Abstract: The use of public-key cryptosystems (PKC) received considerable attention They are beneficial in encryption as well as signing which play an essential role in electronic banking and financial transactions Elliptic Curve Cryptography (ECC) is one of best public key techniques because of its small key size and high security Secure applications in smart cards present implementation challenges particular to the platform's memory, bandwidth, and computation constraints ECC's unique properties make it especially well suited to smart card applications ECC systems provide the highest strength per bit of any cryptosystem known today The paper presents a new method for smart card implementation of elliptic curves, explaining how ECC can not only significantly reduce the cost, but also accelerate the deployment of smart cards in new applications ECC permits reductions in key and certificate size that translate to smaller memory requirements (especially for EEPROM), which represent significant cost savings This added functionality can play an effective role in electronic payment and online banking technologies

Abstract: There has been significant interest in the area of keystroke analysis to support the authentication of users, and previous research has identified three discrete methods of application; static, periodic dynamic and continuous dynamic analysis. This paper summarises the approaches and metrics arising from previous work, and then proceeds to introduce a new variation, based upon application-specific keystroke analysis. The discussion also considers the use of keystroke analysis as a progressive, escalating response measure in the context of a comprehensive user authentication and supervision system, presenting an example of how this could be realised in practice.

Abstract: Electronic voting has been attracting the attention of governments and research groups with most work on the subject referring to the user requirements such a system should satisfy For several cases, though, requirement identification seldom goes further than a simple narrative description of a basic set of non-functional characteristics related to security On the other hand, governmental reports usually refer to requirements as the set of applicable laws pertaining a certain voting procedure Both sides seem to underestimate the fact that an electronic voting system is an information system with functional, as well as nonfunctional, requirements In this paper we apply the Rational Software Development Process for identifying and presenting the requirements an electronic voting system should meet The requirements are based on a generic voting model that has been developed having in mind the European Union member states legislation, the organisational details of currently applicable voting procedures and the opportunities offered and the constraints imposed by the state-of-the-art technology

Abstract: The competitiveness of the global marketplace means that organizations are relying increasingly on information to stay ahead. This information needs to be protected at all costs and the users play a huge role in the protection of this vital asset. All employees need to be educated in the procedures and controls that will secure the organization’s information and the most direct way to do this is by implementing a formal information security awareness program that addresses all aspects of information security awareness and caters for all types of users in the organization.

Abstract: WebCom is a distributed computing architecture that may be used to distribute application components for execution over a network. A practical trust management system for the WebCom architecture is described. KeyNote-based authorization credentials are used to determine whether a WebCom server is authorised to schedule, and whether a WebCom client is authorised to execute, mobile application components. Secure WebCom provides a meta-language for bringing together the components of a distributed application in such a way that the components need not concern themselves with security issues.

Abstract: A main problem for the detection of security violations in misuse detection systems is the manner how attack scenarios (signatures) are described. Attack languages are used to specify attack scenarios for misuse detection systems. Usually not only the attack signatures are described also some details controlling the detection process have to be noted. This is disadvantageous because it makes signature development more complicated and prone to errors. In this paper we propose an attack language for describing signatures without caring about the used detection techniques. The language further provides means to simplify the description of attack signatures.

Abstract: A wireless sensor network can be seen as a large number (hundreds of thousand) of small (a few cubic millimetres) devices, battery powered, with very limited hardware resources. Such a network has been studied specifically in the ad hoc model, where the sensors autonomously set up a network infrastructure. We propose here an extension to the current wireless ad hoc sensor network (WSN) model (in particular the base station model), by introducing a Supervisor which has very few interactions with the network, it is mobile in itself, it could have more powerful hardware and it is asynchronous with respect to the sensors. Nevertheless, the Supervisor has to interact with the sensor network, for example to invoke the command to exclude from the network a selected sensor. We believe such a model is particularly suitable for, but not limited to, military applications. We then propose a distributed, cooperative, parallel algorithm for this model that assures the following properties: it enforces both the secure exclusion of a selected compromised sensor from the network and the rekeying of the remaining sensors. It has an overall low overhead both in terms of computation and required transmitted messages. It is scalable, since the algorithm requires only limited, local knowledge of the network topology. Finally, it can be adopted, as an independent layer, to enforce secure exclusion in other models.

Abstract: Due to the overwhelming complexity in establishing and maintaining a secure organizational framework, it is essential that various Information Security Management elements be tightly integrated to form a well planned methodology. However, organizations often do not have the necessary expertise or resources to follow such a detailed methodology. This paper introduces a software tool that can automate the phases comprising the Information Security Management Methodology.

Abstract: The event-driven model is a model commonly used in the implementation of systems such as the Graphical User Interface (GUI). While it offers important advantages over alternative choices, it often exhibits security vulnerabilities due to its architectural characteristics in the handling of events. In this paper we examine the security vulnerabilities of event-driven systems and define the conditions that produce them. We show that a substantial number of these vulnerabilities follow the same principles with buffer overrun vulnerabilities and finally we provide countermeasures.

Abstract: This paper proposes a multiple model approach for detection and estimation of contact transitions in forced controlled robots

Abstract: There is a significant gap between the stated objectives of organizational security found in corporate security policy and the audit configuration of event logs present on IT systems. Audit configuration has always been a bottom-up process. As a result, the design and implementation of audit configurations is often constrained by the audit management interface that often models operating system structures rather than real world behavior. This paper argues for a top-down approach in the establishment of IT audit policies and practices. We propose that management should develop an organization wide audit policy that will set mandatory audit directives and ensures that the audit configuration reflects the needs of the organization as defined in the security policy.

Abstract: Although denial of service attack has been becoming a fast-growing concern in security research, previous work focused on a type of classical denial of service caused by resource exhaustion In this paper, a different type of network denial of service attack is discussed Since traditional models and countermeasures are not applicable, we discuss solutions that can defend this non-classical service denial attack

Abstract: Computer security is now recognised as an important consideration in modern business, with a variety of guidelines and standards currently available to enable different business environments to be properly protected. However, financial and operational constraints often exist which influence the practicality of these recommendations. New baseline security methods such as Australian and New Zealand Standard (AS/NZS) 4444 and British Standard (BS) 7799 represent minimal standards which organisations can use to improve their security. The aim of the paper is to look at the effectiveness of baseline security standards through the use of an evaluation criteria, which assesses their effectiveness.

Abstract: The paper presents some secure optical network models. The security of the models is achieved using quantum cryptographic-key distribution. Both point-topoint and multiple-access broadcast networks are considered. In the modeling of these networks, the simplicity, generality and flexibility are highly maintained. This enables the efficient use of these models for software simulation purposes. Each secure optical communication network model is assumed to be composed of N communication nodes (stations) that are connected by fiber-optic links. Some hardware requirements are briefly explained. Also, samples of simulation results for these network models are presented.

Abstract: This paper presents Policap — a Policy Service for distributed applications that use CORBA security model. Policap was proposed for insertion in the JaCoWeb Project context, which is developing an authorization scheme for large-scale networks based on CORBA security standards. The contribution of this paper is the combination of client-side and server-side access control, in a single domain. In this paper, operations of security management not currently included in the OMG standards are also proposed. The paper further presents the implementation results obtained and an evaluation of these results based on Common Criteria, ISO standard 15408.

Abstract: Information Systems security evaluation is a sine qua non requirement for effective IT security management, as well as for establishing trust among different but cooperating business partners. This paper initially provides a critical review of traditionally applied evaluation and certification schemes. Based upon this review, the paper stresses the need for an approach that is quantitative in nature and can address the problem of IS operational security. Then, such an approach is presented, mainly based on an existing complex of models (CEISOQ) for evaluating IS operation quality. It is argued that there are certain benefits if this approach is applied in combination with the traditional qualitative ones.

Abstract: This paper presents a security incident data model. The model uses many of the existing security incident taxonomies to organise its security incident related information. Where characteristic of incidents is not covered by existing taxonomies some progress has been made in developing one. The proposed structure stores both management and technical information. Indication of further development for the presented core structure has also been given.

Abstract: The use of computers is becoming increasingly more important in everyday life, not only in the work environment, but also in domestic environments. As computer usage increases, so do the things that can go wrong. The Internet has opened up many new ways of communication — sending documents and other personal information via email for whatever reason. Not all users are information security experts, but also require assurance that they can trust the computer. Human computer interaction (HCI) should be as secure and productive as possible. An investigation into currently available HCI research results, literature and efforts from product suppliers revealed that almost no attention is given to the information security aspects during the design and development of human computer interfaces for IT-products. The purpose of this paper is to highlight the usability of security features in software used on a daily basis.

Abstract: Computer viruses pose an increasing risk to computer data integrity. They cause loss of valuable data and require an enormous effort in restoration/duplication of lost and damaged data. Each month many new viruses are reported. As the problem of viruses increases, we need to detect them and to eradicate them. This paper provides a brief introduction to computer viruses and points to the emergence of more intelligent and targeted viruses. Existing methods of virus detection are discussed. A method for the detection and removal of a macro virus called “SK virus” is described. This is achieved through the development of a scanner written in Visual Basic.

Abstract: Information systems development practices often require trade offs between make-or-buy decisions. Contemporary practices tend along the 'buy' maxim, resulting in systems that are largely depended on commodity IT facilities. Such systems development however introduces new security problems. New ways of addressing and resolving security hazards, early within the development lifecycle, must therefore be introduced in the systems development field. To do so, we need to properly associate the existing development context with suitable concepts that introduce security within it. In this paper we address the challenges arising by new forms of systems development and describe the factors that are most likely to be taken under consideration for securing the system under development.

Abstract: The electronic ticket issuing system for cellular phones is described in this paper. The system has strong security for commercial use and has flexibility to support any cellular phone and PDA. A cellular phone needs no adding hardware module. A user can deal with everything related with a ticket such as issue, payment and showing with his cellular phone. A user accesses to the ticket issuing server to get a ticket and shows that ticket holding his cellular phone to the ticket reader at an entrance gate. 3-D pattern is used in order to show a ticket, and its recognition is free from tilt, rotation and moving of a cellular phone during reading. This electronic ticket issuing system can be used for concert ticket, train ticket, etc. This system allows reentrance, and still more, this ticket can be used as a coupon ticket that is used any number of times.

Abstract: Mobile policies provide a flexible framework for enforcing access controls in distributed applications. But what happens when a mobile policy needs to be modified or certain permissions from a policy have to be revoked? Since a mobile policy is attached to the data and travels with the data over the network, it can be tricky to propagate any changes to the policy. In addition, real-world constraints affect the formulation of the problem and imply a variety of propagation algorithms. In this paper, we propose different approaches for propagating modifications to mobile policies consistent with these constraints.

Abstract: In this article we will regard different kinds of electronic contracts and analyze them as to their special security requirements. We will use a goal-oriented method to derive appropriate security safeguards for the different contract types and discuss implementation issues for agent-based contracting systems.

Abstract: The usefulness of data largely depends on its correctness, which is determined by the extent to which the data reflects the real-world and universe of discourse. Since the real world is constantly changing, it follows that data must constantly be changed. Since an integrity violation could occur when information is wrongfully changed, changes should only be entrusted to trustworthy users. The changes must, furthermore, occur according to business rules. This type of control falls within the domain of an access control service. This paper investigates activities involved to enforce semantic integrity in relational database environments, particularly those where access is controlled according to a role-based paradigm.

Abstract: The rapid growth of the Internet increases the importance of connecting to existing databases. The Web, with all its versatility, is putting database security to the test. Access to web-enabled databases containing sensitive information such as credit card numbers must be made available only to those who need it. The focus of this paper is to shed some light on how databases can be used in a secure manner when connecting to the World Wide Web, by investigating the application of current state-of-the-art database security services.

Abstract: Observing network traffic is necessary for achieving different purposes such as system performance, network debugging and/or information security Observations, as such, are obtained from low-level monitors that may record a large volume of relevant and irrelevant events Thus adequate filters are needed to pass interesting information only

Abstract: Mobile Internet environments will offer a whole new range of services that might revolutionize our way of life However, with these new technologies and services new risks to the user’s privacy arise, and both legal and technical privacy safeguards are needed to protect the user This paper discusses privacy and privacy risks in the mobile Internet and presents the result of the PiMI prototype project, in which one browser built-in, and one proxy-based P3P user agent for mobile Internet environments have been developed The PiMI prototype enhances the users’ control over the dissemination of user and user device related information and thus protects their right for informational self determination