Policy-Based Vulnerability Assessment for Virtual Organisations

  • Jan Muhammad
  • Thomas Doherty
  • Sardar Hussain
  • Richard Sinnott
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7672)


E-Infrastructures can be used to support e-Science and e-Research, allowing collaborators from disparate organisations, often from different disciplines and using heterogeneous software and hardware, to work together on common research problems. This is typically achieved through the formation of targeted Virtual Organisations (VOs). Inter-organisational collaboration also brings security challenges that must be overcome. There has been much work on e-Research security at the middleware level, but far less on ensuring that middleware-oriented security is not rendered redundant by weaknesses in the underlying hardware and software (the fabric) upon which that middleware depends, e.g. the operating systems, network configurations and core software required to support e-Research solutions. To tackle this, an integrated security framework is needed that is cognisant of VO requirements on e-Research middleware-oriented security and incorporates targeted fabric-level security. In this paper we present an integrated architecture (ACVAS) that encompasses VO-specific fabric security, including configuration-aware security monitoring (patch status monitoring), vulnerability scanning and subsequent updating. We show how tool support can be used to pre-emptively identify and assess potential vulnerabilities in a VO before they are exploited. We also outline how these vulnerabilities can be dynamically remediated to meet the needs of the VO and its associated e-Infrastructure, improving overall VO security.
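As an added illustration, not code from the paper or from the ACVAS system, the following Python script shows the core of a policy-based patch status check of the kind the abstract describes: a VO policy listing the package versions in which known weaknesses were fixed is evaluated against per-host package inventories using an RPM-style version comparison, and hosts that fall below the required version, or that report no data for a policed package, are flagged. The VO name, the advisory identifiers, the policy entries and the host inventory are constructed placeholders rather than real advisories, and the remediation commands assume yum-managed hosts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A version string is split into alternating numeric and alphabetic segments,
# in the spirit of rpmvercmp. Tilde/caret pre-release handling is omitted.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (rpmvercmp-style)."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:                    # both numeric: compare as integers
            return (int(x) > int(y)) - (int(x) < int(y))
        if x_num != y_num:                     # numeric segment is newer than alpha
            return 1 if x_num else -1
        return (x > y) - (x < y)               # both alpha: lexical
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    version, release = (evr.rsplit("-", 1) + [""])[:2] if "-" in evr else (evr, "")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two epoch:version-release strings; epoch dominates, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return compare_versions(va, vb) or compare_versions(ra, rb)


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: Optional[str]   # None when the host reported nothing for this package
    fixed_in: str
    advisory: str
    severity: str
    status: str                # "vulnerable" or "unknown"


# Constructed VO policy: each rule names the first package release that carries the fix.
# Advisory identifiers are placeholders, not real CVE or vendor advisory numbers.
POLICY = {
    "vo": "example-vo",
    "rules": [
        {"package": "openssl", "fixed_in": "1.0.0-27.el6",          "advisory": "VO-ADV-001", "severity": "high"},
        {"package": "kernel",  "fixed_in": "2.6.32-279.22.1.el6",   "advisory": "VO-ADV-002", "severity": "critical"},
        {"package": "bash",    "fixed_in": "4.1.2-15.el6",          "advisory": "VO-ADV-003", "severity": "medium"},
    ],
}

# Constructed inventory as a patch-status monitor might collect it: host -> {package: installed EVR}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "node1.site-a.example": {"openssl": "1.0.0-25.el6", "kernel": "2.6.32-279.22.1.el6", "bash": "4.1.2-15.el6"},
    "node2.site-b.example": {"openssl": "1.0.0-27.el6", "kernel": "2.6.32-220.el6",      "bash": "4.1.2-9.el6"},
    "node3.site-b.example": {"openssl": "1.0.0-27.el6", "kernel": "2.6.32-279.22.1.el6"},  # no bash data reported
}


def assess(inventory: Dict[str, Dict[str, str]], policy: dict) -> List[Finding]:
    """Evaluate every policy rule against every host. Missing data is flagged, never assumed compliant."""
    findings: List[Finding] = []
    for host, packages in sorted(inventory.items()):
        for rule in policy["rules"]:
            installed = packages.get(rule["package"])
            if installed is None:
                status = "unknown"
            elif compare_evr(installed, rule["fixed_in"]) < 0:
                status = "vulnerable"
            else:
                continue                      # at or above the fixed release: compliant
            findings.append(Finding(host, rule["package"], installed, rule["fixed_in"],
                                    rule["advisory"], rule["severity"], status))
    return findings


def remediation_plan(findings: List[Finding]) -> Dict[str, List[str]]:
    """Per-host update commands for confirmed-vulnerable packages (assumes yum-managed hosts).
    'unknown' findings are deliberately left out: they need an inventory fix, not a blind update."""
    plan: Dict[str, List[str]] = {}
    for f in findings:
        if f.status == "vulnerable":
            plan.setdefault(f.host, []).append(f"yum -y update {f.package}")
    return {host: sorted(cmds) for host, cmds in plan.items()}


if __name__ == "__main__":
    results = assess(INVENTORY, POLICY)
    for f in results:
        print(f"{f.status:10} {f.host:22} {f.package:8} installed={f.installed} fixed_in={f.fixed_in} ({f.advisory}, {f.severity})")
    for host, cmds in remediation_plan(results).items():
        print(host, "->", "; ".join(cmds))
```

The two design points a practitioner should carry over are that version comparison must follow the packaging system's own rules (a plain string or float comparison would rank `279.22.1` below `279`), and that a host which reports nothing for a policed package is a gap in the monitoring, so it is surfaced as `unknown` rather than silently counted as patched.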


Keywords: e-Infrastructure, Configuration Management, Monitoring, Security





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jan Muhammad (1)
  • Thomas Doherty (1)
  • Sardar Hussain (1)
  • Richard Sinnott (2)
  1. National e-Science Centre, University of Glasgow, UK
  2. Department of Computing and Information Systems, University of Melbourne, Melbourne, Australia
