms
1.
The concept of declarative security allows the separation of security concerns from business logic and enables the development of highly flexible and secure applications. Whereas Hibernate and the Enterprise Java Beans specification provide sufficient authentication and authorization functionalities in the context of object persistence, the Java Data Objects (JDO) specification designed as a lightweight persistence approach doesn’t provide any declarative security capabilities.

The novel security approach, JDOSecure, introduces a role-based permission system to the JDO persistence layer, which is based on the Java Authentication and Authorization Service (JAAS). JDOSecure is based on the dynamic proxy approach and ensures the collaboration with any JDO implementation. It comprises a management solution for users, roles, and permissions and allows storing the authentication and authorization information in any arbitrary JDO resource. Furthermore, a Java-based administration utility with a graphical user interface simplifies the maintenance of security privileges and permissions.


2.
3.
Because they implement vulnerable security policies, search engines are excellent tools for helping hackers to attack machines anonymously, search for easy targets or gather confidential data. Securing all channels against hackers trying to penetrate a vulnerable system isn't possible, but there is no reason for search engines to be wide-open channels that continue to help hackers find and penetrate weak systems. Because it is so easy to use a search engine to cloak an attack, search-engine-based hacker abuse has become a real threat that poses serious risks. However, not all blame should fall on those who operate the search engines. Search engines aren't responsible for the huge numbers of poorly configured and insecure machines all over the Internet even if the search engines do aid in identifying them, but the search engines must take some blame if they continue to provide easy ways to locate weak and penetrable machines.

4.
Policy hierarchies and automated policy refinement are powerful approaches to simplify administration of security services in complex network environments. A crucial issue for the practical use of these approaches is to ensure the validity of the policy hierarchy, i.e. since the policy sets for the lower levels are automatically derived from the abstract policies (defined by the modeller), we must be sure that the derived policies uphold the high-level ones. This paper builds upon previous work on Model-based Management, particularly on the Diagram of Abstract Subsystems approach, and goes further to propose a formal validation approach for the policy hierarchies yielded by the automated policy refinement process. We establish general validation conditions for a multi-layered policy model, i.e. necessary and sufficient conditions that a policy hierarchy must satisfy so that the lower-level policy sets are valid refinements of the higher-level policies according to the criteria of consistency and completeness. Relying upon the validation conditions and upon axioms about the model representativeness, two theorems are proved to ensure compliance between the resulting system behaviour and the abstract policies that are modelled.

5.
When managing their growing service portfolio, many manufacturers in B2B markets face two significant problems: They fail to communicate the value of their service offerings and they lack the capability to generate profits with value-added services. To tackle these two issues, we have built and evaluated a collaborative filtering recommender system which (a) makes individualized recommendations of potentially interesting value-added services when customers express interest in a particular physical product and also (b) leverages estimations of a customer’s willingness to pay to allow for a dynamic pricing of those services and the incorporation of profitability considerations into the recommendation process. The recommender system is based on an adapted conjoint analysis method combined with a stepwise componential segmentation algorithm to collect individualized preference and willingness-to-pay data. Compared to other state-of-the-art approaches, our system requires significantly less customer input before making a recommendation, does not suffer from the usual sparseness of data and cold-start problems of collaborative filtering systems, and, as is shown in an empirical evaluation with a sample of 428 customers in the machine tool market, does not diminish the predictive accuracy of the recommendations offered.

6.
A dynamic channel assignment policy through Q-learning (total citations: 2, self-citations: 0, citations by others: 2)
One of the fundamental issues in the operation of a mobile communication system is the assignment of channels to cells and to calls. This paper presents a novel approach to solving the dynamic channel assignment (DCA) problem by using a form of real-time reinforcement learning known as Q-learning in conjunction with neural network representation. Instead of relying on a known teacher the system is designed to learn an optimal channel assignment policy by directly interacting with the mobile communication environment. The performance of the Q-learning based DCA was examined by extensive simulation studies on a 49-cell mobile communication system under various conditions. Comparative studies with the fixed channel assignment (FCA) scheme and one of the best dynamic channel assignment strategies, MAXAVAIL, have revealed that the proposed approach is able to perform better than the FCA in various situations and capable of achieving a performance similar to that achieved by the MAXAVAIL, but with a significantly reduced computational complexity.

7.
The advent of the Internet of Things has motivated the use of Field Programmable Gate Array (FPGA) devices with Dynamic Partial Reconfiguration (DPR) capabilities for dynamic non-invasive modifications to circuits implemented on the FPGA. In particular, the ability to perform DPR over the network is essential in the context of a growing number of Internet of Things (IoT)-based and embedded security applications. However, the use of remote DPR brings with it a number of security threats that could lead to potentially catastrophic consequences in practical scenarios. In this paper, we demonstrate four examples where the remote DPR capability of the FPGA may be exploited by an adversary to launch Hardware Trojan Horse (HTH) attacks on commonly used security applications. We substantiate the threat by demonstrating remotely-launched attacks on Xilinx FPGA-based hardware implementations of a cryptographic algorithm, a true random number generator, and two processor based security applications - namely, a software implementation of a cryptographic algorithm and a cash dispensing scheme. The attacks are launched by on-the-fly transfer of malicious FPGA configuration bitstreams over an Ethernet connection to perform DPR and leak sensitive information. Finally, we comment on plausible countermeasures to prevent such attacks.

8.
This study focuses on how social networking site (SNS) users’ perceived risk is affected by perceptions of the duality of potentially harmful events (cyber-attacks and privacy breaches) on SNS and explores the potential threat sources that influence such perceptions. Further, it examines the effects of perceived risk on SNS members’ site use and the underlying mechanisms through which these effects are cast. The study finds that users’ perceived SNS risk affects site use behavior through attitude as an important mediator and users’ concern regarding cyber-attacks (security) casts a greater impact than the concern regarding privacy breaches in shaping perceived SNS risk.

9.
Mecella M., Batini C. Computer, 2001, 34(2): 40-45
The Italian government is using the successes and failures of previous e-government networking projects to develop a unitary network that links all public administrations.

10.
11.
This study draws on the sense-seize-transform view of dynamic capabilities as the theoretical lens for examining the role of BI&A in organizations. It views BI&A as the sensing and seizing components of dynamic capabilities that contribute to firm performance by enabling business process change. Findings confirm a positive relationship between BI&A and performance, mediated by business process change capabilities. This study answers the call for a theoretically grounded examination of the relationship between BI&A and firm performance by highlighting the significance of the BI&A seizing capabilities, and the importance of business process change in translating BI&A output into improved performance.

12.
The paper describes the development of a formal security policy model in Z for the NATO Air Command and Control System (ACCS): a large, distributed, multilevel-secure system. The model was subject to manual validation, and some of the issues and lessons in both writing and validating the model are discussed.

13.
International Journal of Information Security - One of the most important goals in an organization is to have risks under an acceptance level along the time. All organizations are exposed to...

14.
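With the widespread application of computer networks in all areas of human life, the number of intrusions and attempted intrusions against important information resources and network infrastructure continues to grow, and network attacks pose a great threat to daily life. Computer viruses are continually created and spread over networks, computer networks are repeatedly broken into illegally, and important intelligence and data are stolen, in some cases even paralysing network systems; computer network security therefore faces a variety of challenges and threats.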

15.
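In authentication based on dynamic shared secrets, the secret requires synchrony of the shared secret instances: both parties should keep the same instance of the shared secret in the protocol and then run it, using that same instance to authenticate each other in subsequent protocol runs. Therefore, in a successful online update mechanism, the stored shared secret evolves synchronously at the two principals after each protocol run.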

16.
The wall that has divided voice and data is at last being torn down within both enterprise and public carrier networks, yielding massive savings in overall communication costs. Converged networks reduce the total management overhead and also allow enterprises and carriers to develop new applications that exploit the tighter voice/data integration. The technical hurdles appear to have been overcome — until security rears its ugly head.

17.
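The web browser is a common client application and one of the main platforms through which users interact with the network. Web applications are now widely used in news, e-commerce, social networking and many other fields. However, as the functionality and interactivity of web applications keep growing, web vulnerabilities and malicious attacks emerge one after another. Existing web security measures concentrate mainly on the server side, while client-side security mechanisms are comparatively weak; how to ensure the security of web applications has therefore become a focus of wide attention in the security community. This paper studies techniques for detecting web security threats on the browser side and their implementation.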

18.
Computer security issues are normally addressed from a technical perspective. Increasingly, however, organizations and computer specialists are coming to realise that applying more technology as the basis of an answer to a problem that derives from technology cannot, in the long term, be a viable solution. This paper shows how it is important that other considerations are taken into account, such as business and management requirements, and practical user issues. In order for this approach to make any progress, we must first establish the current situation in ordinary organizations. This paper describes key results from research carried out to determine the status of computer security in organizations today.

19.
A method for enforcing a security policy for selectively preventing the downloading and execution of undesired Executable Objects in an individual workstation, comprising the steps of, (1) providing a security agent suitable to be installed in an individual workstation, said security agent being provided with means for introducing at least one marker in one or more data packet transmitted by a workstation to a server through a gateway, said at least one marker indicating that a security agent is installed in the transmitting workstation, (2) providing means in or coupled to the gateway for analyzing the first one or more data packet(s) received from a transmitting workstation initiating communication to a remote server, to determine whether said first one or more data packet(s) comprise at least one marker indicating that a suitable security agent is installed in the transmitting workstation; (3) If at least one marker indicating that a suitable security agent is installed in the transmitting workstatio

20.
This paper proposes a new methodology which combines supervised and unsupervised learning for evaluating power system dynamic security. Based on the concept of stability margin, pre-fault power system conditions are assigned to the output neurons on the two-dimensional grid with the growing hierarchical self-organizing map technique (GHSOM) via supervised artificial neural networks (ANNs) which perform an estimation of post-fault power system state. The technique estimates the dynamic stability index that corresponds to the most critical value of synchronizing and damping torques of multimachine power systems. ANN-based pattern recognition is carried out with the growing hierarchical self-organizing feature mapping in order to provide adaptive neural network architecture during its unsupervised training process. Numerical tests, carried out on an IEEE 9 bus power system are presented and discussed. The analysis using such method provides accurate results and improves the effectiveness of system security evaluation.
