Yudistira Asnar - Academia.edu
Papers by Yudistira Asnar
2017 International Conference on Data and Software Engineering (ICoDSE), 2017
Nowadays, most networks are already protected by an Intrusion Prevention System (IPS). However, most IPSs use signature-based detection techniques, and updating signatures tends to be difficult and time-consuming because it requires expert knowledge. Therefore, signature-based IPSs have a weakness in detecting the latest attacks. This paper presents a signature-generating technique using a signature generator and a honeypot. The signature generator used in this paper is Polygraph, because it has an advantage in detecting polymorphic worms. The honeypot used is Dionaea, because its log can be converted into the form required by Polygraph. This paper discusses the steps needed to transform attack data from the honeypot into a rule that can be used by the Snort IPS.
This research develops a framework for detecting congestion on an urban road network. ATCS (Area Traffic Control System) data from Bandung city, containing traffic volume, are used in the congestion detection process. Traffic flow data are collected by vehicle detectors located at crossroads at 15-minute intervals. To compute spatial correlation, graph modelling is used to build the adjacency matrix. Taking the detector locations as vertices and the direction of vehicle travel as edges, the graph models the detector locations and flow directions at nine locations on the road network. The adjacency matrix consists of 3 matrices for each period of time, which describe the order of spatial distances travelled by vehicles between intersection locations. To calculate spatial correlation, the autocorrelation function and the cross-correlation function, both derived from Pearson's simple correlation, are used to find the influence of each location on the road network. The result o...
2016 IEEE Region 10 Symposium (TENSYMP), 2016
Congestion caused by the increasing demand for air transportation occurs at several airports in Indonesia, especially Soekarno-Hatta International Airport. In 2013, Soekarno-Hatta International Airport was ranked the 25th busiest airport in the world by Airports Council International. One of several ways to enlarge airport capacity is to improve the efficiency of current infrastructure utilization by optimizing schedules. Three optimization models are referred to: the model of Beasley et al., which optimizes runway utilization; Bertsimas and Stock Patterson's model, which optimizes airspace capacity allocation; and Lulli and Odoni's model, which is a macroscopic version of Bertsimas and Stock Patterson's model. Unfortunately, Lulli and Odoni's model could not be studied further because of a lack of information about its increasing convex function. The other models were modified from integer programs to constraint satisfaction optimization programs (CSOP) so that they are flexible to modify and their solutions can be local optima. Because of these advantages, rescheduling can be performed when there is a small change in the flight schedule. In addition, several constraints are added to the modification of the model of Beasley et al., such as a continued-flight constraint. Based on tests, the modified model of Beasley et al. succeeds in reducing delays and the modified Bertsimas and Stock Patterson model succeeds in running a simulation.
2014 International Conference on Data and Software Engineering (ICODSE), 2014
Input injections are considered the most common and effective vulnerabilities to exploit in many software systems (esp. web apps). In this paper, we propose a way to detect such vulnerabilities, such as SQL injection, command injection, and cross-site scripting. Input injection is caused by executing user inputs which have not been validated or sanitized, so that the purpose of the execution is changed by malicious agents to their advantage. The input injection detector is built by extending an existing static analysis tool, namely FindBugs. The detection uses dataflow analysis to track user-contaminated variables. To improve accuracy, reducing false positives and false negatives, dataflow analysis is also used to track variables that have been validated or sanitized by developers. Our detector has only a few false positives and false negatives based on our testing using our test cases and existing applications, i.e. WebGoat and ADempiere.
Recent trends in Software Engineering have introduced the importance of reconsidering the traditional idea of software design as a socio-technical problem, where human agents are an integral part of the system along with hardware and software components. Design and runtime support for Socio-Technical Systems (STSs) requires appropriate modeling techniques and non-traditional infrastructures. Agent-oriented software methodologies are natural solutions for the development of STSs, since both humans and technical components are conceptualized and analyzed as part of the same system. In this paper, we illustrate a number of Tropos features that we believe are fundamental to supporting the development and runtime reconfiguration of STSs. In particular, we focus on two critical design issues: risk analysis and location variability. We show how they are integrated and used in a planning-based approach to support the designer in evaluating and choosing the best design alternative. Finally, we present a generic framework to develop self-reconfigurable STSs.
2016 International Conference on Data and Software Engineering (ICoDSE), 2016
As one of the most popular smartphone operating systems nowadays, Android is used for various needs, from casual purposes such as games up to critical ones like banking. To avoid any access by impostors (unauthorized parties), the use of an authentication system is a must. Android provides a basic authentication system based on a screen lock using a PIN, password, or pattern. However, all of those methods have several vulnerabilities, i.e.: 1) the access key can be leaked or transferred, 2) they only support binary authentication, and 3) there is no re-authentication or revocation. This research aims at developing continuous behavioral authentication as a solution to those vulnerabilities. Our solution uses an authentication score, not just a binary authentication decision. The score is constructed using a fusion approach combining two modalities, i.e. keystroke dynamics (typing behavior) and touch gestures (tap, swipe, and pinch behavior). Each of those authentication models is built using two-class machine learning classification. This authentication system is designed to run continuously in the Android background, so it is possible to change authorization or revoke access whenever needed. The proposed solution has been implemented as a prototype on a testing application. Several tests have been held: first, a modality experiment to find the best classifier for each modality; second, a continuous fusion authentication test; third, a performance test. The results show that our proposed fusion authentication is more accurate than the modalities working separately. Based on continuous and live authentication testing on an Android device, the best fusion method is the Olympic mean with a threshold of 0.81, which makes the FAR and FRR equal at 0.26.
2014 International Conference on Data and Software Engineering (ICODSE), 2014
Android is considered the leading platform on the smartphone market. Thus, it has become a prime target for many security crooks and its security is of utmost concern. This research aims at assessing Android security, in particular whether Android's developers are getting better or worse at delivering a secure platform. In this research, we use data extracted from the National Vulnerability Database (NVD) to answer this question. Surprisingly, the study discovers that 83.3% of reported Android vulnerabilities originate from third-party apps that run on the Android platform and not inherently from the Android platform itself. We also discover strong evidence that Android security is getting better, based on the declining number of reported Android vulnerabilities and the reduction of the Android vulnerability Time-to-Patch.
2014 IEEE 27th Conference on Software Engineering Education and Training (CSEE&T), 2014
In this paper, we present an overview of how to reshape software engineering education in our undergraduate study program (i.e., curriculum program, software engineering curriculum package, and learning process) so that our graduates have sufficient skills to be the software engineers of 2020. We believe that the cornerstones of producing fine engineers are a good understanding of the following areas: basic fundamentals and principles of science and computing, methodology, techniques-tools-platforms, the capability to understand domain problems, communication and personal skills, and the attitude to be a good, self-disciplined learner. We translate these values into our undergraduate curriculum with the aim of producing general software engineers who are quick to master specific platforms/technologies and devices and to understand domain problems.
PhD, Universita Degli Studi Di Trento, 2009
Critical Information Systems (CISs) are a special class of information systems whose operation is critical to us because their failures might result in catastrophic effects (e.g., loss of life, economic loss, environmental destruction). Many efforts have been made to improve the quality of CISs from the early phases of system development. One of the approaches is to consider some notions related to CISs (e.g., value, risk, failure, security) from requirements analysis onward. However, a major limitation of current approaches is that they analyse the system ...
Bandung, Indonesia, 2007
Modeling and analyzing risk is one of the most critical activities in system engineering. Through this measure, an analyst ensures the security and dependability of a system. In the secure and dependable systems community, the security property is defined as confidentiality, integrity, and availability, while dependability is defined as reliability, availability, safety, integrity, and maintainability. These attributes can be achieved by controlling the risks that can affect the system. Risk management is a set of activities that consists of organizational ...
15th IEEE International Requirements Engineering Conference (RE 2007), 2007
2011 IEEE 13th Conference on Commerce and Enterprise Computing, 2011
Recently, there has been an increase in reported security threats hitting organizations. Some of them originate from the assignment to users of inappropriate permissions on sensitive organizational data. Thus it is crucial for organizations to recognize as early as possible the risks deriving from inappropriate access right management and to identify the solutions they need to prevent such risks. In this paper, we propose a framework to identify threats during the requirements analysis of organizations' IT systems. With respect to other works which have attempted to include security analysis in the requirements engineering process (e.g., KAOS, Elahi et al., Asnar et al.), our framework does not rely on the level of expertise of the security analyst to detect threats but allows threats that derive from inappropriate access management to be identified automatically. To capture the organization's setting and the system stakeholders' requirements, we adopt SI* [1], a requirements engineering framework founded on the concepts of actors, goals, tasks and resources. Our framework extends SI* with a reasoning technique that identifies potential security threats on resources and relevant goals. The reasoning is based on Answer Set Programming (ASP) logic rules that take into account the relationships between resources and the delegation-of-permission relations between actors. We illustrate the framework using an eHealth scenario.
Lecture Notes in Computer Science, 2011
The Governance, Risk, and Compliance (GRC) management process for Information Security is a necessity for any software system where important information is collected, processed, and used. To this extent, many standards for security management at the operational level exist (e.g. ITIL, the ISO27K family, etc.). What is often missing is a process to govern security at the organizational level. In this tutorial, we present a method to analyze and design security controls that captures the organizational setting of the system and in which business goals and processes are first-class citizens. The SI*-GRC method is a comprehensive method composed of 1) a modeling framework based on a requirements engineering framework, with some extensions related to security and GRC concerns, such as trust, permission, risk, and treatment, 2) an analysis process defining systematic steps for analyzing and designing security controls, 3) analytical techniques to verify that certain security properties are satisfied and the risk level is acceptable, and finally 4) a CASE tool, namely the SI* Tool, to support analysts in using the method. To illustrate the method, we use a running example on e-Health adapted from a real-life process in a partner hospital.
Lecture Notes in Computer Science
Autonomous agents and multi-agent systems have proved to be useful in several safety-critical applications. However, in current agent architectures (particularly BDI architectures) the deliberation process does not include any form of risk analysis. In this paper, we propose guidelines to implement Tropos Goal-Risk reasoning. Our proposal aims at introducing risk reasoning into the deliberation process of a BDI agent so that the overall set of possible plans is evaluated with respect to risk. When the level of risk turns out to be too high, agents can consider and introduce additional plans, called treatments, that produce an overall reduction of the risk. Side effects of treatments are also considered as part of the model. To make the discussion more concrete, we illustrate the proposal with a case study on an Unmanned Aerial Vehicle agent.
Lecture Notes in Computer Science
Recently, multi-agent systems have proved to be a suitable approach to the development of real-life information systems. In particular, they are used in the domain of safety-critical systems, where availability and reliability are crucial. For these systems, the ability to mitigate risk (e.g., failures, exceptional events) is very important. In this paper, we propose to incorporate risk concerns into the process of multi-agent system design and describe the process of exploring and evaluating design alternatives based on risk-related metrics. We illustrate the proposed approach using an Air Traffic Management case study.
Lecture Notes in Computer Science, 2008
Business Continuity Management (BCM) is a process to manage the risks, emergencies, and recovery plans of an organization during a crisis. It results in a document called the Business Continuity Plan (BCP) that specifies the methodology and procedures required to back up and recover the functional units of a disrupted business. Traditionally, BCP assessment is based only on the continuity of IS infrastructures and does not consider possible relations with the business objectives and business processes. This traditional approach assumes that the risk to business continuity results from the disruption of the IS infrastructures. However, we believe there are situations where the risk emerges even when the infrastructures are up and running. Moreover, the lack of a modeling framework and a supporting tool makes the process even harder. In this paper, we propose a framework to support the modeling and analysis of BCPs from the organizational perspective, where risks and treatments are modeled and analyzed along with strategic objectives and their realizations. An automated reasoner based on cost-benefit analysis techniques is proposed to elicit and then adopt the most cost-efficient plan. The approach is developed using the Tropos Goal-Risk Framework and the Time Dependency and Recovery Model as underlying frameworks. A Loan Originating Process case study is used as a running example to illustrate the proposal.
2010 International Conference on Availability, Reliability and Security, 2010
Most of the critical aspects of secure and dependable systems, such as safety, integrity, and availability, are related to uncertainty. The literature proposes many approaches to deal with uncertainty, mainly in the areas of risk management and safety and reliability engineering. However, what is still missing is a clear understanding of the nature of uncertainty, which has very often produced mistreatments in design. In this paper, we propose a conceptual model for uncertainty that can be used to deal with system qualities such as security and dependability. In particular, we consider the relation between uncertainty and risk and how risk affects the quality attributes of the system. We use a case study in Air Traffic Management to illustrate our approach.
2009 Second International Conference on Dependability, 2009
There are numerous metrics proposed to assess the security and dependability of technical systems (e.g., number of defects per thousand lines of code). Unfortunately, most of these metrics are too low-level and fail to capture the high-level system abstractions required for organisational analysis. Such analysis essentially enables the organisation to detect and eliminate possible threats by system re-organisation or re-configuration. In other words, it is necessary to assess the security and dependability of organisational structures alongside the implementations and architectures of systems. This paper focuses on metrics suitable for assessing the security and dependability aspects of a socio-technical system and supporting decision making in design processes. We also highlight how these metrics can help in making the system more effective in providing security and dependability by applying socio-technical solutions (i.e., organisational design patterns).
Proceedings of the 4th ACM workshop on Quality of protection - QoP '08, 2008
In recent years, IT systems have played a more and more fundamental role in human activities and, in particular, in critical activities such as the management of Air Traffic Control and Nuclear Power Plants. This has spurred several researchers to develop models, metrics, and methodologies for analyzing and measuring the security and dependability of critical systems. Their objective is to understand whether the risks affecting the system are acceptable or not. If risks are too high, analysts need to identify the treatments adequate to mitigate them. Existing proposals, however, fail to consider risks within multi-actor settings. Here, different actors participating in the system might have a different perception of risk and react accordingly. In this paper, we introduce the concept of perceived risk and discuss its differences from actual risk. We also investigate the concepts necessary to capture and analyze perceived risk.
Lecture Notes in Computer Science, 2011
Design Patterns constitute an effective way to model design knowledge for future reuse. There has been much research on topics such as object-oriented patterns, architectural styles, requirements patterns, security patterns, and more. Typically, such patterns are specified informally in natural language, and it is up to designers to determine whether a pattern is applicable to a problem at hand, and what solution that pattern offers. Of course, this activity does not scale well, either with respect to a growing pattern library or a growing problem. In this work, we propose to formalize such patterns in a formal modeling language, thereby automating pattern matching for a given problem. The patterns and the problem are formalized in a description logic. Our proposed framework is evaluated with a case study involving Security & Dependability patterns specified in Tropos SI*. The paper presents the formalization of all concepts in SI* and the modeling of problems using OWL-DL and SWRL. We then encode patterns as SPARQL and SQWRL queries. To evaluate the scalability of our approach, we present experimental results using models inspired by an industrial case study.
2017 International Conference on Data and Software Engineering (ICoDSE), 2017
Nowadays, most network is already protected by Intrusion Prevention System (IPS). But most of the... more Nowadays, most network is already protected by Intrusion Prevention System (IPS). But most of the IPS is using signature based detection techniques, whereas signature update tends to be difficult and time consuming because it requires expert knowledge in the making. Therefore, IPS signature based has a weakness in detecting latest attack. This paper present a signature-generating technique by using signature generator and honeypot. The signature generator used in this paper is Polygraph because has an advantage on detecting polymorphic worm. The honeypot used is Dionaea because the log can be converted into the forms required by Polygraph. This paper will discuss what steps are needed in transforming attack data from honeypot into a rule that can be used by IPS Snort.
This research is development a framework for detecting congestion on the urban road network. ATCS... more This research is development a framework for detecting congestion on the urban road network. ATCS (Area Traffic Control System) data in Bandung city with traffic volume are used in congestion detection process. Traffic flow data is collected by vehicles detector located at crossroads within 15 minutes. To compute spatial correlation, graph modelling are used in the adjacency matrix. Assuming the location of the detector as the vertices and the direction of the vehicle as the edge, the graph modeled with vehicle's detector location and the flow direction at nine locations on road nework. The adjacency matrix used consists of 3 matrices in each period of time, which describes the order of spatial distances traveled by vehicle at the intersection location. To calculate spatial correlation, the autocorrelation function and the cross-correlation function which are derived from Pearson's simple correlation is used to looking influence at each location on road network. The result o...
2016 IEEE Region 10 Symposium (TENSYMP), 2016
Congestion because of increasing demand of air transportation occurs at several airports in Indon... more Congestion because of increasing demand of air transportation occurs at several airports in Indonesia especially Soekarno-Hatta International Airport. In 2013, Soekarno-Hatta International Airport ranked 25th busiest airports in the world by Airports Council International. One of several ways to enlarge capacity of airports is to improve efficiency current infrastructure utilization with optimizing schedule. Three referred optimization models are model of Beasley et al. which optimizes runway utilization, Bertsimas and Stock Patterson's model which optimizes air space capacity allocation and Lulli and Odoni's model which are macroscopic model of Bertsimas and Stock Patterson's model. Unfortunately, Lulli and Odoni's model cannot studied further because of lack information about increasing convex function. The other models modified from integer program to constraint satisfaction optimization program (CSOP) so that the models are flexible to modify and the solution can be local optimum. Because of these advantages, rescheduling can be performed when there was little change in flight schedule. In addition, several constraints are added to modification of model of Beasley et al. such as flight continued constraint. Based on tests, modification of model of Beasley et al. success to reduce delays and modification of Bertsimas and Stock Patterson's model success to do a simulation.
2014 International Conference on Data and Software Engineering (ICODSE), 2014
Input Injections are considered as the most common and effective vulnerabilities to exploit in ma... more Input Injections are considered as the most common and effective vulnerabilities to exploit in many software systems (esp. web apps). In this paper, we propose a way to detect such vulnerabilities, such as SQL injection, command injection, and cross-site scripting. Input injection is caused by executing user inputs which have not been validated or sanitized, so that the purpose of execution is changed by malicious agents into their advantages. The input injection detector is done by extending an existing static analysis tool, namely FindBugs. The detection uses a dataflow analysis to monitor user-contaminated variables. To improve accuracy, reducing false positives and false negatives, dataflow analysis is used to monitor variables that have been validated or sanitized by developers. Our detector has only few false positives and false negatives based on our testing using our test cases and existing applications, i.e. WebGoat and ADempiere.
Recent trends in Software Engineering have introduced the importance of reconsidering the traditi... more Recent trends in Software Engineering have introduced the importance of reconsidering the traditional idea of software design as a socio-tecnical problem, where human agents are integral part of the system along with hardware and software components. Design and runtime support for Socio-Technical Systems (STSs) requires appropriate modeling techniques and non-traditional infrastructures. Agent-oriented software methodologies are natural solutions to the development of STSs, both humans and technical components are conceptualized and analyzed as part of the same system. In this paper, we illustrate a number of Tropos features that we believe fundamental to support the development and runtime reconfiguration of STSs. Particularly, we focus on two critical design issues: risk analysis and location variability. We show how they are integrated and used into a planning-based approach to support the designer in evaluating and choosing the best design alternative. Finally, we present a generic framework to develop self-reconfigurable STSs.
2016 International Conference on Data and Software Engineering (ICoDSE), 2016
As one of the most popular smartphone operating system nowadays, Android is used for various need... more As one of the most popular smartphone operating system nowadays, Android is used for various needs start from casual purpose such as games up to critical aims like banking. To avoid any access by impostor (unauthorized parties), the use of authentication system is a must. Android provides basic authentication system based on screen-lock using PIN, password, or pattern. However all those ways have several vulnerabilities, i.e: 1) leak or transfered key access, 2) only supports full binary authentication, and 3) no re-authentication nor revocation. This research aims at developing continuous behavioral authentication as a solution for those vulnerabilities. Our solution uses authentication score, not just a binary authentication. The score is constructed using fusion approach combining two modalities i.e. keystroke dynamics (typing behavior) and touch gesture (tap, swipe, and pinch behavior). Each of those authentication model is built using two-class machine learning classification. This authentication system is designed to run continuously on Android background, so it is possible to change authorization or make a revocation anytime needed. This proposed solution has been implemented as a prototype on a testing application. There are some tests have been held, first is modality experiment to find the best classifier each modality, second is continuous fusion authentication test, third is performance test. The result shows that our proposed fusion authentication get more accurate than if the modalities work respectively. Based on the continuous and live authentication testing on Android device, best fusion method is mean Olympic with a threshold 0.81 that makes the FAR and FRR equal in 0.26.
2014 International Conference on Data and Software Engineering (ICODSE), 2014
Android is considered as the leading platform on smartphone market. Thus, it becomes a prime targ... more Android is considered as the leading platform on smartphone market. Thus, it becomes a prime target by many security crooks and its security becomes at most concern. This research aims at assessing Android Security, especially the fact whether Android's folks are getting better or worse in delivering a secure platform? In this research, we use data extracted from National Vulnerability Database (NVD) to answer such question. Surprisingly, the study discovers that 83.3% of reported Android vulnerability is originated from third-party apps that runs on Android platform and not inherently from the Android platform itself. We also discover strong evidence that Android security is getting better based on the declining numbers of reported Android vulnerability and the reducing of Android vulnerability Time-to-Patch.
2014 IEEE 27th Conference on Software Engineering Education and Training (CSEE&T), 2014
In this paper, we present an overview on how to reshape the software engineering education in our undergraduate study program (i.e., curriculum program, software engineering curriculum package, and learning process) so that our graduates have sufficient skills to be the 2020 software engineers. We believe that the corner blocks to produce fine engineers are a good understanding of the following areas: basic fundamentals and principles of science and computing, methodology, techniques-tools-platform, capability to understand domain problems, communication and personal skills, and the attitude to be a good learner and self-disciplined. We translate these values into our undergraduate curriculum with the aim of producing general software engineers who are quick to master specific platforms/technologies and devices and to understand domain problems.
PhD, Universita Degli Studi Di Trento, 2009
Critical Information Systems (CISs) are a special class of information systems whose operation is critical for us because their failures might result in catastrophic effects (e.g., life loss, economic loss, environmental destruction). Many efforts have been put into improving the quality of CISs since the early phases of system development. One of the approaches is by considering some notions related to CIS (e.g., value, risk, failure, security) since requirement analysis. However, a major limitation of current approaches is that they analyse the system ...
Bandung, Indonesia, 2007
Abstract. Modeling and analyzing risk is one of the most critical activities in system engineering. Through this measure, an analyst ensures the security and dependability of a system. In the secure and dependable community, the security property is defined as confidentiality, integrity, and availability, while dependability is defined as reliability, availability, safety, integrity, and maintainability. These attributes can be achieved by means of controlling the risks that can affect the system. Risk management is a set of activities that consists of organizational ...
15th IEEE International Requirements Engineering Conference (RE 2007), 2007
2011 IEEE 13th Conference on Commerce and Enterprise Computing, 2011
Recently, there has been an increase in reported security threats hitting organizations. Some of them originate from the assignment to users of inappropriate permissions on organizational sensitive data. Thus it is crucial for organizations to recognize as early as possible the risks deriving from inappropriate access right management and to identify the solutions that they need to prevent such risks. In this paper, we propose a framework to identify threats during the requirements analysis of organizations' IT systems. With respect to other works which have attempted to include security analysis in the requirements engineering process (e.g., KAOS, Elahi et al., Asnar et al.), our framework does not rely on the level of expertise of the security analyst to detect threats but allows automatically identifying threats that derive from inappropriate access management. To capture the organization's setting and the system stakeholders' requirements, we adopt SI* [1], a requirements engineering framework founded on the concepts of actors, goals, tasks and resources. This framework extends SI* with a reasoning technique that identifies potential security threats on resources and relevant goals. The reasoning is based on Answer Set Programming (ASP) logic rules that take into account the relationships between resources and the delegation of permission relations between actors. We illustrate this framework using an eHealth scenario.
Lecture Notes in Computer Science, 2011
The Governance, Risk, and Compliance (GRC) management process for Information Security is a necessity for any software system where important information is collected, processed, and used. To this extent, many standards for security management at the operational level exist (e.g. ITIL, the ISO27K family, etc.). What is often missing is a process to govern security at the organizational level. In this tutorial, we present a method to analyze and design security controls that capture the organizational setting of the system and where business goals and processes are the main citizens. The SI*-GRC method is a comprehensive method that is composed of 1) a modeling framework based on a requirements engineering framework, with some extensions related to security & GRC concerns, such as trust, permission, risk, and treatment, 2) an analysis process defining systematic steps in analyzing and designing security controls, 3) analytical techniques to verify that certain security properties are satisfied and the risk level is acceptable, and finally 4) a CASE tool, namely the SI* Tool, to support analysts in using the method. To illustrate this method, we use a running example on e-Health adapted from a real-life process in a hospital partner.
1 The Regional Directive n. 5743-31.10.2007 provides indications to optimize and improve the process design about prescription/dispensation/accounting of File F drugs, and the Regional Directive VIII/1375-14.12.2005 stresses the priority to implement actions towards the verification of the appropriateness of the use of File F drugs.
2 To have an idea, without mentioning privacy requirements, the File F mechanism was instituted by the regional circular 17/SAN 3.4.1997, and successively has been emended by the Circu
Lecture Notes in Computer Science
Autonomous agents and multi-agent systems have proved to be useful in several safety-critical applications. However, in current agent architectures (particularly BDI architectures) the deliberation process does not include any form of risk analysis. In this paper, we propose guidelines to implement Tropos Goal-Risk reasoning. Our proposal aims at introducing risk reasoning into the deliberation process of a BDI agent so that the overall set of possible plans is evaluated with respect to risk. When the level of risk is too high, agents can consider and introduce additional plans, called treatments, that produce an overall reduction of the risk. Side effects of treatments are also considered as part of the model. To make the discussion more concrete, we illustrate the proposal with a case study on the Unmanned Aerial Vehicle agent.
Lecture Notes in Computer Science
Recently, multi-agent systems have proved to be a suitable approach to the development of real-life information systems. In particular, they are used in the domain of safety-critical systems where availability and reliability are crucial. For these systems, the ability to mitigate risk (e.g., failures, exceptional events) is very important. In this paper, we propose to incorporate risk concerns into the process of multi-agent system design and describe the process of exploring and evaluating design alternatives based on risk-related metrics. We illustrate the proposed approach using an Air Traffic Management case study.
Lecture Notes in Computer Science, 2008
Business Continuity Management (BCM) is a process to manage risks, emergencies, and recovery plans of an organization during a crisis. It results in a document called the Business Continuity Plan (BCP) that specifies the methodology and procedures required to back up and recover the functional units of a disrupted business. Traditionally, the BCP assessment is based only on the continuity of IS infrastructures and does not consider possible relations with the business objectives and business processes. This traditional approach assumes that the risk to business continuity results from the disruption of the IS infrastructures. However, we believe there are situations where the risk emerges even with the infrastructures up and running. Moreover, the lack of a modeling framework and an aided tool makes the process even harder. In this paper, we propose a framework to support modeling and analysis of BCP from the organization perspective, where risks and treatments are modeled and analyzed along strategic objectives and their realizations. An automated reasoner based on cost-benefit analysis techniques is proposed to elicit and then adopt the most cost-efficient plan. The approach is developed using the Tropos Goal-Risk Framework and the Time Dependency and Recovery Model as underlying frameworks. A Loan Originating Process case study is used as a running example to illustrate the proposal.
2010 International Conference on Availability, Reliability and Security, 2010
Most of the critical aspects for secure and dependable systems, such as safety, integrity, and availability, are related to uncertainty. The literature proposes many approaches to deal with uncertainty, mainly in the area of risk management and safety & reliability engineering. However, what is still missing is a clear understanding of the nature of uncertainty, which very often has produced mistreatments in the design. In this paper, we propose a conceptual model for uncertainty that can be used to deal with systems' qualities such as security and dependability. Particularly, we will consider the relation between uncertainty and risk and how risk affects quality attributes of the system. We use a case study in Air Traffic Management to illustrate our approach.
II. SECURITY AND DEPENDABILITY: BASIC CONCEPTS In this section, we clarify our understanding of security and dependability as quality attributes, starting from two US-DoD standards: the Orange Book [11] and Failure Modes, Effects and Criticality Analysis (FMECA) [12], which are considered referential works for the S&D engineering community. A. Quality Attributes In Fig. 1, we propose a taxonomy for security and dependability as quality attributes. It is mainly based on the work
2009 Second International Conference on Dependability, 2009
There are numerous metrics proposed to assess the security and dependability of technical systems (e.g., number of defects per thousand lines of code). Unfortunately, most of these metrics are too low-level and fail to capture the high-level system abstractions required for organisation analysis. The analysis essentially enables the organisation to detect and eliminate possible threats by system re-organisations or re-configurations. In other words, it is necessary to assess the security and dependability of organisational structures next to the implementations and architectures of systems. This paper focuses on metrics suitable for assessing security and dependability aspects of a socio-technical system and supporting decision making in design processes. We also highlight how these metrics can help in making the system more effective in providing security and dependability by applying socio-technical solutions (i.e., organisation design patterns).
Proceedings of the 4th ACM workshop on Quality of protection - QoP '08, 2008
In recent years, IT systems have played a more and more fundamental role in human activities and, in particular, in critical activities such as the management of Air Traffic Control and Nuclear Power Plants. This has spurred several researchers to develop models, metrics, and methodologies for analyzing and measuring the security and dependability of critical systems. Their objective is to understand whether the risks affecting the system are acceptable or not. If risks are too high, analysts need to identify the treatments adequate to mitigate them. Existing proposals, however, fail to consider risks within multi-actor settings. Here, different actors participating in the system might have a different perception of risk and react accordingly. In this paper, we introduce the concept of perceived risk and discuss its differences from actual risk. We also investigate the concepts necessary to capture and analyze perceived risk.
Lecture Notes in Computer Science, 2011
Design Patterns constitute an effective way to model design knowledge for future reuse. There has been much research on topics such as object-oriented patterns, architectural styles, requirements patterns, security patterns, and more. Typically, such patterns are specified informally in natural language, and it is up to designers to determine if a pattern is applicable to a problem-at-hand, and what solution that pattern offers. Of course, this activity does not scale well, either with respect to a growing pattern library or a growing problem. In this work, we propose to formalize such patterns in a formal modeling language, thereby automating pattern matching for a given problem. The patterns and the problem are formalized in a description logic. Our proposed framework is evaluated with a case study involving Security & Dependability patterns specified in Tropos SI*. The paper presents the formalization of all concepts in SI* and the modeling of problems using OWL-DL and SWRL. We then encode patterns as SPARQL and SQWRL queries. To evaluate the scalability of our approach, we present experimental results using models inspired by an industrial case study.