Lecture Notes in Computer Science 9327

Günther Pernul, Peter Y. A. Ryan, Edgar Weippl (Eds.)

Computer Security – ESORICS 2015
20th European Symposium on Research in Computer Security
Vienna, Austria, September 21–25, 2015
Proceedings, Part II

Lecture Notes in Computer Science, commenced publication in 1973. Founding and former series editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen. More information about this series at http://www.springer.com/series/7410

Editors
Günther Pernul, University of Regensburg, Regensburg, Germany
Peter Y. A. Ryan, University of Luxembourg, Luxembourg, Luxembourg
Edgar Weippl, SBA Research, Wien, Austria

ISSN 0302-9743, ISSN 1611-3349 (electronic)
ISBN 978-3-319-24176-0, ISBN 978-3-319-24177-7 (eBook)
DOI 10.1007/978-3-319-24177-7
Library of Congress Control Number: 2015948157
LNCS Sublibrary: SL4 – Security and Cryptology
© Springer International Publishing Switzerland 2015

Foreword

It is our great pleasure to welcome you to the 20th European Symposium on Research in Computer Security (ESORICS 2015). This year's symposium continues its tradition of establishing a European forum for bringing together researchers in the area of computer security, by promoting the exchange of ideas with system developers and by encouraging links with researchers in related areas.

The call for papers attracted 293 submissions, a record in the ESORICS series, from 41 countries. The papers went through a careful review process and were evaluated on the basis of their significance, novelty, technical quality, as well as on their practical impact and/or their level of advancement of the field's foundations. Each paper received at least three independent reviews, followed by extensive discussion. We finally selected 59 papers for the final program, resulting in an acceptance rate of 20 %. The program was completed with keynote speeches by Sushil Jajodia, George Mason University Fairfax, USA, and Richard Clayton, University of Cambridge, UK.

Putting together ESORICS 2015 was a team effort. We first thank the authors for providing the content of the program. We are grateful to the Program Committee, who worked very hard in reviewing papers (more than 880 reviews were written) and providing feedback for authors. There is a long list of people who volunteered their time and energy to put together and organize the conference, and who deserve special thanks: the ESORICS Steering Committee, and its chair Pierangela Samarati in particular, for their support; Giovanni Livraga, for taking care of publicity; Javier Lopez, as workshop chair, and all workshop co-chairs, who organized workshops co-located with ESORICS; and Yvonne Poul for the local organization and the social events. Finally, we would like to thank our sponsors, HUAWEI, for the financial support, and SBA Research, for hosting and organizing ESORICS 2015.

A different country hosts the conference every year. ESORICS 2015 took place in Vienna, Austria, at the Vienna University of Technology. We are very happy to have hosted the 20th edition of the symposium in Vienna, and we tried to put together a special social program for you, giving you the opportunity to share ideas with other researchers and practitioners from institutions around the world and to see all the beautiful sights of Vienna. We hope that you found this program interesting and thought-provoking and that you enjoyed ESORICS 2015 and Vienna.

July 2015
Günther Pernul, Peter Y. A. Ryan, Edgar Weippl

Organization

General Chair
Günther Pernul, Universität Regensburg, Germany

Program Chairs
Peter Y. A. Ryan, University of Luxembourg, Luxembourg
Edgar Weippl, SBA Research & Vienna University of Technology, Austria

Workshops Chair
Javier Lopez, University of Malaga, Spain

Program Committee
Alessandro Armando, Università di Genova, Italy
Vijay Atluri, Rutgers University, USA
Michael Backes, Saarland University, Germany
Feng Bao, Security and Privacy Lab, Huawei, China
David A. Basin, ETH Zurich, Switzerland
Giampaolo Bella, Università di Catania, Italy
Carlo Blundo, Università degli Studi di Salerno, Italy
Stefan Brunthaler, SBA Research, Austria
Ran Canetti, Tel Aviv University, Israel
Liqun Chen, HP Labs, UK
Michael Clarkson, Cornell University, USA
Jason Crampton, University of London, UK
Cas Cremers, University of Oxford, UK
Frédéric Cuppens, Télécom Bretagne, France
Nora Cuppens-Boulahia, Télécom Bretagne, France
Sabrina De Capitani di Vimercati, Università degli Studi di Milano, Italy
Wenliang Du, Syracuse University, USA
Hannes Federrath, University of Hamburg, Germany
Simon Foley, University College Cork, Ireland
Sara Foresti, Università degli Studi di Milano, Italy
Felix Freiling, Friedrich-Alexander-Universität Erlangen-Nürnberg, Germany
Michael Goldsmith, University of Oxford, UK
Dieter Gollmann, TU Hamburg-Harburg, Germany
Dimitris Gritzalis, AUEB, Greece
Joshua Guttman, MITRE Corp. and Worcester Polytechnic, USA
Feng Hao, Newcastle University, UK
Amir Herzberg, Bar-Ilan University, Israel
Xinyi Huang, Fujian Normal University, China
Michael Huth, Imperial College, UK
Sotiris Ioannidis, FORTH, Crete
Sushil Jajodia, George Mason University, USA
Markus Jakobsson, Qualcomm, USA
Sokratis K. Katsikas, University of Piraeus, Greece
Stefan Katzenbeisser, TU Darmstadt, Germany
Florian Kerschbaum, SAP, Germany
Steve Kremer, INRIA Nancy and LORIA, France
Adam J. Lee, University of Pittsburgh, USA
Wenke Lee, Georgia Institute of Technology, USA
Yingjiu Li, Singapore Management University, Singapore
Peng Liu, Pennsylvania State University, USA
Javier Lopez, University of Malaga, Spain
Wenjing Lou, Virginia Polytechnic Institute and State University, USA
Haibing Lu, Santa Clara University, USA
Antonio Maña, University of Malaga, Spain
Roy Maxion, Carnegie Mellon University, USA
Catherine Meadows, Naval Research Laboratory, USA
Carroll Morgan, University of New South Wales, Australia
John C. Mitchell, Stanford University, USA
Martin Mulazzani, SBA Research, Austria
David Naccache, ENS, France
Rolf Oppliger, eSecurity Technologies, Switzerland
Stefano Paraboschi, Università degli Studi di Bergamo, Italy
Olivier Pereira, UCL Crypto Group, Belgium
Günther Pernul, University of Regensburg, Germany
Bart Preneel, Katholieke Universiteit Leuven, Belgium
Jean-Jacques Quisquater, UCL, Belgium
Kui Ren, University at Buffalo, State University of New York, USA
Mark Ryan, University of Birmingham, UK
Ahmad-Reza Sadeghi, TU Darmstadt, Germany
Pierangela Samarati, Università degli Studi di Milano, Italy
Nitesh Saxena, University of Alabama at Birmingham, USA
Andreas Schaad, SAP, Germany
Steve Schneider, University of Surrey, UK
Jörg Schwenk, Ruhr University Bochum, Germany
Basit Shafiq, Lahore University of Management Sciences, Pakistan
Dimitris E. Simos, SBA Research, Austria
Einar Snekkenes, Gjovik University College, Norway
Philip Stark, University of California, Berkeley, USA
Vanessa Teague, University of Melbourne, Australia
Jaideep Vaidya, Rutgers University, USA
Paulo Verissimo, University of Luxembourg, Luxembourg
Luca Viganò, King's College London, UK
Michael Waidner, TU Darmstadt, Germany
Cong Wang, City University of Hong Kong, China
Lingyu Wang, University of Concordia, Canada
Ting Yu, North Carolina State University, USA
Meng Yu, Virginia Commonwealth University, USA
Moti Yung, Google, USA
Jianying Zhou, Institute for Infocomm Research, Singapore
Sencun Zhu, Pennsylvania State University, USA

Contents – Part II

Privacy
FP-Block: Usable Web Privacy by Controlling Browser Fingerprinting. Christof Ferreira Torres, Hugo Jonker, and Sjouke Mauw
Mind-Reading: Privacy Attacks Exploiting Cross-App KeyEvent Injections. Wenrui Diao, Xiangyu Liu, Zhe Zhou, Kehuan Zhang, and Zhou Li. 20
Enabling Privacy-Assured Similarity Retrieval over Millions of Encrypted Records. Xingliang Yuan, Helei Cui, Xinyu Wang, and Cong Wang. 40
Privacy-Preserving Link Prediction in Decentralized Online Social Networks. Yao Zheng, Bing Wang, Wenjing Lou, and Y. Thomas Hou. 61
Privacy-Preserving Observation in Public Spaces. Florian Kerschbaum and Hoon Wei Lim. 81
Privacy-Preserving Context-Aware Recommender Systems: Analysis and New Solutions. Qiang Tang and Jun Wang. 101

Cloud Security
Rich Queries on Encrypted Data: Beyond Exact Matches. Sky Faber, Stanislaw Jarecki, Hugo Krawczyk, Quan Nguyen, Marcel Rosu, and Michael Steiner. 123
Extended Proxy-Assisted Approach: Achieving Revocable Fine-Grained Encryption of Cloud Data. Yanjiang Yang, Joseph K. Liu, Kaitai Liang, Kim-Kwang Raymond Choo, and Jianying Zhou. 146
Batch Verifiable Computation of Polynomials on Outsourced Data. Liang Feng Zhang and Reihaneh Safavi-Naini. 167
CloudBI: Practical Privacy-Preserving Outsourcing of Biometric Identification in the Cloud. Qian Wang, Shengshan Hu, Kui Ren, Meiqi He, Minxin Du, and Zhibo Wang. 186

L. Samarji et al.

4.3 Concurrent System Actions

In [12,13], SC was expanded to handle concurrency. A new sort concurrent is added. Every concurrent variable c is a set of concurrent simple actions a. The binary function do(c, s) returns a situation term
that results from the application of the concurrent actions c in situation s. Poss(a, s) is thus extended to Poss(c, s). Additionally, in a simultaneous-actions context, some actions cannot be performed concurrently. This is due to incompatibility between actions in terms of the resources that each action uses. As a solution, Pinto [12] proposed to add a finer level of granularity by appealing to the notion of resource: xres(a, r) means that the action a requires the exclusive use of the resource r, and sres(a, r) means that the action a requires the use of the resource r for its execution, but r can be shared. Finally, Poss(c, s) makes use of a conflict predicate conflict as a precondition in order to test compatibility between actions:

conflict(c) ↔ ∃a1, a2 ∈ c, ∃r | [(xres(a1, r) ∧ xres(a2, r)) ∨ (xres(a1, r) ∧ sres(a2, r)) ∨ (sres(a1, r) ∧ xres(a2, r))]

Poss(c, s) ↔ [∀a ∈ c, Poss(a, s)] ∧ ¬conflict(c)

Concurrent SC is thus efficient to avoid conflicts while designing a response.

4.4 Anticorrelation and Response in Situation Calculus

Let r and a be respectively a SC description of a system's action and an attack action. Anticorrelation between r and a, as presented in the corresponding Definition, is expressed in SC as follows:

anticorrelated(r, a, S) ↔ poss(r, S) ∧ ¬poss(a, do(r, S))

In SC, doing action r renders action a impossible to execute: r has made one of the predicates of a's precondition unfulfilled (i.e. false). Let C = [r1, r2, ..., rL] be a set of parallel system actions, and a an attack action. Anticorrelation between the concurrent action C and a, as presented in Definition 3, can be expressed in concurrent SC as follows:

anticorrelated(C, a, S) ↔ poss(C, S) ∧ ¬poss(a, do(C, S))

Now, let R* = [C0; C1; ...; Ck] be a complex action with Ci = [r1^i, ..., rl^i], and a an attack action. Anticorrelation between R* and a, as presented in Definition 4, can be expressed in concurrent SC as follows:

anticorrelated(R*, a, S) ↔ poss(R*, S) ∧ ¬poss(a, do(R*, S))

with

poss(R*, S) ↔ poss(C0, S) ∧ poss(C1, do(C0, S)) ∧ ... ∧ poss(Ck, do(Ck−1, (...(do(C0, S))...)))

Consequently, concurrent SC is adapted to model the anticorrelation of a complex action against a RiskySAS as defined earlier. A response (see Definition 6) can then be modeled in SC as follows:

response(R, RiskySAS, S) ↔ anticorrelated(R, RiskySAS, S) ∧ ∀Ct ∈ constraints, Ct(S)
// constraints can be modeled in SC as shown in [5]

On the Fly Design and Co-Simulation of Responses

At this stage of the paper, we have proposed a means to dynamically design a response against a set of simultaneous attack scenarios. Since multiple response possibilities may exist, we introduce in the next section the SC planning task that we use to propose a dynamic response co-simulator.

Planning in Situation Calculus

In [14], the author presented and implemented the world's simplest breadth-first planner (wspbf). wspbf is a SC planner for an agent who can perform concurrent or sequential actions. It is supplied with a goal predicate plannerGoal(s) to fulfill. Here is the Golog [10] program of the wspbf:

proc wspbf(n)
    plans(0, n)
endProc

proc plans(m, n)
    m ≤ n?; [actionSequence(m); plannerGoal? | plans(m+1, n)]
endProc

proc actionSequence(n)
    n = 0? | n > 0?; (πc)[concurrent_actions(c)?; c]; actionSequence(n−1)
endProc

The planner generates all sequences of concurrent actions c fulfilling the goal. It terminates with failure if it does not find a sequence of length smaller than or equal to n that fulfills the goal.

5.1 Dynamic Response Co-simulator Based on SC Planning

We generalize the wspbf to the case of a multi-agent system, where we have, on one hand, the system, which can perform, concurrently or sequentially, a set of actions, and on the other hand, the attack entities present in the SAG, which can perform individual or coordinated attacks. First, we integrate all the attacks that have been specified to generate the SAGs. Second, a network and a security expert are needed to specify and describe in SC all the elementary actions that the system can perform, considering the resource notion. Third, we integrate all the attack goals that have been specified to generate the SAGs. For instance, the following are two critical assets that may be considered attack goals in a system handling a voice over IP (VoIP) service:

Attack_Goal(Entity, S) → in_denial(Entity, VoIPserver, S) ∨ is_off(Entity, VoIPuser, S)
// meaning that an attack entity can reach an attack goal in situation S if, in S, it has succeeded in a denial of service over a VoIP server or a VoIP user

Fourth, we describe more specifically the attack goal that each attack entity has reached in the considered SAG. For example, if entity1 has overflowed a VoIP server, then:

goalreached(entity1, S) ↔ in_denial(entity1, VoIPserver, S)

Fifth, we specify in SC, for each attack entity appearing in the SAG, whether it is risky or not [16]. Besides, we specify for each risky entity its attack scenario. For instance, risky(entity1) ∧ riskySAS(entity1, scenario1), and ¬risky(entityM).

Finally, we configure the co-simulator goal so as to reach a situation where a response is designed based on the described system actions, and every risky entity is either (1) completely prevented from reaching her attack goal, or (2) forced to change her path and choose a more complex one before getting to her goal, thereby reducing her risk. Concerning non-risky entities, since they are not the prior concern of the system in the current situation, no response will be intentionally designed for them. Note that if a response is able to additionally block or reduce the risk of a non-risky entity, this is also considered a solution by our co-simulator. We model our co-simulator's goal as follows:

plannerGoal(S) → ∀ risky(EntityA), [riskBlocked(EntityA, S) ∨ riskReduced(EntityA, S)] ∧ ∀ ¬risky(EntityB), [riskBlocked(EntityB, S) ∨ riskReduced(EntityB, S) ∨ Attack_Goal(EntityB, S)]

with:

riskBlocked(Entity, do(R*, S)) → ∃Scenario / riskySAS(Entity, Scenario) ∧ response(R*, Scenario, S) ∨ riskBlocked(Entity, S)
// meaning that, due to the response R*, the attack entity was completely prevented from performing her attack scenario; thus the risk of this entity is totally blocked

riskReduced(Entity, S) → goalReached(Entity, S) ∧ privilegesLoss(Entity, S)

privilegesLoss(Entity, do(C, S)) → [∃Predicate, ∃Object / Predicate(Entity, Object, S) ∧ ¬Predicate(Entity, Object, do(C, S))] ∨ privilegesLoss(Entity, S)
// meaning that, due to some system actions C making part of the response, the attack entity has lost one of its privileges; consequently the entity will need more effort, and thus more time, to progress in its scenario, hence the risk of this entity will decrease

Our response co-simulator generates an exhaustive list of all the response possibilities that can be designed against the risky threats, co-simulating, for each response, the potential behavior of the attackers in the face of this response and the side effects that the latter can have on the system. Note that each of the generated responses appears within a response plan. A response plan is a sequence of parallel actions. Each action can be either an attack or a system action. Actions in sequence are ordered in time, thereby an administrator knows when to execute each system action making part of the response.

Experimentation

We implemented our response co-simulator using a Prolog interpreter, SWI-Prolog (http://www.swi-prolog.org/). Then, we considered two different use cases for experimentation. In the first, we highlight the capability of our framework in generating responses handling sequencing and parallelism, and in simulating the responses' side effects. In the second experimentation, we highlight the efficiency of our framework in managing the conflict between actions.

6.1 Use Case 1

In Use case 1, we consider two simultaneous threats led by two attack entities (A1 and A2), as shown in the SAG of Fig. In the initial system state, A1 has already infected machine M1 and actively scanned user U. In parallel, A2 has already infected machine M2, which belongs with M1 to the same Ethernet network (machines are reachable via Switch12). It is predicted for A1 to crack the password of U's account and hijack it in order to commit a toll fraud, which induces economic losses to U. Besides, a likely scenario for A2 is predicted, starting by discovering M1 and then poisoning it with ARP messages, in order to spoof its address later on and make calls or inject packets as if they were sent by M1.

In a first experimentation, we consider that both threats are risky. Thus, our planner derives response plans for both of them. The following sequences are some of the response plans proposed by our planner.

First experimentation, Response plan 1:
t1: [passCrack(A1, server, u), discovermacaddress(A2, M2, M1)];
t2: [notifychangepassword(u, server), deployAuthentication(Switch12)];
t3: [passCrack(A1, server, u)];
t4: [highjack(A1, u, server)];
t5: [tollFraud(A1, u)]

Plan 1, presented in the graph of Fig. 4, designs a response R2 against both threats as parallel system actions. The first notifies U to change his password, and the second deploys an authentication on Switch12. Due to changing U's password, A1 is no longer able to hijack U's account. Thus A1 has to re-execute a password cracking in order to continue its scenario. R2 is considered a response against A1 because it delays A1 from reaching its attack goal, thereby reducing its risk. Due to deploying authentication on Switch12, A2 will not be able to poison M1 with ARP messages. Thus, it will not be able to reach its attack goal.

First experimentation, Response plan 2:
t1: [disconnect(M1)];
t2: [install(SecurityPatch, M1)];
t3: [connect(M1)];
t4: [discovermacaddress(A2, M2, M1)];
t5: [arppoisoning(A2, M2, M1)];
t6: [injectRTPpackets(A2, M2, M1)]

Plan 2, presented in the graph of Fig. 5, designs a response R1 against both threats as a sequence of system actions. The response consists in patching the vulnerability in M1, thereby prohibiting A1 from having remote access to this machine. By disconnecting M1 in order to patch it, A2 will not be able to discover the MAC address of M1. Consequently A2 will have to wait until M1 is reconnected to the network in order to continue its scenario. Hence, R1 blocks A1 completely and reduces the risk of A2.

In a second experimentation, we now consider that A1 is a risky threat, whereas A2 is not risky yet. Hence, we configure the planner's goal to respond against A1. The following is one of the solutions proposed by our planner.

Second experimentation, Response plan 1:
t1: [passCrack(A1, server, u), discovermacaddress(A2, M2, M1)];
t2: [disconnect(M1)];
t3: [install(SecurityPatch, M1), injectRTPpackets(A2, M2, M1)];
t4: [connect(M1)]

The above sequence, presented in the graph of Fig. 6, designs a response R3 against threat A1. R3 consists in patching the vulnerability of M1, thereby blocking A1. Note that R3 is composed of the same actions as R1; the only difference is that they do not have the same activation time. By launching R3, and thus disconnecting M1, after A2 has discovered the address of M1, A2 no longer needs to perform ARP poisoning. Indeed, disconnecting a machine is like inducing a denial of service on this machine. Consequently, A2 can directly spoof the address of M1 and fulfill its attack objective. Consequently, R3 has a side effect on the system by increasing the risk of threat A2. As you may notice, our framework is able to co-simulate the effects of each response on the system considering its activation time, thereby allowing the system to choose the response plan bringing the highest risk mitigation.

Fig. SAG: System threatened by two attack entities A1 and A2
Fig. Response against A1 and A2, designed as parallel actions
Fig. Response against A1 and A2, designed as a sequence of actions
Fig. Response against A1, having side effects on A2

6.2 Use Case 2

In Use case 2, we consider a system running a VoIP service and a Trading service, as shown in Fig. For clients {cV1, cV2, ..., cV10} subscribed to VoIP, a password-based authentication using PAP (password authentication protocol) is considered and handled by a RADIUS server. For clients {cT1, cT2, ..., cT8} subscribed to the Trading service, a strong authentication (e.g. multi-factor authentication, Digest access authentication, etc.) is adopted and handled by a Strong Authentication Server (SAS). SAS is suffering from a zero-day vulnerability (e.g. Heartbleed¹). Besides, in the initial system state, clients {cV1, ..., cV5} and cT are compromised. The graph of Fig. forecasts two different risky threats T1 and T2 led by these two attack entities. In T1, a coordinated password cracking attack scenario is predicted over cV8's account. In T2, cT will try to exploit the vulnerability of SAS and prevent other traders from connecting to the trading service. The following is the attack sequence corresponding to the graph:

t1: [botinfect(a1, cV1), ..., botinfect(a5, cV5), scanVulnerability(cT1, fw2)];
t2: [cscanuser((cV1, ..., cV5), cV8), modifyAccessRules(cT1, fw2)];
t3: [cpassCrack((cV1, ..., cV5), sV1, cV8), scanserver(cT1, sas)];
t4: [highjack(cV1, sV1, cV8), exploitVulnerability(cT1, sas)]

Fig. Multi-services system topology

In order to prevent T1, a solution would be to adapt the strong authentication to the VoIP service. To do so, the database containing information (passwords, accounts, etc.) about VoIP clients should be transferred to server SAS. Thus, r1 = transferData(sV1, SAS) is anticorrelated with cpassCrack((cV1, ..., cV5), sV1, cV8). Another solution would be to notify cV to change his password before cV hijacks his account. Thus, action r3 = changePassword(sV1, cV8) is anticorrelated with highjack(cV1, cV8, sV1). In order to prevent T2, a solution would be to disconnect SAS in order to install security patches or a new software version (e.g. OpenSSL 1.0.1g) to patch the vulnerability. Thus, action r2 = installPatch(sas) is anticorrelated with exploitVulnerability(cT1, sas). Another solution would be to discard or blacklist the malicious trader for a while. Thus, r4 = discard(cT1) is anticorrelated with all actions executed by cT.

¹ http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed7000028166/

A naive solution to respond to both threats would be to choose any combination [ri, rj], with i an even number and j an odd number. However, r1 and r2 are in conflict. Actually, installing the security patch requires disconnecting sas from the network, whereas transferring data to sas requires the latter to stay online. Consequently, our framework prevents the execution of these two actions in parallel by appealing to the notion of resource: xres(r2, sas) ∧ sres(r1, sas). Thus, conflict([r1, r2]) returns true, and Poss([r1, r2], S) returns false. Our planner thus avoids conflicting actions while designing the response plans.

Response Plan presented in Fig. integrates r3 and r2:
t1: [botinfect(a1, cV1), ..., botinfect(a5, cV5), scanVulnerability(cT1, fw2), disconnect(sas)];
t2: [cscanuser((cV1, ..., cV5), cV8), modifyAccessRules(cT1, fw2), installPatch(sas)];
t3: [cpassCrack((cV1, ..., cV5), sV1, cV8), restart(sas)];
t4: [changePassword(cV1, cV8), scanserver(cT1, sas)];
t5: [cpassCrack((cV1, ..., cV5), sV1, cV8)];
t6: [highjack(cV1, cV8, sV1)]
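The following is an added example, written in Python for this page; it is not the paper's SWI-Prolog implementation. It puts Sections 4.3, 4.4 and 5 to work on a constructed miniature of Use Case 2: resources declared with xres/sres, the conflict predicate, Poss(c, s) and do(c, s) for concurrent actions, anticorrelation of simple, concurrent and complex actions, and a wspbf-style breadth-first planner over conflict-free sets of system actions. All fluent names, preconditions and effects are assumptions made for the example; installPatch(sas) stands in for the paper's disconnect/installPatch/restart steps and is modelled as needing sas exclusively, while transferData needs sas online but shared.

```python
"""Added example (not the paper's code): resource-aware concurrent actions, the
conflict predicate, anticorrelation and a wspbf-style breadth-first planner."""
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, FrozenSet, Iterable, List, Optional

Situation = FrozenSet[str]   # a situation is represented by the set of fluents that hold

@dataclass(frozen=True)
class Action:
    name: str
    pre: FrozenSet[str] = frozenset()       # fluents that must hold for Poss
    pre_not: FrozenSet[str] = frozenset()   # fluents that must not hold for Poss
    add: FrozenSet[str] = frozenset()       # effects: fluents made true by do()
    delete: FrozenSet[str] = frozenset()    # effects: fluents made false by do()
    xres: FrozenSet[str] = frozenset()      # xres(a, r): r is needed exclusively
    sres: FrozenSet[str] = frozenset()      # sres(a, r): r is needed but shareable

def act(name: str, **fields: Iterable[str]) -> Action:
    return Action(name, **{k: frozenset(v) for k, v in fields.items()})

def poss_simple(a: Action, s: Situation) -> bool:
    """Poss(a, s) of a simple action: its precondition holds in s."""
    return a.pre <= s and not (a.pre_not & s)

def conflict(c: Iterable[Action]) -> bool:
    """conflict(c): two distinct actions of c use a common resource and at least
    one of them needs it exclusively (the three xres/sres cases of Sect. 4.3)."""
    return any((a1.xres & (a2.xres | a2.sres)) or (a1.sres & a2.xres)
               for a1, a2 in combinations(c, 2))

def poss(c: Iterable[Action], s: Situation) -> bool:
    """Poss(c, s): every member of the concurrent action c is possible and c is conflict-free."""
    c = list(c)
    return all(poss_simple(a, s) for a in c) and not conflict(c)

def do(c: Iterable[Action], s: Situation) -> Situation:
    """do(c, s): the situation reached by executing the concurrent action c in s."""
    c = list(c)
    return (s - frozenset().union(*(a.delete for a in c))) | frozenset().union(*(a.add for a in c))

def run(rstar: List[List[Action]], s: Situation) -> Optional[Situation]:
    """do(R*, S) for a complex action R* = [C0; ...; Ck], or None when poss(R*, S) fails."""
    for c in rstar:
        if not poss(c, s):
            return None
        s = do(c, s)
    return s

def anticorrelated(rstar: List[List[Action]], a: Action, s: Situation) -> bool:
    """anticorrelated(R*, a, S) <-> poss(R*, S) and not poss(a, do(R*, S)).
    A simple action r is the one-step case [[r]]; a concurrent action C is [C]."""
    s1 = run(rstar, s)
    return s1 is not None and not poss_simple(a, s1)

def wspbf(actions: List[Action], goal: Callable[[Situation], bool],
          s0: Situation, n: int) -> List[List[List[Action]]]:
    """Breadth-first search in the spirit of wspbf: every sequence of at most n
    conflict-free concurrent actions (non-empty subsets of `actions`) whose final
    situation satisfies goal, shortest plans first."""
    subsets = [list(c) for k in range(1, len(actions) + 1) for c in combinations(actions, k)]
    level = [([], s0)]            # every (plan, situation) pair of the current length
    found = []
    for m in range(n + 1):
        found += [plan for plan, s in level if goal(s)]
        if m < n:
            level = [(plan + [c], do(c, s)) for plan, s in level for c in subsets if poss(c, s)]
    return found

# Constructed miniature of Use Case 2 (all fluent names are assumptions).
# installPatch(sas) stands for the paper's disconnect/installPatch/restart steps:
# it needs sas exclusively, whereas transferData only needs sas online and shared.
R1 = act("transferData(sV1,sas)", pre={"online(sas)", "online(sV1)"}, add={"strongAuth(sV1)"}, sres={"sas"})
R2 = act("installPatch(sas)", pre={"vulnerable(sas)"}, delete={"vulnerable(sas)"}, xres={"sas"})
R3 = act("changePassword(sV1,cV8)", pre={"online(sV1)"}, delete={"cracked(cV8)"}, sres={"sV1"})
R4 = act("discard(cT1)", add={"discarded(cT1)"})
SYSTEM = [R1, R2, R3, R4]
# next attack steps of T1 (coordinated cracking of cV8's account) and T2 (exploit on sas)
CPASSCRACK = act("cpassCrack((cV1..cV5),sV1,cV8)", pre={"online(sV1)", "scanned(cV8)"},
                 pre_not={"strongAuth(sV1)"}, add={"cracked(cV8)"})
HIGHJACK = act("highjack(cV1,cV8,sV1)", pre={"cracked(cV8)", "online(sV1)"}, add={"hijacked(cV8)"})
EXPLOIT = act("exploitVulnerability(cT1,sas)", pre={"vulnerable(sas)", "online(sas)"},
              pre_not={"discarded(cT1)"}, add={"in_denial(sas)"})
S0: Situation = frozenset({"online(sas)", "online(sV1)", "vulnerable(sas)", "scanned(cV8)"})

def both_threats_blocked(s: Situation) -> bool:
    """plannerGoal: the next step of each risky scenario is no longer possible."""
    return not poss_simple(CPASSCRACK, s) and not poss_simple(EXPLOIT, s)

def response_plans(n: int) -> List[List[List[str]]]:
    """Action names of every response plan of at most n steps found by wspbf."""
    return [[[a.name for a in c] for c in plan] for plan in wspbf(SYSTEM, both_threats_blocked, S0, n)]

if __name__ == "__main__":
    print("conflict([r1, r2]):", conflict([R1, R2]), "Poss([r1, r2], S0):", poss([R1, R2], S0))
    print("r2 anticorrelated with exploitVulnerability:", anticorrelated([[R2]], EXPLOIT, S0))
    for plan in response_plans(1):
        print("one-step response plan:", plan)
```

Run as a script, the block reports that conflict([r1, r2]) holds and Poss([r1, r2], S0) fails, that r2 is anticorrelated with exploitVulnerability(cT1, sas), and that the only one-step plans blocking both threats combine r1 with r4 (with or without r3), which is the combination of the plan in Fig. 10; [r1, r2] never appears in one step because Poss rejects it. With n = 2 the planner also returns sequential plans such as [r2] followed by [r1], which is the ordering a resource conflict forces on a patch and a data transfer that both touch sas.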
Response Plan presented in Fig. 10 integrates r1 and r4:
t1: [botinfect(a1, cV1), ..., botinfect(a5, cV5), scanVulnerability(cT1, fw2)];
t2: [cscanuser((cV1, ..., cV5), cV8), transferData(sV1, sas), discard(cT1)]

Fig. SAG for the multi-services system
Fig. Response Plan
Fig. 10 Response Plan

Related Work

Stakhanova et al. [17] proposed a response selection mechanism that can be based on (i) a static mapping, (ii) a dynamic mapping, or (iii) a cost-sensitive mapping. As opposed to static mapping, in dynamic mapping the countermeasure is determined in real time by considering additional factors related to the attack occurrence (e.g. attack confidence, attack severity, past experience). Cost-sensitive response systems can be viewed as a particular form of dynamic mapping. In such response systems, the selection procedure considers mainly the impact of the attack on the monitored system and the cost of candidate countermeasures. Kanoun et al. [9] highlighted that existing taxonomies do not consider the deactivation phase of a response. They proposed a novel temporal response taxonomy using set theory. Their taxonomy addresses the lifetime and the deactivation aspects of response measures, distinguishing two major classes of countermeasures: one-shot and sustainable. Thus, response measures can be classified with respect to their effectiveness, lifetime, defeasibility, etc. Unfortunately, most of the existing response taxonomies are based on a matching between a threat and a predefined response. Hence, an expert is needed to, first, understand and reason about each threat, and then specify the response policy, in advance, for every threat. Besides, the potential conflicts between simultaneous responses, and the potential side effects of responses on the system, are not considered. In [3], different types of conflict between responses are described, and a solution to avoid the conflict was proposed. The latter consists in performing, offline, a static assignment of priorities over conflicting responses. However, conflicts between responses may depend on the current system's state and the dynamic allocation of resources. Thus, the conflict should be handled dynamically. In [6], the authors introduced a structured approach to evaluate a Return On Response Investment (RORI) index for all possible combinations of security measures that can be launched against simultaneous threats. In this work, the security measures corresponding to each threat are designed by an expert in advance. Moreover, the risk mitigation for combined countermeasures is calculated by adding the effectiveness of the countermeasures over the different surfaces they cover. An attack surface is defined as the subset of the system's resources that an attacker may use to send/receive data into/from the system in order to attack the system. Thus, the effectiveness of a combination of responses, and hence its risk mitigation, is restricted to the threats for which these responses are considered. However, a proper risk mitigation should be calculated over the totality of the ongoing threats, including not yet risky ones.

Conclusion

In this paper, we proposed a new response scheme for simultaneous threats, as a sequence of non-conflicting parallel actions. Our response is dynamically designed based on a new definition of capability-aware logic anticorrelation, and modeled using the Situation Calculus language. The latter is efficient to describe conflicts between parallel actions by appealing to the notion of resource. Moreover, in order to choose the most effective response when multiple responses are possible, we presented a co-simulator based on SC planning capabilities. The latter co-simulates each response possibility separately, considering the system's state and the currently existing attack entities. Our framework is implemented in SWI-Prolog, and experimentations were led to reveal the benefits of our solution. In the future, we intend to assess the risk mitigation and the return on investment of each response plan in order to activate the most efficient one.

References

1. Boutilier, C., Brafman, R.I.: Partial-order planning with concurrent interacting actions. J. Artif. Int. Res. 14(1), 105–136 (2001)
2. Cuppens, F., Autrel, F., Bouzida, Y., Garcia, J., Gombault, S., Sans, T.: Anticorrelation as a criterion to select appropriate counter-measures in an intrusion detection network (2006)
3. Cuppens, F., Cuppens-Boulahia, N., Bouzida, Y., Kanoun, W., Croissant, A.: Expression and deployment of reaction policies. In: IEEE International Conference on Signal Image Technology and Internet Based Systems, SITIS 2008, pp. 118–127, November 2008
4. Cuppens, F., Ortalo, R.: LAMBDA: a language to model a database for detection of attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)
5. Essaouini, N., Cuppens, F., Cuppens-Boulahia, N., Abou El Kalam, A.: Specifying and enforcing constraints in dynamic access control policies. In: 2014 Twelfth Annual International Conference on Privacy, Security and Trust (PST), pp. 290–297. IEEE (2014)
6. Gonzalez Granadillo, G., Belhaouane, M., Debar, H., Jacob, G.: RORI-based countermeasure selection using the OrBAC formalism. Int. J. Inf. Secur. 13(1), 63–79 (2014)
7. Irvine, C., Levin, T.: Toward a taxonomy and costing method for security services. In: Proceedings of the 15th Annual Computer Security Applications Conference, ACSAC 1999, pp. 183–188. IEEE Computer Society, Washington, DC (1999)
8. Jr., C.C., Pooch, U.W.: An intrusion response taxonomy and its role in automatic intrusion response. In: The 2000 IEEE Workshop on Information Assurance and Security (2000)
9. Kanoun, W., Samarji, L., Cuppens-Boulahia, N., Dubus, S., Cuppens, F.: Towards a temporal response taxonomy. In: Di Pietro, R., Herranz, J., Damiani, E., State, R. (eds.) DPM 2012 and SETOP 2012. LNCS, vol. 7731, pp. 318–331. Springer, Heidelberg (2013)
10. Levesque, H.J., Reiter, R., Lespérance, Y., Lin, F., Scherl, R.B.: Golog: a logic programming language for dynamic domains (1994)
11. McCarthy, J., Hayes, P.J.: Some philosophical problems from the standpoint of artificial intelligence. In: Machine Intelligence, vol. (1969)
12. Pinto, J.A.: Temporal reasoning in the situation calculus (1994)
13. Reiter, R.: Natural actions, concurrency and continuous time in the situation calculus. In: Aiello, L.C., Doyle, J., Shapiro, S.C. (eds.) KR, pp. 2–13. Morgan Kaufmann, San Francisco (1996)
14. Reiter, R.: Knowledge in Action: Logical Foundations for Specifying and Implementing Dynamical Systems. The MIT Press, Massachusetts, Illustrated edition (2001)
15. Samarji, L., Cuppens, F., Cuppens-Boulahia, N., Kanoun, W., Dubus, S.: Situation calculus and graph based defensive modeling of simultaneous attacks. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds.) CSS 2013. LNCS, vol. 8300, pp. 132–150. Springer, Heidelberg (2013)
16. Samarji, L., Cuppens-Boulahia, N., Cuppens, F., Kanoun, W., Papillon, S., Dubus, S.: Liccas: assessing the likelihood of individual, coordinated, and concurrent attack scenarios. In: Security and Privacy in Communication Networks (2014)
17. Stakhanova, N., Basu, S., Wong, J.: A cost-sensitive model for preemptive intrusion response systems. In: Proceedings of the 21st International Conference on Advanced Networking and Applications, AINA 2007, pp. 428–435. IEEE Computer Society, Washington, DC (2007)
18. Templeton, S.J., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings of the 2000 Workshop on New Security Paradigms, NSPW 2000, pp. 31–38. ACM, New York (2000)
19. Wang, H., Wang, G., Lan, Y., Wang, K., Liu, D.: A new automatic intrusion response taxonomy and its application. In: Shen, H.T., Li, J., Li, M., Ni, J., Wang, W. (eds.)
APWeb Workshops 2006 LNCS, vol 3842, pp 999–1003 Springer, Heidelberg (2006) 20 Zhou, C.V., Leckie, C., Karunasekera, S.: A survey of coordinated attacks and collaborative intrusion detection Comput Secur 29(1), 124–140 (2010) Author Index Akram, Raja Naeem II-541 Al-Ameen, Mahdi Nasrullah II-438 Almousa, Omar II-209 Avoine, Gildas I-165 Backes, Michael I-125 Barenghi, Alessandro I-429 Beaumont, Paul I-521 Benhamouda, Fabrice I-305 Bidner, David I-108 Blanton, Marina I-384 Bootle, Jonathan I-243 Cao, Zhenfu II-270 Carpent, Xavier I-165 Cerulli, Andrea I-243 Chaidos, Pyrros I-243 Chari, Suresh N II-396 Chen, Liqun I-347 Chen, Ping I-69 Chen, Xiaofeng II-252 Chfouka, Hind I-90 Choo, Kim-Kwang Raymond II-146 Chrétien, Rémy II-230 Chua, Tong-Wei II-355 Chua, Zheng Leong II-312 Clarkson, Michael R II-520 Cortier, Véronique II-230 Cui, Helei II-40 Cuppens, Frédéric II-642 Cuppens-Boulahia, Nora II-642 Dam, Mads I-90 Decker, Christian II-561 Delaune, Stéphanie II-230 Deng, Robert H I-286, I-366 Di Federico, Alessandro I-429 Diao, Wenrui II-20 Ding, Xuhua I-366 Dong, Xiaolei II-270 Du, Minxin II-186 Du, Shaoyong II-417 Dubus, Samuel II-642 Ekdahl, Patrik I-90 Evans, Neil I-521 Faber, Sky II-123 Fatema, Kanis II-438 Fett, Daniel I-43 Fetter-Degges, Jonathan II-520 Foster, Jeffrey S II-520 Garcia-Morchon, Oscar I-224 Gates, Chris II-396 Ge, Yijie I-468 Ghadafi, Essam I-243 Grossklags, Jens I-483 Groth, Jens I-243 Gruhn, Michael II-376 Gruss, Daniel I-108 Gu, Dawu I-468 Guan, Chaowen I-203 Guanciale, Roberto I-90 Guo, Zheng I-468 Guthrie, James II-561 Hanser, Christian I-146 Hao, Feng I-347 Hassanshahi, Behnaz II-577 He, Meiqi II-186 Heiderich, Mario I-23 Hou, Y Thomas II-61 Hu, Chengyu I-266 Hu, Hong II-312 Hu, Shengshan II-186 Hua, Jingyu II-417 Huth, Michael I-521 Jager, Tibor I-407 Jarecki, Stanislaw II-123 Jeon, Jinseong II-520 Jia, Yaoqi II-577 Jonker, Hugo II-3 Kanoun, Waël II-642 Kerschbaum, Florian I-203, II-81 664 Author Index Kiayias, Aggelos I-326 Krawczyk, Hugo 
II-123 Krenn, Stephan I-305 Küsters, Ralf I-43 Laszka, Aron I-483 Lauradoux, Cédric I-165 Li, Ninghi II-396 Li, Ximeng II-500 Li, Yingjiu I-286 Li, Zhou II-20 Liang, Kaitai II-146 Liang, Zhenkai II-312, II-577 Ligatti, Jay II-481 Lim, Hoon Wei II-81 Lin, Jingqiang II-332 Lin, Zhiqiang I-69 Liu, Joseph K I-347, II-146 Liu, Junrong I-468 Liu, Peng I-69 Liu, Shengli I-286 Liu, Xiangyu II-20 Lo, Swee-Won I-366 Lou, Wenjing II-61 Luo, Xiapu II-293 Lyubashevsky, Vadim I-305 Mangard, Stefan I-108 Mantel, Heiko I-447 Mao, Bing I-69 Markantonakis, Konstantinos II-541 Mauw, Sjouke II-3 Mayes, Keith II-541 Micinski, Kristopher II-520 Minematsu, Kazuhiko I-185 Mödersheim, Sebastian II-209 Modesti, Paolo II-209 Mohammadi, Esfandiar I-125 Molloy, Ian M II-396 Mühlberg, Jan Tobias I-503 Mukhopadhyay, Dibya II-599 Müller, Tilo II-376 Nemati, Hamed I-90 Nguyen, Quan II-123 Nielson, Flemming II-500 Nielson, Hanne Riis II-500 Niemietz, Marcus I-23 Ning, Jianting II-270 Noorman, Job I-503 Papillon, Serge II-642 Park, Youngja II-396 Peeters, Roel II-622 Pelosi, Gerardo I-429 Petit, Christophe I-243 Phuong, Tran Viet Xuan II-252 Piessens, Frank I-503 Pietrzak, Krzysztof I-305 Plant, Tom I-521 Pulls, Tobias II-622 Qin, Baodong I-286 Rabkin, Max I-146 Ray, Donald II-481 Ren, Kui I-203, II-186 Rietman, Ronald I-224 Rosu, Marcel II-123 Ruffing, Tim I-125 Safavi-Naini, Reihaneh II-167 Samarji, Léa II-642 Sanfilippo, Stefano I-429 Saraph, Siddharth I-384 Saxena, Nitesh II-599 Saxena, Prateek II-312, II-577 Schmitz, Guido I-43 Schröder, Dominique I-146 Schwenk, Jörg I-23, I-407 Scielzo, Shannon II-438 Seidel, Jochen II-561 Seitzer, Maximilian II-376 Sharma, Sahil I-224 Shirvanian, Maliheh II-599 Shulman, Haya I-3 Somorovsky, Juraj I-407 Standaert, Franỗois-Xavier I-468 Starostin, Artem I-447 Steiner, Michael II-123 Sufatrio, II-355 Sun, Wei I-468 Susilo, Willy II-252 Tan, Darell J.J II-355 Tang, Qiang I-326, II-101 Thing, Vrizlynn L.L II-355 Tolhuizen, Ludo I-224 Torre-Arce, Jose Luis I-224 
Torres, Christof Ferreira II-3 Author Index Viganò, Luca II-209 Waidner, Michael I-3 Wang, Bing II-61 Wang, Cong II-40 Wang, Ding II-456 Wang, Jun II-101 Wang, Ping II-456 Wang, Qian II-186 Wang, Wei II-332 Wang, Xinyu II-40 Wang, Ze II-332 Wang, Zhan II-332 Wang, Zhibo II-186 Wattenhofer, Roger II-561 Wei, Lifei II-270 Wei, Zhuo I-366 Wright, Matthew II-438 Xia, Luning II-332 Xie, Xinjun I-468 Xu, Dongyan I-69 Xu, Jun I-69 Xu, Qiuliang I-266 Xu, Zenglin II-396 Yang, Guomin II-252 Yang, Rupeng I-266 Yang, Yanjiang II-146 Yap, Roland H.C II-577 Yi, Xun I-347 Yin, Haoyang II-293 Yu, Jia I-203 Yu, Yu I-468 Yu, Zuoxia I-266 Yuan, Xingliang II-40 Zhang, Fangguo I-203 Zhang, Kehuan II-20 Zhang, Liang Feng II-167 Zhang, Rui I-266 Zhang, Yueqian II-293 Zheng, Yao II-61 Zhong, Sheng II-417 Zhou, Jianying II-146 Zhou, Yongbin I-266 Zhou, Zhe II-20 665 ... Edgar Weippl (Eds.) • Computer Security – ESORICS 2015 20th European Symposium on Research in Computer Security Vienna, Austria, September 21–25, 2015 Proceedings, Part II 123 Editors Günther... Analytics 46.6 % c Springer International Publishing Switzerland 2015 G Pernul et al (Eds.): ESORICS 2015, Part II, LNCS 9327, pp 3–19, 2015 DOI: 10.1007/978-3-319-24177-7 C.F Torres et al The embedding... Switzerland is part of Springer Science+Business Media (www.springer.com) Foreword It is our great pleasure to welcome you to the 20th European Symposium on Research in Computer Security (ESORICS 2015)
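The response scheme summarised in the Conclusion above (a plan as a sequence of non-conflicting parallel actions, conflicts derived from the resources the actions hold, and a co-simulator that scores each candidate against the current state and all ongoing threats) can be illustrated with the following added example. It is not the paper's SWI-Prolog implementation nor its Situation Calculus model, but a small Python stand-in: every response name, resource name, threat and risk value below is constructed sample data, the greedy step construction and the "residual exposure" score are the example's own simplifications, and the threat T4 that no response covers is included to show why mitigation must be scored over the totality of ongoing threats rather than only over those the responses were designed for.

```python
"""Added illustration (not the paper's code): response plans as sequences of
non-conflicting parallel actions, conflicts derived from shared exclusive
resources, and a co-simulation that scores each candidate plan against ALL
ongoing threats.  All names and numbers are constructed sample data."""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Response:
    name: str
    resources: FrozenSet[str]                 # held exclusively while the action runs
    mitigates: Tuple[Tuple[str, float], ...]  # (threat id, risk reduction) pairs


def conflict(a: Response, b: Response) -> bool:
    """Two responses cannot run in the same parallel step when they need the
    same exclusive resource (a resource-based notion of conflict)."""
    return bool(a.resources & b.resources)


def parallel_steps(actions: List[Response], available: FrozenSet[str]):
    """Greedily build a plan: each step is a set of pairwise non-conflicting
    actions; resources are released when the step ends.  Actions whose
    resources are not available in the current system state are rejected,
    so the same action list yields different plans in different states."""
    executable = [a for a in actions if a.resources <= available]
    rejected = [a.name for a in actions if not a.resources <= available]
    plan: List[List[Response]] = []
    pending = executable
    while pending:
        step, held = [], set()
        for a in pending:
            if not (a.resources & held):
                step.append(a)
                held |= a.resources
        pending = [a for a in pending if a not in step]
        plan.append(step)
    return plan, rejected


def cosimulate(plan: List[List[Response]], threats: Dict[str, float]) -> float:
    """Apply the plan step by step to a copy of the threat risks.  Each step
    takes one tick; the score sums the risk still present after every tick
    over ALL ongoing threats, including those no response covers, so plans
    that neutralise high-risk threats early score lower (better)."""
    risk = dict(threats)
    exposure = 0.0
    for step in plan:
        for a in step:
            for threat, reduction in a.mitigates:
                if threat in risk:
                    risk[threat] = max(0.0, risk[threat] - reduction)
        exposure += sum(risk.values())
    return exposure


def best_plan(actions: List[Response], available: FrozenSet[str],
              threats: Dict[str, float]):
    """Co-simulate every ordering of the candidate actions separately and
    return (score, plan) for the one with the lowest residual exposure."""
    best = None
    for order in permutations(actions):
        plan, _ = parallel_steps(list(order), available)
        score = cosimulate(plan, threats)
        if best is None or score < best[0]:
            best = (score, plan)
    return best


# Constructed sample: three threats the responses address plus one (T4) that
# none of them covers.  Risk values are arbitrary units.
THREATS = {"T1_scan": 2.0, "T2_bruteforce": 5.0,
           "T3_exfiltration": 8.0, "T4_malware": 1.0}
BLOCK_IP = Response("block_ip", frozenset({"firewall"}),
                    (("T2_bruteforce", 3.0), ("T1_scan", 2.0)))
ISOLATE = Response("isolate_host", frozenset({"switch_port", "host_h1"}),
                   (("T3_exfiltration", 6.0),))
REIMAGE = Response("reimage_host", frozenset({"host_h1"}),
                   (("T3_exfiltration", 8.0),))
RESET_PW = Response("reset_password", frozenset({"ldap"}),
                    (("T2_bruteforce", 2.0),))
ACTIONS = [BLOCK_IP, ISOLATE, REIMAGE, RESET_PW]
ALL_RESOURCES = frozenset({"firewall", "switch_port", "host_h1", "ldap"})

if __name__ == "__main__":
    plan, rejected = parallel_steps(ACTIONS, ALL_RESOURCES)
    print("plan:", [[a.name for a in s] for s in plan], "rejected:", rejected)
    print("exposure:", cosimulate(plan, THREATS))
    score, best = best_plan(ACTIONS, ALL_RESOURCES, THREATS)
    print("best:", score, [[a.name for a in s] for s in best])
```

In the sample state, isolate_host and reimage_host both need host_h1 and are therefore never placed in the same step; the co-simulator prefers the ordering that reimages first because it removes the highest risk in the first tick, and the uncovered threat T4 keeps contributing to every plan's score. Removing "ldap" from the available resources rejects reset_password up front, which is the state-dependent part of the conflict handling.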