Penetration Testing

14,000,000 Leading Edge Experts on the ideXlab platform

Scan Science and Technology

Contact Leading Edge Experts & Companies

The Experts below are selected from a list of 24807 Experts worldwide ranked by ideXlab platform

Mark Felegyhazi - One of the best experts on this subject based on the ideXlab platform.

  • Optimal information security investment with Penetration Testing
    Decision and Game Theory for Security, 2010
    Co-Authors: Rainer Bohme, Mark Felegyhazi
    Abstract:

    Penetration Testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds Penetration Testing to the realm of information security investment. Penetration Testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue Penetration Testing until a secure state is reached. Further analysis using a new metric for the return on Penetration Testing suggests that Penetration Testing almost always increases the per-dollar efficiency of security investment.

  • GameSec - Optimal information security investment with Penetration Testing
    Lecture Notes in Computer Science, 2010
    Co-Authors: Rainer Bohme, Mark Felegyhazi
    Abstract:

    Penetration Testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds Penetration Testing to the realm of information security investment. Penetration Testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue Penetration Testing until a secure state is reached. Further analysis using a new metric for the return on Penetration Testing suggests that Penetration Testing almost always increases the per-dollar efficiency of security investment.

Alexei Lisitsa - One of the best experts on this subject based on the ideXlab platform.

  • Agent-based (BDI) modeling for automation of Penetration Testing.
    arXiv: Cryptography and Security, 2019
    Co-Authors: Ge Chu, Alexei Lisitsa
    Abstract:

    Penetration Testing (or pentesting) is one of the widely used and important methodologies to assess the security of computer systems and networks. Traditional pentesting relies on the domain expert knowledge and requires considerable human effort all of which incurs a high cost. The automation can significantly improve the efficiency, availability and lower the cost of Penetration Testing. Existing approaches to the automation include those which map vulnerability scanner results to the corresponding exploit tools, and those addressing the pentesting as a planning problem expressed in terms of attack graphs. Due to mainly non-interactive processing, such solutions can deal effectively only with static and simple targets. In this paper, we propose an automated Penetration Testing approach based on the belief-desire-intention (BDI) agent model, which is central in the research on agent-based processing in that it deals interactively with dynamic, uncertain and complex environments. Penetration Testing actions are defined as a series of BDI plans and the BDI reasoning cycle is used to represent the Penetration Testing process. The model is extensible and new plans can be added, once they have been elicited from the human experts. We report on the results of testing of proof of concept BDI-based Penetration Testing tool in the simulated environment.

  • PST - Poster: Agent-based (BDI) modeling for automation of Penetration Testing
    2018 16th Annual Conference on Privacy Security and Trust (PST), 2018
    Co-Authors: Ge Chu, Alexei Lisitsa
    Abstract:

    Traditional Penetration Testing relies on the domain expert knowledge and requires considerable human effort all of which incurs a high cost. In this paper, we propose an automated Penetration Testing approach based on the belief-desire-intention (BDI) agent model, which is central in the research on agent-based processing in that it deals interactively with dynamic, uncertain and complex environments. Penetration Testing actions are defined as a series of BDI plans and the BDI reasoning cycle is used to represent the Penetration Testing process. The model is extensible and new plans can be added, once they have been elicited from the human experts. We report on the results of testing of proof of concept BDI-based Penetration Testing tool in the simulated environment.

  • Poster: Agent-based (BDI) modeling for automation of Penetration Testing
    2018 16th Annual Conference on Privacy Security and Trust (PST), 2018
    Co-Authors: Ge Chu, Alexei Lisitsa
    Abstract:

    Traditional Penetration Testing relies on the domain expert knowledge and requires considerable human effort all of which incurs a high cost. In this paper, we propose an automated Penetration Testing approach based on the belief-desire-intention (BDI) agent model, which is central in the research on agent-based processing in that it deals interactively with dynamic, uncertain and complex environments. Penetration Testing actions are defined as a series of BDI plans and the BDI reasoning cycle is used to represent the Penetration Testing process. The model is extensible and new plans can be added, once they have been elicited from the human experts. We report on the results of testing of proof of concept BDI-based Penetration Testing tool in the simulated environment.

Rainer Bohme - One of the best experts on this subject based on the ideXlab platform.

  • Optimal information security investment with Penetration Testing
    Decision and Game Theory for Security, 2010
    Co-Authors: Rainer Bohme, Mark Felegyhazi
    Abstract:

    Penetration Testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds Penetration Testing to the realm of information security investment. Penetration Testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue Penetration Testing until a secure state is reached. Further analysis using a new metric for the return on Penetration Testing suggests that Penetration Testing almost always increases the per-dollar efficiency of security investment.

  • GameSec - Optimal information security investment with Penetration Testing
    Lecture Notes in Computer Science, 2010
    Co-Authors: Rainer Bohme, Mark Felegyhazi
    Abstract:

    Penetration Testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds Penetration Testing to the realm of information security investment. Penetration Testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nature, weakest-link security game. We prove that once started, it is optimal to continue Penetration Testing until a secure state is reached. Further analysis using a new metric for the return on Penetration Testing suggests that Penetration Testing almost always increases the per-dollar efficiency of security investment.

Jörg Schwenk - One of the best experts on this subject based on the ideXlab platform.

  • Penetration Testing Tool for Web Services Security
    2012 IEEE Eighth World Congress on Services, 2012
    Co-Authors: Christian Mainka, Juraj Somorovsky, Jörg Schwenk
    Abstract:

    XML-based SOAP Web Services are a widely used technology, which allows the users to execute remote operations and transport arbitrary data. It is currently adapted in Service Oriented Architectures, cloud interfaces, management of federated identities, eGovernment, or military services. The wide adoption of this technology has resulted in an emergence of numerous - mostly complex - extension specifications. Naturally, this has been followed by a rise in large number of Web Services attacks. They range from specific Denial of Service attacks to attacks breaking interfaces of cloud providers [1], [2] or confidentiality of encrypted messages [3]. By implementing common web applications, the developers evaluate the security of their systems by applying different Penetration Testing tools. However, in comparison to the well-known attacks as SQL injection or Cross Site Scripting, there exist no Penetration Testing tools for Web Services specific attacks. This was the motivation for developing the first automated Penetration Testing tool for Web Services called WS-Attacker. In this paper we give an overview of our design decisions and provide evaluation of four Web Services frameworks and their resistance against WS-Addressing spoofing and SOAPAction spoofing attacks.

  • Penetration Testing tool for web services security
    World Congress on Services, 2012
    Co-Authors: Christian Mainka, Juraj Somorovsky, Jörg Schwenk
    Abstract:

    XML-based SOAP Web Services are a widely used technology, which allows the users to execute remote operations and transport arbitrary data. It is currently adapted in Service Oriented Architectures, cloud interfaces, management of federated identities, eGovernment, or military services. The wide adoption of this technology has resulted in an emergence of numerous -- mostly complex -- extension specifications. Naturally, this has been followed by a rise in large number of Web Services attacks. They range from specific Denial of Service attacks to attacks breaking interfaces of cloud providers or confidentiality of encrypted messages. By implementing common web applications, the developers evaluate the security of their systems by applying different Penetration Testing tools. However, in comparison to the well-known attacks as SQL injection or Cross Site Scripting, there exist no Penetration Testing tools for Web Services specific attacks. This was the motivation for developing the first automated Penetration Testing tool for Web Services called WS-Attacker. In this paper we give an overview of our design decisions and provide evaluation of four Web Services frameworks and their resistance against WS-Addressing spoofing and SOAPAction spoofing attacks. WS-Attacker was built with respect to its future extensions with further attacks in order to provide an all-in-one security checking interface.

Ge Chu - One of the best experts on this subject based on the ideXlab platform.

  • Agent-based (BDI) modeling for automation of Penetration Testing.
    arXiv: Cryptography and Security, 2019
    Co-Authors: Ge Chu, Alexei Lisitsa
    Abstract:

    Penetration Testing (or pentesting) is one of the widely used and important methodologies to assess the security of computer systems and networks. Traditional pentesting relies on the domain expert knowledge and requires considerable human effort all of which incurs a high cost. The automation can significantly improve the efficiency, availability and lower the cost of Penetration Testing. Existing approaches to the automation include those which map vulnerability scanner results to the corresponding exploit tools, and those addressing the pentesting as a planning problem expressed in terms of attack graphs. Due to mainly non-interactive processing, such solutions can deal effectively only with static and simple targets. In this paper, we propose an automated Penetration Testing approach based on the belief-desire-intention (BDI) agent model, which is central in the research on agent-based processing in that it deals interactively with dynamic, uncertain and complex environments. Penetration Testing actions are defined as a series of BDI plans and the BDI reasoning cycle is used to represent the Penetration Testing process. The model is extensible and new plans can be added, once they have been elicited from the human experts. We report on the results of testing of proof of concept BDI-based Penetration Testing tool in the simulated environment.

  • PST - Poster: Agent-based (BDI) modeling for automation of Penetration Testing
    2018 16th Annual Conference on Privacy Security and Trust (PST), 2018
    Co-Authors: Ge Chu, Alexei Lisitsa
    Abstract:

    Traditional Penetration Testing relies on the domain expert knowledge and requires considerable human effort all of which incurs a high cost. In this paper, we propose an automated Penetration Testing approach based on the belief-desire-intention (BDI) agent model, which is central in the research on agent-based processing in that it deals interactively with dynamic, uncertain and complex environments. Penetration Testing actions are defined as a series of BDI plans and the BDI reasoning cycle is used to represent the Penetration Testing process. The model is extensible and new plans can be added, once they have been elicited from the human experts. We report on the results of testing of proof of concept BDI-based Penetration Testing tool in the simulated environment.

  • Poster: Agent-based (BDI) modeling for automation of Penetration Testing
    2018 16th Annual Conference on Privacy Security and Trust (PST), 2018
    Co-Authors: Ge Chu, Alexei Lisitsa
    Abstract:

    Traditional Penetration Testing relies on the domain expert knowledge and requires considerable human effort all of which incurs a high cost. In this paper, we propose an automated Penetration Testing approach based on the belief-desire-intention (BDI) agent model, which is central in the research on agent-based processing in that it deals interactively with dynamic, uncertain and complex environments. Penetration Testing actions are defined as a series of BDI plans and the BDI reasoning cycle is used to represent the Penetration Testing process. The model is extensible and new plans can be added, once they have been elicited from the human experts. We report on the results of testing of proof of concept BDI-based Penetration Testing tool in the simulated environment.