Visible to the public Biblio

Filters: Keyword is Security Audits  [Clear All Filters]
2023-01-13
Deng, Chao, He, Mingxing, Wen, Xinyu, Luo, Qian.  2022.  Support Efficient User Revocation and Identity Privacy in Integrity Auditing of Shared Data. 2022 7th International Conference on Cloud Computing and Big Data Analytics (ICCCBDA). :221—229.
The cloud provides storage for users to share their files in the cloud. Nowadays some shared data auditing schemes are proposed for protecting data integrity. However, preserving the identity privacy of group users and secure user revocation usually result in high computational overhead. Then a shared data auditing scheme supporting identity privacy preserving is proposed that enables users to be effectively revoked. To preserve identity privacy during the audit process, we develop an efficient authenticator generation mechanism that enables public auditing. Our solution supports efficient user revocation, where the authenticator of the revoked user does not need to be regenerated and integrity checking can be performed appropriately. At the same time, the group manager maintains two tables to ensure user traceability. When the user updates data, two tables are modified and updated by the group manager promptly. It shows that our scheme is secure by security analysis. Moreover, concrete experiments prove the performance of the system.
Li, Xiuli, Wang, Guoshi, Wang, Chuping, Qin, Yanyan, Wang, Ning.  2022.  Software Source Code Security Audit Algorithm Supporting Incremental Checking. 2022 IEEE 7th International Conference on Smart Cloud (SmartCloud). :53—58.
Source code security audit is an effective technique to deal with security vulnerabilities and software bugs. As one kind of white-box testing approaches, it can effectively help developers eliminate defects in the code. However, it suffers from performance issues. In this paper, we propose an incremental checking mechanism which enables fast source code security audits. And we conduct comprehensive experiments to verify the effectiveness of our approach.
Yuan, Wenyong, Wei, Lixian, Li, Zhengge, Ki, Ruifeng, Yang, Xiaoyuan.  2022.  ID-based Data Integrity Auditing Scheme from RSA with Forward Security. 2022 7th International Conference on Cloud Computing and Big Data Analytics (ICCCBDA). :192—197.

Cloud data integrity verification was an important means to ensure data security. We used public key infrastructure (PKI) to manage user keys in Traditional way, but there were problems of certificate verification and high cost of key management. In this paper, RSA signature was used to construct a new identity-based cloud audit protocol, which solved the previous problems caused by PKI and supported forward security, and reduced the loss caused by key exposure. Through security analysis, the design scheme could effectively resist forgery attack and support forward security.

Alimzhanova, Zhanna, Tleubergen, Akzer, Zhunusbayeva, Salamat, Nazarbayev, Dauren.  2022.  Comparative Analysis of Risk Assessment During an Enterprise Information Security Audit. 2022 International Conference on Smart Information Systems and Technologies (SIST). :1—6.

This article discusses a threat and vulnerability analysis model that allows you to fully analyze the requirements related to information security in an organization and document the results of the analysis. The use of this method allows avoiding and preventing unnecessary costs for security measures arising from subjective risk assessment, planning and implementing protection at all stages of the information systems lifecycle, minimizing the time spent by an information security specialist during information system risk assessment procedures by automating this process and reducing the level of errors and professional skills of information security experts. In the initial sections, the common methods of risk analysis and risk assessment software are analyzed and conclusions are drawn based on the results of comparative analysis, calculations are carried out in accordance with the proposed model.

Saloni, Arora, Dilpreet Kaur.  2022.  A Review on The Concerns of Security Audit Using Machine Learning Techniques. 2022 2nd International Conference on Advance Computing and Innovative Technologies in Engineering (ICACITE). :835—839.
Successful information and communication technology (ICT) may propel administrative procedures forward quickly. In order to achieve efficient usage of TCT in their businesses, ICT strategies and plans should be examined to ensure that they align with the organization's visions and missions. Efficient software and hardware work together to provide relevant data that aids in the improvement of how we do business, learn, communicate, entertain, and work. This exposes them to a risky environment that is prone to both internal and outside threats. The term “security” refers to a level of protection or resistance to damage. Security can also be thought of as a barrier between assets and threats. Important terms must be understood in order to have a comprehensive understanding of security. This research paper discusses key terms, concerns, and challenges related to information systems and security auditing. Exploratory research is utilised in this study to find an explanation for the observed occurrences, problems, or behaviour. The study's findings include a list of various security risks that must be seriously addressed in any Information System and Security Audit.
Upadhyaya, Santosh Kumar, Thangaraju, B..  2022.  A Novel Method for Trusted Audit and Compliance for Network Devices by Using Blockchain. 2022 IEEE International Conference on Electronics, Computing and Communication Technologies (CONECCT). :1—6.

The Network Security and Risk (NSR) management team in an enterprise is responsible for maintaining the network which includes switches, routers, firewalls, controllers, etc. Due to the ever-increasing threat of capitalizing on the vulnerabilities to create cyber-attacks across the globe, a major objective of the NSR team is to keep network infrastructure safe and secure. NSR team ensures this by taking proactive measures of periodic audits of network devices. Further external auditors are engaged in the audit process. Audit information is primarily stored in an internal database of the enterprise. This generic approach could result in a trust deficit during external audits. This paper proposes a method to improve the security and integrity of the audit information by using blockchain technology, which can greatly enhance the trust factor between the auditors and enterprises.

Lobanok, Oleg, Promyslov, Vitaly, Semenkov, Kirill.  2022.  Safety-Driven Approach for Security Audit of I&C Systems of Nuclear Power Plants. 2022 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM). :545—550.
In this paper, we tried to summarize the practical experience of information security audits of nuclear power plants' automated process control system (I&C). The article presents a methodology for auditing the information security of instrumentation and control systems for nuclear power plants. The methodology was developed taking into account international and national Russian norms and rules and standards. The audit taxonomy, classification lifecycle are described. The taxonomy of information security audits shows that form, objectives of the I&C information security audit, and procedures can vary widely. A conceptual program is considered and discussed in details. The distinctive feature of the methodology is the mandatory consideration of the impact of information security on nuclear safety.
Bryushinin, Anton O., Dushkin, Alexandr V., Melshiyan, Maxim A..  2022.  Automation of the Information Collection Process by Osint Methods for Penetration Testing During Information Security Audit. 2022 Conference of Russian Young Researchers in Electrical and Electronic Engineering (ElConRus). :242—246.
The purpose of this article is to consider one of the options for automating the process of collecting information from open sources when conducting penetration testing in an organization's information security audit using the capabilities of the Python programming language. Possible primary vectors for collecting information about the organization, personnel, software, and hardware are shown. The basic principles of operation of the software product are presented in a visual form, which allows automated analysis of information from open sources about the object under study.
Ahmad, Adil, Lee, Sangho, Peinado, Marcus.  2022.  HARDLOG: Practical Tamper-Proof System Auditing Using a Novel Audit Device. 2022 IEEE Symposium on Security and Privacy (SP). :1791—1807.
Audit systems maintain detailed logs of security-related events on enterprise machines to forensically analyze potential incidents. In principle, these logs should be safely stored in a secure location (e.g., network storage) as soon as they are produced, but this incurs prohibitive slowdown to a monitored machine. Hence, existing audit systems protect batched logs asynchronously (e.g., after tens of seconds), but this allows attackers to tamper with unprotected logs.This paper presents HARDLOG, a practical and effective system that employs a novel audit device to provide fine-grained log protection with minimal performance slowdown. HARDLOG implements criticality-aware log protection: it ensures that logs are synchronously protected in the audit device before an infrequent security-critical event is allowed to execute, but logs are asynchronously protected on frequent non-critical events to minimize performance overhead. Importantly, even on non-critical events, HARDLOG ensures bounded-asynchronous protection: it sends log entries to the audit device within a tiny, bounded delay from their creation using well-known real-time techniques. To demonstrate HARDLOG’S effectiveness, we prototyped an audit device using commodity components and implemented a reference audit system for Linux. Our prototype achieves a bounded protection delay of 15 milliseconds at non-critical events alongside undelayed protection at critical events. We also show that, for diverse real-world programs, HARDLOG incurs a geometric mean performance slowdown of only 6.3%, hence it is suitable for many real-world deployment scenarios.
2022-04-01
Akmal, Muhammad, Syangtan, Binod, Alchouemi, Amr.  2021.  Enhancing the security of data in cloud computing environments using Remote Data Auditing. 2021 6th International Conference on Innovative Technology in Intelligent System and Industrial Applications (CITISIA). :1—10.
The main aim of this report is to find how data security can be improved in a cloud environment using the remote data auditing technique. The research analysis of the existing journal articles that are peer-reviewed Q1 level of articles is selected to perform the analysis.The main taxonomy that is proposed in this project is being data, auditing, monitoring, and output i.e., DAMO taxonomy that is used and includes these components. The data component would include the type of data; the auditing would ensure the algorithm that would be used at the backend and the storage would include the type of database as single or the distributed server in which the data would be stored.As a result of this research, it would help understand how the data can be ensured to have the required level of privacy and security when the third-party database vendors would be used by the organizations to maintain their data. Since most of the organizations are looking to reduce their burden of the local level of data storage and to reduce the maintenance by the outsourcing of the cloud there are still many issues that occur when there comes the time to check if the data is accurate or not and to see if the data is stored with resilience. In such a case, there is a need to use the Remote Data Auditing techniques that are quite helpful to ensure that the data which is outsourced is reliable and maintained with integrity when the information is stored in the single or the distributed servers.
Bichhawat, Abhishek, Fredrikson, Matt, Yang, Jean.  2021.  Automating Audit with Policy Inference. 2021 IEEE 34th Computer Security Foundations Symposium (CSF). :1—16.
The risk posed by high-profile data breaches has raised the stakes for adhering to data access policies for many organizations, but the complexity of both the policies themselves and the applications that must obey them raises significant challenges. To mitigate this risk, fine-grained audit of access to private data has become common practice, but this is a costly, time-consuming, and error-prone process.We propose an approach for automating much of the work required for fine-grained audit of private data access. Starting from the assumption that the auditor does not have an explicit, formal description of the correct policy, but is able to decide whether a given policy fragment is partially correct, our approach gradually infers a policy from audit log entries. When the auditor determines that a proposed policy fragment is appropriate, it is added to the system's mechanized policy, and future log entries to which the fragment applies can be dealt with automatically. We prove that for a general class of attribute-based data policies, this inference process satisfies a monotonicity property which implies that eventually, the mechanized policy will comprise the full set of access rules, and no further manual audit is necessary. Finally, we evaluate this approach using a case study involving synthetic electronic medical records and the HIPAA rule, and show that the inferred mechanized policy quickly converges to the full, stable rule, significantly reducing the amount of effort needed to ensure compliance in a practical setting.
Abu Othman, Noor Ashitah, Norman, Azah Anir, Mat Kiah, Miss Laiha.  2021.  Information System Audit for Mobile Device Security Assessment. 2021 3rd International Cyber Resilience Conference (CRC). :1—6.
The competency to use mobile devices for work-related tasks gives advantages to the company productiveness and expedites business processes. Thus Bring Your Own Device (BYOD) setting emerge to enable work flexibility and technological compatibility. For management, employees’ productivity is important, but they could not jeopardise the security of information and data stored in the corporate network. Securing data and network becomes more complex tasks as it deals with foreign devices, i.e., devices that do not belong to the organisation. With much research focused on pre-implementation and the technical aspects of mobile device usage, post-implementation advancement is receiving less attention. IS audit as one of the post-implementation mechanisms provides performance evaluation of existing IS assets, business operations and process implementation, thus helping management formulating the best strategies in optimising IS practices. This paper discusses the feasibility of IS audit in assessing mobile device security by exploring the risks and vulnerabilities of mobile devices for organisational IS security as well as the perception of Information system management in mobile device security. By analysing related literature, authors pointed out how the references used in the current IS audit research address the mobile device security. This work serves a significant foundation in the future development in mobile device audit.
Sedano, Wadlkur Kurniawan, Salman, Muhammad.  2021.  Auditing Linux Operating System with Center for Internet Security (CIS) Standard. 2021 International Conference on Information Technology (ICIT). :466—471.
Linux is one of the operating systems to support the increasingly rapid development of internet technology. Apart from the speed of the process, security also needs to be considered. Center for Internet Security (CIS) Benchmark is an example of a security standard. This study implements the CIS Benchmark using the Chef Inspec application. This research focuses on building a tool to perform security audits on the Ubuntu 20.04 operating system. 232 controls on CIS Benchmark were successfully implemented using Chef Inspec application. The results of this study were 87 controls succeeded, 118 controls failed, and 27 controls were skipped. This research is expected to be a reference for information system managers in managing system security.
Dabthong, Hachol, Warasart, Maykin, Duma, Phongsaphat, Rakdej, Pongpat, Majaroen, Natt, Lilakiatsakun, Woraphon.  2021.  Low Cost Automated OS Security Audit Platform Using Robot Framework. 2021 Research, Invention, and Innovation Congress: Innovation Electricals and Electronics (RI2C). :31—34.
Security baseline hardening is a baseline configuration framework aims to improve the robustness of the operating system, lowering the risk and impact of breach incidents. In typical best practice, the security baseline hardening requires to have regular check and follow-up to keep the system in-check, this set of activities are called "Security Baseline Audit". The Security Baseline Audit process is responsible by the IT department. In terms of business, this process consumes a fair number of resources such as man-hour, time, and technical knowledge. In a huge production environment, the resources mentioned can be multiplied by the system's amount in the production environment. This research proposes improving the process with automation while maintaining the quality and security level at the standard. Robot Framework, a useful and flexible opensource automation framework, is being utilized in this research following with a very successful result where the configuration is aligned with CIS (Center for Internet Security) run by the automation process. A tremendous amount of time and process are decreased while the configuration is according to this tool's standard.
Khurat, Assadarat, Sangkhachantharanan, Phirawat.  2021.  An Automatic Networking Device Auditing Tool Based on CIS Benchmark. 2021 18th International Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology (ECTI-CON). :409—412.
Security has become an important issue in an IT system of an organization. Each IT component has to be configured correctly, otherwise the risk of attack could increase. An important component is networking device such as router and switch. To avoid this misconfiguration, a well-known process called audit is used. There are several auditing tools both commercial and open-source. However, none of the existing tools that are open-source can automatically audit the security settings of networking device based on standard e.g., CIS benchmark. We, thus propose a tool that can verify the networking device automatically based on best practices so that auditors can conveniently check as well as issue a report.
Yuan, Yilin, Zhang, Jianbiao, Xu, Wanshan, Li, Zheng.  2021.  Enable data privacy, dynamics, and batch in public auditing scheme for cloud storage system. 2021 2nd International Conference on Computer Communication and Network Security (CCNS). :157—163.
With the popularity of cloud computing, cloud storage technology has also been widely used. Among them, data integrity verification is a hot research topic. At present, the realization of public auditing has become the development trend of integrity verification. Most existing public auditing schemes rarely consider some indispensable functions at the same time. Thus, in this paper, we propose a comprehensive public auditing scheme (PDBPA) that can simultaneously realize data block privacy protection, data dynamics, and multi- user batch auditing. Our PDBPA scheme is implemented in bilinear pairing. By adding random masking in the audit phase, with the help of the characteristics of homomorphic verifiable tags (HVTs), it can not only ensure that the TPA performs the audit work correctly, but also prevent it from exploring the user’s sensitive data. In addition, by utilizing the modified index hash table (MIHT), data dynamics can be effectively achieved. Furthermore, we provide a specific process for the TPA to perform batch audits for multiple users. Moreover, we formally prove the security of the scheme; while achieving the audit correctness, it can resist three types of attacks.
Markina, Maria S., Markin, Pavel V., Voevodin, Vladislav A., Burenok, Dmitry S..  2021.  Methodology for Quantifying the Materiality of Audit Evidence Using Expert Assessments and Their Ranking. 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (ElConRus). :2390—2393.
An Information security audit is a process of obtaining objective audit evidence and evaluating it objectively for compliance with audit criteria. Given resource constraints, it's advisable to focus on obtaining evidence that has a significant impact on its effectiveness when developing an audit program to organize the audit. The person managing the audit program faces an urgent task developing an audit program, taking into account the information content of extracted evidence and resource constraints. In practice, evidence cannot be evaluated correctly directly in numerical scales, so they are forced to use less informative scales. The purpose of scientific research is to develop a methodology for assessing the materiality of audit evidence using expert assessments, their statistical processing, and transition to quantitative scales. As a result, the person managing the audit program gets a tool for developing an effective audit program.
2021-04-27
Wang, Y., Guo, S., Wu, J., Wang, H. H..  2020.  Construction of Audit Internal Control System Based on Online Big Data Mining and Decentralized Model. 2020 Fourth International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC). :623–626.
Construction of the audit internal control system based on the online big data mining and decentralized model is done in this paper. How to integrate the novel technologies to internal control is the attracting task. IT audit is built on the information system and is independent of the information system itself. Application of the IT audit in enterprises can provide a guarantee for the security of the information system that can give an objective evaluation of the investment. This paper integrates the online big data mining and decentralized model to construct an efficient system. Association discovery is also called a data link. It uses similarity functions, such as the Euclidean distance, edit distance, cosine distance, Jeckard function, etc., to establish association relationships between data entities. These parameters are considered for comprehensive analysis.
Pozdniakov, K., Alonso, E., Stankovic, V., Tam, K., Jones, K..  2020.  Smart Security Audit: Reinforcement Learning with a Deep Neural Network Approximator. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). :1–8.
A significant challenge in modern computer security is the growing skill gap as intruder capabilities increase, making it necessary to begin automating elements of penetration testing so analysts can contend with the growing number of cyber threats. In this paper, we attempt to assist human analysts by automating a single host penetration attack. To do so, a smart agent performs different attack sequences to find vulnerabilities in a target system. As it does so, it accumulates knowledge, learns new attack sequences and improves its own internal penetration testing logic. As a result, this agent (AgentPen for simplicity) is able to successfully penetrate hosts it has never interacted with before. A computer security administrator using this tool would receive a comprehensive, automated sequence of actions leading to a security breach, highlighting potential vulnerabilities, and reducing the amount of menial tasks a typical penetration tester would need to execute. To achieve autonomy, we apply an unsupervised machine learning algorithm, Q-learning, with an approximator that incorporates a deep neural network architecture. The security audit itself is modelled as a Markov Decision Process in order to test a number of decision-making strategies and compare their convergence to optimality. A series of experimental results is presented to show how this approach can be effectively used to automate penetration testing using a scalable, i.e. not exhaustive, and adaptive approach.
H, R. M., Shet, U. Harshitha, Shetty, R. D., Shrinivasa, J, A. N., S, K. R. N..  2020.  Triggering and Auditing the Event During Intrusion Detections in WSN’s Defence Application. 2020 3rd International Conference on Intelligent Sustainable Systems (ICISS). :1328–1332.
WSNs are extensively used in defence application for monitoring militant activities in various ways in large unknown territories. Here WSNs has to have large set of distributed systems in the form as sensors nodes. Along with security concerns, False Alarming is also a factor which may interrupt the service and downgrade the application further. Thus in our work we have made sure that when a trigger is raised to an event, images can be captured from the connected cameras so that it will be helpful for both auditing the event as well as capturing the scene which led to the triggering of the event.
Lekshmi, M. M., Subramanian, N..  2020.  Data Auditing in Cloud Storage using Smart Contract. 2020 Third International Conference on Smart Systems and Inventive Technology (ICSSIT). :999–1002.
In general, Cloud storage is considered as a distributed model. Here, the data is usually stored on remote servers to properly maintain, back up and make it accessible to clients over a network, whenever required. Cloud storage providers keep the data and processes to oversee it on capacity servers based on secure virtualization methods. A security framework is proposed for auditing the cloud data, which makes use of the proposed blockchain technology. This ensures to efficiently maintain the data integrity. The blockchain structure inspects the mutation of operational information and thereby ensures the data security. Usually, the data auditing scheme is widely used in a Third Party Auditor (TPA), which is a centralized entity that the client is forced to trust, even if the credibility is not guaranteed. To avoid the participation of TPA, a decentralised scheme is suggested, where it uses a smart contract for auditing the cloud data. The working of smart contracts is based on blockchain. Ethereum is used to deploy a smart contract thereby eliminating the need of a foreign source in the data auditing process.
Tian, Z..  2020.  Design and Implementation of Distributed Government Audit System Based on Multidimensional Online Analysis. 2020 IEEE International Conference on Power, Intelligent Computing and Systems (ICPICS). :981–983.
With the continuous progress of the information age, e-commerce, the Internet of things and other emerging Internet areas are gradually emerging. Massive amount of structured data auditing becomes a major issue. Log files and other data can be uploaded to the cloud via the Internet to guard against potential threats. Difficulty now is how to realize the data in the field of data audit query online, interactive and impromptu. There are two main methods of data warehouse, respectively is zhang table reduction method and basic data verification method. In the age of big data, data quantity increases gradually, so that the audit speed, design of the data storage and so on will be more or less problematic. If the audit task is not completed in time, it will result in the failure to store the audit data, which will cause losses to enterprises and the government. This paper focuses on the data cube physical model and distributed technical analysis, through the establishment of a set of efficient distributed and online auditing system, so as to make the data fast and efficient auditing.
Zhou, X..  2020.  Improvement of information System Audit to Deal With Network Information Security. 2020 International Conference on Communications, Information System and Computer Engineering (CISCE). :93–96.
With the rapid development of information technology and the increasing popularity of information and communication technology, the information age has come. Enterprises must adapt to changes in the times, introduce network and computer technologies in a timely manner, and establish more efficient and reasonable information systems and platforms. Large-scale information system construction is inseparable from related audit work, and network security risks have become an important part of information system audit concerns. This paper analyzes the objectives and contents of information system audits under the background of network information security through theoretical analysis, and on this basis, proposes how the IS audit work will be carried out.
Wang, S., Yang, Y., Liu, S..  2020.  Research on Audit Model of Dameng Database based on Security Configuration Baseline. 2020 IEEE International Conference on Power, Intelligent Computing and Systems (ICPICS). :833–836.
Compared with traditional databases such as Oracle database, SQL Server database and MySQL database, Dameng database is a domestic database with independent intellectual property rights. Combined with the security management of Dameng database and the requirement of database audit, this paper designs the security configuration baseline of Dameng database. By designing the security configuration baseline of Dameng database, the audit work of Dameng database can be carried out efficiently, and by analyzing the audit results, the security configuration baseline of Dameng database can be improved.
2021-03-29
Erulanova, A., Soltan, G., Baidildina, A., Amangeldina, M., Aset, A..  2020.  Expert System for Assessing the Efficiency of Information Security. 2020 7th International Conference on Electrical and Electronics Engineering (ICEEE). :355—359.

The paper considers an expert system that provides an assessment of the state of information security in authorities and organizations of various forms of ownership. The proposed expert system allows to evaluate the state of compliance with the requirements of both organizational and technical measures to ensure the protection of information, as well as the level of compliance with the requirements of the information protection system in general. The expert assessment method is used as a basic method for assessing the state of information protection. The developed expert system provides a significant reduction in routine operations during the audit of information security. The results of the assessment are presented quite clearly and provide an opportunity for the leadership of the authorities and organizations to make informed decisions to further improve the information protection system.