Configuration Analytics and Automation (SAFECONFIG), 2011 4th Symposium on

Date Oct. 31 2011-Nov. 1 2011

  • A moving target environment for computer configurations using Genetic Algorithms

    Publication Year: 2011, Page(s):1 - 7
    Cited by:  Papers (3)

    Moving Target (MT) environments for computer systems provide security through diversity by changing various system properties that are explicitly defined in the computer configuration. Temporal diversity can be achieved by making periodic configuration changes; however in an infrastructure of multiple similarly purposed computers diversity must also be spatial, ensuring multiple computers do not s...
  • A software toolkit for visualizing enterprise routing design

    Publication Year: 2011, Page(s):1 - 8

    Routing design is widely considered as one of the most challenging parts of enterprise network design. The challenges come from the typical large scale of such networks, the diverse objectives to meet through design, and a wide variety of protocols and mechanisms to choose from. As a result network operators often find it difficult to understand and trouble-shoot the routing design of their networ...
  • AMIAnalyzer: Security analysis of AMI configurations

    Publication Year: 2011, Page(s):1 - 2

    The Advanced Metering Infrastructure (AMI) is comprising of heterogeneous cyber-physical components, which are interconnected through different communication media, protocols and secure tunnels, and operated using different security policies. The inherent complexity and heterogeneity in AMI significantly increase the potential of security threats due to misconfiguration or absence of defense, whic...
  • Captchæcker: Reconfigurable CAPTCHAs based on automated security and usability analysis

    Publication Year: 2011, Page(s):1 - 4

    CAPTCHAs have been deployed ubiquitously by web sites to combat automated malicious programs. Security against web bots and usability to legitimate users are two main goals that have to be simultaneously satisfied when designing a useful CAPTCHA scheme. However, there exists a well-known and intricate trade-off between these goals. So far, balancing this trade-off remains an art rather than a scie...
  • CloudChecker: An imperative framework for cloud configuration management

    Publication Year: 2011, Page(s): 1

    Summary form only given. Cloud computing became one of the major research areas recently. The interest in cloud computing increases day by day because of the features provided by cloud providers. Pay-as-you-go is one of these features that attract customers to adopt this idea. Another feature is providing different levels of services to the customers; Software, Platform, and Infrastructure as a Se...
  • ConfigChecker: A tool for comprehensive security configuration analytics

    Publication Year: 2011, Page(s):1 - 2
    Cited by:  Papers (3)

    Recent studies show that configurations of network access control is one of the most complex and error prone network management tasks. For this reason, network misconfiguration becomes the main source for network unreachability and vulnerability problems. In this paper, we present a novel approach that models the global end-to-end behavior of access control configurations of the entire network in...
  • Decision theoretic approach to detect anomalies beyond enterprise boundaries

    Publication Year: 2011, Page(s):1 - 9
    Cited by:  Papers (1)

    Many algorithms have been proposed in the last decade to detect traffic anomalies in enterprise networks. However, most of these algorithms cannot detect anomalies that occur beyond enterprise boundaries. Anomaly monitoring and detection on end-to-end Internet paths, although important for network operations, is challenging due to lack of access and control over intermediate network devices. In th...
  • Federated autonomic Network Access Control

    Publication Year: 2011, Page(s):1 - 2

    Network Access Controls (NAC) are widely used to provide endpoint security typically complementing existing application-based security controls. NAC security mechanisms, for instance firewalls, are routinely prescribed as requirements for compliance to security standards such as PCI-DSS and ISO 27000. However, the effectiveness of a NAC configuration may be hampered by poor understanding and/or ma...
  • Measuring firewall security

    Publication Year: 2011, Page(s):1 - 4

    In the recent years, more attention is given to firewalls as they are considered the corner stone in Cyber defense perimeters. The ability to measure the quality of protection of a firewall policy is a key step to assess the defense level for any network. To accomplish this task, it is important to define objective metrics that are formally provable and practically useful. In this work, we propose...
  • A dynamic configuration validation language

    Publication Year: 2011, Page(s):1 - 2

    Configuration validation is a crucial requirement for dynamic reconfiguration effectiveness. This short paper presents a validation-purpose configuration language which can be used to model a system's configuration reference model which includes structural and operational validity constraints.
  • A generic data flow security model

    Publication Year: 2011, Page(s):1 - 2
    Cited by:  Papers (1)

    Network security policy enforcement consists in configuring heterogeneous security mechanisms (IPsec gateways, ACLs on routers, stateful firewalls, proxies, etc) that are available in a given network environment. The complexity of this task resides in the number, the nature, and the interdependence of the mechanisms. We propose in this paper a formal data flow model focused on detecting multi-laye...
  • Preface

    Publication Year: 2011, Page(s): 1

    The complexity of Network and system configuration places a heavy burden on both regular users and experienced administrators and dramatically reduces overall network assurability and usability. For example, a December 2008 report from Center for Strategic and International Studies “Securing Cyberspace for the 44th Presidency” states that “inappropriate or incorrect security c...
  • Reasoning about the security configuration of SAN switch fabrics

    Publication Year: 2011, Page(s):1 - 8
    Cited by:  Papers (2)

    Management of a switch fabric security configuration, a core component of Storage Area Networks, is complex and error prone. As a consequence, misconfiguration of and/or a poor understanding of a switch fabric may unnecessarily expose an enterprise to known threats. A formal model of a switch security configuration is presented. This model is reasoned over to help manage complex switch fabric secu...
  • SCAP based configuration analytics for comprehensive compliance checking

    Publication Year: 2011, Page(s):1 - 8
    Cited by:  Papers (2)  |  Patents (2)

    Computing systems today have large number of security configuration settings that are designed to offer flexible and robust services. However, incorrect configuration increases the potential of vulnerability and attacks. Security Content Automation Protocol provides a unified mean to automate the process of checking the desktop system compliance using standard interfaces. However, misconfiguration...
  • Security considerations in data center configuration management

    Publication Year: 2011, Page(s):1 - 9

    Data centers need to manage a large amount of configuration information for a variety of computational, storage and networking assets at multiple levels (e.g., individual devices to entire data center). The increasingly sophisticated configuration management required to support virtualization significantly enhances chances of misconfigurations and exploitation by hackers that could impact data cen...
  • Automation for creating and configuring security manifests for hardware containers

    Publication Year: 2011, Page(s):1 - 2

    Hardware containers provide fine-grained memory access control to isolate memory regions and sandbox memory references between components of an application. A hardware reference monitor enforces a security manifest of memory access permissions for the currently executing component. In this paper we discuss how automation tools can help software developers to create the security manifest that confi...
  • SEGrapher: Visualization-based SELinux policy analysis

    Publication Year: 2011, Page(s):1 - 8

    Performing SELinux policy analyses can be difficult due to the complexity of the policy language and the sheer number of policy rules and attributes involved. For example, the default policy on most SELinux-enabled systems has over 1,500,000 flat rules, involving over 1,780 types. Simple analyses between types can result in a large amount of data, which is poorly presented to administrators in ...
  • Towards eliminating configuration errors in cyber infrastructure

    Publication Year: 2011, Page(s):1 - 2

    It is well-documented that configuration errors account for 50% to 80% of downtime and vulnerabilities in cyber infrastructure. The ConfigAssure suite of tools has been developed to help eliminate these errors. These tools are for requirement specification, configuration synthesis, diagnosis and repair, verification, reconfiguration planning and visualization. These tools are being made available ...
  • Vulnerability hierarchies in access control configurations

    Publication Year: 2011, Page(s):1 - 9
    Cited by:  Papers (1)

    This paper applies methods for analyzing fault hierarchies to the analysis of relationships among vulnerabilities in misconfigured access control rule structures. Hierarchies have been discovered previously for faults in arbitrary logic formulae [11,10,9,21], such that a test for one class of fault is guaranteed to detect other fault classes subsumed by the one tested, but access control policies ...