TY  - GEN
A1  - Welearegai, Gebrehiwet B.
A1  - Schlueter, Max
A1  - Hammer, Christian
T1  - Static security evaluation of an industrial web application
T2  - Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing
N2  - JavaScript is the most popular programming language for web applications. Static analysis of JavaScript applications is highly challenging due to its dynamic language constructs and event-driven asynchronous executions, which also give rise to many security-related bugs. Several static analysis tools to detect such bugs exist, however, research has not yet reported much on the precision and scalability trade-off of these analyzers. As a further obstacle, JavaScript programs structured in Node.js modules need to be collected for analysis, but existing bundlers are either specific to their respective analysis tools or not particularly suitable for static analysis.
KW  - JavaScript
KW  - WALA
KW  - SAFE
KW  - comparison
Y1  - 2019
SN  - 978-1-4503-5933-7
U6  - https://doi.org/10.1145/3297280.3297471
SP  - 1952
EP  - 1961
PB  - Association for Computing Machinery
CY  - New York
ER  - 

TY  - GEN
A1  - Ullrich, Andre
A1  - Enke, Judith
A1  - Teichmann, Malte
A1  - Kress, Antonio
A1  - Gronau, Norbert
T1  - Audit - and then what?
BT  - a roadmap for digitization of learning factories
T2  - Procedia Manufacturing
N2  - Current trends such as digital transformation, Internet of Things, or Industry 4.0 are challenging the majority of learning factories. Regardless of whether a conventional learning factory, a model factory, or a digital learning factory, traditional approaches such as the monotonous execution of specific instructions don't suffice the learner's needs, market requirements as well as especially current technological developments. Contemporary teaching environments need a clear strategy, a road to follow for being able to successfully cope with the changes and develop towards digitized learning factories. This demand driven necessity of transformation leads to another obstacle: Assessing the status quo and developing and implementing adequate action plans. Within this paper, details of a maturity-based audit of the hybrid learning factory in the Research and Application Centre Industry 4.0 and a thereof derived roadmap for the digitization of a learning factory are presented.
KW  - Audit
KW  - Digitization
KW  - Learning Factory
KW  - Roadmap
Y1  - 2019
U6  - https://doi.org/10.1016/j.promfg.2019.03.025
SN  - 2351-9789
VL  - 31
SP  - 162
EP  - 168
PB  - Elsevier
CY  - Amsterdam
ER  - 

TY  - GEN
A1  - Torkura, Kennedy A.
A1  - Sukmana, Muhammad Ihsan Haikal
A1  - Strauss, Tim
A1  - Graupner, Hendrik
A1  - Cheng, Feng
A1  - Meinel, Christoph
T1  - CSBAuditor
BT  - proactive security risk analysis for cloud storage broker systems
T2  - 17th International Symposium on Network Computing and Applications (NCA)
N2  - Cloud Storage Brokers (CSB) provide seamless and concurrent access to multiple Cloud Storage Services (CSS) while abstracting cloud complexities from end-users. However, this multi-cloud strategy faces several security challenges including enlarged attack surfaces, malicious insider threats, security complexities due to integration of disparate components and API interoperability issues. Novel security approaches are imperative to tackle these security issues. Therefore, this paper proposes CSBAuditor, a novel cloud security system that continuously audits CSB resources, to detect malicious activities and unauthorized changes e.g. bucket policy misconfigurations, and remediates these anomalies. The cloud state is maintained via a continuous snapshotting mechanism thereby ensuring fault tolerance. We adopt the principles of chaos engineering by integrating Broker Monkey, a component that continuously injects failure into our reference CSB system, Cloud RAID. Hence, CSBAuditor is continuously tested for efficiency i.e. its ability to detect the changes injected by Broker Monkey. CSBAuditor employs security metrics for risk analysis by computing severity scores for detected vulnerabilities using the Common Configuration Scoring System, thereby overcoming the limitation of insufficient security metrics in existing cloud auditing schemes. CSBAuditor has been tested using various strategies including chaos engineering failure injection strategies. Our experimental evaluation validates the efficiency of our approach against the aforementioned security issues with a detection and recovery rate of over 96 %.
KW  - Cloud-Security
KW  - Cloud Audit
KW  - Security Metrics
KW  - Security Risk Assessment
KW  - Secure Configuration
Y1  - 2018
SN  - 978-1-5386-7659-2
U6  - https://doi.org/10.1109/NCA.2018.8548329
PB  - IEEE
CY  - New York
ER  - 

TY  - GEN
A1  - Torkura, Kennedy A.
A1  - Sukmana, Muhammad Ihsan Haikal
A1  - Meinig, Michael
A1  - Kayem, Anne V. D. M.
A1  - Cheng, Feng
A1  - Meinel, Christoph
A1  - Graupner, Hendrik
T1  - Securing cloud storage brokerage systems through threat models
T2  - Proceedings IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA)
N2  - Cloud storage brokerage is an abstraction aimed at providing value-added services. However, Cloud Service Brokers are challenged by several security issues including enlarged attack surfaces due to integration of disparate components and API interoperability issues. Therefore, appropriate security risk assessment methods are required to identify and evaluate these security issues, and examine the efficiency of countermeasures. A possible approach for satisfying these requirements is employment of threat modeling concepts, which have been successfully applied in traditional paradigms. In this work, we employ threat models including attack trees, attack graphs and Data Flow Diagrams against a Cloud Service Broker (CloudRAID) and analyze these security threats and risks. Furthermore, we propose an innovative technique for combining Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS) base scores in probabilistic attack graphs to cater for configuration-based vulnerabilities which are typically leveraged for attacking cloud storage systems. This approach is necessary since existing schemes do not provide sufficient security metrics, which are imperatives for comprehensive risk assessments. We demonstrate the efficiency of our proposal by devising CCSS base scores for two common attacks against cloud storage: Cloud Storage Enumeration Attack and Cloud Storage Exploitation Attack. These metrics are then used in Attack Graph Metric-based risk assessment. Our experimental evaluation shows that our approach caters for the aforementioned gaps and provides efficient security hardening options. Therefore, our proposals can be employed to improve cloud security.
KW  - Cloud-Security
KW  - Threat Models
KW  - Security Metrics
KW  - Security Risk Assessment
KW  - Secure Configuration
Y1  - 2018
SN  - 978-1-5386-2195-0
U6  - https://doi.org/10.1109/AINA.2018.00114
SN  - 1550-445X
SP  - 759
EP  - 768
PB  - IEEE
CY  - New York
ER  - 

TY  - GEN
A1  - Torkura, Kennedy A.
A1  - Sukmana, Muhammad Ihsan Haikal
A1  - Kayem, Anne V. D. M.
A1  - Cheng, Feng
A1  - Meinel, Christoph
T1  - A cyber risk based moving target defense mechanism for microservice architectures
T2  - IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom)
N2  - Microservice Architectures (MSA) structure applications as a collection of loosely coupled services that implement business capabilities. The key advantages of MSA include inherent support for continuous deployment of large complex applications, agility and enhanced productivity. However, studies indicate that most MSA are homogeneous, and introduce shared vulnerabilities, thus vulnerable to multi-step attacks, which are economics-of-scale incentives to attackers. In this paper, we address the issue of shared vulnerabilities in microservices with a novel solution based on the concept of Moving Target Defenses (MTD). Our mechanism works by performing risk analysis against microservices to detect and prioritize vulnerabilities. Thereafter, security risk-oriented software diversification is employed, guided by a defined diversification index. The diversification is performed at runtime, leveraging both model and template based automatic code generation techniques to automatically transform programming languages and container images of the microservices. Consequently, the microservices attack surfaces are altered thereby introducing uncertainty for attackers while reducing the attackability of the microservices. Our experiments demonstrate the efficiency of our solution, with an average success rate of over 70% attack surface randomization.
KW  - Security Risk Assessment
KW  - Security Metrics
KW  - Moving Target Defense
KW  - Microservices Security
KW  - Application Container Security
Y1  - 2018
SN  - 978-1-7281-1141-4
U6  - https://doi.org/10.1109/BDCloud.2018.00137
SN  - 2158-9178
SP  - 932
EP  - 939
PB  - Institute of Electrical and Electronics Engineers
CY  - Los Alamitos
ER  - 

TY  - GEN
A1  - Teusner, Ralf
A1  - Matthies, Christoph
A1  - Staubitz, Thomas
T1  - What Stays in Mind?
BT  - Retention Rates in Programming MOOCs
T2  - IEEE Frontiers in Education Conference (FIE)
Y1  - 2018
SN  - 978-1-5386-1174-6
U6  - https://doi.org/10.1109/FIE.2018.8658890
SN  - 0190-5848
PB  - IEEE
CY  - New York
ER  - 

TY  - GEN
A1  - Teichmann, Malte
A1  - Ullrich, Andre
A1  - Gronau, Norbert
T1  - Subject-oriented learning
BT  - a new perspective for vocational training in learning factories
T2  - Procedia Manufacturing
N2  - The transformation to a digitized company changes not only the work but also social context for the employees and requires inter alia new knowledge and skills from them. Additionally, individual action problems arise. This contribution proposes the subject-oriented learning theory, in which the employees' action problems are the starting point of training activities in learning factories. In this contribution, the subject-oriented learning theory is exemplified and respective advantages for vocational training in learning factories are pointed out both theoretically and practically. Thereby, especially the individual action problems of learners and the infrastructure are emphasized as starting point for learning processes and competence development.
KW  - Subject-oriented learning
KW  - action problems
KW  - vocational training
KW  - learning factories
Y1  - 2019
U6  - https://doi.org/10.1016/j.promfg.2019.03.012
SN  - 2351-9789
VL  - 31
SP  - 72
EP  - 78
PB  - Elsevier
CY  - Amsterdam
ER  - 

TY  - GEN
A1  - Tala, Mahdi
A1  - Schrape, Oliver
A1  - Krstić, Miloš
A1  - Bertozzi, Davide
T1  - Exploring the Performance-Energy Optimization Space of a Bridge Between 3D-Stacked Electronic and Optical Networks-on-Chip
T2  - XXXIII Conference on Design of Circuits and Integrated Systems (DCIS)
N2  - The relentless improvement of silicon photonics is making optical interconnects and networks appealing for use in miniaturized systems, where electrical interconnects cannot keep up with the growing levels of core integration due to bandwidth density and power efficiency limitations. At the same time, solutions such as 3D stacking or 2.5D integration open the door to a fully dedicated process optimization for the photonic die. However, an architecture-level integration challenge arises between the electronic network and the optical one in such tightly-integrated parallel systems. It consists of adapting signaling rates, matching the different levels of communication parallelism, handling cross-domain flow control, addressing re-synchronization concerns, and avoiding protocol-dependent deadlock. The associated energy and performance overhead may offset the inherent benefits of the emerging technology itself. This paper explores a hybrid CMOS-ECL bridge architecture between 3D-stacked technology-heterogeneous networks-on-chip (NoCs). The different ways of overcoming the serialization challenge (i.e., through an improvement of the signaling rate and/or through space-/wavelength division multiplexing options) give rise to a configuration space that the paper explores, in search for the most energy-efficient configuration for high-performance.
Y1  - 2018
SN  - 978-1-7281-0171-2
U6  - https://doi.org/10.1109/DCIS.2018.8681461
SN  - 2471-6170
SN  - 2640-5563
PB  - IEEE
CY  - New York
ER  - 

TY  - GEN
A1  - Sukmana, Muhammad Ihsan Haikal
A1  - Torkura, Kennedy A.
A1  - Cheng, Feng
A1  - Meinel, Christoph
A1  - Graupner, Hendrik
T1  - Unified logging system for monitoring multiple cloud storage providers in cloud storage broker
T2  - 32ND International Conference on Information Networking (ICOIN)
N2  - With the increasing demand for personal and enterprise data storage service, Cloud Storage Broker (CSB) provides cloud storage service using multiple Cloud Service Providers (CSPs) with guaranteed Quality of Service (QoS), such as data availability and security. However monitoring cloud storage usage in multiple CSPs has become a challenge for CSB due to lack of standardized logging format for cloud services that causes each CSP to implement its own format. In this paper we propose a unified logging system that can be used by CSB to monitor cloud storage usage across multiple CSPs. We gather cloud storage log files from three different CSPs and normalise these into our proposed log format that can be used for further analysis process. We show that our work enables a coherent view suitable for data navigation, monitoring, and analytics.
KW  - Unified logging system
KW  - Cloud Service Provider
KW  - cloud monitoring
KW  - data integration
KW  - security analytics
Y1  - 2018
SN  - 978-1-5386-2290-2
U6  - https://doi.org/10.1109/ICOIN.2018.8343081
SP  - 44
EP  - 49
PB  - IEEE
CY  - New York
ER  - 

TY  - GEN
A1  - Staubitz, Thomas
A1  - Teusner, Ralf
A1  - Meinel, Christoph
T1  - MOOCs in Secondary Education
BT  - Experiments and Observations from German Classrooms
T2  - 2019 IEEE Global Engineering Education Conference (EDUCON)
N2  - Computer science education in German schools is often less than optimal. It is only mandatory in a few of the federal states and there is a lack of qualified teachers. As a MOOC (Massive Open Online Course) provider with a German background, we developed the idea to implement a MOOC addressing pupils in secondary schools to fill this gap. The course targeted high school pupils and enabled them to learn the Python programming language. In 2014, we successfully conducted the first iteration of this MOOC with more than 7000 participants. However, the share of pupils in the course was not quite satisfactory. So we conducted several workshops with teachers to find out why they had not used the course to the extent that we had imagined. The paper at hand explores and discusses the steps we have taken in the following years as a result of these workshops.
KW  - MOOC
KW  - Secondary Education
KW  - School
KW  - Teamwork
KW  - K-12
KW  - Programming course
KW  - Java
KW  - Python
Y1  - 2019
SN  - 978-1-5386-9506-7
U6  - https://doi.org/10.1109/EDUCON.2019.8725138
SN  - 2165-9567
SP  - 173
EP  - 182
PB  - IEEE
CY  - New York
ER  - 