Projects with IT-SEC participation
This page gives an overview of projects the IT-SEC group participates in:
AGILE: An Adaptive and Modular Gateway for the Internet of Things
AGILE will deliver a modular IoT gateway for enabling various types of devices (wearables, home appliances, sensors and actuators, etc.) to be connected with each other and to the Internet. The modularity will enable the support of various networking interfaces and technologies (e.g., Bluetooth Low Energy, ZigBee, ZWave, 433 and 866MHz RF, LoRa, etc.) for communication with a wide range of devices, and the support of different connection mechanisms to the Internet (WiFi, Ethernet, 2G/3G) based on user needs and the different use cases.
Also, this project aims to enable data management and device control either at the local gateway level (maximising security and privacy) and/or remotely through the support of various open and private Clouds (FIWARE Cloud, AmazonWS, Microsoft Azure, Google Cloud, CloudFoundry PaaS, etc.). Developers and end-users will be able to decide where the data is stored and how device management is performed based on the context and the use case.
Privacy and Security Maintaining Cloud Services
With a current volume of over USD 100 billion and annual growth rates of over 10%, the world-wide market for cloud computing can be considered as the major growth area in ICT. However, big companies and public authorities are reluctant to entrust their most sensitive data to external parties for storage and processing. The reason for their hesitation is clear: there exist no satisfactory approaches to adequately protect the data during its lifetime in the cloud. PRISMACLOUD addresses these challenges and yields a portfolio of novel security-enabled cloud services, guaranteeing the required security for sensitive data in the cloud.
Techniques for outsourcing computation with verifiable correctness and authenticity-preservation allow computations to be securely delegated to cloud providers. A distributed multi-cloud data storage architecture shares data among several cloud providers and improves security and availability. Dynamically updating shares by means of novel techniques avoids vendor lock-in, preserves data authenticity, facilitates long-term privacy and promotes a dynamic cloud provider market. Claims about the secure connection and configuration of the virtualized cloud infrastructures and properties of cloud topologies are verifiable by means of cryptographic techniques. User privacy issues are addressed by data minimization and anonymization technologies through the application of privacy-preserving cryptographic techniques. As feasibility proof, three use cases from the fields of SmartCity, e-Government, and e-Health will be implemented and evaluated by the project participants.
The PRISMACLOUD work program is complemented with activities addressing secure user interfaces, secure service composition, secure implementation in software and hardware, security certification, and an impact analysis from an end-user view. In order to converge with the European Cloud Computing Strategy, a strategy for the dissemination of results into standards is developed.
FORSEC: Security of Highly Interconnected IT Systems (Sicherheit hochgradig vernetzter IT-Systeme)
Environment: Current phenomena like outsourcing, service-oriented architectures, cloud computing and the general penetration of every kind of work process by information technology have given rise to a situation that was inconceivable a few years ago. At the turn of the millennium, central IT-systems, for example information systems in companies or control systems of public infrastructures (energy grid, traffic control systems), were almost totally isolated, or they communicated with other IT-systems only within tight, accurately defined boundaries. In the last few years these boundaries have become more and more transparent or have disappeared completely. Modern IT-systems have become versatile, flexible, and highly interconnected, yet fragile constructs.
While a few years ago anti-virus software and firewalls were considered to be sufficient protection against attacks on IT-systems, it recently became apparent that these measures are obsolete. Complex and adaptive attacks on IT-systems (for example Stuxnet, Duqu or Flame) demonstrated the capability for abuse and industrial espionage and exposed the weakness of current defensive measures.
Taking into account the current threat situation, it emerged in particular that the strict separation of the IT-security process into the following three phases, common until now, was not sufficient, as many possible synergies remained unexploited:
- Preventive measures against attacks
- Defense against ongoing attacks
- Forensics and post-mortem examination of IT-security incidents
Objectives: FORSEC aims at transferring the three parts of the process, which up until now have always been considered separately, into an integrated, interdisciplinary concept: an integrated security process for highly connected IT-systems. The phase "Preventive measures against attacks" describes methods for securing IT-systems as well as raising people's awareness of the safe use of IT-systems. Subprojects in this area are particularly focused on intrusion prevention and reduction of the expected damage.
Defense measures during ongoing attacks can be assigned to the second phase of the cycle, "Defense against ongoing attacks". Topics researched include effective recognition of attacks and subsequent defense against them, as well as methods for conviction of the attackers.
Subprojects assigned to the phase "Forensics and post-mortem examination of IT-security incidents" are mostly concerned with methods for the identification of the offenders and recovery of systems and data.
Structure: Eight professors from five different Bavarian research institutions are involved in the Bavarian research association FORSEC: four universities with faculties and departments of different scope (Faculty of Economics and Business Administration at the University of Regensburg, Faculty of Computer Science and Mathematics at the University of Passau, Faculty of Computer Science at TU Munich, Technical Faculty at FAU University Erlangen-Nürnberg), and, indirectly, the Institute of Applied and Integrated Security (AISEC) at the Fraunhofer Institute in Garching near Munich. The research association is coordinated by Prof. Dr. Günther Pernul and Prof. Dr. Guido Schryen from the Institute for Information Systems of the University of Regensburg.
REliable, Resilient and secUre IoT for sMart city applications
We see a rapid growth of cities trying to solve the many challenges associated with living in urban environments by providing Information and Communication Technologies (ICT)-enabled services and applications to citizens, companies and authorities, driving competitiveness and improving quality of life; this is subsumed under the term Smart City. A paramount building block for this is the Internet of Things (IoT). The key challenge for IoT towards Smart City applications is ensuring its reliability, incorporating the issues of security, privacy, availability, robustness and flexibility to changing environmental conditions. Without guarantees that the Smart City IoT objects are (i) sensing the environment correctly, (ii) exchanging the information securely, and (iii) safeguarding private information, users are reluctant to adopt this new technology that will be a part of their everyday lives, which decreases the market value of Smart City applications for the service providers.
The ultimate goal of RERUM is to allow IoT to become the fundamental enabler towards a truly Smart City, having the citizen at the centre of attention.
The key objectives of RERUM can be summarized as:
- Identify common threats and open security/privacy/reliability issues in existing IoT frameworks for Smart City applications.
- Develop an architectural framework for the interconnectivity of a large number of heterogeneous smart objects based on the concept of “security, privacy and reliability by design”.
- Embed security and reliability on the hardware smart objects, providing reliable, self-managed, robust and context-aware communications minimizing energy consumption.
- Investigate the adaptation of Cognitive Radio (CR) technology in smart objects to minimize wireless interference and ensure the “always connected” concept.
- Evaluate the performance of the framework in two real-world Smart City environments: Tarragona and Heraklion.
BIOMICS: Biological and Mathematical Basis of Interaction Computing
Interaction Computing (IC) takes inspiration from cellular processes rather than from evolution. BIOMICS aims to leverage existing cell metabolic and regulatory mechanisms as the ontogenetic basis of a model for IC. However, because the knowledge to properly mimic, exploit and adapt these systems to computer science is lacking, BIOMICS will also advance the state of the art in the mathematics of biocomputing. The mathematical structure thus uncovered feeds into two different and complementary directions. On the one hand, it will inform the automata theory formalisms for IC; on the other hand, it will be mapped through category theory to the logic foundations of the BIOMICS specification language. Whereas the automata theory research will focus on the structural properties of self-organising systems, the BIOMICS specification language will instead focus on the specification of self-organising behaviour. By the end of Year 2 we will have developed the formal tools and frameworks from both points of view of the behaviour-realisation dichotomy to be able to effect their synthesis in the form of an environment which, through interactions, is capable of generating useful software systems that match the biological structure template - and are therefore themselves based on interactions. This foundational mathematical work of BIOMICS will be applicable to software systems of a radically new kind and to systems biology, creating a unified mathematical framework for understanding, predicting, manipulating, and dynamically synthesising algorithmic activity-in-context based on interactions (i.e. interaction computation) in both realms. This will be demonstrated not only by the application of the framework to the analysis of complex-adaptive biological systems beyond those studied in the course of its development, but also by proof-of-concept implementations of software systems (for example demonstrating security properties) as a potential new paradigm for unconventional computing.
COMPOSE: Collaborative Open Market to Place Objects at your SErvice
The COMPOSE project aims at enabling new services that can seamlessly integrate real and virtual worlds through the convergence of the Internet of Services with the Internet of Things. COMPOSE will achieve this through the provisioning of an open and scalable marketplace infrastructure, in which smart objects are associated to services that can be combined, managed, and integrated in a standardised way to easily and quickly build innovative applications.
The COMPOSE project builds upon existing European research projects and ongoing standardisation activities to provide a comprehensive marketplace framework that will be able to cover the whole service lifecycle by integrating a number of innovative technological enablers in a coherent way. The project will develop novel approaches for virtualising smart objects into services and for managing their interactions. This includes solutions for managing knowledge derivation, for secure and privacy-preserving data aggregation and distribution, and for dynamic service composition, advertising and discovering objects' capabilities, and service provisioning and monitoring.
The COMPOSE project is expected to give birth to a new business ecosystem, building on the convergence of the Internet of Services with the Internet of Things and the Internet of Content. The COMPOSE marketplace will allow SMEs and innovators to introduce new Internet of Things-enabled services and applications to the market in a short time and with limited upfront investment. At the same time, COMPOSE will allow major European players in the information and communication industry, particularly cloud service providers and telecommunications companies, to reposition themselves within new Internet of Things-enabled value chains.
The COMPOSE consortium comprises twelve partners, including leading ICT companies, recognised academic and research excellence centres, a standardization body, as well as pioneering SMEs in Internet of Things-based innovative services.
- RESCUE IT:
The motivation for RESCUE IT is our ever-increasing dependency on robust supply chains. Whether it is dairy products (like milk or yoghurt) or other sensitive goods, the process from production to delivery is increasing in complexity and in the number of involved parties. Supply chains of today are handled by complex IT and communication systems; their robustness against errors must be increased to meet our society's demands for an uninterrupted supply stream. The errors RESCUE IT will be addressing range from sabotage of production, risks during transport, and attacks on the underlying IT infrastructure, to targeted attacks on the quality and loss of consumability of goods in the wholesale sector. The research is scenario-driven and will be conducted together with industry partners, SCM software developers, and universities.
WEBSAND: Server-driven Outbound Web-application
Since its birth in 1990, the Web has evolved from a simple, stateless delivery mechanism for static hypertext
documents to a fully-fledged run-time environment for distributed, multi-party applications. Security becomes
increasingly important in this context, but is typically only an afterthought in this process. The next wave, the
Future Internet, will continue to rely on the same web application technology, while adopting more p2p and
mashup-style approaches. Today's server-centric solutions will give way to a rich and stateful client-centric
paradigm with even less manageable security and even more severe threats to the web-based economy of the
Future Internet. Data and services from multiple heterogeneous domains, aggregated both on the server-side
and on an end-user's client, demand a novel, comprehensive security solution that increases the
user's trust in the technological infrastructure. WebSand tackles this demand by departing from the
observation that security should be server-driven. Even though security preferences from end-users at the
client-side have to be taken into account, only the service developers at the server-side have the necessary
expertise and context information to define the policies to be enforced. Moreover, server-driven security can be
deployed relatively easily, since much can be achieved without updating the client-side platform. The WebSand
framework consists of four major building blocks: (1) a secure interaction model, that allows explicit and
fine-grained control concerning incoming Web communication, (2) methods for secure end-to-end information
flow control, to enforce confidentiality and integrity properties, (3) behavioral sandbox environments for secure
client-side and server-side composition of multi-origin components, and (4) a declarative and expressive policy
description mechanism that ties the individual components together into a unified security architecture spanning
client and server.
- ICONAV: Integrierte COM/NAV Funktionalität für
Today's Air-Traffic Management (ATM) communication systems are working at their capacity limits due to increasing traffic in aviation. To counteract this, it is necessary to develop new communication methods and to switch to digital transmissions. A new digital data transmission technique is L-DACS 1 (L-band Digital Aeronautical Communication System). The target of the ICONAV project is to build an L-DACS demonstrator device and to evaluate whether it is suitable to become a standard for future ground-to-air (a/g) communication. The development of the demonstrator unit is done by our project partner R & S in cooperation with DLR, iAd and BPS.
Our task in this project is to develop, in cooperation with R & S SIT, a security concept/strategy for L-DACS 1. On the basis of different use cases and deployment scenarios, sensitive values/assets are determined. After threat and risk analysis we develop different security targets and measures to protect these assets. Example measures could be an integrity check of transmitted values or an encrypted datalink connection.
A selection of the derived security recommendations and defined security functions will be implemented by the project partners in the demonstrator.
We are actively involved in the first half of the ICONAV project, for approximately one and a half years. In the second part of the project the developed demonstrator will be trialed in flight tests.
- BIONETS: BIOlogically inspired NETworks and
The motivation for BIONETS comes from emerging trends towards
pervasive computing and communication environments, where myriads of
networked devices with very different features will enhance our five
senses, our communication and tool manipulation capabilities. The
complexity of such environments will not be far from that of biological
organisms, ecosystems, and socio-economic communities. Traditional
communication approaches are ineffective in this context, since they
fail to address several new features: a huge number of nodes including
low-cost sensing/identifying devices, a wide heterogeneity in node
capabilities, high node mobility, the management complexity, the
possibility of exploiting spare node resources. BIONETS aims at a novel
approach able to address these challenges. Nature and society exhibit
many instances of systems in which large populations are able to reach
efficient equilibrium states and to develop effective collaboration and
survival strategies, able to work in the absence of central control and
to exploit local interactions. We seek inspiration from these systems to
provide a fully integrated network and service environment that scales
to large amounts of heterogeneous devices, and that is able to adapt and
evolve in an autonomic way. BIONETS overcomes device heterogeneity and
achieves scalability via an autonomic and localized peer-to-peer
communication paradigm. Services in BIONETS are also autonomic, and
evolve to adapt to the surrounding environment, like living organisms
evolve by natural selection. Biologically-inspired concepts permeate the
network and its services, blending them together, so that the network
moulds itself to the services it runs, and services, in turn, become a
mirror image of the social networks of users they serve. This new
paradigm breaks the barrier between service providers and users, and
sets up the opportunity for "mushrooming" of spontaneous services,
therefore paving the way to a service-centric ICT revolution.
- ORKA: Organizational Control Architecture
The goal of ORKA is to develop a fine-grained authorization
architecture that goes together with enterprise IT infrastructures
including workflow environments and service oriented architectures.
We strive for combining policy validation capabilities, ability to enforce a wide range of organizational control principles in a direct, elegant and concise way, and suitability for daily use in an enterprise setting.
- R4eGov: Towards e-Administration in the large
Interoperability and security are two key topics on the EU eGovernment research agenda. They must be addressed keeping in
mind that eGovernment systems will remain heterogeneous while local administrations remain in charge of their
configuration and of the definition of their processes. Project key objectives are:
- To gather and elicit the requirements for e-Administration in the large, on basis of which a concrete interoperation
web service enabled legacy public sector applications will be achieved using collaborative workflows.
- To provide the tools and methods for an e-Administration in the large from a technical and sociological
- To provide the required security and privacy for an e-Administration in the large, defining the appropriate methods and tools for control, security and privacy at the collaborative workflow and application layer.