Information Security in Diverse Computing Environments - Advances in Information Security, Privacy, and Ethics
Latest Publications


Total documents: 16 (five years: 0)

H-index: 3 (five years: 0)

Published By IGI Global

9781466661585, 9781466661592

Author(s): Jan H. P. Eloff, Mariki M. Eloff, Madeleine A. Bihina Bella, Donovan Isherwood, Moses T. Dlamini, ...

The increasing demand for online and real-time interaction with IT infrastructures by end users is facilitated by the proliferation of user-centric devices such as laptops, iPods, iPads, and smartphones. This trend is furthermore propounded by the plethora of apps downloadable to end user devices mostly within mobile-cum-cloud environments. It is clear that there is much evidence of innovation with regard to end user devices and apps. Unfortunately, little, if any, information security innovation took place over the past number of years with regard to the consumption of security services by end users. This creates the need for innovative security solutions that are human-centric and flexible. This chapter presents a framework for consuming loosely coupled (but interoperable) cloud-based security services by a variety of end users in an efficient and flexible manner using their mobile devices.


Author(s): Sylvia L. Osborn

With the widespread use of online systems, there is an increasing focus on maintaining the privacy of individuals and information about them. This is often referred to as a need for privacy protection. The author briefly examines definitions of privacy in this context, roughly delineating between keeping facts private and statistical privacy that deals with what can be inferred from data sets. Many of the mechanisms used to implement what is commonly thought of as access control are the same ones used to protect privacy. This chapter explores when this is not the case and, in general, the interplay between privacy and access control on the one hand and, on the other hand, the separation of these models from mechanisms for their implementation.


Author(s): Hosnieh Rafiee, Christoph Meinel

Security and privacy have become important issues when dealing with Internet Protocol version 6 (IPv6) networks. On one hand, anonymity, which is related to privacy, makes it hard for current security systems to differentiate between legitimate users and illegitimate users, especially when the users need to be authenticated by those systems whose services they require. On the other hand, a lack of privacy exposes legitimate users to abuse, which can result from the information gained from privacy-related attacks. The current problems inherent within IPv6-enabled networks are due, in part, to the fact that there is no standard available telling companies about the current deficiencies that exist within IPv6 networks. The purpose of this chapter is to show a balance between the use of privacy and security, and to describe a framework that can offer the minimum standard requirement needed for providing security and privacy to IPv6 networks.


Author(s): Stephen Marsh, Natasha Dwyer, Anirban Basu, Tim Storer, Karen Renaud, ...

Security is an interesting area, one in which we may well be guilty of misunderstanding the very people we are working for whilst trying to protect them. It is often said that people (users) are a weak link in the security chain. This may be true, but there are nuances. In this chapter, the authors discuss some of the work they have done and are doing to help users understand their information and device security and make informed, guided, and responsible decisions. This includes Device Comfort, Annoying Technologies, and Ten Commandments for designers and implementers of security and trust systems. This work is exploratory and unfinished (it should in fact never be finished), and this chapter presents a step along the way to better security users.


Author(s): Anne V. D. M. Kayem, Rotondwa Ratshidaho, Molulaqhooa L. Maoyi, Sanele Macanda

Supported by the Web 3.0 platform that enables dynamic content sharing, social networking applications are a ubiquitous information exchange platform. Content sharing raises the question of privacy with concerns typically centered on vulnerabilities resulting in identity theft. Identifying privacy vulnerabilities is a challenging problem because mitigations are implemented at the end of the software development life cycle, sometimes resulting in severe vulnerabilities. The authors present a prototype experimental social networking platform (HACKMI2) as a case study for a comparative analysis of three popular industry threat-modeling approaches. They focus on identified vulnerabilities, risk impact, and mitigation strategies. The results indicate that software and/or asset-centric approaches provide only a high-level analysis of a system's architecture and are not as effective as attacker-centric models in identifying high-risk security vulnerabilities in a system. Furthermore, attacker-centric models are effective in providing security administrators useful suggestions for addressing security vulnerabilities.


Author(s): Siddharth Singh, Tanveer J. Siddiqui

Recent advancement of multimedia technology has posed serious challenges to copyright protection, ownership, and integrity of digital data. This has made information security techniques a vital issue. Cryptography, Steganography, and Watermarking are three major techniques for securing information and ensuring copyright ownership. This chapter presents an overview of transform domain techniques for image steganography. The authors discuss the characteristics and applications of image steganography and briefly review Discrete Cosine and Wavelet transform-based image steganography techniques. They also discuss the various metrics that have been used to assess the performance of steganography techniques and shed light on the future of steganography.


Author(s): Abdulrahman Al-Mutairi, Stephen D. Wolthusen

Whilst the security and integrity of exterior gateway protocols such as the Border Gateway Protocol (BGP) and, to a lesser extent, interior gateway protocols, including the Multi-Protocol Label Switching (MPLS), have been investigated previously, more limited attention has been paid to the problem of availability and timeliness that is crucial for service levels needed in critical infrastructure areas such as financial services and electric power (smart grid) networks. The authors describe a method for modeling adversaries for the analysis of attacks on quality of service characteristics underpinning such real-time networks as well as a model of policies employed by MPLS routers based on simplified networks and give an analysis of attack vectors based on assumed adversaries derived from the introduced method.


Author(s): Maxim Schnjakin, Christoph Meinel

Cloud Computing as a service-on-demand architecture has grown in importance over the previous few years. One driver of its growth is the ever-increasing amount of data that is supposed to outpace the growth of storage capacity. The usage of cloud technology enables organizations to manage their data with low operational expenses. However, the benefits of cloud computing come along with challenges and open issues such as security, reliability, and the risk of becoming dependent on a provider for its service. In general, a switch of a storage provider is associated with high costs of adapting new APIs and additional charges for inbound and outbound bandwidth and requests. In this chapter, the authors present a system that improves availability, confidentiality, and reliability of data stored in the cloud. To achieve this objective, the authors encrypt users' data and make use of the RAID-technology principle to manage data distribution across cloud storage providers. Further, they discuss the security functionality and present a proof-of-concept experiment for the application to evaluate the performance and cost effectiveness of the approach. The authors deploy the application using eight commercial cloud storage repositories in different countries. The approach allows users to avoid vendor lock-in and significantly reduces the cost of switching providers. They also observe that the implementation improved the perceived availability and, in most cases, the overall performance when compared with individual cloud providers. Moreover, the authors estimate the monetary costs to be competitive with the cost of using a single cloud provider.


Author(s): P. Vinod, P. R. Rakesh, G. Alphy

The threats imposed by metamorphic malware (capable of generating new variants) can easily bypass a detector that uses pattern-matching techniques. Hence, it is necessary to develop sophisticated signature or non-signature-based scanners that not only detect zero day malware but also actively train themselves to adapt to new malware threats. The authors propose a statistical malware scanner that is effective in discriminating metamorphic malware samples from a large collection of benign executables. Previous research articles pertaining to metamorphic malware demonstrated that Next Generation Virus Kit (NGVCK) exhibited enough code distortion in every new generation to defeat signature-based scanners. It is reported that the NGVCK-generated samples are 10% similar in code structure. In the authors' proposed methodology, frequencies of opcodes of files are analyzed. The opcode features are transformed to new feature spaces represented by similarity measures (37 similarity measures). Thus, the aim is also to develop a non-signature-based scanner trained with small feature length to classify unseen malware and benign executables.


Author(s): Aderonke B. Sakpere, Anne V. D. M. Kayem

Streaming data emerges from different electronic sources and needs to be processed in real time with minimal delay. Data streams can generate hidden and useful knowledge patterns when mined and analyzed. In spite of these benefits, the issue of privacy needs to be addressed before streaming data is released for mining and analysis purposes. In order to address data privacy concerns, several techniques have emerged. K-anonymity has received considerable attention over other privacy preserving techniques because of its simplicity and efficiency in protecting data. Yet, k-anonymity cannot be directly applied on continuous data (data streams) because of its transient nature. In this chapter, the authors discuss the challenges faced by k-anonymity algorithms in enforcing privacy on data streams and review existing privacy techniques for handling data streams.

