
Conference Title

The Third International Conference on


Information Security and Digital Forensics
(ISDF2017)

Conference Dates
December 8-10, 2017

Conference Venue
Metropolitan College, Thessaloniki, Greece

ISBN:
978-1-941968-46-8 ©2017 SDIWC

Published by
The Society of Digital Information and Wireless
Communications (SDIWC)
Wilmington, New Castle, DE 19801, USA
www.sdiwc.net
Table of Contents

Cyber Security

Education Method for Simultaneous Achievement of Safety and Security in the IoT Era…………. 1

A Cumulative Sum Technique for Network Cyber Intrusion Detection………………………………….. 7

Digital Forensics

GPU Forensics: Recovering Artifacts From The GPU's Global Memory Using OpenCL……………….. 12

Formal Methods Application in Security


Common Attributes of Security Breach Types………………………………………………………………………..… 21

Information Security Risk Management


The Strategy of Brazilian Government to Improve the Information Security Risk Management
and the Cyber Security in Brazilian Public Sector……………………………………………………………………… 27

Miscellaneous
Project of building Security in Zoological garden …………………………………………………………………… 33

A Novel Semantic Framework for Cloud Service Ranking and Adoption………………………………… 44


Proceedings of the Third International Conference on Information Security and Digital Forensics, Thessaloniki, Greece, 2017

Education Method for Simultaneous Achievement of Safety and Security in the IoT Era

Nyambayar Davaadorj, Yuitaka Ota, Akihiro Tsuchiya and Ichiro Koshijima

Department of Architecture, Civil Engineering and Industrial Management Engineering
Nagoya Institute of Technology, Nagoya, Japan
Nyamaa0727@gmail.com

ABSTRACT

The manufacturing industry is obligated to ensure its employees' health and safety. However, employees in a manufacturing plant are exposed to constant safety hazards, so ensuring worker safety in the plant is difficult. Moreover, the manufacturing industry has recently adopted control systems for plant management, so it is imperative to respond to the threat of cyber-attacks in a production environment. Hence, simultaneously safeguarding the control system against cyber-attacks and ensuring the safety of employees is necessary. However, the safety of employees and cyber-security are dealt with independently by the production safety division and the IT security division, respectively. Such a scenario may lead to a delayed response in case of an emergency and may increase the seriousness of the damage caused. Therefore, in this paper, a PDCA cycle that combines safety and security in the IoT era is presented, and an educational method is proposed that implements Safety-II and Security-II together.

KEYWORDS

Safety, Security, Cyber-attack, IoT, ICS.

1 INTRODUCTION

With the diversification of production processes, the complexity and international standardization of on-site machine tools are increasing. Moreover, with the introduction of new mechanical equipment and chemical substances, the causes of occupational accidents are diversifying. Therefore, the greatest obligation of the manufacturing industry is to safeguard workers' health and to ensure the safety of its employees [1]. However, workers in a manufacturing plant are exposed continuously to health hazards. With the recent introduction of control systems by the manufacturing industry for management, it has become necessary to respond to the threat of cyber-attacks in a production environment. Therefore, securing the control systems against cyber-attacks while at the same time ensuring the safety of employees at a given site has become necessary [2]. However, up until now, worker safety and cyber security have been dealt with separately by the production safety division and the IT security division, respectively. The safety and security divisions work independently, and this may lead to more severe damage caused by a delayed response in case of an emergency [3].

Therefore, in this paper, a PDCA cycle that combines safety and security in the IoT (Internet of Things) era is presented, and an educational method is proposed to implement Safety-II and Security-II in the organization simultaneously.

2 SAFETY AND SECURITY

In the IoT era, control systems are significantly involved in the planning, design, operation, and marketing of the manufacturing industry. In particular, IoT is often used to achieve improvements in productivity and to reduce the production costs of plants and manufacturing industries. Therefore, the manufacturing industry needs to ensure employee safety and industrial control system (ICS) safety simultaneously. For that purpose, we define the following two problems.


1. Discovering effective interactions between safety and cybersecurity: it is necessary to propose an analysis method based on global standards and to find an effective PDCA cycle for continuous implementation.
2. Maximizing organizational resilience against uncertain and unexpected cyber-attacks: it is necessary to assess the implementation of PDCA cycles based on global standards.

2.1 Safety-based production

Deciding to standardize each task in work manuals and advancing work according to the manual can reduce defects. First, it is necessary to arrange the work procedure manual properly. Figure 1 shows the indispensable relationships between safety and production tasks.

When tasks are designed using a procedure manual, and when work is carried out according to the guidelines in the procedure manual, the following is achieved.
1. Machinery can be run without incurring mechanical damage.
2. Machinery can be run without incurring environmental damage.
3. Machinery can be run while ensuring employees' health and safety.

The above three operations ultimately result in smooth operations in a manufacturing business. Also, the work is devoid of mechanical and environmental damage, and a safe work environment for employees is ensured, which leads to continuity in the company's management.

Figure 1. Relationship between safety and production.

2.2 Security-based production

A standardized operating procedure of the control system allows the operation of the control system to proceed normally. The ICS is involved in the planning, design, and operation of the processing system. In particular, an information network can be used: the manufacturing industry utilizes IoT to improve productivity, thereby contributing to reduced costs and lower human resource requirements.

Therefore, designing a procedure manual for the control system and utilizing the procedure manual affects the following three aspects (Figure 2).
1. Operation of the ICS network without incurring safety damage.
2. Operation of the ICS network without incurring production damage.
3. Operation of the ICS network without information loss.

The above three operations ultimately lead to a smooth functioning of the manufacturing business. Moreover, the work is devoid of mechanical and environmental damage, and a safe work environment for employees is ensured, which leads to continuity in the company's management.

Figure 2. Schematic of the safety and security framework.

2.3 Safety and security-based production

Safety has been implemented for many years in the manufacturing industry. However, realizing a perfectly safe plant is a challenging task. Consequently, manufacturers have attempted to secure the safety of the site using their own safety methods. Recently, big companies have adopted international standards for safety and security. They expect a reduction in risk due to the adoption of global safety standards. In the IoT era, the use


of control systems in the production process has become widespread. Figure 3 indicates that the manufacturing industry uses the control system for automation of the production line, stable operations, and reduction in the human resources required. Also, manufacturing industries collect and analyze data from the control system by connecting to the Internet (for data analysis) for improved marketing functions, management, and line productivity. The analysis will help the industry adapt to a flexible trading business market and enhance its business efficiency. However, connecting the control system to the Internet increases the risk of cyber-attacks, and consequently the risks in the future.

Figure 3. Maintain safe environment.

2.4 Analysis of Safety and Security Integration Standard

In the literature [1], [4] the authors discussed the establishment of a bottom-up cycle that continues to improve, maintain and implement after recognizing the international standards for safety and security. For safety, OHSAS18001 (Occupational Health and Safety standard) is analyzed by using IDEF0 and is mapped to a Resilience Matrix (RM) that can be defined as a cycle to develop new operational procedures to maintain and increase organizational resilience. In this matrix, the skill–rule–knowledge (SRK) model and the organizational levels (i.e., individual, group, and organization) are combined in a 3 × 3 chart. To specify a security standard procedure, IEC62443 (Industry network system standard) [5] is also analyzed by using the approach mentioned above.

The analysis of the global standards was conducted by deconstructing and categorizing clauses of the standard from the following perspectives:
1. Chapter titles, subtitles, numbers, and sentence locations
2. Sentences (extracting only the sections on recommendations for actions relating to health and safety)
3. Subjects, objects, and verbs within sentences
4. Verbs, objects, and verbs within sentences
5. Knowledge, skill, and rule based on Rasmussen's (Rasmussen, 1983) SRK model [6].

The resilience matrix covers activities that occur during establishment, implementation, and maintenance. Accordingly, it seems appropriate to place the IDEF0 model of the global standard into the resilience matrix to specify the structure of the organizational activity cycle and identify basic activities. In this previous study, we discussed a method for evaluating the manner in which the PDCA cycle (shown in Figure 4) of OHSAS18001 and IEC 62443 systematically functions within corporations. Based on the findings, this study clarifies the potential structural objections for corporations when implementing and operating the OHSAS18001 and IEC 62443 standards.

According to the OHSAS18001 and IEC 62443 standard analysis, the installation of PDCA cycles is essential for achieving continuous improvement. The safety and security standards organize their structure with a section-based PDCA cycle:
• Each section goes through the implementation, maintenance, and improvement processes.
• Subsequently, the improvement must be checked and tested. If it passes the check, one can proceed to the next stage.
• If the improvement fails the check, one goes back to an improvement process, provides safety instructions, and then returns to the cycle.


• PDCA is repeated in each responding section of the organization.

Figure 4. Schematic of the safety and security standard framework.

3 SAFETY AND SECURITY SIMULTANEOUS ACHIEVEMENT FRAMEWORK

In the event of a cyber-attack, it is necessary to have a corresponding structure that adds a security response to the safety response. Also, a response process is required to converge the situation. If the control system survives the cyber-attack as an operational abnormality, measures for securing safety must be implemented immediately. Safety response and security response must be realized simultaneously. Figure 5 illustrates a cyber incident response structure that takes into consideration the security response constraint conditions. During a cyber incident, there are constraints on the organization (communication, resources, systems), constraints on the environment (resources, systems), and time constraints due to the urgency of the cyber incident. We explain the relationship between safety, cyber incident response, and the corresponding constraints using the IDEF0 modeling method. Given that cyber-attacks cause unsafe operating conditions in the control system, safety measures are implemented first.

An unsecured state is one of the outputs of the process of looping the safety response to safeguard the control system. The non-secure state shown in Figure 5 is the state of the control system that is affected by the cyber incident, viz., the human condition (judgment, knowledge). Further, the security response is implemented against the insecure state that was output. The security response loop is executed until a secure state is output. Even if a secure state is output, if the control system is in an unsafe status, the safety response loop is executed again, and if an insecure state is output in that process, the security response is implemented. Safety response and security response are implemented in this structure until the control system is output in a safe and secure state. There exists an extensive loop between the safety and security tree. According to the bottom arrow of Figure 5, this is a control added so that the measures implemented by the organization are performed safely. The non-safe state caused by cyber incidents is handled by the group and the division. The mechanism added to perform safety measures should be implemented individually.

Figure 5. Safe and secure state.

3.1 Approach to integration of safety and cybersecurity

Resilience engineering is a concept proposed by Erik Hollnagel [7]. Hollnagel presented views on Safety-I and Safety-II, which are summarized as follows.
• Safety-I: Avoiding that things go wrong. Safety-I means a state where things


do not go wrong. Safety-I tries only to prevent these things from going wrong. This approach assumes that it is possible to attain safety by eliminating all of the contributory factors of adverse outcomes.
• Safety-II: Safety management for responding to errors as they happen. Safety-II tries to ensure a state where the level of required performance is maintained as high as possible and that things go right under varying conditions. Attention is paid not to rare failure cases but to actual routine operational performance.

By analogy with the above explanation, Security-I and Security-II are defined in the same way of thinking.
• Security-I: On the ICS, avoiding that things go wrong. Security-I refers to a state where things do not go wrong in the ICS. Security-I attempts to prevent these accidents from happening. This approach assumes that it is possible to attain safety by eliminating all of the contributory factors of adverse outcomes.
• Security-II: Security management for responding to errors that are yet to occur. Security-II attempts to ensure a state where the level of required performance is maintained as high as possible and that things go right under varying conditions. In the system, attention is paid not to infrequent failure cases but to actual routine operational performance.

First, the global standards determine activities based on risk assessment, which can be considered as the countermeasures of Safety-I and Security-I. Second, Safety-II and Security-II define the maintenance and improvement of a safe environment, which can be considered as the countermeasures of Safety-II and Security-II; these require continuous execution of the improvement cycle.

Therefore, a company can simultaneously achieve safety and security by maintaining Safety-I, Safety-II, Security-I, and Security-II continuously, as described in Figure 6.

Figure 6. Safety-I, Security-I and Safety-II, Security-II framework.

3.2 Global Standard Approach for Integrated Response

International standards correspond to Safety-I and Security-I. Also, it is important to identify and continuously maintain a bottom-up cycle that can be continuously improved, maintained, and executed after recognizing the international standards for safety and security. As shown in Figure 7, one factory needs to care about safety (Safety-I, Safety-II) and security (Security-I, Security-II), and human approaches to Safety-II and Security-II are indispensable. In the event of an accident or a cyber incident, it is human beings who make the final decision. Therefore, it is necessary to continuously develop human resource development training and the PDCA of Safety-II and Security-II in case of an emergency.

Figure 7. Safety and security integration framework.

3.3 ICS-BCP Training Exercise to Implement the Integrated Response

Safety-II and Security-II involve taking safety measures at the early stages of an emergency. However, cyber-attacks and cyber incidents do not always happen, and they cannot be predicted. Therefore, it is necessary to implement response training for when Safety-II and Security-II situations occur. Training for cyber incident handling is aimed at


understanding the framework for handling cyber incidents. Therefore, depending on the organizations that are trained, it is necessary to consider the organization (the organization involved in the operation of the business) and the response to cyber-attacks (security response).

In this exercise (called ICS-BCP training), we consider an organization's response to a cyber-attack. The purpose of the response changes with the passage of time. The following types of activities should be considered according to the purpose of the response (Figure 8). The typical deliverables of the exercise are workflows, which become plans by considering "who" performs an action and "when."
1. Activities to regain plant safety when it is disturbed by attacks.
2. Activities to maintain production activities that are obstructed by attacks at a specified service level.
3. Activities to deter further attacks.
4. Activities to preserve evidence of attacks.

Figure 8. Schematic of the safety and security framework.

4 CONCLUSIONS

In this paper, the authors proposed two problems, viz., discovering effective interactions between safety and cyber security, and maximizing organizational resilience against uncertain and unexpected cyber-attacks. Discovering an effective interactive linkage between safety and cybersecurity is necessary. To that end, we need to maximize the resilience of the organization to cyber-attacks that cannot be predicted reliably. First, the PDCA cycle necessary to combine Safety-I and Security-I was extracted using the IDEF0 modeling method. To build a PDCA cycle between Safety-II and Security-II, an exercise framework to maximize organizational resilience was suggested.

ACKNOWLEDGEMENTS

This research is partially supported by the Ministry of Education, Science, Sport and Culture, Grant-in-Aid for Scientific Research (A), No.16H01837 (2016); however, all remaining errors are attributable to the authors.

REFERENCES

[1] D. Nyambayar, H. Eguchi, and I. Koshijima, "A Matric for Quantitative Estimation of Production Unit Based On OSHMS," IOP Conf. Series: Materials Science and Engineering, 012009, doi:10.1088/1757-899X/206/1/012009.

[2] SANS: Industrial Control Systems Security Blog, https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid. Accessed January 29, 2017.

[3] Y. Hashimoto, T. Toyoshima, S. Yogo, M. Koike, T. Hamaguchi, S. Jing, and I. Koshijima, "Safety Securing approach against cyber-attacks for process control system," Computers & Chemical Engineering, vol. 57, no. 15, pp. 181-186, October 2013.

[4] D. Nyambayar and I. Koshijima, "Study of a Safety and Security Framework Based on Resilience Engineering," REA Symposium.

[5] IEC Central Office, Industrial Communication Network, and System Security, Part 2-1: Establishing an industrial automation and control system security manual, online, www.iec.ch. Accessed online by Yoshihiro Hashimoto.

[6] J. Rasmussen, "Skills, Rules, Knowledge; Signals, Signs, and Symbols, and Other Distinctions in Human Performance Models," IEEE Transactions on Systems, Man, and Cybernetics, pp. 257-266, 1983.

[7] E. Hollnagel, "Safety-I and Safety-II: The Past and Future of Safety Management," Ashgate Publishing Co.


A Cumulative Sum Technique for Network Cyber Intrusion Detection

Dimitris Sklavounos (1), George Paraskevopoulos (1), Aloysius Edoh (2)

(1) AMC College, 74 Sorou St, Amarousio 11525
(2) University of East London, 4-6 University Way, London E16 2RD
dsklavounos@mitropolitiko.edu.gr, gparsk@amc.edu.gr, edoh@uel.ac.uk

ABSTRACT

The present work proposes a mechanism of denial of service (DoS) intrusion detection by examining changes in the mean of the UDP and ICMP source bytes. The detection mechanism utilized for this purpose is the tabular cumulative sum (CUSUM) chart, and the experimental dataset is the NSL-KDD dataset. Two cases were evaluated. In the first case the intrusion occurred in the UDP packets, while in the second case the intrusion occurred in the UDP and ICMP packets. In both cases, a shift in the source bytes mean value took place after the intrusion, and it was clearly depicted in the CUSUM chart. Thus, the intrusion detection in both cases was made successfully.

KEYWORDS

DoS intrusion detection, CUSUM chart, NSL-KDD Dataset

1 INTRODUCTION

Denial of service (DoS) and its distributed type (DDoS) have been very serious security threats to systems and networks for several years. Although many research works have been carried out with satisfactory results, the topic continues to retain research interest in new detection methods. DoS attacks are very dangerous for systems and networks because they can cause serious delays in accessing servers and other resources due to the packet flooding. This means that in many cases servers must be shut down, which causes huge problems in serviceability, especially in real-time applications such as e-commerce or banking [1].

A valuable contribution to research on the detection and confrontation of DoS and DDoS intrusions was the recording of network data, which has created very useful datasets like the Defence Advanced Research Projects Agency (DARPA) 1998 dataset and the later versions: the Knowledge Discovery and Data Mining Competition (KDDCup) 1999 dataset and the NSL-KDD. These datasets were created to be utilized by the American Air Force, and they have been widely used to evaluate the performance of Intrusion Detection Systems (IDS). Several research works have been carried out focusing on intrusion detection in networks and systems. Indicative related works are the following. The authors in [2] proposed a scheme for detecting distributed DoS attacks and their source, especially when there are multiple attacks. Using a non-parametric CUSUM algorithm proposed by Wang, they monitor the server traffic for a high increase of requests coming from new IP addresses; this situation indicates an attack. The authors in [3] evaluated two anomaly detection algorithms (an adaptive threshold algorithm and a CUSUM change point detection algorithm) for detecting TCP SYN flood attacks. The main goal of the research focuses on how the parameters of the algorithms and the characteristics of the attacks affect the performance of detection systems like the above. The work in [4] focuses on the utilization of simple threshold detection and CUSUM change point detection algorithms for pinpointing anomalies in the signal to noise ratio. The main task of the work is to specify the balance between performance and intelligence. In [5] the authors proposed a simple and robust mechanism, called Change-point Monitoring (CPM), to detect DoS attacks. The work utilizes the correlation between requests and replies of the internet protocol behaviour, which is destroyed by the attacks.
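As an added example (not the authors' code), the detection mechanism that Secs. 2.1 and 2.3 below describe, run on constructed data: a plain running sum of deviations from the target mean is assumed as the drift statistic of Fig. 1, and the tabular CUSUM is taken in Montgomery's standard form, with C+ and C- accumulating deviations above and below the target mean, reference value K = |mu1 - mu0|/2 and decision interval H = 4σ or 5σ (the page cites these quantities but its equations were not recovered). The per-connection source-byte values, the target mean of 200 and the attack mean of 120 are constructed, not taken from NSL-KDD.

```python
"""Added example (not from the paper): tabular CUSUM detection of a
downward shift in per-connection source bytes, following the Sec. 2.1
description and Montgomery's standard tabular CUSUM. All traffic
values below are constructed, not taken from NSL-KDD."""
from math import sqrt

# Constructed "training period": 100 normal connections whose source
# bytes fluctuate around 200 (the page's real target mean is not shown).
NORMAL_PERIOD = [190, 215, 200, 230, 180, 205, 210, 195, 220, 155]
NORMAL = NORMAL_PERIOD * 10                      # instances 1..100
# Constructed DoS flood: small, nearly constant source bytes, mean 120.
ATTACK = [125, 110, 130, 115, 120] * 10          # instances 101..150
SEQUENCE = NORMAL + ATTACK


def target_mean(xs):
    """mu0: the target mean estimated from the training period."""
    return sum(xs) / len(xs)


def std_dev(xs):
    """In-control standard deviation (population form) of the training data."""
    mu = target_mean(xs)
    return sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))


def cumulative_drift(xs, mu0):
    """Plain cumulative sum of deviations from mu0 (assumed form of the
    drift statistic plotted in Fig. 1): it wanders around zero while the
    mean holds and trends downward once the mean shifts downward."""
    out, c = [], 0.0
    for x in xs:
        c += x - mu0
        out.append(c)
    return out


def tabular_cusum(xs, mu0, k, h):
    """Tabular CUSUM for individual observations.

    c_plus accumulates deviations above mu0 + k, c_minus deviations below
    mu0 - k; each resets to zero whenever its accumulated value would go
    negative. The process is declared out of control at every instance
    where either statistic exceeds the decision interval h.
    Returns (c_plus list, c_minus list, out-of-control instance numbers).
    """
    c_plus = c_minus = 0.0
    plus, minus, signals = [], [], []
    for i, x in enumerate(xs, start=1):
        c_plus = max(0.0, x - (mu0 + k) + c_plus)
        c_minus = max(0.0, (mu0 - k) - x + c_minus)
        plus.append(c_plus)
        minus.append(c_minus)
        if c_plus > h or c_minus > h:
            signals.append(i)
    return plus, minus, signals


def detect(xs, training, attack_sample, h_multiplier):
    """Run the chart with K = |mu1 - mu0| / 2, where mu1 is the
    out-of-control mean estimated from the attack sample, and
    H = h_multiplier * sigma (4 or 5 are the usual choices)."""
    mu0 = target_mean(training)
    sigma = std_dev(training)
    mu1 = target_mean(attack_sample)
    k = abs(mu1 - mu0) / 2.0
    h = h_multiplier * sigma
    plus, minus, signals = tabular_cusum(xs, mu0, k, h)
    return {"mu0": mu0, "sigma": sigma, "k": k, "h": h,
            "c_plus": plus, "c_minus": minus, "signals": signals}


if __name__ == "__main__":
    drift = cumulative_drift(SEQUENCE, target_mean(NORMAL))
    print("drift at instance 100:", drift[99], " at instance 150:", drift[149])
    for mult in (4.0, 5.0):
        r = detect(SEQUENCE, NORMAL, ATTACK, mult)
        print(f"H = {mult}*sigma = {r['h']:.1f}: first signal at instance "
              f"{r['signals'][0]}, {len(r['signals'])} signals in total")
    # The chart stays silent on the training data alone (no false alarm).
    print("signals on normal-only data:",
          detect(NORMAL, NORMAL, ATTACK, 4.0)["signals"])
```

With these constructed values H = 4σ first signals at instance 102 and H = 5σ at instance 103, while the normal-only data raises no alarm, which is the decision-interval trade-off Sec. 3.1 discusses.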

The non-parametric CUSUM algorithm detects deviations from normal protocol behaviours caused by DoS attacks.

The proposed method in the present work utilizes the NSL-KDD dataset, focusing on the attribute of the source bytes of UDP and ICMP packets in order to achieve detection of DoS intrusion. Considering that the network is under normal operation (no attacks involved), in a certain training period the mean value of the source bytes may be estimated. This value is set as the target mean in the cumulative sum (CUSUM) chart mechanism that is utilized in order to achieve intrusion detection. It is assumed that the UDP and ICMP source bytes are normally distributed, with mean and standard deviation σ. If after the intrusion there is a shift in the mean value and or and then the detection will be successfully achieved.

The rest of the paper is organized as follows: Section 2 contains the methodology of the proposed method along with analytical elements of the tabular CUSUM chart as well as the NSL-KDD dataset. Section 3 contains the evaluation results for the intrusion detection in the UDP packets as well as in the ICMP and UDP packets concurrently. Finally, Section 4 contains the conclusions and further work.

2 METHODOLOGY

The proposed method is based on the idea of detecting a change in the mean value of the source bytes of the UDP and ICMP packets respectively during operation. Thus, the tabular cumulative sum control chart was utilized for this purpose [6].

2.1 The Tabular CUSUM Control Chart

The CUSUM control chart utilized in the present work is of the tabular type, with individual observations, and it works as follows. Assume a normal distribution of a random variable with mean and a known or estimable standard deviation of . The standard deviation is the square root of the variance, which is equal to:

(1)

When the process is under control, both moments of the distribution are maintained constant. The mean may be taken as the target value of the quality characteristic . During the operation of the tabular CUSUM chart, two statistics, and , are applied to accumulate the deviations from . accumulates the deviations above target while accumulates the deviations below target, and they are estimated as:

(2)

(3)

Initially = = 0. is the reference value and it is estimated by:

(4)

where is the mean of the out-of-control values. is the decision interval, which means that if either of the two statistics and exceeds the value of , then the process is out of control. Two reasonable values of may be or [7].

2.2 The NSL-KDD Dataset

The data set used for this work is the NSL-KDD, which consists of 42 attributes. It does not contain duplicate instances, as they have been removed from the previous version (KDD'99), and so it represents an improved type of data set. A number of NSL-KDD data set versions are available: the 20% of the training data identified as "KDDTrain+_20Percent" with 25192 instances, as well as the "KDDTest+" with 22544 instances. The number of attributes in each version is 42, with the 42nd attribute labeled as 'class' to indicate whether a given instance is a normal connection or an attack [8]. The dataset files

have been downloaded from [9]. The dataset used for the evaluation was the "KDDtrain20percent" with 42 attributes, where the 42nd attribute, named "xattack", contains a number which indicates the type of the attack as follows: (1) is the DoS, (2) is the User to Root (U2R), (3) is the Remote to User (R2L), (4) is the Probe and (5) is the normal operation packets. The files are also formatted for the machine learning program "WEKA".

2.3 Proposed Method

A network that operates normally has been considered as the initial situation, supported with a data recording mechanism. The data recording mechanism captures the required information, which in this case is the source bytes. It is assumed that the UDP and ICMP source bytes are normally distributed, with a mean and standard deviation . At some instance an intrusion occurs in either UDP or ICMP packets. If after the intrusion there is a shift in the mean value and or , then the CUSUM control chart, which is the utilized detection mechanism, will successfully detect the intrusion. According to the functionality of the CUSUM chart, the calculation of the target mean is crucial. Thus, a training period is set in order for this value to be computed. A hypothetical training period may be the one in which the UDP and ICMP packets of the NSL-KDD dataset were recorded with the network in normal operation (no attacks). Thus, the target mean value was calculated from the entire sequence of the UDP and ICMP source byte values of the whole dataset. Thereafter, two cases were examined for both UDP and ICMP packets with the tabular CUSUM chart. For both cases, the assumption made was that in an initial stage the network was in normal operation (with no attacks) for instances. Afterwards, an attack took place for a very small number of instances . The first evaluation (1st case) concerned the source bytes of the UDP packets, while the second evaluation (2nd case) concerned the UDP and the ICMP source bytes concurrently, since they gave the same target mean. For the above cases, the CUSUM algorithm of the form (5):

(5)

was applied initially for the detection of the mean shift, and then the tabular CUSUM control chart, as described in Sec. 2.1, for a more analytical process of the detection.

3 EVALUATION OF RESULTS

3.1 Detection of DoS attack based on the UDP packets

The first stage of the method was the training period for the calculation of the mean value of the UDP source bytes. Thus, the entire set of source bytes instances of the original NSL-KDD dataset was used, considering that the network is in normal operation with no attacks involved. The estimated mean value of the entire UDP source bytes of the training period was . The first evaluation was the case where the first 100 instances contained source bytes of normal operation, and in sequence with them there were added instances of attack packets. Applying the CUSUM algorithmic test of (5) for 150 instances, a change in mean was observed, as depicted in Figure 1.

[Figure 1 image not recovered: plot of Ci against the instance number (1 to 145), vertical axis from -1600 to 400.]

Figure 1. Drift of test statistic of the cumulative sum in (5) with three attack instances after the 100th instance.

In cases where n takes a lower value the detection will also be achieved, but

as the mean of the source byte values is closer to the target mean value, the detection is depicted more clearly. So, a conservative value of was selected in order for the detection to be clearly achieved and depicted. As observed from the graph of Fig. 1, the drift initially fluctuates around zero, and after instance 97 takes a negative direction. This is due to the downward shift of the mean after the attack.

Furthermore, the statistic in (3) was applied for 150 instances and it is depicted in Figure 2.

[Figure 2: plot of the test statistic Ci against Instances 1 to 150; vertical axis from 0,0 to 700,0]

Figure 2. Drift of test statistic of in (3) with three attack instances after the 100th instance

As shown in the graph, the slope of from the 100th instance, where the attack occurred, until the 150th, takes a permanently positive direction. This change of the slope is due to the change in mean of the values after 100, and this means that the process is out of control. So, the detection is made. More analytically, the out of control mean is estimated as , (where ). From (4) the parameter and the interval . At instance 115 comes the first signal for out of control process and a second one comes at instance 117 to 120. From instance 122 until the end of the process all values are greater than 300 and this means that from that point the process is out of control (Table 1).

Table 1. Indicative values of the slope of Figure 2

Instances   value   count
1           0       0
2           0       0
3           21,6    1
…           …       …
114         278,1   13
115         301,7   14
116         290,3   15
117         313,9   16
118         350,5   17
119         372,2   18
120         333,8   19
121         295,4   20
122         317,0   21
123         337,6   22
124         359,3   23
125         382,9   24
126         302,5   25
127         327,1   26
…           …       …
130         395     29
…           …       …
150         596,4   49

At instance 122 the value of , so , which means that at instance 101 the shift in mean started to be created (Fig. 1). If is taken, then the first signal for out of control process comes at instance 125, and then from instance 130 until the end, the process is permanently out of control. This result shows that the better choice of the decision interval may be the case when .

3.2 Detection of DoS attack based on the UDP and ICMP packets concurrently

The same method as in the previous section (Sec. 3.1) was applied for the detection of UDP and ICMP source bytes in a concurrent manner. Examining the ICMP source byte size in normal and attack classification, the size in attack showed a large deviation upwards from the size in normal operation. Thus, the CUSUM chart detection seems to be quite obvious. Hence, a more challenging situation is the detection of attack when examining both ICMP and UDP source bytes concurrently. As mentioned above, there is a large deviation upwards between normal and attack ICMP source bytes, while there is a deviation downwards in UDP packets. For this detection the same scenario as in Sec. 3.1 was applied, as far as the sequence of the instances is concerned.
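The tabular CUSUM procedure of Sections 3.1 and 3.2, run over constructed source-byte traces, as an added example (not code from the paper). It assumes the standard two-sided tabular CUSUM: an upper statistic C+ for upward shifts (the ICMP case), a lower statistic C- for downward shifts (the UDP case), a reference value K = k·σ and a decision interval H = h·σ, with the target mean μ0 and σ estimated from an attack-free training period; the paper's numbered equations are not reproduced, and the function and trace names are this example's own. The traces are constructed and are not NSL-KDD data.

```python
"""Tabular CUSUM over per-instance source-byte counts (constructed data).

Added example, not code from the paper: it assumes the standard two-sided
tabular CUSUM, an upper statistic C+ for upward shifts and a lower statistic
C- for downward shifts, with reference value K = k*sigma and decision interval
H = h*sigma, where the target mean mu0 and sigma are estimated from a
training period of attack-free instances. The traffic below is constructed,
not taken from NSL-KDD.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Optional


@dataclass
class CusumResult:
    mu0: float
    sigma: float
    drift: List[float] = field(default_factory=list)   # plain cumulative sum of (x - mu0)
    upper: List[float] = field(default_factory=list)   # C+ after each instance
    lower: List[float] = field(default_factory=list)   # C- after each instance
    first_signal: Optional[int] = None                 # 1-based instance of the first signal
    side: Optional[str] = None                         # "upper" or "lower" for that signal


def tabular_cusum(values, train_len, k=0.5, h=5.0):
    """Run the two-sided tabular CUSUM over `values`.

    The first `train_len` instances are the training period: they define the
    target mean mu0 and the standard deviation sigma used for K and H.
    """
    train = values[:train_len]
    mu0, sigma = mean(train), pstdev(train)
    if sigma == 0:
        raise ValueError("training period has no variance; sigma would be zero")
    big_k, big_h = k * sigma, h * sigma
    result = CusumResult(mu0=mu0, sigma=sigma)
    c_plus = c_minus = drift = 0.0
    for i, x in enumerate(values, start=1):
        drift += x - mu0                                   # the "drift" chart
        c_plus = max(0.0, x - (mu0 + big_k) + c_plus)      # accumulates only upward excess
        c_minus = max(0.0, (mu0 - big_k) - x + c_minus)    # accumulates only downward excess
        result.drift.append(drift)
        result.upper.append(c_plus)
        result.lower.append(c_minus)
        if result.first_signal is None:
            if c_plus > big_h:
                result.first_signal, result.side = i, "upper"
            elif c_minus > big_h:
                result.first_signal, result.side = i, "lower"
    return result


# Constructed "normal operation" block: mean exactly 100 source bytes, small spread.
NORMAL_BLOCK = [100, 104, 96, 100, 108, 92, 100, 102, 98, 100]


def constructed_trace(shift, n_normal=100, n_shifted=50):
    """100 attack-free instances followed by 50 instances whose mean is moved by `shift`.

    A negative shift mimics the downward move the paper reports for UDP source
    bytes; a positive one mimics the upward move for ICMP.
    """
    reps = (max(n_normal, n_shifted) // len(NORMAL_BLOCK)) + 1
    normal = (NORMAL_BLOCK * reps)[:n_normal]
    shifted = [x + shift for x in (NORMAL_BLOCK * reps)[:n_shifted]]
    return normal + shifted


if __name__ == "__main__":
    for name, shift in (("UDP (downward shift)", -6), ("ICMP (upward shift)", +6)):
        for h in (4.0, 5.0):
            r = tabular_cusum(constructed_trace(shift), train_len=100, h=h)
            print(f"{name:22s} h={h}: mu0={r.mu0}, sigma={r.sigma:.2f}, "
                  f"first signal at instance {r.first_signal} ({r.side} side)")
```

With these traces the 100 training instances never raise either statistic above H, the downward trace signals on the lower side at instance 106 and the upward one on the upper side at instance 105, and h = 4 and h = 5 signal at the same instance, the same kind of comparison the paper draws between its two decision intervals. A practitioner reusing this should estimate μ0 and σ only from traffic known to be attack-free, since an attack inside the training period inflates σ and hides the shift.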

The CUSUM test of (5) for the same number of instances (150) showed a change in mean as depicted in Figure 3.

[Figure 3: plot of the test statistic Ci against Instances 1 to 150; vertical axis from -500 to 2500]

Figure 3. Drift of test statistic of the cumulative sum in (5) with four (2 ICMP & 2 UDP) attack instances after the 100th instance

Thereafter, the statistic in (2) was applied for 150 instances as depicted in Figure 4.

[Figure 4: plot of the test statistic Ci against Instances 1 to 150; vertical axis from 0,0 to 2000,0]

Figure 4. Drift of test statistic in (2) with four (2 ICMP & 2 UDP) attack instances after the 100th instance

Because there is a positive shift of the mean, the statistic (eq. 2) was applied. As depicted in Figure 4, there is a sharp change of the slope after the 100th instance and this indicates the change in the mean. In this case (the mean for both UDP and ICMP source bytes is 79), , the parameter and the interval . The first signal for out of control process came at instance 91 until 95 and then from instance 101 until 150 the process was out of control. From a list of values with the same logic as Table 1 (not quoted), at instance 101, . So, at instance the shift in mean started to be created. For the decision interval then the first signal for out of control process comes at instance 92. Then again from instance 101 until the end, the process is permanently out of control. This result leads to the conclusion that both values of (4 or 5) give a decision interval with almost the same effectiveness.

4 Conclusion and Future Work

A new DoS intrusion detection method has been proposed. The method was based on the source bytes of the UDP and ICMP protocols as they have been recorded in the NSL-KDD dataset. The mechanism utilized for the detection was the tabular CUSUM chart, which gave satisfactory results since it successfully detected the intrusion in both UDP and ICMP packets. Further to this work, the cases of moving average as well as subgroup averages will be examined for the intrusion detection. Also, detection evaluation will take place on the TCP packets for Remote to User (R2L) and User to Root (U2R) types of intrusion utilizing possible upcoming newer versions of datasets.

GPU FORENSICS: RECOVERING ARTIFACTS FROM THE GPU'S GLOBAL MEMORY USING OPENCL

Yazeed Albabtain, Baijian Yang
Department of Computer and Information Technology, Purdue University
401 N. Grant Street, West Lafayette, IN 47907
{yalbabta, byang}@purdue.edu

ABSTRACT

The purpose of this research is to perform a graphics recovery process on the GPU in line with the principles of computer forensics. The research tested the possibility of recovering artifacts of last visited web pages and last opened images from the GPU's global memory. The experiment deployed the OpenCL framework and tested JPEG, TIFF, and BMP graphic file formats of 64x64 pixels, 100x100 pixels, and 200x200 pixels in size. Other variables, such as the choice of OS, GPU, and GPU driver, were also tested to measure their effect on the proposed method. The research indicates that recovering artifacts from the GPU's global memory is possible using a set of unique pixel patterns. The research highlights three challenges of implementing forensic techniques on GPUs: 1) the elusive global memory allocation scheme of GPUs; 2) varying levels of support for different GPU drivers; and 3) the prerequisite of using certain types of OS and applications.

KEYWORDS

GPU forensics, OpenCL, RAM, volatile memory, GPU Architecture, Artifacts, Webpage, Images.

1 INTRODUCTION

With the rise of the global internet over the past decades, the use of digital technology became an essential part of human life, which, inevitably, also gave rise to cybercrime. This shift toward digital has led to the rise of a new area of forensic science, digital forensics, which is concerned with collecting and examining potential digital evidence from computers, networks, and mobile phones. As a result, a new area of forensic science, data recovery, has been gaining momentum in the investigation of digital devices. Potentially critical data is being processed and saved for a limited time in the global memory of graphics processing units (GPUs) that can benefit digital forensic investigations. Due to the volatility of the data, few researchers have implemented forensic methods to recover artifacts from the GPU. To the best of the authors' knowledge, [7] was the only major work that has attempted to recover graphic images from a GPU's global memory dump using CUDA. However, the work was limited to 200x200 pixel TIFF files, and not all of the tested images were successfully restored. This paper introduces a data recovery process for graphic and webpage artifacts from the global memory of GPUs. Building on prior work attempting to recover graphics from the global memory dump of GPUs using CUDA (Zhang, 2015), we consider an enhanced data recovery method for retrieving inaccessible, lost, or deleted data using the Open Computing Language (OpenCL) framework. To evaluate the data recovery capabilities of OpenCL, we test several image formats, in different pixel sizes, and on different operating systems. Since the OpenCL framework is widely supported by GPU vendors, our proposed approach is applicable to a good variety of GPUs. We also consider how the choice of GPU driver affects the data recovery process. Due to the large variety and possible combinations of available hardware and software, implementing the OpenCL data recovery method on GPUs faces three major challenges: 1) the elusive global memory allocation scheme of GPUs; 2) varying levels of support for different GPU drivers; and 3) the prerequisite of using the types of OS and applications on which the recovery process is applicable. The rest of the paper is organized as follows. Related work

is reviewed in Section 2, followed by the description and illustration of the proposed GPU graphics recovery process in Section 3. Results from the experiments are examined and discussed in Section 4. The paper concludes our work and gives an outlook on future research directions in Section 5.

2 LITERATURE REVIEW

Offloading graphics processing tasks to the GPU has led to substantial improvements in the performance of graphical computations. The deployment of GPUs has further increased with the emergence of general-purpose graphics processing units (GPGPUs). While studying how GPU-assisted malware affects memory forensics, the authors of [1] found that GPUs can assist applications to achieve a substantial speed-up and enhance the performance of various applications, including financial and scientific computations. The authors further posit that GPUs have enabled the realization of video transcoding, bitcoin mining, password recovery, and regular expression matching. However, they note that despite the GPU's ability to perform generic computations, GPU misuse, i.e., the use of GPUs to engage in malicious activity, has not been studied sufficiently. To perform a forensic analysis on the GPU, the authors gathered and analyzed numerous data structures by developing several custom tools specifically for this purpose. The data structures that were examined in the study include graphic page tables, hangcheck flags, a list of buffer objects, a list of contexts, and the register files. The study also revealed that the use of various GPU ecosystems posed substantial challenges in the forensic process. This, therefore, makes it necessary to develop individual tools for the probable combinations of GPU simulations and operating systems. GPUs may also be implemented to solve both general tasks and tasks that require intensive computations. For instance, GPUs may be used to increase the performance of AES and RSA encryption algorithms. Similarly, GPUs can be implemented to accelerate routers to support IP networks [4]. GPUs may also aid in the establishment of high-speed intrusion detection systems (IDSs). Researchers in [4] aimed at evaluating the potential risks associated with GPUs and, more specifically, how attackers are capable of disclosing sensitive data stored in the GPU's memory. While performing an in-depth analysis on GPUs to detect security susceptibilities, the authors discovered that extensively used GPUs, namely NVIDIA's and AMD's, fail to initialize recently allotted GPU memory pages that are likely to contain delicate user data. This vulnerability may then be exploited through attack strategies so that the program data belonging to the victim can be revealed, particularly information stored in the GPU's memory. Such exploitations may happen both during the execution of a program and after its termination. The greatest number of these attacks targeted the Chrome and Firefox web browsers that render web pages through the GPU. The research also indicated that, regardless of their wide application in the computing industry, the security issues associated with GPUs have not been given the necessary consideration [4]. Random Access Memory (RAM) analysis is similar to the forensic analysis of GPUs; however, it is concerned with analyzing volatile information from the RAM relating to executable applications, network links, as well as the command history [2]. Like GPU forensics, memory forensics is affected by the fact that RAM, being a volatile memory, loses data immediately when the power is interrupted. However, under certain favorable conditions such as uninterrupted power and the computer not being locked, a forensic investigation of the RAM can still be conducted within a particular time frame and using specialized tools. The forensic analysis of RAM may require copying the RAM's contents to perform a comprehensive analysis of the memory dump, while in other cases it requires the retrieval of Unicode or ASCII string content [6]. The authors of [7] conducted three experiments, the Color Test, the Line Test, and the Color Map Pattern Test, respectively, to explore the formatting pattern of images. The Color Test, in which different data were introduced onto the screen, was aimed at exploring the data structures of colors within the GPU's memory. The evidence was then collected from the GPU's memory with the help of an enhanced model. The researcher then created eight different color representation squares using Photoshop to prepare the evidence. The squares were given individual values such as 000000, 00FF00, FFFF00, among others. After the analysis of the data structures and the deletion of empty memory spaces, the researcher successfully recovered the photo [7]. The limitations of this paper are that the author only tested one image size, which is 200x200 pixels, and used CUDA, which is limited to NVIDIA GPUs. To improve upon these results, our paper will test different image formats in different sizes using OpenCL, which is supported by multiple GPU vendors such as AMD, Intel, and NVIDIA.

2.1 Open Computing Language (OpenCL)

OpenCL is a framework used to write programs that execute across diverse platforms containing CPUs, GPUs, and other processors [3]. OpenCL offers several distinct advantages as compared to CUDA. For example, the mathematical precision in OpenCL is well-defined, whereas in CUDA it is undefined. Furthermore, while OpenCL is supported by many GPU vendors such as AMD, Intel, and NVIDIA, CUDA is only supported by NVIDIA. And lastly, OpenCL provides CPU support, while CUDA doesn't. OpenCL contains certain specific functions that support the execution of commands. These services are necessary for the data transfer between the buffer objects and the host memory. clEnqueueReadBuffer enqueues commands to read from, or write to, a buffer object to the host memory, while clCreateBuffer is used to create the buffer object, also from the host memory [3]. Both functions, therefore, operate through the 'read' and 'write' command queue and are therefore the principal objects being commanded. clEnqueueReadBuffer helps in the data transfer from the buffer object to host memory, whereas the writing occurs from the host memory to the buffer. The reading of data by clEnqueueReadBuffer requires an allocated area of memory for the data storage, because the function cannot perform the memory allocation by itself.

3 METHODOLOGY

The methodology used for this experiment was built on the workflow defined by [7]. The design process consists of three stages. Stage 1 is to acquire potential unique pixel patterns by first cleaning the GPU's global memory, followed by computing conversion matrices between the image and the data retrieved from the GPU's global memory. Stage 2 simulates the live capture process with the assumption of no noise. The images to be tested were loaded onto the GPU and then captured as a memory dump, which is then restored to possible graphics by applying the unique patterns generated in Stage 1. In Stage 3, if the method is efficient, one of the recovered images will be found visually identical to the image previously loaded onto the GPU in Stage 2.

Figure 1. Design process.

The experiment tests three image formats in three different sizes. The image formats that will be tested are JPEG, TIFF, and BMP. The image sizes that will be tested are 64x64 pixels, 100x100 pixels, and 200x200 pixels. Since memory allocation is difficult to predict, we first clean the memory in Stage 1 and Stage 2 in an attempt to ease the process of locating the dump data of the processed image.

3.1 Generating Patterns

The first step in this experiment is to generate patterns which later will be used to recover any image of the same size as the generated pattern.

Table 1. Total number of identified patterns per image.

Image size   Generated patterns   Unique patterns found
64x64        20                   2
100x100      35                   4
200x200      45                   9

Figure 2. Color map image for sizes 64x64, 100x100, and 200x200.

We generate a color map image for each image size as shown in Figure 2. The color map images were created using Adobe Photoshop and each pixel of the image has a unique color. The purpose of generating these color map images is to create a set of pixel patterns that we can later use to recover the test image. To ease the process of recovering the dump data of the image, we cleaned the global memory of the GPU using OpenCL. The color map image was processed through the GPU by simply opening and closing the image in Windows Photo Viewer. Then, the dump data of the processed color map image was recovered from the GPU using OpenCL. Once the color map image is processed and the dump data of the color map image is collected multiple times, a set of pixel patterns will be ready to recover any image of the same size. For this experiment, the image sizes were 64x64, 100x100, and 200x200 pixels.

Figure 3. Pixel patterns for 100x100 image.

Figure 3 shows the unique patterns that were recovered by processing the color map image multiple times. The same experiment is repeated with a 200x200 pixel image and a 64x64 pixel image. Table 1 shows the number of unique patterns found for each size.

3.2 Data collection

To validate whether the generated pixel patterns can recover images of the same size, it was necessary to first perform a test with a random image. For this study, a random image was opened and then closed in Windows Photo Viewer. We chose this program because it uses the GPU, supports many image file formats, and is one of the most commonly used image viewer applications. After loading the image into the GPU's memory, we used the OpenCL functions clEnqueueReadBuffer and clCreateBuffer to recover the dump data of the random image.

Figure 4. Recovered dump data.

The above image shows an example of dump data that represents a 100x100 pixel image which can be used later to recover the image in its original shape. The offset 8A40000 marks the start of the image.

Figure 5. Noise removal.

Noise removal is a critical step in the process of recovering images from the GPU. The highlighted part of Figure 5 shows noise that needs to be removed to successfully recover the image. Other noise that needs to be removed is the following:

1. rows with all 00

2. rows with all FF

3. FA F3 EE FF FA F3 EE FF FA F3 EE FF FA F3 EE FF

4. FA F3 EE FF FA F3 EE FF 00 00 00 00 00 00 00 00

3.3 Image and webpage recovery process

After recovering the pixel patterns shown in Section 3.1 and setting the stage to recover the image, the patterns that store the image data were used to map the recovered image to its original state.

Figure 6. Image recovery process.

The patterns generated in Section 3.1 show the structure of the image in the GPU. Processing the color map image multiple times will yield different pixel combinations. To successfully recover a random image, we use the generated patterns to find the correct combination of pixels that matches the random image that was processed by the GPU. It should be noted that [7] invented the technique of pattern mapping, and this paper enhanced it to support different types of images and sizes as well as webpages.

Figure 7. Webpage recovery process.

Since there is no way to know the resolution of the image we want to recover, we assumed that its size is 1024x1024 pixels. The GPU used for this experiment was a GTS450 from the NVIDIA Fermi family. It has high-performance capabilities, with a 2x ability and DirectX 11 geometry processing power, and a maximum memory size of 1,024 MB [5].

3.4 GPUs and drivers test

A test for multiple drivers will be conducted to test the effects of different GPU drivers on the graphics recovery process. According to [9], the driver of the GPU plays an essential role in accessing the GPU. Therefore, several GPU types will be tested to understand which GPUs support the proposed method and which do not.

3.5 Operating System test

The OS is one of the major factors that influence the process of recovering graphics from GPUs. The aim of the OS test is to measure the influence of the different operating systems on the recovery process. For this study, the
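Stages 1 to 3 of Section 3 (pattern generation from a color map whose pixels are all distinct, noise removal with the four rules of Section 3.2, and pattern mapping of a dump back onto an image), simulated offline as an added example; this is not the authors' code and no GPU or OpenCL call is involved. The GPU is replaced by a constructed simulator that stores a texture as BGRA bytes in one of two hypothetical layouts (row-major, or 4x4 tiled) and pads the dump with the noise rows the paper lists; the layouts, the function names (`color_map`, `simulated_dump`, `derive_pattern`, `recover`) and the sample image are all this example's assumptions.

```python
"""Pattern mapping for recovering an image from a GPU global-memory dump, simulated offline.

Added example, not the paper's or any project's code. The GPU, its driver and
the OpenCL calls are replaced by a constructed simulator: a texture is stored
as BGRA bytes in one of two hypothetical layouts (row-major or 4x4 tiled) and
the dump is padded with the four kinds of noise rows listed in Section 3.2.
All names, the layouts and the sample image are assumptions for the illustration.
"""

ROW = 16                                 # the dump is viewed as 16-byte rows, as in Figure 5
FILLER = bytes.fromhex("FAF3EEFF")       # the repeated 4-byte filler from the noise list


def color_map(w, h):
    """Stage 1 input: an image whose every pixel has a distinct (r, g, b)."""
    return {(x, y): ((y * w + x) & 0xFF, ((y * w + x) >> 8) & 0xFF, 0x42)
            for y in range(h) for x in range(w)}


def linear_order(w, h):           # hypothetical layout A: row-major
    return [(x, y) for y in range(h) for x in range(w)]


def tiled_order(w, h, t=4):       # hypothetical layout B: 4x4 tiles, row-major inside a tile
    return [(tx + x, ty + y) for ty in range(0, h, t) for tx in range(0, w, t)
            for y in range(t) for x in range(t)]


LAYOUTS = {"linear": linear_order, "tiled4": tiled_order}


def simulated_dump(image, w, h, layout):
    """Constructed stand-in for the bytes clEnqueueReadBuffer would return from global memory."""
    body = bytearray()
    for (x, y) in LAYOUTS[layout](w, h):
        r, g, b = image[(x, y)]
        body += bytes((b, g, r, 0xFF))
    half = (len(body) // 2 // ROW) * ROW
    return bytes(bytes(ROW) * 2 + b"\xFF" * ROW + FILLER * 4      # noise before the image
                 + body[:half] + FILLER * 4 + body[half:]         # a filler row inside it
                 + FILLER * 2 + bytes(8) + bytes(ROW))            # noise after it


def is_noise_row(row):
    """The four noise rows of Section 3.2: all 00, all FF, filler x4, filler x2 + zeros."""
    return row in (bytes(ROW), b"\xFF" * ROW, FILLER * 4, FILLER * 2 + bytes(8))


def remove_noise(dump):
    rows = (dump[i:i + ROW] for i in range(0, len(dump), ROW))
    return b"".join(r for r in rows if not is_noise_row(r))


def pixel_slots(data):
    """Split cleaned dump bytes into (r, g, b) slots, undoing the BGRA byte order."""
    return [(data[i + 2], data[i + 1], data[i]) for i in range(0, len(data), 4)]


def derive_pattern(cmap, w, h, dump):
    """Stage 1: every color-map pixel is unique, so slot i of the dump reveals which (x, y) it holds."""
    lookup = {color: xy for xy, color in cmap.items()}
    slots = pixel_slots(remove_noise(dump))
    if len(slots) != w * h:
        raise ValueError("cleaned dump does not hold exactly one w*h image")
    return tuple(lookup[c] for c in slots)


def collect_patterns(w, h, runs):
    """Dump the color map once per run and keep the distinct patterns (Table 1's 'unique patterns')."""
    cmap = color_map(w, h)
    return {derive_pattern(cmap, w, h, simulated_dump(cmap, w, h, layout)) for layout in runs}


def apply_pattern(pattern, dump):
    """Stage 2: place slot i of a cleaned dump at the (x, y) the pattern assigns to it."""
    slots = pixel_slots(remove_noise(dump))
    if len(slots) != len(pattern):
        return None
    return dict(zip(pattern, slots))


def recover(dump, patterns):
    """Stage 3: one candidate per pattern; the analyst keeps the one that looks like a picture."""
    return [img for img in (apply_pattern(p, dump) for p in patterns) if img is not None]
```

Running `collect_patterns(8, 8, [...])` over several simulated runs yields one pattern per layout the simulator used, and `recover` applied to a dump of a sample image returns one candidate per pattern, of which exactly one equals the sample while the other is a scrambled arrangement, which is the selection step the paper leaves to visual inspection. Two caveats carry over to real dumps: rules 1 and 2 also delete any genuine run of four black or four white pixels, so the constructed sample avoids such rows, and a pattern is only valid for the layout it was derived from, which is why the paper finds the patterns change with the GPU, driver and OS.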

NVIDIA GPU GTS450 was tested on three operating systems: Windows 7, Windows 8, and Windows 10.

4 RESULTS

The results of the experiments conducted in Section 3 will be evaluated and discussed in the following subsections.

4.1 Image recovery results

Several images with different sizes and formats were tested in this paper. In order to ensure the accuracy of the results, we tested ten different images for each size to determine whether the generated unique pixel patterns are enough to recover an image of the same size.

Table 2. The successful results of the image recovery process.

Image size   JPEG   BMP   TIFF
64x64        4      3     3
100x100      4      3     3
200x200      4      3     3

Table 2 shows the number and the type of the successfully recovered images. It can be observed from the experiment that the patterns generated in Section 3.1 were enough to recover the images of the same size.

Figure 8. 100x100 image results.

[7] indicated that his experiment was looking for a single correct pixel pattern. However, based on the results in Figure 8, there is not one specific pattern for each image size, but rather a set of unique patterns. As shown in Figure 8, the recovered images shift between the four unique patterns generated in Section 3.1. All ten images tested were recovered successfully using just four patterns for the 100x100 pixel image. For the 64x64 pixel image, two unique patterns were discovered, and all the ten different images tested match those two unique patterns as shown in Figure 9.

Figure 9. Unique patterns for 64x64 pixel image.

When testing larger images, the number of patterns increased as shown in Table 1.

Figure 10. 200x200 image results.

The successful pixel pattern for the Figure 10 image was pattern 2. It is important to note that using different GPUs could result in different pixel pattern combinations and could yield either more or fewer unique patterns for each image size. The color map images that were used to generate the pixel patterns in Section 3.1 are in the TIFF format. Using these patterns, we were able to recover JPEG and BMP images from a pattern that was originally generated from a TIFF image. Thus, we

conclude that the image format does not influence the recovery process.

4.2 Webpage recovery

The webpage recovery process followed the same approach as recovering the images from the GPU, except this time our aim was to test the possibility of recovering artifacts of the last visited webpages. The browser used for this experiment is Google Chrome, and we edited the NVIDIA control panel to enable the GPU to operate whenever the user uses Google Chrome. This was necessary because, by default, when visiting websites, the GPU will not work unless a web extension requires GPU involvement.

Figure 11. Tested Facebook webpage on the left, and the recovered artifacts on the right.

We opened a Facebook account page to test the possibility of recovering any artifacts from the GPU after visiting the webpage. About 40 percent of the webpage content was recovered successfully and with high legibility, although other parts of the recovered webpage, about 60 percent, cannot be read or recognized. In a case where a suspect is under investigation, recovering 40 percent of the last visited page has good potential for solving the case, e.g. in the case of recovering illicit content from the suspect's machine.

4.3 GPU and driver results

Several GPUs and drivers were tested to gain a proper understanding of which GPUs and drivers support the graphics recovery process and which do not. Table 3 shows the GPUs and the drivers that did not support the graphics recovery process.

Table 3. Unsuccessful recovery attempts.

GPU                  GPU Drivers
AMD Radeon HD 6770   15.7, 14.12, 14.4, 12.1, 13.1, 13.4 (AMD Catalyst)
GTX560M              378.49, 353.9
GTX960M              all drivers from 341.81 (notebook, Win10 64-bit, international) to 359.06

In these cases, every time OpenCL tried to collect the dump data, the dump file returned blocks of only zeros, indicating that those sections did not contain any data. To overcome this barrier, [7] used the driver 340.34, which supports the methods presented in this paper.

Table 4. Successful recovery attempts.

GPU       GPU Drivers
GTX560M   340.43
GTS450    340.62

Drivers 340.43 for the GTX560M GPU and 340.62 for the GTS450 support the method presented in this paper. All beta drivers of NVIDIA for Windows 7 and Windows 8 support the method introduced in this paper and allow the data collection process. On the other hand, it was not possible to recover dump data from the AMD Radeon GPU as the return value of the dump file is zero.

4.4 Operating system (OS) results

Several OSs were tested to measure the impact of using different OSs on the GPU forensics process introduced in this paper.

Table 5. Operating system test results.

Operating System         Same identified patterns?        GPU
Windows 7 → Windows 7    No                               GTS450
Windows 7 → Windows 8    No                               GTS450
Windows 10               Couldn't generate any patterns   GTX960

The OSs tested were Windows 7, Windows 8, and Windows 10. The pixel patterns recovered in Section 3.1 were recovered using Windows 7, and once the system was upgraded to Windows 8 the combination of the patterns changed. Therefore, new patterns had to be generated in order to successfully recover the tested image. The recovery attempt on Windows 10 was not successful because the new OS supports only the latest drivers, which, as indicated in Section 4.2, do not support the

method introduced in Section 3. The GTS 5 CONCLUSIONS


450 GPU was moved to a new desktop with
Since the use of digital technology has be-
the same OS tested in Section 3 (Windows
come an indispensable part of human life, the
7), which yielded different patterns than those
need for digital forensics is evident. GPUs
generated on the previous desktop.
hold valuable data that could very well solve
In conclusion, the only way to generate the cor-
cases. However, implementing forensics tech-
rect set of pixel patterns is using an identical
niques on volatile data and volatile memory
OS platform and GPU as the ones used for pre-
has its own challenges due to the volatility.
viously opening the image we want to recover.
This paper discussed a method using OpenCL to recover graphics content and webpages from GPUs. During the research, all of the tested images were recovered successfully using a set of unique pixel patterns. In sum, it was observed that the larger the image size, the more unique pixel patterns there are. Although the proposed technique could only partially recover the webpage, the recovered data, in this case, provided enough information to determine what the user was reading and browsing.

4.5 GPU forensics challenges

We considered several factors to determine their potential influence on the image recovery process introduced in Section 3. It was observed that the only set of circumstances in which an investigator can generate the correct image patterns is when the same OS platform and GPU are used. Using a different OS or a different GPU will not help in generating the correct patterns; in fact, even having the same OS alone will not generate the correct patterns. The limitations to applying forensics to GPUs are as follows:

• In a real setting, the memory cleaning process presented in Section 3.1 is the most obvious barrier, because the investigator cannot clear the global memory; otherwise the dump data stored there will be lost.
• As indicated in Section 4.2, not all drivers support the forensics process.
• As indicated in Section 4.4, the Windows 10 OS did not support the proposed method, so the pixel patterns could not be identified.

In a real setting, this means that the investigator needs to clone the suspect storage device, recover the dump data from the GPU and then generate the set of patterns needed to recover the processed images. The only obstacle would be locating the dump data that is linked to the processed image. In this experiment, this issue was tackled by first cleaning the memory, but in a real setting cleaning the memory is not an option.

GPUs consist of different types of memory, and each type holds different kinds of data which can be helpful for forensic investigations. As future work, testing types of data other than images and webpages, as well as more AMD GPUs, is essential. Once the challenges presented in this research have been addressed, the ultimate goal of developing a forensics model for GPU analysis can be realized.

ACKNOWLEDGEMENT

This project is partially funded by Intel Grant #21626857.
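The pattern search that Section 4.5 relies on, locating the dump data linked to a processed image by matching pixel patterns generated from a reference rendering, can be illustrated without a GPU. The following is an added example, not the paper's OpenCL code: the image, the "global memory dump" and the RGBA8 row-major layout are constructed in the script, and the definition of a pattern as a run of three consecutive pixels that occurs exactly once in the image is an assumption, since the paper does not specify how its unique pixel patterns are formed. It also shows the failure mode the section describes: patterns generated for the wrong image (or, in practice, on the wrong OS/GPU) simply never match.

```python
"""Locating and carving an image from a raw GPU global-memory dump using
unique pixel patterns. Added example; the dump, image and RGBA8 layout are
constructed here, and the run-of-three-pixels pattern definition is assumed.
"""
import random
from collections import Counter

BPP = 4          # bytes per pixel, RGBA8 (assumption)
SPAN = 3         # consecutive pixels per pattern (assumption)


def make_image(width, height, seed):
    """Constructed stand-in for a rendered image: width*height RGBA pixels."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(width * height * BPP))


def unique_patterns(image, span=SPAN):
    """Map each run of `span` consecutive pixels that occurs exactly once in the
    image to its pixel index. A run that repeats inside the image cannot anchor
    the image in a dump, so it is discarded. Larger images yield more unique
    patterns, matching the paper's observation."""
    n_pixels = len(image) // BPP
    pixels = [image[i * BPP:(i + 1) * BPP] for i in range(n_pixels)]
    first_seen, counts = {}, Counter()
    for i in range(n_pixels - span + 1):
        pat = b"".join(pixels[i:i + span])
        counts[pat] += 1
        first_seen.setdefault(pat, i)
    return {pat: i for pat, i in first_seen.items() if counts[pat] == 1}


def locate_image(dump, patterns, image_len):
    """Vote over pattern hits. A hit at dump offset o for a pattern that sits at
    pixel index p in the reference image implies the image starts at o - p*BPP;
    the start offset with the most agreeing patterns wins. Returns (offset,
    votes), or (None, 0) when nothing matches, which is what happens when the
    patterns were generated for a different image or on a different OS/GPU."""
    votes = Counter()
    for pat, pixel_index in patterns.items():
        pos = dump.find(pat)
        while pos >= 0:
            start = pos - pixel_index * BPP
            if 0 <= start <= len(dump) - image_len:
                votes[start] += 1
            pos = dump.find(pat, pos + 1)
    if not votes:
        return None, 0
    return votes.most_common(1)[0]


def carve(dump, offset, image_len):
    """Copy the located image bytes out of the dump."""
    return dump[offset:offset + image_len]


def build_dump(image, offset, total_len, seed):
    """Constructed 'global memory dump': filler bytes with the image embedded at
    `offset`, which the investigator does not know in advance."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(total_len))
    buf[offset:offset + len(image)] = image
    return bytes(buf)


def recover(dump, reference_image):
    """End to end: patterns from the reference image -> offset -> carved bytes.
    Returns (offset, votes, carved_bytes) or (None, 0, None)."""
    patterns = unique_patterns(reference_image)
    offset, votes = locate_image(dump, patterns, len(reference_image))
    if offset is None:
        return None, 0, None
    return offset, votes, carve(dump, offset, len(reference_image))


if __name__ == "__main__":
    img = make_image(16, 16, seed=7)
    dump = build_dump(img, offset=4096, total_len=64 * 1024, seed=99)
    off, votes, carved = recover(dump, img)
    print(f"image located at offset {off} with {votes} agreeing patterns; "
          f"carved bytes match reference: {carved == img}")
```

The voting step is what makes the search tolerate partial recovery: a single matching pattern already fixes the candidate start offset, and additional patterns only strengthen the vote, so a dump in which part of the image has been overwritten still yields the right offset as long as some unique runs survive.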


Common Attributes of Security Breach Types

Jan Svoboda, Luděk Lukáš


Tomas Bata University in Zlín, Czech Republic
j3svoboda@utb.cz
lukas@utb.cz

ABSTRACT

A security breach is the phenomenon in which harm affects a reference object. The reference object may be an individual, a legal entity or a state. A security breach has typical signs, and these typical signs define the security breach precisely. The aim of this article is to introduce the main typical attributes of selected breach types (cyber-attack, terrorist attack, leakage of a dangerous substance and blackout). The last part of the article introduces the common attributes shared by all of these parts of security; they are important for critical infrastructure too. We assume that the new common attributes can help to identify the options available in security management, and can help in risk analysis and security verification as well.

KEYWORDS

Attribute, Relevance, Harm, Type, Safety, Security

1 INTRODUCTION

Many scientists work on the theory of security. One research question in security is the classification of security breach types. Many examples of security breaches exist: theft belongs to physical security, a hacker attack belongs to cyber security and an accident belongs to traffic safety. Many scientists analyse security breach types pragmatically; we try to work on the theory of security separately, and we aim to make a new classification of the most common security breach types. The classification can identify the important attributes of a security breach and can lead to new measures. The measures can influence the consequences of a security breach. We suppose that some security breaches can be handled in the same way along common categories, common types and a common gist. First we need to identify the most important attributes of the security breach types, and then we will try to make a new classification of security breaches.

A security breach is a phenomenon in which the selected object is directly at risk, or was already at risk. Risk means risk to life, health, property or the environment. The collection of attributes was made by the comparative method over selected security breach types. The analysed types were selected from cyber security (cyber-attack), protection of public order (terrorist attack), industrial safety (leakage of a dangerous substance) and energy security (blackout). The common attributes were obtained by generalising the typical attributes of the selected security breach types.

The level of general security is raised by the needs and development of current society. Security requirements are increasing with globalisation, technological progress and the technological dependence of society. The function of critical infrastructure is a basic and important part of the society system, and this function secures elementary living needs. The main role of this function is not substitutable, and in a short time horizon it is irreplaceable too. It can be assumed that the level of security is influenced by the relationship between general security and an element of critical infrastructure, and that this relationship is shaped by the quality of general security and the quality of security education and security knowledge.


2 THE ATTRIBUTES OF SECURITY BREACH

The selection of security breach types was based on the number of occurrences in society and on the dangerousness of the breach. The elements of the energy industry, the chemical industry, public administration and communication and information technologies belong to critical infrastructure. As mentioned above, the research into common attributes targets the long-term blackout, the terrorist attack, the leakage of dangerous chemicals and the cyber-attack. If we want to research all typical attributes, we have to target the common signs. The common signs reveal the attributes of security breach types.

2.1 Blackout

The blackout is a phenomenon of the 21st century. This threat grows with the technological dependence and technological progress of society. Currently, electrical energy is used as an easily transformed energy for mechanical, thermal and light energy. Electrical energy belongs to a large number of manufacturing processes, and it is used as a signal in communication and information systems. A blackout usually means the stop of heavy-current systems, but it means the stop of control and information systems too. This is the main reason why this sector belongs among the secured parts of critical infrastructure. The main blackout attributes are:

• Speed of blackout;
• Range of blackout;
• Time of blackout.

The range of a blackout can be assumed to extend from an object (building, area) to a region (state, country). The duration of a blackout cannot be bounded in advance; there are many cases which lasted a few days and a few weeks too. It can be assumed that when the blackout is caused by another threat (war, civil war), the duration of the blackout will be the same as that of the primary threat. The range of the blackout together with its duration can be marked as the attributes which influence the damage caused.

2.1.1 Main Sign of Blackout

The main sign of the blackout is the unavailability of electrical energy, and the cause of the blackout points to its relevance and to the options for managing the extraordinary event. The blackout can be caused by a technical problem in production or in the transmission network, but also at the final user. The blackout can be caused by a natural disaster or a serious accident, but by war or civil war too.

The time course is another main sign, and this sign influences the level of damage in the affected area or region. It can be assumed that a blackout can, but need not, cause damage if it lasts just a few seconds. By contrast, a blackout causes really serious problems when it lasts for days and weeks, because electrical energy is essential for the medical rescue service, water management, traffic, communication and security.

The restriction of activities and services depends on the technological dependence and technological progress of the society in the blackout area. Technological dependence means that society is reliant on electrical energy, because this energy is necessary for work, leisure activities and other daily life. When the society is not ready for a blackout, the blackout can cause serious restriction of activities.

The potential damage corresponds to the affected area, the duration of the blackout, the technological dependence and the level of the security environment. The damage is determined differently for each object. Personal damage is calculated from the damage to property and the damage to health. Currently, the damage to a company or another legal entity is calculated from the damage to property and the loss of profits. The damage to the state, the


country or the region is calculated differently, namely according to the GDP decline, or as the loss of income tax and paid work.

The potential relevance of the blackout is the threat it forms for the critical infrastructure system and thus for society. The level of potential relevance can be determined by the number of forces and resources (Integrated Rescue System) needed for crisis resolution.

2.2 Leakage of Dangerous Substance

The leakage of a dangerous substance is a really serious threat for society. It is the phenomenon in which a dangerous substance (flammable, explosive, toxic, radioactive or corrosive) escapes into an environment which is not intended for its storage, transport or processing. Dangerous substances are used in most industrial processing, so most leakages of a dangerous substance can cause really serious damage. The main attributes of the leakage of a dangerous substance are:

• The level of chemical hazard;
• The amount of dangerous substance;
• The time of occurrence of the substance in the environment.

The leakage of a dangerous substance presents the main threat for the occurrence of health damage, death, property damage and damage to the environment. The leakage is the consequence of a security breach in the processing, distribution or transfer of the dangerous substance. All three attributes are always related to each other.

2.2.1 Main Sign of the Leakage of Dangerous Substance

The leakage itself is definitely the main sign. The main factors of the leakage of a dangerous substance are the properties of the substance and its amount. Further accompanying factors are the speed of the leakage (immediate, long-term) and the protective resistance of the environment.

Damage is connected with every leakage of a dangerous substance. It can be divided into potential damage and real damage. The potential damage is that caused by failing to resolve the security breach (maximum damage), and the real damage is that resulting from the relationship between the leakage and the work of the integrated rescue systems (rescue and disposal work).

Contamination of the place of the leakage appears with every leakage of a dangerous substance. Contamination is a phenomenon which can be resolved by rescue and disposal work. Sometimes the contamination can be so low that the danger is negligible for society, but there are also contaminations which are enormous and global, and which are nevertheless negligible for global society too.

The relevance of the leakage of a dangerous substance is the threat it forms for the critical infrastructure system and thus for society. The level of potential relevance can be determined by the number of forces and resources (Integrated Rescue System) needed for crisis resolution.

2.3 Terrorist Attack

The terrorist attack is a really specific act. Its target is the intimidation and influencing of the target society. The basic characteristic of terrorism is the commission of terror. The reason for terror is the enforcement of the attacker's own ideas, culture or religion, and profit too. The main terrorist attack attributes are:

• Destruction;
• Spreading fear;
• Addressing the widest circle of people;
• Deviation of the personality of the attacker (terrorists).

Currently the number of terrorist attacks is increasing, and the reasons for the increase are


globalisation, the economic policy of major states, international armed conflicts, and the suppression of religious or political interests by major states.

2.3.1 Main Sign of Terrorist Attack

Carrying out an attack is the first and main sign of a terrorist attack. The attack can be defined by the attacker's target. The target of the attack is the enforcement of the attacker's own ideas, attention and intimidation. The attack on life and health is only the instrument for attaining the target. The attack can also be defined by the method of execution, and the method of execution is influenced by the organisational and financial possibilities of the terrorist organisation or other society.

The attacker's personality is perceived in a dual way. The attacker is perceived as an individual person, as evil, or as someone who caused the whole situation. The "target society" has difficulty understanding the global reasons for terrorism and its own fault, but in the attacker's society the attacker is a hero and someone who sacrificed himself.

The target of a terrorist attack is the enforcement of the attacker's own ideas, intimidation, culture, religion and profit too.

The damage can be defined as the secondary target of the attacker. The secondary target causes enormous damage to health, deaths and damage to the environment. The primary target is the enforcement of the attacker's own ideas.

Illegality belongs to every terrorist attack in every society. Illegality is defined in the rule of law, which means that illegality is defined by the danger to society and by legal punishment. In fact any activity belonging to the preparation of a terrorist attack is illegal and is covered by the law.

The relevance of the terrorist attack is the threat it forms for the critical infrastructure system and thus for society. The level of potential relevance can be determined by the damage to health, deaths and damage to the environment.

2.4 Cyber-attack

The cyber-attack is a phenomenon which appears every day and perhaps every minute. A cyber-attack is an activity, usually carried out by a person or a group of people. These people use their own knowledge or special software (malware, rootkits), and their reasons are stealing information, gaining a new advantage for themselves or someone else, domination, causing damage, and interrupting the functionality of the target or destroying it. Currently the cyber-attack is a really serious threat, and the most dangerous attack is ransomware. Ransomware encrypts the victim's data. The attacker can blackmail the victim, because the victim can get their own data back only for money. The main cyber-attack attributes are:

• Profit or advantage;
• Hidden identity of the attacker;
• Controlling or monitoring targets.

2.4.1 Main Sign of Cyber-attack

Performing an attack is the basic sign of a cyber-attack. The target of the attack is controlling the victim's information system, and the reasons for the cyber-attack are stealing new information, causing damage, and interrupting the functionality of the target or destroying it. A further target can be monitoring the victim's information system and thus searching for information too.

The attacker's identity is hidden, and everything the attacker does is illegal. The attacker can be one person, but may also be a person working for some group of people, for a company or for a state service. There can be more than one attacker too. The level of the attack is influenced by the knowledge, experience and further possibilities of the attacker. There are two types of cyber-attack. The first type uses social engineering. The second type is an attack


when someone uses knowledge of IT or software engineering.

The target of a cyber-attack is profit or advantage for the attacker. The attacker can sell the stolen data or can use the new advantage. The second possibility is using the cyber-attack to cause damage, which means that the attack can interrupt the functionality of the target or destroy it.

The damage can be defined as loss of profit, the price of the stolen data, response and recovery costs and further costs. Firstly, the damage is direct, afflicting a person or a company when the damage is caused directly to the target. Secondly, the damage is indirect, afflicting people who are not the target, for example the customers of the company which is the target of the cyber-attack.

Illegality belongs to every cyber-attack in every society. Illegality is defined in the rule of law, which means that illegality is defined by the danger to society and by legal punishment. In fact any activity belonging to the preparation of a cyber-attack is illegal and is covered by the law.

The relevance of the cyber-attack is the threat it forms for the critical infrastructure system and thus for society. The level of potential relevance can be determined by the damage to health, deaths and damage to the environment.

3 THE COMMON ATTRIBUTES OF SECURITY BREACH

Six basic common attributes of security breaches were defined from the analysis. The purpose of the research is the search for common attributes, and working with the common attributes too. It can be assumed that we can make an instrument or an application which will be able to determine the right course of risk analysis for a universal asset. We suppose that this is the right way to maximal protection.

3.1 Common Attributes

• The type of security breach (cause, sector, area of emergence);
• The time course of the security breach (immediate change; slow, fast or gradual development);
• The range of the security breach (point, area);
• The direction of the security breach (unidirectional, bidirectional);
• The size of the security breach (the level of threat);
• The impact on a reference object (the damage: life, health, property and environment).

4 USE OF SECURITY BREACH TYPOLOGY IN PRACTICE

The formation of common attributes introduces the basis for a new typology of security breaches. The new typology can classify security breaches, and it can provide:

• A system view of security breaches and easy analysis of new types of security breach;
• Assessment of security breach types by their attributes;
• Monitoring of new trends in new types of security breach;
• Generalisation of the same types of security breach;
• Transfer of protection from the same types of security breach to new types;
• Improved prevention as the basic system for minimising the number of security breaches.

If new types of security breach are detected, we can carry out a new analysis of the security breach using all the attributes and signs, and we can transfer all existing ways of protection from the existing types of security breach.


5 THE CONCLUSION

It was found that the terrorist attack and the cyber-attack have similar attributes and signs, and that the leakage of a dangerous substance and the blackout have similar attributes and signs too. The new common attributes of security breaches define the general development of a security breach. Relevance as a common attribute exists only for a strategic object; the strategic object can be an element of critical infrastructure.

The next step will be the analysis of new attributes, and we are going to research the possibilities for creating a new typology of security breaches.

If we can create a new typology of security breaches, we can suppose that all the information can be used to create a new methodology for risk analysis, because risk analysis is the main part of risk management.


The Strategy of Brazilian Government to Improve the Information Security


Risk Management and the Cyber Security in Brazilian Public Sector

Anderson Araújo, Loriza Melo, Luiz Henrique Andrade, Jansen Fonseca, José Ney Lima, Juliana
Moreira, Rodrigo Maeda, Tássio Silva

Ministry of Planning, Development and Management


Secretariat of Information and Communication Technology
Presidency Of The Republic
Information Technology National Institute
Brasília-DF / Brazil

anderson.araujo@iti.gov.br; {loriza.melo, luiz.sandrade, jansen.fonseca, joseney.lima,


juliana.m.moreira, rodrigo.maeda, tassio.silva}@planejamento.gov.br

ABSTRACT

This paper presents the Strategy of the Brazilian Government to improve Information Security Risk Management and Cyber Security in the Brazilian Public Sector (BPS). It presents the Information Security Risk Management Methodology for the BPS and its support tool, based on best practices consolidated in international standards and considering the needs identified within the Brazilian public agencies. This initiative aims to bring a greater level of protection to Information Assets and Information and Communication Technologies in the scope of the Brazilian Public Sector. It also aims to create a risk management culture within the BPS and to optimize investments in Information Security and Cyber Security.

KEYWORDS

Risk Management, Information Security, Cyber Security, Public Sector.

1 INTRODUCTION

In the scope of the Brazilian Public Sector (BPS), the maturity level of Information Security (IS) and Cyber Security is very important to guarantee the provision of services to Brazilian society, especially in critical sectors such as energy, transportation, telecommunications and finance. Furthermore, it helps to prevent acts of espionage, terrorism, fraud and crime, which threaten sovereignty, individual rights and privacy.

Surveys carried out in Brazilian public agencies [1] suggest that, even with the important initiatives launched by the Brazilian government over the last 15 years [2], there is a need for strategic action to improve information security and cyber security within the Brazilian public sector.

This context led to the elaboration of an Information Security Risk Management Methodology and its Support Tool, available to all Brazilian public agencies. The main goal is to systematize risk management in order to provide objective information that makes threat identification more effective and guides the adoption of cost-effective controls. Another goal is to disseminate a culture of risk management in the BPS. It aims at a practical approach that leads to a higher level of protection of Information Assets and Information and Communication Technologies (ICT) in the scope of the BPS.

2 RELATED INITIATIVES

Several guidelines for the improvement of IS and Cyber Security in the scope of the BPS can be identified, such as the Brazilian Information Access Law, which establishes differential treatment for classified information [3]. Also noteworthy is the framework published by the Institutional


Security Office of the Presidency of the Federative Republic of Brazil (GSI/PR) in recent years, in particular the regulation [4], which presents guidelines for Information Security Management and sets the process of Information Security Risk Management for the BPS.

Information Security Risk Management (ISRM) is recognized as an effective way to deal with IS issues systematically, focused on optimizing and prioritizing investments. The standard [5] presents an approach to establish, implement, operate, critically analyze, maintain, improve and monitor an IS Management System. A critical element identified is the need for a model for risk analysis, assessment and acceptance; this point is addressed by the standard [6].

Another initiative related to the IS Risk Management Methodology and a Support Tool is the IT-Grundschutz methodology [7], developed by the German Federal Office for Information Security (BSI), which establishes an IS Management System that aims to "achieve and maintain an appropriate level of Information Security".

In addition, there is the importance of the approach [8] of the National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, which integrates best risk management practices in ICT, complemented by [9], which presents a guide for conducting the risk assessment activity. As a highlight, we have the abstraction of layers to address risks presented in Figure 1.

Figure 1. Set of layers to address risks

3 THE STRATEGY OF THE BRAZILIAN GOVERNMENT TO IMPROVE INFORMATION SECURITY RISK MANAGEMENT IN THE BRAZILIAN PUBLIC SECTOR

In order to guarantee the provision of services to citizens and organizations, especially in critical sectors such as energy, transportation, telecommunications and finance, and to prevent acts of espionage, terrorism, fraud and crime, which threaten sovereignty, individual rights and privacy, the Brazilian Government decided to standardize the procedures for dealing with information security risks, applicable to all Brazilian public agencies: the Information Security Risk Management Methodology (MGR-SISP).

In addition, this strategy includes providing, for all Brazilian public agencies, a cloud computing service in order to make threat identification more effective and guide the adoption of cost-effective controls, helping the Brazilian public agencies to reach a higher level of protection of their Information Assets and Information and Communication Technologies (ICT): the Support Tool for the MGR-SISP (FAMGR-SISP).

The following is a brief presentation of the MGR-SISP and its Support Tool (FAMGR-SISP).

3.1 Structuring and Representation

The MGR-SISP is composed of processes, which in turn are decomposed into activities, and these into tasks. The processes are associated with specific partial objectives related to risk management, and they are defined based on the main phases established in ISO/IEC 27005, 2011 [6].

Each process is characterized by descriptions and workflow diagrams. Each activity (of each process) is characterized by the following elements: name; description; workflow; task descriptions and their responsible role; condition to be fulfilled; information used; information produced; condition to be completed; templates and examples.


The MGR-SISP processes and activities generate information that must be evaluated and validated (usually by a role at a higher risk management level) at the end of the process or activity. Repetitions of information-gathering and decision-making activities are also foreseen, as are repetitions of processes where the information is inadequate or insufficient to support decision-making.

The MGR-SISP also establishes roles (actors), following the idea described in NIST 800-39, 2011 [8], with actions and responsibilities at all levels of the organization, namely: i) Representatives of the High Administration; ii) Risk Managers; iii) Heads of Organizational Units; and iv) Asset Owners.

3.2 Processes and Activities

Figure 2 shows the workflow of the MGR-SISP processes. The processes and activities, described briefly below, are carried out with the support of FAMGR-SISP.

Figure 2. Workflow of the MGR-SISP

Context Establishment (CE)

This process addresses the points to be defined before the organization starts using MGR-SISP and FAMGR-SISP. The main activities and tasks are:

• To define roles and responsibilities and to allocate human resources.
• To define the goals of ISRM, the scope, and the constraints.
• To conduct a pre-analysis of the organization, through an evaluation questionnaire based on the Safety Level Assessment Method [10].
• To carry out a pre-analysis of the organizational units, also through an evaluation questionnaire in each unit (sector). The goal is to evaluate the criticality level of its primary assets (business processes and information) with respect to the attributes Confidentiality, Integrity, Availability and Authenticity, on a scale between 1 and 5.
• To define criteria. This activity defines the support questions that guide the evaluations carried out in later activities, in which the consequences and probabilities of risks are placed in 5 classes (following NIST 800-30, 2011 [9]):

1 Very Low (VL)
2 Low (L)
3 Moderate (M)
4 High (H)
5 Very High (VH)

The information generated by this process is the basis for all subsequent actions.

Risk Identification (RI)

This process identifies the existing risks and the adequacy of the controls used by each organizational unit. It gathers several pieces of information (simultaneously and independently) which are validated by the Risk Manager.

The heads of each organizational unit (and/or asset owners) must identify and document the assets (business processes, hardware, software, physical locations, etc.) and their related information. FAMGR-SISP filters, from a generic list of threats, those that apply to each type of asset, in order to facilitate the identification and description of the threats associated with the assets. Similarly, for each threat, FAMGR-SISP filters, from a generic list of controls, those that protect the asset from the threat. The status of each control should be investigated, documented and evaluated as one of: not implemented, implemented, or not applicable. Finally, for each control that is not implemented, FAMGR-SISP filters, from a generic list of vulnerabilities, those related to the lack of controls for the threats to the assets, also assisting in the identification and documentation of vulnerabilities. All the information is consolidated in a Risk Map.


Risk Analysis (RA)

This process estimates each identified risk and must be performed in each organizational unit. The units may execute it simultaneously and independently of one another.

It begins with the identification and evaluation of the possible consequences of each risk. For each asset and threat (a risk), the FAMGR-SISP presents registered support questions so that the person responsible can estimate the consequence of the risk for each attribute (Confidentiality, Integrity, Availability and Authenticity), assigning it to a class (VL, L, M, H, VH). The same applies to probability estimation, which assigns the risk to one of the classes (VL, L, M, H, VH). The consequences of the risks and the justifications for the estimates should be documented. Based on the estimates made, the FAMGR-SISP generates, by applying a consequence-probability matrix, the estimated level (a numerical value between 1 and 9) and the class (VL, L, M, H, or VH) of each risk. Estimates are generated separately in each unit of the organization. The Risk Map is updated by associating one level with each risk (threat to asset).

Risk Evaluation (RE) and Risk Treatment (RT)

In these processes the risks are evaluated and treated. The risks of all organizational units are consolidated into a single Risk Map, which presents all risks sorted by level in decreasing order. At this point it is decided whether to return to previous processes for more information or to refine them.

All this information is used to decide how to treat each risk: reduce, retain, transfer, or avoid. It also allows planning for future actions.

For each risk and each treatment alternative, cost and time estimates should be made, and possible constraints should be raised. In particular, for the "reduce risk" option, the FAMGR-SISP recovers information on the controls that are not implemented. Each of these controls represents a treatment option (implementing the control), for which the estimates must be made.

The consolidated and ordered Risk Map, with the risk treatment options and their respective estimates, is used to make decisions about the treatments to be performed. The decisions should be documented, as should the way the risks will be monitored. Finally, Risk Management Plans (RMP) should be developed and allocated to a role.

Risk Communication (RC) and Risk Monitoring (MR)

These processes address communication and monitoring activities, which are embedded in the other processes and are also supported by FAMGR-SISP. In addition to these, we highlight the activities of monitoring the execution status of the RMPs, monitoring the risks, and identifying the need for reassessments.

4 THE ARCHITECTURE OF THE FAMGR-SISP

The FAMGR-SISP is a service that will be provided by the cloud computing infrastructure of the Secretariat of Information Technology of the Brazilian Ministry of Planning, Development and Management. It is available to all Brazilian Public Agencies, including, as a future view, public agencies from other units of the federation, from the judicial system and from the legislative branch. Figure 3 presents the architecture of the FAMGR-SISP.

[Figure 3: the FAMGR-SISP at the centre, serving the ISRM of Federal Public Agencies, Public Agencies of States, Public Agencies of Municipalities, the Judicial System and the Legislative branch]

Figure 3. Architecture of FAMGR-SISP
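The Risk Identification, Risk Analysis and Risk Evaluation steps described above, as an added Python example that is not FAMGR-SISP code: it filters threats, controls and vulnerabilities from generic lists, derives each risk's level and class, and consolidates the units into one Risk Map. The generic lists, the additive consequence-probability matrix, the rule of taking the worst attribute consequence, and the level-to-class banding are assumptions, since the paper does not publish them.

```python
# Added example, not FAMGR-SISP code. Constructed assumptions: the generic
# lists, the additive 5x5 consequence-probability matrix (levels 1..9), the
# "worst attribute" combination rule and the level-to-class banding.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLASSES = ["VL", "L", "M", "H", "VH"]  # the paper's five classes
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability", "Authenticity")

# Constructed generic lists: the paper's "risk list concept".
THREATS_BY_ASSET_TYPE = {
    "server": ["malware", "unauthorised access"],
    "document": ["unauthorised disclosure"],
}
CONTROLS_BY_THREAT = {
    "malware": ["antivirus", "patch management"],
    "unauthorised access": ["access control", "logging"],
    "unauthorised disclosure": ["classification", "access control"],
}
VULNERABILITY_FOR_MISSING_CONTROL = {
    "antivirus": "no malware protection",
    "patch management": "unpatched software",
    "access control": "weak access restrictions",
    "logging": "no audit trail",
    "classification": "unclassified information",
}

@dataclass
class Risk:
    """One threat to one asset in one organizational unit."""
    unit: str
    asset: str
    threat: str
    controls: Dict[str, str]  # control -> implemented / not implemented / not applicable
    vulnerabilities: List[str] = field(default_factory=list)
    consequences: Dict[str, str] = field(default_factory=dict)
    probability: Optional[str] = None
    level: Optional[int] = None
    risk_class: Optional[str] = None

def level_from_matrix(consequence: str, probability: str) -> int:
    """Constructed matrix: row index + column index + 1, so 1 (VL,VL) .. 9 (VH,VH)."""
    return CLASSES.index(consequence) + CLASSES.index(probability) + 1

def class_from_level(level: int) -> str:
    """Constructed banding: 1-2 VL, 3-4 L, 5-6 M, 7-8 H, 9 VH."""
    return CLASSES[min((level - 1) // 2, 4)]

def identify_risks(unit: str, asset: str, asset_type: str,
                   control_status: Dict[str, str]) -> List[Risk]:
    """Risk Identification: threats filtered by asset type, controls by threat,
    vulnerabilities from controls not implemented (unrecorded = not implemented)."""
    risks = []
    for threat in THREATS_BY_ASSET_TYPE[asset_type]:
        controls = {c: control_status.get(c, "not implemented")
                    for c in CONTROLS_BY_THREAT[threat]}
        vulns = [VULNERABILITY_FOR_MISSING_CONTROL[c]
                 for c, status in controls.items() if status == "not implemented"]
        risks.append(Risk(unit, asset, threat, controls, vulns))
    return risks

def analyse_risk(risk: Risk, consequences: Dict[str, str], probability: str) -> Risk:
    """Risk Analysis: a class per attribute and a probability class give level and class."""
    missing = set(ATTRIBUTES) - set(consequences)
    if missing:
        raise ValueError(f"no consequence estimate for {sorted(missing)}")
    if any(v not in CLASSES for v in [*consequences.values(), probability]):
        raise ValueError("estimates must be one of VL, L, M, H, VH")
    risk.consequences, risk.probability = dict(consequences), probability
    worst = max(consequences.values(), key=CLASSES.index)  # assumption: worst attribute
    risk.level = level_from_matrix(worst, probability)
    risk.risk_class = class_from_level(risk.level)
    return risk

def consolidate(per_unit: List[List[Risk]]) -> List[Risk]:
    """Risk Evaluation: one Risk Map for all units, sorted by level, decreasing."""
    risks = [r for unit_risks in per_unit for r in unit_risks]
    if any(r.level is None for r in risks):
        raise ValueError("analyse every risk before consolidating")
    return sorted(risks, key=lambda r: r.level, reverse=True)

def reduce_options(risk: Risk) -> List[str]:
    """Risk Treatment, 'reduce' option: each non-implemented control is one alternative."""
    return [c for c, status in risk.controls.items() if status == "not implemented"]

def build_sample_risk_map() -> List[Risk]:
    """Two units analysed independently, then consolidated (constructed data)."""
    unit_a = identify_risks("Unit A", "file server", "server",
                            {"antivirus": "implemented", "logging": "not applicable"})
    analyse_risk(unit_a[0], {"Confidentiality": "L", "Integrity": "H",
                             "Availability": "VH", "Authenticity": "M"}, "M")
    analyse_risk(unit_a[1], dict.fromkeys(ATTRIBUTES, "M"), "L")
    unit_b = identify_risks("Unit B", "HR records", "document",
                            {"classification": "implemented", "access control": "implemented"})
    analyse_risk(unit_b[0], {"Confidentiality": "VH", "Integrity": "VL",
                             "Availability": "VL", "Authenticity": "VL"}, "VL")
    return consolidate([unit_a, unit_b])
```

Each entry of the returned map carries its controls, the vulnerabilities derived from the missing ones, the level and class, and `reduce_options` lists the treatment alternatives the paper describes for the "reduce" decision.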

5 FINAL CONSIDERATIONS

Earlier versions of the MGR-SISP were evaluated by IS experts and BPS experts, resulting in modifications that led to the content described herein. The FAMGR-SISP is being used in a validation stage, a pilot project running in some Brazilian public agencies.

It is important to highlight that several points of the methodology and the tool were established in order to meet the needs and constraints identified in the BPS, such as:
i. compliance with existing laws, standards and the IS strategy for the BPS;
ii. flexibility and applicability to organizations with different needs and realities, leading to the incorporation of pre-analysis for the diagnosis of needs;
iii. practicality, since FAMGR-SISP implements the risk list concept, which will serve as a reference for the Republic analysis and treatment of risks to the assets, streamlining the processes of Risk Identification and Risk Analysis. These lists contain the major risks that can affect the assets of the organization and list the key elements of each risk, such as vulnerability, threat and control. For each risk, its impact and probability, as well as its impact on availability, integrity, confidentiality and authenticity, may also be recorded. The list should be created by process experts and system or technology experts, so that analysis and treatment can be performed by any professional, as it will serve as a guideline for the asset.

In addition, Table 1 presents a comparative analysis with recent research articles considering the following specific features:
1 – Does the research consider the risk management process in the public sector or in the private sector?
2 – Does the risk management approach consider all organizational units or all public agencies (integrated approach), or only one organizational unit or one public agency (isolated approach)?

Table 1. Comparative analysis with recent research articles considering specific features of study

Paper | Feature 1 | Feature 2
This paper | Public | Integrated
Vijayakumar, A. N.; Nagaraja, N. Internal Control Systems: Effectiveness of Internal Audit in Risk Management at Public Sector Enterprises. BVIMR Management Edge. 2012, Vol. 5 Issue 1, p1-8. 8p. | Public | Isolated
Ezeosa Dafikpaku. The Strategic Implications of Enterprise Risk Management: A Framework. In: Enterprise Risk Management Symposium. Society of Actuaries, March 14-16, 2011. | Private | Integrated
Dong-Young Yoo, Jong-Whoi Shin, Gang Shin Lee, and Jae-I Lee. Improve of Evaluation Method for Information Security Levels of CIIP (Critical Information Infrastructure Protection). International Scholarly and Scientific Research & Innovation 1(12), 2007, World Academy of Science, Engineering and Technology. | Public | Isolated


REFERENCES

[1] BRAZIL, Federal Court of Accounts. “Evaluation of Information Technology Governance in the Brazilian Federal Public Administration”. Avaliação da Governança de Tecnologia da Informação na Administração Pública Federal. Brasília: 2012.

[2] BRAZIL, Presidency of the Republic. Institutional Security Office. Information Security and Communications Department. “National Strategy for Information Security and Cyber Security in Brazilian Federal Public Administration”. Estratégia de Segurança da Informação e Comunicações (SIC) e de Segurança Cibernética da Administração Pública Federal (APF). Brasília: 2015.

[3] BRAZIL, “Access to Information Law”. Lei de Acesso à Informação. Brasília: November, 2011.

[4] BRAZIL, Presidency of the Republic. Institutional Security Office. Information Security and Communications Department. Complementary Regulation NC 04/IN01/DSIC/GSIPR: “Guidelines for the Information Security and Communications Risk Management Process for the Federal Public Administration”. Diretrizes para o processo de Gestão de Riscos de Segurança da Informação e Comunic. nos órgãos e entidades da Administração Pública Federal. Brasília: 2013.

[5] Brazilian Association of Technical Standards. ABNT NBR ISO/IEC 27001 - “Information Technology, Security Techniques, Information Security Management Systems, Requirements”. Tecnologia da informação, Técnicas de Segurança, Sistemas de Gestão da Segurança da Informação, Requisitos. Rio de Janeiro, 2013.

[6] Brazilian Association of Technical Standards. ABNT NBR ISO/IEC 27005 - “Information Technology, Security Techniques, Information Security Risk Management”. Tecnologia da Informação, Técnicas de Segurança, Gestão de Riscos de Segurança da Informação. Rio de Janeiro, 2011.

[7] BSI Standard 100-2 - “IT-Grundschutz Methodology”, Version 2.0, May 2008.

[8] NIST 800-39 – “Managing Information Security Risk”, 2011. Available at: <http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf>.

[9] NIST 800-30 – “Guide for Conducting Risk Assessment”, 2011. Available at: <http://csrc.nist.gov/publications/nistpubs/800-39/SP800-30final.pdf>.

[10] Dong-Young Yoo, Jong-Whoi Shin, Gang Shin Lee, and Jae-I Lee. “Improve of Evaluation Method for Information Security Levels of CIIP (Critical Information Infrastructure Protection)”. International Scholarly and Scientific Research & Innovation 1(12), 2007, World Academy of Science, Engineering and Technology.

[11] Brazilian Association of Technical Standards. ABNT NBR ISO/IEC 31010 - “Risk Management: Techniques for the process of risk assessment”. Gestão de Riscos: Técnicas para o processo de avaliação de riscos. Rio de Janeiro, 2012.

[12] BRAZIL, Presidency of the Republic. Institutional Security Office. Information Security and Communications Department. Complementary Regulation NC 02/IN01/DSIC/GSIPR: “Information and Communications Security Management Methodology”. Metodologia de Gestão de Segurança da Informação e Comunicações, 2008.

[13] BRAZIL, Presidency of the Republic. Institutional Security Office. Information Security and Communications Department. Complementary Regulation NC 03/IN01/DSIC/GSIPR: “Guidelines for the Elaboration of Information and Communication Security Policy in the Federal Public Administration”. Diretrizes para a Elaboração de Política de Segurança da Informação e Comunic. nos Órgãos e Entidades da Administração Pública Federal, 2009.


Project of building Security in Zoological garden

Miroslav Budín
Tomas Bata University in Zlín, Czech Republic
budin@fai.utb.cz

ABSTRACT

The introductory part presents an analysis of the possibilities of physical security systems. This part is supplemented by an analysis of the characteristic properties of selected zoological garden objects with respect to their security. The crucial output of this work is the security design of the object model, developed on the basis of the security assessment. The conclusion provides information about modern technical security devices suitable for application in zoological garden buildings.

KEYWORDS

zoological garden, security, intrusion alarm system, animal.

INTRODUCTION

Not all of us realize that zoos are sanctuaries for endangered species as well as places to conduct scientific research on them. Zoos also allow the public to learn about the wild while relaxing and having a good time. The rare animal trade is a serious global problem, and in terms of smuggling and theft of animals and plants, Czechs are dishonourably high up in the notional rankings. Zoos provide the opportunity for such parties to pursue their criminal objectives.

The use of technology to secure zoos can be divided into three categories. Firstly, zoos naturally attract large numbers of visitors, and that carries the potential for terrorist attacks. Secondly, zoos frequently experience theft of rare species for subsequent sale on the black market. Finally, zoos store drugs that can be used to create illegal narcotics.

1. SIGNIFICANCE OF ZOO SECURITY

From AD 1 until the year 1800, one animal species went extinct approximately every 55 years. In the 19th century, that interval decreased drastically to only 18 months, and since 1900, several species have gone extinct every year. [4] In the interest of conserving animal species for future generations, the protection of animals is the most important criterion for the existence of zoos. Zoos serve as scientific and educational institutions for breeding animals in captivity in conditions that resemble natural life in the wild as closely as possible. Today, roughly 3% of the planet’s known animal species are kept in zoos all over the world.

Zoos are members of various global and regional organizations, such as WAZA, EAZA, and others, which provide them with support in their breeding and conservation efforts. The primary goal of these joint activities is the return of endangered species to the wild and the safeguarding of genetic diversity among them.


1.1. Origins of zoos

The origins of building zoos date to the beginnings of agriculture; however, the first zoo was built in the middle of the 15th century. The discovery of America (12 October 1492) led to important contributions to European collections, not only because Europeans were seeing many yet unknown animals that lived on the American continent at the time, but also because they were discovering the rare collections of the Maya, Inca, and Aztec civilizations. Between the 16th and 18th centuries, animals were being brought to Europe from all over the world. The most important collections of animals were in Vienna, Paris, and London. By opening these collections to the public for educational and research purposes, the foundations for the creation of the modern zoo, as we know it today, were laid.

The 19th century is considered the golden age of zoos. In this period, modern zoos were founded in the form we know to this day (e.g., Jardin des Plantes in Paris and Regent’s Park Zoo in London). Natural history museums and botanical gardens were also gaining in importance. This was fundamentally driven by the voyages of Charles Darwin, who brought back new specimens of exotic plants and animals from all corners of the world. [5] By the end of the 19th century, another 100 zoos had been established, 18 of which were in the United States of America. Previously unknown regions of the dark continent, South America, and Indonesia were giving up their natural riches for them. The populations of wild animals seemed to be invulnerable. Ships and trains provided faster transport, and the captured animals had a chance of surviving the journey. [1]

1.2. List of selected foreign zoological gardens

There are approximately 2,700 registered zoos throughout the world. Half of the ten most important zoos are in Europe.
• ZOO Linz, 110 different species, founded 1964, Wingflachweg 1, 4040 Linz [www.zoo-linz.at];
• Tiergarten Schönbrunn Wien, 700 different species, founded 1752, Maxingstraße 13b, 1130 Wien [www.zooviena.at];
• Attica Zoological Park, 350 different species, founded 2000, Spata, 190 04 Athens [www.atticapark.com];
• ZOO Berlin, 1500 different species, founded 1844, Hardenbergplatz 8, 10787 Berlin [www.zoo-berlin.de];
• ZOO Zürich, 340 different species, founded 1925, Zürichbergstrasse 221, 8044 Zürich [www.zoo.ch];
• Parc Zoologique de Paris, 180 different species, founded 1934, Parc Zoologique de Paris, 53 avenue de Saint Maurice, 75012 Paris [www.parczoologiquedeparis.fr];
• London ZOO at low Prices, 800 different species, founded 1828, Regent`s Park, London, NW1 4RY [www.londonpass.com/London-zoo].

1.3. Legislative requirements

The legislative requirements for establishing and operating zoos comprise a group of regulations relating to animal breeding and the conditions under which scientific research is to be carried out. The second group is the protection of animals, the establishment of rules for international trade, and the fight against poaching and smuggling. The third group consists of requirements for establishing and operating premises intended for animal breeding as well as those intended for zoo operations.

The legislation that governs the operation of zoos is based on the requirements of the directives and regulations of the European Union and the European Commission. European law is based on the United Nations Universal Declaration on Animal Welfare, which was drafted by WSPA, a global organization for the protection of animals. The goal of uniform legislation is to secure adequate protection for animals not only in countries of the European Union but also in terms of animal conservation on the planet. The EU legislation also creates the conditions for Europe’s zoos to participate in global animal protection programmes.

Zoos are such complicated facilities that legislation and normative requirements from a wide range of fields must be applied, from zoology to medicine, the establishment and operation of premises, and, last but not least, regulations on science, research, and education.

2. BASIC ASPECTS OF PHYSICAL SECURITY OF OBJECTS

Guaranteeing physical security on zoo premises is a complicated and continuously evolving process. Zoos are vulnerable to a wide variety of contemporary threats, such as terrorist attacks, assault, theft of rare plants and animals, drugs, and funds, various activities of sexual deviants, and misdemeanours, for example pickpocketing. Modern devices and methods of physical and electronic premises security are available to counter these modern-day threats.

2.1. Regime measures

The purpose of regime measures is to establish principles, rules, and authorization for the movement of employees and other persons throughout the zoo premises, the methods for handling important security elements, rules for conducting security checks, etc. [3].

Zoos require the establishment of regime measures for the rules governing:
• movement of zoo employees, part-time workers, interns, etc.;
• movement of visitors, children, and disabled persons;
• movement of employees of vendor companies, including movement of materials, goods, utility services, etc.;
• zoo employee alcohol and/or drug testing;
• movement of medical personnel and accompanying individuals;
• securing the transfer of animals outside of their pavilions;
• physical security activities;
• provision of regular worker training;
• safeguarding the operation, regular inspection, and maintenance of technological security devices.

2.2. Physical security

Security guards provide both permanent and temporary surveillance on zoo premises. With respect to the character and operation of such premises, this is a nonstop, multiple-shift service.

Zoos are also visited in great numbers by foreign tourists; therefore, it is necessary that selected security personnel speak at least one world language, especially workers providing security at the main entrance, carpark, and certain pavilions, and at least one member of the field response team.


2.3. Technological security

Together with physical security, the components of technological security represent the basic security measures for the premises. The objective of technological components is to support the implementation of regime measures, enhance the operations of physical security, and deter intruders from their actions or make their actions considerably more difficult and prolong the time required for them to gain access to protected assets. [3]

The first essential step in creating suitable measures, and thus achieving the required state, is to prepare a comprehensive design for a system of physical security with multi-stage, automated, and sufficient breach resistance. In order to accomplish the required state of physical security, we must adopt and secure the necessary measures, both from the standpoint of the subsequent building of a physical security system and from that of providing effective regime measures.

Signals from alarm systems, electronic fire signalization, and other systems will be monitored in the zoo’s surveillance centre. Integration will be secured by means of system management software, which will also make it possible to carry out actions for other associated systems, such as control of lighting, heating and/or cooling, etc., depending on the operating mode.

3. ANALYSIS OF PROPERTIES OF CHARACTERISTICS OF ZOO PREMISES WITH RESPECT TO SECURITY POSSIBILITIES

Assessing the collective characteristics of zoo premises will be carried out by means of an analysis of characteristics. The goal of this analysis is also to extract information and then obtain realistic data for creating a reference model of the premises of the zoo. The basis for the analysis of the characteristics of zoo premises will be the selection of zoos according to size, specialization, and location throughout the Czech Republic.

In order to create a model premises for technological security, we will assess the aforesaid characteristic data according to the following parameters:
• the size of the premises and characteristics of the location;
• number of animals, species, workers – employees;
• pedestrian and automobile access points, outer perimeter;
• characteristics of buildings, premises;
• opening hours.

The selection of criteria for creating a premises model is only a representative sample. For future applications, the scope and number of parameters can be set according to specific requirements for technological security. The selection of criteria must be determined in compliance with the required degree of technological security.

Table Nr. 1 Resulting analyses of selected zoos

The chart of resulting values shows that the size of the model zoo premises is 40 hectares, situated at the edge of a city. The number of species is 400 out of a total number of 2,200 captive animals. The zoo premises is cared for by 110 employees. An access road leads to each zoo’s carpark, which is near the main visitor entrance. In addition to the road, there are also a tourist path and a bike path that lead to the zoo. The majority of the buildings are brick or wood. The model zoo premises will also include buildings with glass walls and other building materials.

Figure Nr. 1 Comparison of selected zoos

The column graph shows that for the representative sample from across the Republic, three larger and three smaller zoos were chosen. The resulting values demonstrate that there is no direct proportionality between the number of employees, the number of species, and the total number of individual captive animals.

Figure Nr. 2 Location of selected zoos

The location of the selected sample zoos is divided equally according to the stipulated criteria. In general, the selection of a locality for a zoo depends on many factors, but does not depend on city size. In the case of the selected samples, there is a zoo situated near the centre of both the largest and the smallest city.

The analysis of the selected zoos demonstrates that each zoo is unique; thus the values obtained for creating the premises model are crucial to the design of a technological security system. If we choose entry values for the analysis based on inadequate criteria, the results can have a negative impact, for example insufficient requirements for the provision of physical security. The future design of the technological security system may then contain weaknesses or even faults.

4. SECURITY ASSESSMENT OF THE PREMISES MODEL

Security assessment is part of the first stage of the process of establishing warning, security, and emergency systems, during which analysis is conducted on the secured values, buildings, and internal and external influences that might affect the warning, security, and emergency system.

The main objective of the security assessment is to determine, based on risk analysis and assessment of other influences, the required level of security as the starting point for designing the system. [2]

Using the analysis of the characteristics of the selected zoos in the Czech Republic, a premises model was created with the parameters hereunder, which will serve as the basis for the security assessment.

Table Nr. 2 Input parameters of the model object

4.1. Level of security

According to Czech technical standard ČSN EN 50 131-1, ed. 2, zoos are classified as level 1 security facilities. On the zoo premises, however, there are structures that the standard classifies at the following levels of security:
• Archive, registry: security level 2 - 3
• Cafeteria (no kiosk): security level 2
• Pharmaceutical, medical supplies: security level 2 - 3
• Ticket office, safe: security level 2 – 4
• Security command centre: security level 3

4.2. History of theft, other incidents

Analysis of the history of theft and other criminal acts confirms that zoos are the target of theft, and not only of animals; zoos are of interest to a variety of criminals. Damage assessments do not always represent realistic values or actual damage. If a zoo has devoted itself to an animal for several years, the damage is, from a breeding standpoint, inestimable.

Pickpocketing robs visitors of cash, identification, and other valuables. Vehicle break-ins primarily involve the theft of items left in vehicles, but may also include vehicle equipment (radio, navigation, etc.). There have even been cases of fuel being stolen from parked cars.

Theft of actual animals represents a serious danger to their lives and health, and is also a highly stressful experience with possible permanent consequences. Breaking into an animal pavilion with the intent of stealing physical objects can cause damage to and destroy the integrity of mechanical barriers, allowing animals to escape and exposing them to the risk of serious injury.

4.3. Risk analysis

A zoo is a closed complex, so the inner buildings experience the same degree of crime in the monitored areas. A higher degree of crime can be expected only for remote buildings or sections of them and their surroundings.

4.4. Other factors

The interior spaces of technical buildings with increased fire risk, gas boiler rooms, and adjacent spaces should be designated Environments with Class II Explosion Danger. When designing a technological security system, it is necessary to adhere to all regulations and normative standards.

From the standpoint of assessing the effects of the environment, animal pavilions represent a heavy burden on the components of technological security systems in the form of high humidity, temperatures, lighting, draughts, etc. In addition to demanding climatic conditions, pavilions for tropical animals contain moving plants. In their behaviour, animals present a great risk of damage both to components and to cabling.

The common denominator for negative external influences in zoos is reckless behaviour on the part of visitors, vandalism, and the weather.

The zoo is situated near a tram line and several hundred meters from an electrified train line. This means electrical devices can be affected by so-called stray voltage.

5. SECURITY DESIGN FOR MODEL PREMISES

In the previous chapters, we conducted a security analysis of the characteristics of the zoo premises, on the basis of which a model premises was created and used to produce a security assessment. We can use these documents to design a zoo premises security system for a specific customer.

The security design for the model zoo premises is the result of a process of characteristics analysis from the standpoint of technological security. The person preparing the design chooses from technologies currently available on the market and assigns them to specific buildings or sections of buildings.

5.1. Outer perimeter security

Fencing: reinforced concrete wall or chain-link fencing with a digging barrier, height 3 m.

Detection cables generally comprise two coaxial cables, one functioning as a transmitter (Tx), the other acting as a receiver (Rx). Slits are created in the shielding of the transmitter cable that allow electromagnetic energy to escape. Thanks to the slits in the shielding, this energy is detected by the parallel receiver coaxial cable. The electromagnetic field created around the detection cables forms a detection field, which also extends above the ground. [3] Detection cables can be laid in soil, concrete, or asphalt. The system management software can differentiate between human and animal. The outer perimeter can also be divided into individual zones depending on irregularities in the premises border and terrain complexity. Locating intruders is accurate to within one meter.

Outer perimeter security installations can also make use of the excavation work for laying outer perimeter warning, security, and emergency systems, CCTV camera points, utility lighting, and electronic access control for entrances and gates.

5.2. Administration building

Inner perimeter security will not be applied universally but rather only to those spaces with a higher security classification, such as the economics department, ticket office, archive, and security command centre. The windows of these spaces will be fitted with security bars. The exterior of buildings that make up the outer perimeter will be fitted with exterior cameras.

The entrance to the administration building will be fitted with an access system scanner, a surveillance camera, and an alarm, security, and emergency system control panel. Motion detectors will be installed in offices and hallways. Access control scanners and door locks will be used for the director’s office, meeting rooms, the economic department, ticket office, etc. Control panels will be located in the hallways so that employees can execute the necessary user commands on their floor.

5.3. Predator pavilion

The entrance to the predator pavilion will be equipped with a contactless card scanner, electronic lock, and surveillance camera. The interior spaces will be monitored by means of fixed cameras and other interior security elements. Arming and disarming the security alarm system will be conducted by means of the entry scanner. Openings in the structure of the utility section of the pavilion will be fitted with security bars.

The predator pavilion will be equipped with fire detectors and acoustic fire alarms. The alarms will be positioned so that animals are not subjected to unnecessary stress in the event of evacuation.

5.4. Cabling requirements

In spaces where there are animals, cabling must run beneath either the plaster or another form of protection against thieving animals.

5.5. Physical security

Vehicle entry to the zoo premises will be authorized only for those with permission from the zoo director and at times approved in advance. The rear gate may be opened only during regular hours of operation.


Permanent security in the zoo must cover the following:
 main entrance and vehicle entry gate;
 patrol activities;
 surveillance centre (security command centre);
 a field response team of at least 2 security workers.

Temporary security in zoos is possible:
 in animal pavilions during opening hours;
 in public buildings with fixed opening hours;
 in public spaces and pathways;
 in carparks.

6. SELECTED ANIMAL CHARACTERISTICS AND ABILITIES

Thanks to the diversity of nature, animals differ from other forms of life in ways that are often diametrically opposed to, and even incomprehensible to, our own. Unlike humans, animals are capable of sensing subtle vibrations in the ground, which means they can feel earthquakes and other natural catastrophes. Thanks to their sensitive perception of the planet's magnetic field, animals are able to navigate unknown territory with ease. The characteristics below matter for security design because detectors and lighting that are harmless to people can irritate or harm animals, or be destroyed by them.

6.1. Mammals
 the African elephant can reach objects as high up as 6 m; the giraffe reaches the same height. In the pavilions of these animals, cameras and detectors must be installed with consideration for the reach of these animals;
 the rhinoceros is more active at night than in the day and is irritated by bright colours, especially red. The LEDs of infrared camera illuminators glow red, so such illuminators are a poor choice in rhinoceros enclosures;
 the monkey is very agile, explores everything of interest and damages it. In the monkey pavilions, runs, and surrounding areas, no security elements can be installed that might irritate or harm the monkeys;
 bats emit signals at frequencies from about 15 kHz to 120 kHz, which they use to hunt and navigate. Their call-and-hearing system works like an echolocator, in human terms radar or sonar. It is therefore not recommended to install ultrasonic motion detectors in the vicinity of bats;
 horse hearing ranges from 31 Hz to 46 kHz, so the same rules apply as for bats;
 elephants hear low frequencies of 5 to 24 Hz;
 sharks have passive perception of electric fields.

6.2. Birds, other animals
 parrots need to sharpen their beaks, so they are constantly biting something; therefore, no perimeter security system components can be installed in their aviaries;
 birds see light in the ultraviolet spectrum;
 snakes see light in the infrared spectrum;
 low-frequency hearing in elephants ranges from 5 to 24 Hz, so they can hear sounds from several kilometres away.

7. MODERN TECHNOLOGICAL SECURITY DEVICES
Modern technological security devices available for application in zoos include


new methods for obtaining footage from CCTV, among which are the future use of pilotless aircraft and face recognition systems. Other modern technologies include intelligent building devices and software integrations.

Laser detectors provide a new way to detect motion in monitored areas. Thanks to a special assessment algorithm, laser detectors can determine the size, speed, and distance of a moving object. Laser detectors are capable of providing surveillance to a distance of up to 30 m and over an angle of 180 degrees.

Pilotless aircraft can now be built from ultralight materials with sufficient battery capacity and equipped to capture, process, and transmit digital camera footage. For technological security in zoos, pilotless surveillance aircraft make it possible to provide nearly immediate monitoring in the event of an intrusion or other incident.

Biometric systems make use of unique physiological features of living beings, here people, known as markers. Measurable biometric characteristics are scanned, processed, and evaluated. In order to guarantee security and the protection of personal data, the stored biometric data is encrypted. From the perspective of electronic entrance control there are two modes of operation: identification (matching a captured sample against all enrolled templates, one-to-many) and verification (matching it against the template of a claimed identity, one-to-one).

The advantages of using biometric identification methods are:
 universality – everyone has biometric characteristics;
 uniqueness – no two people share the same biometric characteristics;
 permanence – biometric characteristics are invariable over time;
 simplicity – biometric characteristics are quantitatively measurable, simple, and precise;
 acceptability – scanning biometric characteristics is easy and user friendly.

Face recognition systems rank among the continuously improving biometric technologies. The basis of such a system is a camera with very high resolution, a sufficiently fast transmission path, and powerful software. Based on unique biometric markers, the programme identifies individuals in a crowd. It can be used at football stadiums, for example, to identify fans or suspicious individuals. In terms of visitor numbers, zoos are comparable to football league matches. Given the ever-increasing threat of terrorist attacks, these systems are well suited to supporting camera surveillance systems.


CONCLUSION

Large modern zoos are home to animals from every continent; therefore, with a dose of hyperbole, it can be said that we must approach security in zoos as though we were protecting our planet. Each zoo is unique, so designing a technological security model is no easy task.

Based on a summary of the applicable regulations and requirements, we are able to determine the elementary aspects of the physical security of zoo premises and divide them into three main categories: regime measures, physical security, and technological security. Each category has clearly defined requirements for determining the aspects of physical security.

The next step in preparing a technological security system is an analysis of the characteristics of the zoo premises. Here it is important to determine the requirements for the selection of zoos so that the subsequent model corresponds as closely as possible to real requirements. For the purposes of this paper, six zoos were chosen with consideration for the diversity of their specific characteristics. Then the criteria for determining the specific characteristics were defined. Next, the obtained values were processed, and the result is a model of zoo premises. For the creation of the zoo premises model, a security analysis was conducted, including a risk analysis and the determination of the required level of security, as well as of other internal and external influences that could have a negative effect on system components. The design of the technological security system for the model premises encompasses outer perimeter security, the carpark, the administration building, and the predator pavilion.

In closing, this paper describes the possibilities of modern technological security. The current trend also involves connecting modern electronic devices to integrated warning system applications.


A Novel Semantic Framework for Cloud Service Ranking and Adoption


Richard Ikechukwu Otuka, Aloysius Adotey Edoh, Ameer Al-Nemrat
School of Architecture Computing & Engineering,
University of East London,
E16 2RD, London, UK.
U0749744@uel.ac.uk, a.a.edoh@uel.ac.uk, al-nemrat@uel.ac.uk

Abstract

In order to tackle the slow adoption of cloud services by SMEs, a semantically engineered framework, modelled on a case study of advertised cloud service provider offerings, is proposed. A novel version of the Analytic Hierarchy Process (AHP), a traditional multi-criteria decision method (MCDM) for solving complex comparison problems, has been created. This new technique is used to tackle the rank reversal problem associated with the traditional AHP method. The ontology issue associated with cloud service recommendation was solved by introducing an acceptable standard for each cloud service attribute. This new framework, together with the protocol, uses rational relationships to facilitate an effective cloud service ranking process, which was verified and evaluated using the ontology editor Protégé.

Keywords: SaaS, Ontology, AHP, DSS, SME, service ranking, Knowledge Management

1. Introduction

Cloud computing is one of the biggest technological breakthroughs of recent years. A large number of cloud service providers exist, each prioritising different aspects of cloud services (Google Mail, Google App Engine, Amazon EC2, provided by Google and Amazon respectively) [1]. To remain competitive in cloud technology offerings, these service providers have made efforts towards easy accessibility of their services, which are known to offer benefits such as reduced operational cost and the elimination of upfront investment for businesses. However, despite their efforts, Small and Medium scale Enterprises (SMEs) are still slow in adopting this technology [2, 3, 4].

Cloud services are divided into three layers [5]: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The top layer focuses on application services (SaaS); it is the cloud interface that allows computer users to access software services using a web browser or a thin client. The PaaS layer is the application and software environment layer, built on the lower layer known as IaaS. The upper layers are developed and provided by third-party service providers, while the providers of IaaS are different, as they focus more on datacentre provision [6]. Depending on the needs of an organisation, SaaS services are adopted based on application needs, for example the Customer Relationship Management (CRM) application provided by Salesforce [7]. PaaS provides a platform for adoption in instances where a business is interested in developing other applications, for example Google App Engine [8]. The IaaS layer offers on-demand storage in terms of incremental scalability of computer resources [5].

Furthermore, based on the characteristics of cloud computing services, businesses that try to adopt this technology need to know which service will be most appropriate for their operations (e.g. memory size, subscription cost, operating system, security, trust) and how to rank the available services from the various service


providers that render similar services. To address this problem, different frameworks [9, 10] and management models [11, 12] have been proposed. The paper [13] was the first to apply semantic modelling to cloud adoption, but it was limited to classification only. In [14], a semantically based approach is proposed to tackle the slow adoption of cloud services; it states that Semantic Web ontologies can enable a higher degree of automation for both functional and non-functional aspects of cloud services. This paper uses the cloud service concept to model a semantically engineered framework that can be used for cloud service ranking with service recommendation, to facilitate effective service adoption decision making. The developed semantic model (ontology) is built on a set of semantic rules to aid SMEs in the cloud service adoption process, thereby selecting the most relevant service that meets their business process requirements.

The rest of this paper is organised as follows: section 2 discusses related work and section 3 explains the methodology used. Section 4 reviews the ranking protocol, while section 5 describes the case study. Section 6 discusses the decision support middleware framework and section 7 reviews the service ranking. Finally, sections 8 and 9 present the evaluation and the conclusion and future work.

2. Related works

An increase in awareness of cloud computing has led many researchers to propose various frameworks to give businesses a better understanding of the cloud technology. For instance, the work of [9] proposes a framework which gives businesses the ability to analyse and determine whether cloud computing services will have a positive impact on their business operation. The work of [10] proposes a method for measuring the quality of cloud services based on two significant aspects, namely their availability and the performance of the service. These metrics are used by customers to evaluate cloud offerings based on their ability to meet user Quality of Service (QoS) requirements. Our work complements these previous works by measuring and evaluating the QoS offerings advertised by different cloud service providers according to how well they meet user requirements. Although the evaluation and ranking of cloud services is at a preliminary stage in cloud computing, in other computing areas such as web services the concept is widely used. The most closely related work in the field of cloud service ranking was done by [15, 16]. Their research also proposed a similar approach, based on the AHP concept, for the classification of cloud services; however, they focused more on the Infrastructure as a Service (IaaS) aspect of cloud service offerings. Our work also adopts an extended version of the AHP concept to compare the superiority of one cloud service attribute over another, by assigning weights to each criterion and adopting an acceptable benchmark for each attribute. This leads to the introduction and formalisation of cloud service ranking. Although our work focuses on the SaaS storage aspect of cloud services, it additionally assigns sets of rules that a cloud service must satisfy to be ranked between 5 stars and 1 star. Our ranking is also represented in a decision support system equipped with an ontology to aid SME owners in the decision making towards cloud service adoption. The work of [17] proposed a Web Ontology Language (OWL) cloud computing ontology (CoCoOn) that defines the functional and non-functional concepts, attributes and relationships of IaaS cloud offerings. In addition, [18] proposed an


ontology-based cloud service representation that is applicable to cloud service discovery and cloud computing knowledge management. Our study complements the ontology design concept used in the above work, but extra steps are added to implement the rules that assist in solving the issue of complex queries, as well as to represent the cloud service ranking findings within our ontology. In terms of benchmarks, international consortiums are working towards adopting various measures for evaluating cloud service performance; however, various researchers have proposed other benchmarks. The work of [19] proposed the use of TPC-W benchmarks, while the work of [20] proposes metrics for measuring the QoS of IaaS cloud services. Traditional High Performance Computing (HPC) benchmarks and metrics focus on static systems with specific performance and pricing. In our approach, we adopted an extended version of AHP, a multi-criteria decision making method. The method gives the ability to capture both functional and non-functional evaluation metrics for the comparison of two cloud service attributes, and to adopt an acceptable benchmark for cloud service adoption.

3. Methodology

In this paper a novel version of the AHP approach is introduced to tackle the issue of rank reversal associated with the traditional AHP method (rank reversal: the relative order of existing alternatives changes when an alternative is added to or removed from the comparison). Generally, the AHP method simplifies complex and unstructured problems by arranging the decision criteria in a hierarchical structure. It applies pairwise comparison, which allows decision makers to determine the balance among criteria. It also offers a consistency check, flexibility and intuitive appeal for decision makers, which gives it an advantage over other multi-criteria methods. In addition, AHP captures both subjective and objective evaluation methods while offering a powerful mechanism that checks the consistency of the evaluation measures and alternatives [21].

There are three major phases within the AHP mechanism: problem decomposition, judgement of priorities, and aggregation of priorities.

Phase 1: Problem decomposition

In this phase, a hierarchical structural representation of cloud services is drawn up that shows the interrelationship among the overall goal, the attributes, and the alternative services. This layer analyses the goals and how each cloud service attribute satisfies the requirements of the user.

Phase 2: Judgement and priority phase

This phase deals with the assignment of weights to each attribute, which is essential for comparing two cloud services to ascertain their relative importance. Weights are assigned using the pairwise comparison scale of 1-9 shown in Table 1, as recommended in the AHP method, to judge the importance of one attribute over another. This allows quantifying the preference for a certain attribute over another for both functional and non-functional cloud service characteristics. In the AHP method, the sum of all weights must equal 1 [21].

Table 1: Pairwise comparison scale for AHP preference [21]

Intensity of importance | Definition | Explanation
1 | Equal importance | Two elements contribute equally to the objective
3 | Moderate importance | Somewhat more important
5 | Strong importance | Definitely more important


7 | Very strong importance | Much more important
9 | Extreme importance | Highest possible order of affirmation of one element over another

Phase 3: Aggregation of priority phase

This phase addresses the assignment of weights, which is complex because some of the attributes are not quantifiable. Therefore, 5 SME managers who are experts in the use of cloud storage applications assign weights for each service attribute following the formalism below, and a democratic method is used to arrive at the final assigned weight, as follows:

Let us assume   be the weight assigned by the user for the attribute q. Let   and   be the values of attribute q for cloud services i and j. If   and   are the cloud services, then  ⁄  represents the relative comparison of   and  . Then   represents the value required by the user as  . In order to compare the values   and   for cloud services   and  , we need to confirm that the unit of both values is the same. For instance, to compare the cost of two advertised cloud storage services, both prices must be in the same currency (USD) and for the same quantity (price per 1 GB) for the comparison to be meaningful. To accommodate the versatility of cloud service attributes, that is the non-measurable characteristics of some attributes, a different kind of comparison is proposed for each type. For two cloud services   and   with numeric attributes, we can compare them using one of two criteria: either higher is better, so a higher intensity of importance is assigned, or lower is better, so a lower intensity of importance is assigned. If higher is better, then   is the value of  ⁄ , and if lower is better, then   is the value of  ⁄ .

4. Ranking Protocol

To address the issue of rank reversal, this paper departs from the traditional summing of weights used in the AHP method by introducing a protocol and using rational relationships for ranking our cloud services, as follows: 1. declare the acceptable standard for each KPI; 2. order the acceptable KPI standards from the highest priority to the lowest; 3. rank the services from 5 stars to 1 star, where 5-star services have the highest rank and 1-star services the lowest.

The service attributes used are ordered by level of importance from highest to lowest, as declared before introducing the ranking formations below:

Let M be the cloud service;
  - the weight value of the attribute with the highest KPI priority;
  - the acceptable standard for that attribute;
  - the weight value of the attribute with the 2nd KPI priority;
  - the acceptable standard for that attribute;
  - the weight value of the attribute with the 3rd KPI priority;
  - the acceptable standard for that attribute;
  - the weight value of any of the remaining KPI priorities;
  - the acceptable standard for any of those attributes.

The 5-star service ranking is characterised by the following formation:
When M satisfies ( ≥ ) ∧ (( ≥ ) ∨ ( )) ∧ ( )
The 4-star service ranking is characterised by the following formation:
When M satisfies ( ) ∧ (( ≥ ) ∨ ( )) ∧ ( )
The 3-star service ranking is characterised by the following formation:


When M satisfies ( ) ∧ ( ) ∧ ( ) ∧ ( )
The 2-star service ranking is characterised by the following formation:
When M satisfies ( ) ∧ ( ) ∧ ( ) ∧ ( )
The 1-star service ranking is characterised by the following formation:
When M satisfies ( ) ∧ ( ) ∧ ( ) ∧ ( )

In the next section, we demonstrate our approach using a case study of advertised SaaS storage cloud services.

5. Case Study of 4 major SaaS Storage Applications

The selection of SaaS storage services is based on a focus group session with SME owners, from which several parameters were selected; the service information is taken from the advertised cloud service offerings of four major cloud service providers. The four top SaaS cloud services used in this case study are OneDrive, Dropbox, Google Drive and iCloud, although we refer to them as Service_A, Service_B, Service_C and Service_D in random order rather than by their real names.

Table 2 presents the cloud service provider offerings in tabular form, as advertised on the service providers' websites. It also lists the assigned weight of each compared cloud service together with the attribute weights. Finally, we show the acceptable standard for each criterion as represented in our middleware. The relative weight method was used to determine the relative priority of each attribute for each SaaS cloud service in our scenario, as advertised on the service providers' websites.

Table 2: Table of case study (advertised offerings)

Attribute (KPI) | Service_A (SaaS) | Service_B (SaaS) | Service_C (SaaS) | Service_D (SaaS)
File size restriction (Trialability) | 2GB | - | 10GB | 15GB
Free storage | 5GB | 2GB | 15GB | 2GB
On-going payment plan (Cost) | $83.88/1TB/1 year; $2/month/100GB | $99/1TB/1 year; $10/month/1TB | $99/1TB/1 year; $2/month/100GB | $99.99/1TB/1 year; $20/month/1TB
Operating system supported (Interoperability) | Windows, Mac, Android and iOS | Windows, Mac, Linux, Android and iOS | Windows, Mac, Android and iOS | Windows, Mac, Android and iOS
Access rights (Trust) | SLA | SLA | SLA | SLA
Encryption (Security) | Encryption on a per-file basis, none at rest | AES 256-bit encryption | 128-bit AES and HTTP | 128-bit AES
Office via web | Yes | Yes | Yes | Yes
Bandwidth adjustment | No | Unlimited | User restriction | No

Furthermore, from the information in Table 2, the procedural steps leading to the ranking of cloud services are presented. The relative weighting method described in section 3 is used to assign weights for each functional and non-functional property of the cloud services, and a relative ranking matrix is constructed for each attribute. Based on the case study data, the Relative Service Ranking Matrix (RSRM) for payment (Pa), with each column already normalised to sum to 1, is:

RSRM(Pa) | Service_B | Service_C | Service_A | Service_D
Service_B | 0.1818 | 0.182 | 0.174 | 0.222
Service_C | 0.1818 | 0.182 | 0.174 | 0.222
Service_A | 0.5454 | 0.5454 | 0.522 | 0.444
Service_D | 0.091 | 0.091 | 0.130 | 0.111
Total | 1 | 1 | 1 | 1

Computing the relative ranking vector for payment from the above gives  = ( )
Similarly, we determine the relative ranking vector for operating system supported (OPS) as


 = ( )
The relative ranking vector for file size restriction (FSR) is determined as  = ( )
Then the relative ranking vector for free storage (FS) is determined as  = ( )
The relative ranking vector for security (SE) is determined as  = ( )
Then the relative ranking vector for trust (TS) is determined as  = ( )
Then the relative ranking vector for bandwidth adjustment (BA) is determined as  = ( )
Finally, the relative ranking vector for Office via web (OVW) is determined as  = ( )

Furthermore, the combined RSRV for all the KPIs in the case study is determined. The resulting RSRV for each attribute is set as the acceptable standard that each service attribute must attain for a cloud service to be recommended for adoption. This is demonstrated in the proposed semantic ontology (see Appendix 1).

 = [ ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ]

To determine the combined weighting of the cloud service attributes, the RSRVs for all the attributes and the RSRVs of the four major service providers are combined, and the resulting RSRV is then multiplied by the RSRV standard for each KPI, as represented below:

 = ( ) ( ) ( )

In the next section, we show our middleware architecture and demonstrate how the middleware aids service recommendation based on a set of reasoning techniques, and service ranking based on a set of semantic rules, in support of the cloud service adoption decision.

6. Decision Support System Architecture

The decision support system architecture depicts the sequence of activities that take place within the DSS when a user sends a requirement. In order to complete the proposed framework, an ontology of SaaS storage cloud services is added. This ontology holds information about the cloud services advertised by service providers and is used by our system algorithms to resolve user requirements. The developed cloud service ontology has been tested in the ontology editor Protégé to check its consistency, as explained in the remainder of this section.

Fig 3: Middleware architecture

6.1. Characteristics of each component of the cloud service architecture


The system architecture consists of the following components: graphical user interface, query processor, similarity reasoning domain, cloud service knowledge management, and service ranking. First, the SME owner or manager sends their requirements to the middleware via the graphical user interface. The decision support system then carries out the following functions, depending on the user request: 1) query processing, 2) similarity reasoning, 3) similarity matching, 4) cloud service ranking.

6.1.1. Query Processing: When a user requirement is sent from the SME owner or manager via the graphical user interface, the query processor initiates query processing and converts the query to a machine-readable format. The processor then sends the processed query to the similarity reasoning component for further processing based on the required information.

6.1.2. Similarity Reasoning: The processed query initiates the similarity reasoning process, which consults the cloud service ontology. The similarity decision is based on the type of information the processed query seeks to fetch. An example of similarity reasoning is concept similarity reasoning, as presented in Fig 4.

Concept Similarity Reasoning: This is based on the conceptual modelling of the ontology to meet user requirements. The Pellet reasoner within the ontology editor (Protégé) enables the DSS to perform conceptual reasoning by consulting the ontology to retrieve accurate information, using system algorithms, to meet user requirements. To show that our DSS, equipped with a semantically designed ontology of cloud services, can perform conceptual similarity reasoning to answer user requirements, consider the case study presented in Table 2: an SME owner intends to adopt a cloud service for data storage with a budget of 2 dollars per month for 100 GB of storage and consults the proposed middleware for decision making. The user requirement can be summarised as follows: the cloud service required by the user is a SaaS cloud service with a storage of 100 GB and a price of 2 dollars. The conceptual model is designed within the system following the RDF format of subject, predicate and object statements, with subject and object representing the domain and range of the predicate, which helps us translate the user requirement into machine language as follows: (DOMAIN: SaaS, Data Property: hasPaymentplan1price, Range: Integer). To obtain our user requirement, the following query is processed in machine-readable form: (SaaS and hasPaymentplan1price value 2 and haspaymentPlan1GB value 100). In lay terms the query reads: software as a service with a payment plan of 2 USD for 100 gigabytes of data per month. Note that the price value is in USD per month and the storage in GB (gigabytes).

Fig 4: Example of conceptual similarity reasoning.

7. Cloud Service Ranking

The service ranking is done using the 5-star, 4-star, 3-star, 2-star and 1-star levels, as explained in the service ranking protocol in section 4. In this section we show the use of semantic rules (Fig 5) within the system in machine


readable form, while Fig 6 shows a query execution listing Service_B as the only SaaS storage service to attain the 5-star service rank.

Fig 5: Rules within the system

Below is a system query executed to show the services that meet the 5-star SaaS service ranking.

Fig 6: Service_B as the only SaaS service that meets the 5-star ranking.

8. Construct Validity Evaluation

Construct validity is the degree to which a test measures what it claims or proposes to measure [22]. In this paper, a confirmatory case study as presented in Table 2, together with the proposed evaluation benchmarks presented as obtained in section 5, is used to assess the proposed model ontology with specific emphasis on its validity and completeness [23, 24, 25]. An exploratory case study of four major SaaS storage application cloud services was adopted, as the research framework proposes a knowledge management domain, a service recommendation domain, and service ranking for cloud service adoption by SMEs.

9. Conclusion and Future work

Cloud computing is a technology that provides services over the internet just like public utilities. Many cloud service providers present cloud services in their own format, as there is no standard for representing cloud services. This research work presents a framework that aids SaaS storage cloud service application adoption by measuring the quality of the service attributes advertised by SaaS cloud service providers. This paper also proposed the use of an extended version of the Analytic Hierarchy Process (AHP) to rank each cloud service. Finally, this paper proposed the use of a decision support system equipped with a semantic model of advertised SaaS cloud services and their rankings. From the findings, in a bid to understand how service providers meet user requirements, only cloud service B (not its real name) met the highest rank of 5 stars.

Future work will extend the quantifiable quality of PaaS and IaaS cloud services in terms of performance from a user perspective, as well as developing a system that can be used to aggregate the QoS configuration between cloud service layers in different applications.

References

[1] Jagannathan, S.: 'Comparison and Evaluation of Open-source Cloud Management software'. KTH Royal Institute of Technology, Stockholm, Sweden, 2012.
[2] Aljabre, A.: 'Cloud Computing for Increased Business Value'. International Journal of Business and Social Science, 2012, 3(1), pp. 234-239.
[3] Ashwini, R., K. Sanjay, M. Sanjay and T. Rahul: 'Decision Point for Cloud Computing in Small, Medium Enterprises (SMEs)'. Proceedings of the 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 688-691.
[4] Khan, S.U.: 'Elements of Cloud Adoption'. IEEE Journal on Cloud Computing, 2014, 1(1), pp. 71-73.
[5] Buyya, R., C.S. Yeo, S. Venugopal, J. Broberg, I. Brandic: 'Cloud Computing and Emerging IT Platforms: Vision, Hype, and Reality for Delivering Computing as the 5th Utility'. Future Generation Computer Systems, 2009, 25(6), pp. 599-616.
[6] Fortis, T., V.I. Munteanu, V. Negru: 'Towards an Ontology for Cloud Services'. IEEE 6th International

ISBN: 978-1-941968-46-8 51
Conference on Complex, Intelligent and Software Intensive Systems, 2012, pp. 787-792.

[7] Cusumano, M.: 'Cloud Computing and SaaS as New Computing Platforms'. Communications of the ACM, 2010, 53(4), pp. 27-29.

[8] Ciurana, M.: 'Developing with Google App Engine'. Apress, Berkeley, CA, USA, 2009.

[9] Ebneter, D., S.G. Grivas, T.U. Kumar, H. Wache: 'Enterprise Architecture Framework for Enabling Cloud Computing'. IEEE 3rd International Conference on Cloud Computing, 2010, pp. 542-543.

[10] Boa, D., Z. Xiao, Y. Sun, J. Zhao: 'A Method and Framework for Quality of Cloud Services Measurement'. 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE), 2010, pp. 358-362.

[11] Misra, S.C., A. Mondal: 'Identification of a company's suitability for adoption of Cloud computing and modelling its corresponding Return on Investment'. Mathematical and Computer Modelling, 2014, 53 (2011), pp. 504-521.

[12] Takabi, H., J.B.D. Joshi, G. Ahn: 'SecureCloud: Towards a Comprehensive Security Framework for Cloud Computing Environment'. 34th Annual IEEE Computer Software and Applications Conference Workshops, 2010, pp. 393-398.

[13] Youseff, L., M. Butrico, D. Da Silva: 'Towards a Unified Ontology of Cloud Computing'. Grid Computing Environments Workshop (GCE 08), Nov 2008, pp. 1-10.

[14] Zhang, M., R. Ranjan, A. Haller, D. Georgakopoulos, M. Menzel, S. Nepal: 'An ontology-based system for cloud infrastructure services discovery'. Proceedings of 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), 2012, pp. 524-530.

[15] Tran, V., H. Tsuji, R. Masuda: 'A new QoS ontology and its QoS-based ranking algorithm for web services'. Simulation Modelling Practice and Theory, 2009, 17(8), pp. 1378-1398.

[16] Garg, S., S. Versteeg, R. Buyya: 'A Framework for Ranking of Cloud Computing Services'. Future Generation Computer Systems, 2013, 29(4), pp. 1012-1023.

[17] Zhang, M., R. Ranjan, A. Haller, D. Georgakopoulos, M. Menzel, S. Nepal: 'An ontology-based system for cloud infrastructure services discovery'. Proceedings of 8th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), 2012, pp. 524-530.

[18] Ali, A., M. Shamsuddin, F. Eassa: 'Ontology-Based Cloud Service Representation'. Research Journal of Applied Sciences, Engineering and Technology, 2014, 8(1), pp. 83-94.

[19] Chen, T., R. Bahsoon: 'Self-Adaptive and Sensitivity-Aware QoS Modelling for the Cloud'. IEEE SEAMS 2013, San Francisco, CA, USA.

[20] Menasce, D., A. Silberstein, E. Tam, R. Ramakrishnan, R. Sears: 'Benchmarking cloud serving systems with YCSB'. Proceedings of the 1st ACM Symposium on Cloud Computing, Indiana, USA, 2010.

[21] Saaty, T.: 'Theory and Applications of Analytic Network Process'. Vol. 4922, RWS Publications, Pittsburgh, PA, 2005.

[22] Cashin, S.E., P.B. Elmore: 'The Survey of Attitudes toward Statistics scale: A construct validity study'. Educational and Psychological Measurement, 2005, 65(3), pp. 509-524.

[23] Mann, D.: 'Laws of system completeness'. TRIZ Journal, May 2001.

[24] Cook, S.A.: 'Soundness and completeness of an axiom system for program verification'. SIAM Journal on Computing, 1978, 7(1), pp. 70-90.

[25] Suwa, M., A.C. Scott, E.H. Shortliffe: 'An approach to verifying completeness and consistency in a rule-based expert system'. AI Magazine, 1982, 3(4), p. 16.

Appendix 1

        PA      OPS     SE      FSR     BA      FS      OVW     TS
PA      0.1377  0.1828  0.1267  0.2249  0.1739  0.1666  0.1880  0.1121
OPS     0.0688  0.0914  0.0951  0.1687  0.1449  0.1428  0.1504  0.0746
SE      0.4132  0.3656  0.3805  0.2811  0.2318  0.2142  0.2633  0.4484
FSR     0.0344  0.0304  0.0633  0.0562  0.1159  0.1190  0.1128  0.0448
BA      0.0229  0.0182  0.0475  0.0140  0.0289  0.0476  0.0125  0.0324
FS      0.0196  0.0152  0.0761  0.0112  0.0144  0.0238  0.0094  0.0280
OVW     0.0275  0.0130  0.0543  0.0187  0.0869  0.0952  0.0376  0.0373
TS      0.2755  0.2742  0.1902  0.2249  0.2028  0.1904  0.2257  0.2242
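As an added example (not the paper's code), the AHP weight derivation that the conclusion refers to, run over the Appendix 1 matrix: it assumes that matrix is the column-normalised pairwise comparison matrix of the eight criteria (its columns sum to roughly 1), and the service scores it ranks are constructed here. The star-rank mapping is not given on this page, so services are only ordered by weighted score.

```python
"""AHP criterion weights and consistency check (added example, not the
paper's code). Assumes the Appendix 1 matrix is the column-normalised
pairwise comparison matrix of the eight criteria; weights are its row
averages, the usual approximation of the principal eigenvector."""

CRITERIA = ["PA", "OPS", "SE", "FSR", "BA", "FS", "OVW", "TS"]
# Copied from Appendix 1 of the paper; rows and columns in CRITERIA order.
APPENDIX_MATRIX = [
    [0.1377, 0.1828, 0.1267, 0.2249, 0.1739, 0.1666, 0.1880, 0.1121],
    [0.0688, 0.0914, 0.0951, 0.1687, 0.1449, 0.1428, 0.1504, 0.0746],
    [0.4132, 0.3656, 0.3805, 0.2811, 0.2318, 0.2142, 0.2633, 0.4484],
    [0.0344, 0.0304, 0.0633, 0.0562, 0.1159, 0.1190, 0.1128, 0.0448],
    [0.0229, 0.0182, 0.0475, 0.0140, 0.0289, 0.0476, 0.0125, 0.0324],
    [0.0196, 0.0152, 0.0761, 0.0112, 0.0144, 0.0238, 0.0094, 0.0280],
    [0.0275, 0.0130, 0.0543, 0.0187, 0.0869, 0.0952, 0.0376, 0.0373],
    [0.2755, 0.2742, 0.1902, 0.2249, 0.2028, 0.1904, 0.2257, 0.2242],
]
# Saaty's random consistency index, keyed by matrix size n (1..10).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

def normalise(raw):
    """Divide every entry by its column sum (first AHP step)."""
    sums = [sum(col) for col in zip(*raw)]
    return [[v / s for v, s in zip(row, sums)] for row in raw]

def priority_vector(norm):
    """Criterion weights: row averages of the normalised matrix."""
    return [sum(row) / len(row) for row in norm]

def consistency_ratio(raw):
    """Saaty's CR of a raw reciprocal matrix (n <= 10); below 0.10 is acceptable."""
    n = len(raw)
    w = priority_vector(normalise(raw))
    aw = [sum(a * x for a, x in zip(row, w)) for row in raw]
    lambda_max = sum(v / x for v, x in zip(aw, w)) / n
    return (lambda_max - n) / (n - 1) / RANDOM_INDEX[n] if n > 2 else 0.0

def criterion_weights():
    """Weights of the paper's eight criteria from the Appendix 1 matrix."""
    return dict(zip(CRITERIA, priority_vector(APPENDIX_MATRIX)))

def rank_services(scores):
    """Order services by weighted score; scores[service][criterion] in [0, 1], missing = 0."""
    w = criterion_weights()
    total = {s: sum(w[c] * v for c, v in sc.items()) for s, sc in scores.items()}
    return sorted(total, key=total.get, reverse=True)
```

With the appendix matrix, SE receives the largest weight (about 0.32) and TS the second largest (about 0.23); the weights sum to about 1.003 rather than exactly 1 because the printed columns do not all sum to 1.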
