Abstract
The dissertation analyzes service-based Internet systems with respect to security. It presents the author's universal security models CoRBAC and its extension TCoRBAC, which build on the traditional RBAC model. The analysis takes into account the broadly understood context in which the system operates and the level of trust the system places in the user. A method was developed for determining two parameters: trust in the system (λ), which is identified with the security level (β), and system usability (ε). On the basis of the proposed models, representative security mechanisms conforming to the adopted security policy were implemented. The properties of these solutions were examined using both the models and experimental data. A noticeable increase in the security level (β) of a system using the CoRBAC and TCoRBAC models was demonstrated in comparison with the RBAC model, and this is achievable without a significant decrease in system usability (ε). The security analysis can be performed on the basis of a risk analysis of the vulnerabilities detected by an external security audit, while usability can be assessed from an analysis of user activity logs. The adopted solutions and their evaluation were carried out by examining the Moja PG system, which has been developed and used at Gdańsk University of Technology for over four years.
Details
- Full text: Accepted or Published Version
- License: Copyright (Author(s))
- Category: Thesis, nostrification
- Type: doctoral thesis of staff employed at Gdańsk University of Technology and of doctoral-programme students
- Language: Polish
- Publication year: 2016
List of figures
- Figure 1: Four main directions of development of Internet systems
- Figure 2: Relation between the user's trust in the system and the security of the information system
- Figure 3: Security aspects in the considered Internet system
- Figure 4: Decomposition of the triple (system, security policy, threats) into the individual levels of detailed analysis
- Figure 5: Architecture of the considered Internet system
- Figure 6: Models of externalized and centralized authentication and authorization management: (a) traditional, (b) with externalized authentication, (c) with externalized authentication and privilege management
- Figure 7: Relations in the RBAC model between: a) users (U) and roles (R), b) permissions (P) and roles (R), c) permissions (P) and operations/services (S)
- Figure 8: General topology of threats, vulnerabilities and the risk associated with them
- Figure 9: The process of "hardening" the security of an Internet system
- Figure 10: Example fragment of the layered graph G(Vert, E) used to describe the security of a given Internet system
- Figure 11: Scope of the context of user actions from the security point of view
- Figure 12: Logical architecture of a service-oriented system taking context into account
- Figure 13: Example fragment of the layered graph G'(Vert, E) taking context C into account, used to describe the security of a given system
- Figure 14: Example graph G'(Vert(c), E(c)) for the current context c2, c4, c5, c7, c8 according to Table 11
- Figure 15: Example graph G'(Vert(c), E(c)) for the current context c3, c6, c9 according to Table 11
- Figure 16: Example fragment of the generalized layered graph G''(Vert(c), E(c)) taking context c into account, used to describe the security of a given system
- Figure 17: Exponential growth of the cardinality of the context (a) and linear time of determining the current context (b)
- Figure 18: Example scenario of user actions within one session, with the forced invocation of additional SMS code verification marked
- Figure 19: Example graph G'''(Vert(c,tl), E(c,tl)) for the TCoRBAC model
- Figure 20: Logical architecture of the security layer of an Internet system covering: a) authentication, b) two-stage access control
- Figure 21: Individual steps of the two-stage access control in the CoRBAC model
- Figure 24: List of the basic modules of the IP² platform
- Figure 25: Simplified model of distribution and horizontal scaling of the individual elements of the IP² platform
- Figure 26: Topology of detected vulnerabilities with their risk rating
- Figure 27: Algorithm for access verification conforming to the TCoRBAC model for given security mechanisms
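The abstract and the figure captions name the building blocks of the models: the RBAC relations between users, roles, permissions and services (Figure 7), a context c that decides which edges of the access graph are valid (Figures 13 to 16), a user trust level tl (Figure 19), a two-stage access check (Figures 20 and 21) and a forced SMS code verification inside a session (Figure 18). The Python sketch below is an added example written for this page to show how those pieces fit together in code; it is not the thesis's algorithm (Figure 27) and not code from the Moja PG system. The RBAC core follows Figure 7, while the context attributes, the predicates attached to edges, the trust scale, the threshold 0.6 and the trust adjustments after a correct or wrong SMS code are hypothetical assumptions made here for illustration.

```python
"""Context- and trust-aware RBAC check in the spirit of CoRBAC/TCoRBAC.

Added illustration for this page, not code from the thesis or Moja PG.
The RBAC core (users -> roles -> permissions -> services) follows Figure 7;
the context attributes, predicates, trust scale and thresholds are hypothetical.
"""
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Decision(Enum):
    DENY = "deny"          # static RBAC or context check failed
    ALLOW = "allow"        # both stages passed
    STEP_UP = "step_up"    # passed, but trust too low: extra verification required


@dataclass(frozen=True)
class Context:
    """Hypothetical context attributes observed for one request."""
    network: str           # "campus" or "external"
    device_known: bool     # device seen before for this user
    hour: int              # local hour, 0-23


@dataclass
class Session:
    user: str
    context: Context
    trust: float           # tl in [0.0, 1.0]; hypothetical scale
    step_up_done: bool = False


Predicate = Callable[[Context], bool]


@dataclass
class Policy:
    user_roles: Dict[str, Set[str]]
    role_perms: Dict[str, Set[str]]
    perm_services: Dict[str, Set[str]]
    # CoRBAC: a permission->service edge is in E(c) only if all its predicates hold
    edge_context: Dict[Tuple[str, str], List[Predicate]] = field(default_factory=dict)
    # TCoRBAC: minimum trust level needed to use a service without step-up
    min_trust: Dict[str, float] = field(default_factory=dict)

    def permissions_for(self, user: str, service: str) -> Set[str]:
        """Permissions of `user` (via its roles) that reach `service` in plain RBAC."""
        roles = self.user_roles.get(user, set())
        perms = set().union(*(self.role_perms.get(r, set()) for r in roles))
        return {p for p in perms if service in self.perm_services.get(p, set())}

    def decide(self, session: Session, service: str) -> Decision:
        # Stage 1: static RBAC, independent of context and trust.
        perms = self.permissions_for(session.user, service)
        if not perms:
            return Decision.DENY
        # Stage 2a: keep only the edges that are valid in the current context c.
        valid = [p for p in perms
                 if all(pred(session.context)
                        for pred in self.edge_context.get((p, service), []))]
        if not valid:
            return Decision.DENY
        # Stage 2b: the trust level gates the grant; low trust forces a step-up.
        if session.trust < self.min_trust.get(service, 0.0) and not session.step_up_done:
            return Decision.STEP_UP
        return Decision.ALLOW


def complete_step_up(session: Session, entered: str, expected: str) -> bool:
    """Check the additional SMS code; adjust trust (hypothetical +0.3 / -0.2)."""
    ok = hmac.compare_digest(entered.encode(), expected.encode())  # constant-time compare
    if ok:
        session.step_up_done = True
        session.trust = min(1.0, session.trust + 0.3)
    else:
        session.trust = max(0.0, session.trust - 0.2)
    return ok


def demo_policy() -> Policy:
    """Constructed policy: a lecturer may enter grades only in a trusted context."""
    def campus_or_known(c: Context) -> bool:
        return c.network == "campus" or c.device_known

    def working_hours(c: Context) -> bool:
        return 6 <= c.hour < 22

    return Policy(
        user_roles={"alice": {"lecturer"}, "bob": {"student"}},
        role_perms={"lecturer": {"grades:read", "grades:write"}, "student": {"grades:read"}},
        perm_services={"grades:read": {"ViewGrades"}, "grades:write": {"EnterGrades"}},
        edge_context={("grades:write", "EnterGrades"): [campus_or_known, working_hours]},
        min_trust={"EnterGrades": 0.6},
    )


def run_scenario() -> List[str]:
    """Figure-18-like session: ordinary access, then a service that forces a step-up."""
    pol = demo_policy()
    s = Session("alice", Context("external", True, 10), trust=0.4)
    out = [pol.decide(s, "ViewGrades").value,        # allow: no context or trust constraint
           pol.decide(s, "EnterGrades").value]       # step_up: context ok, trust 0.4 < 0.6
    complete_step_up(s, "000000", "493817")          # wrong code: trust drops to 0.2
    complete_step_up(s, "493817", "493817")          # correct code: step-up satisfied
    out.append(pol.decide(s, "EnterGrades").value)   # allow
    s2 = Session("alice", Context("external", False, 23), trust=0.9)
    out.append(pol.decide(s2, "EnterGrades").value)  # deny: edge not valid in this context
    out.append(pol.decide(Session("bob", s.context, 1.0), "EnterGrades").value)  # deny: stage 1
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The split into `permissions_for` and `decide` mirrors the two stages: the first is the RBAC check that any policy engine already has, the second narrows the result by context and then by trust, so a high-trust session and a low-trust session see the same role assignments but a different decision for the same request.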
Verified by: Gdańsk University of Technology