- Bodies.dissemination-committee

[SPARTA - bodies.dissemination-committee] New paper at ISSRE21 Conference

by Pedro Adão

Dear all, I would like to inform you that the following paper A Comparative Study of Automatic Software Repair Techniques for Security Vulnerabilities Eduard Pinconschi, Rui Abreu, and Pedro Adão will be published in the conference (core-A ranking) The 32nd International Symposium on Software Reliability Engineering (ISSRE 2021) http://2021.issre.net/ Oct 25 - 28, 2021, Wuhan, China and will acknowledge SPARTA. I will make the paper available as soon as we have the camera ready version (28th of August). Do let me know if you need a draft in advance. Best regards, Pedro Abstract: In the past years, research on automatic program repair (APR), in particular on test-suite-based approaches, has significantly attracted the attention of researchers. Despite the advances in the field, it remains unclear how these techniques fare in the context of security---most approaches are evaluated using benchmarks of bugs that do not (\textit{only}) contain security vulnerabilities. In this paper, we present our observations using 10 state-of-the-art test-suite-based automatic program repair tools on the DARPA Cyber Grand Challenge benchmark of vulnerabilities in C/C++. Our intention is to have a better understanding of the current state of automatic program repair tools when addressing security issues. In particular, our study is guided by the hypothesis that the efficiency of repair tools may not generalize to security vulnerabilities. We found that the 10 analyzed tools can only fix 30 out of 55 vulnerable programs---54.5\% of the considered issues. In particular, we found that APR tools with atomic change operators and brute-force search strategy (\emph{AE} and \emph{GenProg}) and brute-force functionality deletion (\emph{Kali}) overall perform better at repairing security vulnerabilities (considering both efficiency and effectiveness). \emph{AE} is the tool that individually repairs most programs with 20 out of 55 programs (36.4\%). The causes for failing to repair are discussed in the paper, which can help repair tool designers to improve their techniques and tools.

4 years, 2 months

1
0
0 0

[SPARTA - bodies.dissemination-committee] Paper Submission - CINI - Request for Acknowledgment

by Gianluca Roascio

Dear All, As CINI (Italy) WP6.2 members, we are submitting a paper named "PROLEPSIS: Binary Analysis and Instrumentation of IoT Software for Control-Flow Integrity” to the IEEE International Conference on Electrical, Computer, Communications and Mechatronic Engineering (ICECCME) 2021. Authors and abstract of the paper are below. If accepted, we would like to have your consent to acknowledge SPARTA. Authors: Valentina FORTE, Nicolò MAUNERO, Paolo PRINETTO, Gianluca ROASCIO Abstract: Nowadays, the growing pervasiveness of digital components and their interconnection in the so-called Internet of Things, raises serious questions regarding security and integrity not only of the data exchanged, but also of the devices themselves and the software they run. Code-Reuse Attacks (CRA) are one of the most powerful binary attack paradigms, aiming to exploit memory vulnerabilities such as buffer overflows to force the application to execute an unintended sequence of instructions present in memory. To counter such a kind of attacks, ensuring the program's control-flow integrity (CFI) appears to be the most promising solution presented so far. A plethora of CFI implementations have been offered in the literature and by vendors, based on control-flow monitors located at the software level or even into hardware extensions. However, many proposed solutions opt for coarse-grained checks, or insert enforcement before all flow transfers. For software running on IoT platforms, where resources are usually limited, protections can increase the footprint in an unsustainable way. This paper presents PROLEPSIS, an automated binary code analysis tool for IoT applications written for ARM platforms. With an optimised search, the tool is able to identify only those executable point (control-flow instructions) that are really at risk of control-flow hijacking. Each recognised insecure point is instrumented according to a custom technique of choice, either based on a software or a hardware monitor, depending on the specific application needs. All the best, Gianluca Roascio -- *Gianluca ROASCIO* *CINI* - Laboratorio Nazionale Cybersecurity Sede di Torino c/o LINKS - Leading Innovation & Knowledge for Society Via Pier Carlo Boggio 61, I-10138 Torino TO - Italy Tel: +39 334 3762427 gianluca.roascio(a)consorzio-cini.it Skype: gianluca.roascio www.cybersecnatlab.it <http://www.consorzio-cini.it/>

4 years, 3 months

1
0
0 0

[SPARTA - bodies.dissemination-committee] article submission

by Algimantas Venckauskas

Dear all, We are submitting a paper “A Novel Approach for Network Intrusion Detection using Multistage Deep Learning Image Recognition” to the journal Electronics MDPI. The paper’s abstract is below. If accepted we will acknowledge SPARTA. The authors are Jevgenijus Toldinas, Algimantas Venčkauskas, Robertas Damaševičius, Šarūnas Grigaliūnas, Nerijus Morkevičius, Edgaras Baranauskas. All the best, Algimantas Venčkauskas ______________________________________________________ Abstract: The current rise in hacking and computer network attacks throughout the world has heightened the demand for improved intrusion detection and prevention solutions. The intrusion detection system (IDS) is critical in identifying abnormalities and assaults on the network, which have grown in size and pervasiveness. The paper proposes a novel method for network intrusion detection using multistage deep learning image recognition. The dataset network features are normalized and transformed into four-channel (Red, Green, Blue, and Alpha) images. The images are used to train and test the pre-trained deep learning model ResNet50. The proposed approach is evaluated using two benchmark datasets, UNSW-NB15 and BOUN Ddos. On the UNSW-NB15 dataset, the proposed method achieved 99.8% accuracy in the detection of the Generic attack. On the BOUN DDos dataset, the suggested method achieves 99.7% accuracy in the detection of the DDos attack and 99.7% accuracy in the detection of the normal traffic.

4 years, 3 months

1
0
0 0

[SPARTA - bodies.dissemination-committee] Submission

by Algimantas Venckauskas

Dear all, We have submitted the paper „Technical Threat Intelligence Analytics: What and How to Visualize for Analytic Process“ to the 24th International Conference ELECTRONICS 2020 Abstract: Visual Analytics uses data visualization methods for enabling compelling analysis of data by engaging graphical and visual representation. In the domain of cybersecurity, convincing visual representation of data enables to ascertain valuable observations that allow the domain experts to construct efficient cyberattack mitigation strategies and provide useful decision support. In this paper, we present a survey of the visual analytics tools and methods in the domain of cybersecurity. We explore and discuss Technical Threat Intelligence visualization tools using the Five Question Method. We conclude the analysis of the works using Moody’s Physics of Notations, and VIS4ML ontology as a methodological background of visual analytics process. This paper is still under evaluation. If it gets accepted, we will acknowledge SPARTA. Best, Algimantas Venčkauskas Kauno technologijos universitetas

4 years, 3 months

3
8
0 0

[SPARTA - bodies.dissemination-committee] SPARTA-related PhD positions in IMT Lucca

by Gabriele Costa

Dear Dissemination Committee, we would like to advertise the IMT Lucca PhD call among the SPARTA community. Students with the right profile that pass the selection process may be involved in the SPARTA activities. Could you please indicate which is the right mailing list for this kind of communication? I am attaching the call below for your convenience. Thank you Gabriele Costa === Fully-funded four-year PhD scholarships at IMT Lucca IMT School for Advanced Studies Lucca invites applications for PhD positions in the Systems Science program, and specifically for its Computer Science and Systems Engineering track. We carry out foundational, applied, and interdisciplinary research on the modeling and analysis of systems, broadly construed. The SySMA research unit welcomes applications from candidates in Computer Science with an interest in any of the following topics: - computational methods for the analysis of cyber-physical systems; - cybersecurity; - modeling and verification of concurrent, distributed, and self-adaptive systems; - program analysis; - smart contracts and blockchain technology; - software performance modeling and control; - machine learning - online social networks security (disinformation and social bot detection) A (not exhaustive) list of possible research projects for PhD candidates is available at: https://sysma.imtlucca.it/services/5_phd_projects/ Prospective candidates are warmly encouraged to get in touch with members of the SySMA unit for informal enquiries. The scholarship is for 4 years and consists of a gross grant amounting to € 15,300/year, in addition to free accommodation and board at the IMT Campus. PhD candidates have the possibility to defend their thesis from the beginning of the fourth year of the program, but no earlier as per Italian legislation. The initial start date of the PhD program is 2nd November 2021. The official language of the PhD program is English. Application deadline is June 30th, 2021, 12.00 pm CEST. Note that candidates who have not obtained their undergraduate degree by the deadline can still apply, and can be admitted if they graduate no later than 31 October 2021. Applications must be submitted through the online form at: https://pica.cineca.it/imtlucca/imtlucca-phd-2021/ Further information can be found at: https://www.imtlucca.it/en/phd/information-for-students -- Prof. Gabriele Costa IMT School for Advanced Studies Piazza S. Francesco, 19 - 55100 Lucca gabriele.costa(a)imtlucca.it

4 years, 3 months

1
1
0 0

[SPARTA - bodies.dissemination-committee] SPARTA acknowledgement for accepted paper

by Hofer-Schmitz, Katharina

Dear all, I have submitted a paper to SP2I'21 (ARES'21) and it was accepted. It acknowledges the SPARTA project. Title: A Formal Analysis of EnOcean's Teach-in and Authentication Author: Katharina Hofer-Schmitz Abstract: The security of protocols and the absence of design-related weaknesses and vulnerabilities is crucial for the prevention of cyber attacks. This paper provides the first formal model for EnOcean, an IoT protocol widely used in home automation systems. Based on EnOcean's security specification a formal model of its teach-in and high security authentication is created in the applied pi calculus. In an automated security analysis with the security protocol model checker ProVerif several security requirements are checked. While the analysis shows that all the secrecy statements can be verified, it identifies some weaknesses for the authentication. Based on an analysis of the potential attacks, we suggest a provable fix for the detected attacks. Best regards, Katharina Hofer-Schmitz Dipl.-Ing. Dr. Katharina Hofer-Schmitz Senior Researcher - Cyber Security & Defence JOANNEUM RESEARCH Forschungsgesellschaft mbH DIGITAL - Institute for Information and Communication Technologies Steyrergasse 17, 8010 Graz, Austria phone: +43 316 876-5702 E-Mail: katharina.hofer-schmitz(a)joanneum.at<mailto:katharina.hofer-schmitz@joanneum.at> Headquarters: JOANNEUM RESEARCH Forschungsgesellschaft mbH, Leonhardstrasse 59, 8010 Graz, Austria Company register: FN 48282 d Landesgericht für Zivilrechtssachen Graz ¦ VAT number: ATU28781306 ¦ www.joanneum.at/en Data Protection: www.joanneum.at/en/joanneum/imprint/dataprotection

4 years, 3 months

1
0
0 0

[SPARTA - bodies.dissemination-committee] two papers accepted at ARES workshops

by Raimundas Matulevicius

Dear all, The aforementioned papers are now accepted at the the venues. We will acknowledge the SPARTA project in the camera ready version. Both studies contribute to the WP6.5 result. Best greetings, Raimundas Hello, I would like to report that we have submitted two papers. Details of the papers are below. If accepted, we will acknowledge SPARTA. Best greetings, Raimundas ————————— Title: Information Security Analysis in the Passenger-Autonomous Vehicle Interaction Authors: Mariia Bakhtina, Raimundas Matulevičius Venue: International Workshop on Security and Privacy in Intelligent Infrastructures (SP2I 2021) co-organised at ARES 2021. Abstract: Autonomous vehicles (AV) are becoming a part of humans' everyday life. There are numerous pilot projects of driverless public buses; some car manufacturers deliver their premium-level automobiles with advanced self-driving features. Thus, assuring the security of a Passenger--Autonomous Vehicle interaction arises as an important research topic, as along with opportunities, new cybersecurity risks and challenges occur that potentially may threaten Passenger's privacy and safety on the roads. This study proposes an approach of the security requirements elicitation based on the developed threat model. Thus, information security risk management helps to fulfil one of the principles needed to protect data privacy - information security. We demonstrate the process of security requirements elicitation to mitigate arising security risks. The findings of the thesis are case-oriented and are based on the literature review. They are applicable for AV system implementation used by ride-hailing service providers that enable supervisory AV control. ————————— Title: Risk-Oriented Design Approach For Forensic-Ready Software Systems Authors: Lukas Daubner, Raimundas Matulevičius Venue: the 14th International Workshop on Digital Forensics (WSDF 2021) co-organised at ARES 2021. Abstract: Digital forensic investigation is a complex and time-consuming activity in response to a cybersecurity incident or cybercrime to answer questions related to it. These typically are what happened, when, where, how, and who is responsible. However, answering them is often very laborious and sometimes outright impossible due to a lack of useable data. The forensic-ready software systems are designed to produce valuable on-point data for use in the investigation with potentially high evidence value. Still, the particular ways to develop these systems are currently not explored. This paper proposes consideration of forensic readiness within security risk management to refine specific requirements on forensic-ready software systems. The idea is to re-evaluate the taken security risk decisions with the aim to provide trustable data when the security measures fail. Additionally, it also considers possible disputes, which the digital evidence can solve. Our proposed approach, risk-oriented forensic-ready design, composes of two parts: (1) process guiding the identification of the requirements in the form of potential evidence sources, and (2) supporting BPMN notation capturing the potential evidence sources and their relationship. Together they are aimed to provide a high-level overview of the forensic-ready requirements within the system. Finally, the approach is demonstrated on an automated valet parking scenario, followed by a discussion regarding its impact and usefulness within the forensic readiness effort. -------- Information Security Research Group: <https://infosec.cs.ut.ee> -------- Dr. Raimundas Matulevičius, Professor of Information Security Institute of Computer Science University of Tartu Narva mnt 18, 51009 Tartu Estonia

4 years, 4 months

1
0
0 0

[SPARTA - bodies.dissemination-committee] two papers submitted

by Raimundas Matulevicius

Hello, I would like to report that we have submitted two papers. Details of the papers are below. If accepted, we will acknowledge SPARTA. Best greetings, Raimundas ————————— Title: Information Security Analysis in the Passenger-Autonomous Vehicle Interaction Authors: Mariia Bakhtina, Raimundas Matulevičius Venue: International Workshop on Security and Privacy in Intelligent Infrastructures (SP2I 2021) co-organised at ARES 2021. Abstract: Autonomous vehicles (AV) are becoming a part of humans' everyday life. There are numerous pilot projects of driverless public buses; some car manufacturers deliver their premium-level automobiles with advanced self-driving features. Thus, assuring the security of a Passenger--Autonomous Vehicle interaction arises as an important research topic, as along with opportunities, new cybersecurity risks and challenges occur that potentially may threaten Passenger's privacy and safety on the roads. This study proposes an approach of the security requirements elicitation based on the developed threat model. Thus, information security risk management helps to fulfil one of the principles needed to protect data privacy - information security. We demonstrate the process of security requirements elicitation to mitigate arising security risks. The findings of the thesis are case-oriented and are based on the literature review. They are applicable for AV system implementation used by ride-hailing service providers that enable supervisory AV control. ————————— Title: Risk-Oriented Design Approach For Forensic-Ready Software Systems Authors: Lukas Daubner, Raimundas Matulevičius Venue: the 14th International Workshop on Digital Forensics (WSDF 2021) co-organised at ARES 2021. Abstract: Digital forensic investigation is a complex and time-consuming activity in response to a cybersecurity incident or cybercrime to answer questions related to it. These typically are what happened, when, where, how, and who is responsible. However, answering them is often very laborious and sometimes outright impossible due to a lack of useable data. The forensic-ready software systems are designed to produce valuable on-point data for use in the investigation with potentially high evidence value. Still, the particular ways to develop these systems are currently not explored. This paper proposes consideration of forensic readiness within security risk management to refine specific requirements on forensic-ready software systems. The idea is to re-evaluate the taken security risk decisions with the aim to provide trustable data when the security measures fail. Additionally, it also considers possible disputes, which the digital evidence can solve. Our proposed approach, risk-oriented forensic-ready design, composes of two parts: (1) process guiding the identification of the requirements in the form of potential evidence sources, and (2) supporting BPMN notation capturing the potential evidence sources and their relationship. Together they are aimed to provide a high-level overview of the forensic-ready requirements within the system. Finally, the approach is demonstrated on an automated valet parking scenario, followed by a discussion regarding its impact and usefulness within the forensic readiness effort.

4 years, 4 months

1
1
0 0

[SPARTA - bodies.dissemination-committee] Request for SPARTA acknowledgement for accepted paper

by Giorgio Bernardinetti

Dear all, We submitted a paper to ETACS ’21 (ARES ’21) and it was accepted. We plan to acknowledge the SPARTA project as this paper is in strong relationship with what was done in the WP9 recent work. Kind regards, Giorgio Bernardinetti Details of the paper: Title: Nautilus: A Tool For Automated Deployment And Sharing Of Cyber Range Scenarios By: G. Bernardinetti, S. Iafrate and G. Bianchi Abstract: In any cybersecurity training program, a non-marginal fraction of the activities are usually devoted to "hands-on" practice, typically in the form of vulnerable scenarios that the trainee must evaluate/penetrate. The manual setup and implementation of such training scenarios is a significant burden on trainers, and takes away valuable time. In order to automate this step and enable reuse of components or even entire scenarios, this paper proposes Nautilus, a Cyber Range with extended capabilities that at the same time provides a training environment and a "marketplace" platform to share scenarios, pre-implemented vulnerabilities/CVEs, scripts, etc. Nautilus leverages advanced cloud technologies to semi-automate deployment of vulnerable configurations of virtualized networks and systems, provides a graphical interface and a scenario description language, and integrates easy-to-use data/knowledge sharing facilities. In this respect, we believe that Nautilus can foster collaboration among different training teams and programs, and stimulate less skilled trainers, which alone would have perhaps prepared only basic scenarios, to access and reuse more advanced exercises prepared by others. Finally, we preliminary show the effectiveness and ease of use of the Nautilus Cyber Range via the results of a (so far) small-scale usability test conducted among different perspective trainers.

4 years, 4 months

3
2
0 0

[SPARTA - bodies.dissemination-committee] Information about accepted paper

by Ulrich Schöpp

Dear all, I would like to share information about a recent publication by fortiss. Our paper has been accepted for publication at SSIV+'2021 (Safety and Security of Intelligent Vehicles), a workshop at DSN 2021. It acknowledges the SPARTA project. Title: CyberGSN: A Semi-formal Language for Specifying Safety Cases Authors: Tewodros A. Beyene (fortiss, Germany) and Carmen Carlan (fortiss, Germany) Abstract: The use of safety cases to explicitly present safety argumentation considerations and decisions is a common practice in the safety-critical domain. A safety case can be used to scrutinize the safety assessment approach used by practitioners internally, or as an input for the certification process for an external certifying authority. However, safety cases are still created manually using notations such as the Goal Structuring Notation (GSN) to explicate the followed safety assessment and assurance measures. In addition, although safety cases may be created in a modular way by multiple entities, and it may be critical for each entity to digitally sign its part of the assurance for accountability, the common notations such as GSN are not expressive enough to include the notion of entity. Especially in cyber-security applications, the notion of entity is very critical. In this paper, we propose a formal logic based language called CyberGSN, with an explicit notion of entity, that can be used for specifying safety cases and safety case patterns, enabling the automated creation and maintenance of safety cases. Best, Ulrich fortiss GmbH Landesforschungsinstitut des Freistaats Bayern für softwareintensive Systeme An-Institut Technische Universität München Guerickestraße 25, 80805 München, Germany T: +49 (89) 3603522 166<tel:+49%20(89)%203603522%20166> F: +49 (89) 3603522 50 schoepp(a)fortiss.org<mailto:schoepp@fortiss.org> https://www.fortiss.org/ Amtsgericht München: HRB: 176633 USt-IdNr.: DE263907002, Steuer-Nr.: 143/237/25900 Rechtsform: gemeinnützige GmbH Sitz der Gesellschaft: München Geschäftsführer: Dr. Harald Rueß, Thomas Vallon Vorsitzender des Aufsichtsrats: Dr. Manfred Wolter

4 years, 4 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

Bodies.dissemination-committee