SwePub

Result list for search ""information security" ;lar1:(ri)"


  • Results 1-7 of 7
1.
  • Johnson, Pontus, et al. (author)
  • Can the Common Vulnerability Scoring System be Trusted? : A Bayesian Analysis
  • 2018
  • In: IEEE Transactions on Dependable and Secure Computing. - : IEEE Press. - 1545-5971 .- 1941-0018. ; 15:6, pp. 1002-1015
  • Journal article (peer-reviewed), abstract
    • The Common Vulnerability Scoring System (CVSS) is the state-of-the-art system for assessing software vulnerabilities. However, it has been criticized for lack of validity and practitioner relevance. In this paper, the credibility of the CVSS scoring data found in five leading databases – NVD, X-Force, OSVDB, CERT-VN, and Cisco – is assessed. A Bayesian method is used to infer the most probable true values underlying the imperfect assessments of the databases, thus circumventing the problem that ground truth is not known. It is concluded that with the exception of a few dimensions, the CVSS is quite trustworthy. The databases are relatively consistent, but some are better than others. The expected accuracy of each database for a given dimension can be found by marginalizing confusion matrices. By this measure, NVD is the best and OSVDB is the worst of the assessed databases.
2.
  • Nawaz, Omer, et al. (author)
  • Secure Mobile Social Networks using USIM in a Closed Environment
  • 2012. - 13
  • In: 7th International Conference for Internet Technology and Secured Transactions. - London : IEEE. - 9781908320087 ; , pp. 439-446
  • Conference paper (peer-reviewed), abstract
    • Online social networking and corresponding mobile based applications are gaining popularity and are now considered a well-integrated service within mobile devices. Basic security mechanisms normally based on passwords for the authentication of social-network users are widely deployed and pose a threat for the user security. In particular, for dedicated social groups with high confidentiality and privacy demands, stronger and user friendly principles for the authentication and identification of group members are needed. On the other hand, most of the mobile units already provide strong authentication procedures through the USIM/ISIM module. This paper explores how to build an architectural framework for secure enrollment and identification of group members in dedicated closed social groups using the USIM/SIM authentication and in particular, the 3GPP Generic Authentication Architecture (GAA), which is built upon the USIM/SIM capabilities. One part of the research is to identify the marketable use-cases with corresponding security challenges to fulfill the requirements that extend beyond the online connectivity. This paper proposes a secure identification design to satisfy the security dimensions for both online and offline peers. We have also implemented an initial proof of the concept prototype to simulate the secure identification procedure based on the proposed design. Our implementation has demonstrated the flexibility of the solution to be applied independently for applications requiring secure identification.
3.
  •  
4.
  • Östling, Alina, et al. (author)
  • Mobility Data Specification (MDS)
  • 2023
  • Report (other academic/artistic), abstract
    • In recent years, e-scooters have become increasingly common in cities around the world, and municipalities have been working with digital solutions to regulate and monitor their use. The Mobility Data Specification (MDS) is one such standard that many cities use to establish a digital infrastructure for electric scooters. MDS has helped cities with regulatory issues and created business opportunities for outside software developers. This report has particularly focused on business models and ecosystems, semantic interoperability, information security and privacy protection, and data ownership under MDS.
5.
  • Besker, Terese, et al. (author)
  • Navigating the Cyber-Security Risks and Economics of System-of-Systems
  • 2023
  • In: 2023 18th Annual System of Systems Engineering Conference, SoSe 2023. - : Institute of Electrical and Electronics Engineers Inc.. - 9798350327236
  • Conference paper (peer-reviewed), abstract
    • Cybersecurity is an important concern in systems-of-systems (SoS), where the effects of cyber incidents, whether deliberate attacks or unintentional mistakes, can propagate from an individual constituent system (CS) throughout the entire SoS. Unfortunately, the security of an SoS cannot be guaranteed by separately addressing the security of each CS. Security must also be addressed at the SoS level. This paper reviews some of the most prominent cybersecurity risks within the SoS research field and combines this with the cyber and information security economics perspective. This sets the scene for a structured assessment of how various cyber risks can be addressed in different SoS architectures. More precisely, the paper discusses the effectiveness and appropriateness of five cybersecurity policy options in each of the four assessed SoS archetypes and concludes that cybersecurity risks should be addressed using both traditional design-focused and more novel policy-oriented tools. 
6.
  • Shreenivas, Dharmini, et al. (author)
  • Intrusion Detection in the RPL-connected 6LoWPAN Networks
  • 2017
  • In: IoTPTS '17. - New York, NY, USA : ACM Press. ; , pp. 31-38
  • Conference paper (peer-reviewed), abstract
    • The interconnectivity of 6LoWPAN networks with the Internet raises serious security concerns, as constrained 6LoWPAN devices are accessible anywhere from the untrusted global Internet. Also, 6LoWPAN devices are mostly deployed in unattended environments, hence easy to capture and clone. Despite that state of the art crypto solutions provide information security, IPv6 enabled smart objects are vulnerable to attacks from outside and inside 6LoWPAN networks that are aimed to disrupt networks. This paper attempts to identify intrusions aimed to disrupt the Routing Protocol for Low-Power and Lossy Networks (RPL). In order to improve the security within 6LoWPAN networks, we extend SVELTE, an intrusion detection system for the Internet of Things, with an intrusion detection module that uses the ETX (Expected Transmissions) metric. In RPL, ETX is a link reliability metric and monitoring the ETX value can prevent an intruder from actively engaging 6LoWPAN nodes in malicious activities. We also propose geographic hints to identify malicious nodes that conduct attacks against ETX-based networks. We implement these extensions in the Contiki OS and evaluate them using the Cooja simulator.
7.
  • Andersson, Kristina (author)
  • Regelverk för datadelning inom citylogistik: nulägesanalys
  • 2022
  • Report (other academic/artistic), abstract
    • Almost all data sharing regulations have origins from the EU. At EU level, three trends can be identified for data sharing. The first trend is that data sharing more and more is regulated by legislation. Current regulations are being amended and many new regulations are underway within the EU. Data sharing legislations are thus in an expansive phase. There are also many reasons why the EU believes that a certain regulatory framework is needed, such as:
      • Information security: Historically, information security has generated a large amount of activity in the field of regulatory framework. This includes, for example, cyber security and preventing data breaches.
      • Human health: Human health is also a reason to regulate data sharing. Examples of regulations in this area are the GDPR and sharing of sensitive personal data.
      • Consumer protection: There are also regulations aimed at strengthening consumer protection and ensuring that, for example, digital services are safe for consumers to share data in.
      • A free and efficient internal market: For the EU, it is important to create an internal market for data sharing. Many regulations are aimed at ensuring that SMEs can compete with large companies. Example of legislation in this area is the Platform Regulation.
      • Increased innovation power: For the EU, it is also important to increase innovation capacity in the internal market. One way is to protect innovations through, for example, copyright and trade secrets rules.
      • Increased transparency and trust: To create an internal market, people and companies also need to feel safe sharing data. Example of legislation within this area is the proposed Data Governance Act.
      • Fundamental rights and freedoms: Finally, the EU is reassessing in many regulatory frameworks in terms of respect of fundamental human rights and freedoms. Examples of regulations in this area are the GDPR and the e-Privacy regulation. The EU is also working on developing a code on this theme. The code shall guide the future work on the development of new legislation.

      The second trend is for the EU to encourage industry organizations to develop voluntary rules on data sharing (code of conduct) to accelerate the creation of an internal market for data sharing. An example of this is the Code of Conduct for sharing agricultural data in agreements. The Free Flow of non-personal data regulation would also like to see industry organizations develop principles for data sharing.

      The third trend is that the EU would like to see us all make more data publicly available or that we donate data, both from authorities and individuals (open data and altruism). Examples of this are the Open Data Directive and the forthcoming Data Governance Act. In this lies a conflict of interest between information security and open data that is not easy to solve. The challenge lies in the fact that each individual dataset itself does not have to reveal anything sensitive. However, if many datasets are added together, aggregated data can reveal too much.

      The EU is also interested in data sharing for certain sectors, of which vehicles and mobility is an area that is becoming more and more regulated in terms of data sharing. Here, a lot of new regulations are expected that will have a major impact on the sector, both in terms of vehicle development but also in terms of the development of new business models. The trend is towards vehicle manufacturers being increasingly forced to share data with authorities. When it comes to logistics, the pressure from new legislation about data sharing is not as clear. The existing legislation is more about the safe distribution of goods in a crisis or regarding sharing data from certain goods e.g., tobacco.

      What problems does the EU address in its mobility and vehicle regulations?
      • Human health: Compared to the general regulatory framework, there is a clear emphasis on human health and data sharing in the regulations. It is both about data sharing related to air quality but also road safety.
      • Consumer protection: There are also regulations aimed at strengthening consumer protection, e.g., for manufacturers to inform consumers about how much exhaust fumes a particular vehicle emits so that the consumer can make an informed choice based on this aspect between different manufacturers.
      • A free functioning efficient internal market: Examples of legislation in this area are the access of independent branded workshops to data from connected vehicles to increase competition.

      At EU level, there are several regulatory frameworks in the pipeline that will have a major impact on what we want to explore in our project. In the HITS2024 project, we want to explore and test efficient city logistics based on different vehicle concepts and logistics solutions. At EU level, a forthcoming e-Privacy Regulation is being discussed. The regulation will dictate how data from vehicles is allowed to be transferred to a cloud solution i.e., the connection as such. The e-Privacy Regulation is closely related to the GDPR, but there are also differences between these regulations. The GDPR accepts consent and balancing of interests to collect personal data while the e-Privacy Regulation only accepts consent (at the time of writing). The challenge for the automotive industry, for example, is that an autonomous vehicle can only collect personal data based on balancing interests because it is not doable to work with consent. However, if the e-Privacy Regulation in its current state is approved, the data will not be allowed to leave the vehicle because there is no consent.

      Another challenge is the upcoming AI Act. The AI Act distinguishes between technologies that already have an international regulatory framework for, e.g., type approval of a truck and technology where only the EU regulates the issue, e.g., machines. But a vehicle consists of many different “parts” and not all parts are type approved. How do you fit different technologies and different legislation together in an autonomous truck?

      In the logistics area, the upcoming Data Act can be of great importance as it will be about data sharing between companies. Until now, coordination between different data regulations has not always been optimal. The same phenomenon has been regulated in different regulations. There is a risk that different regulations in the future will find it difficult to co-exist with each other. How will, for example, GDPR, e-Privacy regulation and Data Act work together in a vehicle and logistics context? Developments in this area need to be followed.