Stephen Wolthusen
Fraunhofer-Institut für Graphische Datenverarbeitung IGD
(2011)
Publications
Reidt, Steffen; Ebinger, Peter; Kuijper, Arjan; Wolthusen, Stephen
Resource-Constrained Signal Propagation Modeling for Tactical Mobile Ad Hoc Networks
IEEE Computer Society: Proceedings of the 2011 IEEE 1st International Network Science Workshop : NSW 2011. Printing House, 2011, pp. 67-74
IEEE International Network Science Workshop (NSW) <1, 2011, West Point, NY, USA>
Connectivity and security of tactical mobile ad hoc networks (MANETs) can be enhanced significantly by explicit consideration of radio propagation as this not only allows determination of route feasibility and minimization of radio frequency power, but also avoids detectability of emanations. Tactical MANETs (and increasingly general MANETs) typically have geolocation and terrain information available, however as they are likely to be deployed in urban, broken, or indoor environments, simple Free Space or Two-Ray Ground models are not adequate. Although highly accurate radio propagation models exist, they require considerable computational resources and are hence unsuitable for incorporation into real-time protocols, particularly on resource-constrained platforms such as MANET nodes. We therefore propose a simplified, scalable ray-optical radio frequency propagation model that incorporates a Two-Ray Ground model and takes reflections and deflections on terrain features into account. Although our proposed model does not incorporate a comprehensive model of all physical effects, we argue that the approximation provided by our model is sufficient and suitable for the purposes of enhancing network performance and accuracy in the frequency range currently used by wireless networks. The model was incorporated in the NS-2 simulator and validated both using simulation and experimentally.
Ebinger, Peter; Wolthusen, Stephen
Efficient State Estimation and Byzantine Behavior Identification in Tactical MANETs
IEEE Military Communications Conference. Milcom 2009. Piscataway, NJ: IEEE, 2009, 7 p.
IEEE Military Communications Conference (MILCOM) <28, 2009, Boston, USA>
Limited capabilities and mission requirements imply that nodes in Tactical Mobile Ad-hoc NETworks (MANETs) carry a significant risk of being compromised physically or logically. In addition nodes or groups of nodes may defect, which is a particular concern in coalition environments where networks may spread beyond organizational boundaries.
To identify defecting or compromised nodes including Byzantine behavior we propose a clustered intrusion detection architecture. Our architecture exploits multisensor data and supplementary information to identify defectors based on deviations from predicted values and correlated measurements and behavior. Furthermore multi-hop communication complexity is minimized to ensure robustness in environments with limited connectivity and frequent network partitioning. We show that our approach improves accuracy over naive Markov Chain and Kullback-Leibler divergence by boosting the number of particles, where probability density functions are highly nonlinear but partially known and can be determined using predictive importance sampling.
Zhou, Xuebing; Wolthusen, Stephen; Busch, Christoph; Kuijper, Arjan
A Security Analysis of Biometric Template Protection Schemes
Mohamed, Kamel (Ed.) et al.: Image Analysis and Recognition : 6th International Conference, ICIAR 2009. Berlin; Heidelberg; New York: Springer, 2009. (Lecture Notes in Computer Science (LNCS) 5627)
International Conference on Image Analysis and Recognition (ICIAR) <6, 2009, Halifax, Canada>
Biometric features provide considerable usability benefits. At the same time, the inability to revoke templates and likelihood of adversaries being able to capture features raise security concerns. Recently, several template protection mechanisms have been proposed, which provide a one-way mapping of templates onto multiple pseudo-identities.
While these proposed schemes make assumptions common for cryptographic algorithms, the entropy of the template data to be protected is considerably lower per bit of key material used than assumed owing to correlations arising from the biometric features.
We review several template protection schemes and existing attacks followed by a correlation analysis for a selected biometric feature set and demonstrate that these correlations leave the stream cipher mechanism employed vulnerable to, among others, known plaintext-type attacks.
Zhou, Xuebing; Wolthusen, Stephen; Busch, Christoph; Kuijper, Arjan
Feature Correlation Attack on Biometric Privacy Protection Schemes
Pan, Jeng-Shyang (Ed.) et al.: Fifth International Conference on Intelligent Information Hiding and Multimedia Signal Processing. Proceedings : IIH-MSP 2009. New York: IEEE, Inc., 2009, pp. 1061-1065
International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP) <5, 2009, Kyoto, Japan>
Privacy protection techniques are an important supplement to biometric systems. Their main purpose is to prevent security leakages in common biometric systems and to preserve the user's privacy. However, when cryptographic functions are used in the algorithms, randomness of biometric features is strictly required from the security point of view. This randomness is hard to achieve in many feature extraction algorithms, especially for those using the local information of biometric modality.
In this paper we discuss privacy protection based on a fuzzy extractor. We show that the security of the algorithm is strongly reduced when statistical properties of biometric features as well as the details of the algorithm are known. An attack exploiting feature correlation is demonstrated.
Gonzalez, Yuridia; Encarnação, José L.; Wolthusen, Stephen
Selected Quality Metrics for Digital Passport Photographs
ISBN: 9783832519650
This thesis deals with the development of metrics for the automated determination of the quality and grade of acceptance of digital passport photographs without having any reference image available. Different kinds of algorithms were implemented to determine values for image attributes and to detect the face features.
No priority for the evaluation of attributes was given in the documents of the international standards. For that reason an international online and on-site survey was developed to explore the opinion of user experts whose work is related to passport photographs.
Three different metrics, expressed by the Photograph/Image and Biometric Attributes Quality Indexes (PAQI, IAQI, BAQI) have been developed to obtain reference values for the quality determination of a passport photograph.
Another metric developed is called "Non-Conformance Quality Index" which is based on the representation of the quality information in the minimum unit of information storage: the byte. The nonconformance of a quality attribute is stored in a bit. For a digital passport photograph the representation of the quality attributes is defined by four bytes. Every byte has eight bits and every bit represents an attribute.
Reidt, Steffen; Wolthusen, Stephen
Efficient Distribution of Trust Authority Functions in Tactical Networks
IEEE Computer Society: Proceedings of the Eighth Annual IEEE Systems, Man and Cybernetics Information Assurance Workshop : IAW 2007. New York: IEEE Press, 2007, pp. 84-91
Annual IEEE SMC Information Assurance Workshop (IAW) <8, 2007, West Point, NY, USA>
In this paper we describe an algorithm for the distribution of trust authority functions such as key generation and distribution in tactical mobile ad hoc networks. Such networks cannot rely on existing infrastructures and must operate under severe resource constraints. Moreover, network partitioning and node failure, including Byzantine failures must be compensated in tactical networks. We propose the combination of metrics on both network state and beliefs or trust in other nodes to form a composite metric for use in a clustering algorithm. The effectiveness and other characteristics of this improved clustering algorithm are then evaluated and analyzed in a simulation environment, demonstrating a significant improvement over the baseline clustering algorithm.
Reidt, Steffen; Wolthusen, Stephen
An Evaluation of Cluster Head TA Distribution Mechanisms in Tactical MANET Environments
US Army Research Laboratory: Annual Conference of ITA : ACITA [online]. [cited 23 November 2007] Available from: http://www.usukita.org/?q=node/13 2007, 8 p.
Annual Conference of ITA (ACITA) <1, 2007, Maryland, USA>
Trust authority (TA) services are both important infrastructure services for layered protocols requiring the availability of an identification and authentication mechanism such as access control mechanisms and confidentiality services, and can also be viewed as exemplars for the secure and efficient distribution of computations in general. While such general problems have been studied extensively, tactical MANET environments impose a number of requirements and constraints such as RF range and cost, battery limitations, and computational capabilities which call for more specific approaches. In this paper we report the analysis of algorithms for TA service distribution based on cluster head algorithms and improvements on the basic algorithms based on the specific requirements as identified in the course of simulations of tactical scenarios and realizing appreciable increases in efficiency over the general case in the process.
Reidt, Steffen; Wolthusen, Stephen
Efficient Trust Authority Distribution in Tactical MANET Environments
IEEE Military Communications Conference. Milcom 2007 : Interoperability: Policy to Performance. Piscataway, NJ: IEEE, 2007, 7 p.
IEEE Military Communications Conference (MILCOM) <26, 2007, Orlando, FL, USA>
Determining the efficiency of protocols in MANET environments depends heavily on accurate characterization of the operating environment, particularly of message complexity. In this paper we therefore describe an extensible group mobility model intended to capture platoon-level light infantry operations, characterized by a hierarchical set of evolutions. Movement in this model is further constrained by a terrain model reported in previous work, allowing for a more precise modeling and simulation of algorithms on tactical networks. We subsequently describe a mechanism for disseminating key revocation information across a distributed trust authority (TA) in which nodes may be compromised or exhibit Byzantine failure. We propose and evaluate key revocation mechanisms to optimize the requirements of fast revocation propagation, complete coverage, and low message complexity in the previously described modeling and simulation environment.
Svendsen, Nils Kalstad; Wolthusen, Stephen
Connectivity Models of Interdependency in Mixed-type Critical Infrastructure Networks
Information Security Technical Report, Vol.12 (2007), 1, pp. 44-55
Determining interdependencies and cascading failure modes in critical infrastructures is a complex problem that is exacerbated further by the diverging characteristics of the interconnected infrastructure types. Services in some types of infrastructure such as telecommunications or the electric grid are provided and consumed instantly. Others, notably oil and gas but also other infrastructures built on physical resources, however, exhibit buffering characteristics. In this paper we describe a model for the abstract representation of both types of infrastructure networks and their interdependencies. The model is then validated and demonstrated using characteristic topologies and interconnections.
Svendsen, Nils Kalstad; Wolthusen, Stephen
Analysis and Statistical Properties of Critical Infrastructure Interdependency Multiflow Models
IEEE Computer Society: Proceedings of the Eighth Annual IEEE Systems, Man and Cybernetics Information Assurance Workshop : IAW 2007. New York: IEEE Press, 2007, pp. 247-254
Annual IEEE SMC Information Assurance Workshop (IAW) <8, 2007, West Point, NY, USA>
Critical infrastructures such as the electric grid, oil and gas pipelines, telecommunications, and financial services are characterized by direct and transitive interdependencies which, owing to their complexity and the scale at which these occur, are not readily visible. Moreover, vulnerabilities in elements of the infrastructure can lead to cascading and cyclical failures only after some delay or as a result of feedback cycles in the infrastructure. In this paper we therefore describe several statistical and algorithmic approaches for the analysis of infrastructure interdependencies which can take into account not only abstract interdependencies but also selected properties of infrastructure types such as buffering of resources. Based on a multigraph model we analyze the interactions of random failures and targeted attacks and use graph statistics to identify critical components in infrastructure topologies, thereby providing a mechanism for the development of more robust infrastructures and more effective allocation of defensive capabilities for existing critical infrastructure.
Svendsen, Nils Kalstad; Wolthusen, Stephen
Multigraph Dependency Models for Heterogeneous Infrastructures
Goetz, Eric (Ed.) et al.: Critical Infrastructure Protection. Berlin, Heidelberg, New York: Springer, 2007. (IFIP International Federation for Information Processing 253), pp. 337-350
Annual IFIP WG 11.10 International Conference <1, 2007, Hanover, NH, USA>
The identification and mitigation of interdependencies among critical infrastructure elements such as telecommunication, energy, and transportation are important steps of any critical infrastructure protection strategy and are applicable both in preventive and operative settings. In this paper we present a graph-theoretical model and framework for the analysis of such dependencies based on a multigraph approach and present selected algorithms for the automatic identification of critical dependencies. These algorithms are then applied to dependency structures which simulate the scale-free structures commonly found in many infrastructure networks as well as to networks augmented by random graphs.
Svendsen, Nils Kalstad; Wolthusen, Stephen
Graph Models of Critical Infrastructure Interdependencies
Bandara, Arosha K. (Ed.) et al.: Inter-Domain Management: First International Conference on Autonomous Infrastructure, Management and Security. Proceedings : AIMS 2007. Berlin, Heidelberg, New York: Springer, 2007. (Lecture Notes in Computer Science (LNCS) 4543), pp. 208-211
International Conference on Autonomous Infrastructure, Management and Security (AIMS) <1, 2007, Oslo, Norway>
Critical infrastructures are interconnected on multiple levels, and due to their size, models with acceptable computational complexity and adequate modeling capacities must be developed. This paper presents the skeleton of a graph based model and sketches its capabilities.
Wolthusen, Stephen
Vertrauenswürdige Protokollierung: Protokollierung mittels nicht-deterministischer nebenläufiger wechselseitiger Überwachung
Datenschutz & Datensicherheit, Vol.31 (2007), 10, pp. 740-743
Focus topic
The establishment of multi-core processors as standard equipment in desktop workstations makes it possible to develop new methods for the mutual concurrent monitoring of logging instances as well as for the parallel and non-deterministic capture of invariants. This permits the detection of compromise attempts even in the case where attackers have complete knowledge of the defense mechanisms.
Wolthusen, Stephen
Automated Extraction of Behavioural Profiles from Document Usage
BT Technology Journal, (2007), 1, pp. 192-200
Both human analysts and particularly automated tool suites are capable of deriving sensitive information and conclusions from collections of data items that individually cannot be considered critical or sensitive. This activity of analysing and correlating material that is not immediately related is, in fact, highly desirable in many application areas and cannot be controlled precisely in advance. The decision whether a program or an analyst is performing searches and correlations beyond the scope of his authorisation or current mission can frequently be determined only ex post based on a heuristic analysis of documents accessed.
In this paper we describe a mechanism for the instrumentation of operating systems to obtain information on the documents and resources accessed by arbitrary processes. Such a mechanism could be an important component of the infrastructure of an operational risk management system, generating an audit trail for compliance and forensic investigation, and acting as a sensor generating data for analysis. Addressing the latter application, the paper also outlines an approach for extracting textual information and metadata from accessed documents, regardless of the application program and workflow mechanisms used, without unduly impeding either workflows or operator performance.
This information can then be subjected to an heuristic analysis based on natural language processing to extract the semantic context of each document or segment. Clustering this content and extracting the conceptual patterns that a user has accessed can then allow abnormal behaviour to be identified. This can then be refined further to determine heuristically whether the authorised remit of the user has been breached and whether an investigation is warranted. We argue that the risk of misbehaviour can be reduced while at the same time increasing productivity. This is made possible by enhancing the degree of freedom for individual users to act in the interest of their mission objectives and at the same time providing automated mechanisms for analysing user behaviour.
Wolthusen, Stephen
The Role of Mathematics in Information Security Education
Futcher, Lynn (Ed.) et al.: Fifth World Conference on Information Security Education. Proceedings : WISE 2007. Berlin, Heidelberg, New York: Springer, 2007. (IFIP International Federation for Information Processing 237), pp. 129-136
World Conference on Information Security Education (WISE) <5, 2007, West Point, NY, USA>
There exists a disconnect between the expectations of students of information security and the requirements imposed on their mathematical abilities and maturity at both the M.Sc. and Ph.D. levels. In this paper we discuss efforts at Gjøvik University College, Norway, to bridge this gap on one hand by providing a targeted curriculum component intended to provide the necessary mathematical tools for conducting research at the doctoral level. On the other hand we are critically examining the curricular dependencies and requirements at the M.Sc. level where two factors are becoming evident. First, not all students at this level have adequate mathematical backgrounds to be able to profit fully from the program even though they may meet all formal prerequisites. Second, there may exist areas where the depth and rigor of the mathematical foundations currently in place in the curriculum is not strictly necessary. Both of these factors can impede access and subsequent success of graduate programs and must therefore be addressed carefully with the aim of striking a balance between these competing objectives.
Wolthusen, Stephen
Defensive Information Warfare and the Protection of Critical Infrastructures
Consiglio Nazionale delle Ricerche: XVI Amaldi Conference on Problems of Global Security. Proceedings 2004. Rome: Bardi Editore, 2007. (Atti dei convegni Lincei 167), pp. 93-106
Amaldi Conference on Problems of Global Security <16, 2004, Trieste, Italy>
Wu, Meng-Da; Wolthusen, Stephen
Network Forensics of SSL/TLS Encrypted Channels
Remenyi, Dan (Ed.): ECIW 2007 - The 6th European Conference on Information Warfare and Security. Reading, UK: Academic Conferences International, 2007, pp. 303-312
European Conference on Information Warfare and Security (ECIW) <6, 2007, Shrivenham, UK>
Network forensics is increasingly hampered by the ubiquitous use of encrypted channels by legitimate and illegitimate network traffic. Both types of traffic are frequently tunneled over application-layer encryption mechanisms, generally using the ubiquitous TLS (SSL) protocol. This results in traditional network forensics tools being largely limited to recording external characteristics (source and origin addresses and ports, time and traffic patterns), but with little insight into content and purpose of the traffic. We propose that a precise characterization of encrypted traffic not only in the form of the external characteristics but also through the analysis of the exact mechanisms, variants and options used for the encrypted channel but visible without access to key material along with a fine-grained analysis of the traffic patterns itself incorporating domain knowledge of the SSL/TLS protocol can yield valuable insights and help to classify traffic into legitimate traffic, illegitimate immediate traffic (e.g. as caused by a Trojan). It can also characterize traffic that is added to an existing data stream by an illegitimate source. In this paper, we therefore present and characterize different traffic types and subsequently analyze this traffic, including the SSL/TLS protocol data units using selected sequence mining techniques.
Cole, John L.; Wolthusen, Stephen; IEEE Computer Society; Institute of Electrical and Electronics Engineers (IEEE)
Fourth IEEE International Workshop on Information Assurance. Proceedings
IEEE International Workshop on Information Assurance (IWIA) <4, 2006, Egham, UK>
ISBN: 0769525644
Dahl, Ole Martin; Wolthusen, Stephen
Modeling and Execution of Complex Attack Scenarios Using Interval Timed Colored Petri Nets
Cole, John L. (Ed.) et al.: Fourth IEEE International Workshop on Information Assurance. Proceedings. Los Alamitos, Calif.: IEEE Computer Society, 2006, pp. 157-168
IEEE International Workshop on Information Assurance (IWIA) <4, 2006, Egham, UK>
The commonly used flaw hypothesis model (FHM) for performing penetration tests provides only limited, high-level guidance for the derivation of actual penetration attempts. In this paper, a mechanism for the systematic modeling, simulation, and exploitation of complex multi-stage and multi-agent vulnerabilities in networked and distributed systems based on stochastic and interval-timed colored Petri nets is described and analyzed through case studies elucidating several properties of Petri net variants and their suitability to modeling this type of attack.
Hjelmås, Erik; Wolthusen, Stephen
Full-Spectrum Information Security Education: Integrating B.Sc., M.Sc., and Ph.D. Programs
Proceedings of the 3rd Annual Conference on Information Security Curriculum Development. New York: ACM Press, 2006, pp. 9-16
Annual Conference on Information Security Curriculum Development (InfoSecCD) <3, 2006, Kennesaw, GA, USA>
In this paper, we describe the content and rationale of a comprehensive information security program encompassing degree options at the B.Sc., M.Sc., and Ph.D. levels established at Gjøvik University College, Norway. While the individual programs are open for students meeting certain formal prerequisites at each level, the sequence of degree programs is also designed in such a way as to allow students to progress from B.Sc. to Ph.D. levels without undue overlap or repetition. This is accomplished by placing different emphases on the teaching and learning tools and techniques used, moving on to higher levels in Bloom's hierarchy in the process. At the same time, the different degrees also take into account the career progression and concomitant changes in the needs of students. We describe these considerations along with a brief description of courses offered at each level, along with a description of the learning environments at each level.
Wiehe, Anders; Hjelmås, Erik; Wolthusen, Stephen
Quantitative Analysis of Efficient Antispam Techniques
The National Security Agency: IEEE Systems, Man and Cybernetics Society Information Assurance Workshop. CD-ROM Proceedings. New York: IEEE, Inc., 2006, pp. 163-169
Annual IEEE SMC Information Assurance Workshop (IAW) <7, 2006, West Point, NY, USA>
While dynamic content-based filtering mechanisms for the identification of unsolicited commercial email (UCE, or more commonly "spam") have proven to be effective, these techniques require considerable computational resources. It is therefore highly desirable to reduce the number of emails that must be subjected to a content-based analysis. In this paper, a number of efficient techniques based on lower protocol level properties are analyzed using a large real-world data set. We show that combinations of several network-based filters can provide a computationally efficient pre-filtering mechanism at acceptable false-positive rates.
Wolthusen, Stephen
Risikomanagement, Sicherheitspolitiken und technische Verfahren zu deren Durchsetzung (II)
IT-Sicherheit & Datenschutz, (2006), 4, pp. 349-352
This article presents aspects of the COSEDA system for the definition and automatic enforcement of security policies. In particular, it considers enforcement mechanisms for securing interfaces, email traffic, and file systems. The article also provides a brief outline of the formal mechanisms underlying the policy mechanism.
Wolthusen, Stephen
Risikomanagement, Sicherheitspolitiken und technische Verfahren zu deren Durchsetzung (I)
IT-Sicherheit & Datenschutz, (2006), 3, pp. 319-321
This article presents requirements for abstract security policies and their technical implementation. Building on this, it considers what is needed to enforce the policies technically and the limits of standard systems in doing so.
Wolthusen, Stephen
Revisionssichere Protokollierung in Standardbetriebssystemen
Datenschutz & Datensicherheit, Vol.30 (2006), 5, pp. 281-284
Log files are very easy to create, but also to modify, suppress, and delete. The protection mechanisms available in standard operating systems and application programs are insufficient and must be supplemented and extended to account for the growing requirements and the criticality of log data. The author considers the technical and organizational requirements for audit-proof collection of log data and points out the constraints that must be taken into account when realizing these requirements in logging architectures for standard operating systems.
Wolthusen, Stephen
Secure Visualization of GIS Data
The National Security Agency: IEEE Systems, Man and Cybernetics Society Information Assurance Workshop. CD-ROM Proceedings. New York: IEEE, Inc., 2006, pp. 200-207
Annual IEEE SMC Information Assurance Workshop (IAW) <7, 2006, West Point, NY, USA>
Modern GIS systems increasingly rely on server-side rendering and web services for the rendering of geographical and application-specific data for both efficiency and security reasons since the underlying data sets for critical infrastructures and emergency operations are typically extremely sensitive. Given that display devices can be spread in the field on mobile devices, the ability to track and trace leaking and misuse of visualization data is of critical importance. In this paper we describe a technique to insert robust steganographic markings into the rendering process for GIS data based on context-sensitive texture adaptation along with a system architecture for marking and tracing GIS service data over a standards-based communication channel.
Wolthusen, Stephen
Windows Device Interface Security
Information Security Technical Report, Vol.11 (2006), 4, pp. 160-165
This paper discusses both risks and mitigation strategies for risks and threats associated with physical device interfaces. To this end, a brief discussion of the I/O architecture found in the Microsoft Windows operating system is followed by a review of several classes of attacks possible using only external devices attached to standard device interfaces of host computers. Based on this analysis, a selection of possible countermeasures including the modification of the host operating system by wrapping the I/O mechanisms into a hardened protective layer is discussed.
Cole, Jack; Wolthusen, Stephen; IEEE Computer Society Task Force on Information Assurance (TFIA); ACM SIGSAC
Third IEEE International Workshop on Information Assurance. Proceedings
IEEE International Workshop on Information Assurance (IWIA) <3, 2005, Maryland, USA>
ISBN: 076952317X
Graf, Frank; Wolthusen, Stephen
A Capability-Based Transparent Cryptographic File System
Kunii, Tosiyasu L. (Ed.) et al.: 2005 International Conference on Cyberworlds. Proceedings. Los Alamitos, Calif.: IEEE Computer Society, 2005, pp. 101-108
International Conference on Cyberworlds (CW) <4, 2005, Singapore>
Data on the file system in mobile internetworked working environments are exposed to a number of threats ranging from physical theft of storage devices to industrial espionage and intelligence activities. This paper describes a fully transparent, capability-based file system security mechanism for use in heterogeneous computing environments with emphasis on the implementation on the Microsoft Windows NT/XP family of operating systems. This mechanism can provide confidentiality and integrity protection for on- and off-line use through modular cryptographic means and is interoperable between several operating system platforms.
Hämmerli, Bernhard M.; Wolthusen, Stephen
Proceedings of CIP Europe 2005 - Participants Edition: Symposium im Rahmen der Jahrestagung 2005 der Gesellschaft für Informatik
CIP Europe <2005, Bonn>
Hämmerli, Bernhard M.; Wolthusen, Stephen; Institute of Electrical and Electronics Engineers (IEEE); IEEE Computer Society; Gesellschaft für Informatik, GI-Fachgruppe KRITIS: Critical Infrastructure Protection
First IEEE International Workshop on Critical Infrastructure Protection. Proceedings: IWCIP 2005
IEEE International Workshop on Critical Infrastructure Protection (IWCIP) <1, 2005, Darmstadt, Germany>
ISBN: 0769524265
Likavec, Jaromir; Wolthusen, Stephen
Enforcing Messaging Security Policies
Cole, Jack (Ed.) et al.: Third IEEE International Workshop on Information Assurance. Proceedings. Los Alamitos, Calif.: IEEE Computer Society, 2005, pp. 131-138
IEEE International Workshop on Information Assurance (IWIA) <3, 2005, Maryland, USA>
A system for enforcing messaging security policies for both store and forward and streaming messaging protocols on COTS operating system platforms is described. Messaging protocols are subjected to interception, transformation, and filtering based on dynamically configurable security policies. Transformations include the automatic policy-based application of cryptographic confidentiality, integrity, and authenticity mechanisms and filtering primarily based on Bayesian analysis. The system provides a low cost, fine granularity compartmentalization mechanism for secure environments as well as for sensitive but unclassified environments using COTS operating systems and application programs without affecting user or application behavior in which the mediation of access to key material and messaging provides protection against malware and insider attacks.
Wolthusen, Stephen
Molehunt: Near-line Semantic Activity Tracing
The National Security Agency: IEEE Systems, Man and Cybernetics Society Information Assurance Workshop. Proceedings. West Point, New York, 2005, pp. 410-418
Annual IEEE SMC Information Assurance Workshop (IAW) <6, 2005, West Point, NY, USA>
This paper discusses threats posed by low granularity in access to confidential (classified) data typically found at lower protection levels, namely direct access beyond need to know and the correlation of materials yielding more sensitive aggregate data by both insider threats and malware, an area of particular concern for intelligence analysis. It is argued that while active security controls at both the procedural and technical level are currently not pragmatically feasible, near-line semantic monitoring particularly at the file system but also at the network level can provide capabilities to detect anomalous and also directed malicious activity. A mechanism for implementing the tracing and monitoring mechanism on a COTS operating system is described.
Wolthusen, Stephen
Information Sharing and Decision Support for C(I)IP
Hämmerli, Bernhard M. (Ed.) et al.: Proceedings of CIP Europe 2005 - Participants Edition : Symposium im Rahmen der Jahrestagung 2005 der Gesellschaft für Informatik, pp. 7-12
CIP Europe <2005, Bonn>
Interdependencies among the elements of national and transnational critical infrastructures necessitate coordination and cooperation among infrastructure operators as well as with government. At the same time this need to share is contrasted with the sensitivity of information that can cause severe harm if exposed. Using a standards-based platform for information sharing and fine-grained and provably secure access controls provides the ability to cross-link infrastructure operators and geographically dispersed organizational units within individual infrastructure operator organizations as needed using a common cognitive model that can support both topographical and topological visualization mechanisms, particularly using geographical information systems as a foundation.
Wolthusen, Stephen
GIS-based Command and Control Infrastructure for Critical Infrastructure Protection
Hämmerli, Bernhard M. (Ed.) et al.: First IEEE International Workshop on Critical Infrastructure Protection. Proceedings : IWCIP 2005. Los Alamitos, Calif.: IEEE, 2005, pp. 40-47
IEEE International Workshop on Critical Infrastructure Protection (IWCIP) <1, 2005, Darmstadt, Germany>
Critical infrastructure components are often dispersed over large areas; at the same time even an individual infrastructure component relies on a significant number of parameters that must be controlled and monitored in addition to interdependencies with other infrastructure components.
Modeling and simulation of infrastructure elements and particularly of interdependencies and risks to those elements can be performed on the basis of a geographical information system providing a common semantic basis for presentation and analysis as well as a mechanism for sharing only selected and where necessary downgraded information with other infrastructure operators.
Busch, Christoph; Wolthusen, Stephen
Information Warfare: Threats to Critical Infrastructures
Fogelberg, Paul (Ed.): Changing Threats to Global Security: Peace or Turmoil. Helsinki: Finnish Institute of International Affairs, 2004, pp. 147-156
International Amaldi Conference on Problems of Global Security <15, 2003, Helsinki, Finland>
The paper describes threats to critical infrastructures in the times of information warfare and cyberterrorism.
Herbst, M.; Wolthusen, Stephen
Empfehlungen zur IT-Sicherheit von Praxis-Systemen
Jäckel, Achim (Ed.): Telemedizinführer Deutschland 2004. Ober-Mörlen: Medizin Forum, 2004, pp. 204-205
Marin, Purificacion Lagunas; Wolthusen, Stephen (Adviser)
Entwurf, Realisierung, und Analyse einer PKI-gestützten Identifikations- und Authentisierungsarchitektur
Darmstadt, FH, Diplomarbeit, 2004
Wolthusen, Stephen
Self-inflicted Vulnerabilities
The Naval War College Review, Vol.LVII (2004), 3/4, pp. 102-113
Wolthusen, Stephen
Modeling Critical Infrastructure Requirements
The National Security Agency: IEEE Systems, Man and Cybernetics Society Information Assurance Workshop. Proceedings. West Point, New York, 2004, pp. 101-108
Annual IEEE SMC Information Assurance Workshop <5, 2004, West Point, NY, USA>
Critical infrastructures in industrialized nations form a highly interdependent network that must be protected against both intrinsic defects and active attacks. This requires local as well as joint situational awareness based on current, accurate, and semantically unambiguous data as well as simulations, particularly of attack scenarios, necessitating in turn automated information sharing measures that can span transitive dependency networks. Since the infrastructure elements are frequently civilian-owned, providing provable assertions on the precise nature of the data shared and the extent of dissemination is crucial. In this paper, a layered graph-theoretical modeling technique is used; at a lower layer, a standards-based ontological model is described in which resources and interactions are formed into a common exchange format. From this, a simple dependency model amenable to combinatorial optimization and simulation is described, which is then also used as the foundation for the application of the schematic protection model by Sandhu to the information sharing problem.
Wolthusen, Stephen
Grundschutz für Praxis-Systeme
Jäckel, Achim (Ed.): Telemedizinführer Deutschland 2004. Ober-Mörlen: Medizin Forum, 2004, pp. 225-229
Wolthusen, Stephen
Tempering Network Stacks
Research and Technology Organisation (RTO): Adaptive Defence in Unclassified Networks : Papers Presented at the RTO Information Systems Technology Panel (IST) Symposium Held in Toulouse, France [CD-ROM], pp. 17-1 - 17-14
RTO Information Systems Technology Panel (IST) Symposium <2004, Toulouse, France>
This paper summarizes existing and describes ongoing work on security policy definition and particularly enforcement in heterogeneous distributed systems. Based on a formal model of operating systems and interactions among networked nodes in a distributed system axiomatizing relations among and abstractions in distributed systems, arbitrary security policies can be defined over the same model; automated reasoning techniques can be used to dynamically derive the compliance of operations with all applicable security policies. A key component for enforcing such security policies in operating system network stacks is described along with instrumentation techniques for the Microsoft Windows NT family of operating systems.
Wolthusen, Stephen
Netzwerksicherheit
Weisbecker, Anette (Ed.) et al.: Electronic Business : Innovationen, Anwendungen und Technologien. Stuttgart: Fraunhofer IRB Verlag, 2004, pp. 222-233
Networking is an essential prerequisite for the majority of electronically supported business processes and is also a decisive factor in the efficiency gains of these processes. The notion of network security must therefore be considered in two ways: on the one hand as protection against threats that networking creates for individual IT systems, networks, and computers; on the other hand, however, also as protection of the networking itself against impairment and damage.
This distinction is necessary because in the latter case the threats lie partly or largely outside the sphere of control of a single organization, so that other defensive measures must be used. In addition, a clear distinction between threats to individual computer systems and threats to a network is becoming increasingly difficult, since the network functions of operating systems and application programs give local adversaries and adversaries accessing over network connections largely equivalent attack opportunities.
This contribution gives an outline of possible approaches to risk analyses and the creation of security policies, and presents a selection of threats from the aforementioned categories that must be taken into account in risk analyses for networked systems.
Wolthusen, Stephen; et al.; IEEE Computer Society Task Force on Information Assurance (TFIA); ACM Special Interest Group on Security, Audit, and Control (SIGSAC)
Second IEEE International Workshop on Information Assurance. Proceedings
IEEE International Workshop on Information Assurance (IWIA) <2, 2004, Darmstadt, Germany>
ISBN: 0769521177
Arnold, Michael; Schmucker, Martin; Wolthusen, Stephen
Techniques and Applications of Digital Watermarking and Content Protection
ISBN: 1580531113
Cole, Jack; Wolthusen, Stephen; IEEE Computer Society Task Force on Information Assurance (TFIA); ACM SIGSAC
First IEEE International Workshop on Information Assurance. Proceedings
IEEE International Workshop on Information Assurance (IWIA) <1, 2003, Darmstadt, Germany>
ISBN: 0769518869
Wolthusen, Stephen
A Distributed Multipurpose Mail Guard
The National Security Agency: IEEE Systems, Man and Cybernetics Society Information Assurance Workshop. Proceedings. West Point, New York, 2003, pp. 268-275
Annual IEEE SMC Information Assurance Workshop <4, 2003, West Point, NY, USA>
This paper describes a mechanism for incorporating a mail guard mechanism together with automatic, mandatory, and fully transparent digital signatures and encryption for message traffic embedded into the operating system of individual network nodes. By intercepting all inbound and outbound network traffic and analyzing for pertinent information using generalized Büchi automata, the guard mechanism can enforce the application of (centralized) mail security policies without requiring any support from mail clients. An implementation based on modular modifications to the Microsoft Windows NT/2000/XP family of operating systems and OpenPGP-based messaging is described.
Wolthusen, Stephen
Goalkeeper: Close-In Interface Protection
Applied Computer Security Associates: 19th Annual Computer Security Applications Conference. Proceedings 2003. Los Alamitos: The Institute of Electrical and Electronics Engineers, 2003
Annual Computer Security Applications Conference ACSAC <19, 2003, Las Vegas, USA, Nev.>
This paper discusses a potential security issue in common operating system and application environments regarding dynamically attached devices and device interfaces. A set of countermeasures for the identified threats is described along with the integration of countermeasures into a policy-based security infrastructure; finally, an implementation of the countermeasure in the form of a policy enforcement module integrated into the kernel of the Microsoft Windows 2000/XP family of operating systems is described.
Wolthusen, Stephen
Embedding Policy-Controlled ID Sensors within Host Operation System Security Enforcement Components for Real Time Monitoring
Research and Technology Organisation (RTO): Real Time Intrusion Detection. Proceedings CD-ROM. Neuilly-sur-Seine Cedex: RTO/NATO, 2003. (RTO Meeting Proceedings 101), MP-101-04-1 - 04-11
RTO Information Systems Technology Panel (IST) Symposium <2002, Estoril, Portugal>
This paper describes some attack and intrusion detection elements of a security architecture for distributed heterogeneous systems. The architecture concentrates on the level of the operating systems of the nodes involved and can also be retrofitted to existing COTS systems through the use of modular instrumentation extensions to the kernel and possibly the use of trusted coprocessor subsystems. The instrumentation provides both a reference monitor mechanism for active enforcement of security policies as well as sensor information for intrusion detection aspects, both of which occur under the control of a set of policies consistently enforced throughout distributed systems using external repositories. The reference monitor and intrusion detection mechanisms are controlled by policies defined in a first order theory permitting the abstract specification of subject, objects, and operations which are mapped to a given environment through the use of interpretations. This ensures a consistent enforcement of all applicable policies and permits the derivation of (consistent) additional rules based on automated deduction and can not only be used to model rule-based detection mechanisms but also to modulate the sensor output provided by the instrumentation within nodes. As an additional benefit, the use of predicates within the first order theory also permits a consistent view on observations at the time of data fusion.
Wolthusen, Stephen; Buchmann, Johannes; Stephan, Werner
A Model-Independent Security Architecture for Distributed Heterogeneous Systems
Darmstädter Dissertationen
ISBN: 3832504168
This dissertation shows that information assurance properties can be both specified within a formal model of systems to which the properties are applied using the same formal theory for modeling, specification, and reasoning and enforced in such a way that enforcement is performed consistently across multiple, heterogeneous nodes and organizational domains while retaining the semantics of the formal model. The properties, referred to as security policies, can be specifically enforced at the operating system level and are constructed in such a way that automated reasoning mechanisms derive lower abstraction layer properties from higher semantic levels specified by administrative personnel based on the formal abstract model and interpretations thereof. Moreover, operations to be performed are permitted based on proofs obtained within the formal model while required operations are also derived within the model.
To permit the consistent enforcement of an arbitrarily large set of security policies and scalability across large organizations and networks, externally controlled reference monitors and external reference monitors are introduced which control layered enforcement mechanisms that can be implemented both in systems constructed ab initio and as an add-on to existing, particularly commercially available operating systems even if no source code is available for modification to ease the transition to secure systems while permitting mission fulfillment based on legacy systems. These aspects are demonstrated using the Microsoft Windows 2000 operating system as an example.
Enforcement mechanisms are described using the reference interpretation including modification and augmentation of file system and network protocol stack behavior along with the implicit benefits derived from the use of these enforcement mechanisms. Specifically, the implementation of dynamic distributed network firewalling and intrusion detection as well as multilevel security capabilities under the control of consistent policies are discussed. For this purpose the suitability of the framework for modeling multisensor data fusion as applied to intrusion detection is discussed.
To demonstrate the capabilities of the layered enforcement system for application-specific domains, the use of visible and invisible labeling mechanisms for hard copy output is furthermore discussed.
Wolthusen, Stephen; Prediger, Frank
ReEncryption - Ein Konzept für den umfassenden Dokumentenschutz
Horster, Patrick (Ed.): D-A-CH Security. Proceedings : Bestandsaufnahme, Konzepte, Anwendungen, Perspektiven. syssec, 2003. (IT Security & IT Management), pp. 273-284
DACH Security <2003, Erfurt, Germany>
This paper describes an IT security system that enables the processing, storage, and transmission of confidential or otherwise sensitive records and documents within a closed user group on the basis of existing commercial operating systems. Cryptographic protection mechanisms ensure the confidentiality and integrity of documents in digital representation; analog representations such as printouts are also protected through the use of digital watermarks. The management of documents, and in particular control over their use, is integrated into the system in such a way that every use by a user can be controlled and logged; owing to automatic and transparent encryption, further use can be prevented even for data stored on non-rewritable media by revoking the key material required for access. The mechanisms used are transparent to application programs and users and cannot be circumvented by them, since the protective measures are anchored within the operating system (both Microsoft Windows and Unix derivatives).
Busch, Christoph; Wolthusen, Stephen
IT-Sicherheit - wie geht das?
Ahrend, Wolf-Martin (Red.) et al.: IT-Sicherheit für den Mittelstand : Leitfaden zum Thema IT-Sicherheit. (hessen-media 38), pp. 9-34
This chapter presents the measures and prerequisites required for creating an IT security policy and explains the essential elements of such a policy. The basis of a security policy is the risk analysis: the recording of all assets, values, and business processes together with the threats and hazards acting on them. On the basis of the quantitative analysis, technical and organizational measures for eliminating or limiting the risks can then be laid down in a security policy. The chapter also presents the life cycle of a security policy.
Busch, Christoph; Wolthusen, Stephen
Sensitivity Labels and Invisible Identification Markings in Human-Readable Output
Wong, Wah Ping (Ed.) et al.: Security and Watermarking of Multimedia Contents IV. Washington: SPIE, 2002. (Proceedings of SPIE 4675), pp. 149-157
Security and Watermarking of Multimedia Contents <4, 2002, San Jose, CA, USA>
This paper presents a mechanism for embedding both immediately readable and steganographically hidden information in human-readable output, particularly in hard copy format. The mechanism is embedded within a domain inaccessible to unprivileged users in the operating system's Trusted Computing Base. A realization is presented which permits the embedding of such markings in arbitrary printing systems under the Microsoft Windows NT family of operating systems.
Wolthusen, Stephen
Distributed Intrusion Detection for Policy-Controlled Heterogeneous Environments
The National Security Agency: Third Annual IEEE SMC Information Assurance Workshop. Proceedings 2002. CD-ROM. West Point, New York, 2002, pp. 255-262
Annual IEEE SMC Information Assurance Workshop <3, 2002, West Point, NY, USA>
This paper describes the intrusion detection aspects of a security architecture for distributed heterogeneous systems based on a network of externalized reference monitors defining a set of policies formulated as formulae of a first order theory. This can be retrofitted onto existing operating systems or realized standalone. Aspects considered in this paper include the effects of fine-grained component-level instrumentation of the operating system and a common entity naming model imposed by the architectural framework and discusses the application of the JDL multisensor data fusion model in the context of the framework.
Wolthusen, Stephen
Access and Use Control using Externally Controlled Reference Monitors
ACM Operating Systems Review, Vol.36 (2002), 1, pp. 58-69
This paper presents a mechanism for the consistent enforcement of security policies within a distributed system by extending the reference monitor concept in such a way that both a conceptual and actual separation of the specification and enforcement of security policies by the reference monitor, hence an externally controlled reference monitor, is obtained. An externally controlled reference monitor may enforce multiple policies simultaneously; for this multiple external reference monitors can be queried. To maintain the policy independence of the reference monitor, subjects, objects, and operations are modeled in a formal theory which can also be mapped to multiple operating systems providing an operating system-independent mechanism for specifying and enforcing policies. This policy mechanism is briefly discussed, as is an example of an interpretation element and the corresponding implementation techniques for retrofitting the externally controlled reference monitor onto existing operating systems.
Busch, Christoph; Wolthusen, Stephen
Tracing Data Diffusion in Industrial Research with Robust Watermarking
Dugelay, Jean-Luc (Ed.) et al.: Workshop on Multimedia Signal Processing. Proceedings 2001. New York: IEEE, Inc., 2001, pp. 207-212
IEEE Workshop on Multimedia Signal Processing (MMSP) <4, 2001, Cannes, France>
This paper presents a security system for enforcing security policies throughout distributed environments. The aspects of the system dealing with the protection of digital data using object labeling and mandatory encryption at the operating system level are described briefly; the main focus is on the protection afforded by the system in the analog domain. This is accomplished by embedding multiple digital watermarks identifying the copyright owner, the identity of the object, and of users accessing the object into any markable object accessed by users.
Leyer, Thomas; Nagel, Uwe (Adviser); Wolthusen, Stephen (Adviser)
Design and Implementation of a Transparent Cryptographic Security Layer into the Transport Layer
Paderborn, Univ., Diplomarbeit, 2001
The realization of a cryptographically secured Virtual Private Network (VPN) layer was the topic of this thesis. Although the implementation was done for UNIX hosts, interoperability with other platforms was required. The prototype had to provide transparency for users and applications and state-of-the-art cryptographic security. It was integrated into the CIPRESS system developed at the Fraunhofer Institute for Computer Graphics.
First an analysis of possible solutions for the cryptographic processing as well as for the network integration was carried out. Among other possible solutions, e.g. the design of a custom cryptographic protocol, the use of the well tested Secure Socket Layer (SSL) protocol was figured out to be the best choice. It is reliable, proven by a wide deployment, and provides a flexible framework for integration of new cryptographic methods.
The most suitable solution for the network integration turned out to be a UNIX kernel module based on the STREAMS mechanism, which provides a well defined interface for implementing extensions to the UNIX network interface. This avoids re-implementing networked applications, since the commonly used interface is changing. Like that a STREAMS module was the right choice for a general solution.
The implemented prototype consists of two applications. The STREAMS module operating on kernel level processes transferred data in two layers. The first layer called VPN-layer checks whether a connection to another host should be allowed or not and whether to encrypt the transferred data. For already established connections the VPN layer encrypts the data payload using symmetric encryption provided by SSL. The second layer is invoked when a new connection to a host dedicated to encryption is requested. It establishes an SSL secured connection to the destination host. For configuration and certificate handling a daemon operating in user level has been deployed.
Rademer, Ero; Wolthusen, Stephen
Transparent Access to Encrypted Data Using Operating Systems Network Stack Extensions
Steinmetz, Ralf (Ed.) et al.: Communications and Multimedia Security Issues of the New Century. Boston; Dordrecht; London: Kluwer Academic Publishers, 2001, pp. 213-226
IFIP TC6/TC11 Joint Working Conference on Communications and Multimedia Security CMS <5, 2001, Darmstadt>
The CIPRESS system provides security enhancements for general purpose operating systems by adding kernel level functionality for cryptographic and steganographic operations and keeping both users and application programs unmolested as far as possible. This paper describes the transparent network filtering and encryption mechanisms used in the Microsoft Windows NT implementation that allow integrated access and use control over confidential or otherwise restricted data at client systems.
Wolthusen, Stephen
Layered Multipoint Network Defense and Security Policy Enforcement
The National Security Agency: Second Annual IEEE SMC Information Assurance Workshop. Proceedings 2001. West Point, New York, 2001, pp. 100-108
Annual IEEE SMC Information Assurance Workshop <2, 2001, West Point, NY, USA>
This paper discusses the enhancement of security in general purpose operating systems, especially related to threats caused by internetworking, using extensions to operating systems. Such mechanisms have a significantly larger basis for reaching security policy decisions than older host-level security mechanisms and firewalls. By layering defensive mechanisms yet enforcing a consistent security policy across the security layers, goals such as workload distribution, vulnerability compartmentalization, and hierarchical refinement of security policies can be achieved.
Wolthusen, Stephen
Security Policy Enforcement at the File System Level in the Windows NT Operating System Family
Applied Computer Security Associates: 17th Annual Computer Security Applications Conference. Proceedings 2001. Los Alamitos: The Institute of Electrical and Electronics Engineers, 2001, pp. 55-63
Annual Computer Security Applications Conference ACSAC <17, 2001, New Orleans, LA, USA>
This paper describes the implementation of an enforcement module for file system security implemented as part of a security architecture for distributed systems which enforces a centrally administered security policy under the Windows NT operating system platform. The mechanism provides mandatory access control, encryption, and auditing on an individual file basis across distributed systems while being fully transparent to both users and application programs and functioning regardless of the type of file system or its attachment mechanism.
Busch, Christoph; Graf, Frank; Wolthusen, Stephen; Zeidler, Armin
A System for Intellectual Property Protection
International Institute of Informatics and Systemics (IIIS): 4th World Multiconference on Systemics, Cybernetics and Informatics. Proceedings : Volume IV - Communications Systems and Networks. Orlando, Florida: International Institute of Informatics and Systemics, 2000, pp. 225-230
World Multiconference on Systemics, Cybernetics and Informatics (SCI) <4, 2000, Orlando, FL, USA>
An integrated system for the protection of data both on computers and in analog representation is presented. Based on the automatic and mandatory encryption of all data on storage media, authenticated encrypted communication channels, and digital watermarking technology, the system protects data from misappropriation while working as an extension to the operating system, making the security mechanisms fully transparent for legitimate users. Even analog representations of the data objects are still protected through the use of digital watermarking and can be traced back. An outline of the system architecture along with information on the prototype is given.
Busch, Christoph; Rademer, Ero; Schmucker, Martin; Wolthusen, Stephen
Concepts for a Watermarking Technique for Music Scores
Campus Estado di Mexico, TEC de Monterrey: Visual 2000. Proceedings-CD-ROM. Mexico City, 2000
Conferencia Internacional en Cómputo Visual <3, 2000, Mexico City>
Today's quality of copying machines allows everyone to copy any kind of printed document without significant loss of quality. Copying of music scores represents a particular nuisance. At the same time web-based distribution of music scores in digital representations becomes widespread raising further issues with regard to intellectual property.
Although copying music scores cannot be stopped, it is possible to trace such copies by hiding information in the music score itself using watermarking techniques. Two different concepts are presented here: The first regards a music score as an image and uses standard image watermarking techniques. The second is a symbolic approach. Here some music symbols are used by changing their features for hiding information in the music score. The advantage is its robustness and visibility. By choosing suitable features a blind detection of the watermark is possible.
Busch, Christoph; Funk, Wolfgang; Wolthusen, Stephen
Digital Watermarking: From Concepts to Real-Time Video Applications
IEEE Computer Graphics and Applications, Vol.19 (1999), 1, pp. 25-35
The authors developed a secure, robust watermarking algorithm and applied it in digital streaming MPEG-2 format video - the format of choice in the broadcast and video stock industry.
Graf, Frank; Busch, Christoph; Wolthusen, Stephen
Courseware needs Security
Cumming, Geoff (Ed.): Advanced Research in Computers and Communications in Education : New Human Abilities for the Networked Society. Amsterdam: IOS Press; Ohmsha, 1999. (Frontiers in Artificial Intelligence and Applications 55), pp. 11-18
International Conference on Computers in Education (ICCE) <7, 1999, Chiba, Japan>
To be able to fulfill future requirements for education and training, new learning scenarios with distributed, user-adaptive, on-demand, co-operative training environments to support time and space independent learning are needed. Imparting knowledge will become a valuable service and field of business since knowledge and continuous education are becoming a major contributing factor to economic success of any company. As a consequence, courseware and the right to access it will be a major object of trade. Since its stock of courseware is the capital of each training provider there is a considerable need to protect it from any misuse. This paper will discuss the security requirements special to the area of Computer Aided Learning (CAL). It will show how courseware can be protected from illicit use and distribution when using a security system that provides use control throughout the existence of the data, instead of access control restricted to the time of delivery.
Wolthusen, Stephen
Von der Patienten-Chip-Karte zur Health Professional Card
Der Deutsche Dermatologe, (1999), pp. 788 - 789
The health insurance card, designed as a simple data store without security measures, has become established in Germany, although entirely justified concerns regarding forgeability, surveillance possibilities, "doctor hopping" etc. existed and in part persist to this day. Across Europe there is now political consensus to take further steps towards a "physician card" or a Health Professional Card (HPC).
Wolthusen, Stephen
Sicherheit von Praxis-Systemen
Der Deutsche Dermatologe, Vol.47 (1999), 9, pp. 687-692
With the advent of the "personal computer" twenty years ago, a change has taken place. Maintenance, upkeep and operational responsibility no longer lie in the hands of data centers. In the majority of small and medium-sized enterprises, the user is now entirely on their own. This brings advantages and disadvantages with regard to productivity, availability and system security.
Wolthusen, Stephen; Funk, Wolfgang (Adviser); Busch, Christoph (Adviser)
Entwurf und Durchführung einer Evaluierung von Firewall-Systemen
Darmstadt, TU, diploma thesis, 1999
Encarnação, José L.; Wolthusen, Stephen
Sicherheit in der Informationstechnik
Deutsch-Japanischer Kooperationsrat für Hochtechnologie und Umwelttechnik: Digitale Signaturen: Ihre Rolle im Rechts- und Geschäftsverkehr. Deutsch-Japanischer Workshop 1998. Bonn: Asiatext, 1999, pp. 74-96
Deutsch-Japanischer Workshop Digitale Signaturen <1998, Darmstadt>
Within five years, the number of Internet users in Germany has risen from a vanishingly small number, located predominantly at universities, to one tenth of all households in the federal territory. A similar trend towards the penetration of private households by this technology, which is proceeding faster than any previous wave of technology adoption, can be observed in all industrialized nations; one can say that information technology completely permeates commercial and private interests.
