DIRC PA6: Security and Privacy in Computer-Based Systems

1
DIRC PA6: Security and Privacy in Computer-Based Systems
  • Peter Ryan
  • School of Computing Science
  • University of Newcastle
  • Peter.Ryan_at_ncl.ac.uk

2
DIRC
  • Dependability Interdisciplinary Research
    Collaboration.
  • 6 year project, 5 institutions:
      • Newcastle
      • Edinburgh
      • City, London
      • York
      • Lancaster
  • www.dirc.org

3
DIRC
  • Take account of the socio-technical as well as
    technical factors influencing dependability.
  • Computer scientists, psychologists, sociologists,
    ethnographers
  • 9 Project Activities, 6: Security.
  • 5 themes: structure, diversity, timeliness,
    responsibility, risk.

4
PA6: Security
  • Security is an essential aspect of dependable,
    computer-based systems.
  • Many systems have top-level security requirements
    (e.g. medical informatics).
  • Others have to deal with security threats in
    order to dependably deliver their requirements
    (e.g. ATC).
  • Recognition of the vulnerability of critical
    infrastructures makes this work particularly
    timely.

5
Background
  • Hitherto, research in information assurance has
    tended to:
      • concentrate on technical failures and
        counter-measures.
      • aim for absolute security and assume prevention
        mechanisms are enough.
  • Security policies have mainly been about (binary)
    information flows, MLS, MAC etc.

6
DIRC/PA6 Approach
  • Recognise that:
  • Most security failures are due to, or at least
    facilitated by, human failures.
  • Security policies require a mix of technical and
    socio-technical enforcement mechanisms.
  • Systems will have vulnerabilities and intrusions
    will occur. Hence need a mix of prevention,
    containment, detection and recovery.
  • Need to deal with exceptions.
  • Need richer classes of policies, e.g. privacy.
  • Need to deal with evolving systems, requirements
    and threats.
  • Need measures of system robustness in the face of
    malicious threats.

7
Objectives
  1. Characterise security and privacy requirements in
    computer-based systems.
  2. Characterise socio-technical threats and
    vulnerabilities.
  3. Explore the theoretical and practical boundary
    between technical and socio-technical enforcement
    mechanisms.
  4. Develop models, techniques and tools to support
    design and assessment w.r.t. security
    requirements and threats. Trade-offs.
  5. Investigate the role of structure and diversity.
  6. Understand the role of intrusion detection and
    diagnosis.

8
Objective 2
  • Characterise the behaviours and failure modes of
    humans interacting with the system:
      • Users
      • Security officers
      • White hats, grey hats, hackers
      • Insiders
      • Designers, implementers etc.
  • Shaping factors (both sides):
      • Motivation
      • Competence
      • Rewards/losses
      • Complacency
      • Least effort
      • Stress
      • Risk perception

9
Case studies
  • Healthcare records
  • E-government
  • Financial sector
  • NATS
  • Dynamic coalitions
  • Distributed scientific computations (GRID).

10
Healthcare case study
  • Need to address:
      • Privacy (anonymity)
      • Integrity
      • Availability
      • Accountability
  • Conflicting interests of various stakeholders:
      • Patients
      • Clinicians
      • Researchers
      • Society
      • Administrators
      • Insurance
      • Law-enforcement

11
GRID Security
  • Excellent DIRC case study
  • Strongly interdisciplinary.
  • Complex, dynamic, heterogeneous user base (B
    Collins).
  • Also complex:
      • Security requirements
      • Threat models
      • Trust relationships
  • Is RBAC enough?
  • Legal and economic factors.

12
GRID Security
  • GRID is not a single well-defined entity.
  • Many different projects with different
    requirements, approaches etc.

13
Further interdisciplinary aspects
  • Trust
  • Responsibility
  • Delegation
  • Legal aspects
  • Economic aspects
  • Exceptions
  • Evolving systems, requirements and threats.

14
FP6 ESORICS Security NoE
  • Facilitate and stimulate cooperation and
    cross-fertilisation between the principal
    security experts in Europe.
  • To address the security and privacy challenges
    facing e-Europe in the 21st century.
  • To help put Europe at the forefront of research in
    security and privacy.
  • Address issues raised in, for example, the ISTAG
    report security for ambient spaces etc.

15
ESORICS
  • European Symposium On Research In Computer
    Security.
  • Premier European conference on security research.
  • European counterpart to IEEE Security and
    Privacy.
  • Gathers together many of the key European experts
    in security and privacy (and some non-EU).

16
Editorial Team
  • Peter Ryan, Newcastle UK
  • Yves Deswarte, LAAS Fr
  • Frederic Cuppens, ONERA Fr
  • Dieter Gollmann, MSR UK
  • Simon Foley, Cork Ir
  • Pierangela Samarati, Milan It
  • Elisa Bertino, Milan It
  • Bart Preneel, KU Leuven B
  • Fabio Martinelli, Milan It
  • Jean-Jacques Quisquater, UCL B
  • Katsikas Socrates, Aegean Gr
  • Steve Schneider, Royal Holloway UK
  • Refik Molva, Eurocom Fr

17
Structure
  • Foundations of Security and Trust
      • Formal methods for security analysis, Security
        models and policies, Information flow
        (non-interference), Cryptography
  • Security Mechanisms
      • Access control and authorization, Security
        protocol design and analysis, Secure Programming
        (languages, mobile code)
  • Security Architectures
      • Secure architectures, Security of middleware,
        Secure systems and devices (smartcards)
  • Communications and Distributed System Security
      • Secure Communications (mobile and fixed), Network
        Security (wireless and wireline), Intrusion
        Detection (forensics), Secure applications
        (e-business, e-vote, etc.)
  • Security Management
      • Privacy and Identity Management, Trust
        (Management), DRM

18
Activities
  • Research
  • Travel and exchanges
  • Education, training.
  • Studentships
  • Workshops
  • Standardisation
  • Dissemination, technology transfer.