Biblio

The class of Trustworthy Autonomous Systems (TAS) includes cyber-physical systems leveraging on self-x technologies that make them capable to learn, adapt to changes, and reason under uncertainties in possibly critical applications and evolving environments. In the last decade, there has been a growing interest in enabling artificial intelligence technologies, such as advanced machine learning, new threats, such as adversarial attacks, and certification challenges, due to the lack of sufficient explainability. However, in order to be trustworthy, those systems also need to be dependable, secure, and resilient according to well-established taxonomies, methodologies, and tools. Therefore, several aspects need to be addressed for TAS, ranging from proper taxonomic classification to the identification of research opportunities and challenges. Given such a context, in this paper address relevant taxonomies and research perspectives in the field of TAS. We start from basic definitions and move towards future perspectives, regulations, and emerging technologies supporting development and operation of TAS.

Nowadays, smart home devices like Amazon Echo and Google Home have reached mainstream popularity.
Being in the homes of users, these devices are intrinsically intrusive, being able to access details such as users' name, gender, home address, calendar appointments and others.
There are growing concerns about indiscriminate data collection and invasion of user privacy in smart home devices, but studies show that perceived benefits are exceeding perceived risks when it comes to consumers.
As a result, consumers are placing a lot of trust in these devices, sometimes without realizing it.
Improper trust assumptions and security controls can lead to unauthorized access and control of the devices, which can result in serious consequences.
In this paper, we explore the behaviour of devices such as Amazon Echo and Google Home in a smart home setting with respect to trust relationships and propose a trust model to improve these relationships among all the involved actors.
We have evaluated how trust was built and managed from the initial set up phase to the normal operation phase, during which we performed a number of interaction tests with different types of users (i.e. owner, guests).
As a result, we were able to assess the effectiveness of the provided security controls and identify potential relevant security issues.  In order to address the identified issues, we defined a trust model and propose a solution based on it for further securing smart home systems.

The Internet of Things (IoT) is an environment of interconnected entities, which are identifiable, usable and controllable via the Internet. Trust is useful for a system such as the IoT as the entities involved would like to know how the other entities they have to interact with are going to perform.
When developing an IoT entity, it will be desirable to guarantee trust during its whole life cycle. Trust domain is strongly dependent on other domains such as security and privacy.
To consider these domains as a whole and to elicit the right requirements since the first phases of the System Development Life Cycle (SDLC) is a key point when developing an IoT entity.
This paper presents a requirements elicitation method focusing on trust plus other domains such as security, privacy and usability that increase the trust level of the IoT entity developed. To help the developers to elicit the requirements, we propose a JavaScript Notation Object (JSON) template containing all the key elements that must be taken into consideration.
We emphasize on the importance of the concept of traceability. This property permits to connect all the elicited requirements guaranteeing more control on the whole requirements engineering process.

Advanced persistent threats pose a serious issue for modern industrial environments, due to their targeted and complex attack vectors that are difficult to detect. This is especially severe in critical infrastructures that are accelerating the integration of IT technologies. It is then essential to further develop effective monitoring and response systems that ensure the continuity of business to face the arising set of cyber-security threats. In this paper, we study the practical applicability of a novel technique based on opinion dynamics, that permits to trace the attack throughout all its stages along the network by correlating different anomalies measured over time, thereby taking the persistence of threats and the criticality of resources into consideration. The resulting information is of essential importance to monitor the overall health of the control system and correspondingly deploy accurate response procedures.

The Internet of Things (IoT) is an environment of interconnected entities, that are identifiable, usable and controllable via the Internet. Trust is necessary in a system such as IoT as the entities involved should know the effect of interacting with other entities. Moreover, the entities must also be able to trust a system to reliably use it. An IoT system is composed of different entities from different vendors, each of them with a different purpose and a different lifecycle. So considering trust in the whole IoT system lifecycle is useful and necessary to guarantee a good service for the whole system. The heterogeneity and dynamicity of this field make it difficult to ensure trust in IoT. We propose a trust by design framework for including trust in the development of an IoT entity considering all the phases of the life-cycle. It is composed of the K-Model and transversal activities.

Transparency and verifiability are necessary aspects of accountability, but care needs to be taken that auditing is done in a privacy friendly way. There are situations where it would be useful for certain actors to be able to make restricted views within service provision chains on accountability evidence, including logs, available to other actors with specific governance roles. For example, a data subject or a Data Protection Authority (DPA) might want to authorize an accountability agent to act on their behalf, and be given access to certain logs in a way that does not compromise the privacy of other actors or the security of involved data processors. In this paper two cryptographic-based techniques that may address this issue are proposed and assessed.

El creciente número de dispositivos interconectados trae consigo problemas de seguridad bien conocidos; por ejemplo, aquellos debidos a las vulnerabilidades en protocolos muy diversos –muchos de ellos propietarios– y al factor de error humano introducido por los usuarios. Sin embargo, cabe preguntarse cómo podemos usar el despliegue de tales dispositivos en beneficio de la ciberseguridad. En el proyecto IoTest se está desarrollando una solución, el Testigo Digital, que permitirá a los dispositivos personales con arquitectura de seguridad embebida reaccionar ante ataques virtuales, protegiéndonos de los ciberataques emergentes.

En un mundo en el que los usuarios dependen cada vez más de sus dispositivos, éstos almacenan gran cantidad de datos y son una fuente muy valiosa de información sobre su entorno. Sin embargo, la heterogeneidad y la densidad de los objetos conectados, características propias de la Internet de las Cosas (IoT), sirven de velo para ocultar conductas maliciosas que afectan a estos dispositivos, sin que quede rastro de tales acciones. En este artículo definimos el concepto de testigo digital: funcionalidad que permitirá a los dispositivos personales y otros objetos colaborar para implementar una cadena de custodia digital en la IoT. El fin perseguido es ofrecer soluciones que mitiguen los efectos de la ciberdelincuencia, amparándose en la colaboración de los dispositivos con arquitecturas de seguridad embebidas para alertar de conductas maliciosas, y dejar constancia de éstas.

The correct operation of Critical Infrastructures (CIs) is vital for the well being of society, however these complex systems are subject to multiple faults and threats every day. International organizations around the world are alerting the scientific community to the need for protection of CIs, especially through preparedness and prevention mechanisms. One of the main tools available in this area is the use of Intrusion Detection Systems (IDSs). However, in order to deploy this type of component within a CI, especially within its Control System (CS), it is necessary to verify whether the characteristics of a given IDS solution are compatible with the special requirements and constraints of a critical environment. In this paper, we carry out an extensive study to determine the requirements imposed by the CS on the IDS solutions using the Non-Functional Requirements (NFR) Framework. The outcome of this process are the abstract properties that the IDS needs to satisfy in order to be deployed within a CS, which are refined through the identification of satisficing techniques for the NFRs. To provide quantifiable measurable evidence on the suitability of the IDS component for a CI, we broaden our study using the Goal Question Metric (GQM) approach to select a representative set of metrics. A requirements model, refined with satisficing techniques and sets of metrics which help assess, in the most quantifiable way possible, the suitability and performance of a given IDS solution for a critical scenario, constitutes the results of our analysis.

Cloud computing is becoming a key IT infrastructure technology being adopted progressively by companies and users. Still, there are issues and uncertainties surrounding its adoption, such as security and how users data is dealt with that require attention from developers, researchers, providers and users. The A4Cloud project tries to help solving the problem of accountability in the cloud by providing tools that support the process of achieving accountability. This paper presents the contents of the first A4Cloud tutorial. These contents include basic concepts and tools developed within the project. In particular, we will review how metrics can aid the accountability process and some of the tools that the A4Cloud project will produce such as the Data Track Tool (DTT) and the Cloud Offering Advisory Tool (COAT).

Cloud sourcing consists of outsourcing data, services and infrastructure to cloud providers. Even when this outsourcing model brings advantages to cloud customers, new threats also arise as sensitive data and critical IT services are beyond customers' control. When an organization considers moving to the cloud, IT decision makers must select a cloud provider and must decide which parts of the organization will be outsourced and to which extent. This paper proposes a methodology that allows decision makers to evaluate their trust in cloud providers. The methodology provides a systematic way to elicit knowledge about cloud providers, quantify their trust factors and aggregate them into trust values that can assist the decision-making process. The trust model that we propose is based on trust intervals, which allow capturing uncertainty during the evaluation, and we define an operator for aggregating these trust intervals. The methodology is applied to an eHealth scenario.

Critical Infrastructure Protection (CIP) faces increasing challenges in number and in sophistication, which makes vital to provide new forms of protection to face every day’s threats. In order to make such protection holistic, covering all the needs of the systems from the point of view of security, prevention aspects and situational awareness should be considered. Researchers and Institutions stress the need of providing intelligent and automatic solutions for protection, calling our attention to the need of providing Intrusion Detection Systems (IDS) with intelligent active reaction capabilities. In this paper, we support the need of automating the processes implicated in the IDS solutions of the critical infrastructures and theorize that the introduction of Machine Learning (ML) techniques in IDS will be helpful for implementing automatic adaptable solutions capable of adjusting to new situations and timely reacting in the face of threats and anomalies. To this end, we study the different levels of automation that the IDS can implement, and outline a methodology to endow critical scenarios with preventive automation. Finally, we analyze current solutions presented in the literature and contrast them against the proposed methodology

Security must be a primary concern when engineering Future Internet (FI) systems and applications. In order to achieve secure solutions, we need to capture security requirements early in the Software Development Life Cycle (SDLC). Whereas the security community has traditionally focused on providing tools and mechanisms to capture and express hard security requirements (e.g. confidentiality), little attention has been paid to other important requirements such as trust and reputation. We argue that these soft security requirements can leverage security in open, distributed, heterogeneous systems and applications and that they must be included in an early phase as part of the development process. In this paper we propose a UML extension for specifying trust and reputation requirements, and we apply it to an eHealth case study.

The Future Internet (FI) comprises scenarios where many heterogeneous and dynamic entities must interact to provide services (e.g., sensors, mobile devices and information systems in smart city scenarios). The dynamic conditions under which FI applications must execute call for self-adaptive software to cope with unforeseeable changes in the application environment. Software engineering currently provides frameworks to develop reasoning engines that automatically take reconfiguration decisions and that support the runtime adaptation of distributed, heterogeneous applications. However, these frameworks have very limited support to address security concerns of these application, hindering their usage for FI scenarios. We address this challenge by enhancing self-adaptive systems with the concepts of trust and reputation. Trust will improve decision-making processes under risk and uncertainty, in turn improving security of self-adaptive FI applications. This paper presents an approach that includes a trust and reputation framework into a platform for adaptive, distributed component-based systems, thus providing software components with new abilities to include trust in their reasoning process.  

The Future Internet is posing new security challenges as their scenarios are bringing together a huge amount of stakeholders and devices that must interact under unforeseeable conditions. In addition, in these scenarios we cannot expect entities to know each other beforehand, and therefore, they must be involved in risky and uncertain collaborations. In order to minimize threats and security breaches, it is required that a well-informed decision-making process is in place, and it is here where trust and reputation can play a crucial role. Unfortunately, services and applications developers are often unarmed to address trust and reputation requirements in these scenarios. To overcome this limitation, we propose a trust and reputation framework that allows developers to create trust- and reputation-aware applications.  

Trust has become essential in computer science as a way of assisting the process of decision-making, such as access control. In any system, several tasks may be performed, and each of these tasks might pose different associated trust values between the entities of the system. For instance, in a file system, reading and overwriting a file are two tasks that pose different trust values between the users who can carry out these tasks. In this paper, we propose a simple model for automatically establishing trust relationships between entities considering an established order among tasks.

The smart grid is an electronically controlled electrical grid that connects power generation, transmission, distribution, and consumers using information communication technologies. One of the key characteristics of the smart grid is its support for bi-directional information flow between the consumer of electricity and the utility provider. This two-way interaction allows electricity to be generated in real-time based on consumers’ demands and power requests. As a result, consumer privacy becomes an important concern when collecting energy usage data with the deployment and adoption of smart grid technologies. To protect such sensitive information it is imperative that privacy protection mechanisms be used to protect the privacy of smart grid users. We present an analysis of recently proposed smart grid privacy solutions and identify their strengths and weaknesses in terms of their implementation complexity, efficiency, robustness, and simplicity.

Wireless Sensor Networks (WSN) are networks composed of autonomous devices manufactured to solve a specific problem, with limited computational capabilities and resource-constrained (e.g. limited battery). WSN are used to monitor physical or environmental conditions within an area (e.g. temperature, humidity). The popularity of the WSN is growing, precisely due to the wide range of sensors available. As a result, these networks are being deployed as part of several infrastructures. However, sensors are designed to collaborate only with sensors of the same type. In this sense, taking advantage of the heterogeneity of WSN in order to provide common services, like it is the case of routing, has not been sufficiently considered. For this reason, in this paper we propose a routing protocol based on traffic classification and role-assignment to enable heterogeneous WSN for cooperation. Our approach considers both QoS requirements and lifetime maximization to allow the coexistence of different applications in the heterogeneous network infrastructure.

While there has been considerable progress in the research and technological development (RTD) of the Internet of Things (IoT), there is still considerable RTD required by international communities for the trust, privacy and security research challenges arising from the constitution of the IoT architectures, infrastructures, communications, devices, objects, applications and services. In this paper, we present an thorough analysis of the ongoing and future RTD work, specifically in Europe, regarding trust, privacy and security of the Internet of Things with a view towards enabling international cooperation efforts around the globe to solve these major research challenges.

Cognitive Radio Networks (CRNs) arise as a promising solution to the scarcity of spectrum. By means of cooperation and smart decisions influenced by previous knowledge, CRNs are able to detect and profit from the best spectrum opportunities without interfering primary licensed users. However, besides the well-known attacks to wireless networks, new attacks threat this type of networks. In this paper we analyze these threats and propose a set of intrusion detection modules targeted to detect them. Provided method will allow a CRN to identify attack sources and types of attacks, and to properly react against them.

The systematic processes exactly define the development cycle and help the development team follow the same development strategies and techniques, thus allowing a continuous improvement in the quality of the developed products. Likewise, it is important that the development process used integrates security aspects from the first stages at the same level as other functional and non-functional requirements. Grid systems allow us to build very complex information systems with different and remarkable features (interoperability between multiple security domains, cross-domain authentication and authorization, dynamic, heterogeneous and limited mobile devices, etc). With the development of wireless technology and mobile devices, the Grid becomes the perfect candidate for letting mobile users make complex works that add new computational capacity to the Grid. A methodology of development for secure mobile Grid systems is being defined. One of the activities of this methodology is the requirements analysis which is based in reusable use cases. In this paper, we will present a UML-extension for security use cases and Grid use case which capture the behaviour of this kind of systems. A detailed description of all these new use cases defined in the UML extension is necessary, describing the stereotypes, tagged values, constraints and graphical notation. We show an example of how to apply and use this extension for building the diagram of use cases and incorporating common security aspects for this kind of systems. Also, we will see how the diagrams built can be reused in the construction of others diagrams saving time and effort in this task.
 

Wireless sensor networks (WSNs) have been proven a useful technology for perceiving information about the physical world and as a consequence has been used in many applications such as measurement of temperature, radiation, flow of liquids, etc. The nature of this kind of technology, and also their vulnerabilities to attacks make the security tools required for them to be considered in a special way. The decision making in a WSN is essential for carrying out certain tasks as it aids sensors establish collaborations. In order to assist this process, trust management systems could play a relevant role. In this paper, we list the best practices that we consider are essential for developing a good trust management system for WSN and make an analysis of the state of the art related to these practices.

The concept of trust has become very relevant in the late years as a consequence of the growth of fields such as internet transactions or electronic commerce. In general, trust has become of paramount importance for any kind of distributed networks, such as wireless sensor networks (WSN in the following). In this chapter of the book, we try to give a general overview of the state of the art on trust management systems for WSN and also try to identify the main features of the architectures of these trust management systems.

 Temporal logics of knowledge are useful for reasoning about situations where the knowledge of an agent or component is important, and where change in this knowledge may occur over time. Here we investigate the application of temporal logics of knowledge to the specification and verification of security protocols. We show how typical assumptions relating to authentication protocols can be specified. We consider verification methods for these logics, in particular, focusing on proofs using clausal resolution. Finally we present experiences from using a resolution based theorem prover applied to security protocols specified in temporal logics of knowledge.

An important aspect of e-business is the area of e-commerce. According to recent surveys, one of the most severe restraining factors for the proliferation of e-commerce, as measured by the gap between predicted market value and actual development is the (lack of) security measures required to assure both businesses and customers that their business relationship and transactions will be carried out in privacy, correctly, and timely. A large number of individuals are not willing to engage in e-commerce (or are only participating at a reduced level) simply because they do not trust the e-commerce sites and the underlying information and communication technologies to be secure enough. This paper first considers privacy and security requirements for e-commerce applications; it then discusses methods and technologies that can be used to fulfil these requirements.

  An important aspect of e-business is the area of e-commerce. One of the most severe restraining factors for the proliferation of e-commerce, is the lack of trust between customers and sellers, consumer privacy concerns and the lack of security measures required to assure both businesses and customers that their business relationship and transactions will be carried out in privacy, correctly, and timely. This paper considers trust privacy and security issues in e-commerce applications and discusses methods and technologies that can be used to fulfil the pertinent requirements.

In this work we elaborate on a taxonomy of systems that provide either joint solutions for both authentication and authorization problems, or solutions for only one of the problems. Basically, we do not focus our work on theoretical systems that have been proposed only in the literature. On the other hand, we focus on: (i) systems that are already developed; (ii) systems that are under development or deployment; and (iii) systems that are still in the initial stages of design but are supported by international working groups or bodies. More precisely, we elaborate on a taxonomy of systems that are (or will be soon) available to final users.

An essential issue for the best operation of non-repudiation protocols is to figure out their timeouts. In this paper, we propose a simulation model for this purpose since timeouts depend on specific scenario features such as network speed, TTP characteristics, number of originators and recipients, etc. Based on a one-to-many Markowicth’s protocol simulation model as a specific example, we have worked out various simulation experiments.

A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is commonly at the business process level that customers and end users are able to express their security needs. In addition, systems are often developed by automating existing manual business processes. Since many security notions belongs conceptually to the world of business processes, it is natural to try to capture and express them in the context of business models in which moreover customers and end users feel most comfortable. In this paper, based on experience drawn from an ongoing work within the CASENET project \cite{CASENET}, we propose a UML-based business process-driven framework for the development of security-critical systems.

Interaction of citizens and private organizations with Public Administrations can produce meaningful benefits in the accessibility, efficiency and availability of documents, regardless of time, location and quantity. Although there are some experiences in the field of e-government there are still some technological and legal difficulties that avoid a higher rate of communications with Public Administrations through Internet, not only from citizens, but also from private companies. We have studied two of the technological problems, the need to work in a trustful environment and the creation of tools to manage electronic versions of the paper-based forms.

La confianza en el comercio electrónico se ha reforzado, sin duda, gracias a la difusión de las tarjetas inteligentes. Estos elementos clave, que mejoran en gran medida la seguridad de los sistemas informáticos, tienen usos que van desde la simple identificación del usuario hasta complejos mecanismos de pago. Dentro del comercio electrónico, uno de los servicios de valor añadido más interesantes para cualquier usuario es el de ticketing. La seguridad de este sistema puede beneficiarse del uso de las tarjetas inteligentes en los procesos de venta, almacenamiento y uso de los tickets electrónicos. Uno de los puntos críticos para conseguir una amplia aceptación de este servicio será su capacidad de llegar a la gran mayoría de usuarios. En esta línea, parece apropiado pensar en los teléfonos móviles como la mejor plataforma sobre la que implantar el sistema. Este trabajo presenta los resultados del proyecto GSM-ticket, en el que se introducen, por una parte, un esquema de tickets electrónicos seguros, eficientes y fáciles de usar, y por otra el conjunto de servicios adicionales de venta, pago y distribución junto con sus protocolos correspondientes.