2015 10th International Conference on Availability, Reliability and Security: Latest Papers
Virtual Machine Introspection: Techniques and Applications
Yacine Hebbal, S. Laniepce, Jean-Marc Menaud
Virtual Machine Introspection (VMI) is a technique that enables monitoring virtual machines at the hypervisor layer. This monitoring concept has recently gained considerable focus in computer security research due to its complete but semantic-less visibility on virtual machines activities and isolation from them. VMI works range from addressing the semantic gap problem to leveraging explored VMI techniques in order to provide novel hypervisor-based services that belong to different fields. This paper aims to survey and classify existing VMI techniques and their applications.
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.43
Citations: 47
Countermeasures for Covert Channel-Internal Control Protocols
J. Kaur, S. Wendzel, M. Meier
Network covert channels have become a sophisticated means for transferring hidden information over the network, and thereby breaking the security policy of a system. Covert channel-internal control protocols, called micro protocols, have been introduced in recent years to enhance capabilities of network covert channels. Micro protocols are usually placed within the hidden bits of a covert channel's payload and enable features such as reliable data transfer, session management, and dynamic routing for network covert channels. These features provide adaptive and stealthy communication channels for malware, especially botnets. Although many techniques are available to counter network covert channels, these techniques are insufficient for countering micro protocols. In this paper, we present the first work to categorize and implement possible countermeasures for micro protocols that can ultimately break sophisticated covert channel communication. The key aspect of proposing these countermeasures is based on the interaction with the micro protocol. We implemented the countermeasures for two micro protocol-based tools: Ping Tunnel and Smart Covert Channel Tool. The results show that our techniques are able to counter micro protocols in an effective manner compared to current mechanisms, which do not target micro protocol-specific behavior.
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.88
Citations: 12
Securing Web Applications with Better "Patches": An Architectural Approach for Systematic Input Validation with Security Patterns
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.106
J.-W. Sohn, J. Ryoo
Some of the most rampant problems in software security originate from improper input validation. This is partly due to ad hoc approaches taken by software developers when dealing with user inputs. Therefore, it is a crucial research question in software security to ask how to effectively apply well-known input validation and sanitization techniques against security attacks exploiting the user input-related weaknesses found in software. This paper examines the current ways of how input validation is conducted in major open-source projects and attempts to confirm the main source of the problem as these ad hoc responses to the input validation-related attacks such as SQL injection and cross-site scripting (XSS) attacks through a case study. In addition, we propose a more systematic software security approach by promoting the adoption of proactive, architectural design-based solutions to move away from the current practice of chronic vulnerability-centric and reactive approaches.
Citations: 4
Generation of Local and Expected Behaviors of a Smart Card Application to Detect Software Anomaly
G. Jolly, B. Hemery, C. Rosenberger
The electronic payment transaction involves the use of a smart card. A card application is a software, corresponding to standards and non-proprietary and proprietary specifications, and is stored in the smart card. Despite increased security with Europay Mastercard Visa (EMV) specifications, attacks still exist due to anomalies in the card application. The validation of the card application enables the detection of any anomaly, improving the overall security of electronic payment transactions. Among the different ways of validating a card application, we can use the verification of required behaviors. These behaviors can be materialized as properties of commands sent by the terminal and responses from the smart card, using the Application Protocol Data Unit (APDU) from the ISO/IEC 7816 standard [1]. However, the creation of these behaviors is complicated. We propose in this article a way to automatically create such behaviors by using a genetic algorithm technique.
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.76
Citations: 1
Literature Review of the Challenges of Developing Secure Software Using the Agile Approach
H. Oueslati, M. M. Rahman, L. B. Othmane
A set of challenges of developing secure software using the agile development approach and methods are reported in the literature. This paper reports about a systematic literature review to identify these challenges and evaluates the causes of each of these challenges, with respect to the agile values, the agile principles, and the security assurance practices. We identified in this study 20 challenges, which are reported in 10 publications. We found that 14 of these challenges are valid and 6 are neither caused by the agile values and principles, nor by the security assurance practices. We also found that 2 of the valid challenges are related to the software development life-cycle, 4 are related to incremental development, 4 are related to security assurance, 2 are related to awareness and collaboration, and 2 are related to security management. These results justify the need for research to make developing secure software smooth.
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.69
Citations: 30
Method Selection and Tailoring for Agile Threat Assessment and Mitigation
Stephan Renatus, C. Teichmann, Jörn Eichler
Security engineering and agile development are often perceived as a clash of cultures. To address this clash, several approaches have been proposed that allow for agile security engineering. Unfortunately, agile development organizations differ in their actual procedures and environmental properties resulting in varying requirements. We propose an approach to compare and select methods for agile security engineering. Furthermore, our approach addresses adaptation or construction of a tailored method taking the existing development culture into account. We demonstrate the feasibility of our proposal and report early experiences from its application within a small development organization for digital solutions in the automotive domain.
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.96
Citations: 4
Error/Intrusion Target Identification on the Physical Layer over a BICM Scheme
Sihem Châabouni, A. Meddeb-Makhlouf
We propose in this work an error detection process for wireless networks, applied to a previously published transmitter/receiver system model. This model is based on a bit interleaved coded modulation (BICM) scheme over a frequency selective channel. The detection process is able to discern the attacked block: encoder, modulator or channel. We prove using simulations that the deployed intrusion detection system (IDS) is competitive by comparing it to existing intrusion detection systems.
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.46
Citations: 0
A Performance Evaluation of Hash Functions for IP Reputation Lookup Using Bloom Filters
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.101
Marc Antoine Gosselin-Lavigne, Hugo Gonzalez, Natalia Stakhanova, A. Ghorbani
IP reputation lookup is one of the traditional methods for recognition of blacklisted IPs, i.e., IP addresses known to be sources of spam and malware-related threats. Its use however has been rapidly increasing beyond its traditional domain reaching various IP filtering tasks. One of the solutions able to provide a necessary scalability is a Bloom filter. Efficient in memory consumption, Bloom filters provide a fast membership check, allowing to confirm a presence of set elements in a data structure with a constant false positive probability. With the increased usage of IP reputation check and an increasing adoption of IPv6 protocol, Bloom filters quickly gained popularity. In spite of their wide application, the question of what hash functions to use in practice remains open. In this work, we investigate 10 cryptographic and non-cryptographic functions for their suitability for Bloom filter analysis for IP reputation lookup. Experiments are performed with controlled, randomly generated IP addresses as well as a real dataset containing blacklisted IP addresses. Based on our results we recommend two hash functions for their performance and acceptably low false positive rate.
Citations: 7
Towards a Process-Centered Resilience Framework
Richard M. Zahoransky, C. Brenig, Thomas G. Koslowski
The turbulent organizational environment and the intensive use of interconnected, complex IT-systems incur operational risks with increasingly severe and uncertain disruptive effects. The increasing reliance on Information Systems (IS) such as Business Process Management (BPM) systems brought up an urgent need to ensure continuous business operations despite unexpected challenging conditions. In contrast to well-established risk-aware BPM which mainly addresses risk mitigation at design-time and only for known risks, we propose resilient BPM as a complementary approach focusing either at run-time or off-time. Such approaches seek the adjustment and maintenance of operations under disruption. We report on our ongoing work towards the development of a decision support framework to realize resilience in the BPM context. For this approach, measuring resilience on a process level is crucial, since it provides information that allows for better decision-making, learning, and improvement. Nevertheless, there are no suitable holistic measurement systems for resilient BPM available by now. Specifically, this paper motivates the need for operational resilience measurement at the level of processes. It presents the components and operation of our measurement framework, which helps to detect resilience properties of processes based on measures by analyzing process-logs. This information is then exploited to drive a resilience-oriented decision support to increase process resilience.
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.68
Citations: 11
Composition-Malware: Building Android Malware at Run Time
G. Canfora, F. Mercaldo, G. Moriano, C. A. Visaggio
We present a novel model of malware for Android, named composition-malware, which consists of composing fragments of code hosted on different and scattered locations at run time. A key feature of the model is that the malicious behavior could dynamically change and the payload could be activated under logic or temporal conditions. These characteristics allow a malware written according to this model to evade current malware detection technologies for Android platform, as the evaluation has demonstrated. The aim of the paper is to propose new approaches to malware detection that should be adopted in anti-malware tools for blocking a composition-malware.
Pub Date : 2015-08-24 DOI: 10.1109/ARES.2015.64
Citations: 42