References of "Computers and Security"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailAttribute evaluation on attack trees with incomplete information
Buldas, Ahto; Gadyatskaya, Olga UL; Lenin, Aleksandr et al

in Computers and Security (2020), 88(101630),

Attack trees are considered a useful tool for security modelling because they support qualitative as well as quantitative analysis. The quantitative approach is based on values associated to each node in ... [more ▼]

Attack trees are considered a useful tool for security modelling because they support qualitative as well as quantitative analysis. The quantitative approach is based on values associated to each node in the tree, expressing, for instance, the minimal cost or probability of an attack. Current quantitative methods for attack trees allow the analyst to, based on an initial assignment of values to the leaf nodes, derive the values of the higher nodes in the tree. In practice, however, it shows to be very difficult to obtain reliable values for all leaf nodes. The main reasons are that data is only available for some of the nodes, that data is available for intermediate nodes rather than for the leaf nodes, or even that the available data is inconsistent. We address these problems by developing a generalisation of the standard bottom-up calculation method in three ways. First, we allow initial attributions of non-leaf nodes. Second, we admit additional relations between attack steps beyond those provided by the underlying attack tree semantics. Third, we support the calculation of an approximative solution in case of inconsistencies. We illustrate our method, which is based on constraint programming, by a comprehensive case study. [less ▲]

Detailed reference viewed: 88 (5 UL)
Full Text
Peer Reviewed
See detailQualifying and Measuring Transparency: A Medical Data System Case Study
Spagnuelo, Dayana; Bartolini, Cesare UL; Lenzini, Gabriele UL

in Computers and Security (2020)

Transparency is a data processing principle enforced by the GDPR but purposely left open to interpretation. As such, the means to adhere to it are left unspecified. Article 29 Working Party provides ... [more ▼]

Transparency is a data processing principle enforced by the GDPR but purposely left open to interpretation. As such, the means to adhere to it are left unspecified. Article 29 Working Party provides practical guidance on how to interpret transparency, however there are no defined requirements nor ways to verify the quality of the implementation of transparency. We address this problem. We discuss and define applicable metrics for transparency, propose how measurement can be conducted in an operative system, and suggest a practical way in which these metrics can be interpreted in order to increase confidence that transparency is realised in a system. [less ▲]

Detailed reference viewed: 91 (3 UL)
Full Text
Peer Reviewed
See detailCollateral damage of Facebook third-party applications: a comprehensive study
Symeonidis, Iraklis UL; Biczók, Gergely; Shirazi, Fatemeh et al

in Computers and Security (2018), 77

Third-party applications on Facebook can collect personal data of the users who install them, but also of their friends. This raises serious privacy issues as these friends are not notified by the ... [more ▼]

Third-party applications on Facebook can collect personal data of the users who install them, but also of their friends. This raises serious privacy issues as these friends are not notified by the applications nor by Facebook and they have not given consent. This paper presents a detailed multi-faceted study on the collateral information collection of the applications on Facebook. To investigate the views of the users, we designed a questionnaire and collected the responses of 114 participants. The results show that participants are concerned about the collateral information collection and in particular about the lack of notification and of mechanisms to control the data collection. Based on real data, we compute the likelihood of collateral information collection affecting users: we show that the probability is significant and greater than 80% for popular applications such as TripAdvisor. We also demonstrate that a substantial amount of profile data can be collected by applications, which enables application providers to profile users. To investigate whether collateral information collection is an issue to users’ privacy we analysed the legal framework in light of the General Data Protection Regulation. We provide a detailed analysis of the entities involved and investigate which entity is accountable for the collateral information collection. To provide countermeasures, we propose a privacy dashboard extension that implements privacy scoring computations to enhance transparency toward collateral information collection. Furthermore, we discuss alternative solutions highlighting other countermeasures such as notification and access control mechanisms, cryptographic solutions and application auditing. To the best of our knowledge this is the first work that provides a detailed multi-faceted study of this problem and that analyses the threat of user profiling by application providers. [less ▲]

Detailed reference viewed: 151 (9 UL)
Full Text
Peer Reviewed
See detailA training-resistant anomaly detection system
Muller, Steve UL; Lancrenon, Jean; Harpes, Carlo et al

in Computers and Security (2018), 76

Modern network intrusion detection systems rely on machine learning techniques to detect traffic anomalies and thus intruders. However, the ability to learn the network behaviour in real-time comes at a ... [more ▼]

Modern network intrusion detection systems rely on machine learning techniques to detect traffic anomalies and thus intruders. However, the ability to learn the network behaviour in real-time comes at a cost: malicious software can interfere with the learning process, and teach the intrusion detection system to accept dangerous traffic. This paper presents an intrusion detection system (IDS) that is able to detect common network attacks including but not limited to, denial-of-service, bot nets, intrusions, and network scans. With the help of the proposed example IDS, we show to what extent the training attack (and more sophisticated variants of it) has an impact on machine learning based detection schemes, and how it can be detected. © 2018 Elsevier Ltd [less ▲]

Detailed reference viewed: 190 (7 UL)
Full Text
Peer Reviewed
See detailEfficiently computing the likelihoods of cyclically interdependent risk scenarios
Muller, Steve UL; Harpes, Carlo; Le Traon, Yves UL et al

in Computers and Security (2017), 64

Quantitative risk assessment provides a holistic view of risk in an organisation, which is, however, often biased by the fact that risk shared by several assets is encoded multiple times in a risk ... [more ▼]

Quantitative risk assessment provides a holistic view of risk in an organisation, which is, however, often biased by the fact that risk shared by several assets is encoded multiple times in a risk analysis. An apparent solution to this issue is to take all dependencies between assets into consideration when building a risk model. However, existing approaches rarely support cyclic dependencies, although assets that mutually rely on each other are encountered in many organisations, notably in critical infrastructures. To the best of our knowledge, no author has provided a provably efficient algorithm (in terms of the execution time) for computing the risk in such an organisation, notwithstanding that some heuristics exist. This paper introduces the dependency-aware root cause (DARC) model, which is able to compute the risk resulting from a collection of root causes using a poly-time randomised algorithm, and concludes with a discussion on real-time risk monitoring, which DARC supports by design. © 2016 Elsevier Ltd [less ▲]

Detailed reference viewed: 106 (5 UL)
Full Text
Peer Reviewed
See detailFormal modelling and analysis of receipt-free auction protocols in applied pi
Dong, Naipeng; Jonker, Hugo; Pang, Jun UL

in Computers and Security (2017), 65

Detailed reference viewed: 174 (2 UL)
Full Text
Peer Reviewed
See detailEmpirical analysis of cyber-attacks to an indoor real time localization system for autonomous robots
Guerrero-Higueras, Ángel Manuel; DeCastro-García, Noemí; Rodriguez Lera, Francisco Javier UL et al

in Computers and Security (2017), 70(Supplement C), 422-435

Detailed reference viewed: 118 (7 UL)
Full Text
Peer Reviewed
See detailA new access control scheme for Facebook-style social networks
Pang, Jun UL; Zhang, Yang UL

in Computers and Security (2015), 54

Detailed reference viewed: 117 (7 UL)
Full Text
Peer Reviewed
See detailStealing Bandwidth from BitTorrent Seeders
Adamsky, Florian UL; Khayam, Syed Ali; Jäger, Rudolf et al

in Computers and Security (2014)

Detailed reference viewed: 124 (3 UL)
Full Text
Peer Reviewed
See detailA Comprehensive Study of Multiple Deductions-based Algebraic Trace Driven Cache Attacks on AES
Zhao, Xinjie; Guo, Shize; Zhang, Fan et al

in Computers and Security (2013), 39

Detailed reference viewed: 133 (4 UL)
Full Text
Peer Reviewed
See detailEVIV: An end-to-end verifiable Internet voting system
Joaquim, Rui UL; Ferreira, Paulo; Ribeiro, Carlos

in Computers and Security (2013), 32(0), 170-191

Traditionally, a country’s electoral system requires the voter to vote at a specific day and place, which conflicts with the mobility usually seen in modern live styles. Thus, the widespread of Internet ... [more ▼]

Traditionally, a country’s electoral system requires the voter to vote at a specific day and place, which conflicts with the mobility usually seen in modern live styles. Thus, the widespread of Internet (mobile) broadband access can be seen as an opportunity to deal with this mobility problem, i.e. the adoption of an Internet voting system can make the live of voter’s much more convenient; however, a widespread Internet voting systems adoption relies on the ability to develop trustworthy systems, i.e. systems that are verifiable and preserve the voter’s privacy. Building such a system is still an open research problem. Our contribution is a new Internet voting system: EVIV, a highly sound End-to-end Verifiable Internet Voting system, which offers full voter’s mobility and preserves the voter’s privacy from the vote casting PC even if the voter votes from a public PC, such as a PC at a cybercafe´ or at a public library. Additionally, EVIV has private vote verificationmechanisms, in which the voter just has to perform a simple match of two small strings (4-5 alphanumeric characters), that detect and protect against vote manipulations both at the insecure vote client platform and at the election server side. [less ▲]

Detailed reference viewed: 141 (13 UL)
Full Text
Peer Reviewed
See detailEnforcing privacy in e-commerce by balancing anonymity and trust
Bella, Giampaolo; Giustolisi, Rosario UL; Riccobene, Salvatore

in Computers and Security (2011), 30(8), 705-718

Detailed reference viewed: 142 (6 UL)