In this paper, the Grooming Attack Recognition System (GARS) is presented. The main objectives of GARS are the real-time identification, assessment and control of cyber grooming attacks in favor of child protection. The system utilizes the processes of document classification, personality recognition, user history and exposure time recording to calculate specific risks children are exposed to during chat conversations. The above processes are repeated after each new message and three of them feed corresponding fuzzy logic controllers that provide particular but homogenized risk values as outputs. The weighted sum of the particular risk values results in a total value that indicates the current cyber grooming risk the child is exposed to, as the conversation evolves. Depending on predefined thresholds, the total risk value can be used to trigger alarms for various scopes (children, parents, etc). The practical use of GARS is demonstrated with a case study based on real grooming dialogs. Furthermore, an evaluation of the proposed approach through the discussion of applicability and performance results is discussed.
Recent advances in sciences and business models required the invention of new and innovative types of systems in order for them to be used as a development and deployment platform for applications. Examples of such systems are the Grid and Cloud computing paradigms. Both of them are evolutionary distributed and collaborative systems, which have currently become the de facto platforms for the development and deployment of various types of applications. Despite the different nature of these two types of systems, several requirements and principles remain the same in both of them. Security is an essential principle and it is required to be maintained during any collaboration among participants. Despite the benefits of existing security solutions there are few proposals that addressed the problem of how to maintain security among domains where each implement its own access control (AC) policy. Moreover, the majority of existing solutions are static in nature and not suitable for the examined systems.
In this dissertation, the notions of AC requirements engineering, AC modeling and verification of security properties are fully integrated within a common systems engineering methodology. In summary, the contribution of this dissertation is multifold: we initially describe a systems engineering methodology for the development of AC systems; we describe our proposed steps; then we define an AC model; and lastly we define a verification technique for the verification of security properties. Specifically, looking towards a holistic approach on the definition of AC requirements, we propose a four-layer conceptual categorization for the identification of security requirements and an evaluation framework. In a comparative review of the examined AC models and mechanisms using the conceptual categorization, their pros and cons are exposed. Apart from the mapping of the AC area in Grid and Cloud systems, the given comparison renders valuable information for further enhancement of current approaches.
Moreover, we define an enhanced Role-Based Access Control (RBAC) model entitled domRBAC for collaborative systems, which is based on the ANSI INCITS 359-2004 AC model. The domRBAC is capable of differentiating the security policies that need to be enforced in each domain and to support collaboration under secure inter-operation. Cardinality constraints along with context information are incorporated to provide the ability of applying simple usage management of resources for the first time in a RBAC model. Furthermore, secure inter-operation is assured among collaborating domains during inter-domain role assignments, gradually and automatically. Yet, domRBAC, as an RBAC approach, intrinsically inherits all of its virtues such as ease of management, and Separation of Duty (SoD) with the latter also being supported in multiple domains. As a proof of concept, we implemented a simulator based on the definitions of our proposed AC model and conducted with experimental studies to demonstrate the feasibility and performance of our approach.
Lastly, we provide a formal definition of secure inter-operation properties in temporal logic, which can be verified using model checking techniques. The proposed technique consists of a generic one, and thus, can be used in any RBAC model to verify indirectly the correctness of the secure inter-operation functions that implement the global security policy. As a proof of concept, we provide examples that illustrate the enforcement of the defined secure inter-operation properties, which have to be verified in RBAC policies, and a performance analysis of the proposed technique.
The cloud is a modern computing paradigm with the ability to support a business model by providing multitenacy, scalability, elasticity, pay as you go and self provisioning of resources by using broad network access. Yet, cloud systems are mostly bounded to single domains and collaboration among different cloud systems is an active area of research. Over time, such collaboration schemas are becoming of vital importance since they allow companies to diversify their services on multiple cloud systems to increase both up-time and usage of services.
The existence of an efficient management process for the enforcement of security policies among the participating cloud systems would facilitate the adoption of multi-domain cloud systems. An important issue in collaborative environments is secure inter-operation.
Stemmed from the absence of relevant work in the area of cloud computing, we define a model checking technique that can be used as a management service/tool for the verification of multi-domain cloud policies. Our proposal is based on NIST’s (National Institute of Standards and Technology) generic model checking technique and has been enriched with RBAC reasoning. Current approaches, in Grid systems, are capable of verifying and detect only conflicts and redundancies between two policies. However, the latter cannot overcome the risk of privileged user access in multi-domain cloud systems. In this paper, we provide the formal definition of the proposed technique and security properties that have to be verified in multi-domain cloud systems. Furthermore, an evaluation of the technique through a series of performance tests is provided.
This work integrates with hazards for minor users while they are exposed to social networks.
In particular, it contributes with the statistical relationship of these hazards with the exposure
time as well as the amount of published personal information. Working on this direction, an
experiment was conducted that has revealed a huge number of personal information exposed
by users of social network applications. Moreover, a significant amount of suspicious activity
against minors has been recorded. Experimental data led to the hypothesis that online hazards
can be modeled with known statistical distributions. In order to examine this hypothesis,
survival analysis techniques, which involve the estimation of certain functions that reflect the
relation of a disastrous event with time, were applied. In particular, the distribution of the rate
at which suspicious activities towards children occur in social networks, as they were recorded
through the experiment, was derived. The results show that the incoming hazards for minor
female profiles follow the Logistic distribution, while the corresponding hazards for minor
male profiles follow the Normal distribution. Such knowledge is considered to be crucial for
developing an effective system for automated grooming recognition in real time by optimizing
the detection threshold as a function of time. Thus, the threshold sensitivity can be
appropriately adjusted such that lower frequencies of occurrence lead to lower threshold
sensitivities, and higher frequencies of occurrence lead to higher threshold sensitivities.
The increased complexity of modern access control (AC) systems stems partly from the need to support diverse and multiple administrative domains. Systems engineering is a key technology to manage this complexity since it is capable to assure that an operational system will adhere to the initial conceptual design and defined requirements. Specifically, the verification stage of an AC system should be based on techniques that have a sound and mathematical underpinning. Working on this assumption, model checking techniques are applied for the verification of predefined system properties, and thus, conducting a security analysis of a system. In this paper, we propose the utilization of automated and error-free model checking techniques for the verification of security properties in multi-domain AC systems. Therefore, we propose a formal definition in temporal logic of four AC system properties regarding secure inter-operation with Role-Based Access Control (RBAC) policies, in order to be verified using model checking. For this purpose, we demonstrate the implementation of a tool chain for expressing RBAC security policies, reasoning on role hierarchies and properly feeding the model checking process. The proposed approach can be applied in any RBAC model to detect non-conformance between an AC system and its security specifications as efficiently as possible. As a proof of concept, we provide examples that illustrate the verification of the defined secure inter-operation properties in multi-domain RBAC policies.
Cloud computing is an emergent technology that has generated significant interest in the marketplace and is forecasted for high growth. Moreover, Cloud computing has a great impact on different type of users from individual consumers and businesses to small and medium size (SMBs) and enterprise businesses. Although there are many benefits to adopting Cloud computing, there are significant barriers to adoption, viz. security and privacy. In this paper, we focus on carefully planning security aspects regarding access control of Cloud computing solutions before implementing them and, furthermore, on ensuring they satisfy particular organizational security requirements. Specifically, we propose a methodology for the development of access control systems. The methodology is capable of utilizing existing security requirements engineering approaches for the definition and evaluation of access control models, and verification of access control systems against organizational security requirements using techniques that are based on formal methods. A proof of concept example is provided that demonstrates the application of the proposed methodology on Cloud computing systems.
There are several hazards for children while they are exposed to social networks. This work integrates with the amount of personal information published on social networks as well as the statistical relation of these hazards with the exposure time. In particular, an experiment was made in Facebook lasting 24 weeks. This experiment has revealed that users expose a huge number of personal information on social networks. Moreover, during the experiment a significant amount of suspicious activity against minors has been recorded. Experimental data led to the hypothesis that online hazards can be modeled with known statistical distributions.
In order to examine this hypothesis, survival analysis techniques have been used. These techniques involve the estimation of certain functions which reflect the relation of a disastrous event with time. In particular, we derive the distribution of the rate at which suspicious activities towards children occur in social networks as they were recorded through the experiment. The results show that the incoming hazards for minor female profiles follow the Logistic distribution, while the corresponding hazards for minor male profiles follow the Normal distribution. This knowledge is then utilized for developing an effective system for automated grooming recognition, by optimizing the detection threshold as a function of time. Thus, the threshold sensitivity can be appropriately adjusted such that lower frequencies of occurrence lead to lower threshold sensitivities, and higher frequencies of occurrence lead to higher threshold sensitivities.
A Use-based Approach for Enhancing UCON
In: Security and Trust Management, pp. 81-96. Springer BerlinHeidelberg (2013).
Authors: Chris Grompanopoulos, Antonios Gouglidis, Ioannis Mavridis
The security related characteristics of entities, the contextual information that describes them and the previous or concurrent usages exercised in the system are the criteria that the Usage CONtrol (UCON) family of models utilizes in the usage decision process. In this paper, a detailed classication of the aforementioned criteria along with a representative usage scenario for each category is presented, unveiling a number of UCON’s limitations. In turn, a Use-based Usage CONtrol (UseCON) model is proposed that provides, for the creation of a usage decision, enhanced handling of information regarding context and previ- ous or current usages exercised in the system. The enhanced capabilities of the proposed approach are demonstrated and discussed with the use of detailed application examples.
Usage CONtrol (UCON) is a next generation access control model enhanced with capabilities presented in trust and digital rights management. However, modern computing environments are usually introducing complex usage scenarios. Such a complexity results in involving a large number of entities and in utilizing multi party contextual information during the decision making process of a particular usage. Moreover, usage control is demanded to support novel access modes on single or composite resources, while taking into account new socio-technical abstractions and relations. In this paper, a number of challenging issues faced when UCON is applied in modern computing environments are highlighted through the utilization of representative usage scenarios. The results of this study are revealing various limitations in contextual information handling, lack to support complicated usage modes of subjects on objects, and weaknesses in utilizing information concerning previous or current usages of system resources.
Towards Use-Based Usage Control
In Proc. 27th IFIP International Information Security and Privacy Conference (SEC 2012), Heraklion, Crete, Greece, June 2012.
Authors: Grompanopoulos C., Mavridis I.
In this paper, a new Use-based usage CONtrol (UseCON) approach that supports recording of usages with the help of a new entity, named use, is presented. Uses provide information for the latest state (requested, active, denied, completed or terminated) of every usage and facilitate the fine-grained definition and proper association of attributes to various system entities. The proposed approach provides enhanced contextual information modeling, support of complicated access modes and an alternative approach in obligations modeling. Moreover, UseCON is characterized by high expressiveness and ability to define policy rules in almost natural language.
Modern collaborative systems such as the Grid computing paradigm are capable of providing resource sharing between users and platforms. These collaborations need to be done in a transparent way among the participants of a virtual organization (VO). A VO may consist of hundreds of users and heterogeneous resources. In order to have a successful collaboration, a list of vital importance requirements should be fulfilled, viz. collaboration among domains, to ensure a secure environment during a collaboration, the ability to enforce usage constraints upon resources, and to manage the security policies in an easy and efficient way. In this article, we propose an enhanced role based access control model entitled domRBAC for collaborative applications, which is based on the ANSI INCITS 359-2004 access control model. The domRBAC is capable of differentiating the security policies that need to be enforced in each domain and to support collaboration under secure inter-operation. Cardinality constraints along with context information are incorporated to provide the ability of applying simple usage management of resources for the first time in a role-based access control model. Furthermore, secure inter-operation is assured among collaborating domains during role assignment automatically and in real-time. Yet, domRBAC, as an RBAC approach, intrinsically inherits all of its virtues such as ease of management, and separation of duty relationships with the latter also being supported in multiple domains. As a proof of concept, we implement a simulator based on the definitions of our proposed access control model and conduct experimental studies to demonstrate the feasibility and performance of our approach.
Artemis application is designed for mobile devices which support the Adnroid operating system. It takes its name from Artemis, the ancient Greek goodness who was responsible for protecting children. The application is developed to protect minors from sexual exploitation hazards. After its installation, Artemis is running as service monitoring incoming sms messages for potential threat. With interactive collaboration with our server, Artemis calculates risk levels and sends a warning signal directly to the parent when it is necessary. Indeed, Artemis informs the parent for the potential threat without including additional information about the conversation. Afterwards the parent has full responsibility of taking all necessary actions for child’s protection. In current version, Artemis supports only English language text messages, however our future plans include supporting in more languages.
Web 2.0 consists one of the most emergent technologies of the World Wide Web. This type of technologies can be made available to consumers through a series of web services. Nevertheless, as a relative new approach, it is prone to various security issues. One of these is the potential to use web services provided by search engines such as Google’s and Microsoft’s Bing, in order to identify and attack vulnerable systems. In this paper, we describe a 3-step methodology that can be fully automated in order to deploy massive attacks against vulnerable systems. The methodology described takes advantage of the Google Hacking technique and extends it with two more steps that of information manipulation and the deployment of an exploit. An implementation of a python script demonstrates the applicability and the efficiency of the proposed attack. A real-world example, taking advantage of the JBoss JMX Management Console faulty configuration, indicates the extension of the problem. We anticipate this initiative to help in the identification of similar attack methods and the development of newly and more effective countermeasures against this type of attack methods.
2011 Deploying Privacy Improved RBAC in Web Information Systems
International Journal of Information Technologies and the Systems Approach (IJITSA), Special Issue on Privacy and Security Issues in IT, 4(2), pp.70-87, July-December 2011, ISSN: 1935-570X.
Authors: Ioannis Mavridis
Access control technology holds a central role in achieving trustworthy management of personally identifiable information in modern information systems. In this article, a privacy-sensitive model that extends Role- Based Access Control (RBAC) to provide privacy protection through fine-grained and just-in-time access control in Web information systems is proposed. Moreover, easy and effective mapping of corresponding components is recognized as an important factor for succeeding in matching security and privacy objectives. Such a process is proposed to be accomplished by capturing and modeling privacy requirements in the early stages of information system development. Therefore, a methodology for deploying the mechanisms of an access control system conforming to the proposed Privacy Improved Role-Based Access Control (PIRBAC) model is presented. To illustrate the application of the proposed methodology, an application example in the healthcare domain is described.
Grooming attack recognition is a complex issue that is difficult to address using simple word matching in order to identify potential hazard for minor users. In this paper, the utilization of document classification to create patterns from real dialogs is proposed. Furthermore, a decision making method that results in generating proper warning signals based on the classification results is introduced. The decision making method is then applied using the best ranked algorithm with a comparative evaluation which conducted on seven document classification algorithms.
Dynamic inter-domain collaborations and resource sharing comprise two key characteristics of mobile Grid systems. However, inter-domain collaborations have proven to be vulnerable to conflicts that can lead to privilege escalation. These conflicts are detectable in inter-operation policies, and occur due to cross-domain role relationships. In addition, resource sharing requires to be enhanced with resource usage management in virtual organizations where mobile nodes act as resource providers. In this case the enforcement of resource usage policies and quality of service policies are required to be supported due to the limited capabilities of the devices. Yet, the ANSI INCITS 359-2004 standard RBAC model provides neither any policy conflict resolution mechanism among domains, nor any resource usage management functionality. In this paper, we propose the domRBAC model for access control in mobile Grid systems at a low administrative overhead. The domRBAC is defined as an extension of the standardized RBAC by incorporating additional functionality to cope with requirements posed by the aforementioned systems. As a result, domRBAC facilitates collaborations among domains under secure inter-operation, and provides support for resource usage management in the context of multi-domain computing environments, where mobile nodes operate as first-class entities.
Grid access control models and architectures
Computational and Data Grids:Principles, Designs, and Applications, IGI Global, September 2011
Authors: Antonios Gouglidis, Ioannis Mavridis
In recent years, grid computing has become the focal point of science and enterprise computer environments. Access control in grid computing systems is an active research area given the challenges and complex applications. First, a number of concepts and terminology related to the area of grid access control are provided. Next, an analysis of the Role Based Access Control (RBAC) and Usage Control ABC (UCONABC) models is given, due to their adaption from the grid computing systems. Additionally, a presentation of well known grid access control architectures illustrates how the theoretical access control models are implemented into mechanisms. In a comparative review of the examined access control models and mechanisms, their pros and cons are exposed. Apart from the mapping of the access control area in grid computer systems, the given comparison renders valuable information for further advancement of current approaches.
Cloud computing is a composition of existing technologies viz. virtualization technology, disk storage, processors and so on, which gained considerable attention mostly from the enterprise. Cloud security is an active research area, due to the newly introduced SPI service model and the different deployment models that require the revision of several security concepts. Specifically, in this paper we give a brief presentation of Cloud computing and the terminology of access control concepts used in the Cloud. Additionally, we elaborate on the identification of access control’s distinctive characteristics in the aforementioned systems. We use a conceptual categorization, which is a systems engineering methodology, in order to identify a series of characteristics for access control in the Cloud computing paradigm. Furthermore, we present a comparative review of two prominent access control models for the Cloud, namely the Role-based Access Control model (RBAC) and the Usage Control model (UCONABC). We anticipate this initiative to help for the definition of concrete access control requirements and the design and implementation of new access control models, in order to accelerate the adoption of Cloud technologies.
Η ολοένα αυξανόμενη χρήση των διαδικτυακών διακομιστών απαιτεί την ύπαρξη κατάλληλων μηχανισμών και τεχνικών για την απρόσκοπτη και ελεγχόμενη λειτουργία τους. Η επιθυμία για πρόβλεψη και αποτροπή κακόβουλων ενεργειών που επιχειρούν να απειλήσουν την ομαλή λειτουργία υπολογιστικών συστημάτων στο διαδίκτυο, συνήθως με τη χρήση κατάλληλων διατάξεων αναχωμάτων ασφάλειας, οδηγεί στην ανάγκη για συνεχή καταγραφή και ανάλυση σε πραγματικό χρόνο των δεδομένων που δημιουργούνται κατά τη λειτουργία τους και τη χρήση των παρεχόμενων υπηρεσιών. Σε αυτή την εργασία, παρουσιάζεται η ανάπτυξη ενός κινητού συστήματος οπτικής επιθεώρησης ασφάλειας σε πραγματικό χρόνο, με την ονομασία ΚΑΣΣΙΟΠΕΙΑ (CASSIOPEIA), που αποσκοπεί στη βελτίωση των συνθηκών επίβλεψης και ελέγχου ενός διαδικτυακού διακομιστή από το διαχειριστή του, ώστε να ενισχύεται η δυνατότητα άμεσης αντίδρασης, ακόμη και από απόσταση, σε περίπτωση κρίσιμων για την ασφάλεια του συστήματος συμβάντων.
Information is an important key business asset, which can exist in many forms, it involves various risks and it is essential that is suitably protected. Therefore, it requires the involvement of proper management ensuring that information assets are sufficiently secured and controlled. Truth is that the risk management discipline has received increasing attention in recent years due to increased regulations, ongoing changes and greater economic volatility that all affect the business environment. The purpose of a proper risk management action is to ensure transparency at all levels of the organization by taking the appropriate measures to reduce costs and manage financial, organizational and personal risk all at once, satisfying business objectives. However, due to misleading fallacies around its concept and the complexity that derive from governance, risk and compliance (GRC) activities, risk management falls short of assuring information assets. In this paper the results of our work on studying government, compliance and human factors in information security risk management are presented. The scope is to develop strategic perspectives around risk management implementation related to the concept of information security, helping minimize risks and cost. Sustaining security value over long term necessitates the realization of the information security lifecycle and the recognition of an imperative factor, the human involvement. Security spending remains a main concern despite the current economic crisis showing challenges that need to be confronted. Such challenges include maintaining a strong IT workforce, addressing growing foreign and domestic competition, developing critical infrastructure protection, balancing automated and manual controls and controlling intellectual property rights. The road ahead is the recognition of an enterprise risk management (ERM) strategy able to maintain security assurance and challenge ongoing changes that impact on the effectiveness of risk management. In addition, it is high time to consider a wider risk management approach, that of the societal risk management. For optimized results, the organization should foster a culture based on communication and feedback, recognizing training and security awareness a top priority. Creating a holistic picture of an enterprise as part of risk management and compliance efforts, it will provide a comprehensive platform for capturing and integrating multiple perspectives on processes, thus controlling information flow. Information assurance depends on the level of collaboration across internal and external parties and the correlation of disperse information. To avoid unpleasant circumstances, the risk management principle should engage into a dual approach of operability, that is maintaining performance and periodically re-evaluate itself to tackle with upcoming trends and risks.
A study on user behaviour and acceptance of electronic banking services
In the Proceedings of the Special Session on “Performance analysis of Computer Networks (PaCoNet)” organized in conjunction with the 14th Panhellenic Conference on Informatics (PCI 2010), September 2010 Tripoli, Greece.
Authors: Aristeidis Chatzipoulidis, Ioannis Mavridis
This paper presents a study which investigates user behavior towards electronic banking (e-banking) and particularly in internet banking based on behavioral theoretical models and scales such as the theory of planned behavior (TPB), the diffusion of innovations theory, the technology acceptance model (TAM) and Kirton’s adaptor-innovator scale (KAI). In this study, behavioral and personality patterns lead to certain hypothesis regarding adoption towards internet banking. In addition, we categorize the most important factors affecting e-banking and propose the use of dependencies among different factors within the e-banking infrastructure in order to assess potential impacts and risks.
An ICT Security Management Framework
In the Proceedings of the International Conference on Security and Cryptography (SECRYPT 2010), poster, Athens, Greece, July 2010.
Authors: Aristeidis Chatzipoulidis, Ioannis Mavridis
Recently, organizations started to realize that managing information security is more than a software solution; it is a strategic discipline. This realization has emerged a major challenge in the business and technology field, the integration of all governance, risk, and compliance (GRC) activities to operate in synergy and balance in configuration with the business and security objectives. The goal of this paper is to develop a comprehensive ICT security management framework as a unified platform against the evolving GRC complexity. Considering the endemic nature of risk, the risk approach requires periodical rethinking in order to keep pace with security changes and prevent undesirable incidents while preserving the stakeholders’ interests continuously. Such an approach depends on the risk management maturity level, and the portfolio of monitoring controls.
This paper presents a survey on social networks’ privacy leaks and the potential hazards for users, especially teenagers. In particular, the profiles of two teenagers, one male and one female, with fake names were created. Using a suitable software tool, friend requests were sent massively. As a result, two networks of friends were created and access was granted to a significant amount of users’ personal information. Both profiles received requests for friendship and personal chat by adults aged up to 53 years old. In general the survey leads to results that reveal several hazards for children and critical issues about privacy of social network users.
The increasing incidents of children sexual exploitation through cyberspace demand for proper protection with technological defense mechanisms. This paper aims to present and evaluate methods and tools that are appropriate towards the prevention of child sexual abuse through Internet based communications. Attacking categories and strategies that predators follow are analyzed and modeled. Moreover, a comparative review of existing risk modeling methods, which is based on a set of proposed criteria, is presented. This comparison results in the conclusion that only two of the reviewed risk modeling methods can be adapted on the intended grooming attack detection system: Bayesian and Markovian. The proposed approach is concluded with a discussion on particular methods and tools for accurate attack probability calculation.
During recent years the number of online communication means between teenagers has been growing rapidly. However, the hazards that follow these new types of communication are growing as well. Predators use Internet conversations to attract minor users, usually resulting in catastrophic consequences. In this paper, a new risk management based approach is proposed, which aims to monitor internet-based conversations and identify possible attacks. In particular, a wide research on the area of children exploitation is first conducted, in order to identify the methods and the techniques that are used. Then, the implementation of a system capable of capturing and analyzing chat dialogs is proposed. The proposed system is under development and has not be implemented yet. It is based on three different sensors. The first one performs text analysis on captured traffic, as an attempt to look for known patterns that may indicate a possible attack. The Naive Bayes classifier method then follows, based upon the initial training set. In addition, this training set is enhanced and adopted to specific users’ needs via the proposed “supervised learning technique”. The second sensor captures files or web links that are sent through the chat conversation, indicating possible personal information leak or exposing unwanted material to minors. The third sensor counts how many times the same users talk with a particular child. As a result, a total risk factor is calculated as a weighted sum of the three risk factors, through applying the proper weight coefficients. In case the risk factor is above the predefined threshold, a warning signal is sent in order to warn on time that there is a possible grooming attack. The main challenge in the proposed system implementation is related to natural language processing, due to the fact that teenagers use their own acronyms and idioms when chatting, creating their own language. A deep research on these dialogs might result into different linguistic sets. Another important challenge is related with the privacy in internet related communications.
The operational characteristics of ubiquitous computing environments (UbiCom) generate new access control requirements which existing classical access control models fail to support efficiently. However, the Usage Control (UCON) family of models introduces components and mechanisms that seem to be able to partially match the specific requirements imposed by UbiCom environments. In this paper, an evaluation of current access control models based on a brief study of UbiCom access control requirements is presented. Then, a new access control approach that extends UCON towards a differentiated utilization of attribute mutability for easiness of administration, better performance and lower operational cost in UbiCom environments is proposed.
The emergence of grid and cloud computing systems has introduced new security concepts, so it requires new access control approaches. Traditional systems engineering processes can be enriched with helper approaches that can facilitate the definition of access control requirements in such complex environments. Looking towards a holistic approach on the definition of access control requirements, we propose a four-layer conceptual categorization. In addition, an example is given so that to demonstrate the utilization of the proposed categorization in a grid scenario for defining access control requirements, and evaluate their fulfilment vis-a-vis contemporary employed access control approaches.
2009 Evolving challenges in information security compliance
In Proceedings of the 4th Mediterranean Conference on Information Systems (MCIS 2009), Athens, Greece, September 2009.
Authors: Aristeidis Chatzipoulidis, Ioannis Mavridis
With the proliferation of computer-driven organizations and internet-based business information systems, the need for security has increased significantly. In addition, information security compliance is becoming a controversial issue among IT professionals. This paper aims to address the concerns arising from compatibility of security standards, compliance cost, certification approval and human involvement that affect compliance management. A unified approach to information security compliance is suggested for organizations seeking to build strong relationships across business and IT departments, improving in that way a company’s security value.
Despite the wide adoption by the scientific community, grid technologies have not been given the appropriate attention by enterprises. This is merely due to the lack of enough studying and defining security requirements of grid computing systems. More specifically, access control in grid systems has been addressed with the same models for collaborative systems based on distributed computing across multiple administrative domains. However, existing solutions are not based on a foundation for a holistic approach in grid access control. This paper aims to provide an adequate approach in this direction. Additionally, a comparative review of current access control models is provided in the context of our proposed four-layer conceptual grid categorization.
Publications
GARS: Real-time system for identification, assessment and control of cyber grooming attacks
Computers & Security, Vol. 42, pp.177 – 190 DOI:10.1016/j.cose.2013.12.004
Authors: Dimitrios Michalopoulos, Ioannis Mavridis, Marija Jankovic
2013
Access Control Requirements Engineering, Modeling and Verification in Multi-Domain Grid and Cloud Computing Systems
Ph.D. Dissertation
Author: Antonios Gouglidis
Supervisor: Ioannis Mavridis
Recent advances in sciences and business models required the invention of new and innovative types of systems in order for them to be used as a development and deployment platform for applications. Examples of such systems are the Grid and Cloud computing paradigms. Both of them are evolutionary distributed and collaborative systems, which have currently become the de facto platforms for the development and deployment of various types of applications. Despite the different nature of these two types of systems, several requirements and principles remain the same in both of them. Security is an essential principle and it is required to be maintained during any collaboration among participants. Despite the benefits of existing security solutions there are few proposals that addressed the problem of how to maintain security among domains where each implement its own access control (AC) policy. Moreover, the majority of existing solutions are static in nature and not suitable for the examined systems.
In this dissertation, the notions of AC requirements engineering, AC modeling and verification of security properties are fully integrated within a common systems engineering methodology. In summary, the contribution of this dissertation is multifold: we initially describe a systems engineering methodology for the development of AC systems; we describe our proposed steps; then we define an AC model; and lastly we define a verification technique for the verification of security properties. Specifically, looking towards a holistic approach on the definition of AC requirements, we propose a four-layer conceptual categorization for the identification of security requirements and an evaluation framework. In a comparative review of the examined AC models and mechanisms using the conceptual categorization, their pros and cons are exposed. Apart from the mapping of the AC area in Grid and Cloud systems, the given comparison renders valuable information for further enhancement of current approaches.
Moreover, we define an enhanced Role-Based Access Control (RBAC) model entitled domRBAC for collaborative systems, which is based on the ANSI INCITS 359-2004 AC model. The domRBAC is capable of differentiating the security policies that need to be enforced in each domain and to support collaboration under secure inter-operation. Cardinality constraints along with context information are incorporated to provide the ability of applying simple usage management of resources for the first time in a RBAC model. Furthermore, secure inter-operation is assured among collaborating domains during inter-domain role assignments, gradually and automatically. Yet, domRBAC, as an RBAC approach, intrinsically inherits all of its virtues such as ease of management, and Separation of Duty (SoD) with the latter also being supported in multiple domains. As a proof of concept, we implemented a simulator based on the definitions of our proposed AC model and conducted with experimental studies to demonstrate the feasibility and performance of our approach.
Lastly, we provide a formal definition of secure inter-operation properties in temporal logic, which can be verified using model checking techniques. The proposed technique consists of a generic one, and thus, can be used in any RBAC model to verify indirectly the correctness of the secure inter-operation functions that implement the global security policy. As a proof of concept, we provide examples that illustrate the enforcement of the defined secure inter-operation properties, which have to be verified in RBAC policies, and a performance analysis of the proposed technique.Security policy verification for multi-domains in cloud systems
International Journal of Information Security (IJIS), Springer, 10.1007/s10207-013-0205-x.
Authors: Antonios Gouglidis, Ioannis Mavridis, Vincent C. Hu
The existence of an efficient management process for the enforcement of security policies among the participating cloud systems would facilitate the adoption of multi-domain cloud systems. An important issue in collaborative environments is secure inter-operation.
Stemmed from the absence of relevant work in the area of cloud computing, we define a model checking technique that can be used as a management service/tool for the verification of multi-domain cloud policies. Our proposal is based on NIST’s (National Institute of Standards and Technology) generic model checking technique and has been enriched with RBAC reasoning. Current approaches, in Grid systems, are capable of verifying and detect only conflicts and redundancies between two policies. However, the latter cannot overcome the risk of privileged user access in multi-domain cloud systems. In this paper, we provide the formal definition of the proposed technique and security properties that have to be verified in multi-domain cloud systems. Furthermore, an evaluation of the technique through a series of performance tests is provided.
A method to calculate social networking hazard probability in definite time
Information Management & Computer Security, Vol. 21 Iss: 1, pp.16 – 29 DOI:10.1108/ 09685221311314392
Authors: Dimitrios Michalopoulos, Ioannis Mavridis
In particular, it contributes with the statistical relationship of these hazards with the exposure
time as well as the amount of published personal information. Working on this direction, an
experiment was conducted that has revealed a huge number of personal information exposed
by users of social network applications. Moreover, a significant amount of suspicious activity
against minors has been recorded. Experimental data led to the hypothesis that online hazards
can be modeled with known statistical distributions. In order to examine this hypothesis,
survival analysis techniques, which involve the estimation of certain functions that reflect the
relation of a disastrous event with time, were applied. In particular, the distribution of the rate
at which suspicious activities towards children occur in social networks, as they were recorded
through the experiment, was derived. The results show that the incoming hazards for minor
female profiles follow the Logistic distribution, while the corresponding hazards for minor
male profiles follow the Normal distribution. Such knowledge is considered to be crucial for
developing an effective system for automated grooming recognition in real time by optimizing
the detection threshold as a function of time. Thus, the threshold sensitivity can be
appropriately adjusted such that lower frequencies of occurrence lead to lower threshold
sensitivities, and higher frequencies of occurrence lead to higher threshold sensitivities.
Verification of Secure Inter-operation Properties in Multi-domain RBAC Systems
International Workshop on Trustworthy Computing (TC 2013), co-located at the SERE 2013, Washington D.C. USA.
Authors: Antonios Gouglidis, Ioannis Mavridis, Vincent C. Hu
A Methodology for the Development and Verification of Access Control Systems in Cloud Computing
12th IFIP Conference on e-Business, e-Services, e-Society (IFIP I3E 2013).
Authors: Antonios Gouglidis, Ioannis Mavridis
+ Abstract
2012
Modeling Child Hazards and Privacy Leaks of Social Networking using Survival Analysis
Sixth International Symposium on Human Aspects of Information Security & Assurance, HAISA
Authors: Dimitrios Michalopoulos, Ioannis Mavridis
In order to examine this hypothesis, survival analysis techniques have been used. These techniques involve the estimation of certain functions which reflect the relation of a disastrous event with time. In particular, we derive the distribution of the rate at which suspicious activities towards children occur in social networks as they were recorded through the experiment. The results show that the incoming hazards for minor female profiles follow the Logistic distribution, while the corresponding hazards for minor male profiles follow the Normal distribution. This knowledge is then utilized for developing an effective system for automated grooming recognition, by optimizing the detection threshold as a function of time. Thus, the threshold sensitivity can be appropriately adjusted such that lower frequencies of occurrence lead to lower threshold sensitivities, and higher frequencies of occurrence lead to higher threshold sensitivities.
A Use-based Approach for Enhancing UCON
In: Security and Trust Management, pp. 81-96. Springer BerlinHeidelberg (2013).
Authors: Chris Grompanopoulos, Antonios Gouglidis, Ioannis Mavridis
Challenging Issues of UCON in Modern Computing Environments
In: Proceedings of the fifth Balkan Conference in Informatics. pp 156-161. BCI’12, ACM, New York, NY, USA (2012)
Authors: Christos Grompanopoulos and Ioannis Mavridis.
Towards Use-Based Usage Control
In Proc. 27th IFIP International Information Security and Privacy Conference (SEC 2012), Heraklion, Crete, Greece, June 2012.
Authors: Grompanopoulos C., Mavridis I.
domRBAC:An Access Control Model for Modern Collaborative Systems
Computers & Security, Available online 10 February 2012, ISSN 0167-4048, 10.1016/j.cose.2012.01.010.
Authors: Antonios Gouglidis, Ioannis Mavridis
+ Abstract
A mobile application towards preventing online sexual exploitation attacks
Kaspersky Lab, IT Security for the Next Generation – European Cup 2012
Authors: Dimitrios Michalopoulos, Eustathios Papadopoulos, Ioannis Mavridis
An effective attack method based on information exposed by search engines
Kaspersky Lab, IT Security for the Next Generation – European Cup 2012
Authors: Antonios Gouglidis
+ Abstract
2011
Deploying Privacy Improved RBAC in Web Information Systems
International Journal of Information Technologies and the Systems Approach (IJITSA), Special Issue on Privacy and Security Issues in IT, 4(2), pp.70-87, July-December 2011, ISSN: 1935-570X.
Authors: Ioannis Mavridis
ΚΑΣΣΙΟΠΕΙΑ: Κινητό Σύστημα Επιθεώρησης Ασφαλείας
Συνέδριο ΕΛ/ΛΑΚ 2011, 22 Μαίου 2011, Θεσσαλονίκη.
Authors: Βασίλειος Μαυρουδής, Ιωάννης Μαυρίδης
Utilizing Document Classification for Grooming Attack Recognition
In proceedings of IEEE ISCC international conference
Authors: Dimitrios Michalopoulos, Ioannis Mavridis
Role-based Secure Inter-operation and Resource Usage Management in Mobile Grid Systems
Workshop in Information Security Theory and Practice, WISTP’11 2011
Authors: Antonios Gouglidis, Ioannis Mavridis
+ Abstract
Grid access control models and architectures
Computational and Data Grids:Principles, Designs, and Applications, IGI Global, September 2011
Authors: Antonios Gouglidis, Ioannis Mavridis
+ Abstract
Towards new access control models for Cloud computing systems
Kaspersky Lab – IT Security for the Next Generation, Conference for Young Professionals, European Cup 2011
Authors: Antonios Gouglidis, Ioannis Mavridis
+ Abstract
2010
Ανάπτυξη κινητού συστήματος οπτικής επιθεώρησης ασφάλειας σε πραγματικό χρόνο
Authors: Βασίλειος Μαυρουδής, Ιωάννης Μαυρίδης
Developing Strategic Perspectives for Enterprise Risk Management towards Information Assurance
In the Proceedings of the 9th European Conference on Information Warfare and Security (ECIW’10), Thessaloniki, Greece, July 2010.
Authors: Aristeidis Chatzipoulidis, Ioannis Mavridis and Theodoros Kargidis
A study on user behaviour and acceptance of electronic banking services
In the Proceedings of the Special Session on “Performance analysis of Computer Networks (PaCoNet)” organized in conjunction with the 14th Panhellenic Conference on Informatics (PCI 2010), September 2010 Tripoli, Greece.
Authors: Aristeidis Chatzipoulidis, Ioannis Mavridis
An ICT Security Management Framework
In the Proceedings of the International Conference on Security and Cryptography (SECRYPT 2010), poster, Athens, Greece, July 2010.
Authors: Aristeidis Chatzipoulidis, Ioannis Mavridis
Surveying Privacy Leaks Through Online Social Networks
PCI 2010 International conference
Authors: Dimitrios Michalopoulos, Ioannis Mavridis
Towards risk based prevention of grooming attacks
Secrypt 2010 International conference
Authors: Dimitrios Michalopoulos, Ioannis Mavridis
Towards a Risk Management Based Approach for Protecting Internet Conversations
In proceedings of ECIW 2010 International conference
Authors: Dimitrios Michalopoulos, Ioannis Mavridis and Vasileios Vitsas
Towards Differentiated Utilization of Attribute Mutability for Access Control in Ubiquitous Computing
14th Panhellenic Conference on Informatics (PCI)
Authors: Christos Grompanopoulos, Ioannis Mavridis
On the Definition of Access Control Requirements for Grid and Cloud Computing Systems
LNICST , Networks for Grid Applications, Springer 2010
Authors: Antonios Gouglidis, Ioannis Mavridis
+ Abstract
2009
Evolving challenges in information security compliance
In Proceedings of the 4th Mediterranean Conference on Information Systems (MCIS 2009), Athens, Greece, September 2009.
Authors: Aristeidis Chatzipoulidis, Ioannis Mavridis
A Foundation for Defining Security Requirements in Grid Computing
IEEE Computer Society, 13th Panhellenic Conference on Informatics 2009
Authors: Antonios Gouglidis, Ioannis Mavridis
+ Abstract