Context-oriented security model for internet systems - Publication - Bridge of Knowledge

Context-oriented security model for internet systems (original title: Kontekstowo zorientowany model bezpieczeństwa systemów internetowych)

Abstract

The dissertation analyses service-oriented internet systems from the standpoint of security. It presents the author's universal security models CoRBAC and its extension TCoRBAC, which build on the traditional RBAC model. The analysis takes into account the broadly understood context in which the system operates as well as the system's level of trust in the user. A method is developed for determining two parameters: trust in the system (λ), which is identified with the security level (β), and system usability (ε). On the basis of the proposed models, representative security mechanisms consistent with the adopted security policy were implemented. The properties of these solutions were examined using both the models and experimental data. A noticeable increase in the security level (β) of a system using the CoRBAC and TCoRBAC models was demonstrated in comparison with the RBAC model. Moreover, this is achievable without a significant drop in system usability (ε). The security analysis can be performed on the basis of a risk analysis of the vulnerabilities detected by an external security audit, while usability can be assessed from an analysis of user action logs. The adopted solutions and their evaluation were carried out by examining the Moja PG system, which has been developed and used at Gdańsk University of Technology for more than 4 years.

Full text

Publication version: Accepted or Published Version
License: Copyright (Author(s))

Details

Category: Thesis, nostrification
Type: doctoral dissertation by staff employed at PG or by students of the doctoral programme
Language: Polish
Publication year: 2016
Bibliography:
  1. Figure 1 Four main directions of development of internet systems (p. 9)
  2. Figure 2 Relationship between the user's trust in the system and the security of the IT system (p. 10)
  3. Figure 3 Security aspects in the considered internet system (p. 18)
  4. Figure 4 Decomposition of the triple: system, security policy and threats, into the individual levels of detailed analysis (p. 20)
  5. Figure 5 Architecture of the considered internet system (p. 21)
  6. Figure 6 Models of externalised and centralised authentication and authorisation management: (a) traditional, (b) with externalised authentication, (c) with externalised authentication and permission management (p. 23)
  7. Figure 7 Relations in the RBAC model between: a) users (U) and roles (R), b) permissions (P) and roles (R), c) permissions (P) and operations/services (S) (p. 27)
  8. Figure 8 General topology of threats, vulnerabilities and the risk associated with them (p. 35)
  9. Figure 9 The process of "hardening" the security of an internet system (p. 36)
  10. Figure 10 Example fragment of the layered graph G(Vert, E) used to describe the security of a given internet system (p. 41)
  11. Figure 11 Scope of the context of user actions from the security perspective (p. 43)
  12. Figure 12 Logical architecture of a service-oriented system taking context into account (p. 44)
  13. Figure 13 Example fragment of the layered graph G'(Vert, E) taking context C into account, used to describe the security of a given system (p. 52)
  14. Figure 14 Example graph G'(Vert(c), E(c)) for the current context c2, c4, c5, c7, c8 according to Table 11 (p. 53)
  15. Figure 15 Example graph G'(Vert(c), E(c)) for the current context c3, c6, c9 according to Table 11 (p. 53)
  16. Figure 16 Example fragment of the generalised layered graph G''(Vert(c), E(c)) taking context c into account, used to describe the security of a given system (p. 54)
  17. Figure 17 Exponential growth of the context cardinality (a) and linear time of determining the current context (b) (p. 55)
  18. Figure 18 Example scenario of user actions within a single session, with the forced invocation of additional SMS code verification marked (p. 58)
  19. Figure 19 Example graph G'''(Vert(c,tl), E(c,tl)) for the TCoRBAC model (p. 60)
  20. Figure 20 Logical architecture of the security layer of an internet system, covering: a) authentication, b) two-stage access control (p. 61)
  21. Figure 21 Individual steps of two-stage access control in the CoRBAC model (p. 62)
  22. Figure 24 Specification of the basic modules of the IP 2 platform (p. 70)
  23. Figure 25 Simplified model of distribution and horizontal scaling of the individual elements of the IP 2 platform (p. 71)
  24. Figure 26 Topology of the detected vulnerabilities with their risk levels (p. 90)
  25. Figure 27 Access verification algorithm compliant with the TCoRBAC model for the given security mechanisms (p. 93)
Verified by:
Gdańsk University of Technology
