From an information security point of view, an enterprise is considered a collection of assets and their interrelationships. These interrelationships may be built into the enterprise information infrastructure, as in the connection of hardware elements in the network architecture, in the installation of software, or in the information assets. As a result, access to one element may enable access to another if they are connected. An enterprise may specify conditions on access to certain assets in certain modes (read, write, etc.) as policies. The interconnection of assets, together with the specified policies, may lead to managerial vulnerabilities in the enterprise information system. These vulnerabilities, if exploited by threats, may disrupt the normal functioning of information systems. This paper presents a formal methodology for detecting managerial vulnerabilities of, and threats to, enterprise information systems in linear time.