Tutorials

The following tutorials will be offered at ICISS 2007:

Recent Advances in Role Based Access Control, Shamik Sural (IIT Kharagpur, India)

Abstract

Access control models are of prime interest in computer security: they are meant to express the complex access control requirements that arise when protecting resources in the real world. In this respect, the Role Based Access Control (RBAC) model has been found to be quite useful and has drawn a lot of research interest over the last fifteen years. The main advantage of RBAC is the organizing power of roles. Roles are considered to be inherently natural, each expressing a single unit of job function in an organization, and permissions are attached to roles rather than directly to users.
In this tutorial, we will introduce the basic RBAC model, including constraints, role hierarchies and administrative functions. We will then review some of the constraint specification languages and show how time-tested security properties such as Separation of Duty and Delegation can be handled in RBAC. Recently, some approaches to RBAC safety analysis (deciding whether a given configuration, together with its administrative rules, can ever let a user obtain a permission that policy forbids) have been suggested; these will be briefly presented.
Traditional RBAC treats both user-to-role and role-to-permission assignments as static with respect to space and time. In this tutorial, we will study approaches that take the space- and time-varying nature of access control into account. In Temporal RBAC (TRBAC), roles are enabled and disabled on the basis of periodic time intervals. Spatial RBAC (SRBAC) is a model that provides location-based services in wireless networks; there, the role-to-permission assignment is a relation over roles, permissions and locations (a subset of the Cartesian product of the role set, the permission set and the location set), so a role holds a permission only at designated locations. GEO-RBAC is another approach to location-aware access control: roles in this model have a spatial extent, which defines the region within which a role stays activated.
During the last few years, attempts have been made to use both space and time coordinates together to control access. The spatio-temporal context can be that of the subject making the request as well as that of the object being accessed, especially when the subject or the object is mobile. We will conclude the tutorial by discussing such spatio-temporal RBAC models and giving some directions for future research in this immensely exciting and challenging field.
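As an added illustration of the concepts listed above (this is editorial example code, not material from the tutorial or its presenter), the following Python snippet implements a minimal RBAC engine with a role hierarchy, a static separation of duty constraint enforced by the administrative assignment function, and TRBAC-style periodic role enabling. The organisation, roles, users, permissions and time windows are all made up; in particular, the choice that an inherited permission is usable only while both the activated senior role and the junior role that carries the permission are enabled is a design decision of this example.

```python
"""Toy RBAC engine: hierarchy, static separation of duty (SSoD), periodic
role enabling (TRBAC style).  Hypothetical organisation; all data is invented."""
from datetime import datetime, time

# Role hierarchy: senior role -> junior roles whose permissions it inherits.
JUNIORS = {"manager": {"clerk"}, "clerk": set(), "auditor": set()}

# Permission assignment: permissions are attached to roles, not to users.
ROLE_PERMS = {
    "clerk": {"create_invoice"},
    "manager": {"approve_invoice"},
    "auditor": {"read_ledger"},
}

# User-to-role assignment (mutated by the administrative function below).
USER_ROLES = {"alice": {"clerk"}, "bob": {"manager"}, "carol": {"auditor"}}

# Static SoD constraints as (role set, n): no user may be authorised for
# n or more roles of the set, counting roles reached through the hierarchy.
SSOD = [({"manager", "auditor"}, 2)]

# TRBAC-style periodic enabling: role -> daily window in which it may be
# activated.  Roles without a window are always enabled.
ROLE_WINDOWS = {"clerk": (time(9, 0), time(17, 0))}


def effective_roles(role):
    """The role itself plus every junior reachable through the hierarchy."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(JUNIORS.get(r, ()))
    return seen


def authorised_roles(roles):
    """All roles a user holding `roles` is authorised for (hierarchy included)."""
    return set().union(*(effective_roles(r) for r in roles))


def permissions_of(user):
    """Every permission the user can obtain through some assigned role."""
    perms = set()
    for r in authorised_roles(USER_ROLES.get(user, set())):
        perms |= ROLE_PERMS.get(r, set())
    return perms


def violates_ssod(roles):
    auth = authorised_roles(roles)
    return any(len(auth & role_set) >= n for role_set, n in SSOD)


def assign_role(user, role):
    """Administrative function: refuse assignments that would break SSoD."""
    candidate = USER_ROLES.get(user, set()) | {role}
    if violates_ssod(candidate):
        return False
    USER_ROLES[user] = candidate
    return True


def role_enabled(role, now):
    """Periodic enabling: is the role enabled at wall-clock time `now`?"""
    window = ROLE_WINDOWS.get(role)
    if window is None:
        return True
    start, end = window
    return start <= now.time() < end


def can(user, perm, now):
    """Access check at time `now`.  Design choice of this example: the
    activated role and the junior role carrying the permission must both
    be enabled."""
    for r in USER_ROLES.get(user, set()):
        if not role_enabled(r, now):
            continue
        for e in effective_roles(r):
            if perm in ROLE_PERMS.get(e, set()) and role_enabled(e, now):
                return True
    return False


if __name__ == "__main__":
    at_ten, at_eight_pm = datetime(2007, 12, 17, 10, 0), datetime(2007, 12, 17, 20, 0)
    print("bob's permissions:", sorted(permissions_of("bob")))
    print("carol as manager (SSoD):", assign_role("carol", "manager"))
    print("alice creates invoice at 10:00:", can("alice", "create_invoice", at_ten))
    print("alice creates invoice at 20:00:", can("alice", "create_invoice", at_eight_pm))
```

The SSoD check counts roles reached through the hierarchy, so a constraint on a junior role also blocks assigning a senior role that inherits it; this is the property that a purely syntactic check on the assigned role set would miss.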

Biography

Shamik Sural is an Associate Professor at the School of Information Technology, IIT Kharagpur, India. He received the B.E. degree in Electronics & Tele-communication Engineering from Jadavpur University, Calcutta, India, in 1990, the M.E. in Electrical Communication Engineering from the Indian Institute of Science, Bangalore, India, in 1992 and the Ph.D. degree from Jadavpur University in 2000. Before joining IIT, he held technical and managerial positions in a number of organizations, both in India and in the USA.
Shamik has served on the Program Committee and Executive Committee of a number of international conferences including International Conference on Information Systems Security, International Database Engineering and Applications Symposium, IEEE Conference on Fuzzy Systems, Asian Mobile Computing Conference, International Workshop on Distributed Computing and others. His research work has been funded by the Ministry of Communication and Information Technology, Department of Science and Technology, Govt. of India and the National Semiconductor Corporation, USA.
He is a senior member of the IEEE and served as Chairman of the IEEE Kharagpur Section in 2006. He has published more than seventy research papers in reputed international journals and conferences. His primary research interests include database security, data mining and multimedia database systems. He can be reached at shamik@sit.iitkgp.ernet.in. For further information, please visit: http://www.facweb.iitkgp.ernet.in/~shamik.

Web Application: Security Threats and Challenges, Poonam Rani Gupta (CDAC, Noida, India) and P. Govind Raj (CDAC, India)

Abstract

The World Wide Web is growing at a very fast pace, both in the number of web servers and in the purposes it serves. From a platform for sharing information it has become a platform for hosting applications. This trend will continue as Web 2.0 becomes more widespread, and in the era of the Semantic Web the web will host even more intelligent applications. Although the web provides a lot of convenience, that convenience comes with an equal share of risk: loss of confidentiality, integrity and availability of information, identity theft and denial of service are some of the additional risks that come with it.
Many solutions for network security, such as firewalls, IDS, vulnerability scanners, patches and hardening guides, VPNs, etc., do exist. Security controls such as ACLs, buffer overflow guards, the principle of least privilege, and security libraries and frameworks are available for traditional software. For the web there are not yet enough security controls, as it is still an evolving medium for many applications.
A major cause of insecure web applications is that web application developers are usually not trained on security issues, and most security personnel are not web application developers. Web application developers are trained to convert functional specifications into deployable web applications, whereas security personnel are trained to configure firewalls, IDS, etc.
Through this tutorial we intend to make web application developers aware of the various security issues involved in web application development. Topics covered will include an overview of web-based applications and their security issues, and a demonstration of various attacks using WebScarab.
Participants will gain a basic understanding of the principles of performing a penetration test on a web application, and will learn about the different types of attacks that can be performed against a web-based application. The session will be interactive: participants will be shown how to attack, and then secure, an insecure demo web application.

Biography

Dr. P.R. Gupta has more than 20 years of experience in academics and research. She has an M.Tech from IIT Delhi and a Ph.D. in Computer Science & Engineering from KNIT, Sultanpur. Presently she is working as an Associate Professor at CDAC, Noida. Her research interests include ubiquitous computing, artificial intelligence, information security, open source systems, e-governance and IPR issues. A localized live CD version of Linux, named Abhigyan, has been developed by her team for Hindi, Bengali, Tamil and Punjabi. Her group is also working on developing tools for training physically challenged people.

Mr. P. Govind Raj is working as a project engineer at CDAC, Noida. His research interests include ubiquitous computing, e-security and open source systems. He has been involved in the development of ABHIGYAN, a live CD version of Linux with Indian language support.

Application of Data Mining Techniques for Computer Security, Jaideep Srivastava (University of Minnesota, USA)

Abstract

Today computers control power, oil and gas delivery, communication systems, transportation networks, banking and financial services, and many other infrastructure services critical to the functioning of our society. However, as the cost of information processing and Internet access falls, more and more organizations are becoming vulnerable to a wide variety of cyber threats. According to CERT/CC (the Computer Emergency Response Team/Coordination Center), the rate of cyber attacks has been more than doubling every year for some time. It has become increasingly important to make our information systems, especially those used for critical functions in the military and commercial sectors, resistant to and tolerant of such attacks.
Intrusion detection, as a special form of cyber threat analysis, consists of identifying malicious actions that compromise the integrity, confidentiality or availability of information resources. Traditional methods for intrusion detection are based on extensive knowledge of the signatures of known attacks. The signature database has to be revised manually for each new type of intrusion that is discovered. A significant limitation of signature-based methods is that they cannot detect emerging cyber threats, since by their very nature these are launched using previously unknown attacks. These limitations have led to increasing interest in intrusion detection techniques based on data mining, and the tremendous increase in novel cyber attacks has made such techniques extremely useful. They generally fall into one of two categories: misuse detection and anomaly detection. In misuse detection, each instance in a data set is labeled as 'normal' or 'attack/intrusion' and a learning algorithm is trained over the labeled data.
However, standard data mining techniques are not directly applicable, because of issues including (i) skewed class distributions (attacks/intrusions form a class of interest that is much smaller, i.e. rarer, than the class representing normal behavior, so plain accuracy rewards a classifier that simply predicts 'normal' for everything) and (ii) learning from data streams (attacks/intrusions very often consist of sequences of events). Anomaly detection, on the other hand, builds models of normal behavior and automatically detects new types of intrusions as deviations from normal usage. Generalizing from our experience in intrusion detection, we show that the ability to detect 'rare events' and 'anomalies' in very large volumes of data, with a very high degree of precision, and often in real time, is needed in many application domains. These include transaction fraud in the financial and e-commerce domains, claims fraud and off-prescription drug usage in the medical domain, audit selection for income and sales tax, alarms from home and industrial security systems, and health monitoring of vehicles both airborne and on the road. Drawing upon our experience from collaborative projects in all of these areas, we show how research in data mining for security informatics can have a much broader impact. Our goal is to initiate a two-way dialogue between the security community and these other areas.
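As an added illustration of the two points made above (editorial example code, not material from the tutorial or its presenter), the following Python snippet builds a model of normal behavior from a constructed window of connection records, flags deviations from it as anomalies, and then scores the detector against a labeled set in which attacks are a small minority. The records, the features (log of bytes sent, session duration, destination port) and the z-score threshold are all invented for the example; the evaluation shows why accuracy alone is misleading on skewed data and why precision and recall are the figures to report.

```python
"""Anomaly detection over constructed connection records, with an evaluation
that exposes the skewed-class problem.  Records and thresholds are invented."""
import math
from statistics import mean, pstdev

# Constructed records: (dst_port, bytes_out, duration_s).  Not real traffic.
BASELINE = [  # a window an analyst has vouched for as normal (unlabeled)
    (80, 800, 0.4), (443, 1200, 0.6), (80, 1500, 0.3), (443, 2000, 1.2),
    (443, 2500, 0.9), (80, 3000, 0.5), (80, 1100, 0.7), (443, 1800, 1.5),
]

# Labeled evaluation set; labels are used only for scoring, never for training.
LABELLED = [
    ((443, 1000, 0.5), "normal"), ((80, 1400, 0.8), "normal"),
    ((443, 2200, 1.1), "normal"), ((80, 2800, 0.4), "normal"),
    ((443, 1600, 0.9), "normal"), ((80, 900, 0.3), "normal"),
    ((443, 2000, 1.4), "normal"), ((80, 1300, 0.6), "normal"),
    ((443, 2600, 0.7), "normal"),
    ((443, 8000, 0.8), "normal"),      # legitimate but unusually large transfer
    ((443, 950000, 0.3), "attack"),    # bulk outbound transfer, never seen in baseline
    ((4444, 2000, 90.0), "attack"),    # unseen port and a very long-lived session
]


def features(rec):
    """Numeric feature vector: log-scaled bytes and raw duration."""
    _port, nbytes, duration = rec
    return [math.log1p(nbytes), duration]


class AnomalyModel:
    """Model of normal behavior: per-feature mean/std plus the set of ports
    seen in the baseline.  A record is anomalous if any feature lies more
    than `threshold` standard deviations from the baseline mean, or if it
    uses a port the baseline never contained."""

    def __init__(self, baseline, threshold=3.0):
        columns = list(zip(*(features(r) for r in baseline)))
        self.mu = [mean(c) for c in columns]
        self.sigma = [pstdev(c) or 1e-9 for c in columns]  # guard constant features
        self.known_ports = {r[0] for r in baseline}
        self.threshold = threshold

    def score(self, rec):
        z = [abs(x - m) / s for x, m, s in zip(features(rec), self.mu, self.sigma)]
        return max(z)

    def is_anomaly(self, rec):
        return rec[0] not in self.known_ports or self.score(rec) > self.threshold


def majority_classifier(_rec):
    """The degenerate misuse detector: always predicts the majority class."""
    return False


def evaluate(predict, labelled):
    """Return (accuracy, precision, recall) of a boolean predictor."""
    tp = fp = fn = tn = 0
    for rec, label in labelled:
        flagged, is_attack = predict(rec), label == "attack"
        if flagged and is_attack:
            tp += 1
        elif flagged:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    accuracy = (tp + tn) / len(labelled)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return accuracy, precision, recall


if __name__ == "__main__":
    model = AnomalyModel(BASELINE)
    print("anomaly model  acc/prec/rec:", evaluate(model.is_anomaly, LABELLED))
    print("always-normal  acc/prec/rec:", evaluate(majority_classifier, LABELLED))
```

On this data the always-normal classifier reaches 83% accuracy with zero recall, while the anomaly model catches both attacks it has never seen and pays for it with one false positive on the large legitimate transfer; that trade-off between recall and precision, not accuracy, is what a skewed detection problem is really about.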

Biography

Jaideep Srivastava is a professor at the University of Minnesota, where he has established and led a research laboratory that conducts research in the information and knowledge aspects of computing. He has supervised 24 Ph.D. dissertations and 50 M.S. theses, and authored or co-authored over 200 papers in refereed journals and conferences. Dr. Srivastava has served on the editorial boards of various journals, including IEEE TPDS, IEEE TKDE, and the VLDB Journal. He has also served as Program and Conference Chair for a number of prominent conferences, especially in the area of data mining, and is on the Steering Committee for the PAKDD series of conferences. He has delivered a number of keynote addresses, plenary talks, and invited tutorials at major conferences. Dr. Srivastava has very active interaction with industry, in both consulting and executive roles. Specifically, during a 2-year sabbatical in 1999-2001, he led a corporate data mining team at Amazon.com (www.amazon.com) and built a data analytics department at Yodlee (www.yodlee.com) from the ground up. More recently, he spent two years as the Chief Technology Officer for Persistent Systems (http://en.wikipedia.org/wiki/Persistent_Systems), where he helped organize an R&D division with a number of Centers of Excellence. In addition, he oversaw the redesign of the training and technical vitalization program for 2,200+ engineers. He has provided technology and technology strategy advice to a number of large corporations including Cargill, United Technologies, IBM, Honeywell, 3M, and Eaton. He has served in an advisory capacity to a number of small companies, including Lancet Software and Infobionics. Dr. Srivastava has also played an active advisory role in the government sector. Specifically, he has served as the US federal government's expert witness in a nationally significant tax case.
He has served as Senior Technology Advisor to the State of Minnesota, and is on the Technology Advisory Council to the Chief Minister of Maharashtra, India. Dr. Srivastava has a PhD from the University of California, Berkeley, and a bachelor's degree in computer science from IIT Kanpur, India. He is a Fellow of the IEEE.