2023
Conference article
Open Access
Breakthroughs in testing and certification in cybersecurity: research gaps and open problems
Daoudagh S., Marchetti E.
Software and hardware systems are becoming increasingly complex and interconnected, making their testing and certification more challenging, considering cybersecurity aspects. The trustworthiness, security, and quality of these systems call for innovative approaches to testing and certifications. This paper provides an overview of some of the most promising research directions in software and hardware testing and certification in the cybersecurity area. It outlines some of the critical challenges and opportunities for future research. We discuss each approach's potential benefits and challenges, highlight some key research questions to be addressed in each area, and investigate how they can be used to promote "Full Quality - positive-sum, not zero-sum" in developing software and hardware systems.Source: ITASEC2023 - Italian Conference on CyberSecurity, Bari, Italy, 03-05/05/2023
Project(s): BIECO
, CyberSec4Europe
Daoudagh S., Marchetti E.
Software and hardware systems are becoming increasingly complex and interconnected, making their testing and certification more challenging, considering cybersecurity aspects. The trustworthiness, security, and quality of these systems call for innovative approaches to testing and certifications. This paper provides an overview of some of the most promising research directions in software and hardware testing and certification in the cybersecurity area. It outlines some of the critical challenges and opportunities for future research. We discuss each approach's potential benefits and challenges, highlight some key research questions to be addressed in each area, and investigate how they can be used to promote "Full Quality - positive-sum, not zero-sum" in developing software and hardware systems.Source: ITASEC2023 - Italian Conference on CyberSecurity, Bari, Italy, 03-05/05/2023
Project(s): BIECO
, CyberSec4Europe
See at:
ISTI Repository 
| ceur-ws.org 
| CNR ExploRA
2023
Journal article
Open Access
DAEMON: a domain-based monitoring ontology for IoT systems
Daoudagh S., Marchetti E., Calabrò A., Ferrada F., Oliveira A. I., Barata J., Peres R., Marques F.
Context: Internet of Things (IoT) is an emerging technology used in several contexts and domains. Objective: The work aims to define a technological reference solution specifically conceived for monitoring and assessing the behavior of IoT systems from the cybersecurity perspective when a new device or component joins the system. Method: We leverage semantic web technologies, such as ontologies, for defining DAEMON, a domain-based ontology that formally models monitoring, IoT, and System of Systems (SoS) domains' knowledge. We also propose a supporting architecture and describe the proof-of-concept implementing different components. Results and Conclusion: We have validated and showcased our proposal by instantiating DAEMON into a multi-robot autonomous navigation scenario applied to the intralogistics domain.Source: SN computer science (Online) 4 (2023). doi:10.1007/S42979-023-01975-Y
DOI: 10.1007/s42979-023-01975-y
Project(s): BIECO
Metrics:
Daoudagh S., Marchetti E., Calabrò A., Ferrada F., Oliveira A. I., Barata J., Peres R., Marques F.
Context: Internet of Things (IoT) is an emerging technology used in several contexts and domains. Objective: The work aims to define a technological reference solution specifically conceived for monitoring and assessing the behavior of IoT systems from the cybersecurity perspective when a new device or component joins the system. Method: We leverage semantic web technologies, such as ontologies, for defining DAEMON, a domain-based ontology that formally models monitoring, IoT, and System of Systems (SoS) domains' knowledge. We also propose a supporting architecture and describe the proof-of-concept implementing different components. Results and Conclusion: We have validated and showcased our proposal by instantiating DAEMON into a multi-robot autonomous navigation scenario applied to the intralogistics domain.Source: SN computer science (Online) 4 (2023). doi:10.1007/S42979-023-01975-Y
DOI: 10.1007/s42979-023-01975-y
Project(s): BIECO
Metrics:
See at:
SN Computer Science | ISTI Repository | CNR ExploRA
2022
Conference article
Open Access
GROOT: a GDPR-based combinatorial testing approach
Daoudagh S., Marchetti E.
For replying to the strict exigencies and rules imposed by the GDPR, ICT systems are currently adopting different means for managing personal data. However, due to their critical and crucial role, effective and efficient validation methods should be applied, taking into account the peculiarity of the reference legal framework (i.e., the GDPR). In this paper, we present GROOT, a generic combinatorial testing methodology specifically conceived for assessing the GDPR compliance and its contextualization in the context of access control domain.Source: ICTSS 2021 - 33rd IFIP WG 6.1 International Conference on Testing Software Systems, pp. 210–217, London, UK, 10-11/11/2021
DOI: 10.1007/978-3-031-04673-5_17
Project(s): BIECO, CyberSec4Europe
Metrics:
Daoudagh S., Marchetti E.
For replying to the strict exigencies and rules imposed by the GDPR, ICT systems are currently adopting different means for managing personal data. However, due to their critical and crucial role, effective and efficient validation methods should be applied, taking into account the peculiarity of the reference legal framework (i.e., the GDPR). In this paper, we present GROOT, a generic combinatorial testing methodology specifically conceived for assessing the GDPR compliance and its contextualization in the context of access control domain.Source: ICTSS 2021 - 33rd IFIP WG 6.1 International Conference on Testing Software Systems, pp. 210–217, London, UK, 10-11/11/2021
DOI: 10.1007/978-3-031-04673-5_17
Project(s): BIECO
, CyberSec4Europe Metrics:
See at:
ISTI Repository | doi.org | link.springer.com | CNR ExploRA
2022
Conference article
Open Access
Predictive simulation for building trust within service-based ecosystems
Cioroaica E., Daoudagh S., Marchetti E.
Modern vehicles extend their system components outside the typical physical body, relying on functionalities provided by off-board resources within complex digital ecosystems. Focusing on the service-based connection within automotive smart ecosystems, in this paper we present the method of predictive simulation, based on the synergistic combination of Digital Twin execution and interface-based testing approaches, used for building trust in the interactions between a safety critical system and third parties.Source: PerCom Workshops 2022 - IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events, pp. 34–37, Pisa, Italy, 21-25/03/2022
DOI: 10.1109/percomworkshops53856.2022.9767457
Project(s): BIECO
Metrics:
Cioroaica E., Daoudagh S., Marchetti E.
Modern vehicles extend their system components outside the typical physical body, relying on functionalities provided by off-board resources within complex digital ecosystems. Focusing on the service-based connection within automotive smart ecosystems, in this paper we present the method of predictive simulation, based on the synergistic combination of Digital Twin execution and interface-based testing approaches, used for building trust in the interactions between a safety critical system and third parties.Source: PerCom Workshops 2022 - IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events, pp. 34–37, Pisa, Italy, 21-25/03/2022
DOI: 10.1109/percomworkshops53856.2022.9767457
Project(s): BIECO
Metrics:
See at:
ISTI Repository | doi.org | ieeexplore.ieee.org | CNR ExploRA
2022
Conference article
Open Access
An ontology-based solution for monitoring IoT cybersecurity
Daoudagh S., Marchetti E., Calabrò A., Ferrada F., Oliveira A. I., Barata J., Peres R., Marques F.
Context: Systems of Systems (SoSs) are becoming an emerging architecture, and they are used in several daily life contexts. Objective: The aim is to define a reference environment conceived for monitoring and assessing the behavior from the cybersecurity point of view of SoS when a new IoT device is added. Method: In this paper, we propose the Domain bAsEd Monitoring ONtology (DAEMON), an ontology that formally models knowledge about monitoring and System of Systems (SoS) domains. We also conceived a reference supporting architecture, and we provided the first proof-of-concept by implementing different components. Results and Conclusion: For the feasibility purpose, we have validated our proof-of-concept in the context of the EU BIECO project by considering a Robot Navigation use-case scenario.Source: IFIPIoT 2022 - 5th IFIP International Cross-Domain Conference on Internet of Things, pp. 158–176, Amsterdam, Netherlands, 27-28/10/2022
DOI: 10.1007/978-3-031-18872-5_10
Project(s): BIECO, CyberSec4Europe
Metrics:
Daoudagh S., Marchetti E., Calabrò A., Ferrada F., Oliveira A. I., Barata J., Peres R., Marques F.
Context: Systems of Systems (SoSs) are becoming an emerging architecture, and they are used in several daily life contexts. Objective: The aim is to define a reference environment conceived for monitoring and assessing the behavior from the cybersecurity point of view of SoS when a new IoT device is added. Method: In this paper, we propose the Domain bAsEd Monitoring ONtology (DAEMON), an ontology that formally models knowledge about monitoring and System of Systems (SoS) domains. We also conceived a reference supporting architecture, and we provided the first proof-of-concept by implementing different components. Results and Conclusion: For the feasibility purpose, we have validated our proof-of-concept in the context of the EU BIECO project by considering a Robot Navigation use-case scenario.Source: IFIPIoT 2022 - 5th IFIP International Cross-Domain Conference on Internet of Things, pp. 158–176, Amsterdam, Netherlands, 27-28/10/2022
DOI: 10.1007/978-3-031-18872-5_10
Project(s): BIECO
, CyberSec4Europe Metrics:
See at:
ISTI Repository | doi.org | link.springer.com | CNR ExploRA
2022
Conference article
Open Access
The GDPR compliance and access control systems: challenges and research opportunities
Daoudagh S., Marchetti E.
The General Data Protection Regulation (GDPR) is changing how Personal Data should be processed. Using Access Control Systems (ACSs) and their specific policies as practical means for assuring a by-design lawfully compliance with the privacy-preserving rules and provision is currently an increasingly researched topic. As a result, this newly born research field raises several research questions and paves the way for different solutions. This position paper would like to provide an overview of research challenges and questions concerning activities for analyzing, designing, implementing, and testing Access Control mechanisms (systems and policies) to guarantee compliance with the GDPR. Some possible answers to the open issues and future research directions and topics are also provided.Source: ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy, pp. 571–578, Online conference, 09-11/02/2022
DOI: 10.5220/0010912300003120
Project(s): COVR, BIECO , CyberSec4Europe
Metrics:
Daoudagh S., Marchetti E.
The General Data Protection Regulation (GDPR) is changing how Personal Data should be processed. Using Access Control Systems (ACSs) and their specific policies as practical means for assuring a by-design lawfully compliance with the privacy-preserving rules and provision is currently an increasingly researched topic. As a result, this newly born research field raises several research questions and paves the way for different solutions. This position paper would like to provide an overview of research challenges and questions concerning activities for analyzing, designing, implementing, and testing Access Control mechanisms (systems and policies) to guarantee compliance with the GDPR. Some possible answers to the open issues and future research directions and topics are also provided.Source: ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy, pp. 571–578, Online conference, 09-11/02/2022
DOI: 10.5220/0010912300003120
Project(s): COVR
, BIECO , CyberSec4Europe Metrics:
See at:
doi.org | ISTI Repository | ISTI Repository | www.scitepress.org | CNR ExploRA
2021
Journal article
Open Access
COVID-19 & privacy: Enhancing of indoor localization architectures towards effective social distancing
Barsocchi P., Calabrò A., Crivello A., Daoudagh S., Furfari F., Girolami M., Marchetti E.
The way people access services in indoor environments has dramatically changed in the last year. The countermeasures to the COVID-19 pandemic imposed a disruptive requirement, namely preserving social distance among people in indoor environments. We explore in this work the possibility of adopting the indoor localization technologies to measure the distance among users in indoor environments. We discuss how information about people's contacts collected can be exploited during three stages: before, during, and after people access a service. We present a reference architecture for an Indoor Localization System (ILS), and we illustrate three representative use-cases. We derive some architectural requirements, and we discuss some issues that concretely cope with the real installation of an ILS in real-world settings. In particular, we explore the privacy and trust reputation of an ILS, the discovery phase, and the deployment of the ILS in real-world settings. We finally present an evaluation framework for assessing the performance of the architecture proposed.Source: Array 9 (2021). doi:10.1016/j.array.2020.100051
DOI: 10.1016/j.array.2020.100051
Project(s): CyberSec4Europe
Metrics:
Barsocchi P., Calabrò A., Crivello A., Daoudagh S., Furfari F., Girolami M., Marchetti E.
The way people access services in indoor environments has dramatically changed in the last year. The countermeasures to the COVID-19 pandemic imposed a disruptive requirement, namely preserving social distance among people in indoor environments. We explore in this work the possibility of adopting the indoor localization technologies to measure the distance among users in indoor environments. We discuss how information about people's contacts collected can be exploited during three stages: before, during, and after people access a service. We present a reference architecture for an Indoor Localization System (ILS), and we illustrate three representative use-cases. We derive some architectural requirements, and we discuss some issues that concretely cope with the real installation of an ILS in real-world settings. In particular, we explore the privacy and trust reputation of an ILS, the discovery phase, and the deployment of the ILS in real-world settings. We finally present an evaluation framework for assessing the performance of the architecture proposed.Source: Array 9 (2021). doi:10.1016/j.array.2020.100051
DOI: 10.1016/j.array.2020.100051
Project(s): CyberSec4Europe
Metrics:
See at:
Array | ISTI Repository | Array | www.sciencedirect.com | CNR ExploRA
2021
Conference article
Restricted
GRADUATION: a GDPR-based mutation methodology
Daoudagh S., Marchetti E.
The adoption of the General Data Protection Regulation (GDPR) is enhancing different business and research opportunities that evidence the necessity of appropriate solutions supporting specification, processing, testing, and assessing the overall (personal) data management. This paper proposes GRADUATION (GdpR-bAseD mUtATION) methodology, for mutation analysis of data protection policies test cases. The new methodology provides generic mutation operators in reference to the currently applicable EU Data Protection Regulation. The preliminary implementation of the steps involved in the GDPR-based mutants derivation is also described.Source: QUATIC 2021 - 14th International Conference on the Quality of Information and Communications Technology, pp. 311–324, Online conference, 08-10/09/2021
DOI: 10.1007/978-3-030-85347-1_23
Project(s): CyberSec4Europe
Metrics:
Daoudagh S., Marchetti E.
The adoption of the General Data Protection Regulation (GDPR) is enhancing different business and research opportunities that evidence the necessity of appropriate solutions supporting specification, processing, testing, and assessing the overall (personal) data management. This paper proposes GRADUATION (GdpR-bAseD mUtATION) methodology, for mutation analysis of data protection policies test cases. The new methodology provides generic mutation operators in reference to the currently applicable EU Data Protection Regulation. The preliminary implementation of the steps involved in the GDPR-based mutants derivation is also described.Source: QUATIC 2021 - 14th International Conference on the Quality of Information and Communications Technology, pp. 311–324, Online conference, 08-10/09/2021
DOI: 10.1007/978-3-030-85347-1_23
Project(s): CyberSec4Europe
Metrics:
See at:
link.springer.com | link.springer.com | CNR ExploRA
2021
Conference article
Open Access
How to improve the GDPR compliance through consent management and access control
Daoudagh S., Marchetti E., Savarino V., Di Bernardo R., Alessi M.
This paper presents a privacy-by-design solution based on Consent Manager (CM) and Access Control (AC) to aid organizations to comply with the GDPR. The idea is to start from the GDPR's text, transform it into a machine-readable format through a given CM, and then convert the obtained outcome to a set of enforceable Access Control Policies (ACPs). As a result, we have defined a layered architecture that makes any given system privacy-aware, i.e., systems that are compliant by-design with the GDPR. Furthermore, we have provided a proof-of-concept by integrating a Consent Manager coming from an industrial context and an AC Manager coming from academia.Source: ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy, pp. 534–541, Online conference, 11-13/02/2021
DOI: 10.5220/0010260205340541
Project(s): CyberSec4Europe
Metrics:
Daoudagh S., Marchetti E., Savarino V., Di Bernardo R., Alessi M.
This paper presents a privacy-by-design solution based on Consent Manager (CM) and Access Control (AC) to aid organizations to comply with the GDPR. The idea is to start from the GDPR's text, transform it into a machine-readable format through a given CM, and then convert the obtained outcome to a set of enforceable Access Control Policies (ACPs). As a result, we have defined a layered architecture that makes any given system privacy-aware, i.e., systems that are compliant by-design with the GDPR. Furthermore, we have provided a proof-of-concept by integrating a Consent Manager coming from an industrial context and an AC Manager coming from academia.Source: ICISSP 2021 - 7th International Conference on Information Systems Security and Privacy, pp. 534–541, Online conference, 11-13/02/2021
DOI: 10.5220/0010260205340541
Project(s): CyberSec4Europe
Metrics:
See at:
doi.org | ISTI Repository | www.scitepress.org | www.scopus.com | CNR ExploRA
2021
Doctoral thesis
Embargo
The GDPR compliance through access control systems
Daoudagh S.
The GDPR is changing how Personal Data should be processed. It states, in Art. 5.1(f), that "[data] should be processed in a manner that ensures appropriate security of the personal data [...], using appropriate technical or organizational measures (integrity and confidentiality)". We identify in the Access Control (AC) systems such a measure. Indeed, AC is the mechanism used to restrict access to data or systems according to Access Control Policies (ACPs), i.e., a set of rules that specify who has access to which resources and under which circumstances. In our view, the ACPs, when suitably enriched with attributes, elements and rules extracted from the GDPR provisions, can suitably specify the regulations and the AC systems can assure a by-design lawfully compliance with the privacy preserving rules. Vulnerabilities, threats, inaccuracies and misinterpretations that occur during the process of ACPs specification and AC systems implementation may have serious consequences for the security of personal data (security perspective) and for the lawfulness of the data processing (legal perspective). For mitigating these risks, this thesis provides a systematic process for automatically deriving, testing and enforcing ACPs and AC systems in line with the GDPR. Its data protection by-design solution promotes the adoption of AC systems ruled by policies systematically designed for expressing the GDPR's provisions. Specifically, the main contributions of this thesis are: (1) the definition of an Access Control Development Life Cycle for analyzing, designing, implementing and testing AC mechanisms (systems and policies) able to guarantee the compliance with the GDPR; (2) the realization of a reference architecture allowing the automatic application of the proposed Life Cycle; and (3) the use of the thesis proposal within five application examples highlighting the flexibility and feasibility of the proposal.Project(s): COVR, BIECO , CyberSec4Europe
Daoudagh S.
The GDPR is changing how Personal Data should be processed. It states, in Art. 5.1(f), that "[data] should be processed in a manner that ensures appropriate security of the personal data [...], using appropriate technical or organizational measures (integrity and confidentiality)". We identify in the Access Control (AC) systems such a measure. Indeed, AC is the mechanism used to restrict access to data or systems according to Access Control Policies (ACPs), i.e., a set of rules that specify who has access to which resources and under which circumstances. In our view, the ACPs, when suitably enriched with attributes, elements and rules extracted from the GDPR provisions, can suitably specify the regulations and the AC systems can assure a by-design lawfully compliance with the privacy preserving rules. Vulnerabilities, threats, inaccuracies and misinterpretations that occur during the process of ACPs specification and AC systems implementation may have serious consequences for the security of personal data (security perspective) and for the lawfulness of the data processing (legal perspective). For mitigating these risks, this thesis provides a systematic process for automatically deriving, testing and enforcing ACPs and AC systems in line with the GDPR. Its data protection by-design solution promotes the adoption of AC systems ruled by policies systematically designed for expressing the GDPR's provisions. Specifically, the main contributions of this thesis are: (1) the definition of an Access Control Development Life Cycle for analyzing, designing, implementing and testing AC mechanisms (systems and policies) able to guarantee the compliance with the GDPR; (2) the realization of a reference architecture allowing the automatic application of the proposed Life Cycle; and (3) the use of the thesis proposal within five application examples highlighting the flexibility and feasibility of the proposal.Project(s): COVR
, BIECO , CyberSec4Europe
See at:
etd.adm.unipi.it | CNR ExploRA
2021
Journal article
Open Access
Data protection by design in the context of smart cities: a consent and access control proposal
Daoudagh S, Marchetti E., Savarino V., Bernal Bernabe J., Garcia Rodriguez J., Torres Moreno R., Martinez J. A., Skarmeta A. F.
The growing availability of mobile devices has lead to an arising development of smart cities services that share a huge amount of (personal) information and data. Without accurate and verified management, they could become severe back-doors for security and privacy. In this paper, we propose a smart city infrastructure able to integrate a distributed privacy-preserving identity management solution based on attribute-based credentials (p-ABC), a user-centric Consent Manager, and a GDPR-based Access Control mechanism so as to guarantee the enforcement of the GDPR's provisions. Thus, the infrastructure supports the definition of specific purpose, collection of data, regulation of access to personal data, and users' consents, while ensuring selective and minimal disclosure of personal information as well as user's unlinkability across service and identity providers. The proposal has been implemented, integrated, and evaluated in a fully-fledged environment consisting of MiMurcia, the Smart City project for the city of Murcia, CaPe, an industrial consent management system, and GENERAL_D, an academic GDPR-based access control system, showing the feasibility.Source: Sensors (Basel) 21 (2021). doi:10.3390/s21217154
DOI: 10.3390/s21217154
Project(s): CyberSec4Europe
Metrics:
Daoudagh S, Marchetti E., Savarino V., Bernal Bernabe J., Garcia Rodriguez J., Torres Moreno R., Martinez J. A., Skarmeta A. F.
The growing availability of mobile devices has lead to an arising development of smart cities services that share a huge amount of (personal) information and data. Without accurate and verified management, they could become severe back-doors for security and privacy. In this paper, we propose a smart city infrastructure able to integrate a distributed privacy-preserving identity management solution based on attribute-based credentials (p-ABC), a user-centric Consent Manager, and a GDPR-based Access Control mechanism so as to guarantee the enforcement of the GDPR's provisions. Thus, the infrastructure supports the definition of specific purpose, collection of data, regulation of access to personal data, and users' consents, while ensuring selective and minimal disclosure of personal information as well as user's unlinkability across service and identity providers. The proposal has been implemented, integrated, and evaluated in a fully-fledged environment consisting of MiMurcia, the Smart City project for the city of Murcia, CaPe, an industrial consent management system, and GENERAL_D, an academic GDPR-based access control system, showing the feasibility.Source: Sensors (Basel) 21 (2021). doi:10.3390/s21217154
DOI: 10.3390/s21217154
Project(s): CyberSec4Europe
Metrics:
See at:
Sensors | ISTI Repository | Sensors | Sensors | CNR ExploRA
2021
Conference article
Embargo
BIECO runtime auditing framework
Calabrò A., Cioroaica E., Daoudagh S., Marchetti E.
Context: Within digital ecosystems avoiding the propagation of security and trust violations among interconnected parties is a mandatory requirement, especially when a new device, a software component, or a system component is integrated within the ecosystem. Objective: The aim is to define an auditing framework able to assess and evaluate the specific functional and non-functional properties of the ecosystems and their components. Method: In this paper, we present the concept of predictive simulation and runtime monitoring for detecting malicious behavior of ecosystem components. Results and Conclusion: We defined a reference architecture allowing the automation of the auditing process for the runtime behavior verification of ecosystems and their components. Validation of the proposal with real use-cases is part of the future BIECO's activities.Source: CISIS 2021 and ICEUTE 2021 - 14th International Conference on Computational Intelligence in Security for Information Systems and 12th International Conference on European Transnational Educational, pp. 181–191, Bilbao, Spain, 22-24/09/2021
DOI: 10.1007/978-3-030-87872-6_18
Project(s): BIECO
Metrics:
Calabrò A., Cioroaica E., Daoudagh S., Marchetti E.
Context: Within digital ecosystems avoiding the propagation of security and trust violations among interconnected parties is a mandatory requirement, especially when a new device, a software component, or a system component is integrated within the ecosystem. Objective: The aim is to define an auditing framework able to assess and evaluate the specific functional and non-functional properties of the ecosystems and their components. Method: In this paper, we present the concept of predictive simulation and runtime monitoring for detecting malicious behavior of ecosystem components. Results and Conclusion: We defined a reference architecture allowing the automation of the auditing process for the runtime behavior verification of ecosystems and their components. Validation of the proposal with real use-cases is part of the future BIECO's activities.Source: CISIS 2021 and ICEUTE 2021 - 14th International Conference on Computational Intelligence in Security for Information Systems and 12th International Conference on European Transnational Educational, pp. 181–191, Bilbao, Spain, 22-24/09/2021
DOI: 10.1007/978-3-030-87872-6_18
Project(s): BIECO
Metrics:
See at:
link.springer.com | link.springer.com | CNR ExploRA
2021
Conference article
Open Access
MENTORS: Monitoring Environment for System of Systems
Calabrò A., Daoudagh S., Marchetti E.
Context: Systems Of Systems (SoSs) are becoming a widespread emerging architecture, and they are used in several daily life contexts. Therefore, when a new device is integrated into an existing SoS, facilities able to efficaciously assess and prevent anomalous and dangerous situations are necessary. Objective: The aim is to define a reference environment conceived for monitoring and assessing the behavior of SoS when a new device is added. Method: In this paper, we present MENTORS, a monitoring environment for SoS. MENTORS is based on semantic web technologies to formally represent SoS and Monitoring knowledge through a core ontology, called MONTOLOGY. Results and Conclusion: We defined the conceptual model of MENTORS, which is composed of two phases: Off-line and On-line, supported by a reference architecture that allows its (semi-)automation. Validation of the proposal with real use-cases is part of future activities.Source: WEBIST 2021 - 17th International Conference on Web Information Systems and Technologies, pp. 291–298, Online conference, 26-28/10/2021
DOI: 10.5220/0010658900003058
Project(s): BIECO, CyberSec4Europe
Metrics:
Calabrò A., Daoudagh S., Marchetti E.
Context: Systems Of Systems (SoSs) are becoming a widespread emerging architecture, and they are used in several daily life contexts. Therefore, when a new device is integrated into an existing SoS, facilities able to efficaciously assess and prevent anomalous and dangerous situations are necessary. Objective: The aim is to define a reference environment conceived for monitoring and assessing the behavior of SoS when a new device is added. Method: In this paper, we present MENTORS, a monitoring environment for SoS. MENTORS is based on semantic web technologies to formally represent SoS and Monitoring knowledge through a core ontology, called MONTOLOGY. Results and Conclusion: We defined the conceptual model of MENTORS, which is composed of two phases: Off-line and On-line, supported by a reference architecture that allows its (semi-)automation. Validation of the proposal with real use-cases is part of future activities.Source: WEBIST 2021 - 17th International Conference on Web Information Systems and Technologies, pp. 291–298, Online conference, 26-28/10/2021
DOI: 10.5220/0010658900003058
Project(s): BIECO
, CyberSec4Europe Metrics:
See at:
ISTI Repository | www.scitepress.org | CNR ExploRA
2020
Conference article
Restricted
A Framework for the Validation of Access Control Systems
Daoudagh S., Lonetti F., Marchetti E.
In modern pervasive applications, it is important to validate Access Control (AC) mechanisms that are usually defined by means of the XACML standard. Mutation analysis has been applied on Access Control Policies (ACPs) for measuring the adequacy of a test suite. This paper provides an automatic framework for realizing mutations of the code of the Policy Decision Point (PDP) that is a critical component in AC systems. The proposed framework allows the test strategies assessment and the analysis of test data by leveraging mutation-based approaches. We show how to instantiate the proposed framework and provide also some examples of its application.Source: Emerging Technologies for Authorization and Authentication. ETAA 2019, pp. 35–51, Luxembourg City, Luxembourg, 27/09/2019
DOI: 10.1007/978-3-030-39749-4_3
Project(s): CyberSec4Europe
Metrics:
Daoudagh S., Lonetti F., Marchetti E.
In modern pervasive applications, it is important to validate Access Control (AC) mechanisms that are usually defined by means of the XACML standard. Mutation analysis has been applied on Access Control Policies (ACPs) for measuring the adequacy of a test suite. This paper provides an automatic framework for realizing mutations of the code of the Policy Decision Point (PDP) that is a critical component in AC systems. The proposed framework allows the test strategies assessment and the analysis of test data by leveraging mutation-based approaches. We show how to instantiate the proposed framework and provide also some examples of its application.Source: Emerging Technologies for Authorization and Authentication. ETAA 2019, pp. 35–51, Luxembourg City, Luxembourg, 27/09/2019
DOI: 10.1007/978-3-030-39749-4_3
Project(s): CyberSec4Europe
Metrics:
See at:
Lecture Notes in Computer Science | link.springer.com | CNR ExploRA
2020
Conference article
Open Access
A life cycle for authorization systems development in the GDPR perspective
Said D., Marchetti E.
The General Data Protection Regulation (GDPR) defines the principle of Integrity and Confidentiality, and implicitly calls for the adoption of authorization systems for regulating the access to personal data. We present here a process development life cycle for the specification, deployment and testing of authorization systems. The life cycle targets legal aspects, such as the data usage purpose, the user consent and the data retention period. We also present its preliminary architecture where available solutions for extracting, implementing and testing the data protection regulation are integrated. The objective is to propose for the first time a unique improved solution for addressing different aspects of the GDPR development and enforcement along all the life cycle phases.Source: 4th Italian Conference on Cyber Security, ITASEC 2020, Ancona, Italy, 05-07/02/2020
Project(s): CyberSec4Europe
Said D., Marchetti E.
The General Data Protection Regulation (GDPR) defines the principle of Integrity and Confidentiality, and implicitly calls for the adoption of authorization systems for regulating the access to personal data. We present here a process development life cycle for the specification, deployment and testing of authorization systems. The life cycle targets legal aspects, such as the data usage purpose, the user consent and the data retention period. We also present its preliminary architecture where available solutions for extracting, implementing and testing the data protection regulation are integrated. The objective is to propose for the first time a unique improved solution for addressing different aspects of the GDPR development and enforcement along all the life cycle phases.Source: 4th Italian Conference on Cyber Security, ITASEC 2020, Ancona, Italy, 05-07/02/2020
Project(s): CyberSec4Europe
See at:
ceur-ws.org | ISTI Repository | CNR ExploRA
2020
Conference article
Open Access
Assessing testing strategies for access control systems: a controlled experiment
Daoudagh S., Lonetti F., Marchetti E.
This paper presents a Controlled Experiment (CE) for assessing testing strategies in the context of Access Control (AC); more precisely, the CE is performed by considering the AC Systems (ACSs) based on the XACML Standard. We formalized the goal of the CE, and we assessed two available test cases generation strategies in terms of three metrics: Effectiveness, Size and Average Percentage Faults Detected (APFD). The experiment operation is described and the main results are analyzed.Source: 6th International Conference on Information Systems Security and Privacy, pp. 107–118, Valletta, Malta, 25-27/02/2020
DOI: 10.5220/0008974201070118
Project(s): CyberSec4Europe
Metrics:
Daoudagh S., Lonetti F., Marchetti E.
This paper presents a Controlled Experiment (CE) for assessing testing strategies in the context of Access Control (AC); more precisely, the CE is performed by considering the AC Systems (ACSs) based on the XACML Standard. We formalized the goal of the CE, and we assessed two available test cases generation strategies in terms of three metrics: Effectiveness, Size and Average Percentage Faults Detected (APFD). The experiment operation is described and the main results are analyzed.Source: 6th International Conference on Information Systems Security and Privacy, pp. 107–118, Valletta, Malta, 25-27/02/2020
DOI: 10.5220/0008974201070118
Project(s): CyberSec4Europe
Metrics:
See at:
doi.org | ISTI Repository | www.scitepress.org | www.scopus.com | CNR ExploRA
2020
Conference article
Open Access
Defining controlled experiments inside the access control environment
Daoudagh S., Marchetti E.
In ICT systems and modern applications access control systems are important mechanisms for managing resources and data access. Their criticality requires high security levels and consequently, the application of effective and efficient testing approaches. In this paper we propose standardized guidelines for correctly and systematically performing the testing process in order to avoid errors and improve the effectiveness of the validation. We focus in particular on Controlled Experiments, and we provide here a characterization of the first three steps of the experiment process (i.e., Scoping, Planning and Operation) by the adoption of the Goal- Question-Metric template. The specialization of the three phases is provided through a concrete example.Source: 8th International Conference on Model-Driven Engineering and Software Development, MODELSWARD 2020; Valletta, pp. 167–176, Valletta, Malta, 25-27 February, 2020
DOI: 10.5220/0009358201670176
Project(s): CyberSec4Europe
Metrics:
Daoudagh S., Marchetti E.
In ICT systems and modern applications access control systems are important mechanisms for managing resources and data access. Their criticality requires high security levels and consequently, the application of effective and efficient testing approaches. In this paper we propose standardized guidelines for correctly and systematically performing the testing process in order to avoid errors and improve the effectiveness of the validation. We focus in particular on Controlled Experiments, and we provide here a characterization of the first three steps of the experiment process (i.e., Scoping, Planning and Operation) by the adoption of the Goal- Question-Metric template. The specialization of the three phases is provided through a concrete example.Source: 8th International Conference on Model-Driven Engineering and Software Development, MODELSWARD 2020; Valletta, pp. 167–176, Valletta, Malta, 25-27 February, 2020
DOI: 10.5220/0009358201670176
Project(s): CyberSec4Europe
Metrics:
See at:
ISTI Repository | www.scitepress.org | doi.org | www.scopus.com | CNR ExploRA
2020
Journal article
Open Access
XACMET: XACML Testing & Modeling: An automated model-based testing solution for access control systems
Daoudagh S., Lonetti F., Marchetti E.
In the context of access control systems, testing activity is among the most adopted means to assure that sensible information or resources are correctly accessed. In XACML-based access control systems, incoming access requests are transmitted to the policy decision point (PDP) that grants or denies the access based on the defined XACML policies. The criticality of a PDP component requires an intensive testing activity consisting in probing such a component with a set of requests and checking whether its responses grant or deny the requested access as specified in the policy. Existing approaches for improving manual derivation of test requests such as combinatorial ones do not consider policy function semantics and do not provide a verdict oracle. In this paper, we introduce XACMET, a novel approach for systematic generation of XACML requests as well as automated model-based oracle derivation. The main features of XACMET are as follows: (i) it defines a typed graph, called the XAC-Graph, that models the XACML policy evaluation; (ii) it derives a set of test requests via full-path coverage of this graph; (iii) it derives automatically the expected verdict of a specific request execution by executing the corresponding path in such graph; (iv) it allows us to measure coverage assessment of a given test suite. Our validation of the XACMET prototype implementation confirms the effectiveness of the proposed approach.Source: Software quality journal 28 (2020): 249–282. doi:10.1007/s11219-019-09470-5
DOI: 10.1007/s11219-019-09470-5
Metrics:
Daoudagh S., Lonetti F., Marchetti E.
In the context of access control systems, testing activity is among the most adopted means to assure that sensible information or resources are correctly accessed. In XACML-based access control systems, incoming access requests are transmitted to the policy decision point (PDP) that grants or denies the access based on the defined XACML policies. The criticality of a PDP component requires an intensive testing activity consisting in probing such a component with a set of requests and checking whether its responses grant or deny the requested access as specified in the policy. Existing approaches for improving manual derivation of test requests such as combinatorial ones do not consider policy function semantics and do not provide a verdict oracle. In this paper, we introduce XACMET, a novel approach for systematic generation of XACML requests as well as automated model-based oracle derivation. The main features of XACMET are as follows: (i) it defines a typed graph, called the XAC-Graph, that models the XACML policy evaluation; (ii) it derives a set of test requests via full-path coverage of this graph; (iii) it derives automatically the expected verdict of a specific request execution by executing the corresponding path in such graph; (iv) it allows us to measure coverage assessment of a given test suite. Our validation of the XACMET prototype implementation confirms the effectiveness of the proposed approach.Source: Software quality journal 28 (2020): 249–282. doi:10.1007/s11219-019-09470-5
DOI: 10.1007/s11219-019-09470-5
Metrics:
See at:
ISTI Repository | Software Quality Journal | link.springer.com | CNR ExploRA
2020
Conference article
Restricted
A privacy-by-design architecture for indoor localization systems
Barsocchi P., Calabro A., Crivello A., Daoudagh S., Furfari F., Girolami M., Marchetti E.
The availability of mobile devices has led to an arising development of indoor location services collecting a large amount of sensitive information. However, without accurate and verified management, such information could become severe back-doors for security and privacy issues. We propose in this paper a novel Location-Based Service (LBS) architecture in line with the GDPR's provisions. For feasibility purposes and considering a representative use-case, a reference implementation, based on the popular Telegram app, is also presented.Source: 13th International Conference on the Quality of Information and Communications Technology (QUATIC 2020), pp. 358–366, Faro, Portugal, September 9-11, 2020
DOI: 10.1007/978-3-030-58793-2_29
Project(s): CyberSec4Europe
Metrics:
Barsocchi P., Calabro A., Crivello A., Daoudagh S., Furfari F., Girolami M., Marchetti E.
The availability of mobile devices has led to an arising development of indoor location services collecting a large amount of sensitive information. However, without accurate and verified management, such information could become severe back-doors for security and privacy issues. We propose in this paper a novel Location-Based Service (LBS) architecture in line with the GDPR's provisions. For feasibility purposes and considering a representative use-case, a reference implementation, based on the popular Telegram app, is also presented.Source: 13th International Conference on the Quality of Information and Communications Technology (QUATIC 2020), pp. 358–366, Faro, Portugal, September 9-11, 2020
DOI: 10.1007/978-3-030-58793-2_29
Project(s): CyberSec4Europe
Metrics:
See at:
Communications in Computer and Information Science | link-springer-com-443.webvpn.fjmu.edu.cn | CNR ExploRA
2020
Conference article
Closed Access
Continuous Development and Testing of Access and Usage Control: A Systematic Literature Review
Daoudagh S., Lonetti F., Marchetti E.
Context: Development and testing of access/usage control systems is a growing research area. With new trends in software development such as DevOps, the development of access/usage control also has to evolve. Objective: The main aim of this paper is to provide an overview of research proposals in the area of continuous development and testing of access and usage control systems. Method: The paper uses a Systematic Literature Review as a research method to define the research questions and answer them following a systematic approach. With the specified search string, 210 studies were retrieved. After applying the inclusion and exclusion criteria in two phases, a final set of 20 primary studies was selected for this review. Results: Results show that primary studies are mostly published in security venues followed by software engineering venues. Furthermore, most of the studies are based on the standard XACML access control language. In addition, a significant portion of the proposals for development and testing is automated with test assessment and generation the most targeted areas. Some general guidelines for leveraging continuous developing and testing of the usage and access control systems inside the DevOps process are also provided.Source: 2020 European Symposium on Software Engineering, pp. 51–59, Rome, Italy, 06-08/11/2020
DOI: 10.1145/3393822.3432330
Project(s): CyberSec4Europe
Metrics:
Daoudagh S., Lonetti F., Marchetti E.
Context: Development and testing of access/usage control systems is a growing research area. With new trends in software development such as DevOps, the development of access/usage control also has to evolve. Objective: The main aim of this paper is to provide an overview of research proposals in the area of continuous development and testing of access and usage control systems. Method: The paper uses a Systematic Literature Review as a research method to define the research questions and answer them following a systematic approach. With the specified search string, 210 studies were retrieved. After applying the inclusion and exclusion criteria in two phases, a final set of 20 primary studies was selected for this review. Results: Results show that primary studies are mostly published in security venues followed by software engineering venues. Furthermore, most of the studies are based on the standard XACML access control language. In addition, a significant portion of the proposals for development and testing is automated with test assessment and generation the most targeted areas. Some general guidelines for leveraging continuous developing and testing of the usage and access control systems inside the DevOps process are also provided.Source: 2020 European Symposium on Software Engineering, pp. 51–59, Rome, Italy, 06-08/11/2020
DOI: 10.1145/3393822.3432330
Project(s): CyberSec4Europe
Metrics:
See at:
dl.acm.org | doi.org | CNR ExploRA