Quantitative security analysis for service-oriented software architectures

Liu, Yanguo(Michael)

24 April 2008

Due to the dramatic increase in intrusion activities, the definition and evaluation of software security requirements have become important aspects of the development of software services. It is now a well-accepted fact in software engineering that security concerns, like any other quality concerns, should be dealt with in the early stages of software development process. Current practices for software security architecture risk analysis, however, still heavily rely on human expertise. This involves a significant amount of subjective efforts creating a greater potential for inaccuracies. In this dissertation, we propose a framework for quantitative security architecture analysis for service-oriented software systems. In this regard two important contributions are made in the dissertation. First, we identify and define some internal security attributes and related properties based on a generic service-oriented software model, setting up a framework for the definition and formal evaluation of corresponding security metrics. Second, we propose a measurement abstraction paradigm named User System Interaction Effect (USIE) model that can be used to systematically derive and analyze security concerns from service-oriented software architectures. Many aspects of the model derivation and analysis can be automated, which limit the amount of user involvement and, thereby, reduce the subjectivity underlying typical security analysis process. The model can be used as a foundation for quantitative analysis of software services from different security perspectives with respect to the internal security properties introduced. Based on sample metrics derived from the framework, we illustrate empirically the viability of our paradigm by conducting case studies based on existing open source software.

Security Analysis

Service-oriented

A Security Analysis of a Credit Card Payment System for Bitcoin Transactions

Grundström, Niklas

January 2018

Cryptocurrencies has become a very hot topic recently, with Bitcoin being the most popular. The increase in interest has led to an incentive to create payment systems for the currency that makes it easier to use for day-to-day shopping. A lot of companies are inves- tigating possible solutions for credit cards that are used for cryptocurrencies. This thesis aims to present and perform a security analysis on an already created concept of a credit card payment system for Bitcoin. The security analysis is done in a systematical approach where the modules were analyzed with predetermined restrictions and assumptions. The restricitons and assumptions are then removed one-by-one to find potential threats in the system. The outcome of the analysis is then evaluated in an attempt to find possible im- plementation methods that would mitigate or prevent the discovered threats. The possible implementations are also evaluated in terms of how they would affect the system.

bitcoin

cryptocurrency

payment system

transaction

cryptocurrencies

transactions

analysis

security analysis

security

Computer and Information Sciences

Data- och informationsvetenskap

A Smart Beta Approach to Fama-French and Profitability

Malgesini, Joseph

01 January 2018

The Fama and French five-factor model is molded into a smart beta investment strategy with strong exposure to the profitability factor. This constructed portfolio outperforms the market significantly despite an unintentional negative correlation with profitability that can be attributed to the intra-factor return correlations. The second portfolio, constructed by investing directly in profitability as represented by gross profit over total assets, outperforms both the market and the first portfolio.

Beta

Profitability

Fama

French

Portfolio

Correlation

Finance and Financial Management

Portfolio and Security Analysis

Computational soundness of formal reasoning about indistinguishability and non-malleability of cryptographic expressions

Hajiabadi, Mohammad

24 August 2011

Analysis and verification of security protocols are typically carried out in two different models of cryptography: formal cryptography and computational cryptography. Formal cryptography, originally inspired by the work of Dolev and Yao [14], takes an abstract and idealized view of security, and develops its proof techniques based on methods and ideas from logic and theory of programming languages. It makes strong assumptions about cryptographic operations by treating them as perfectly-secure symbolic operations. Computational cryptography, on the other hand, has developed its foundations based on complexity theory. Messages are viewed as bit-strings, and cryptographic operations are treated as actual transformations on bit-strings with certain asymptotic properties.In this thesis, we explore the relation between the Dolev-Yao model and the computational model of public-key cryptography in two contexts: indistinguishability and non-malleability of expressions. This problem in the absence of key-cycles is partially addressed in [20, 21] by Herzog. We adapt our approach to use the co-inductive definition of symbolic security, whose private-key treatment was considered in coinduction, and establish our main results as follow: Using a co-inductive approach, we extend the indistinguishability and non-malleability results of Herzog in the presence of key-cycles. By providing a counter-example, we show that the indistinguishability property in this setting is strictly stronger than the non-malleability property, which gives a negative answer to Herzog's conjecture that they are equivalent. we prove that despite the fact that IND-CCA2 security provides non-malleability in our setting, the same result does not hold for IND-CCA1 security. We prove that, under certain hypothesis, our co-inductive formal indistinguishability is computationally-complete in the absence of key-cycles and with respect to any \emph{length-revealing} encryption scheme. In the presence of key-cycles, we prove that the completeness does not hold even with respect to IND-CPA security. / Graduate

Computational Soundness

Dolev-Yao Non-Malleability

Indistinguishability of Expressions

Detecting changes in web applications

Lunyov, Phillip

January 2020

As the availability and popularity of the Internet continues to grow, the trend ofproviding global access to business resources and services online is an efficient andprofitable way for organizations to acquire a new share of the market. Due to the flexibilityand scalability of modern web technologies, web-based applications processand store personal or critical information in enormous amounts. Hence, the overallapplication’s functionality and secure data processing are the main key factors ofeach web application. For ensuring those key factors, the web page code must be regularlymonitored to retain the overall quality of the code. This project is devoted tochange identification and classification in modern web-based applications, based onthe comparison of two versions of web page code, acquired in different time periods.The foundation of the development is described as a detection algorithm in one of theacademic papers. The algorithm was supplemented by a more extensive classificationof changes that was originally proposed by the author. The result of the researchis a semi-automatic tool, developed in Python. The tool compares two versions ofthe web page code to find changes and classify those changes. The result of the tool’sexecution is a report file that contains statistics of the overall algorithm’s executionand type-clustered information about the detected changes between two versions ofthe web page code. The analysis of results showed that the implemented diff-toolprovides reliable results and allocates all types of possible changes in the web pagecodes, which are acknowledged by statistical analysis. The comparative analysis ofthe results of the developed diff-tool with the results of other similar technical solutionsrevealed serious shortcomings of other solutions, due to their data processingimplementation, classification of the changes and resulting report file.

web application security analysis

change identification and classification

diff-algorithms

Computer Sciences

Datavetenskap (datalogi)

Software Engineering

Programvaruteknik

FORECASTS AND IMPLICATIONS USING VIX OPTIONS

Stanley, Spencer, Trainor, William

01 May 2021

This study examines the Chicago Board Option Exchange (CBOE) Volatility Index (VIX) which is the implied volatility calculated from short-term option prices on the Standards & Poor’s 500 stock index (S&P 500). Findings suggest VIX overestimates average volatility by approximately 3% but explains 55% of S&P 500’s proceeding month’s volatility. The implied volatility (IV) from options on the VIX add additional explanatory power for the S&P’s 500 proceeding kurtosis values (a measure of tail risk). The VIX option’s volatility smirks did not add additional explanatory power for explaining the S&P 500 volatility or kurtosis. A simple trading rule based on buying the S&P 500 whether the VIX, IV from the options on the VIX, and the VIX option’s volatility smirk decline over the preceding month results in an additional 0.96% return in the following month. However, this only occurs approximately 10% of the time and does not outperform a simple buy-and-hold strategy as the strategy has the investor out of the market the majority of the time.

CBOE

IV

S&P 500

Index

VIX

VXV

Finance and Financial Management

Portfolio and Security Analysis

Essays on the performance of option trading strategies

Li, Zhuo

09 August 2022

This dissertation consists of two parts. In the first chapter, we examine the relative performance of four options-based investment strategies versus a buy-and-hold strategy in the underlying stock. Specifically, using ten stocks widely held in 401(k) plans, we examine monthly returns from strategies that include a long stock position as one component. These strategies are long stock, covered call, protective put, collar, and covered combination. Ignoring early exercise for simplicity, we find that the covered combination and covered call strategies generally outperform the long stock strategy, which in turn generally outperforms the collar and protective put strategies regardless of the performance measure considered. Clearly, from the first chapter, strategies that involve writing options, in general, outperform the ones buying options. The second chapter provides a detailed study of the conditions where option writers can maximize returns while minimizing risk. The nonlinear nature of time value decay in options suggests that, theoretically, holding short positions only when the speed of time decay is high might improve the performance of option writing strategies. We examine monthly returns from five option strategies without a position in the underlying asset. These strategies are: short straddle, short strangle, short guts, “crash-neutral” short straddle, and long iron butterfly. The results from two portfolios are compared: a “benchmark” portfolio using standard SPX options that expire the following month and a weekly portfolio using SPXW options that expire at the end of the weekly holding period. The short strangle strategy with weekly options consistently outperforms the other strategies with both standard and weekly options, even after accounting for transaction costs. This finding suggests that short-dated out-of-the-money options can be useful in improving the risk-return characteristics of an option writing strategy. In an effort to improve the performance of the short straddle strategy, this chapter introduces an extremely short holding period portfolio, by stitching together three weekly option expirations into one week. Although the straddle still underperforms relative to the short strangle, the performance of the short straddle is improved by entering the market 15 minutes before the close and by using the extremely short holding period portfolios.

Option trading strategies

Option time decay

Short-dated index options

Portfolio and Security Analysis

The Singularity Attack on Himq-3: A High-Speed Signature Scheme Based on Multivariate Quadratic Equations

Zhang, Zheng

30 September 2021

No description available.

Mathematics

Post-quantum cryptography

Multivariate public key cryptography

Security analysis

Oil vinegar signature scheme

Design and analysis of a trustworthy, Cross Domain Solution architecture

Daughety, Nathan

23 August 2022

No description available.

Computer Science

Cross Domain Solution

Trustworthiness

Trusted Computing Base

Data Confidentiality

Formal Verification

Security Analysis

<b>Classifying and Identifying BGP Hijacking attacks on the internet</b>

Kai Chiu Oscar Wong (18431700)

26 April 2024

<p dir="ltr">The Internet is a large network of globally interconnected devices p used to facilitate the exchange of information across different parties. As usage of the Internet is expected to grow in the future, the underlying infrastructure must be secure to ensure traffic reaches its intended destination without any disruptions. However, the primary routing protocol used on the Internet, the Border Gateway Protocol (BGP), while scalable and can properly route traffic between large networks, does not inherently have any security mechanisms built within the protocol. This leads to devices that use BGP over the internet to be susceptible to BGP Hijacking attacks, which involve maliciously injected routes into BGP’s Routing Information Base (RIB) to intentionally redirect traffic to another destination. Attempts to solve these issues in the past have been challenging due to the prevalence of devices that use BGP on the existing Internet infrastructure and the lack of backward compatibility for proposed solutions. The goal of this research is to categorize the different types of BGP Hijacking attacks that are possible on a network, identify indicators that an ongoing BGP Hijacking attack based on received routes from the Internet locally without access to machines from other locations or networks, and subsequently leverage these indicators to protect local networks from external BGP Hijacking attacks.</p>

Network engineering

System and network security

Networking and communications

BGP

network security analysis

routing attacks

BGP Hijacking