Title: 13. Vulnerabilities and Threats in Distributed Systems*
113. Vulnerabilities and Threatsin Distributed
Systems
- Prof. Bharat Bhargava
- Department of Computer Sciences and
- Center for Education and Research in Information
Assurance and Security (CERIAS ) - Purdue University
- www.cs.purdue.edu/people/bb
- In collaboration with
- Prof. Leszek Lilien
- Western Michigan University and CERIAS
- Supported in part by NSF grants IIS-0209059 and
IIS-0242840
2From Vulnerabilities to Losses
- Growing business losses due to vulnerabilities in
distributed systems - Identity theft in 2003 expected loss of 220
bln worldwide 300(!) annual growth rate
csoonline.com, 5/23/03 - Computer virus attacks in 2003 estimated loss
of 55 bln worldwide news.zdnet.com, 1/16/04 - Vulnerabilities occur in
- Hardware / Networks / Operating Systems / DB
systems / Applications - Loss chain
- Dormant vulnerabilities enable threats against
systems - Potential threats can materialize as (actual)
attacks - Successful attacks result in security breaches
- Security breaches cause losses
3Vulnerabilities and Threats
- Vulnerabilities and threats start the loss chain
- Best to deal with them first
- Deal with vulnerabilities
- Gather in metabases and notification systems info
on vulnerabilities and security incidents, then
disseminate it - Example vulnerability and incident metabases
- CVE (Mitre), ICAT (NIST), OSVDB (osvdb.com)
- Example vulnerability notification systems
- CERT (SEI-CMU), Cassandra (CERIAS-Purdue)
- Deal with threats
- Threat assessment procedures
- Specialized risk analysis using e.g.
vulnerability and incident info - Threat detection / threat avoidance / threat
tolerance
4Outline
- Vulnerabilities
- Threats
- Examples of Mechanisms to Reduce Vulnerabilities
and Threats - 3.1. Applying Reliability and Fault Tolerance
Principles to Security Research - 3.2. Fraud Countermeasure Mechanisms
5Vulnerabilities - Topics
- Models for Vulnerabilities
- Fraud Vulnerabilities
- Vulnerability Research Issues
6Models for Vulnerabilities (1)
- A vulnerability in security domain like a fault
in reliability domain - A flaw or a weakness in system security
procedures, design, implementation, or internal
controls - Can be accidentally triggered or intentionally
exploited, causing security breaches - Modeling vulnerabilities
- Analyzing vulnerability features
- Classifying vulnerabilities
- Building vulnerability taxonomies
- Providing formalized models
- System design should not let an adversary know
vulnerabilities unknown to the system owner
7Models for Vulnerabilities (2)
- Diverse models of vulnerabilities in the
literature - In various environments
- Under varied assumptions
- Examples follow
- Analysis of four common computer vulnerabilities
17 - Identifies their characteristics, the policies
violated by their exploitation, and the steps
needed for their eradication in future software
releases - Vulnerability lifecycle model applied to three
case studies 4 - Shows how systems remains vulnerable long after
security fixes - Vulnerability lifetime stages
- appears, discovered, disclosed, corrected,
publicized, disappears
8Models for Vulnerabilities (3)
- Model-based analysis to identify configuration
vulnerabilities 23 - Formal specification of desired security
properties - Abstract model of the system that captures its
security-related behaviors - Verification techniques to check whether the
abstract model satisfies the security properties - Kinds of vulnerabilities 3
- Operational
- E.g. an unexpected broken linkage in a
distributed database - Information-based
- E.g. unauthorized access (secrecy/privacy),
unauthorized modification (integrity), traffic
analysis (inference problem), and Byzantine input
9Models for Vulnerabilities (4)
- Not all vulnerabilities can be removed, some
shouldnt - Because
- Vulnerabilities create only a potential for
attacks - Some vulnerabilities cause no harm over entire
systems life cycle - Some known vulnerabilities must be tolerated
- Due to economic or technological limitations
- Removal of some vulnerabilities may reduce
usability - E.g., removing vulnerabilities by adding
passwords for each resource request lowers
usability - Some vulnerabilities are a side effect of a
legitimate system feature - E.g., the setuid UNIX command creates
vulnerabilities 14 - Need threat assessment to decide which
vulnerabilities to remove first
10Fraud Vulnerabilities (1)
- Fraud
- a deception deliberately practiced in order to
secure unfair or unlawful gain 2 - Examples
- Using somebody elses calling card number
- Unauthorized selling of customer lists to
telemarketers - (example of an overlap of fraud with privacy
breaches) - Fraud can make systems more vulnerable to
subsequent fraud - Need for protection mechanisms to avoid future
damage
11Fraud Vulnerabilities (2)
- Fraudsters 13
- Impersonators
- illegitimate users who steal resources from
victims - (for instance by taking over their accounts)
- Swindlers
- legitimate users who intentionally benefit from
the system or other users by deception - (for instance, by obtaining legitimate
telecommunications accounts and using them
without paying bills) - Fraud involves abuse of trust 12, 29
- Fraudster strives to present himself as
a trustworthy individual and friend - The more trust one places in others the more
vulnerable one becomes
12Vulnerability Research Issues (1)
- Analyze severity of a vulnerability and its
potential impact on an application - Qualitative impact analysis
- Expressed as a low/medium/high degree of
performance/availability degradation - Quantitative impact
- E.g., economic loss, measurable cascade effects,
time to recover - Provide procedures and methods for efficient
extraction of characteristics and properties of
known vulnerabilities - Analogous to understanding how faults occur
- Tools searching for known vulnerabilities in
metabases can not anticipate attacker behavior - Characteristics of high-risk vulnerabilities can
be learnt from the behavior of attackers, using
honeypots, etc.
13Vulnerability Research Issues (2)
- Construct comprehensive taxonomies of
vulnerabilities for different application areas - Medical systems may have critical privacy
vulnerabilities - Vulnerabilities in defense systems compromise
homeland security - Propose good taxonomies to facilitate both
prevention and elimination of vulnerabilities - Enhance metabases of vulnerabilities/incidents
- Reveals characteristics for preventing not only
identical but also similar vulnerabilities - Contributes to identification of related
vulnerabilities, including dangerous synergistic
ones - Good model for a set of synergistic
vulnerabilities can lead to uncovering gang
attack threats or incidents
14Vulnerability Research Issues (3)
- Provide models for vulnerabilities and their
contexts - The challenge how vulnerability in one context
propagates to another - If Dr. Smith is a high-risk driver, is he a
trustworthy doctor? - Different kinds of vulnerabilities emphasized in
different contexts - Devise quantitative lifecycle vulnerability
models for a given type of application or system - Exploit unique characteristics of vulnerabilities
application/system - In each lifecycle phase
- - determine most dangerous and common types of
vulnerabilities - - use knowledge of such types of vulnerabilities
to prevent them - Best defensive procedures adaptively selected
from a predefined set
15Vulnerability Research Issues (4)
- The lifecycle models helps solving a few problems
- Avoiding system vulnerabilities most efficiently
- By discovering eliminating them at design and
implementation stages - Evaluations/measurements of vulnerabilities at
each lifecycle stage - In system components / subsystems / of the system
as a whole - Assist in most efficient discovery of
vulnerabilities before they are exploited by an
attacker or a failure - Assist in most efficient elimination / masking of
vulnerabilities - (e.g. based on principles analogous to
fault-tolerance) - OR
- Keep an attacker unaware or uncertain of
important system parameters - (e.g., by using non-deterministic or deceptive
system behavior, increased component diversity,
or multiple lines of defense)
16Vulnerability Research Issues (5)
- Provide methods of assessing impact of
vulnerabilities on security in applications
systems - Create formal descriptions of the impact of
vulnerabilities - Develop quantitative vulnerability impact
evaluation methods - Use resulting ranking for threat/risk analysis
- Identify the fundamental design principles and
guidelines for dealing with system
vulnerabilities at each lifecycle stage - Propose best practices for reducing
vulnerabilities at all lifecycle stages (based on
the above principles and guidelines) - Develop interactive or fully automatic tools and
infrastructures encouraging or enforcing use of
these best practices - Other issues
- Investigate vulnerabilities in security
mechanisms themselves - Investigate vulnerabilities due to non-malicious
but threat-enabling uses of information 21
17Outline
- Vulnerabilities
- Threats
- Examples of Mechanisms to Reduce Vulnerabilities
and Threats - 3.1. Applying Reliability and Fault Tolerance
Principles to Security Research - 3.2. Fraud Countermeasure Mechanisms
18Threats - Topics
- Models of Threats
- Dealing with Threats
- Threat Avoidance
- Threat Tolerance
- Fraud Threat Detection for Threat Tolerance
- Fraud Threats
- Threat Research Issues
19Models of Threats
- Threats in security domain like errors in
reliability domain - Entities that can intentionally exploit or
inadvertently trigger specific system
vulnerabilities to cause security breaches 16,
27 - Attacks or accidents materialize threats
(changing them from potential to actual) - Attack - an intentional exploitation of
vulnerabilities - Accident - an inadvertent triggering of
vulnerabilities - Threat classifications 26
- Based on actions, we have
- threats of illegal access, threats of
destruction, threats of modification, and
threats of emulation - Based on consequences, we have
- threats of disclosure, threats of (illegal)
execution, threats of - misrepresentation, and threats of repudiation
20Dealing with Threats
- Dealing with threats
- Avoid (prevent) threats in systems
- Detect threats
- Eliminate threats
- Tolerate threats
- Deal with threats based on degree of risk
acceptable to application - Avoid/eliminate threats to human life
- Tolerate threats to noncritical or redundant
components
21Dealing with Threats Threat Avoidance (1)
- Design of threat avoidance techniques - analogous
to fault avoidance (in reliability) - Threat avoidance methods are frozen after system
deployment - Effective only against less sophisticated attacks
- Sophisticated attacks require adaptive schemes
for threat tolerance 20 - Attackers have motivation, resources, and the
whole system lifetime to discover its
vulnerabilities - Can discover holes in threat avoidance methods
22Dealing with Threats Threat Avoidance (2)
- Understanding threat sources
- Understand threats by humans, their motivation
and potential attack modes 27 - Understand threats due to system faults and
failures - Example design guidelines for preventing threats
- Model for secure protocols 15
- Formal models for analysis of authentication
protocols 25, 10 - Models for statistical databases to prevent data
disclosures 1
23Dealing with Threats Threat Tolerance
- Useful features of fault-tolerant approach
- Not concerned with each individual failure
- Dont spend all resources on dealing with
individual failures - Can ignore transient and non-catastrophic errors
and failures - Need analogous intrusion-tolerant approach
- Deal with lesser and common security breaches
- E.g. intrusion tolerance for database systems
3 - Phase 1 attack detection
- Optional (e.g., majority voting schemes dont
need detection) - Phases 2-5 damage confinement, damage
assessment, reconfiguration, continuation of
service - can be implicit (e.g., voting schemes follow the
same procedure whether attacked or not) - Phase 6 report attack
- to repair and fault treatment (to prevent
a recurrence of similar attacks)
24Dealing with Threats Fraud Threat Detection for
Threat Tolerance
- Fraud threat identification is needed
- Fraud detection systems
- Widely used in telecommunications, online
transactions, insurance - Effective systems use both fraud rules and
pattern analysis of user behavior - Challenge a very high false alarm rate
- Due to the skewed distribution of fraud
occurrences
25Fraud Threats
- Analyze salient features of fraud threats
- Some salient features of fraud threats 9
- Fraud is often a malicious opportunistic reaction
- Fraud escalation is a natural phenomenon
- Gang fraud can be especially damaging
- Gang fraudsters can cooperate in misdirecting
suspicion on others - Individuals/gangs planning fraud thrive in fuzzy
environments - Use fuzzy assignments of responsibilities to
participating entities - Powerful fraudsters create environments that
facilitate fraud - E.g. CEOs involved in insider trading
26Threat Research Issues (1)
- Analysis of known threats in context
- Identify (in metabases) known threats relevant
for the context - Find salient features of these threats and
associations between them - Threats can be associated also via their links to
related vulnerabilities - Infer threat features from features of
vulnerabilities related to them - Build a threat taxonomy for the considered
context - Propose qualitative and quantitative models of
threats in context - Including lifecycle threat models
- Define measures to determine threat levels
- Devise techniques for avoiding/tolerating threats
via unpredictability or non-determinism - Detecting known threats
- Discovering unknown threats
27Threat Research Issues (2)
- Develop quantitative threat models using
analogies to reliability models - E.g., rate threats or attacks using time and
effort random variables - Describe the distribution of their random
behavior - Mean Effort To security Failure (METF)
- Analogous to Mean Time To Failure (MTTF)
reliability measure - Mean Time To Patch and Mean Effort To Patch (new
security measures) - Analogous to Mean Time To Repair (MTTR)
reliability measure and METF security measure,
respectively - Propose evaluation methods for threat impacts
- Mere threat (a potential for attack) has its
impact - Consider threat properties direct damage,
indirect damage, recovery cost, prevention
overhead - Consider interaction with other threats and
defensive mechanisms
28Threat Research Issues (3)
- Invent algorithms, methods, and design guidelines
to reduce number and severity of threats - Consider injection of unpredictability or
uncertainty to reduce threats - E.g., reduce data transfer threats by sending
portions of critical data through different
routes - Investigate threats to security mechanisms
themselves - Study threat detection
- It might be needed for threat tolerance
- Includes investigation of fraud threat detection
29Products, Services and Research Programs for
Industry (1)
- There are numerous commercial products and
services, and some free products and services - Examples follow.
- Notation used below Product (Organization)
- Example vulnerability and incident metabases
- CVE (Mitre), ICAT (NIST), OSVDB (osvdb.com),
Apache Week Web Server (Red Hat), Cisco Secure
Encyclopedia (Cisco), DOVESComputer Security
Laboratory (UC Davis), DragonSoft Vulnerability
Database (DragonSoft Security Associates),
Secunia Security Advisories (Secunia),
SecurityFocus Vulnerability Database (Symantec),
SIOS (Yokogawa Electric Corp.),
Verletzbarkeits-Datenbank (scip AG), Vigil_at_nce
AQL (Alliance Qualité Logiciel) - Example vulnerability notification systems
- CERT (SEI-CMU), Cassandra (CERIAS-Purdue), ALTAIR
(esCERT-UPC), DeepSight Alert Services
(Symantec), Mandrake Linux Security Advisories
(MandrakeSoft) - Example other tools (1)
- Vulnerability Assessment Tools (for databases,
applications, web applications, etc.) - AppDetective (Application Security),
NeoScanner_at_ESM (Inzen), AuditPro for SQL Server
(Network Intelligence India Pvt. Ltd.), eTrust
Policy Compliance (Computer Associates),
Foresight (Cubico Solutions CC), IBM Tivoli Risk
Manager (IBM), Internet Scanner (Internet
Security Systems), NetIQ Vulnerability Manager
(NetIQ), N-Stealth (N-Stalker), QualysGuard
(Qualys), Retina Network Security Scannere (Eye
Digital Security), SAINT (SAINT Corp.), SARA
(Advanced Research Corp.), STAT-Scanner (Harris
Corp.), StillSecure VAM (StillSecure), Symantec
Vulnerability Assessment (Symantec) - Automated Scanning Tools, Vulnerability Scanners
- Automated Scanning (Beyond Security Ltd.),
ipLegion/intraLegion (EMAZE Networks), Managed
Vulnerability Assessment (LURHQ Corp.), Nessus
Security Scanner (The Nessus Project), NeVO
(Tenable Network Security)
30Products, Services and Research Programs for
Industry (2)
- Example other tools (2)
- Vulnerability und Penetration Testing
- Attack Tool Kit (Computec.ch), CORE IMPACT (Core
Security Technologies), LANPATROL (Network
Security Syst.) - Intrusion Detection System
- Cisco Secure IDS (Cisco), Cybervision Intrusion
Detection System (Venus Information Technology),
Dragon Sensor (Enterasys Networks), McAfee
IntruShield (IDSMcAfee), NetScreen-IDP (NetScreen
Technologies), Network Box Internet Threat
Protection Device (Network Box Corp.) - Threat Management Systems
- Symantec ManHunt (Symantec)
- Example services
- Vulnerability Scanning Services
- Netcraft Network Examination Service (Netcraft
Ltd.) - Vulnerability Assessment and Risk Analysis
Services - ActiveSentry (Intranode), Risk Analysis
Subscription Service (Strongbox Security),
SecuritySpace Security Audits (E-Soft), Westpoint
Enterprise Scan (Westpoint Ltd.) - Threat Notification
- TruSecure IntelliSHIELD Alert Manager (TruSecure
Corp.) - Pathches
- Software Security Updates (Microsoft)
- More on metabases/tools/services
http//www.cve.mitre.org/compatible/product.html
31Outline
- Vulnerabilities
- Threats
- Examples of Mechanisms to Reduce Vulnerabilities
and Threats - 3.1. Applying Reliability and Fault Tolerance
Principles to Security Research - 3.2. Fraud Countermeasure Mechanisms
32Applying Reliability Principlesto Security
Research (1)
- Apply the science and engineering from
Reliability to Security 6 - Analogies in basic notions 6, 7
- Fault vulnerability
- Error (enabled by a fault) threat (enabled by
a vulnerability) - Failure/crash (materializes a fault, consequence
of an error) - Security breach (materializes a vulnerability,
consequence of a threat) - Time - effort analogies 18
- time-to-failure distribution for accidental
failures - expended effort-to-breach distribution for
intentional security breaches - This is not a direct analogy it considers
important differences between Reliability and
Security - Most important intentional human factors in
Security
33Applying Reliability Principlesto Security
Research (2)
- Analogies from fault avoidance/tolerance 27
- Fault avoidance - threat avoidance
- Fault tolerance - threat tolerance (gracefully
adapts to threats that have materialized) - Maybe threat avoidance/tolerance should be named
vulnerability avoidance/tolerance - (to be consistent with the vulnerability -
fault analogy) - Analogy
- To deal with failures, build fault-tolerant
systems - To deal with security breaches, build
threat-tolerant systems
34Applying Reliability Principlesto Security
Research (3)
- Examples of solutions using fault tolerance
analogies - Voting and quorums
- To increase reliability - require a quorum of
voting replicas - To increase security - make forming voting
quorums more difficult - This is not a direct analogy but a kind of its
reversal - Checkpointing applied to intrusion detection
- To increase reliability use checkpoints to
bring system back to a reliable (e.g.,
transaction consistent) state - To increase security - use checkpoints to bring
system back to a secure state - Adaptability / self-healing
- Adapt to common and less severe security breaches
as we adapt to every-day and relatively benign
failures - Adapt to timing / severity / duration / extent
of a security breach
35Applying Reliability Principlesto Security
Research (4)
- Beware Reliability analogies are not always
helpful - Differences between seemingly identical notions
- E.g., system boundaries are less open for
Reliability than for Security - No simple analogies exist for intentional
security breaches arising from planted malicious
faults - In such cases, analogy of time (Reliability) to
effort (Security) is meaningless - E.g., sequential time vs. non-sequential effort
- E.g., long time duration vs. nearly
instantaneous effort - No simple analogies exist when attack efforts are
concentrated in time - As before, analogy of time to effort is
meaningless
36Outline
- Vulnerabilities
- Threats
- Examples of Mechanisms to Reduce Vulnerabilities
and Threats - 3.1. Applying Reliability and Fault Tolerance
Principles to Security Research - 3.2. Fraud Countermeasure Mechanisms
37Overview - Fraud Countermeasure Mechanisms (1)
- System monitors user behavior
- System decides whether users behavior qualifies
as fraudulent - Three types of fraudulent behavior identified
- Uncovered deceiving intention
- User misbehaves all the time
- Trapping intention
- User behaves well at first, then commits fraud
- Illusive intention
- User exhibits cyclic behavior longer periods of
proper behavior separated by shorter periods of
misbehavior
38Overview - Fraud Countermeasure Mechanisms (2)
- System architecture for swindler detection
- Profile-based anomaly detector
- Monitors suspicious actions searching for
identified fraudulent behavior patterns - State transition analysis
- Provides state description when an activity
results in entering a dangerous state - Deceiving intention predictor
- Discovers deceiving intention based on
satisfaction ratings - Decision making
- Decides whether to raise fraud alarm when
deceiving pattern is discovered
39Overview - Fraud Countermeasure Mechanisms (3)
- Performed experiments validated the architecture
- All three types of fraudulent behavior were
quickly detected - More details on Fraud Countermeasure Mechanisms
- available in the extended version of this
presentation - at www.cs.purdue.edu/people/bbcolloqia
40Summary
- Presented
- Vulnerabilities
- Threats
- Mechanisms to Reduce Vulnerabilities and Threats
- 3.1. Applying Reliability and Fault Tolerance
Principles to Security Research - 3.2. Using Trust in Role-based Access Control
- 3.3. Privacy-preserving Data Dissemination
- 3.4. Fraud Countermeasure Mechanisms
41Conclusions
- Exciting area of research
- 20 years of research in Reliability can form a
basis for vulnerability and threat studies in
Security - Need to quantify threats, risks, and potential
impacts on distributed applications. Do not be
terrorized and act scared - Adapt and use resources to deal with different
threat levels - Government, industry, and the public are
interested in progress in this research
42References (1)
- N.R. Adam and J.C. Wortmann, Security-Control
Methods for Statistical Databases A Comparative
Study, ACM Computing Surveys, Vol. 21, No. 4,
Dec. 1989. - The American Heritage Dictionary of the English
Language, Fourth Edition, Houghton Mifflin, 2000. - P. Ammann, S. Jajodia, and P. Liu, A Fault
Tolerance Approach to Survivability, in Computer
Security, Dependability, and Assurance From
Needs to Solutions, IEEE Computer Society Press,
Los Alamitos, CA, 1999. - W.A. Arbaugh, et al., Windows of Vulnerability
A Case Study Analysis, IEEE Computer, pp. 52-59,
Vol. 33 (12), Dec. 2000. - A. Avizienis, J.C. Laprie, and B. Randell,
Fundamental Concepts of Dependability, Research
Report N01145, LAAS-CNRS, Apr. 2001. - A. Bhargava and B. Bhargava, Applying
fault-tolerance principles to security research,
in Proc. of IEEE Symposium on Reliable
Distributed Systems, New Orleans, Oct. 2001. - B. Bhargava, Security in Mobile Networks, in
NSF Workshop on Context-Aware Mobile Database
Management (CAMM), Brown University, Jan. 2002. - B. Bhargava (ed.), Concurrency Control and
Reliability in Distributed Systems, Van Nostrand
Reinhold, 1987. - B. Bhargava, Vulnerabilities and Fraud in
Computing Systems, Proc. Intl. Conf. IPSI, Sv.
Stefan, Serbia and Montenegro, Oct. 2003. - B. Bhargava, S. Kamisetty and S. Madria,
Fault-tolerant authentication and group key
management in mobile computing, Intl. Conf. on
Internet Comp., Las Vegas, June 2000. - B. Bhargava and L. Lilien, Private and Trusted
Collaborations, Proc. Secure Knowledge
Management (SKM 2004) A Workshop, Amherst, NY,
Sep. 2004.
43References (2)
- B. Bhargava and Y. Zhong, Authorization Based on
Evidence and Trust, Proc. Intl. Conf. on Data
Warehousing and Knowledge Discovery DaWaK-2002,
Aix-en-Provence, France, Sep. 2002. - B. Bhargava, Y. Zhong, and Y. Lu, "Fraud
Formalization and Detection, Proc. Intl. Conf.
on Data Warehousing and Knowledge Discovery
DaWaK-2003, Prague, Czechia, Sep. 2003. - M. Dacier, Y. Deswarte, and M. Kaâniche,
Quantitative Assessment of Operational Security
Models and Tools, Technical Report, LAAS Report
96493, May 1996. - N. Heintze and J.D. Tygar, A Model for Secure
Protocols and Their Compositions, IEEE
Transactions on Software Engineering, Vol. 22,
No. 1, 1996, pp. 16-30. - E. Jonsson et al., On the Functional Relation
Between Security and Dependability Impairments,
Proc. 1999 Workshop on New Security Paradigms,
Sep. 1999, pp. 104-111. - I. Krsul, E.H. Spafford, and M. Tripunitara,
Computer Vulnerability Analysis, Technical
Report, COAST TR 98-07, Dept. of Computer
Sciences, Purdue University, 1998. - B. Littlewood at al., Towards Operational
Measures of Computer Security, Journal of
Computer Security, Vol. 2, 1993, pp. 211-229. - F. Maymir-Ducharme, P.C. Clements, K. Wallnau,
and R. W. Krut, The Unified Information Security
Architecture, Technical Report,
CMU/SEI-95-TR-015, Oct. 1995. - N.R. Mead, R.J. Ellison, R.C. Linger, T.
Longstaff, and J. McHugh, Survivable Network
Analysis Method, Tech. Rep. CMU/SEI-2000-TR-013,
Pittsburgh, PA, Sep. 2000. - C. Meadows, Applying the Dependability Paradigm
to Computer Security, Proc. Workshop on New
Security Paradigms, Sep. 1995, pp. 75-81.
44Reference (3)
- P.C. Meunier and E.H. Spafford, Running the free
vulnerability notification system Cassandra,
Proc. 14th Annual Computer Security Incident
Handling Conference, Hawaii, Jan. 2002. - C. R. Ramakrishnan and R. Sekar, Model-Based
Analysis of Configuration Vulnerabilities, Proc.
Second Intl. Workshop on Verification, Model
Checking, and Abstract Interpretation (VMCAI98),
Pisa, Italy, 2000. - B. Randell, Dependabilitya Unifying Concept,
in Computer Security, Dependability, and
Assurance From Needs to Solutions, IEEE Computer
Society Press, Los Alamitos, CA, 1999. - A.D. Rubin and P. Honeyman, Formal Methods for
the Analysis of Authentication Protocols, Tech.
Rep. 93-7, Dept. of Electrical Engineering and
Computer Science, University of Michigan, Nov.
1993. - G. Song et al., CERIAS Classic Vulnerability
Database User Manual, Technical Report 2000-17,
CERIAS, Purdue University, West Lafayette, IN,
2000. - G. Stoneburner, A. Goguen, and A. Feringa, Risk
Management Guide for Information Technology
Systems, NIST Special Publication 800-30,
Washington, DC, 2001. - M. Winslett et al., Negotiating trust on the
web, IEEE Internet Computing Spec. Issue on
Trust Management, 6(6), Nov. 2002. - Y. Zhong, Y. Lu, and B. Bhargava, Dynamic Trust
Production Based on Interaction Sequence, Tech.
Rep. CSD-TR 03-006, Dept. Comp. Sciences, Purdue
Univ., Mar.2003. - The extended version of this presentation
available at www.cs.purdue.edu/people/bbcolloqia
45Thank you!