Computer Security: ESORICS 2019 International Workshops, CyberICPS, SECPRE, SPOSE, and ADIoT, Luxembourg City, Luxembourg, September 26–27, 2019 Revised Selected Papers (Security and Cryptology)
معرفی کتاب «Computer Security: ESORICS 2019 International Workshops, CyberICPS, SECPRE, SPOSE, and ADIoT, Luxembourg City, Luxembourg, September 26–27, 2019 Revised Selected Papers (Security and Cryptology)» نوشتهٔ Sokratis Katsikas (editor), Frédéric Cuppens (editor), Nora Cuppens (editor), Costas Lambrinoudakis (editor), Christos Kalloniatis (editor), John Mylopoulos (editor), Annie Antón (editor), Stefanos Gritzalis (editor), Frank Pallas (editor)، منتشرشده توسط نشر Springer International Publishing : Imprint: Springer در سال 2020. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
This book constitutes the refereed post-conference proceedings of the 5th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2019, the Third International Workshop on Security and Privacy Requirements Engineering, SECPRE 2019, the First International Workshop on Security, Privacy, Organizations, and Systems Engineering, SPOSE 2019, and the Second International Workshop on Attacks and Defenses for Internet-of-Things, ADIoT 2019, held in Luxembourg City, Luxembourg, in September 2019, in conjunction with the 24th European Symposium on Research in Computer Security, ESORICS 2019. The CyberICPS Workshop received 13 submissions from which 5 full papers and 2 short papers were selected for presentation. They cover topics related to threats, vulnerabilities and risks that cyber-physical systems and industrial control systems face; cyber attacks that may be launched against such systems; and ways of detecting and responding to such attacks. From the SECPRE Workshop 9 full papers out of 14 submissions are included. The selected papers deal with aspects of security and privacy requirements assurance and evaluation; and security requirements elicitation and modelling and to GDPR compliance. The SPOSE Workshop received 7 submissions from which 3 full papers and 1 demo paper were accepted for publication. They demonstrate the possible spectrum for fruitful research at the intersection of security, privacy, organizational science, and systems engineering. From the ADIoT Workshop 5 full papers and 2 short papers out of 16 submissions are included. The papers focus on IoT attacks and defenses and discuss either practical or theoretical solutions to identify IoT vulnerabilities and IoT security mechanisms. CyberICPS 2019 Preface CyberICPS 2019 Organization SECPRE 2019 Preface SECPRE 2019 Organization SPOSE 2019 Preface SPOSE 2019 Organization ADIoT 2019 Preface ADIoT 2019 Organization Contents CyberICPS Workshop Anomaly Detection for Industrial Control Systems Using Sequence-to-Sequence Neural Networks 1 Introduction 2 Proposed Method 2.1 SWaT Dataset 2.2 Data Preprocessing 2.3 Sequence-to-Sequence Neural Networks 2.4 Measuring Prediction Error 2.5 Anomaly Decision Using Prediction Errors 3 Experiment 3.1 Training 3.2 Anomaly Detection 4 Analysis of Experimental Results 4.1 Analysis on False Negative (Undetected Attacks) 4.2 Analysis on False Positives (False Alarms) 5 Conclusion References Reflective Attenuation of Cyber-Physical Attacks 1 Introduction 2 Related Work 2.1 Attack Tolerance 2.2 Programmable Networking 2.3 Programmable Reflection 3 Preliminaries 3.1 System Model 3.2 Adversary Model 4 Our Approach 5 Experimental Results 6 Conclusion References Distributed UCON in CoAP and MQTT Protocols 1 Introduction 2 Background 2.1 iot Protocols 2.2 Usage Control 3 Introducing Distributed ucon in coap and mqtt 3.1 Architecture 3.2 ucon in coap 4 Experimental Evaluation of Our Framework 4.1 Example of Use Case 4.2 Implementation 4.3 Testbed and Timing Evaluation 5 Related Work 6 Conclusion References Towards the Creation of a Threat Intelligence Framework for Maritime Infrastructures 1 Introduction 2 Maritime Security 3 MAINFRAME Technologies 3.1 VERACITY 3.2 Threat Detection 3.3 Honeypots 3.4 Blockchain 3.5 Threat Visualization 4 Liquefied Natural Gas Carrier 5 Conclusion References Connect and Protect: Requirements for Maritime Autonomous Surface Ship in Urban Passenger Transportation 1 Introduction 2 Related Work 3 The APS Ecosystem 3.1 System Context 3.2 APS Stakeholders 3.3 Regulations, Standards, and Guidelines 3.4 APS Functions 4 Communication and Cybersecurity Requirements 4.1 Requirements Deriving from the Regulators' Perspective 4.2 Requirements Deriving from the Classification Society's Perspective 4.3 Requirements Deriving from the Service Providers' Perspective 4.4 Requirements Deriving from the Users' Perspective 5 Conclusion and Future Work References Simulation-Based Evaluation of DDoS Against Smart Grid SCADAs Abstract 1 Introduction 2 State-of-the-Art Review 2.1 ICS Security 2.2 Denial of Service 2.3 ICS Testbeds 3 Problem Definition 4 System Architecture 4.1 Smart Grid ICS Testbed 4.2 SCADA Architecture 4.3 ICS DDoS Simulator 5 Experiments 5.1 Experiment #1: Zero Bots 5.2 Experiment #2: 1 Bot 5.3 Experiment #3: 5 Bots 6 Conclusion Acknowledgment References Identifying Safety and Human Factors Issues in Rail Using IRIS and CAIRIS 1 Introduction 2 Related Work 2.1 Security and Safety Challenges in Rail Infrastructure 2.2 Bridging Security, Safety, and Human Factors 2.3 IRIS and CAIRIS 3 Approach 3.1 Asset Modelling and Their Associations 3.2 Roles and Attacker Personas 3.3 Vulnerabilities Identification and Threat Modelling 3.4 Risk Analysis 3.5 Task and Goal-Obstacle Modelling 3.6 Identification of Safety Hazards 3.7 Human Factors Analysis 4 Case Study - Polish Tram Incident 4.1 Asset Modelling and Their Associations 4.2 Roles and Attacker Personas 4.3 Vulnerabilities Identification and Threat Modelling 4.4 Risk Analysis 4.5 Task and Goal-Obstacle Modelling 4.6 Identification of Safety Hazards 4.7 Human Factors Analysis 5 Discussion and Conclusion References SECPRE Workshop How Not to Use a Privacy-Preserving Computation Platform: Case Study of a Voting Application 1 Introduction 2 State of the Art 3 System Architecture 4 Voting 5 Tally 6 Conclusions References A Proposed Privacy Impact Assessment Method Using Metrics Based on Organizational Characteristics Abstract 1 Introduction 2 Literature Review 3 The Proposed Security and Privacy Impact Assessment Method 3.1 Scope of the Proposed Method 3.2 Theoretical Background 3.2.1 Data Sets Definitions 3.2.2 The Role of Privacy Principles, Privacy and Security Requirements 3.3 Quantification of Security and Privacy Requirements 3.3.1 Security Requirements and Data Sets’ Sensitivity 3.3.2 Privacy Requirements and Principles 3.4 The Proposed PIA Method 4 Conclusions Acknowledgment References A Conceptual Redesign of a Modelling Language for Cyber Resiliency of Healthcare Systems Abstract 1 Introduction 2 Background 2.1 Healthcare Cyber Resiliency 2.2 Security-Oriented Modelling Languages 3 Redesign Decisions and Challenges 3.1 Justification for the Use of Secure Tropos 3.2 Redesign Challenges 3.3 Healthcare Cyber Resiliency Challenges 3.4 Conceptual Metamodel Redesign 3.5 Incident Redesign 3.6 Healthcare Redesign 3.7 Resiliency Redesign 4 Case Study 5 Conclusions References Shaping Digital Identities in Social Networks: Data Elements and the Role of Privacy Concerns Abstract 1 Introduction 2 Forming Digital Identities in Social Networks 3 Research Design 3.1 Research Hypotheses 3.2 Research Model 3.3 Survey Design 3.4 Sampling and Survey Execution 3.5 Research Validation 4 Analysis of Survey Results 4.1 Users’ Understanding of Digital Identity 4.2 Findings on H1: The Effect of Privacy Concerns on Digital Identity Formation 4.3 Findings on H2 and H3: Social Network Influence on Digital Identity Formation and Privacy Concerns 5 Discussion 6 Conclusions and Further Research Acknowledgement References GDPR Compliance: Proposed Technical and Organizational Measures for Cloud Providers Abstract 1 Introduction 2 GDPR Requirements 2.1 Material and Territorial Scope 2.2 Data Protection Principles 2.3 Consent 2.4 Children – Parental Consent 2.5 Sensitive Data and Lawful Processing 2.6 Information Notices 2.7 Subject Access, Rectification and Portability 2.8 Rights to Object 2.9 Right to Erasure and Right to Restriction of Processing 2.10 Profiling and Automated Decision-Taking 2.11 Accountability, Security and Breach Notification 3 Countermeasures Depending on the Cloud Architecture 3.1 GDPR Roles and Cloud Architectures 3.2 Infrastructure as a Service 3.3 Platform as a Service 3.4 Software as a Service 4 Conclusions Acknowledgment References On the Applicability of Security and Privacy Threat Modeling for Blockchain Applications 1 Introduction 2 Background 3 Blockchain Threat Types 4 Compatibility Assessment 5 Conclusion References Privacy, Security, Legal and Technology Acceptance Requirements for a GDPR Compliance Platform Abstract 1 Introduction 2 The Defend Project and Its Position in the Industry 2.1 Industry State of the Art 2.2 Literature State of the Art 2.3 The DEFeND Project 3 An Holistic Engineering Approach: Functional, Privacy, Security, Legal and Acceptance Needs 3.1 Stakeholder Analysis 3.2 Privacy and Security Needs 3.3 Legal Needs 3.4 Technology Acceptance Needs 4 A Methodology to Elicit Software Requirements for a GDPR Compliance Platform 4.1 Preparation of Questionnaires 4.2 Validation of Questionnaires 4.3 Data Collection Approach 4.4 Data Analysis Approach 5 Eliciting Requirements for a GDPR Compliance Platform 5.1 Functional and Privacy/Security Requirements 5.2 Legal Requirements 5.3 Acceptance Requirements 6 Requirements’ Engineering for a GDPR Compliance Platform: Lessons Learned 6.1 Academic Implications 6.2 Industrial Implications 7 Conclusions Acknowledgments References Uncertainty-Aware Authentication Model for IoT Abstract 1 Introduction 2 Background and Related Work 3 Proposed Model 4 Methodology 4.1 Dataset Synthesis 4.2 Prediction Models for Authentication 5 Results and Discussion 6 Conclusion and Future Work From ISO/IEC 27002:2013 Information Security Controls to Personal Data Protection Controls: Guidelines for GDPR Compliance 1 Introduction 2 Background Information: Challenges in Personal Data Protection in the GDPR Era 3 ISO27001 Certification and the ISO27k Standards 4 From Information Security Controls to Personal Data Protection Controls 4.1 Enhancing Information Security Policies with Data Protection Policies 4.2 Extending Organisation of Information Security with Personal Data Protection Structures and Roles 4.3 Expanding Controls on Human Resources Security to Protect Personal Data Handled by Employees 4.4 Enhancing Asset Management with Personal Data Management 4.5 Implementing Data Protection-by-Design and -by-Default in Access Control 4.6 Employing Cryptography 4.7 Enhancing Communications Security with Personal Data Protection Objectives 4.8 Acquiring, Developing and Maintaining Systems Following Data Protection Principles 4.9 Managing Supplier Relationships While Protecting Personal Data 4.10 Including Data Breach Notification in Incident Management 4.11 Enhancing Compliance to Satisfy Lawfulness of Processing 4.12 Modules that Support GDPR Compliance 5 Enhancing the ISMS Framework with Personal Data Protection Risks Management 6 Conclusions References SPOSE Workshop On the Trade-Off Between Privacy and Utility in Mobile Services: A Qualitative Study 1 Introduction 2 Motivation and Background 3 Methodology 3.1 Study Approaches and Participants 3.2 Scenarios and Data Collection 4 Results 4.1 Factors Contributing to the Trade-Off 4.2 Desired Adoption of, and Trust in, The Privacy-Preserving Technologies 4.3 Privacy Concerns Across Cultures 5 Discussion References Analysis of Automation Potentials in Privacy Impact Assessment Processes 1 Introduction 2 Related Work 3 Envisioned System Architecture 4 Process Analysis 4.1 Preparation Stage 4.2 Evaluation Stage 4.3 Report and Safeguards Stage 5 Discussion References An Insight into Decisive Factors in Cloud Provider Selection with a Focus on Security 1 Introduction 2 Related Work 2.1 Security Assurance 2.2 CP Selection 2.3 Security, Threat Models and Compliance 3 Methodology 3.1 Sample Selection and Conduction of Interviews 3.2 Data Analysis 4 Interview Results 4.1 The Role of Security in CP Selection 4.2 Reasons for Moderate Interest in Security 4.3 Verification of Providers' Security Measures 4.4 Compliance and the General Data Protection Regulation 5 Discussion 5.1 Threats to Validity and Limitations 6 Conclusion References Discrete Event Simulation of Jail Operations in Pursuit of Organizational Culture Change Abstract 1 Introduction 1.1 Conditions of Confinement and Facility Operations 1.2 Jail Versus Prison 1.3 Drivers of Jail Design 1.4 The New York City Jail System 1.5 Factors Driving the Conceptual Design (See Appendix A, Fig. 1) 1.6 Operational Validation (See Appendix A, Fig. 5) 1.7 How We Proceeded 2 Conceptual Design 2.1 Housing Unit Layout (See Appendix A, Figs. 3 and 4) 2.2 Glazed End Wall (See Appendix A, Figs. 10, 11, 12 and 13) 2.3 Mezzanine Walkways and Stairs (See Appendix A, Figs. 3, 4, 12 and 13) 2.4 Housing Support (See Appendix A, Figs. 3 and 4) 2.5 Contact Visitation (See Appendix A, Fig. 3) 2.6 Services Mall (See Appendix A, Fig. 4) 2.7 Rated Stair Towers (See Appendix A, Fig. 2) 3 A Different Approach 3.1 Detainee Movement (See Appendix A, Figs. 6, 7 and 8) 3.2 Why a New Approach 3.3 Institutional Culture in the Jails 3.4 Psychological Drivers in Jails 4 Simulations for Design that Helps Generate Positive Organizational Culture 4.1 Validity of Simulations (See Appendix A, Fig. 5) 4.2 Stair Tower Bottlenecks (See Appendix A, Figs. 2, 6, 7 and 8) 4.3 Adjusting Model Parameters 4.4 Log Jams (See Appendix A, Figs. 3, 4, 6, 7 and 8) 4.5 Direction of Movement (See Appendix A, Figs. 6, 7 and 8) 4.6 Additional Mitigation Strategies 4.7 Key Performance Indicators (See Appendix A, Fig. 9) 4.8 Future Work 5 Conclusions Appendix A References ADIoT Workshop A Basic Theory of Lightweight Hierarchical Key Predistribution Scheme 1 Introduction 1.1 Motivation 1.2 Our Contribution 1.3 Organization 2 Preliminary 2.1 Key Predistribution Scheme: An Overview 2.2 Hierarchical KPS (HKPS) 2.3 Evaluation Metrics 2.4 Combinatorial Designs and KPS 3 A Deterministic Hierarchical KPS 3.1 Hierarchical Design and HKPS 3.2 A Product Based HKPS 3.3 A Hash Chain Based HKPS (HC-HKPS) 4 Instantiation to a Selected KPS 4.1 Sensornet ch21DS17 4.2 Instantiation to Sensornet 5 Conclusion References Adversarial Examples for Hardware-Trojan Detection at Gate-Level Netlists 1 Introduction 2 Related Works 2.1 Hardware Trojan and Its Detection Utilizing Neural Networks 2.2 Adversarial Example 3 AE Attacks on Hardware Design 3.1 Scenario of the AE Attacks 3.2 Trojan-Net Concealment Degree and Modification Evaluating Value 3.3 Modification Method 4 Experiments 4.1 Experimental Setup 4.2 Six AE Patterns 4.3 Evaluation Without the Amount of Modifications 4.4 Evaluation with the Amount of Modifications 5 Conclusion References Selective Forwarding Attack on IoT Home Security Kits 1 Introduction 2 Related Work 3 Methodology 4 Results 4.1 Heartbeats in Swann 4.2 Heartbeats in D-Link Hub 4.3 Heartbeats in D-Link Camera 4.4 Heartbeats in Panasonic 4.5 Heartbeats in Telldus 4.6 Heartbeats in Samsung SmartThings 4.7 Summary 5 Threat Model 5.1 Wi-Fi Attacks 5.2 DNS Server Hijacking 5.3 Network Attacks 5.4 Automated Attack Against Swann Using Evil-Twin Wi-Fi AP 6 Discussion 6.1 Recommendations and Countermeasures 6.2 Responsible Disclosure Exercise 7 Conclusion References Denial-of-Service Attacks and Countermeasures in the RPL-Based Internet of Things 1 Introduction 2 Background 2.1 IoT Reference Model and Attack Vectors 2.2 RPL Protocol: Overview 3 Related Work 4 Implementing IoT Attacks in Cooja 4.1 Scenarios 4.2 Simulation Parameters and Metrics 4.3 Simulation Results 5 Proposed Threshold-Based IDS 5.1 IDS Architecture and Components 5.2 Attack Detection Methods 5.3 Border Router 6 IDS Evaluation 6.1 Implemented Algorithms 6.2 Metrics and Simulation Configuration 6.3 Scenarios and Topologies 6.4 Results 7 Conclusion and Future Work References Study of DNS Rebinding Attacks on Smart Home Devices 1 Introduction 2 DNS Rebinding Attack 2.1 High-Level Concept 2.2 Attack Methods 2.3 Countermeasures 2.4 Requirements 3 Descriptions of Experiments 3.1 Attacker Model 3.2 Experimental Setup 3.3 DNS Rebinding on Websites in the Wild 4 Results 4.1 Smart Home Devices 4.2 Measuring DNS Rebinding Attempts on Popular Websites 5 Discussion 6 Related Work 7 Conclusion References Anomaly Detection in the HVAC System Operation by a RadViz Based Visualization-Driven Approach 1 Introduction 2 Related Work 3 Visualization-Driven Approach 3.1 RadViz Visualization of the HVAC Data 3.2 Supplementary Visualization Models 4 Case Study and Discussion 5 Conclusions References Secure Location Verification: Why You Want Your Verifiers to Be Mobile 1 Introduction 2 System Model and Notation 2.1 Problem Statement 2.2 System Model 2.3 Threat Model 2.4 Use Cases 3 Location Verification Protocol (MoVers) 3.1 Controlled Mobility 4 Security Analysis 4.1 Single Verifier 4.2 Two Verifiers 4.3 More Verifiers or More Transmissions 5 Coordinated Controlled Mobility 6 Uncoordinated Mobility 6.1 Simulation Design 6.2 Parameter Selection 6.3 Opportunistic/Random Mobility 6.4 Uncoordinated Controlled Mobility 7 Related Work 8 Conclusion References Author Index
دانلود کتاب Computer Security: ESORICS 2019 International Workshops, CyberICPS, SECPRE, SPOSE, and ADIoT, Luxembourg City, Luxembourg, September 26–27, 2019 Revised Selected Papers (Security and Cryptology)