Artsiom Yautsiukhin

Italian National Research Council | CNR · Institute for Informatics and Telematics IIT

PhD

About

65
Publications
22,613
Reads
821
Citations
Introduction
Artsiom Yautsiukhin received his PhD degree in Information and Communication Technology from the University of Trento in 2009. He is a researcher in the information security group at the Institute of Informatics and Telematics (IIT) of the National Research Council (CNR), Pisa, Italy. His main research interests are IT security metrics and security evaluation. He has participated in a number of European projects, including SERENITY, SENSORIA, ANIKETOS, NESSOS, SESAMO and CAMINO.
Additional affiliations
June 2009 - present
Italian National Research Council
Position
  • Researcher
September 2004 - May 2009
University of Trento
Position
  • PhD Student
Education
September 2004 - May 2009
University of Trento
Field of study
  • Computer Security

Publications (65)
Article
In usage control, access decisions rely on mutable attributes. A reference monitor should reevaluate security policies each time attributes change their values. Identifying all attribute changes in a timely manner is a challenging issue, especially if the attribute provider and the reference monitor reside in different security domains. Some attrib...
Article
Full-text available
Secure orchestration is an important concern in the internet of service. Next to providing the required functionality the composite services must also provide a reasonable level of security in order to protect sensitive data. Thus, the orchestrator has a need to check whether the complex service is able to satisfy certain properties. Some propertie...
Conference Paper
Full-text available
Security metrics are usually defined informally and, therefore, the rigorous analysis of these metrics is a hard task. This analysis is required to identify the existing relations between the security metrics, which try to quantify the same quality: security. Risk, computed as Annualised Loss Expectancy, is often used in order to give the overall...
Chapter
Security risk assessment is often a heavy manual process, making it expensive to perform. DevOps, that aims at improving software quality and speed of delivery, as well as DevSecOps that augments DevOps with the automation of security activities, provide tools and procedures to automate the risk assessment. We propose a solution to integrate risk a...
Preprint
Full-text available
The proliferation of Internet of Things (IoT) systems is having a profound impact across all aspects of life. Recognising and identifying particular users is central to delivering the personalised experience that citizens want to experience, and that organisations wish to deliver. This article presents a survey of human-computer interaction-based...
Article
Full-text available
The paper presents a risk-driven behavioral biometric-based user authentication scheme for smartphones. Our scheme delivers one-shot-cum-continuous authentication, thus not only authenticates users at the start of the application sign-in process but also, throughout the active user session. The scheme leverages the widely used PIN/password-based au...
Preprint
Full-text available
The paper presents a risk-driven behavioral biometric-based user authentication scheme for smartphones. Our scheme delivers one-shot-cum-continuous authentication, thus not only authenticates users at the start of the application sign-in process but also, throughout the active user session. The scheme leverages the widely used PIN/password-based...
Article
Full-text available
Nowadays, cyber threats are considered among the most dangerous risks by top management of enterprises. One way to deal with these risks is to insure them, but cyber insurance is still quite expensive. The insurance fee can be reduced if organisations improve their cyber security protection, i.e., reducing the insured risk. In other words, organisa...
Chapter
In our increasingly connected world, cybersecurity and privacy (CSP) have become center stage issues. The European Union and the United States are the two regions at the forefront of cyber challenges. This chapter presents the key elements of the CSP landscapes in the European Union and the United States. It highlights each region's research and in...
Chapter
Full-text available
Insurance of digital assets is becoming an important aspect nowadays, in order to reduce the investment risks in modern businesses. GDPR and other legal initiatives make this necessity even more demanding, as an organization is now accountable for the usage of its client data. In this paper, we present a cyber insurance framework, called CyberSure....
Conference Paper
Full-text available
Nowadays, more and more aspects of our daily activities are digitalized. Data and assets in the cyber-space, both for individuals and organizations, must be safeguarded. Thus, the insurance sector must face the challenge of digital transformation in the 5G era with the right set of tools. In this paper, we present CyberSure, an insurance framework f...
Conference Paper
Full-text available
Insurance of digital assets is becoming an important aspect nowadays, in order to reduce the investment risks in modern businesses. GDPR and other legal initiatives make this necessity even more demanding, as an organization is now accountable for the usage of its client data. In this paper, we present a cyber insurance framework, called CyberSure....
Chapter
Full-text available
Losses due to cyber security incidents could be very significant for organisations. This fact forces managers to consider cyber security risks at the highest management level. Cyber risks are usually either mitigated by technical means (countermeasures) or transferred to another party (i.e., insurer). Both options require significant investments an...
Chapter
Full-text available
A specific kind of insurance that is emerging within the domain of cyber-systems is that of cyber-insurance. Cyber-insurance is the transfer of financial risk associated with network and computer incidents to a third party. Insurance companies are increasingly offering such policies, in particular in the USA, but also in Europe. The emerging trends...
Article
Service composition is a key concept of Service-Oriented Architecture that allows for combining loosely coupled services that are offered and operated by different service providers. Such environments are expected to dynamically respond to changes that may occur at runtime, including changes in the environment and individual services themselves. T...
Conference Paper
The rapid development of the cyber insurance market brings forward the question about the effect of cyber insurance on cyber security. Some researchers believe that the effect should be positive as organisations will be forced to maintain a high level of security in order to pay lower premiums. On the other hand, other researchers conduct a theo-r...
Article
Full-text available
Cyber insurance is a rapidly developing area which draws more and more attention of practitioners and researchers. Insurance, an alternative way to deal with residual risks, was only recently applied to the cyber world. The immature cyber insurance market faces a number of unique challenges on the way of its development. In this paper we summarise...
Conference Paper
Full-text available
It is hard to guarantee proper protection in the Service Oriented Architecture (SOA), when a client outsources a part of its business or sends private data to a services provider. Various solutions proposed so far mostly require evidences of proper protection (e.g., source code for verification or execution traces for monitoring), which are to be p...
Chapter
In this paper we present the discussion about the future ideas, needs and trends for cyber security technologies. Our focus is on the future technologies which should be developed in order to further enhance the protection of the cyberspace. Similarly to our work in the FP7 CAMINO project, we follow the comprehensive approach looking at broad range...
Conference Paper
An Abstract Argumentation Framework (AAF) represents a useful technique for the analysis of arguments supporting or discouraging decisions (i.e., information can be in conflict). In particular, we apply Abstract Argumentation to support the administration of security in computer networks. Our approach captures the high-level topology of a system an...
Conference Paper
In this paper the initial results of the European project CAMINO in terms of the realistic roadmap to counter cyber crime and cyber terrorism are presented. The roadmap is built in accordance to so called CAMINO THOR approach, where cyber security is perceived comprehensively in 4 dimensions: Technical, Human, Organisational, and Regulatory.
Conference Paper
Full-text available
Argumentation has been proved as a simple yet powerful approach to manage conflicts in reasoning with the purpose to find subsets of "surviving" arguments. Our intent is to exploit such form of resolution to support the administration of security in complex systems, e.g., in case threat countermeasures are in conflict with non-functional requirem...
Article
The acquisition of information about computer systems by mostly non-technical means is called social engineering. Most critical systems are vulnerable to social threats, even when technical security is high. Social engineering is a technique that: (i) does not require any advanced technical tools, (ii) can be used by anyone, (iii) is cheap, (iv) almost imp...
Article
Many approaches for security assessment were recently proposed. In particular, attack graphs and attack surface gained a lot of attention. Nevertheless, these approaches suffer from several drawbacks. For example, attack graph operates only with known vulnerabilities and it is unclear how attack surface (metric) contributes to the risk picture for...
Conference Paper
Full-text available
Social engineering is the acquisition of information about computer systems by methods that deeply include non-technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) c...
Conference Paper
Web services composition allows a software designer to combine atomic services, for instance taken from a marketplace, into a complex business process fulfilling a desired functional goal. Moreover, among a large number of possible compositions, the designer may want to consider only those which satisfy specific non-functional requirements. In our...
Conference Paper
Smart grid is an intelligent energy distribution system consisting of multiple information and communication technologies (ICT). One of the challenges for such a complex and heterogeneous system as a smart grid is to unite security analysis on a high level of abstraction with concrete behavioral attack patterns that exploit low-level vulnerabilities. We...
Article
The pervasiveness of Web services increases the necessity for consumers to access and use them in a secure way. Besides secure communications, consumer security also involves providing strong guarantees that a requested security policy is satisfied. Needless to say, remote services are adverse to most techniques of analysis and control that usually...
Article
One important challenge the Aniketos platform has to address is the effective monitoring of services at runtime to ensure that services behave as promised. A service developer plays the role that is responsible for constructing service compositions and the service provider is responsible for offering them to consumers of the Aniketos platform. Typi...
Conference Paper
Security management requires quantitative security metrics in order to effectively distribute limited resources and justify investments into security. The problem is not only to select the right security metrics but also to be sure that the selected metrics correctly represent security strength. In this paper, we tackle the problem of formal analys...
Conference Paper
Attribute-based Access Control (ABAC) was recently proposed as a general model which is able to capture the main existing access control models. This paper discusses the problems of configuring ABAC and engineering access policies. We question how to design attributes, how to assign attributes to subjects, objects, actions, and how to formulate acc...
Conference Paper
Usage Control (UCON) enhances traditional access control introducing mutable attributes and continuous policy enforcement. UCON addresses security requirements of dynamic computer environments like Grid and Cloud, but also raises new challenges. This paper considers two problems of usage control. The first problem arises when a value of a mutable a...
Conference Paper
We describe our model for the behaviour of an attacker. In the model, the attacker has uncertain knowledge about a computer system. Moreover, the attacker tries different attack paths if initially selected ones cannot be completed. The model allows finer-grained analysis of the security of computer systems. The model is based on Markov Decision Pro...
Conference Paper
Full-text available
We focus on the assessment of the security of business processes. We assume that a business process is composed of abstract services, each of which has several concrete instantiations. Essential peculiarity of our method is that we express security metrics used for the evaluation of security properties as semirings. First, we consider primitive dec...
Conference Paper
Dynamic and evolving systems might require flexible access control mechanisms, in order to make sure that the unavailability of some users does not prevent the system from being functional, in particular for emergency-prone environments, such as healthcare, natural disaster response teams, or military systems. The auto-delegation mechanism, which combin...
Conference Paper
In Usage CONtrol (UCON) access decisions rely on mutable attributes. A reference monitor should re-evaluate security policies each time attributes change their values. Catching all attribute changes in a timely manner is a challenging issue, especially if the attribute provider and the reference monitor reside in different security domains. Some attribute...
Conference Paper
Full-text available
The usage control (UCON) model demands continuous control over objects of a system. Access decisions are made several times within a usage session and are performed on the basis of mutable attributes. Values of attributes in modern highly-dynamic and distributed systems sometimes are not up-to-date, because attributes may be updated by several...
Conference Paper
Full-text available
In this paper we describe our general framework for usage control (UCON) enforcement on GRID systems. It allows both GRID services level enforcement of UCON as well as fine-grained one at the level of local GRID node resources. In addition, next to the classical checks for usage control: checks of conditions, authorizations, and obligations, the fr...
Article
Full-text available
Security metrics are the tools for providing correct and up-to-date information about a state of security. This information is essential for managing security efficiently. Although a number of security metrics have been proposed, we still need reliable ways for the assessment of security. First of all, we do not have a widely-accepted and unambiguous definit...
Conference Paper
The usage control model (UCON) is based on the idea that attributes required for decision-making can change over a period of usage. Since it is not always possible to get a fresh and trustworthy value of attributes, a decision has to be made with some uncertainties in mind. Moreover, modern systems become more distributed and dynamic and this evolu...
Conference Paper
Full-text available
In Service Oriented Architecture (SOA) data belonging to a client (data provider) is often processed by a provider (data consumer). During this processing the data can be compromised. A client wants to be sure that its data is used in the least risky way while it is under the provider's control. The risk level should be low when access to the data is gran...
Conference Paper
Full-text available
There are numerous metrics proposed to assess security and dependability of technical systems (e.g., number of defects per thousand lines of code). Unfortunately, most of these metrics are too low-level and fail to capture the high-level system abstractions required for organisation analysis. The analysis essentially enables the organisation to dete...
Conference Paper
Full-text available
Management of a modern enterprise is based on the assumption that executive reports of lower-layer management are faithful to what is actually happening in the field. As some well-publicised major recent disasters (such as Barings, AllFirst-Allied Irish Bank, ENRON, Societe Generale) have shown, this assumption is not well-founded. Intermediate m...
Conference Paper
Full-text available
In this paper we extend a model-based approach to security management with concepts and methods that provide a possibility for quantitative assessments. For this purpose we introduce security metrics and explain how they are aggregated using the underlying model as a frame. We measure the number of attacks of certain threats and estimate their likeliho...
Conference Paper
Full-text available
In order to provide certified security services we must provide indicators that can measure the level of assurance that a complex business process can offer. Unfortunately the formulation of security indicators is not amenable to efficient algorithms able to evaluate the level of assurance of a complex process from its components. In this paper w...
Conference Paper
Full-text available
There is a large number of research papers and standards dedicated to security for outsourced data. Yet, most papers propose new controls to access and protect the data rather than to assess the level of assurance of the whole process that is currently deployed. The main contribution of the paper is an approach for aggregating security properties...
Conference Paper
Full-text available
While logging events is becoming increasingly common in computing, in communication and in collaborative work, log systems need to satisfy increasingly challenging (if not conflicting) requirements. Despite the growing pervasiveness of log systems, to date there is no high-level framework which allows one to model a log system and to check whether...
Article
Full-text available
Nowadays many companies understand the benefit of outsourcing. Yet, in current outsourcing practices, clients usually focus primarily on business objectives and security is negotiated only for communication links. It is however not determined how data must be protected after transmission. Strong protection of a communication link is of little value...
Article
Full-text available
The issue of business process design for a complex web service provision is gaining attention and has been addressed in a number of recent works. We argue that calculation of global quality of service and protection, which then is negotiated with a client as service and protection level agreements, for complex web services must be based on busine...
Book
Information security in the business setting has matured in the last few decades. Standards, such as ISO 17799, the Common Criteria, and a number of industry and academic certifications and risk analysis methodologies, have raised the bar on what is considered a good security solution, from a business perspective. Yet, the evaluation of security sol...
Article
Full-text available
In this paper we present an approach and algorithm for selecting the "best" secure architecture for supporting a business process according to a variety of assurance indicators. The key difficulty is to select an architectural design in presence of multiple indicators that might offer alternative notions of minimality. Therefore we must use the not...
Article
Full-text available
Security is a very important aspect for Web Service technology. There are a large number of works devoted to security of Web Service transactions. However, we argue that security must be guaranteed for data processing (after transmission) as well. These requirements must be negotiated with a client and inserted into the agreement between a clien...
Article
Software patterns are key building blocks used to construct the architecture of a software system. Patterns also have an important role during the architecture assessment phase, as they represent the design rationale, which is central to evaluation. This work presents a quantitative approach to assess the security of a pattern-based software archit...
Article
Full-text available
When designing a service-based business process employing loosely-coupled services, one is not only interested in guaranteeing a certain flow of work, but also in how the work will be performed. This involves the consideration of non-functional properties which go from execution time, costs, up to security and trust. Ideally, a designer would like...
