Security Metrics Research Articles

Zipf’s Law in Passwords

Despite three decades of intensive research efforts, it remains an open question as to what is the underlying distribution of user-generated passwords. In this paper, we make a substantial step forward toward understanding this foundational question. By introducing a number of computational statistical techniques and based on 14 large-scale data sets, which consist of 113.3 million real-world passwords, we, for the first time, propose two Zipf-like models (i.e., PDF-Zipf and CDF-Zipf) to characterize the distribution of passwords. More specifically, our PDF-Zipf model can well fit the popular passwords and obtain a coefficient of determination larger than 0.97; our CDF-Zipf model can well fit the entire password data set, with the maximum cumulative distribution function (CDF) deviation between the empirical distribution and the fitted theoretical model being 0.49%~4.59% (on an average 1.85%). With the concrete knowledge of password distributions, we suggest a new metric for measuring the strength of password data sets. Extensive experimental results show the effectiveness and general applicability of the proposed Zipf-like models and security metric.

Management of information protection based on the integrated implementation of decision support systems

We developed the method and the model for managing protection of objects of informatization, based on the integrated implementation of decision support systems for the tasks on cybersecurity. The proposed solutions differ from the existing ones by the possibility to automate the procedure of generating variants for controlling actions using the decision support system, designed as a web application. The described model for the coordination of experts' opinions is based on the Delphi method. The approach proposed makes it possible to coordinate expert opinions, including to take into account different interval estimates of the degree of protection and information security metrics of the objects of informatization. Results are presented of testing under actual conditions at the enterprises of Ukraine the software complex Decision support system for managing cyber security of an enterprise ‒ DMSSCSE. The DSS is adapted for the on-line work of experts. It was established that the DSS DMSSCSE makes it possible to improve effectiveness of the applied organizational and technical measures to protect objects of informatization. The proposed solutions enabled bringing down the cost of organizing comprehensive information protection systems by 12−15 % compared to the existing methods

Enterprise Architecture Security Assessment Framework (EASAF)

Many existing studies have shown that the causes of most of system attacks are not related to coding vulnerabilities that apply to individual systems, issues related to the run-time environment, or the technology in place. In fact, they are caused by issues associated with how systems within organizations are structured. Therefore, it is necessary to examine security with regard to all components that influence the organization’s systems, including data, processes and even employees. The most promising approach to achieving this goal is Enterprise Architecture (EA). The main goal of this project is to develop a framework based on the concepts of well-established EA frameworks such as TOGAF and Zachman and their compositional layers (e.g., application, information and process). This framework will be combined with a data flow analysis of the principles that trace the potential information flow between high- and low-security enterprise components. Therefore, this paper studies various enterprise architecture frameworks and shows how to develop an enterprise architecture framework that considers the organization’s information security from the perspective of information flow. This framework will have various layers, each with a set of security metrics that quantify the organization’s relative security based on the specifications of that layer. The defined framework will be capable of defining Enterprise Architecture security-related principles and metrics. These principles and metrics will eventually be used to define how to develop secure enterprise systems based on the enterprise architecture with regard to security-critical information flow within any given organization. The defined framework will also be capable of providing guidance for information security architects by recognizing certain parts of the organization that are less secure than others.

Sustainability, robustness, and resilience metrics for water and other infrastructure systems

Metrics representing water resources security (Sustainability, Robustness, Resilience – SRR) were adopted from reliability engineering to quantify stress on water systems in both the demand and supply sectors. The metrics were calculated for Prescott Valley, AZ and a hypothetical water system to illustrate a method of application, the breadth of situations in which they are useful and their response to water management and system design decisions. The sensitivities of the proposed metrics to (i) variation in supply and demand functions, (ii) surface reservoir storage capacity, and (iii) reclaimed water use were investigated. Strengths and weaknesses of the proposed metrics are discussed. The water security metrics can contribute to the multi-objective evaluation of water resources planning alternatives. The fundamental nature of these metrics taken from broadly applicable field of reliability engineering suggests that they can be generally applied to single and joint infrastructure SRR assessment, planning, and design.

SAIRF: A similarity approach for attack intention recognition using fuzzy min-max neural network

Sensitive information can be exposed to critical risks when communicated through computer networks. The ability of cybercriminals to hide their intention to attack obstructs existing protection systems causing the system to be unable to prevent any possible sabotage in network systems. In this paper, we propose a Similarity approach for Attack Intention Recognition using Fuzzy Min-Max Neural Network (SAIRF). In particular, the proposed SAIRF approach aims to recognize attack intention in real time. This approach classifies attacks according to their characteristics and uses similar metric method to identify motives of attacks and predict their intentions. In this study, network attack intentions are categorized into specific and general intentions. General intentions are recognized by investigating violations against the security metrics of confidentiality, integrity, availability, and authenticity. Specific intentions are recognized by investigating the network attacks used to achieve a violation. The obtained results demonstrate the capability of the proposed approach to investigate similarity of network attack evidence and recognize the intentions of the attack being investigated.

The Hungry Cities Food Purchases Matrix: Household Food Sourcing and Food System Interaction

Urban food insecurity is partly the result of interactions between households and the broader food system. There is considerable discussion and debate on the most appropriate measures of household food insecurity but very little on how to quantify interactions between households and the system. One priority is to develop food security metrics that incorporate household interactions with the food retail environment. The Hungry Cities Food Purchases Matrix (HCFPM) is one such metric developed for relating household food sourcing behaviour to that environment. The matrix has been successfully used by the Hungry Cities Partnership to shed light on food sourcing and food system interactions in a number of cities in the Global South. Using Maputo as a case study, this paper discusses the objectives, structure and potential of the HCFPM for African cities and illustrates how in can provide important insights into household-food system interactions. The HCFPM therefore opens up a new way of understanding household purchasing behaviour and associated food insecurity.

Significance of Security Metrics in Secure Software Development

Significance of Security Metrics in Secure Software Development

A Priori knowledge based secure payload estimation

Many contemporary steganographic schemes aim to embed fixed-length secret message in the cover while minimizing the stego distortion. However, in some cases, the secret message sender requires to embed a variable-length secret payload within his expected stego security. This kind of problem is named as secure payload estimation (SPE). In this paper, we propose a practical SPE approach for individual cover. The stego security metric we adopt here is the detection error rate of steganalyzer (P E ). Our method is based on a priori knowledge functions, which are two kinds of functions to be determined before the estimation. The first function is the relation function of detection error rate and stego distortion (P E − D function). The second function reflects the relationship between stego distortion and payload rate (D − α) of the chosen cover. The P E − D is the general knowledge, which is calculated from image library. On the other hand, D − α is for specific cover, which is needed to be determined on site. The estimating procedure is as follows: firstly, the sender solves the distortion D under his expected P E via P E − D, and then calculates the corresponding secure payload α via D − α of the cover. For on-site operations, the most time-consuming part is calculating D − α function for cover image, which costs 1 time of STC coding. Besides this, the rest on-site operations are solving single-variable formulas, which can be easily tackled. Our approach is an efficient and practical solution for SPE problem.

Location Privacy Preservation in Database-Driven Wireless Cognitive Networks Through Encrypted Probabilistic Data Structures

In this paper, we propose new location privacy preserving schemes for database-driven cognitive radio networks that protect secondary users' (SUs) location privacy while allowing them to learn spectrum availability in their vicinity. Our schemes harness probabilistic set membership data structures to exploit the structured nature of spectrum databases (DBs) and SUs' queries. This enables us to create a compact representation of DB that could be queried by SUs without having to share their location with DB, thus guaranteeing their location privacy. Our proposed schemes offer different cost-performance characteristics. Our first scheme relies on a simple yet powerful two-party protocol that achieves unconditional security with a plausible communication overhead by making DB send a compacted version of its content to SU which needs only to query this data structure to learn spectrum availability. Our second scheme achieves significantly lower communication and computation overhead for SUs, but requires an additional architectural entity which receives the compacted version of the database and fetches the spectrum availability information in lieu of SUs to alleviate the overhead on the latter. We show that our schemes are secure, and also demonstrate that they offer significant advantages over existing alternatives for various performance and/or security metrics.

Comparative analysis and patch optimization using the cyber security analytics framework

Dependable metrics are one of the critical elements of an organization’s information security program and are crucial for its long-term success. Current research in the area of enterprise security metrics provides limited insight on understanding the impact that attacks have on the overall security goals of an enterprise as well as predicting the future security state of the network. In this paper we present a novel security analytics framework that takes into account both the inter-relationship between different vulnerabilities and the temporal features that evolve over time, such as the vulnerability discovery rate and the lifecycle events. We then formally define a non-homogenous stochastic model that incorporates time dependent covariates, namely the vulnerability age and the vulnerability discovery rate, to help visualize the future security state of the network leading to actionable knowledge and insight. We will perform a comparative analysis and also describe the patch optimization methodology by applying this model on a sample network to demonstrate the practicality of our approach.

A Phase Wise Review of Software Security Metrics

A Phase Wise Review of Software Security Metrics

Privacy-preserving evaluation techniques and their application in genetic tests

Abstract We discuss several protocols that apply secure multiparty computation to privacy preserving genetic testing. We categorize methods into those using oblivious finite automata, additive homomorphic encryption, garbled circuits, and private set intersection. Through comparison of performance and security metrics, we aim to make recommendations for efficient and secure multiparty computation protocols for various genetic tests including edit distance, disease susceptibility, identity/paternity/common ancestry testing, medicine and treatment efficacy for personalized medicine, and genetic compatibility.

Progress in household water insecurity metrics: a cross‐disciplinary approach

Despite the central importance of water for human wellbeing and development, researchers and practitioners have few tools to quantitatively measure, assess, and compare the scope and scale of household and individual water insecurity across cultural and climatic variations. There are multiple definitions of water insecurity, and the analytical tools for measuring household‐level water insecurity are in their infancy. This paper provides an overview and systematic evaluation of current household and individual water in security metrics for human development. We seek to advance micro‐level metrics—attending to the considerations of dimensionality, temporality, unit of analysis, and comparability—because they will provide the research community with necessary tools to untangle the complex determinants and outcomes of water insecurity. Moreover, such metrics will support the translation of research outcomes into meaningful and useful products and results for stakeholders, communities, and decision‐makers.WIREs Water2017, 4:e1214. doi: 10.1002/wat2.1214This article is categorized under:Human Water > Methods

Waterfilling: Balancing the Tor network with maximum diversity

Abstract We present the Waterfilling circuit selection method, which we designed in order to mitigate the risks of a successful end-to-end traffic correlation attack. Waterfilling proceeds by balancing the Tor network load as evenly as possible on endpoints of user paths. We simulate the use of Waterfilling thanks to the TorPS and Shadow tools. Applying several security metrics, we show that the adoption of Waterfilling considerably increases the number of nodes that an adversary needs to control in order to be able to mount a successful attack, while somewhat decreasing the minimum amount of bandwidth required to do so. Moreover, we evaluate Waterfilling in Shadow and show that it does not impact significantly the performance of the network. Furthermore, Waterfilling reduces the benefits that an attacker could obtain by hacking into a top bandwidth Tor relay, hence limiting the risks raised by such relays. Waterfilling does not require any major change in Tor, and can co-exist with the current circuit selection algorithm.

Using Analytical Hierarchy and Analytical Network Processes to Create Cyber Security Metrics

Using Analytical Hierarchy and Analytical Network Processes to Create Cyber Security Metrics

Measuring energy security performance within China: Toward an inter-provincial prospective

China has been the world's largest energy consumer and producer for many years, yet while myriad studies have investigated Chinese performance on energy metrics compared to other countries, few to none have looked internally at Chinese provinces. This paper firstly develops a five-dimensional evaluation system centered on the energy security dimensions of availability and diversity, affordability and equality, technology and efficiency, environmental sustainability, and governance and innovation. It then correlates these dimensions to 20 distinct energy security metrics that are used to assess the energy security performance of 30 Chinese provinces, divided into eight regions. Our results reveal both trends in energy policy and practice as well as provincial status of comparative energy security for the year 2013. We find, for instance, that there is no province which performs well in all five of the energy security dimensions, and that all provinces confronted threats related to energy availability and diversity. We also demonstrate that in comparative terms, the Middle Reaches of Yellow River and the Northwest were the most energy-secure, while the Middle Reaches of Yangtze River and the Northeast were least energy-secure.

Selection of countermeasures against network attacks based on dynamical calculation of security metrics

This paper considers the issue of countermeasure selection for ongoing computer network attacks. We outline several challenges that should be overcome for the efficient response: the uncertainty of an attacker behavior, the complexity of interconnections between the resources of the modern distributed systems, the huge set of security data, time limitations, and balancing between countermeasure costs and attack losses. Although there are many works that are focused on the particular challenges, we suppose that there is still a need for an integrated solution that takes into account all of these issues. We suggest a model-driven approach to the security assessment and countermeasure selection in the computer networks that takes into account characteristics of different objects of assessment. The approach is based on integration with security information and event management systems to consider the dynamics of attack development, taking into account security event processing. Open standards and databases are used to automate security data processing. The suggested technique for countermeasure selection is based on the countermeasure model that was defined on the basis of open standards, the family of interrelated security metrics, and the security analysis technique based on attack graphs and service dependencies. We describe the prototype of the developed system and validate it on several case studies.

The 5th International Conference on Science & Engineering in Mathematics, Chemistry and Physics 2017 (ScieTech 2017), The Ramada Bintang Hotel, Kuta, Bali, Indonesia 21 - 22 January 2017

The 5th International Conference on Science & Engineering in Mathematics, Chemistry and Physics 2017 (ScieTech 2017), The Ramada Bintang Hotel, Kuta, Bali, Indonesia 21 - 22 January 2017

A framework for automating security analysis of the internet of things

The Internet of Things (IoT) is enabling innovative applications in various domains. Due to its heterogeneous and wide-scale structure, it introduces many new security issues. To address this problem, we propose a framework for modeling and assessing the security of the IoT and provide a formal definition of the framework. Generally, the framework consists of five phases: (1) data processing, (2) security model generation, (3) security visualization, (4) security analysis, and (5) model updates. Using the framework, we can find potential attack scenarios in the IoT, analyze the security of the IoT through well-defined security metrics, and assess the effectiveness of different defense strategies. The framework is evaluated via three scenarios, which are the smart home, wearable healthcare monitoring and environment monitoring scenarios. We use the analysis results to show the capabilities of the proposed framework for finding potential attack paths and mitigating the impact of attacks.

The A Priori Knowledge Based Secure Payload Estimation for Additive Model

In this paper, we propose a practical method to estimate the payload rate for individual cover before stego embedding. The proposed method is adopted to the additive distortion model. The a priori knowledge functions employed in the method contains the relation function of steganalyzer's detection error and stego distortion (PE– D), and the relation function of payload rate and distortion(D–α) of the given cover. As it is not suitable to measure the stego security with stego distortion, we adopt PE as the security metric. With the sender's expected PE, the role of PE– D function is to calculate the corresponding D, and then sender can solve out his expectedα with D–α function for the cover. The PE – D function is acquired before estimating phase. During the estimating, the most time-consuming part is calculating the D–α function for the cover, which costs 1 time of stego embedding. Our method is an efficient solution for estimating the secure payload rate.