Skip to main content
main-content

Über dieses Buch

This book constitutes the refereed proceedings of the 12th International Conference on Trust, Privacy and Security in Digital Business, TrustBus 2015, held in Valencia, Spain, in September 2015 in conjunction with DEXA 2015. The 17 revised full papers presented were carefully reviewed and selected from 45 submissions. The papers are organized in the following topical sections: access control; trust and reputation in pervasive environments; trust and privacy issues in mobile environments; security and privacy in the cloud; security policies/usability issues; and privacy requirements and privacy audit.

Inhaltsverzeichnis

Frontmatter

Access Control

Frontmatter

Attributes Enhanced Role-Based Access Control Model

Attribute-based access control (ABAC) and role-based access control (RBAC) are currently the two most popular access control models. Yet, they both have known limitations and offer features complimentary to each other. Due to this fact, integration of RBAC and ABAC has recently emerged as an important area of research. In this paper, we propose an access control model that combines the two models in a novel way in order to unify their benefits. Our approach provides a fine-grained access control mechanism that not only takes contextual information into account while making the access control decisions but is also suitable for applications where access to resources is controlled by exploiting contents of the resources in the policy.
Qasim Mahmood Rajpoot, Christian Damsgaard Jensen, Ram Krishnan

Ontology-Based Delegation of Access Control: An Enhancement to the XACML Delegation Profile

Delegation of access control (i.e. transferring access rights on a resource to another tenant) is crucial to efficiently decentralize the access control management in large and dynamic scenarios. Most of the delegation methods available in the literature are based on the RBAC or ABAC models. However, their applicability can be hampered by: (i) the effort required to manage and enforce multiple roles for each delegatee (i.e. access roles and delegated roles) and (ii) the efforts required to specify constraints for the enforcement of the delegated roles or policies. Moreover, the performance of these methods decreases proportionally as the number of users increase. To tackle these issues, we propose an ontology-based delegation framework that enhances the standard XACML delegation profile by modeling the delegation logics in an ontological way. By means of the ontology, the operations of delegation, verification and revocation of access rights can be performed on the workflow generated by instantiating the ontology classes and their interrelations according to the entities involved in the delegation. By exploiting these workflows, we propose a cost-effective algorithm that performs delegation operations without involving any human intervention.
Malik Imran Daud, David Sánchez, Alexandre Viejo

Trust and Reputation in Pervasive Environments

Frontmatter

VISIO: A Visual Approach for Singularity Detection in Recommendation Systems

Reviews are a powerful decision-making tool for potential new customers, since they can significantly influence consumer purchase decisions, hence resulting in financial gains or losses for businesses. In striving for trustworthy review systems, validating reviews that could negatively or positively bias new customers is of utmost importance. To this goal, we propose VISIO: a visualization based representation of reviews that enables quick analysis and elicitation of interesting patterns and singularities. In fact, VISIO is meant to amplify cognition, supporting the process of singling out those reviews that require further analysis. VISIO is based on a theoretically sound approach, while its effectiveness and viability is demonstrated applying it to real data extracted from Tripadvisor and Booking.com.
Alessandro Colantonio, Roberto Di Pietro, Marinella Petrocchi, Angelo Spognardi

Hidden in Plain Sight. SDP-Based Covert Channel for Botnet Communication

Covert channels pose a significant threat for networking systems. In this paper, we examine the exploitation of Session Description Protocol (SDP) information residing in Session Initiation Protocol (SIP) requests with the aim to hide data in plain sight. While a significant mass of works in the literature cope with covert communication channels, only a very limited number of them rely on SIP to realize its goals. Also, none of them concentrates on SDP data contained in SIP messages to implement and evaluate such a hidden communication channel. Motivated by this fact, the work at hand proposes and demonstrates the feasibility of a simple but very effective in terms of stealthiness and simplicity SIP-based covert channel for botnet Command and Control (C&C). As a side contribution, we assess the soundness and the impact of such a deployment at the victim’s side via the use of two different types of flooding attacks.
Zisis Tsiatsikas, Marios Anagnostopoulos, Georgios Kambourakis, Sozon Lambrou, Dimitris Geneiatakis

The Design of a Configurable Reputation Service

Novel trust and reputation models are frequently proposed by the research community to suit the needs of a specific environment. From the plethora of models that are available, it becomes difficult to know which features can be combined in general-purpose models suitable for commercial use. In order to address this problem, the focus of recent research on trust and reputation systems has been on the identification of common features in order to enable reuse. Organizations who need to use a reputation system within their application domain have to custom build it, which may be challenging for novice developers. This paper defines a strategy to develop a configurable SaaS reputation service that has the ability to support common features, but at the same time accommodate the unique requirements of a variety of online communities. A domain analysis reveals common features that can be arranged and re-organized using variability modeling to enable a SaaS providers to support the configuration of a SaaS reputation service.
Channel Hillebrand, Marijke Coetzee

Trust and Privacy Issues in Mobile Environments

Frontmatter

Attacking GSM Networks as a Script Kiddie Using Commodity Hardware and Software

With the emergence of widely available hardware and software tools for GSM hacking, the security of cellular networks is threatened even by script kiddies. In this paper we present four different attacks in GSM networks, using commodity hardware as well as open source and freely available software tools. All attacks are performed using a common DVB-T TV tuner, which is used as a sniffer for the GSM radio interface, as well as an Arduino combined with a GSM shield that is used as a software programmable mobile phone. The attacks target both mobile users and the network, ranging from sniffing the signaling traffic to tracking and performing denial of service to the subscribers. Despite the script kiddie style of the attacks, their consequences are critical and threaten the normal operation of the cellular networks.
Christoforos Ntantogian, Grigoris Valtas, Nikos Kapetanakis, Faidon Lalagiannis, Georgios Karopoulos, Christos Xenakis

On the Efficacy of Static Features to Detect Malicious Applications in Android

The Android OS environment is today increasingly targeted by malwares. Traditional signature based detection algorithms are not able to provide complete protection especially against ad-hoc created malwares. In this paper, we present a feasibility analysis for enhancing the detection accuracy on Android malware for approaches relying on machine learning classifiers and Android applications’ static features. Specifically, our study builds on the basis of machine learning classifiers operating over different fusion rules on Android applications’ permissions and APIs. We analyse the performance of different configurations in terms of false alarms tradeoff. Results demonstrate that malware detection accuracy could be enhanced in case that detection approaches introduce additional fusion rules e.g., squared average score over the examined features.
Dimitris Geneiatakis, Riccardo Satta, Igor Nai Fovino, Ricardo Neisse

Protecting Android Apps Against Reverse Engineering by the Use of the Native Code

Having about 80 % of the market share, Android is currently the clearly dominating platform for mobile devices. Application theft and repackaging remains a major threat and a cause of significant losses, affecting as much as 97 % of popular paid apps. The ease of decompilation and reverse engineering of high-level bytecode, in contrast to native binary code, is considered one of the main reasons for the high piracy rate. In this paper, we address this problem by proposing four static obfuscation techniques: native opaque predicates, native control flow flattening, native function indirection, and native field access indirection. These techniques provide a simple and yet effective way of reducing the task of bytecode reverse engineering to the much harder task of reverse engineering native code. For this purpose, native function calls are injected into an app’s bytecode, introducing artificial dependencies between the two execution domains. The adversary is forced to analyze the native code in order to be able to comprehend the overall app’s functionality and to successfully launch static and dynamic analyses. Our evaluation results of the proposed protection methods witness an acceptable cost in terms of execution time and application size, while significantly complicating the reverse-engineering process.
Mykola Protsenko, Tilo Müller

Security and Privacy in the Cloud

Frontmatter

Designing Privacy-Aware Systems in the Cloud

Nowadays most Internet users use resources and services belonging to the cloud. Without a doubt elasticity of cloud environments offer a wide range of advantages to users and IT companies through a wide range of pay-as-you-go services, platforms and infrastructure facilities. However, Internet users express great concerns about the sufficient protection of their privacy when accessing cloud services and more specifically over public clouds. The structure of the cloud environment hinders new privacy issues that designers and developers need to consider when realising cloud services in order for the latter to be trusted by the prospective users. This paper presents a number of privacy-oriented technical concepts that analysts need to consider when designing and modeling privacy-aware systems in a cloud environment. Also it extends the PriS method by presenting a new conceptual model and a respective process for assisting in cloud services’ design and implementation.
Christos Kalloniatis

Accountability-Preserving Anonymous Delivery of Cloud Services

Cloud computing is an emerging paradigm whose importance both in large and small business is more and more increasing. As one of the reasons motivating the adoption of cloud computing solutions is to alleviate the load of companies related to the solution of security and disaster recovery issues, security is one of the main features to fulfill in a cloud computing system. Moreover, a number of new security and privacy problems arise, such as threats to user’s privacy due to the realistic possibility of having honest-but-curious cloud providers. In this scenario, we propose an authentication scheme supporting full anonymity of users and unlinkability of service requests. This is done by combining a multi-party cryptographic protocol with the use of a cooperative P2P-based approach to access services in the cloud. As the solution is thought to be adopted in e-government scenarios, accountability of user accesses is always preserved, to prevent misuse and illegal actions of users.
F. Buccafurri, G. Lax, S. Nicolazzo, A. Nocera

Till All Are One: Towards a Unified Cloud IDS

Recently there is a trend to use cloud computing on service deployment, enjoying various advantages that it offers with emphasis on the economy which is achieved in the era of the financial crisis. However, along with the transformation of technology, several security issues are raised and especially the threat of malicious insiders. For instance, insiders can use their privileged position to accomplish an attack against the cloud infrastructure. In this paper we introduce a practical and efficient intrusion detection system solution for cloud based on the advantages of CUDA technology. The proposed solution audits the deployed virtual machines operation, and correlates the collected information to detect uncommon behavior based on Smith-Waterman algorithm. To do so, we collect the system calls of cloud virtual machines and compare them with pre-defined attack signatures. We implement the core of the detection module both sequentially and in parallel on CUDA technology. We evaluate our solution on experimental CUDA enabled cloud system in terms of performance using well known attack patterns. Results indicate that our approach improve highly the efficiency of detection in terms of processing time compared to a sequential implementation.
Nikolaos Pitropakis, Costas Lambrinoudakis, Dimitris Geneiatakis

Security Policies / Usability Issues

Frontmatter

Security, Privacy and Usability – A Survey of Users’ Perceptions and Attitudes

Users are now in possession of an ever-growing number of advance digital devices with a wide range of capabilities which are used for accessing, storing and processing enormous information. A significant proportion of it is often considered sensitive and confidential. Accordingly, each device has its own associated security requirements and configurations. This paper presents the survey results of 302 digital device users, which aimed at exploring their technology usage and security practices, and at investigating their perceptions and satisfaction of associated current and alternative authentication approaches alongside their usability. Furthermore, it sought to analyse users’ awareness and attitudes towards related privacy issues. It is revealed that an inconsistency between users’ perceptions and real practices exists. Despite the widespread interest in more security, there is a quite low number of respondents using or maintaining the available security measures. However, it is apparent that users do not avoid applying the concept of authentication security but avoid the inconvenience of its current common techniques (biometrics are having growing practical interest). The respondents’ perceptions towards Trusted Third-Party (TTP) enable utilising biometrics for a novel authentication solution managed by a TTP working on multi devices to access multi services. However, it must be developed and implemented considerately.
Abdulwahid Al Abdulwahid, Nathan Clarke, Ingo Stengel, Steven Furnell, Christoph Reich

Identifying Factors that Influence Employees’ Security Behavior for Enhancing ISP Compliance

Organizations apply information security policies to foster secure use of information systems but very often employees fail to comply with them. Employees’ security behavior has been the unit of analysis of research from different theoretical approaches, in an effort to identify the factors that influence security policy compliance. Through a systematic analysis of extant literature this paper identifies and categorizes critical factors that shape employee security behavior and proposes security management practices that can enhance security compliance. Research findings inform theory by identifying research gaps and support security management.
Ioanna Topa, Maria Karyda

Dynamic Deployment and Monitoring of Security Policies

INTER-TRUST is a framework for the specification, negotiation, deployment and dynamic adaptation of interoperable security policies, in the context of pervasive systems where devices are constantly exchanging critical information through the network. The dynamic adaptation of the security policies at runtime is addressed using Aspect-Oriented Programming (AOP) that allows enforcing security requirements by dynamically weaving security aspects into the applications. However, a mechanism to guarantee the correct adaptation of the functionality that enforces the changing security policies is needed. In this paper, we present an approach with monitoring and detection techniques in order to maintain the correlation between the security policies and the associated functionality deployed using AOP, allowing the INTER-TRUST framework automatically reacts when needed.
Jose-Miguel Horcas, Mónica Pinto, Lidia Fuentes, Wissam Mallouli, Edgardo Montes de Oca

Privacy Requirements and Privacy Audit

Frontmatter

A Taxonomy of Requirements for the Privacy Goal Transparency

Privacy is a growing concern during software development. Transparency–in the sense of increasing user’s privacy-awareness–is a privacy goal that is not as deeply studied in the literature as the properties anonymity and unlinkability. To be compliant with legislation and standards, requirements engineers have to identify the requirements on transparency that are relevant for the software to be developed. To assist the identification process, we provide a taxonomy of transparency requirements derived from legislation and standards. This taxonomy is validated using related research which was identified using a systematic literature review. Our proposed taxonomy can be used by requirements engineers as basis to systematically identify the relevant transparency requirements leading to a more complete and coherent set of requirements.
Rene Meis, Roman Wirtz, Maritta Heisel

A Privacy Preserving Framework for Big Data in e-Government Environments

Big data is widely considered as the next big trend in e-Government environments but at the same time one of the most emerging and critical issues due to the challenges it imposes. The large amount of data being retained by governmental Service Providers that can be (potentially) exploited during Data Mining and analytics processes, include personal data and personally identifiable information, raising privacy concerns, mostly regarding data minimization and purpose limitation. This paper addresses the consideration of Central Government to aggregate information without revealing personal identifiers of individuals and proposes a privacy preserving methodology that can be easily incorporated into already deployed electronic services and e-Government frameworks through the adoption of scalable and adaptable salted hashing techniques.
Prokopios Drogkaris, Aristomenis Gritzalis

Privacy Principles: Towards a Common Privacy Audit Methodology

A lot of privacy principles have been proposed in the literature with the aim to preserve users’ privacy through the protection of the personal data collected by service providers. Despite the fact that there were remarkable efforts to gather all privacy principles and use them on a common privacy-by-design system, to the best of our knowledge, there is no published methodology that combines in a clear and structured way the existing privacy principles for supporting the design of a Privacy Preserving System. The absence of a widely accepted structured representation of the privacy principles makes their adoption or/and satisfaction difficult and in some cases inconsistent. Considering that privacy protection on its own is not an easy task for an organisation, the “scattered” privacy principles impose significant additional complexity. Consequently, very frequently organizations fail to effectively protect the privacy of their users. In this paper a structured privacy audit methodology that consists of discrete steps that organizations can follow for deciding or/and auditing the privacy protection measures is proposed. Every step is based on the significance of a privacy principle and on the sequence of the audit procedure.
Eleni-Laskarina Makri, Costas Lambrinoudakis

Backmatter

Weitere Informationen

Premium Partner

BranchenIndex Online

Die B2B-Firmensuche für Industrie und Wirtschaft: Kostenfrei in Firmenprofilen nach Lieferanten, Herstellern, Dienstleistern und Händlern recherchieren.

Whitepaper

- ANZEIGE -

Best Practices für die Mitarbeiter-Partizipation in der Produktentwicklung

Unternehmen haben das Innovationspotenzial der eigenen Mitarbeiter auch außerhalb der F&E-Abteilung erkannt. Viele Initiativen zur Partizipation scheitern in der Praxis jedoch häufig. Lesen Sie hier  - basierend auf einer qualitativ-explorativen Expertenstudie - mehr über die wesentlichen Problemfelder der mitarbeiterzentrierten Produktentwicklung und profitieren Sie von konkreten Handlungsempfehlungen aus der Praxis.
Jetzt gratis downloaden!

Bildnachweise