Figure 1 - uploaded by Roy Campbell
Policy Development Life-cycle

Source publication
Conference Paper
In this paper we define and provide a general construction for a class of policies we call dynamic policies. In most existing systems, policies are implemented and enforced by changing the operational parameters of shared system objects. These policies do not account for the behavior of the entire system, and enforcing these policies can have u...

Citations

... Note that the compromised measurements "×" can be arbitrary values. Similar to the block sparsity expression in [17], the attack matrices can be expressed in sequences as shown below [1] 0 0 e s [2] × × e s [3] 0 0 ...
Article
Malicious data attacks have raised widespread concerns on data integrity and security of cyber-physical systems. This paper discusses a state recovery problem, where the underlying cyber-physical system is subject to switching location attacks. Compared with the fixed-location attack, the switching location attack changes the attack locations at a constant/variable frequency. This paper develops nonzero sub-row and nonzero entry sparsity models to characterize the switching location attacks. Moreover, state recovery constraints are deduced for different attack modes, which prove more efficient state recovery compared with the fixed-location and static decoders. According to the different sparsity models, l1/l2 and l1 decoders are designed, respectively, which can recover the initial state accurately within relaxation conditions. Numerical simulations in a randomly chosen system and a 14-bus electric power system show the proposed dynamic decoders can provide effective system resilience under switching location attacks.
... Conditional statements take the form if <conditions to be satisfied>, then <execute an action>. Examples are presented in [7], [8], [18], [19]. Policies described by such statements are verified and validated, as discussed in [20]. ...
Article
The limits of traditional (static) policies are well known in many areas of computer science and information security and are extensively discussed in the literature. Although some flexibility has been achieved with the introduction of dynamic policies, these efforts have only addressed a fraction of the requirements necessary to secure today's enterprises. Currently, no feedback mechanisms are in place to evaluate the effectiveness or economic impacts of static or dynamic policy implementation. Here, we address the requirement for feedback and present a policy for the next generation. This is a policy that includes a dynamic feedback response to the effectiveness of changes. The structure of this new type of policy, called a ‘management system’, is borrowed from discrete event system theory and functions as a control loop. A management system consists of four elements (control system, sensor, controller, and actuator) that are involved in a control law. In this article, we also present an analytical description of the optimal structure through which the three management systems (Information Security Management System (ISMS), Business Continuity Management System, and IT Service Management) should be linked in a company. We define a coupling parameter and, using an equation for the discrete control loop, show that ISMS and IT Service Management should ideally be strongly coupled, and ISMS and Business Continuity Management System should be weakly coupled. Furthermore, two types of management system can be defined. A simple management system (1st order management system) responds to and regulates only perturbations. An advanced management system (2nd order management system) has an overarching target function that influences the controller. This target function is usually economically oriented. Copyright © 2011 John Wiley & Sons, Ltd.
... Conditional statements take the form if <conditions to be satisfied>, then <execute an action>. Examples are presented in [7], [8], [18], [19]. Policies described by such statements are verified and validated, as discussed in [20]. ...
Conference Paper
The limits of traditional (static) policies are well-known in many areas of computer science and information security, and are extensively discussed in the literature. Although some flexibility has been achieved with the introduction of dynamic policies, these efforts have only addressed a fraction of the requirements necessary to secure today's enterprises. Currently, no feedback mechanisms are in place to evaluate the effectiveness or economic impacts of static or dynamic policy implementation. Here, we address the requirement for feedback and present a policy for the next generation. This is a policy that includes a dynamic feedback response to the effectiveness of changes. The structure of this new type of policy, called a "management system", is borrowed from discrete event system (DES) theory and functions as a control loop. A management system consists of four elements (control system, sensor, controller, and actuator) that are involved in a control law. Two types of management system can be defined. A simple management system (1st order management system) responds to and regulates only perturbations. An advanced management system (2nd order management system) has an overarching target function that influences the controller. This target function is usually economically oriented. Finally, we compare our new type of policy with two management systems that follow the Plan-Do-Check-Act (PDCA cycle) model. We investigate the two PDCA cycle standards ISO/IEC 27001 (Information Security Management System, ISMS) and BS 25999 (Business Continuity Management System, BCMS). We also show that the new type of policy can be applied to management systems based on a PDCA cycle.
... Conditional statements take the form if <conditions to be satisfied>, then <execute an action>. Examples are presented in [7], [8], [18], [19]. Policies described by such statements are verified and validated, as discussed in [20]. ...
Article
The limits of traditional (static) policies are well-known in many areas of computer science and information security, and are extensively discussed in the literature. Although some flexibility has been achieved with the introduction of dynamic policies, these efforts have only addressed a fraction of the requirements necessary to secure today's enterprises. Currently, no feedback mechanisms are in place to evaluate the effectiveness or economic impacts of static or dynamic policy implementation. Here, we address the requirement for feedback and present a policy for the next generation. This is a policy that includes a dynamic feedback response to the effectiveness of changes. The structure of this new type of policy, called a "management system", is borrowed from discrete event system (DES) theory and functions as a control loop. A management system consists of four elements (control system, sensor, controller, and actuator) that are involved in a control law. Two types of management system can be defined. A simple management system (1st order management system) responds to and regulates only perturbations. An advanced management system (2nd order management system) has an overarching goal function that influences the controller. This goal function is usually economically oriented. Finally, we compare our new type of policy with two management systems that follow the Plan-Do-Check-Act model (Deming cycle). We investigate the two Deming cycle standards ISO/IEC 27001 (Information Security Management System, ISMS) and BS 25999 (Business Continuity Management System, BCMS). We also show that the new type of policy can be applied to management systems based on a PDCA cycle.
... For example, GRBAC enables defining an environment role corresponding to each day of the week. In his context-aware security system, Campbell et al. [CAM03] defined a new implementation methodology for dynamic security policies [NAL02]. They defined the notion of dynamic policy as a program consisting of a set of guards and actions created and installed, on the fly, by the user or the administrator of the system. ...
Article
Abstract
Table of Contents
List of Figures
List of Tables
List of Publications
Introduction
  A. Pervasive and Ubiquitous Computing
  B. Distributed Systems
  C. Service Oriented Architecture (SOA)
  D. Web Services
  E. Peer to Peer Systems
  F. Workflow Architecture
  G. Security Requirements in Pervasive Systems
  H. Contributions
  I. Outline
Chapter I. Service Discovery
  A. Introduction
  B. Definition
  C. Service Discovery Components Design
  D. Service Discovery Protocols
    1. Salutation
    2. Service Location Protocol (SLP)
    3. Jini Lookup Service (JLS)
    4. UDDI
    5. UPnP
    6. WS-Discovery
    7. Service Discovery Protocol (SDP): Bluetooth
    8. Service Discovery in Ad-Hoc Networks
  E. Matching and Semantics
    1. Matching
    2. Ontology Based Service Discovery
  F. Context Awareness and Service Discovery
  G. Threats and Security Requirements
    1. Threats and Attacks
    2. Security Requirements for Service Discovery
  H. Approaches to Secure Service Discovery
    1. Access Control on the Service Side
    2. Registry-Based Architecture
    3. Privacy Issues for the Service Discovery
    4. Registry-less Architecture
Chapter II. Securing Decentralized Service Discovery
  A. Introduction
  B. Technical Background
    1. Identity Based Encryption
    2. Attribute Based Encryption
    3. Attribute Based Algorithm
    4. Private Key Generation: Online Vs Offline
  C. Enabling Secure Service Discovery with Attribute Based Encryption
    1. Introduction
    2. Profiles and Attributes
    3. Applying Attribute Based Encryption
  D. Algorithms for Decentralized Secure Service Discovery System
  E. Private Key Management
    1. Requesting Private Keys from an Online PKG
    2. Private Key Generation: Online Vs Offline
    3. Key Revocation
  F. Use Case Scenarios
  G. Security Evaluation
    1. Proof of Security
    2. Security Analysis
  H. Experimental Results
  I. Alternative Solutions
    1. Group Encryption
    2. Policy Based Cryptography
  J. Conclusion
Chapter III. Securing Registry-Based Service Discovery
  A. Introduction
  B. Technical Background
    1. XACML
    2. X.509 Attribute Certificate
  C. Service Discovery Policy
    1. Concept
    2. Choosing a Service Discovery Policy
  D. Architecture for a Registry-Based Secure Service Discovery
  E. Algorithm for a Secure Centralized Service Discovery
  F. Secure Service Discovery Middleware
    1. Related Work
    2. Middleware Stack
  G. Security Evaluation
  H. Measurement Results
  I. Conclusion
Chapter IV. Secure Service Discovery with Distributed Registries
  A. Introduction
  B. Related Work
  C. Technical Background
    1. Onion Routing
    2. Distributed Hash Tables (DHT)
  D. Requirements
  E. A Scalable Distributed Registry-Based Model
    1. Indexing and Data Retrieval
    2. Algorithms for Inter-registry Indexing and Data Retrieval
  F. Securing the Access to Distributed Registries
    1. Need for Anonymity
    2. Pairing-Based Onion Routing
    3. Anonymizing Publish / Request Messages for the Service Discovery
  G. Architecture for a Secure Distributed Registry-Based Service Discovery
  H. Security Evaluation
  I. Performance and Results
    1. Pairing-Based Onion Routing Costs
    2. Kademlia Request/Response Costs
  J. Conclusion
Chapter V. A Performance Analysis of Secure Service Discovery Solutions
  A. Introduction
  B. Related Work
    1. Matching Strategies
    2. Fault Tolerance and Crash Robustness
    3. Publishing and Retrieval Time
  C. Modeling Secure Service Discovery
    1. Centralized Discovery
    2. Decentralized Discovery
    3. System Model Assumptions
  D. Markovian Model
    1. Markovian Centralized Model
    2. Markovian Decentralized Model
  E. Matching Probabilities
  F. Model Validation
    1. Java Simulator
    2. Rejection Rate
    3. Server and Resource Usage Rate
  G. Performance Analysis
    1. System Setup
    2. Rejection Rate
    3. Average Number of Users in the System
    4. Service Time Duration of a Request in the System
    5. Summary
  H. Evaluation of the Impact of DoS Attacks on System Performance
    1. Introduction
    2. Attack Model
    3. Impact of a DoS Attack for a Protected and Non-Protected System
    4. Summary
  I. Conclusion
Chapter VI. Context Awareness in Service Discovery
  A. Definition
    1. Data Modeling
    2. Reasoning
    3. Quality of Context
  B. Context Awareness and Security
    1. Context-Aware Access Control
    2. Privacy and Context Awareness
    3. Context-Aware Encryption
  C. Context-Aware Security Policy
    1. Introduction to Security Policies
    2. Security Policy and Context-Awareness
    3. Related Work
    4. Context-Aware Security Policy Requirements
  D. Securing Contextual Information
    1. Confidentiality of Context Information
    2. Integrity of Context Information
    3. Trustworthiness of Delivered Context Information
  E. Context-Aware Security Policy for the Service Discovery
    1. Context Information Representation
    2. Reasoning about Context Information
    3. Health Care Scenario
    4. Performance and Results
  F. Conclusion
Chapter VII. Conclusion and Perspectives
Bibliography
Annex
  1. API Description
    1.1. General Features
    1.2. Interface Definition
      1.2.1. Parameters
      1.2.2. Methods
  2. UML Specifications
    2.1. External API
    2.2. Communication Related Data Structures
    2.3. Policy Handling
    2.4. Protocol Implementation
  3. WSDL Interface Specification
  4. Installation and Usage Guidelines
    4.1. Installation
    4.2. Usage
... doc/product/software/ios121/121newft/ 121limit/121e/121e1/eturbacl.pdf). Support for the need for dynamic policies can be found in the recent literature [10, 12, 13, 18]. I argue that the advantage of dynamic access lists is that they allow more flexibility, allowing defence in depth. ...
... Details of the semantics and performance characteristics of Cisco's implementation are not available in the scientific literature and I have been unable to find any quantitative analysis. There has been some recent work on policy or model-based approaches to semantics [10, 12, 13, 18]. The aim is to allow a very high level specification of system policies and needs. ...
Article
The use of IP filtering to improve system security is well established, and although limited in what it can achieve has proved to be efficient and effective. In the design of a security policy there is always a trade-off between usability and security. Static access lists make finding a balance particularly stark. Dynamic access lists would allow the rules to change for short periods of time, and would allow local changes by non-experts. The network administrator can set basic security guidelines which allow certain basic services only. All other services are restricted, but users are able to request temporary exceptions in order to allow additional access to the network. These exceptions are granted depending on the privileges of the user. The paper presents and justifies a semantics for dynamic access lists. An efficient method of implementing the dynamic semantics is proposed and experimentally validated. The experiments show that a useful dynamic semantics can be implemented with small memory costs and modest time costs. Keywords: firewalls, TCP/IP filtering, dynamic rules. CR Categories: C.2.0, C.2.3, C.2.6, K.6.5
... Regarding active networking projects, the Seraphim project [11,14] must be mentioned. It follows the approach of dynamic policies. ...
Conference Paper
To provide security for active networking nodes with respect to availability and controlled access, the introduction of an access control mechanism and consequently a policy framework are mandatory. We follow the approach of a scenario-tailored runtime supervision of the service. During the development of the access control mechanism we strongly focused on keeping the mechanism as efficient as possible and on realizing a modular design which allows the mechanism to be dynamically upgraded and configured using the active networking technology itself, while at the same time ensuring that mandatory security checks cannot be circumvented. Each service has to pass initial checks before it can be executed on an active node. Furthermore, service-specific adaptive criteria can also be included in the initial check. This paper discusses the corresponding flexible and dynamic access control policy framework, and we also present results achieved with a first prototype realized for the active networking environment AMnet.
... To address the new challenges in defining and managing security policies in pervasive computing environments, we propose a new class of policies called dynamic policies [22][23][24] that are designed with explicit knowledge of system behavior, focusing on the interactions between various system objects. We develop behavioral descriptions of programs that can be sent across networks to change a system's software state, while preserving certain security and privacy properties. ...
... Dynamic policies enable the creation of customizable programs that can be deployed on-the-fly, to enforce and implement strong security policies that can adapt to a changing software environment. In [24] we present a powerful set of formal methods and mechanisms that can be used to create policies with strong security guarantees, eliminating guesswork in the design and deployment of reactive security systems. ...
Article
Pervasive computing environments with their interconnected devices and services promise seamless integration of digital infrastructure into our everyday lives. While the focus of current research is on how to connect new devices and build useful applications to improve functionality, the security and privacy issues in such environments have not been explored in any depth. While traditional distributed computing research attempts to abstract away physical location of users and resources, pervasive computing applications often exploit physical location and other context information about users and resources to enhance the user experience. The need to share resources and collaborate introduces new types of interaction among users as well as between the virtual and physical worlds. In this context, it becomes difficult to separate physical security from digital security. Existing policies and mechanisms may not provide adequate guarantees to deal with new exposures and vulnerabilities introduced by the pervasive computing paradigm. In this paper we explore the challenges for building security and privacy into pervasive computing environments, describe our prototype implementation that addresses some of these issues, and propose some directions for future work.
... In contrast, when the set of subjects can change over time, but the resources themselves remain more or less fixed, it is more efficient to use CLs. We have explored such a solution in the context of active networks in our previous work [4,13] and developed a CL-based architecture to enable the dynamic installation and update of policies in real-time, to accommodate different sets of subjects using the same resources for different active network protocols over time. Our security architecture for active networks also incorporated the access control safety and authorization techniques discussed in this paper, in the framework of a CL-based implementation. ...
Conference Paper
We investigate the cost of changing access control policies dynamically as a response action in computer network defense. We compare and contrast the use of access lists and capability lists in this regard, and develop a quantitative feel for the performance overheads and storage requirements. We also explore the issues related to preserving safety properties and trust assumptions during this process. We suggest augmentations to policy specifications that can guarantee these properties in spite of dynamic changes to system state. Using the lessons learned from this exercise, we apply these techniques in the design of dynamic access controls for dynamic environments.