Conference Dates
December 8-10, 2017
Conference Venue
Metropolitan College, Thessaloniki, Greece
ISBN:
978-1-941968-46-8 ©2017 SDIWC
Published by
The Society of Digital Information and Wireless
Communications (SDIWC)
Wilmington, New Castle, DE 19801, USA
www.sdiwc.net
Table of Contents
Cyber Security
Education Method for Simultaneous Achievement of Safety and Security in the IoT Era
Digital Forensic
GPU Forensics: Recovering Artifacts From The Gpus Global Memory Using Opencl
Miscellaneous
Project of building Security in Zoological garden
Proceedings of the Third International Conference on Information Security and Digital Forensics, Thessaloniki, Greece, 2017
of control systems in the production process has become widespread. Figure 3 indicates that the manufacturing industry uses the control system for automation of the production line, stable operations, and reduction in the human resources required. Also, manufacturing industries collect and analyze data from the control system by connecting to the Internet (for data analysis) for improved marketing functions, management, and line productivity. The analyzed will help the industry adapt to a flexible trading business market and enhance its business efficiency. However, connecting the control system to the Internet increases the risk of cyber-attacks, consequently, increasing risks in the future.

Figure 3. Maintain safe environment.

2.4 Analysis of Safety and Security Integration Standard

In literature [1], [4] the authors discussed the establishment of a cycle for bottom-up that continues to improve, maintain and implement after recognizing the international standard for safety and security standards. For safety, OHSAS18001 (Occupational Health and Safety standard) is analyzed by using IDEF0 and is mapped to a Resilience Matrix (RM) that can be defined as a cycle to develop new operational procedures to maintain and increase organizational resilience. In this matrix skill–rule–knowledge (SRK) model and organizational levels (i.e., individual, group, and organization) are combined in the 3 × 3 chart. To specify a security standard procedure, IEC62443 (Industry network system standard) [5] is also analyzed by using the approach mentioned above.

The analysis of global standard was conducted by deconstructing and categorizing clauses of the standard from the following perspectives:
1. Chapter titles, subtitles, number, sentence locations
2. Sentences (extracting only the sections on recommendations for actions relating to health and safety)
3. Subjects, objects, and verbs within sentences
4. Verbs, objects, and verbs within sentences
5. Knowledge, skill, rule based on Rasmussen’s (Rasmussen, 1983) SRK model [6].

Resilience matrix covers activities that occur during establishment, implementation, and maintenance. Accordingly, it seems to be appropriate to place the IDEF0 model of the global standard into the resilience matrix to specify the structure of the organizational activity cycle and identify basic activities. In this previous study, we discussed a method for evaluating a manner in which PDCA cycle (Figure 4 shows) of OHSAS18001 and IEC 62443 systematically functions within corporations. Based on the findings, this study clarifies the potential structural objection for corporations when implementing and operating the OHSAS18001 and IEC 62443 standard.

According to the OHSAS18001 and IEC 62443 standard analysis, the installation of the PDCA cycles is essential for achieving continuous improvement. Safety and security standard organization structure with section-based PDCA cycle;
Each section goes through the implementation, maintenance, and improvement processes.
Subsequently, the improvement must be checked and tested. If it passes the check, one can proceed to the next stage.
If the improvement fails the check, one goes back to an improvement process, provide safety instructions, and then return to the cycle.
understanding the framework for handling cyber incidents. Therefore, depending on the organizations that are trained, it is necessary to consider the organizational (organizational involved in the operation of the business) and correspondence to cyber-attacks (response to security).

In this exercise (calling ICS-BCP) training, we will consider an organization’s response to a cyber-attack. The purpose of the correspondence changes with the passage of the correspondence changes with the passage of time. The following types of activities should be considered according to the purpose of correspondence. (Figure8) the typical deliverables of the exercise are workflow which becomes plants by considering “who” performs an action and “when.”
1. Activities to regain plan safety when attacks are disturbed.
2. Activities to maintain production activities that are obstructed by attacks at a specified service level.
3. Activities to deter further attacks.
4. Activities to preserve evidence of attacks.

Figure 8. Schematic of the safety and security framework.

4 CONCLUSIONS

In this paper, the author proposed two problems, viz., discovering effective interactions between safety and cyber security and Maximizing organizational resilience against uncertain and unexpected cyber-attacks. Discovering an effective interactive linkage between safety and cybersecurity is necessary.

To that end, we need to maximize the resilience of the organization to cyber-attacks that cannot be predicted reliably. First, the PDCA cycle necessary to combine Safety-I and Security-I was extracted using the IDEF0 modeling method. To build a PDCA cycle between Safety-II and Security-II, an exercise framework to maximize organization resilience was suggested.

ACKNOWLEDGEMENTS

This research is partially supported by the Ministry of Education, Science, Sport and Culture, Grant-in-Aid for Scientific Research (A), No.16H01837 (2016); however, all remaining errors are attributable to the authors.

REFERENCES

[1] D. Nyambayar, H. Eguchi, and I. Koshijima, “A Matric for Quantitative Estimation of Production Unit Based On OSHMS,” IOP Conf. Series: Materials Science and Engineering. 012009 doi:10.1088/1757-899X/206/1/012009.
[5] IEC Central Office, Industrial Communication Network, and System Security-Part2-1: Establishing and industrial automation and control system security manual, online, www.iec.ch. Accessed on: online user accessed by Yoshihiro Hashimoto.
[6] J. Rasmussen, “Skills, Rules, Knowledge. Signals, Signs, and Symbols, and Other Distinctions in Human Performance Models,” IEEE Transactions on Systems, Man, and Cybernetics, pp.257-266, 1983.
[7] E. Holnagel, “Safety-I and Safety-II,” Ashgate Pub Co. The Past and Future of Safety Management.
The non-parametric CUSUM algorithm detects deviations from normal protocol behaviours caused by DoS attacks.

The proposed method in the present work utilizes the NSL-KDD dataset, focusing on the attribute of the source bytes of UDP and ICMP packets in order to achieve detection of DoS intrusion. Considering that the network is under normal operation (no attacks involved), in a certain training period the mean value of the source bytes may be estimated. This value is set as the target mean in the cumulative sum (CUSUM) chart mechanism that is utilized in order to achieve intrusion detection. Assuming that the UDP and ICMP source bytes are normally distributed, with mean and standard deviation σ. If after intrusion there is a shift in the mean value and or then the detection will be successfully achieved.

The rest of the paper is organized as follows: Section 2 contains the methodology of the proposed method along with analytical elements of the tabular CUSUM chart as well as the NSL-KDD dataset. Section 3 contains the evaluation results for the intrusion detection in the UDP packets as well as the ICMP and UDP packets concurrently. Finally, in section 4 there are the conclusions and further work.

2 METHODOLOGY

The proposed method is based on the idea of detecting a change in the mean value of the source bytes of the UDP and ICMP packets respectively during operation. Thus, the tabular cumulative sum control chart was utilized for this purpose [6].

2.1 The Tabular CUSUM Control Chart

The utilized CUSUM control chart in the present work is of the type of tabular, with individual observations and it works as follows:

Assuming a normal distribution of a random variable with mean and a known or estimable standard deviation of . Standard deviation is the square root of the variance which is equal to:

(1)

When the process is under control both moments of the distribution are maintained constant. The mean may be taken as the target value of the quality characteristic . During the operation of the tabular CUSUM chart, two statistics: the and are applied to accumulate the deviations from . accumulates the deviations above target while the deviations below target and they are estimated as:

(2)

and

(3)

Initially = = 0.
is the reference value and it is estimated by:

(4)

where is the mean of the out of control values. is the decision interval which means that if either of the two statistics and exceeds the value of , then the process is out of control. Two reasonable values of may be or [7].

2.2 The NSL-KDD Dataset

The data set used for this work is the NSL-KDD that consists of 42 attributes. It does not contain duplicate instances as they have been removed from the previous version (KDD’99) and so, it represents an improved type of data sets. A number of NSL-KDD data set versions are available: the 20% of the training data identified as “KDDTrain+_20Percent” with 25192 instances, as well as the “KDDtest+” with 22544 instances. The number of attributes in each version is 42 with the 42nd attribute labeled as ‘class’ to indicate whether a given instance is normal connection or an attack [8]. The dataset files
have been downloaded from [9]. The dataset used for the evaluation was the "KDDtrain20percent" with 42 attributes where the 42nd attribute named “xattack” contains a numbering which indicates the type of the attack as follows: (1) is the DoS, (2) is the User to Root (U2R), (3) is the Remote to User (R2L), (4) is the Probe and (5) is the normal operation packets. The files are also formatted for the machine learning program “WEKA”.

2.3 Proposed Method

A network that operates normally has been considered as an initial situation, supported with a data recording mechanism. The data recording mechanism captures the required information, which in this case are the source bytes. Assuming that the UDP and ICMP source bytes are normally distributed, with a mean and standard deviation . In some instance an intrusion occurs in either UDP or ICMP packets. If after intrusion there is a shift in the mean value and or , then the CUSUM control chart, which is the utilized detection mechanism, will successfully detect the intrusion. According to the functionality of the CUSUM chart, the calculation of the target mean is crucial. Thus, a training period is set in order this value would be computed. A hypothetical training period may be the one in which the UDP and ICMP packets of the NSL-KDD dataset were recorded with the network in normal operation (no attacks). Thus, the target mean value was calculated from the entire sequence of the UDP and ICMP source byte [...] place for a very small number of instances . The first evaluation (1st case) concerned the source bytes of the UDP packets while the second evaluation (2nd case) concerned the UDP and the ICMP source bytes concurrently, since they gave the same target mean For the above cases, the CUSUM algorithm of the form (5):

(5)

was applied initially for the detection of the mean shift and then the tabular CUSUM control chart, as described in Sec. 2.1, for more analytical process of the detection.

3 Evaluation of Results

3.1 Detection of DoS attack based on the UDP packets.

The first stage of the method was the training period for the calculation of the mean value of the UDP source bytes. Thus, the entire set of source bytes instances of the original NSL-KDD dataset were used, considering that the network is in normal operation with no attacks involved. The estimated mean value of the entire UDP source bytes of the training period was . The first evaluation was the case where the first 100 instances contained source bytes of normal operation, and in sequence with them there were added instances of attack packets. Applying the CUSUM algorithmic test of (5) for 150 instances a change in mean was observed as depicted in Figure 1.

[Figure 1: Ci plotted against instance number]

In cases where n takes a lower value the detection will be also achieved, but
At instance 122 the value of , so
which means that at
The CUSUM test of (5) for the same number of instances (150) showed a change in mean as depicted in Figure 3.

[Plot: Ci against Instances]
Figure 3. Drift of test statistic of the cumulative sum in (5) with four (2 ICMP & 2 UDP) attack instances after the 100th instance

Thereafter, the statistic in (2) was applied for 150 instances as depicted in Figure 4.

[Plot: Ci against Instances]
Figure 4. Drift of test statistic in (2) with four (2 ICMP & 2 UDP) attack instances after the 100th instance

Because there is a positive shift of the mean the statistic (eq. 2) was applied. As depicted in Figure 4, there is a sharp change of the slope after the 100th instance and this indicates the change in the mean. In this case (the mean for both UDP and ICMP source bytes is 79), , the parameter and the interval The first signal for out of control process came at instance 91 until 95 and then from instance 101 until 150 the process was out of control. From a list of values with the same logic as Table 1 (not quoted), at instance 101, . So, at instance the shift in mean started to be created. For the decision interval then the first signal for out of control process comes at instance 92. Then again from instance 101 until the end, the process is permanently out of control. This result leads to that, both values of (4 or 5) give a decision interval with the almost the same effectiveness.

4 Conclusion and Future Work

[...] the source bytes of the UDP and ICMP protocols as they have been recorded in the NSL-KDD dataset. The mechanism utilized for the detection was the tabular CUSUM chart, which gave satisfactory results since it successfully detected the intrusion in both UDP and ICMP packets.

Further to this work the cases of moving average as well as subgroup averages will be examined for the intrusion detection. Also, detection evaluation will take place on the TCP packets for Remote to User (R2L) and User to Root (U2R) types of intrusion utilizing possible upcoming newer versions of datasets.

4 REFERENCES

[1] Hovav, Anat, and John D’Arcy, “The impact of denial-of-service attack announcements on the market value of firms”, Risk Management and Insurance Review 6.2 (2003): 97-121.
[2] Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao, “Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring”, In Proceedings of the Third International IFIP-TC6 Networking Conference Networking 2004.
[3] Vasilios A. Siris, Fotini Papagalou, “Application of anomaly detection algorithms for detecting SYN flooding attacks”, Computer Communications 29 (2006) 1433–1442, Elsevier.
[4] Alexandros G. Fragkiadakis, Vasilios A. Siris, and Nikolaos Petroulakis, “Anomaly-Based Intrusion Detection Algorithms for Wireless Networks”, E. Osipov et al. (Eds.): WWIC 2010, LNCS 6074, pp. 192-203, 2010.
[5] Haining Wang, Danlu Zhang, Kang G. Shin, “Change-Point Monitoring for Detection of DoS Attacks”, IEEE Transactions on Dependable and Secure Computing (Volume: 1, Issue: 4, Oct.-Dec. 2004)
[6] V. V. Koshti, “CUMULATIVE SUM CONTROL CHART”, International Journal of Physics and Mathematical Sciences ISSN: 2277-2111 (Online).
[7] D. R. Prajapati, “Effectiveness of Conventional CUSUM Control Chart for Correlated Observations”, International Journal of Modeling and Optimization, Vol. 5, No. 2, April 2015
[8] Preeti Aggarwala, Sudhir Kumar Sharma, “Analysis of KDD Dataset Attributes- Class wise For Intrusion Detection” 3rd International Conference on Recent Trends in Computing 2015 (ICRTC-2015), Elsevier
[9] https://github.com/FransHBotes/NSLKDD-Dataset, (10/7/2016)
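
The tabular CUSUM chart of Section 2.1 and the comparison of the two decision intervals in the evaluation can be reproduced on a small series. This is an added example in Python, not the authors' code: it uses the standard textbook form of the chart (reference value K = |mu1 - mu0| / 2, decision interval H = 4σ or 5σ), and the function names, the assumed out-of-control mean of 99 and the source-byte values are constructed; only the target mean of 79 is taken from the paper.

```python
import statistics

# Constructed source-byte series (not NSL-KDD records): 100 normal instances
# whose mean is the paper's target of 79, then 50 attack instances with mean 99.
NORMAL = [75, 83, 79, 71, 87] * 20
ATTACK = [95, 103, 93, 99, 105] * 10
MONITORED = NORMAL + ATTACK


def tabular_cusum(samples, mu0, k, h):
    """Two-sided tabular CUSUM over individual observations.

    Returns one (instance, c_plus, c_minus, out_of_control) row per sample.
    c_plus accumulates deviations above mu0 + k, c_minus those below mu0 - k;
    each sum is clamped at zero so in-control noise cannot build up.
    """
    c_plus = c_minus = 0.0
    rows = []
    for i, x in enumerate(samples, start=1):
        c_plus = max(0.0, x - (mu0 + k) + c_plus)
        c_minus = max(0.0, (mu0 - k) - x + c_minus)
        rows.append((i, c_plus, c_minus, c_plus > h or c_minus > h))
    return rows


def first_signal(rows):
    """Instance number of the first out-of-control row, or None."""
    return next((i for i, _, _, out in rows if out), None)


def detect(training, monitored, mu1, h_sigmas):
    """Estimate mu0 and sigma from attack-free training data, then run the chart.

    mu1 is the out-of-control mean the chart is tuned to catch (an assumed
    value here); the reference value is K = |mu1 - mu0| / 2 and the decision
    interval is H = h_sigmas * sigma.
    """
    mu0 = statistics.fmean(training)
    sigma = statistics.stdev(training)
    k = abs(mu1 - mu0) / 2
    rows = tabular_cusum(monitored, mu0, k, h_sigmas * sigma)
    return mu0, first_signal(rows), rows


if __name__ == "__main__":
    for h_sigmas in (4, 5):
        mu0, signal, rows = detect(NORMAL, MONITORED, mu1=99, h_sigmas=h_sigmas)
        print(f"H = {h_sigmas} sigma: target mean {mu0}, first signal at instance {signal}")
        for i, c_plus, c_minus, out in rows[98:105]:
            print(f"  {i:3d}  C+={c_plus:6.1f}  C-={c_minus:5.1f}  {'OUT' if out else 'ok'}")
```

On this series the two decision intervals signal one instance apart, and once the upper sum has crossed H it keeps growing, so every later instance is flagged as out of control.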
is reviewed in Section 2, followed by the description and illustration of the proposed GPU graphics recovery process in Section 3. Results from the experiments are examined and discussed in Section 4. The paper concludes our work and gives an outlook on future research directions in Section 5.

2 LITERATURE REVIEW

Offloading graphics processing tasks to the GPU has led to substantial improvements in the performance of graphical computations. The deployment of GPUs has further increased with the emergence of general-purpose graphics processing units (GPGPUs). While studying how GPU-assisted malware affects memory forensics, the authors of [1] found that GPUs can assist applications to achieve a substantial speed-up and enhance the performance of various applications, including financial and scientific computations. The authors further posit that GPUs have enabled the realization of video transcoding, bitcoin mining, recovering passwords, and regular expression matching. However, they note that despite the GPU's ability to perform generic computations, GPU misuse, i.e., the use of GPUs to engage in malicious activity, has not been studied sufficiently. To perform a forensic analysis on the GPU, the authors gathered and analyzed numerous data structures by developing several custom tools specifically for this purpose. The data structures that were examined in the study include graphic page tables, hangcheck flags, a list of buffer objects, a list of contexts, and the register files. The study also revealed that the use of various GPU ecosystems posed substantial challenges in the forensic process. This, therefore, makes it necessary to develop individual tools for the probable combinations of GPU simulations and operating systems. GPUs may also be implemented to solve both general tasks and tasks that require intensive computations. For instance, GPUs may be used to increase the performance of AES and RSA encryption algorithms. Similarly, GPUs can be implemented to accelerate routers to support IP networks [4]. GPUs may also aid in the establishment of high-speed intrusion detection systems (IDSs).

Researchers in [4] aimed at evaluating the potential risks associated with GPUs and, more specifically, how attackers are capable of disclosing sensitive data stored in the GPU's memory. While performing an in-depth analysis on GPUs to detect security susceptibilities, the authors discovered that extensively used GPUs, namely NVIDIA’s and AMD’s, fail to initialize recently allotted GPU memory pages that are likely to contain delicate user data. This vulnerability may then be exploited through attack strategies so that the program data belonging to the victim can be revealed, particularly information stored in the GPU's memory. Such exploitations may happen both during the execution of a program and after its termination. The greatest number of these attacks targeted the Chrome and Firefox web browsers that render web pages through the GPU. The research also indicated that, regardless of their wide application in the computing industry, the security issues associated with GPUs have not been given the necessary consideration [4].

Random Access Memory (RAM) analysis is similar to the forensic analysis of GPUs; however, it is concerned with analyzing volatile information from the RAM relating to executable applications, network links, as well as the command history [2]. Like GPU forensics, memory forensics is affected by the fact that RAM, being a volatile memory, loses data immediately when the power is interrupted. However, under certain favorable conditions such as uninterrupted power and the computer not being locked, a forensic investigation of the RAM can still be conducted within a particular time frame and using specialized tools. The forensic analysis of RAM may require copying the RAM’s contents to perform a comprehensive analysis of the memory dump, while in other cases it requires the retrieval of Unicode string content or ASCII [6].

The authors of [7] conducted three experiments, the Color Test, the Line Test, and the Color Map Pattern Test, respectively, to explore the formatting pattern of images. The Color Test, in which different data were introduced onto the screen, was aimed at exploring the data structures of colors within the GPU's memory. The evidence was then collected from the GPU's memory with the help of an enhanced model. The researcher then created eight different color representation squares using Photoshop to prepare the evidence. The squares were given individual values such as 000000, 00FF00, FFFF00, among others. After the analysis of the data structures and the deletion of empty memory spaces, the researcher successfully recovered the photo [7]. The limitations of this paper are that the author only tested one image size, which is 200x200 pixels, and used CUDA, which is limited to NVIDIA GPUs. To improve upon these results, our paper will test different image formats in different sizes using OpenCL, which is supported by multiple GPUs such as AMD, Intel, and NVIDIA.

2.1 Open Computing Language (OpenCL)

OpenCL is a framework used to write programs through its execution across diverse platforms containing CPUs, GPUs, and other processors [3]. OpenCL offers several distinct advantages as compared to CUDA. For example, the mathematical precision in OpenCL is well-defined, whereas in CUDA it is undefined. Furthermore, while OpenCL is supported by many GPU vendors such as AMD, Intel, and NVIDIA, CUDA is only supported by NVIDIA. And lastly, OpenCL provides CPU support, while CUDA doesn't. OpenCL contains certain specific functions that support the execution of commands. These services are necessary for the data transfer between the buffer objects and the host memory. The clEnqueueReadBuffer enqueues commands to read from, or write to, a buffer object to the host memory, while the clCreateBuffer is used to create the buffer object also from the host memory [3]. Both functions, therefore, puts the 'reading' and 'writing' command queue and therefore, they are commanded principal objects. The clEnqueueReadBuffer helps in the data transfer from the buffer object to host memory whereas the writing occurs from the host memory to the buffer. The reading of data by the clEnqueueReadBuffer requires an allocated area of the memory for the data storage, because the function cannot perform the memory allocation by itself.

3 METHODOLOGY

The methodology used for this experiment was built on the workflow defined by [7]. The design process consists of three stages. Stage 1 is to acquire potential unique pixel patterns by first cleaning the GPU's global memory, followed by computing conversion matrices between the image and the data retrieved from the GPU's global memory. Stage 2 simulates the live capture process with the assumption of no noise. The images to be tested were loaded onto the GPU and then captured as a memory dump, which are then restored to possible graphics by applying the unique patterns generated in Stage 1. In Stage 3, if the method is efficient, one of the recovered images will be found visually identical to the image previously loaded onto the GPU in Stage 2.

Figure 1. Design process.

The experiment tests three image formats in three different sizes. The image formats that will be tested are JPEG, TIFF, and BMP. The image sizes that will be tested are 64x64 pixels, 100x100 pixels, and 200x200 pixels. Since memory allocation is difficult to predict, we first clean the memory in Stage 1 and Stage 2 in an attempt to ease the process of locating the dump data of the processed image.

3.1 Generating Patterns

The first step in this experiment is to generate patterns which later will be used to recover any image of the same size as the generated pattern.
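
The Stage 1 to Stage 3 workflow described in Section 3 can be tried offline on fabricated dumps. This is an added example, not the authors' tool: the tiled memory layout that produces the dumps is hypothetical, and all function names are illustrative. It learns a pixel pattern from a calibration image, reuses it on a dump of another image of the same size, and rejects a zero-only dump.

```python
import struct

BYTES_PER_PIXEL = 4  # assumed 32-bit pixels, stored little-endian


def tiled_offsets(width, height, tile=4, gap=2):
    """Byte offset of every pixel (row-major index) under a made-up tiled layout.

    Hypothetical stand-in for a driver's placement: pixels are written tile by
    tile, and each tile is followed by `gap` unused pixel slots.
    """
    offsets = [0] * (width * height)
    slot = 0
    for ty in range(0, height, tile):
        for tx in range(0, width, tile):
            for y in range(ty, min(ty + tile, height)):
                for x in range(tx, min(tx + tile, width)):
                    offsets[y * width + x] = slot * BYTES_PER_PIXEL
                    slot += 1
            slot += gap  # padding slots stay zero in cleaned memory
    return offsets, slot * BYTES_PER_PIXEL


def simulate_dump(pixels, width, height):
    """Fabricate what reading back cleaned global memory would return."""
    offsets, size = tiled_offsets(width, height)
    dump = bytearray(size)
    for value, off in zip(pixels, offsets):
        struct.pack_into("<I", dump, off, value)
    return bytes(dump)


def learn_pattern(calibration_pixels, dump):
    """Stage 1: map each image pixel index to its byte offset in the dump."""
    if not any(dump):
        # The result the paper reports for unsupported drivers: only zeros.
        raise ValueError("dump contains only zeros; nothing to learn from")
    where = {}
    for off in range(0, len(dump) - BYTES_PER_PIXEL + 1, BYTES_PER_PIXEL):
        (word,) = struct.unpack_from("<I", dump, off)
        if word:  # skip the empty memory between tiles
            where.setdefault(word, off)
    try:
        return [where[p] for p in calibration_pixels]
    except KeyError as missing:
        raise ValueError(f"calibration pixel {missing} not found in dump") from None


def recover_image(dump, pattern):
    """Stage 2: apply a learned pattern to the dump of an unknown image."""
    return [struct.unpack_from("<I", dump, off)[0] for off in pattern]


def demo(width=12, height=12):
    """Stage 3: check that the recovered image equals the one that was loaded."""
    calibration = list(range(1, width * height + 1))  # unique, non-zero values
    pattern = learn_pattern(calibration, simulate_dump(calibration, width, height))
    secret = [0xFF000000 | (i * 2654435761 & 0xFFFFFF) for i in range(width * height)]
    recovered = recover_image(simulate_dump(secret, width, height), pattern)
    return recovered == secret, pattern


if __name__ == "__main__":
    identical, pattern = demo()
    print("recovered image identical:", identical)
    print("first offsets of the learned pattern:", pattern[:6])
```

A pattern learned this way is tied to the layout that produced the calibration dump, so a dump taken under a different layout needs a fresh calibration run.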
Figure 3. Pixel patterns for 100x100 image.
Figure 4. Recovered dump data.
3. FA F3 EE FF FA F3 EE FF FA F3 EE FF FA F3 EE FF
4. FA F3 EE FF FA F3 EE FF 00 00 00 00 00 00 00 00

3.3 Image and webpage recovery process

After recovering the pixel patterns shown in Section 3.1 and setting the stage to recover the image, the patterns that store the image data were used to map the recovered image to its original state.

Figure 7. Webpage recovery process.

Since there is no way to know the resolution of the image we want to recover, we assumed that its size is 1024x1024 pixels. The GPU used for this experiment was a GTS450 from the NVIDIA Fermi family. It has high-performance capabilities, with a 2x ability and DirectX 11 geometry processing power, and a maximum memory size of 1,024 MB [5].
NVIDIA GPU GTS450 was tested on three operating systems: Windows 7, Windows 8, and Windows 10.

4 RESULTS

The results of the experiments conducted in Section 3 will be evaluated and discussed in the following subsections.

4.1 Image recovery results

Several images with different sizes and formats were tested in this paper. In order to ensure the accuracy of the results, we tested ten different images for each size to determine if the generated unique pixel patterns are enough to recover the image of the same size or not.

Table 2. The successful results of the image recovery process.

Image size    JPEG    BMP    TIFF
64x64         4       3      3
100x100       4       3      3
200x200       4       3      3

based on the results in Figure 8, there is not one specific pattern for each image size, but rather a set of unique patterns. As shown in Figure 8, the recovered images shift between the four unique patterns generated in Section 3.1. All ten images tested were recovered successfully using just four patterns for the 100x100 pixel image. For the 64x64 pixel image, two unique patterns were discovered, and all the ten different images tested match those two unique patterns as shown in Figure 9.

Figure 9. Unique patterns for 64x64 pixel image.

When testing larger images, the number of patterns increased as shown in table 1.
conclude that the image format does not influence the recovery process.

4.2 Webpage recovery

The webpage recovery process followed the same approach as recovering the images from the GPU, except this time our aim was to test the possibility of recovering artifacts of the last visited webpages. The browser used for this experiment is Google Chrome, and we edited the NVIDIA control panel to enable the GPU to operate whenever the user uses Google Chrome. This was necessary because, by default, when visiting websites, the GPU will not work unless a web extension requires GPU involvement.

Figure 11. Tested Facebook webpage on the left, and the recovered artifacts on the right.

We opened a Facebook account page to test the possibility of recovering any artifacts from the GPU after visiting the webpage. About 40 percent of the webpage content was recovered successfully and with high legibility, although other parts of the recovered webpage, about 60 percent, cannot be read or recognized. In a case where a suspect is under investigation, recovering 40 percent of the last visited page has good potential for solving the case, e.g. in the case of recovering illicit content from the suspect's machine.

4.3 GPU and driver results

Several GPUs and drivers were tested to gain a proper understanding of which GPUs and drivers support the graphics recovery process and which do not.

Table 3 shows the GPUs and the drivers that did not support the graphics recovery process.

Table 3. Unsuccessful recovery attempts.

GPU                   GPU Drivers
AMD Radeon HD 6770    15.7, 14.12, 14.4, 12.1, 13.1, 13.4 amd catalyst
GTX560M               378.49, 353.9
GTX960M               All drivers from 341.81 notebook win10 64bit international To 359.06

In these cases, every time OpenCL tried to collect the dump data, the dump file returned blocks of only zeros, indicating that those sections did not contain any data. To overcome this barrier, [7] used the driver 340.34 which supports the methods presented in this paper.

Table 4. Successful recovery attempts.

GPU        GPU Drivers
GTX560M    340.43
GTS450     340.62

Drivers 340.43 for the GTX560M GPU and 340.62 for the GTS450 support the method presented in this paper. All beta drivers of NVIDIA for Windows 7 and Windows 8 support the method introduced in this paper and allow the data collection process. On the other hand, it was not possible to recover dump data from the AMD Radeon GPU as the return value of the dump file is zero.

4.4 Operating system (OS) results

Several OSs were tested to measure the impact of using different OSs on the GPU forensics process introduced in this paper.

Table 5. Operating system test results.

Operating System         Same identified patterns?         GPU
Windows 7 → Windows 7    No                                GTS450
Windows 7 → Windows 8    No                                GTS450
Windows 10               Couldn't generate any patterns    GTX960

The OSs tested were Windows 7, Windows 8, and Windows 10. The pixel patterns recovered in Section 3.1 were recovered using Windows 7, and once the system was upgraded to Windows 8 the combination of the patterns changed. Therefore, new patterns had to be generated in order to successfully recover the tested image. The recovery attempt on Windows 10 was not successful because the new OS supports only the latest drivers, which, as indicated in Section 4.2, do not support the
2 THE ATTRIBUTES OF SECURITY BREACH

The security breaches were selected according to their number of occurrences in society and according to how dangerous they are. The elements of the energy industry, chemical industry, public administration, and communication and information technologies belong to critical infrastructure. As mentioned above, the research into common attributes targets long-term blackout, terrorist attack, leakage of dangerous chemicals and cyber-attack. If we want to research all typical attributes, we have to focus on the common signs. The common signs reveal the attributes of the security breach types.

2.1 Blackout

Blackout is a phenomenon of the 21st century. This threat grows with the technological dependence and technological progress of society. Currently, electrical energy is used as energy that is easily transformed into mechanical, thermal and light energy. Electrical energy is part of a large number of manufacturing processes, and it is used as a signal in communication and information systems. A blackout usually means a stop of heavy-current systems, but it also means a stop of control and information systems. This is the main reason why this sector belongs among the secured parts of critical infrastructure. The main blackout attributes are:

• Speed of blackout;
• Range of blackout;
• Time of blackout.

The range of a blackout can be assumed to extend from an object (building, area) to a region (state, country). The limit of the blackout time cannot be assumed; there are many cases which lasted a few days and a few weeks too. It can be assumed that when the blackout is caused by another threat (war, civil war), the time of the blackout will be the same as that of the primary threat. The range of the blackout together with the time of the blackout can be marked as attributes which influence the damage caused.

2.1.1. Main Sign of Blackout

The main sign of a blackout is the unavailability of electrical energy, and the reason for the blackout points to the relevance and the options for managing the extraordinary event. A blackout can be caused by a technical problem in production or in the transport network, but also at the final user. A blackout can also be caused by a natural disaster or a serious accident, but also by war or civil war.

The time course is another main sign, and this sign influences the level of damage in the affected area or region. It can be assumed that a blackout may, but need not, cause damage if it lasts just some seconds. By comparison, a blackout causes a really serious problem when it lasts some days and weeks, because electrical energy is really important for medical rescue services, water management, traffic, communication and security.

Restriction of activities and services depends on the technological dependence and technological progress of the society in the blackout area. Technological dependence is understood as society's addiction to electrical energy, because this energy is necessary for work, leisure activities and other daily life. When society is not ready for a blackout, the blackout can cause serious restriction of activities.

Potential damage corresponds to the affected area, the time of the blackout, the technological dependence and the level of the security environment. The damage is determined differently for each object. Personal damage is calculated from damage to property and damage to health. Currently, damage to a company or another legal entity is calculated from damage to property and loss of profits. The damage in the state, the
The target of a terrorist attack is the enforcement of one's own ideas, intimidation, culture, religion, and profit too.

The damage can be defined as the secondary target of the attacker. The secondary target causes enormous damage to health, death, and damage to the environment. The primary target is the enforcement of one's own ideas.

Illegality belongs to every terrorist attack in every society. Illegality is defined in the rule of law, which means that illegality is defined by danger to society and legal punishment. In fact, any activity belonging to the preparation of a terrorist attack is illegal and is subject to the law.

The relevance of a terrorist attack is formed by the threat to the critical infrastructure system and so to society. The level of potential

Performing an attack is a basic sign of a cyber-attack. The target of the attack is controlling the victim's information system. The reason for a cyber-attack is stealing new information, causing damage, and interrupting the functionality of the target or destroying it. A further target can be monitoring the victim's information system and thus searching for information.

The attacker's identity is hidden and everything he does is illegal. The attacker can be one person, but he can also be a person who works for a group of people, for a company or for a state service. The attacker can also be more than one person. The level of the attack is influenced by the knowledge, experience and other possibilities of the attacker. There are two types of cyber-attack. The first type uses social engineering. The second type is an attack
when someone uses the knowledge of IT or software engineering.

universal asset. We suppose that it is the right way to maximal protection.
5 THE CONCLUSION
REFERENCES
Anderson Araújo, Loriza Melo, Luiz Henrique Andrade, Jansen Fonseca, José Ney Lima, Juliana
Moreira, Rodrigo Maeda, Tássio Silva
The MGR-SISP processes and activities generate information that must be evaluated and validated (usually by a role at a higher risk management level) at the end of the process or activity. Repetitions of information and decision-making activities are also foreseen, as are repetitions of processes where information is inadequate or insufficient to support decision-making.

The MGR-SISP also establishes roles (actors), according to the idea described in NIST 800-39, 2011 [8], with actions and responsibilities at all levels of the organization, namely: i) Representatives of the High Administration; ii) Risk Managers; iii) Responsible for Organizational Units; and iv) Asset Owners.

3.2 Processes and Activities

Figure 2 shows the workflow of the MGR-SISP processes. The processes and activities, described briefly below, are carried out with the support of FAMGR-SISP.

Figure 2. Workflow of the MGR-SISP

Context Establishment (CE)

This process addresses the points to be defined before MGR-SISP and FAMGR-SISP start to be used in the organization. The main activities and tasks are:
• To define roles and responsibilities and to allocate human resources.
• To define the goals of ISRM, its scope, and its constraints.
• To conduct a pre-analysis of the organization. This is the application of an evaluation questionnaire based on the Safety Level Assessment Method [10].
• To carry out a pre-analysis of the organizational units. This is also the application of an evaluation questionnaire, in each unit (sector). The goal is to evaluate the critical level of its primary assets (business processes and information) related to the attributes Confidentiality, Integrity, Availability, and Authenticity on a scale between 1 and 5.
• To define criteria. This defines support questions that guide the evaluations to be carried out in later activities, in which the consequences and probabilities of risks are identified in 5 classes (according to NIST 800-30, 2011) [9]:

1 | Very Low | VL
2 | Low | L
3 | Moderate | M
4 | High | H
5 | Very High | VH

The information generated by this process is the basis for all subsequent actions.

Risk Identification (RI)

This process identifies the existing risks and the adequacy of the controls used by each organizational unit. It gathers several pieces of information (simultaneously and independently), which are validated by the Risk Manager.

The heads of each organizational unit (and/or asset owners) must identify and document the assets (business processes, hardware, software, physical locations, etc.) and their related information. FAMGR-SISP filters, from a generic list of threats, those that apply to each type of asset in order to facilitate the identification and description of threats associated with the assets. Similarly, for each threat, FAMGR-SISP filters, from a generic list of controls, those that protect the asset from the threat. The status of each control should be investigated, documented, and evaluated as follows: not implemented, implemented, or not applicable. Finally, for each non-implemented control, FAMGR-SISP filters from a generic list of vulnerabilities those related to the lack of controls for the threats to the assets, also assisting in the identification and documentation of vulnerabilities. All the information is consolidated in a Risk Map.
Risk Analysis (RA)

This process estimates each identified risk and must be performed in each organizational unit. It can also be executed simultaneously and independently.

It begins with the identification and evaluation of possible risk consequences. For each asset and threat (a risk), the FAMGR-SISP presents registered support questions, so that the person responsible can estimate the consequence of the risk for each attribute (Confidentiality, Integrity, Availability and Authenticity), associating it with a class (VL, L, M, H, VH). The same is true for probability estimation, by associating the risk with one of the classes (VL, L, M, H, VH). The consequences of the risks and the justifications for the estimates should be documented. Based on the estimates made, the FAMGR-SISP generates (by applying a consequence-probability matrix) the estimate of the level (numerical value between 1 and 9) and the class (VL, L, M, H, or VH) for each risk. Estimates are generated separately in each unit of the organization.

The Risk Map is updated by associating one level with each risk (threat to asset).

Risk Evaluation (RE) and Risk Treatment (RT)

In these processes the risks are evaluated and treated. The risks of all the organizational units are consolidated in a single Risk Map, which presents all risks sorted by level in decreasing order. At this point, it is decided whether to return to previous processes for more information or to refine them.

All information is used to make decisions about how to treat each risk: reduce, retain,

The consolidated and ordered Risk Map with risk treatment options and respective estimates is used to make decisions about the treatments to be performed. Decisions should be documented, as well as the way to monitor the risks. Finally, Risk Management Plans (RMP) should be developed and allocated to a role.

Risk Communication (RC) and Risk Monitoring (MR)

These processes address communication and monitoring activities, which are embedded in the other processes and are also supported by FAMGR-SISP. In addition to these, we highlight the activities to monitor the execution status of the RMPs, to monitor the risks and to identify the need for reassessments.

4 THE ARCHITECTURE OF THE FAMGR-SISP

The FAMGR-SISP is a service that will be provided by the cloud computing of the Secretariat of Information Technology of the Brazilian Ministry of Planning, Development and Management. It is available for all Brazilian Public Agencies, including, as a future prospect, public agencies from other units of the federation, from the judicial system and from the legislative branch. Figure 3 presents the architecture of the FAMGR-SISP.

[Figure 3: architecture of the FAMGR-SISP. Recoverable labels: Public Agencies of Municipalities, Public Agencies of States, Judicial System, ISRM.]
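The Risk Identification, Risk Analysis and Risk Evaluation steps described above, traced in Python as an added example that is not FAMGR-SISP's own code. The catalogue entries, the matrix formula (level = consequence + probability - 1), the level-to-class bands and the worst-attribute rule are assumptions, because the page does not print the matrix or the generic lists.

```python
from dataclasses import dataclass, field

# Five estimation classes named on the page, as ordinal values.
SCALE = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}
ATTRIBUTES = ("confidentiality", "integrity", "availability", "authenticity")
STATUSES = {"implemented", "not implemented", "not applicable"}

# ASSUMPTION: the page does not print the consequence-probability matrix.
# level = consequence + probability - 1 spans exactly the stated range 1..9.
MATRIX = {(c, p): c + p - 1 for c in range(1, 6) for p in range(1, 6)}
# ASSUMPTION: bands that map a 1..9 level back to a class.
BANDS = [(2, "VL"), (4, "L"), (5, "M"), (7, "H"), (9, "VH")]

# Constructed generic lists (not the tool's real catalogues).
THREATS = {"software": ["malicious code", "unauthorised access"],
           "hardware": ["power failure"]}
CONTROLS = {"malicious code": ["anti-malware", "patch management"],
            "unauthorised access": ["multi-factor authentication"],
            "power failure": ["uninterruptible power supply"]}
VULNERABILITIES = {"anti-malware": "hosts run without malware detection",
                   "patch management": "known flaws stay unpatched",
                   "multi-factor authentication": "password-only logins",
                   "uninterruptible power supply": "no backup power"}


@dataclass
class Risk:
    unit: str
    asset: str
    threat: str
    vulnerabilities: list = field(default_factory=list)
    level: int = 0
    risk_class: str = ""


def identify_risks(unit, assets, control_status):
    """Risk Identification: filter threats by asset type, controls by threat,
    and vulnerabilities by the controls that are not implemented."""
    risks = []
    for asset, asset_type in assets.items():
        for threat in THREATS.get(asset_type, []):
            risk = Risk(unit, asset, threat)
            for control in CONTROLS[threat]:
                status = control_status.get((asset, control))
                if status not in STATUSES:
                    # Every control status must be investigated and documented.
                    raise ValueError(f"{unit}: status of '{control}' for '{asset}' missing")
                if status == "not implemented":
                    risk.vulnerabilities.append(VULNERABILITIES[control])
            risks.append(risk)
    return risks


def analyse(risk, consequences, probability):
    """Risk Analysis: one class per attribute plus a probability class
    give the level (1..9) and the class of the risk."""
    missing = [a for a in ATTRIBUTES if a not in consequences]
    if missing:
        raise ValueError(f"no consequence estimate for {missing}")
    # ASSUMPTION: the worst-rated attribute drives the consequence.
    worst = max(SCALE[consequences[a]] for a in ATTRIBUTES)
    risk.level = MATRIX[(worst, SCALE[probability])]
    risk.risk_class = next(name for top, name in BANDS if risk.level <= top)
    return risk


def consolidate(*unit_maps):
    """Risk Evaluation: merge the unit Risk Maps, sorted by decreasing level."""
    merged = [r for unit_map in unit_maps for r in unit_map]
    return sorted(merged, key=lambda r: r.level, reverse=True)


def demo():
    """Two constructed units analysed independently, then consolidated."""
    it = identify_risks("IT", {"payroll app": "software"}, {
        ("payroll app", "anti-malware"): "implemented",
        ("payroll app", "patch management"): "not implemented",
        ("payroll app", "multi-factor authentication"): "not implemented"})
    ops = identify_risks("Operations", {"server room": "hardware"}, {
        ("server room", "uninterruptible power supply"): "not applicable"})
    analyse(it[0], dict(confidentiality="M", integrity="H",
                        availability="M", authenticity="L"), "M")
    analyse(it[1], dict(confidentiality="VH", integrity="H",
                        availability="L", authenticity="VH"), "H")
    analyse(ops[0], dict(confidentiality="VL", integrity="VL",
                         availability="L", authenticity="VL"), "VL")
    return consolidate(it, ops)


if __name__ == "__main__":
    for r in demo():
        print(r.level, r.risk_class, r.unit, r.asset, r.threat, r.vulnerabilities)
```

A control left without a documented status raises an error instead of being silently treated as implemented, which keeps an incomplete Risk Identification from producing an optimistic Risk Map.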
Miroslav Budín
Tomas Bata University in Zlín, Czech Republic
budin@fai.utb.cz
premises intended for animal breeding as well as those intended for zoo operations.

The legislation that governs the operation of zoos is based on the requirements of the directives and regulations of the European Union and the European Commission. European law is based on the United Nations Universal Declaration on Animal Welfare, which was drafted by WSPA, a global organization for the protection of animals. The goal of uniform legislation is to secure adequate protection for animals not only in countries of the European Union but also in terms of animal conservation on the planet. The EU legislation also creates conditions for Europe's zoos to participate in global animal protection programmes.

Zoos are such complicated facilities that legislation and normative requirements from a wide range of fields must be applied, from zoology to medicine, the establishment and operation of premises, and, last but not least, regulations on science, research, and education.

2. BASIC ASPECTS OF PHYSICAL SECURITY OF OBJECTS

Guaranteeing physical security on zoo premises is a complicated and continuously evolving process. Zoos are vulnerable to a wide variety of contemporary threats, such as terrorist attacks, assault, theft of rare plants and animals, drugs, and funds, various activities of sexual deviants, and misdemeanours, for example pickpocketing. Modern devices and methods of physical and electronic premises security are available to counter these modern-day threats.

2.1. Regime measures

The purpose of regime measures is to establish principles, rules, authorization for the movement of employees and other persons throughout the zoo premises, the methods for handling important security elements, rules for conducting security checks, etc. [3].

Zoos require establishment of regime measures for the rules governing:
• movement of zoo employees, part-time workers, interns, etc.;
• movement of visitors, children, and disabled persons;
• movement of employees of vendor companies, including movement of materials, goods, utility services, etc.;
• zoo employee alcohol and/or drug testing;
• movement of medical personnel and accompanying individuals;
• securing the transfer of animals outside of their pavilions;
• physical security activities;
• provision of regular worker training;
• safeguarding the operation, regular inspection, and maintenance of technological security devices.

2.2. Physical security

Security guards provide both permanent and temporary surveillance on zoo premises. With respect to the character and operation of such premises, this is a nonstop, multiple-shift service.

Zoos are also visited in great numbers by foreign tourists; therefore, it is necessary that selected security personnel speak at least one world language, especially workers providing security at the main entrance, carpark, certain pavilions, and at least one member of the field response team.
3. ANALYSIS OF PROPERTIES OF CHARACTERISTICS OF ZOO PREMISES WITH RESPECT TO SECURITY POSSIBILITIES

Assessing the collective characteristics of zoo premises will be carried out by means of analysis of characteristics. The goal of this analysis is also to extract information and then obtain realistic data for creating a

The chart of resulting values shows that the size of the model zoo premises is 40 hectares situated at the edge of a city. The number of species is 400 of a total number of 2,200 captive animals. The zoo premises is cared for by 110 employees. An access road leads to each zoo to its carpark, which
is near the main visitor entrance. In addition to the road, there are also a tourist path and bike path that lead to the zoo. The majority of the buildings are brick or wood. The model zoo premises will also include buildings with glass walls and other building materials.

Figure Nr. 1 Comparison of selected zoos

The column graph shows that for the representative sample from across the Republic, three larger and three smaller zoos were chosen. The resulting values demonstrate that there is no direct proportionality between the number of employees, the number of species, and the total number of individual captive animals.

Figure Nr. 2 Location of selected zoos

The location of the selected sample zoos is divided equally according to the stipulated criteria. In general, the selection of locality for a zoo depends on many factors, but does not depend on city size. In the case of the selected samples, there is a zoo situated near the centre of the largest and smallest city.

The analysis of the selected zoos demonstrates that each zoo is unique, thus the values obtained for creating the premises model are crucial to the design of a technological security system. If we choose entry values for the analysis based on inadequate criteria, the results can have a negative impact on, for example, insufficient requirements for the provision of physical security. The future design of the technological security system may then contain weaknesses or even faults.

4. SECURITY ASSESSMENT OF THE PREMISES MODEL

Security assessment is part of the first stage of the process of establishing warning, security, and emergency systems during which analysis is conducted on secured values, buildings, and internal and external influences that might affect the warning, security, and emergency system.

The main objective of the security assessment is to determine, based on risk analysis and assessment of other influences, the required level of security as the starting point for designing the system. [2]

Using the analysis of the characteristics of the selected zoos in the Czech Republic, a premises model was created with the parameters hereunder, which will serve as the basis for the security assessment.

Table. Nr. 2 Input parameters of the model object

4.1. Level of security

According to Czech technical standard ČSN EN 50 131-1, ed. 2, zoos are classified as level 1 security facilities. On the zoo premises, however, there are
structures that the standard classifies at the following levels of security:
• Archive, registry: security level 2 - 3
• Cafeteria (no kiosk): security level 2
• Pharmaceutical, medical supplies: security level 2 - 3
• Ticket office, safe: security level 2 - 4
• Security command centre: security level 3

4.2. History of theft, other incidents

Analysis of the history of theft and other criminal acts confirms that zoos are the target of theft, and not only of animals; zoos are of interest to a variety of criminals. Damage assessments do not always represent realistic values or actual damage. If a zoo has devoted itself to an animal for several years, the damage is, from a breeding standpoint, inestimable.

remote buildings or sections of them and their surroundings.

4.4. Other factors

The interior spaces of technical buildings with increased fire risk and gas boiler rooms and adjacent spaces should be designated Environments with Class II Explosion Danger. When designing a technological security system, it is necessary to adhere to all regulations and normative standards.

From the standpoint of assessing the effects of the environment, animal pavilions represent a heavy burden to the components of technological security systems in the form of high humidity, temperatures, lighting, draughts, etc. In addition to demanding climatic conditions, pavilions for tropical animals contain moving plants. In their behaviour, animals present a great risk of damage both to components and cabling.
of technological security. The person preparing the design chooses from technologies currently available on the market and assigns them to specific buildings or sections of buildings.

5.1. Outer perimeter security

Fencing, reinforced concrete wall or chain-link fencing with digging barrier, height 3 m.

Detection cables generally comprise two coaxial cables, one functioning as a transmitter (Tx), the other acting as a receiver (Rx). Slits are created in the shielding of the transmitter cable that allow electromagnetic energy to escape. Thanks to the slits in the shielding, this energy is detected by the parallel receiver coaxial cable. The electromagnetic field created around the detection cables creates a detection field, which also extends above the ground. [3] Detection cables can be laid in soil, concrete, or asphalt. The system management software can differentiate between human and animal. The outer perimeter can also be divided into individual zones depending on irregularities in the premises border and terrain complexity. Locating intruders is accurate to within one meter.

Outer perimeter security installations can also make use of excavation work for laying outer perimeter warning, security, and emergency systems, CCTV camera points, utility lighting, and electronic access control for entrances and gates.

5.2. Administration building

Inner perimeter security will not be applied universally but rather only to those spaces with a higher security classification, such as the economics department, ticket office, archive, and security command centre. The windows of these spaces will be fitted with security bars. The exterior of buildings that make up the outer perimeter will be fitted with exterior cameras.

The entrance to the administration building will be fitted with an access system scanner, surveillance camera, and alarm, security, and emergency system control panel. Motion detectors will be installed in offices and hallways. Access control scanners and door locks will be used for the director's office, meeting rooms, the economic department, ticket office, etc. Control panels will be located in the hallways so that employees can execute necessary user commands on their floor.

5.3. Predator pavilion

The entrance to the predator pavilion will be equipped with a contactless card scanner, electronic lock, and surveillance camera. The interior spaces will be monitored by means of fixed cameras and other interior security elements. Arming and disarming the security alarm system will be conducted by means of the entry scanner. Openings in the structure of the utility section of the pavilion will be fitted with security bars.

The predator pavilion will be equipped with fire detectors and acoustic fire alarms. The alarms will be positioned so that animals are not subjected to unnecessary stress in the event of evacuation.

5.4. Cabling requirements

In spaces where there are animals, cabling must run beneath either the plaster or other form of protection against thieving animals.

5.5. Physical security

Vehicle entry to the zoo premises will be authorized only for those with permission from the zoo director and at times approved in advance. The rear gate may be opened only during regular hours of operation.
Permanent security in the zoo must be provided for the following spaces:
• main entrance and vehicle entry gate;
• patrol activities;
• surveillance centre (security command centre);
• field response team of at least 2 security workers.

Temporary security in zoos is possible:
• in animal pavilions during opening hours;
• in public buildings with fixed opening hours;
• in public spaces, pathways;
• in carparks.

6. SELECTED ANIMAL CHARACTERISTICS AND ABILITIES

Thanks to the ability and diversity of nature, animals differ from other forms of life in ways that are often diametrical and even incomprehensible to us. Unlike humans, animals are capable of sensing subtle vibrations in the ground. This means they can feel earthquakes and other natural catastrophes. Thanks to sensitive perception of the planet's magnetic field, animals are able to navigate unknown territory with ease.

6.1. Mammals

• the African elephant can reach objects as high up as 6 m. The giraffe is the same height. In the pavilions of these animals, cameras and detectors must be installed with consideration for the height of these animals;
• the rhinoceros is more active at night than in the day and is irritated by bright colours, especially red. The LED diodes in infrared camera lighting shine red;
• the monkey is very agile and explores everything of interest and causes damage to it. In the monkey pavilions, runs, and surrounding areas, no security elements can be installed that might irritate or harm the monkeys;
• horse hearing: 31-46000, elephant hearing low frequency 5 - 24 Hz;
• bats emit signals from frequencies of 15 Hz to 120 kHz, which they use to hunt and navigate. Their audio and hearing system works like an echolocator, in human terms radar or sonar. It is not recommended to install ultrasound motion detectors, for example, in the vicinity of bats;
• horse hearing ranges from 31 Hz to 46 kHz, thus the same rules apply as for bats;
• sharks have passive perception of electric fields.

6.2. Birds, other animals

• Parrots need to sharpen their beaks, so they are constantly biting something; therefore, no perimeter security system components can be installed in their aviaries;
• birds see light in the ultraviolet spectrum;
• snakes see light in the infrared spectrum;
• low frequency hearing in elephants ranges from 5 to 24 Hz, so they can hear sounds from several kilometres away.

7. MODERN TECHNOLOGICAL SECURITY DEVICES

Modern technological security devices available for application in zoos include
Abstract

In order to tackle the slow adoption of cloud service by SMEs, a semantically engineered framework, which is modelled based on a case study of advertised cloud service provider offerings, is proposed. A novel version of the Analytical Hierarchical Process (AHP), which is a traditional multi-criteria decision method (MCDM) for solving complex comparison problems, has been created. This new technique is used to tackle the rank reversal problem associated with the traditional AHP method. The ontology issue associated with cloud service recommendation was solved by introducing an acceptable standard for each cloud service attribute. This new framework with the protocol uses rational relationships to facilitate an effective cloud service ranking process, which was verified and evaluated using Protégé, the ontology editor.

Keywords:

SaaS, Ontology, AHP, DSS, SME, service ranking, Knowledge Management

1- Introduction

Cloud computing in recent years is one of the biggest breakthroughs in technology. A large number of cloud service providers exist, each prioritising different aspects of cloud services (Google mail, Google App Engine, Amazon EC2) provided by Google and Amazon respectively [1]. To remain competitive in cloud technology offerings, these service providers have made an effort towards easy accessibility to their services, which are known to offer benefits such as reduction in operational cost and eradication of upfront investment for businesses. However, despite their efforts, Small and Medium scale Enterprises (SMEs) are still slow in the adoption of this technology [2, 3, 4].

Cloud services are divided into three layers [5]: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The top layer focuses on application services (SaaS), which is the cloud interface that allows computer users to access software services using a web browser or thin client computer. The PaaS layer is the application and software environment layer that is built on the lower layer known as the IaaS layer. The upper layers are developed and provided by third party service providers, while the service providers of the IaaS are different as they focus more on the datacentre provision [6]. Depending on the needs of an organisation, SaaS services are adopted based on service application needs, for example the Customer Relationship Management (CRM) application provided by Salesforce [7]. PaaS provides a platform for adoption in instances where a business is interested in the development of other applications, for example the Google App Engine [8]. The IaaS layer offers on-demand storage in terms of incremental scalability of computer resources [5].

Furthermore, based on the characteristics of cloud computing services, businesses that try to adopt this technology need to know what service will be most appropriate for their operations, e.g. (memory size, subscription cost, operating system, security, trust), and how to rank the available services from various service
providers that render similar services. To address this problem, different frameworks [9, 10] and Management models have been proposed [11, 12]. The paper [13] was the first to initiate the application of semantic modelling towards cloud adoption but it was limited to only classification. In the paper [14], a semantically based approach is proposed to tackle the slow adoption of cloud services. It states that Semantic web ontology can enable a higher degree of automation for both functional and non-functional aspects of cloud services. This paper uses the cloud service concept to model a semantically engineered framework, which can be used for cloud service ranking with service recommendation to facilitate effective service adoption decision making. The developed semantic model (ontology) is built based on a set of semantic rules to aid SMEs in the cloud service adoption process, thereby selecting the most relevant service that meets their business process requirement.

The rest of this paper is organized as follows: section 2 discusses related works and section 3 explains the methodology used. Section 4 reviews the Ranking Protocol while section 5 describes the case study. Section 6 discusses the Decision support middleware framework and Section 7 reviews the Service Ranking. Finally, sections 8 and 9 present the Evaluation and the Conclusion and future works.

2. Related works

An increase in awareness of cloud computing has led many researchers to propose various frameworks to give businesses a better understanding of the cloud technology. For instance the work of [9] proposes a framework which gives businesses the ability to analyse and determine if cloud computing services will have a positive impact on their business operation. The work of [10] proposes a method for measuring the quality of cloud service based on two significant aspects, namely their availability and performance of service. These metrics are used by customers for the evaluation of cloud offerings based on their ability to meet user Quality of Service (QoS) requirements. Our work complements these previous works by measuring and evaluating the QoS offerings advertised by different cloud service providers according to how they meet user requirements. Although the evaluation and ranking of various cloud services are in their preliminary stage in cloud computing, in other computing areas such as web services the concept is widely used. The most related work in the field of cloud services ranking was done by [15, 16]. Their research also proposed a similar approach, which is based on the AHP concept for the classification of cloud services. However, they focused more on the Infrastructure as a Service (IaaS) aspect of cloud services offerings. Our work also adopted an extended version of the AHP concept for the comparison of the superiority of one cloud service attribute over another, by assigning weights to each criterion and adopting an acceptable benchmark for each attribute. This leads to the introduction and formalisation of cloud service ranking. Although our work focuses on the SaaS storage aspect of cloud services, in addition it assigns sets of rules that a cloud service must attain to be ranked between 5 star and 1 star. Again, our ranking is represented in a decision support system equipped with an ontology to aid SME owners in the decision making towards cloud services adoption. The work of [17] proposed an ontology web language (OWL) for cloud computing ontology (CoCoon) that defines the functional and non-functional concepts, attributes and relationships of IaaS cloud offerings. Again [18] proposed
The selection of SaaS storage is based on focus group session with SME owners from which several parameters were
four top SaaS cloud services used in this

Applications (Interoperability), Operating system supported: Windows, Mac, Android and iOS | Windows, Mac, Linux, Android, iOS | Windows, Mac, Android and iOS | Windows, Mac, Android and iOS
Trust
Access rights
Security
SLA | SLA | SLA | SLA
adjustment: No | Unlimited | User restriction | No
= =
( )
The relative ranking vector for file size restriction (FSR) is determined as
=( )
Then the relative ranking vector for free storage (FS) is determined as:
=( )
The relative ranking vector for security (SE) is determined as
=
( )
Then the relative ranking vector for Trust (TS) is determined as
=( )
Then the relative ranking vector for Bandwidth Adjustment (BA) is determined as
=( )
Finally the relative ranking vector for Office via Web (OVW) is determined as
=( )
Furthermore, the combined RSRV for all the KPI in the case study is determined. The resulting RSRV for each attribute is set as the acceptable standard that each service attribute must attain for a cloud service to be recommended for adoption. This is demonstrated in the proposed semantic ontology. See appendix 1
=
( ) ( ) ( ) ( ) ( )
[ ]
( ) ( ) ( )

( )
( )
In the next section, we show our middleware architecture and we demonstrate how our middleware aids in service recommendation based on a set of reasoning techniques and our service ranking based on a set of semantic rules, in aiding cloud service adoption decision.

6. Decision Support System Architecture

The decision support system architecture depicts the sequence of activities that takes place within the DSS when a user sends a requirement. In order to complete the proposed framework, an ontology of SaaS storage cloud services is added. This ontology holds information about cloud services advertised by service providers and is used by our system algorithms to retrieve user requirements. The developed cloud service ontology has been tested on Protégé software, which is an ontology editor, to check consistencies as explained in the remainder of this section.
The system architecture consists of the following components: Graphical User Interface, query processor, Similarity reasoning domain, cloud service knowledge management () and service ranking. First, the SME owner/manager sends their requirements to the middleware from the graphical user interface. The decision support system carries out the following functions depending on the user request: 1) Query processing 2) Similarity reasoning 3) Similarity matching 4) Cloud service ranking.

6.1.1. Query Processing: When a user requirement is sent from the SME owner/manager via the graphical user interface, the query processor initiates query processing and converts the query to machine readable format. Then the processor sends the processed query to the similarity reasoning component for further processing based on the required information.

6.1.2. Similarity Reasoning: The processed query initiates the similarity reasoning process. This is done by consulting the cloud service ontology. The similarity decision is based on the type of information the processed query seeks to fetch. An example of similarity reasoning is concept similarity reasoning as presented in Fig 4.

Concept Similarity Reasoning: This is based on the conceptual modelling of the ontology to meet user requirements. The presence of the Pellet reasoner within the ontology editor (Protégé) aids the DSS to undergo conceptual reasoning by consulting the ontology to retrieve accurate information using system algorithms to meet user requirements. To show that our DSS equipped with a semantically designed ontology of cloud services can undergo conceptual similarity reasoning in an attempt to answer user requirements, consider the case study presented in Table 2, in which an SME owner intends to adopt a cloud service for his data storage with a budget of 2 Dollars per month for 100GBs of storage and consults the proposed middleware for decision making. The user requirement can be summarised as follows. The cloud service required by the user is a SaaS cloud service with a storage of 100GB and a price value of 2 Dollars. The conceptual modelling is designed within the system following the RDF format of Subject, Predicate and Object statements, with Subject and Object representing the domain and range of the predicate, which helps us to translate the user requirement into machine language as follows: (DOMAIN: SaaS, Data Property: hasPaymentplan1price, Range: Integer). To get our user requirement, the following query is processed in machine readable format as (SaaS and hasPaymentplan1price value 2 and haspaymentPlan1GB value of 100). The query is translated to lay terms as follows (Software as a service with a payment plan of 2USD for 100Gigabyte of data per month). Please note that the price value is in USD/Month and the storage in GB (Gigabyte).

Fig 4: Example of conceptual similarity reasoning.

7. Cloud Service Ranking

The service ranking is done using the 5 Stars, 4 Stars, 3 Stars, 2 Stars, as explained in service ranking protocol in section 4. In this section we show the use of semantic rules (Fig 5) within the system in machine
readable form, while Fig 6 shows a query execution listing Service B as the only SaaS storage service to attain the 5 star service rank.

Fig 5: Showing Rules within the system

Below is a system query executed to show the services that meet the 5 star SaaS service ranking.

Fig 6: Showing Service B as the only SaaS to meet the 5 Star ranking.

8. Construct Validity Evaluation

Construct validity method is the degree to which a test measures what it claims or proposes to measure [22]. In this paper, a confirmatory case study as presented in Table 2 as well as the proposed evaluation benchmarks presented as
as obtained in section 5 in view of assessing the proposed model ontology with specific emphasis on its validity and completeness [23,24,25]. An exploratory case study of four major SaaS storage applications cloud services was adopted. As the research framework proposes a knowledge management domain, service recommendation domain and service ranking for cloud service adoption by SMEs.

9. Conclusion and Future work

Cloud computing is a technology that provides services over the internet just like public utilities. Many cloud service providers present cloud services in their own format as there is no standardisation for representing cloud services.

This research work presents a framework that aids in the SaaS storage cloud service application adoption by measuring the quality of service attributes advertised by SaaS cloud service providers. Also, this paper proposed the use of an extended version of Analytical Hierarchical Processes (AHP) to rank each cloud service. Finally, this paper proposed the use of a decision support system equipped with a semantic model of advertised SaaS cloud services and cloud service rankings. From the findings, in a bid to understand how service providers meet user requirements, only cloud service B (not real name) met the highest rank of 5 star.

In future work, an extended version of the quantifiable quality of PaaS and IaaS cloud services in terms of performance from a user perspective as well as developing a system that can be used to aggregate the QoS configuration between cloud service layers in different applications.

References

[1] Jagannathan, S.: 'Comparison and Evaluation of Open-source Cloud Management software'. KTH Royal Institute of Technology, Stockholm, Sweden, 2012.

[2] Aljabre, A.: 'Cloud Computing for Increased Business Value'. International Journal of Business and Social Science, 2012, 3(1), pp. 234-239.

[3] Ashwini, R., K. Sanjay, M. Sanjay and T. Rahul: 'Decision Point for Cloud Computing in Small, Medium Enterprises (SMEs)'. Proceedings of 7th International Conference for Internet Technology and Secured Transactions (ICITST-2012), pp. 688-691.

[4] Khan, S.U.: 'Elements of Cloud Adoption'. IEEE Journal on Cloud Computing, 2014, 1(1), pp. 71-73.

[5] Buyya, R., C.S. Yeo, J. Venugopal, J. Broberg, I. Brandic: 'Cloud Computing and Emerging IT Platform: Vision, Hype and Reality for Delivering computing as the 5th Utility'. Future Generation Computer Systems, 2009, 25(6), pp. 599-616.

[6] Fortis, T., V.I. Munteanu, V. Negru, 2012. Towards an Ontology for Cloud Services. IEEE 6th International Conference on Complex, Intelligent and Software Intensive Systems, pp. 787-792.

[7] Cusumano, M.: Cloud Computing and SaaS as New Computing Platforms, Communications of the ACM, 2010, 53(4), pp. 27-29.

[8] Ciurana, M.: 'Developing with Google App Engine'. Apress, Berkeley, CA, USA, 2009.

[9] Ebneter, D., S.G. Grivas, T.U. Kumar, H. Wache: Enterprise Architecture Framework for Enabling Cloud Computing. IEEE 3rd International Conference on Cloud Computing, 2010, pp. 542-543.

[10] Boa, D., Z. Xiao, Y. Sun, J. Zhao: 'A Method and Framework for Quality of Cloud Services Measurement'. 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE), 2010, pp. 358-362.

[11] Misra, S.C., A. Mondal: 'Identification of a company's suitability for adoption of Cloud computing and modelling its corresponding Return on Investment'. Mathematical and Computer Modelling 2014, 53(2011) 504-521.

[12] Takabi, H., J.B.D. Joshi, G. Ahn: 'SecureCloud: Towards a Comprehensive Security Framework for Cloud Computing Environment'. 34th Annual IEEE Computer Software and Applications Conference Workshops, 2010, pp. 393-398.

[13] Youseff, L., M. Butrico, and D. Da Silva: Towards a Unified ontology of cloud computing, in Grid Computing Environments Workshop, GCE 08, Nov 2008, pp. 1-10.

[14] Zhang, M., R. Ranjan, A. Haller, D. Georgakopoulos, M. Menzel and S. Nepal: An ontology-based system for cloud infrastructure services discovery. Proceeding of 8th International Conference on Collaborative Computing: Networking, Applications and Work sharing (CollaborateCom), 2012, pp. 524-530.

[15] V. Tran, H. Tsuji, R. Masudu, A new QoS ontology and its QoS-based ranking algorithm for web services, Simulation Modelling Practice and Theory 17(8) (2009) 1378-1398.

[16] S. Garg, S. Versteeg, R. Buyya, A Framework for Ranking of Cloud Computing Services. Future Generation Comp. Sys. 2013, 29(4):1012-1023.

[17] M. Zhang, R. Ranjan, A. Haller, D. Georgakopoulos, M. Menzel, S. Nepal, An ontology-based system for cloud infrastructure services discovery. Proceedings of 8th International Conference on Collaborative Computing: Networking, Applications and Work sharing (CollaborateCom), 2012, pp. 524-530.

[18] A. Ali, M. Shamsuddin, F. Eassa, 'Ontology-Based Cloud service Representation'. Research Journal of Applied Sciences, Engineering and Technology, 2014, 8(1):83-94.

[19] T. Chen, R. Bahson, Self-Adaptive and Sensitivity-Aware QoS Modelling for the Cloud. IEEE SEAMS 2013, San Francisco, CA, USA.

[20] D. Menasce, A. Silberstein, E. Tam, R. Ramakrishnan, R. Sears, Benchmarking cloud serving systems with YCSB, in Proceedings of the 1st ACM Symposium of Cloud Computing, Indiana, USA, 2010.

[21] T. Saaty, Theory and Applications of Analytic Network Process, vol. 4922, RWS Publications, Pittsburgh, PA, 2005.

[22] S.E. Cashin and Elmore, P. B. (2005) 'The Survey of Attitudes toward Statistics scale: A construct validity study', Educational and Psychological Measurement, 65(3), pp. 509-524.

[23] D. Mann (2001) 'Laws of system completeness', TRIZ Journal, May.

[24] S.A. Cook (1978) 'Soundness and completeness of an axiom system for program verification', SIAM Journal on Computing, 7(1), pp. 70-90.

[25] Suwa, M., Scott, A. C. and Shortliffe, E. H. (1982) 'An approach to verifying completeness and consistency in a rule-based expert system', AI Magazine, 3(4), pp. 16.
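
The query translation described under Concept Similarity Reasoning (section 6.1.2), as an added example that is not code from the paper: a small Python evaluator for the class expression `SaaS and hasPaymentplan1price value 2 and haspaymentPlan1GB value of 100`, which checks each restriction against the declared domain and range before any lookup. The individuals S1 to S4, their values, the declaration of the GB property and the closed-world matching are assumptions; the paper's system consults its ontology through the Pellet reasoner.

```python
import re

# Data-property declarations as (domain class, range type). Only hasPaymentplan1price
# is declared on the page; the GB property's declaration is assumed to mirror it.
SCHEMA = {
    "hasPaymentplan1price": ("SaaS", int),
    "haspaymentPlan1GB": ("SaaS", int),
}

# Constructed individuals: names, classes and values are invented.
INDIVIDUALS = {
    "S1": {"type": "SaaS", "hasPaymentplan1price": 10, "haspaymentPlan1GB": 1000},
    "S2": {"type": "SaaS", "hasPaymentplan1price": 2, "haspaymentPlan1GB": 100},
    "S3": {"type": "SaaS", "hasPaymentplan1price": 2, "haspaymentPlan1GB": 50},
    "S4": {"type": "IaaS", "hasPaymentplan1price": 2, "haspaymentPlan1GB": 100},
}

# "<property> value <literal>"; the optional "of" accepts the page's wording.
RESTRICTION = re.compile(r"^(\w+)\s+value\s+(?:of\s+)?(\S+)$")

def parse_query(text):
    """Split 'Class and prop value N and ...' into (class, {prop: value})."""
    wanted_class, restrictions = None, {}
    for part in re.split(r"\s+and\s+", text.strip()):
        match = RESTRICTION.match(part)
        if match:
            prop, raw = match.groups()
            if prop not in SCHEMA:
                raise ValueError(f"undeclared data property: {prop}")
            try:
                restrictions[prop] = SCHEMA[prop][1](raw)  # enforce the range
            except ValueError:
                raise ValueError(f"{prop}: {raw!r} is outside the range") from None
        elif re.fullmatch(r"\w+", part) and wanted_class is None:
            wanted_class = part
        else:
            raise ValueError(f"cannot parse conjunct: {part!r}")
    if wanted_class is None:
        raise ValueError("query names no class")
    # Domain is a hard constraint here; an OWL reasoner would infer membership instead.
    for prop in restrictions:
        if SCHEMA[prop][0] != wanted_class:
            raise ValueError(f"{prop} has domain {SCHEMA[prop][0]}")
    return wanted_class, restrictions

def answer(text):
    """Names of individuals satisfying every conjunct (closed-world lookup)."""
    wanted_class, restrictions = parse_query(text)
    return sorted(
        name for name, facts in INDIVIDUALS.items()
        if facts["type"] == wanted_class
        and all(facts.get(p) == v for p, v in restrictions.items())
    )
```

Rejecting undeclared properties and out-of-range literals at parse time keeps free-form user input from reaching the knowledge base unchecked.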
Appendix 1