Similar literature
20 similar documents found (search took 62 ms)
1.
Risk management can benefit from Web-based tools that foster actions for treating risks in an environment while several individuals collaborate on the tasks those risks create. During an intervention, the security rules in place to protect resources from unauthorized access might need to be modified on the fly, e.g., increasing the privileges of risk managers or letting rescue teams view the exact position of the victims. Such modifications should respect the overall security policies and avoid security conflicts. This paper presents a dynamic access control model for environmental risks involving physical resources. The data structures included in our Web application to represent both risk and security are given. To keep the dynamic security rules compliant with the organization's overall security objectives, we consider rules grouped in Access Control Domains so that changes do not create security conflicts during collaboration in risk management. Using work environments as an example, risk and access control models are introduced. Security is built on the ABAC (Attribute Based Access Control) paradigm. A Risk Management System (RMS) is illustrated: it captures events, signals potential risks, and outputs strategies to prevent the risk. Dynamic authorization is included in the RMS to vary subjects' privileges on physical resources based on risk level, people's position and so on. These concepts are implemented in a prototype Web application that appears as a Web Dashboard for risk management.

2.
Risk assessment of urban areas aims at limiting the impact of harmful events by increasing awareness of their possible consequences. Qualitative risk assessment allows one to identify possible risk situations and to prioritize them, whereas quantitative risk assessment is devoted to measuring risks from data, in order to improve preparedness in case of crisis situations. We propose an automatic approach to comprehensive risk assessment. It leverages a semantic and spatiotemporal representation of knowledge of the urban area and relies on a software system including: a knowledge base; two components for quantitative and qualitative risk assessment, respectively; and a WebGIS interface. The knowledge base consists of the TERMINUS domain ontology, which represents urban knowledge, and of a geo-referenced database including geographical, environmental and urban data as well as temporal data on the levels of operation of city services. CIPcast DSS is the component devoted to quantitative risk assessment, and WS-CREAM is the component supporting qualitative risk assessment based on computational creativity techniques. Two case studies concerning the city of Rome (Italy) show how this approach can be used in a real scenario for crisis preparedness. Finally, we discuss issues related to the plausibility of risks and the objectivity of their assessment.

3.
IT systems pervade our society more and more, and we have become heavily dependent on them. At the same time, these systems are increasingly targeted in cyberattacks, making us vulnerable. Those responsible for enterprise and cybersecurity face the problem of defining techniques that raise the level of security. They need to decide which mechanism provides the most efficient defense with limited resources. Basically, the risks need to be assessed to determine the best cost-to-benefit ratio. One way to achieve this is through threat modeling; however, threat modeling is not commonly used in the enterprise IT risk domain. Furthermore, the existing threat modeling methods have shortcomings. This paper introduces a metamodel-based approach named Yet Another Cybersecurity Risk Assessment Framework (Yacraf). Yacraf aims to enable comprehensive risk assessment for organizations with more decision support. The paper includes a formalization of the risk calculation and also an example showing how an organization can use and benefit from Yacraf.

4.
Security assessment is an important step in risk management for information systems. This paper discusses security assessment at the system level, taking the influence of system structure into account; it defines system components and related concepts and states the corresponding research assumptions. On this basis, the relationship between component security and system security is discussed through an example, and finally a security assessment framework based on component assembly is proposed.

5.
Design and Implementation of an Agent-Based Distributed Firewall System (cited 1 time in total: 0 self-citations, 2 by others)
邹学强, 冯登国. 《计算机工程》 2005, 31(13): 129-131, 194
This paper analyzes traditional firewalls and firewall security systems together with their limitations. On this basis, mobile agent technology is introduced, and the distributed firewall system and the individual firewalls are specified and designed using the properties of autonomous agents. Through the design of Agent-based components, the method and process for designing and implementing a multi-Agent-based distributed firewall system are explained.

6.
Aviation project risk management is a dynamic process with frequent exchange of knowledge and information. While introducing MAS (Multi-Agent System) theory to build an IRMS (Intelligent Risk Management System), a general, open distributed-architecture system is designed to handle effectively the dynamic and changing nature of risk management tasks, allowing subsystems to join or leave the system quickly without interrupting its operation. The functional composition of two kinds of Agent is proposed. Finally, a CORBA-based implementation of the distributed architecture is given, together with the general interface program designed on that basis.

7.
This paper discusses the theoretical basis of the security architecture of Internet-based enterprise ERP systems, introduces the security requirements, risks and goals of ERP systems on the network, and analyzes the security architecture of enterprise ERP systems.

8.
Nowadays, various promising paradigms of distributed computing over the Internet, such as Grids, P2P and Clouds, have emerged for resource sharing and collaboration. To enable resource sharing and collaboration across different domains in an open computing environment, virtual organizations (VOs) often need to be established dynamically. However, the dynamic and autonomous characteristics of the participating domains pose great challenges to the security of virtual organizations. In this paper, we propose a secure collaboration service, called PEACE-VO, for the management of dynamic virtual organizations. The federation approach based on role mapping has been used extensively to build virtual organizations over multiple domains. However, this approach carries a serious risk of policy conflicts, which poses a security threat to the participating domains. To address this issue, we first define the concepts of implicit conflicts and explicit conflicts that may exist in virtual organization collaboration policies. Then, we propose a fully distributed algorithm to detect potential policy conflicts. With this algorithm, participating domains do not have to disclose their full local privacy policies, and the algorithm is able to withstand malicious internal attacks. Finally, we present the system architecture of PEACE-VO and design two protocols for VO management and authorization. The PEACE-VO services and protocols have been implemented successfully in the CROWN test bed. A comprehensive experimental study demonstrates that our approach is scalable and efficient.

9.
Systems and software architects require quantitative dependability evaluations, which allow them to compare the effect of their design decisions on dependability properties. For security, however, quantitative evaluations have proven difficult, especially for component-based systems. In this paper, we present a risk-based approach that creates modular attack trees for each component in the system. These modular attack trees are specified as parametric constraints, which allow quantifying the probability of security breaches that occur due to internal component vulnerabilities as well as vulnerabilities in the component's deployment environment. In the second case, attack probabilities are passed between system components as appropriate to model attacks that exploit vulnerabilities in multiple system components. The probability of a successful attack is determined with respect to a set of attack profiles that are chosen to represent potential attackers and corresponding environmental conditions. Based on these attack probabilities and the structure of the modular attack trees, risk measures can be estimated for the complete system and compared with the tolerable risk demanded by stakeholders. The practicability of this approach is demonstrated with an example that evaluates the confidentiality of a distributed document management system.

10.
Component-based software evolves faster than traditional software systems, so measuring its changes effectively benefits later maintenance activities. This paper models component software systems with an improved component dependency graph, treating separately components whose code is visible and those whose code is not. The risk brought by component changes is analyzed in two steps: first, the change risk of a single component is measured on the basis of the computed change ratio; then the component dependency graph is converted into a component dependency tree to compute the risk that the set of changed components brings to the system. In addition, several properties of the proposed change risk metric are given through the analysis of an example system.

11.
Distributed systems aren't only more widespread than they used to be, but they've become more critical than ever, having moved from client-server systems to multitier heterogeneous systems. Many of these applications, such as telephone exchange systems, must be operational 24 hours a day, so shutting them down isn't a viable option for administrators who must make systemwide changes. As a system becomes larger and more complex, the likelihood of defects increases, which means a greater number of required fixes. Studies have found that nearly half the software development effort in complex distributed systems is devoted to maintenance. Furthermore, the industry currently favors iterative and incremental development approaches over the traditional waterfall approach in software engineering to flexibly handle requirements and reduce project risks by deploying smaller changes. These changes are regular and predictable. So, how can we build distributed systems to handle these kinds of changes? The answer, we argue, is dynamic evolution. From a business perspective, dynamic evolution permits frequent upgrades, which reduces the time between releases. Dynamic evolution also enhances flexibility in implementing changes to unforeseen and fluctuating business requirements. Many specialized distributed systems will benefit from factoring dynamic evolution into their designs. We can easily achieve dynamic evolution in a component-based distributed system. The abstraction of components and their connectors facilitates system structures to accommodate changes.

12.
A self-updating model for analysing system reconfigurability (cited 1 time in total: 0 self-citations, 1 by others)
Systems are built by connecting different components (e.g., sensors, actuators, process components) that are, in turn, organized to achieve system objectives. But when a system component fails, the system's objectives can no longer be achieved. For many years, numerous studies have proposed efficient fault detection and isolation (FDI) and fault-tolerant control (FTC) algorithms. This paper considers faults that lead to the complete failure of actuators. In this specific case, the system's physical structure changes, and the system model thus becomes incorrect. The potential that the system has to continue to achieve its objectives has to be re-evaluated from a qualitative point of view, before recalculating or modifying the control algorithms. To this end, this paper proposes a self-updating system model to reflect the current system potential, a formulation of system objectives using temporal logic, and a verification method based on model checking to verify whether the objectives can still be achieved by the faulty system. The systems considered are discrete-continuous systems.

13.
The growing complexity of distributed systems in terms of hardware components, operating systems, communication and application software, and the huge number of dependencies among them, have caused an increase in demand for distributed management systems. An efficient distributed management system needs to work effectively even in the face of incomplete management information, uncertain situations, and dynamic changes. In this paper, Bayesian networks are proposed to model dependencies between managed objects in distributed systems. The strongest dependency route (SDR) algorithm is developed for backward inference in Bayesian networks. The SDR algorithm can track the strongest causes and trace the strongest routes between particular effects and their causes; the strongest dependency among causes can also be obtained by the algorithm. Thus, the backward inference provides an efficient mechanism for fault locating, and is beneficial for performance management.

14.
Testing the validity of newly developed methods is a critical component of human factors and ergonomics (HFE) practice. The Networked Hazard Analysis and Risk Management System (Net-HARMS) is a recently developed systems thinking-based risk assessment method which supports the identification of task and emergent risks across overall work systems. This article reports on a validity study of the Net-HARMS method in which outputs were compared to an expert analysis developed by the first two authors of this paper, with review by subject matter experts. The findings show that individual participant performance was poor for both groups, yet when both groups' analyses were pooled, validity significantly improved. Further, a subject matter expert analysis of the false alarms identified by participants showed that they may in fact represent credible risks. It is concluded that the Net-HARMS method achieved high levels of validity when participants' analyses are pooled. The implications for risk assessment and the validity of HFE methods are discussed.

15.
Coordination of distributed components is a fundamental problem in the development of component-based distributed systems. For a concrete application, a distributed component coordination model, Concerto, is proposed. The Concerto model takes Petri nets as its theoretical basis and integrates the two existing classes of coordination model, control-driven and data-driven. Petri net transitions are combined with the events, conditions, operations and timing information of distributed component systems, providing a way to interact with the computer system. On the basis of the Concerto model, a visual distributed component coordination environment is implemented, which verifies distributed component systems for concurrency deadlocks.

16.
This paper proposes seven design principles that provide a design basis for a class of distributed systems whose state consists of discrete conditions and whose operational functions consist of discrete functional components. Of these, the first five principles address a special case of distributed systems, namely sequential systems, while the last two address the concurrency of the system.

17.
This paper attempts a comprehensive study of deadlock detection in distributed database systems. First, the two predominant deadlock models in these systems and the four different distributed deadlock detection approaches are discussed. Afterwards, a new deadlock detection algorithm is presented. The algorithm is based on dynamically creating deadlock detection agents (DDAs), each being responsible for detecting deadlocks in one connected component of the global wait-for-graph (WFG). The DDA scheme is a "self-tuning" system: after an initial warm-up phase, dedicated DDAs will be formed for "centers of locality", i.e., parts of the system where many conflicts occur. A dynamic shift in locality of the distributed system will be responded to by automatically creating new DDAs while the obsolete ones terminate. In this paper, we also compare the most competitive representative of each class of algorithms suitable for distributed database systems based on a simulation model, and point out their relative strengths and weaknesses. The extensive experiments we carried out indicate that our newly proposed deadlock detection algorithm outperforms the other algorithms in the vast majority of configurations and workloads and, in contrast to all other algorithms, is very robust with respect to differing load and access profiles. Received December 4, 1997 / Accepted February 2, 1999

18.
J. Kramer, J. Magee, M. Sloman. 《Automatica》 1984, 20(1): 93-102
Distributed computer control systems have a number of potential advantages over centralized systems, especially where the application is itself physically distributed. A computer station can be placed close to the plant being controlled, and a communications network used to enable the stations to communicate and coordinate their actions. However, the software must be carefully designed to exploit the potential advantages of distribution. This paper describes the software architecture of CONIC, a system to support distributed computer control applications. This architecture emphasizes the distinction between the writing of individual software components and the construction and configuration of a system from a set of components. A modular structure is used to separate programming from configuration. Typed entry and exit ports are used to clearly define module interfaces. Ports, analogous to the plugs and sockets of hardware components, permit modules to be interconnected in different ways. On-line modification and extension of the system is supported by permitting the dynamic creation and interconnection of modules. Message passing primitives are provided to permit modules to coordinate and synchronize control actions.

19.
After a brief analysis of the conventional security assessment of network systems, this paper points out the shortcomings of static risk assessment. It then proposes adding dynamic security assessment of network systems by incorporating dynamic threat detection, gives the design and deployment of a corresponding dynamic detection system, and explores how the security assessment of network systems can be improved.

20.
For various IT systems, security is considered a key quality factor. In particular, it can be crucial for video surveillance systems, as their goal is to provide continuous protection of critical infrastructure and other facilities. Risk assessment is an important activity in security management; it aims at identifying assets, threats and vulnerabilities, and at analysing the implemented countermeasures and their effectiveness in mitigating risks. This paper discusses the application of a new risk assessment method, in which risk calculation is based on Fuzzy Cognitive Maps (FCMs), to a complex automated video surveillance system. FCMs are used to capture dependencies between assets, and FCM-based reasoning is applied to aggregate risks assigned to lower-level assets (e.g. cameras, hardware, software modules, communications, people) up to high-level assets such as services, maintained data and processes. Lessons learned indicate that the proposed method is an efficient and low-cost approach, giving instantaneous feedback and enabling reasoning about the effectiveness of the security system.
