Towards Improved Network Security Requirements and Policy: Domain-Specific Completeness Analysis via Topic Modeling

Numerous Cloud Identity Management (IdM) systems have been designed and implemented to meet the diverse functional and security requirements of various organizations. These requirements are subjective in nature; for instance, some government organizations require security more than efficiency while others prioritize performance and immediate response over security. However, most of the existing IdM systems are incapable of handling the user-centricity, security & technology requirements and are also domain specific. In this regard, this chapter elaborates the need to use Cloud Computing technology for enhancing the effectiveness and transparency of IdM functions and presents a comprehensive and well-structured Extensible IdM Framework for Cloud based e-government institutions. We present the design and implementation details of the proposed framework, followed by a case study which shows how government organizations of Pakistan would use the proposed framework to improve their IdM processes and achieve diverse IdM services.

Download Full-text

A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

Software & Systems Modeling ◽

10.1007/s10270-020-00781-x ◽

2020 ◽

Vol 19 (5) ◽

pp. 1191-1227 ◽

Cited By ~ 2

Author(s):

Qusai Ramadan ◽

Daniel Strüber ◽

Mattia Salnitri ◽

Jan Jürjens ◽

Volker Riediger ◽

...

Keyword(s):

Data Storage ◽

Business Processes ◽

User Study ◽

Query Language ◽

Healthcare Management ◽

Security Requirements ◽

Domain Specific ◽

Trade Offs ◽

Legal Sanctions ◽

Context Specific

Abstract Requirements are inherently prone to conflicts. Security, data-minimization, and fairness requirements are no exception. Importantly, undetected conflicts between such requirements can lead to severe effects, including privacy infringement and legal sanctions. Detecting conflicts between security, data-minimization, and fairness requirements is a challenging task, as such conflicts are context-specific and their detection requires a thorough understanding of the underlying business processes. For example, a process may require anonymous execution of a task that writes data into a secure data storage, where the identity of the writer is needed for the purpose of accountability. Moreover, conflicts not arise from trade-offs between requirements elicited from the stakeholders, but also from misinterpretation of elicited requirements while implementing them in business processes, leading to a non-alignment between the data subjects’ requirements and their specifications. Both types of conflicts are substantial challenges for conflict detection. To address these challenges, we propose a BPMN-based framework that supports: (i) the design of business processes considering security, data-minimization and fairness requirements, (ii) the encoding of such requirements as reusable, domain-specific patterns, (iii) the checking of alignment between the encoded requirements and annotated BPMN models based on these patterns, and (iv) the detection of conflicts between the specified requirements in the BPMN models based on a catalog of domain-independent anti-patterns. The security requirements were reused from SecBPMN2, a security-oriented BPMN 2.0 extension, while the fairness and data-minimization parts are new. For formulating our patterns and anti-patterns, we extended a graphical query language called SecBPMN2-Q. We report on the feasibility and the usability of our approach based on a case study featuring a healthcare management system, and an experimental user study.

Download Full-text

Continuous Verification of Network Security Compliance

10.36227/techrxiv.15029811.v2 ◽

2021 ◽

Author(s):

Claas Lorenz ◽

Vera Clemens ◽

Max Schrötter ◽

Bettina Schnor

Keyword(s):

Network Security ◽

Formal Language ◽

Theorem Prover ◽

Domain Specific ◽

Rule Sets ◽

Rule Set ◽

Verification Tools ◽

Data Structures And Algorithms ◽

Security Compliance ◽

High Level

Continuous verification of network security compliance is an accepted need. Especially, the analysis of stateful packet filters plays a central role for network security in practice. But the few existing tools which support the analysis of stateful packet filters are based on general applicable formal methods like Satifiability Modulo Theories (SMT) or theorem prover and show runtimes in the order of minutes to hours making them unsuitable for continuous compliance verification.<br>In this work, we address these challenges and present the concept of state shell interweaving to transform a stateful firewall rule set into a stateless rule set. This allows us to reuse any fast domain specific engine from the field of data plane verification tools leveraging smart, very fast, and domain specialized data structures and algorithms including Header Space Analysis (HSA). First, we introduce the formal language FPL that enables a high-level human-understandable specification of the desired state of network security. Second, we demonstrate the instantiation of a compliance process using a verification framework that analyzes the configuration of complex networks and devices - including stateful firewalls - for compliance with FPL policies. Our evaluation results show the scalability of the presented approach for the well known Internet2 and Stanford benchmarks as well as for large firewall rule sets where it outscales state-of-the-art tools by a factor of over 41.

Download Full-text

Security in GRID Computing

Advances in Enterprise Information Technology Security ◽

10.4018/978-1-59904-090-5.ch002 ◽

2011 ◽

pp. 20-30

Author(s):

Eric Garcia

Keyword(s):

Network Security ◽

Grid Computing ◽

Heterogeneous Network ◽

Security Requirements ◽

Great Similarity ◽

Grid Security ◽

Grid Environments ◽

Administrative Domains ◽

Heterogeneous Resources

GRID computing implies sharing heterogeneous resources, located in different places belonging to different administrative domains over a heterogeneous network. There is a great similarity between GRID security and classical network security. Moreover, additional requirements specific to GRID environments exist. We present these security requirements and we detail various secured middleware systems. Finally, we give some examples of companies using such systems.

Download Full-text

An Extensible Identity Management Framework for Cloud-Based E-Government Systems

Advances in Electronic Government, Digital Divide, and Regional Development - Cloud Computing Technologies for Connected Government ◽

10.4018/978-1-4666-8629-8.ch007 ◽

2016 ◽

pp. 163-187

Author(s):

Hirra Anwar ◽

Muhammad Awais Shibli ◽

Umme Habiba

Keyword(s):

Cloud Computing ◽

Identity Management ◽

Security Requirements ◽

Computing Technology ◽

Management Framework ◽

Government Organizations ◽

Domain Specific ◽

Government Institutions ◽

Design And Implementation

Numerous Cloud Identity Management (IdM) systems have been designed and implemented to meet the diverse functional and security requirements of various organizations. These requirements are subjective in nature; for instance, some government organizations require security more than efficiency while others prioritize performance and immediate response over security. However, most of the existing IdM systems are incapable of handling the user-centricity, security & technology requirements and are also domain specific. In this regard, this chapter elaborates the need to use Cloud Computing technology for enhancing the effectiveness and transparency of IdM functions and presents a comprehensive and well-structured Extensible IdM Framework for Cloud based e-government institutions. We present the design and implementation details of the proposed framework, followed by a case study which shows how government organizations of Pakistan would use the proposed framework to improve their IdM processes and achieve diverse IdM services.

Download Full-text

Towards Safe and Optimal Network Designs Based on Network Security Requirements

2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications ◽

10.1109/trustcom.2012.279 ◽

2012 ◽

Author(s):

Nihel Ben Youssef Ben Souayeh ◽

Adel Bouhoula

Keyword(s):

Network Security ◽

Security Requirements ◽

Optimal Network

Download Full-text

Security-Focused Prototyping: A Natural Precursor to Secure Development

10.20944/preprints202103.0406.v1 ◽

2021 ◽

Author(s):

Sam Attwood ◽

Nana Onumah ◽

Katie Paxton-Fear ◽

Rupak Kharel

Keyword(s):

Case Studies ◽

Cyber Security ◽

Development Process ◽

Security Requirements ◽

Application Layer ◽

Domain Specific ◽

Proactive Approach ◽

Security Practices ◽

Future Work ◽

Natural Precursor

Secure development is a proactive approach to cyber security. Rather than building a technological solution and then securing it in retrospect, secure development strives to embed good security practices throughout the development process and thereby reduces risk. Unfortunately, evidence suggests secure development is complex, costly, and limited in practice. This article therefore introduces security-focused prototyping as a natural precursor to secure development that embeds security at the beginning of the development process, can be used to discover domain specific security requirements, and can help organisations navigate the complexity of secure development such that the resources and commitment it requires are better understood. Two case studies–one considering the creation of a bespoke web platform and the other considering the application layer of an Internet of Things system–verify the potential of the approach and its ability to discover domain specific security requirements in particular. Future work could build on this work by conducting case studies to further verify the potential of security-focused prototyping and even investigate its capacity to be used as a tool capable of reducing a broader, socio-technical, kind of risk.

Download Full-text

Flow-based Routing Model with Load Balancing on the Traffic Engineering Principles Taking into Account the Information Security Risks

Problemi telekomunìkacìj ◽

10.30837/pt.2020.2.03 ◽

2020 ◽

pp. 32-42

Author(s):

Maryna Yevdokymenko ◽

Maryna Shapoval ◽

Alla Krepko

Keyword(s):

Network Security ◽

Information Security ◽

Load Balancing ◽

Traffic Engineering ◽

Telecommunication Network ◽

Packet Transmission ◽

Secure Routing ◽

Security Requirements ◽

Security Risks ◽

Link Utilization

A practical approach to load balancing in a telecommunication network (TCN) is implementing Traffic Engineering (TE) technology principles to reduce link utilization and improve QoS level. In order to adapt TE solutions with network security requirements, this paper proposes a mathematical model for secure routing, which belongs to the class of flow-based optimization solutions. The model is based on the conditions of multi-flow routing implementation, flow conservation, and TCN link overload prevention. Due to this, the problem of secure routing is formulated in an optimization form. The model’s novelty is the modified conditions of load balancing in TCN. Along with the indicators of link capacity with the help of weighting coefficients, the network security (NS) indicators of TCN elements are also taken into account. The network security (NS) indicators in the TCN modeling process include information security risks of routers and communication links, losses from breach of confidentiality and integrity of information, probability of existing vulnerabilities exploitation, etc. The study confirmed the effectiveness of the proposed solution. On the test TCN topology, it is demonstrated that the use of a secure routing model allows to calculate the routes and provide such an order of load balancing, which compromises meeting the requirements of both QoS and NS. In the routing process, information security risk reduction in packet transmission by about 11.3% was accompanied by an increase (on average by 26%) in the upper bound of the network link utilization

Download Full-text

5-GENERATION NETWORK SECURITY ARCHITECTURE (5G)

Высокие технологии и инновации в науке: сборник избранных статей Международной научной конференции (Санкт-Петербург, Ноябрь 2020). ◽

10.37539/vt188.2020.67.83.016 ◽

2020 ◽

Author(s):

Денис Андреевич Ильин

Keyword(s):

Network Security ◽

Security Requirements ◽

Security Architecture ◽

5G Networks ◽

Generation Network

В статье описывается архитектура сетей 5G, ряд механизмов и процедур безопасности, реализованных в сетях 5-го поколения, охватываются все компоненты сети, а также учтены наиболее важные проблемы в безопасности и требования безопасности. The article examines the architecture of 5G networks, a set of security mechanisms and procedures implemented in 5th-generation networks and covering all network components, and considers the main vulnerabilities and security requirements.

Download Full-text

Analyzing various topic modeling approaches for Domain-Specific language model

2017 International Conference on Networks & Advances in Computational Technologies (NetACT) ◽

10.1109/netact.2017.8076743 ◽

2017 ◽

Author(s):

Disha Kaur Phull ◽

G. Bharadwaja Kumar

Keyword(s):

Topic Modeling ◽

Language Model ◽

Domain Specific Language ◽

Specific Language ◽

Domain Specific ◽

Modeling Approaches

Download Full-text