Publications

Protecting Cloud-based CIs: Covert Channel Vulnerabilities at the Resource Level

Core-private caches represent a convenient and practical way of exfiltrating secret information and endanger ICT systems, including CIs. Attacks abusing the caches as covert channels are hard to detect, as the caches are easily accessible without any privileges. To address this threat and enhance the security in CIs and other ICT systems, we proposed the usage of feasibility metrics to assess the probability of a covert channel exploit happening in the system or to conduct post-mortem analysis.

Authors: 
Tsvetoslava Vateva-Gurova
Ruben Trapero
Neeraj Suri
Author (ESR): 
Salman Manzoor (Technische Universitaet Darmstadt)

Threat Modeling the Cloud: An Ontology Based Approach

In this paper, we have explored the relation among different actors involved in the Cloud ecosystem to develop an ontology. This ontology is further mapped to a design structure matrix for evaluating threats from varied actors’ perspectives. Our DSM-based threat analysis can be utilized to identify the most critical/influential as well as least critical/influential actor in the Cloud. However, our DSM-based approach is flexible and thus, it can be used to reveal other critical information such as classifying vulnerabilities that achieve a common goal.

Authors: 
Tsvetoslava Vateva-Gurova
Ruben Trapero
Neeraj Suri
Author (ESR): 
Salman Manzoor (Technische Universitaet Darmstadt)

SNAPAUTH: A Gesture-based Unobtrusive Smartwatch User Authentication Scheme

In this paper, we present a novel motion-based unobtrusive behavioral biometric-based user authentication solution, SnapAuth, for Android-based smartwatches. SnapAuth requires the user to perform a finger-snapping action, while wearing the smartwatch (on the gesture-performing arm), to perform the authentication. SnapAuth profiles the arm movements by collecting data from the smartwatch’s built-in accelerometer and gyroscope sensors, while the user performs this action. We implemented and evaluated SnapAuth on a Motorola Moto 3G smartwatch.

Authors: 
Attaullah Buriro
Bruno Crispo
Mojtaba Eskandri
Athar Mahboob
Rutger Van Acker
Author (ESR): 
Sandeep Gupta (Universita Degli Studi Di Trento)

Risks of Sharing Cyber Incident Information
[27/Aug/2018]

Incident information sharing is being encouraged and mandated as a way of improving overall cyber intelligence and defense, but its take up is slow. Organisations may well be justified in perceiving risks in sharing and disclosing cyber incident information, but they tend to express such worries in broad and vague terms. This paper presents a specific and granular analysis of the risks in cyber incident information sharing, looking in detail at what information may be contained in incident reports and which specific risks are associated with its disclosure.

Authors: 
Adham Albakri, Eerke Boiten, Rogério De Lemos
Author (ESR): 
Adham Albakri (University of Kent)

Policy Languages and Their Suitability for Trust Negotiation
[16/Jul/2018]

Entities, such as people, companies, institutions, authorities and web sites, live and exist in a conjoined world. In order to live and enjoy social benefits, entities need to share knowledge and resources and to cooperate together. The cooperation brings with it many new challenges and problems, among which one is the problem of trust. This area is also important for Computer Science. When unfamiliar entities wish to cooperate, they do not know what to expect nor whether they can trust each other.

Authors: 
Martin Kolar, Carmen Fernandez-Gago, Javier Lopez
Author (ESR): 
Martin Kolar (Universidad De Malaga)

Towards General scheme for Data Sharing Agreements empowering Privacy-Preserving Data Analysis of structured CTI
[3/Sep/2018]

This paper proposes an extension to the standard STIX representation for Cyber Threat Information (CTI) which couples specific data attributes with privacy-preserving conditions expressed through Data Sharing Agreements (DSA). The proposed scheme allows, in fact, sharing and anonymization policies to be defined in the form of a human-readable DSA, bound to the specific CTI. The whole scheme is designed to be completely compatible with the STIX 2.0 standard for CTI representation.

Authors: 
Fabio Martinelli
Oleksii Osliak
Andrea Saracino
Author (ESR): 
Oleksii Osliak (Consiglio Nazionale Delle Ricerche)

Enhancing Usage Control for Performance: A Proposal for Systems of Systems
[16/Jul/2018]

Modern interconnected systems of systems, such as the Internet of Things (IoT), demand the presence of access and usage control mechanisms which will be able to manage the right of access to the corresponding services, and the plethora of information being generated on a daily basis. The Usage Control (UCON) model offers the means for fine-grained dynamic control of access to specific resources, by monitoring and evaluating the attributes defined within a dedicated security policy.

Authors: 
Athanasios Rizos
Vasileios Gkioulos
Paolo Mori
Andrea Saracino
Author (ESR): 
Christina Michailidou (Consiglio Nazionale Delle Ricerche)

Enhancing Usage Control for Performance: An Architecture for Systems of Systems
[3/Sep/2018]

The distributiveness and heterogeneity of today’s systems of systems, such as the Internet of Things (IoT), on-line banking systems, and contemporary emergency information systems, require the integration of access and usage control mechanisms, for managing the right of access both to the corresponding services, and the plethora of information that is generated on a daily basis. Usage Control (UCON) is such a mechanism, allowing the fine-grained policy-based management of system resources, based on dynamic monitoring and evaluation of object, subject, and environmental attributes.

Authors: 
Athanasios Rizos
Vasileios Gkioulos
Paolo Mori
Andrea Saracino
Author (ESR): 
Christina Michailidou (Consiglio Nazionale Delle Ricerche)

Enhancing Usage Control for Performance: An Architecture for Systems of Systems
[3/Sep/2018]

The distributiveness and heterogeneity of today’s systems of systems, such as the Internet of Things (IoT), on-line banking systems, and contemporary emergency information systems, require the integration of access and usage control mechanisms, for managing the right of access both to the corresponding services, and the plethora of information that is generated on a daily basis. Usage Control (UCON) is such a mechanism, allowing the fine-grained policy-based management of system resources, based on dynamic monitoring and evaluation of object, subject, and environmental attributes.

Authors: 
Vasileios Gkioulos
Christina Michailidou
Paolo Mori
Andrea Saracino
Author (ESR): 
Athanasios Rizos (Consiglio Nazionale Delle Ricerche)

Enhancing Usage Control for Performance: A Proposal for Systems of Systems
[16/Jul/2018]

Modern interconnected systems of systems, such as the Internet of Things (IoT), demand the presence of access and usage control mechanisms which will be able to manage the right of access to the corresponding services, and the plethora of information being generated on a daily basis. The Usage Control (UCON) model offers the means for fine-grained dynamic control of access to specific resources, by monitoring and evaluating the attributes defined within a dedicated security policy.

Authors: 
Vasileios Gkioulos
Christina Michailidou
Fabio Martinelli
Paolo Mori
Author (ESR): 
Athanasios Rizos (Consiglio Nazionale Delle Ricerche)
