-
Martin Mulazzani and Markus Huber and Edgar R. Weippl, "Social Network Forensics: Tapping the Data Pool of Social Networks,"
Eighth Annual IFIP WG 11.9 International Conference on Digital Forensics, 2012.
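@inproceedings{Mulazzani_Social_Network_Forensics_2012,
  author    = {Mulazzani, Martin and Huber, Markus and Weippl, Edgar R.},
  title     = {Social Network Forensics: Tapping the Data Pool of Social Networks},
  booktitle = {Eighth Annual {IFIP} {WG} 11.9 International Conference on Digital Forensics},
  year      = {2012},
  month     = jan,
  pdf       = {socialForensics_preprint.pdf},
}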
-
Sebastian Schrittwieser and Peter Fruehwirt and Peter Kieseberg and Manuel Leithner and Martin Mulazzani and Markus Huber and Edgar R. Weippl, "Guess Who Is Texting You? Evaluating the Security of Smartphone Messaging Applications," in
Network and Distributed System Security Symposium (NDSS 2012), 2012.
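@inproceedings{Schrittwieser_Guess_Who_s_Texting_You_Evalua_2012,
  author     = {Schrittwieser, Sebastian and Fruehwirt, Peter and Kieseberg, Peter and Leithner, Manuel and Mulazzani, Martin and Huber, Markus and Weippl, Edgar R.},
  sbahotlist = {true},
  title      = {Guess Who Is Texting You? Evaluating the Security of Smartphone Messaging Applications},
  booktitle  = {Network and Distributed System Security Symposium ({NDSS} 2012)},
  year       = {2012},
  month      = feb,
}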
-
Bernhard Hoisl and Mark Strembeck, "Modeling Support for Confidentiality and Integrity of Object Flows in Activity Models," in
Proc. of the 14th International Conference on Business Information Systems (BIS), Lecture Notes in Business Information Processing (LNBIP), 2011.
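@inproceedings{_Modeling_Support_for_Confident_2011,
  author    = {Hoisl, Bernhard and Strembeck, Mark},
  title     = {Modeling Support for Confidentiality and Integrity of Object Flows in Activity Models},
  booktitle = {Proc. of the 14th International Conference on Business Information Systems ({BIS})},
  series    = {Lecture Notes in Business Information Processing ({LNBIP})},
  volume    = {87},
  year      = {2011},
  month     = jun,
  pdf       = {bis11-extended.pdf},
  publisher = {Springer},
}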
-
Hannes Obweger and Josef Schiefer and Martin Suntinger and Robert Thullner, "Entity-Driven State Management for Complex Event Processing Applications," in
5th International Symposium on Rules (RuleML11), 2011.
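@inproceedings{Obweger_Entity_Driven_State_Management_2011,
  author    = {Obweger, Hannes and Schiefer, Josef and Suntinger, Martin and Thullner, Robert},
  title     = {Entity-Driven State Management for Complex Event Processing Applications},
  booktitle = {5th International Symposium on Rules ({RuleML11})},
  year      = {2011},
  month     = jul,
  note      = {In Review},
}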
-
Hannes Obweger and Josef Schiefer and Martin Suntinger and Peter Kepplinger and Szabolcs Rozsnyai, "User-Oriented Rule Management for Event-Based Applications," in
ACM International Conference on Distributed Event-Based Systems DEBS11, 2011.
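@inproceedings{Obweger_User_Oriented_Rule_Management__2011,
  author    = {Obweger, Hannes and Schiefer, Josef and Suntinger, Martin and Kepplinger, Peter and Rozsnyai, Szabolcs},
  title     = {User-Oriented Rule Management for Event-Based Applications},
  booktitle = {{ACM} International Conference on Distributed Event-Based Systems {DEBS11}},
  year      = {2011},
  month     = jul,
  pdf       = {DEBS2011_cameraready.pdf},
  note      = {In Review},
}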
-
Hannes Obweger and Josef Schiefer and Martin Suntinger and F. Breier and Robert Thullner, "Complex Event Processing off the Shelf – Rapid Development of Event-Driven Applications with Solution Templates," in
19th Mediterranean Conference on Control and Automation (MED11), 2011.
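@inproceedings{Obweger_Complex_Event_Processing_off_t_2011,
  author    = {Obweger, Hannes and Schiefer, Josef and Suntinger, Martin and Breier, F. and Thullner, Robert},
  title     = {Complex Event Processing off the Shelf -- Rapid Development of Event-Driven Applications with Solution Templates},
  booktitle = {19th Mediterranean Conference on Control and Automation ({MED11})},
  year      = {2011},
  month     = jun,
  pdf       = {MED2011_cameraready.pdf},
  note      = {In Review},
}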
-
Anne Baumgrass and Mark Strembeck and Stefanie Rinderle Ma, "Deriving Role Engineering Artifacts from Business Processes and Scenario Models," in
Proc. of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT), 2011.
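@inproceedings{_Deriving_Role_Engineering_Arti_2011,
  author    = {Baumgrass, Anne and Strembeck, Mark and Rinderle Ma, Stefanie},
  title     = {Deriving Role Engineering Artifacts from Business Processes and Scenario Models},
  booktitle = {Proc. of the 16th {ACM} Symposium on Access Control Models and Technologies ({SACMAT})},
  year      = {2011},
  month     = jun,
  pdf       = {sacmat11-re-extended.pdf},
}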
-
Waldemar Hummer and Patrick Gaubatz and Mark Strembeck and Uwe Zdun and Schahram Dustdar, ": An Integrated Approach for Identity and Access Management in a SOA Context," in
Proc. of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT), 2011.
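@inproceedings{_An_Integrated_Approach_for_Ide_2011,
  author        = {Hummer, Waldemar and Gaubatz, Patrick and Strembeck, Mark and Zdun, Uwe and Dustdar, Schahram},
  title         = {: An Integrated Approach for Identity and Access Management in a {SOA} Context},
  booktitle     = {Proc. of the 16th {ACM} Symposium on Access Control Models and Technologies ({SACMAT})},
  year          = {2011},
  month         = jun,
  pdf           = {sacmat11-iam.pdf},
  internal-note = {Title begins with a colon; a leading word or name appears to be missing -- verify against the published paper},
}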
-
Zhendong Ma and Juergen Mangler, "Enhance Data Privacy In Service Compositions Through A Privacy Proxy," in
The Sixth International Conference on Availability, Reliability and Security, 2011.
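@inproceedings{_Enhance_Data_Privacy_In_Servic_2011,
  author    = {Ma, Zhendong and Mangler, Juergen},
  title     = {Enhance Data Privacy In Service Compositions Through A Privacy Proxy},
  booktitle = {Sixth International Conference on Availability, Reliability and Security},
  year      = {2011},
  month     = aug,
  pdf       = {mangler_privacy_proxy.pdf},
  publisher = {IEEE Computer Society},
}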
-
Maria Leitner and Juergen Mangler and Stefanie Rinderle Ma, "Design and Development of Process-aware Security Policies," in
Sixth International Conference on Availability, Reliability and Security, 2011.
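@inproceedings{_Design_and_Development_of_Proc_2011,
  author    = {Leitner, Maria and Mangler, Juergen and Rinderle Ma, Stefanie},
  title     = {Design and Development of Process-aware Security Policies},
  booktitle = {Sixth International Conference on Availability, Reliability and Security},
  year      = {2011},
  month     = aug,
  pdf       = {mangler_responsibilities.pdf},
  publisher = {IEEE Computer Society},
}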
-
Reza Rawassizadeh and Johannes Heurix and Soheil Khosravipour and A Min Tjoa, "LidSec: A Lightweight Pseudonymization Approach for Textual Personal Information," in
ARES 2011 Workshop: Proceedings of the First International Workshop on Privacy by Design, 2011.
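@inproceedings{_LidSec_A_Lightweight_Pseudonym_2011,
  author    = {Rawassizadeh, Reza and Heurix, Johannes and Khosravipour, Soheil and Tjoa, A Min},
  title     = {{LidSec}: A Lightweight Pseudonymization Approach for Textual Personal Information},
  booktitle = {{ARES} 2011 Workshop: Proceedings of the First International Workshop on Privacy by Design},
  year      = {2011},
  month     = aug,
  pdf       = {Heurix_pbd_2011.pdf},
  publisher = {IEEE Computer Society},
}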
-
Johannes Heurix and Thomas Neubauer, "Privacy-Preserving Storage and Access of Medical Data through Pseudonymization and Encryption," in
Trust, Privacy and Security in Digital Business – 8th International, 2011, pp. 186-197.
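@inproceedings{_Privacy_Preserving_Storage_and_2011,
  author    = {Heurix, Johannes and Neubauer, Thomas},
  title     = {Privacy-Preserving Storage and Access of Medical Data through Pseudonymization and Encryption},
  booktitle = {Trust, Privacy and Security in Digital Business -- 8th International},
  year      = {2011},
  month     = aug,
  pdf       = {Heurix_trustbus_2011.pdf},
  volume    = {6863},
  pages     = {186--197},
  publisher = {Springer},
}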
-
Maria Leitner and Stefanie Rinderle Ma and Juergen Mangler, "AW-RBAC: Access Control in Adaptive Workflow Systems," in
Sixth International Conference on Availability, Reliability and Security, 2011.
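@inproceedings{_AW_RBAC_Access_Control_in_Adap_2011,
  author    = {Leitner, Maria and Rinderle Ma, Stefanie and Mangler, Juergen},
  title     = {{AW-RBAC}: Access Control in Adaptive Workflow Systems},
  booktitle = {Sixth International Conference on Availability, Reliability and Security},
  year      = {2011},
  month     = aug,
  pdf       = {mangler_aw-rbac.pdf},
  publisher = {IEEE Computer Society},
}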
-
Sigrid Schefer, "Consistency Checks for Duties in Extended UML2 Activity Models," in
Proc. of the International Workshop on Security Aspects in Process-Aware Information Systems (SAPAIS), 2011.
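@inproceedings{_Consistency_Checks_for_Duties__2011,
  author    = {Schefer, Sigrid},
  title     = {Consistency Checks for Duties in Extended {UML2} Activity Models},
  booktitle = {Proc. of the International Workshop on Security Aspects in Process-Aware Information Systems ({SAPAIS})},
  year      = {2011},
  month     = aug,
  pdf       = {230_paper_4148.pdf},
}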
-
Anne Baumgrass, "Using Event Logs to Derive Role Engineering Artefacts," in
Proc. of the International Workshop on Security Aspects in Process-Aware Information Systems (SAPAIS), 2011.
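@inproceedings{_Deriving_Current_State_RBAC_Mo_2011,
  author    = {Baumgrass, Anne},
  title     = {Using Event Logs to Derive Role Engineering Artefacts},
  booktitle = {Proc. of the International Workshop on Security Aspects in Process-Aware Information Systems ({SAPAIS})},
  year      = {2011},
  month     = aug,
  pdf       = {230_paper_4025.pdf},
  note      = {ARES Workshop},
}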
-
Bernhard Hoisl and S. Sobernig, "Integrity and Confidentiality Annotations for Service Interfaces in SoaML Models," in
Proc. of the International Workshop on Security Aspects in Process-Aware Information Systems (SAPAIS), 2011.
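@inproceedings{_Integrity_and_Confidentiality__2011,
  author    = {Hoisl, Bernhard and Sobernig, S.},
  title     = {Integrity and Confidentiality Annotations for Service Interfaces in {SoaML} Models},
  booktitle = {Proc. of the International Workshop on Security Aspects in Process-Aware Information Systems ({SAPAIS})},
  year      = {2011},
  month     = aug,
  pdf       = {230_paper_4037.pdf},
  note      = {ARES Workshop},
}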
-
Sigrid Schefer and Mark Strembeck, "Modeling Support for Delegating Roles, Tasks, and Duties in a Process-Related RBAC Context," in
Proc. of the International Workshop on Information Systems Security Engineering (WISSE), 2011.
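@inproceedings{_Modeling_Support_for_Delegatin_2011,
  author    = {Schefer, Sigrid and Strembeck, Mark},
  title     = {Modeling Support for Delegating Roles, Tasks, and Duties in a Process-Related {RBAC} Context},
  booktitle = {Proc. of the International Workshop on Information Systems Security Engineering ({WISSE})},
  year      = {2011},
  month     = jun,
  pdf       = {wisse11.pdf},
}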
-
Dimitrios Settas and Antonio Cerone and Stefan Fenz, "Towards Automatic Generation of Ontology-based Antipattern Bayesian Network Models," in
Proceedings of the 9th International Conference on Software Engineering Research Management and Applications, 2011.
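@inproceedings{_Towards_Automatic_Generation_o_2011,
  author    = {Settas, Dimitrios and Cerone, Antonio and Fenz, Stefan},
  title     = {Towards Automatic Generation of Ontology-based Antipattern {Bayesian} Network Models},
  booktitle = {Proceedings of the 9th International Conference on Software Engineering Research Management and Applications},
  year      = {2011},
  month     = aug,
  pdf       = {urkesettas.pdf},
}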
-
Philipp Reschl and Martin Mulazzani and Markus Huber and Edgar R. Weippl, "Poster ACSAC 2011: Efficient Browser Identification with JavaScript Engine Fingerprinting," in
Annual Computer Security Applications Conference (ACSAC), 2011.
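@inproceedings{Reschl_Poster_ACSAC_2011_Efficient_Br_2011,
  author    = {Reschl, Philipp and Mulazzani, Martin and Huber, Markus and Weippl, Edgar R.},
  title     = {Poster {ACSAC} 2011: Efficient Browser Identification with {JavaScript} Engine Fingerprinting},
  booktitle = {Annual Computer Security Applications Conference ({ACSAC})},
  year      = {2011},
  month     = dec,
  pdf       = {JSFingerprinting_ACSAC.pdf},
}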
-
Peter Kieseberg and Sebastian Schrittwieser and Lorcan Morgan and Martin Mulazzani and Markus Huber and Edgar R. Weippl, "Using the Structure of B plus Trees for Enhancing Logging Mechanisms of Databases," in
International Conference on Information Integration and Web-based Applications & Services (iiWAS2011), 2011.
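@inproceedings{_Using_the_Structure_of_B_Trees_2011,
  author    = {Kieseberg, Peter and Schrittwieser, Sebastian and Morgan, Lorcan and Mulazzani, Martin and Huber, Markus and Weippl, Edgar R.},
  title     = {Using the Structure of {B} plus Trees for Enhancing Logging Mechanisms of Databases},
  booktitle = {International Conference on Information Integration and Web-based Applications \& Services ({iiWAS2011})},
  year      = {2011},
  month     = dec,
}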
-
Sebastian Schrittwieser and Peter Kieseberg and Isao Echizen and Sven Wohlgemuth and Noboru Sonehara and Edgar R. Weippl, "An Algorithm for k-anonymity-based Fingerprinting," in
International Workshop on Digital-forensics and Watermarking (IWDW 2011), 2011.
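@inproceedings{_An_Algorithm_for_k_anonymity_b_2011,
  author    = {Schrittwieser, Sebastian and Kieseberg, Peter and Echizen, Isao and Wohlgemuth, Sven and Sonehara, Noboru and Weippl, Edgar R.},
  title     = {An Algorithm for k-anonymity-based Fingerprinting},
  booktitle = {International Workshop on Digital-forensics and Watermarking ({IWDW} 2011)},
  year      = {2011},
  month     = oct,
  pdf       = {k_anonymity_algorithm_2011.pdf},
}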
-
Martin Mulazzani and Sebastian Schrittwieser and Manuel Leithner and Markus Huber and Edgar R. Weippl, "Cloud Speicherdienste als Angriffsvektoren," in
9th Information Security Konferenz in Krems, 2011.
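@inproceedings{DropboxKrems2011,
  author    = {Mulazzani, Martin and Schrittwieser, Sebastian and Leithner, Manuel and Huber, Markus and Weippl, Edgar R.},
  title     = {Cloud {Speicherdienste} als {Angriffsvektoren}},
  booktitle = {9th Information Security Konferenz in Krems},
  year      = {2011},
  month     = oct,
  pdf       = {DunkleWolken.pdf},
}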
-
Stefan Fenz, "E-Business and Information Security Risk Management: Challenges and Potential Solutions." IGI Global, 2011.
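@incollection{Fenz_Electronic_Business_Interopera_2011,
  author    = {Fenz, Stefan},
  title     = {{E-Business} and Information Security Risk Management: Challenges and Potential Solutions},
  booktitle = {Electronic Business Interoperability: Concepts, Opportunities and Challenges},
  year      = {2011},
  month     = jan,
  publisher = {IGI Global},
}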
-
Stefan Fenz, "Increasing Knowledge Capturing Efficiency by Enterprise Portals,"
VINE Journal, 2011.
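@article{_Increasing_Knowledge_Capturing_2011,
  author  = {Fenz, Stefan},
  title   = {Increasing Knowledge Capturing Efficiency by Enterprise Portals},
  journal = {VINE Journal},
  year    = {2011},
  month   = oct,
  pdf     = {sigproc-KCAPsample.pdf},
}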
-
Mark Strembeck, "Testing Policy-based Systems with Scenarios," in
10th Conference on Software Engineering (SE 2011), 2011.
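@inproceedings{Strembeck_Testing_Policy_based_Systems_w_2011,
  author    = {Strembeck, Mark},
  title     = {Testing Policy-based Systems with Scenarios},
  booktitle = {10th Conference on Software Engineering ({SE} 2011)},
  year      = {2011},
  month     = feb,
  pdf       = {se2011-extended.pdf},
}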
-
Stefan Fenz, "Electronic Business Interoperability: Concepts." IGI Global, 2011, pp. 596-614.
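@incollection{Fenz2011c,
  author    = {Fenz, Stefan},
  title     = {{E-Business} and Information Security Risk Management: Challenges and Potential Solutions},
  booktitle = {Electronic Business Interoperability: Concepts, Opportunities and Challenges},
  year      = {2011},
  month     = mar,
  abstract  = {For almost all private individuals and especially organizations information technology (IT) including hardware},
  pdf       = {2011 - Fenz - E-Business and Information Security Risk Management.pdf},
  pages     = {596--614},
  publisher = {IGI Global},
  isbn      = {978-1-60960-485-1},
}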
-
Sebastian Schrittwieser and Stefan Katzenbeisser, "Code Obfuscation Against Static and Dynamic Reverse Engineering," in
Information Hiding Conference 2011, 2011.
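@inproceedings{Schrittwieser_Code_Obfuscation_Against_Stati_2011,
  author    = {Schrittwieser, Sebastian and Katzenbeisser, Stefan},
  title     = {Code Obfuscation Against Static and Dynamic Reverse Engineering},
  booktitle = {Information Hiding Conference 2011},
  year      = {2011},
  month     = may,
  pdf       = {Code_Obfuscation_CameraReady.pdf},
}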
-
Mark Strembeck and Jan Mendling, "Modeling Process-related RBAC Models with Extended UML Activity Models,"
Information and Software Technology, vol. 37, 2011.
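@article{Strembeck_Modeling_Process_related_RBAC__2011,
  author        = {Strembeck, Mark and Mendling, Jan},
  title         = {Modeling Process-related {RBAC} Models with Extended {UML} Activity Models},
  journal       = {Information and Software Technology},
  year          = {2011},
  month         = may,
  abstract      = {Business processes are an important source for the engineering of customized software systems and are constantly gaining attention in the area of software engineering as well as in the area of information and system security. While the need to integrate processes and role-based access control (RBAC) models has been repeatedly identified in research and practice, standard process modeling languages do not provide corresponding language elements.},
  pdf           = {ist-v53n5-may11.pdf},
  volume        = {37},
  internal-note = {volume 37 does not match the PDF file name (v53n5) -- verify volume and number against the publisher record},
}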
-
Stefan Fenz and Simon Parkin and Aad van Moorsel, "A Community Knowledge Base for IT Security,"
IT Professional, vol. 13, iss. 3, pp. 24-30, 2011.
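@article{Fenz2011b,
  author   = {Fenz, Stefan and Parkin, Simon and van Moorsel, Aad},
  title    = {A Community Knowledge Base for {IT} Security},
  journal  = {IT Professional},
  year     = {2011},
  month    = may,
  abstract = {Does every organization need to reinvent the wheel when it comes to IT security? Not if the IT community can develop a formal knowledge base for sharing and applying IT security management knowledge.},
  pdf      = {2011 - Fenz - A Community Knowledge Base for IT Security.pdf},
  volume   = {13},
  number   = {3},
  pages    = {24--30},
}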
-
Stefan Fenz, "An Ontology- and Bayesian-based Approach for Determining Threat Probabilities," in
ASIA CCS ’11: 6th ACM Symposium on Information, Computer and Communications Security, 2011.
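@inproceedings{Fenz_An_Ontology_and_Bayesian_based_2011,
  author    = {Fenz, Stefan},
  title     = {An Ontology- and {Bayesian-based} Approach for Determining Threat Probabilities},
  booktitle = {{ASIA CCS} '11: 6th {ACM} Symposium on Information, Computer and Communications Security},
  year      = {2011},
  month     = mar,
  publisher = {ACM},
}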
-
Sigrid Schefer and Mark Strembeck, "Modeling Process-Related Duties with Extended UML Activity and Interaction Diagrams," in
International Workshop on Flexible Workflows in Distributed Systems (WowKiVS), 2011.
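@inproceedings{Schefer_Modeling_Process_Related_Dutie_2011,
  author    = {Schefer, Sigrid and Strembeck, Mark},
  title     = {Modeling Process-Related Duties with Extended {UML} Activity and Interaction Diagrams},
  booktitle = {International Workshop on Flexible Workflows in Distributed Systems ({WowKiVS})},
  year      = {2011},
  month     = mar,
  abstract  = {Business processes are an important source for the engineering of customized software systems. In this context, the definition, monitoring, and enforcement of the duties associated with different tasks in a business process is one important factor to ensure compliance of an IT system with certain laws and regulations. In this paper, we present a UML2 extension for an integrated modeling of business processes and process-related duties. In particular, our extension allows for the modeling of duties and associated tasks in business process models.},
  pdf       = {wowkivs11-extended.pdf},
  volume    = {37},
}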
-
Szabolcs Rozsnyai and Hannes Obweger and Josef Schiefer, "Event Access Expressions – A Business User Language for Analyzing Event Streams," in
25th IEEE International Conference on Advanced Information Networking and Applications (AINA11), 2011.
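@inproceedings{Rozsnyai_Event_Access_Expressions_A_Bus_2011,
  author    = {Rozsnyai, Szabolcs and Obweger, Hannes and Schiefer, Josef},
  title     = {Event Access Expressions -- A Business User Language for Analyzing Event Streams},
  booktitle = {25th {IEEE} International Conference on Advanced Information Networking and Applications ({AINA11})},
  year      = {2011},
  month     = mar,
}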
-
Thomas Neubauer and Markus Pehn, "Workshop-based Security Safeguard Selection with AURUM,"
International Journal On Advances in Security, vol. 3, 2011.
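@article{Neubauer_Workshop_based_Security_Safegu_2011,
  author  = {Neubauer, Thomas and Pehn, Markus},
  title   = {Workshop-based Security Safeguard Selection with {AURUM}},
  journal = {International Journal On Advances in Security},
  year    = {2011},
  month   = mar,
  volume  = {3},
  note    = {According to BIB should be B rated but Journal not found},
}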
-
Markus Huber and Martin Mulazzani and Edgar R. Weippl and Gerhard Kitzler and Sigrun Goluch, "Friend-in-the-middle Attacks: Exploiting Social Networking Sites for Spam,"
IEEE Internet Computing: Special Issue on Security and Privacy in Social Networks, 2011.
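@article{Huber_Friend_in_the_middle_Attacks_E_2011,
  author  = {Huber, Markus and Mulazzani, Martin and Weippl, Edgar R. and Kitzler, Gerhard and Goluch, Sigrun},
  title   = {Friend-in-the-middle Attacks: Exploiting Social Networking Sites for Spam},
  journal = {IEEE Internet Computing: Special Issue on Security and Privacy in Social Networks},
  year    = {2011},
  month   = may,
  pdf     = {FITM_InternetComputing_preprint.pdf},
  note    = {Pre Print},
}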
-
Martin Mulazzani and Sebastian Schrittwieser and Manuel Leithner and Markus Huber and Edgar R. Weippl, "Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space," in
USENIX Security, 2011.
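@inproceedings{Mulazzani_Dark_Clouds_on_the_Horizon_Usi_2011,
  author     = {Mulazzani, Martin and Schrittwieser, Sebastian and Leithner, Manuel and Huber, Markus and Weippl, Edgar R.},
  sbahotlist = {true},
  title      = {Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space},
  booktitle  = {{USENIX} Security},
  year       = {2011},
  month      = aug,
  pdf        = {dropboxUSENIX2011.pdf},
}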
-
Daniel Abouakil and Johannes Heurix and Thomas Neubauer, "Data Models for the Pseudonymization of DICOM Data," in
Proceedings of the 44th Hawaii International Conference on System Sciences, 2011, p. 157.
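@inproceedings{Abouakil_Data_Models_for_the_Pseudonymi_2011,
  author     = {Abouakil, Daniel and Heurix, Johannes and Neubauer, Thomas},
  sbahotlist = {true},
  title      = {Data Models for the Pseudonymization of {DICOM} Data},
  booktitle  = {Proceedings of the 44th Hawaii International Conference on System Sciences},
  year       = {2011},
  month      = jan,
  pages      = {157},
}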
-
Kresimir Kasal and Johannes Heurix and Thomas Neubauer, "Model-driven Development Meets Security: An Evaluation of Current Approaches," in
Proceedings of the 44th Hawaii International Conference on System Sciences, 2011, p. 268.
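@inproceedings{Kasal_Model_driven_Development_Meets_2011,
  author     = {Kasal, Kresimir and Heurix, Johannes and Neubauer, Thomas},
  sbahotlist = {true},
  title      = {Model-driven Development Meets Security: An Evaluation of Current Approaches},
  booktitle  = {Proceedings of the 44th Hawaii International Conference on System Sciences},
  year       = {2011},
  month      = jan,
  pages      = {268},
}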
-
Markus Huber and Martin Mulazzani and Manuel Leithner and Sebastian Schrittwieser and Gilbert Wondracek and Edgar R. Weippl, "Social Snapshots: Digital Forensics for Online Social Networks," in
Annual Computer Security Applications Conference (ACSAC), 2011.
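@inproceedings{_Social_Snapshots_Digital_Foren_2011,
  author     = {Huber, Markus and Mulazzani, Martin and Leithner, Manuel and Schrittwieser, Sebastian and Wondracek, Gilbert and Weippl, Edgar R.},
  sbahotlist = {true},
  title      = {Social Snapshots: Digital Forensics for Online Social Networks},
  booktitle  = {Annual Computer Security Applications Conference ({ACSAC})},
  year       = {2011},
  month      = dec,
  pdf        = {social_snapshots_preprint.pdf},
}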
-
Johannes Heurix and Michael Karlinger and Michael Schrefl and Thomas Neubauer, "A Hybrid Approach integrating Encryption and Pseudonymization for Protecting Electronic Health Records," in
Proceedings of the Eighth IASTED International Conference on Biomedical Engineering, 2011.
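@inproceedings{Heurix_A_Hybrid_Approach_integrating__2011,
  author     = {Heurix, Johannes and Karlinger, Michael and Schrefl, Michael and Neubauer, Thomas},
  sbahotlist = {true},
  title      = {A Hybrid Approach integrating Encryption and Pseudonymization for Protecting Electronic Health Records},
  booktitle  = {Proceedings of the Eighth {IASTED} International Conference on Biomedical Engineering},
  year       = {2011},
  month      = feb,
  pdf        = {2011_BioMed_A HYBRID APPROACH INTEGRATING ENCRYPTION AND.pdf},
}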
-
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Information Security Risk Management: In which security solutions is it worth investing?,"
Communications of the Association for Information Systems, 2011.
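@article{Fenz_Information_Security_Risk_Mana_2011,
  author        = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  sbahotlist    = {true},
  title         = {Information Security Risk Management: In which security solutions is it worth investing?},
  journal       = {Communications of the Association for Information Systems},
  year          = {2011},
  note          = {not published yet},
  internal-note = {Same authors, title, journal and year as entry Fenz2011a, which records volume 28, number 1, pages 329--356 -- likely a stale duplicate; merge or update after verifying},
}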
-
Raydel Montesino and Stefan Fenz, "Information security automation: how far can we go," in
Proceedings of the Sixth International Conference on Availability, 2011, pp. 280-285.
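@inproceedings{_Information_security_automatio_2011,
  author        = {Montesino, Raydel and Fenz, Stefan},
  title         = {Information security automation: how far can we go},
  booktitle     = {Proceedings of the Sixth International Conference on Availability},
  year          = {2011},
  month         = aug,
  abstract      = {Information security management is a very complex task which involves the implementation and monitoring of more than 130 security controls. To achieve greater efficiency in this process it is necessary to automate as many controls as possible. This paper provides an analysis of how many controls can be automated},
  pdf           = {Montesino.pdf},
  pages         = {280--285},
  publisher     = {IEEE Computer Society},
  internal-note = {booktitle looks truncated at a comma; other entries in this file name the venue "Sixth International Conference on Availability, Reliability and Security" -- verify},
}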
-
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Information Security Risk Management: In which security solutions is it worth investing?,"
Communications of the Association for Information Systems, vol. 28, iss. 1, pp. 329-356, 2011.
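@article{Fenz2011a,
  author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  sbahotlist = {true},
  title      = {Information Security Risk Management: In which security solutions is it worth investing?},
  journal    = {Communications of the Association for Information Systems},
  year       = {2011},
  month      = may,
  pdf        = {2011 - Fenz - Information Security Risk Management In Which Security Solutions Is It Worth Investing.pdf},
  volume     = {28},
  number     = {1},
  pages      = {329--356},
}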
-
Stefan Fenz and Simon Parkin and Aad van Moorsel, "Do we have to reinvent the security wheel at every organization?,"
IT Professional, 2011.
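@article{Fenz_Do_we_have_to_reinvent_the_sec_2011,
  author  = {Fenz, Stefan and Parkin, Simon and van Moorsel, Aad},
  title   = {Do we have to reinvent the security wheel at every organization?},
  journal = {IT Professional},
  year    = {2011},
  note    = {not published yet},
}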
-
Hannes Obweger and Josef Schiefer and Martin Suntinger and Peter Kepplinger, "Model-Driven Rule Composition for Event-Based Systems,"
International Journal of Business Process Integration and Management, 2011.
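@article{Obweger_Model_Driven_Rule_Composition__2011,
  author  = {Obweger, Hannes and Schiefer, Josef and Suntinger, Martin and Kepplinger, Peter},
  title   = {Model-Driven Rule Composition for Event-Based Systems},
  journal = {International Journal of Business Process Integration and Management},
  year    = {2011},
  pdf     = {IJBPIM050405 OBWEGER.pdf},
  note    = {In Press},
}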
-
Sigrid Schefer and Mark Strembeck and Jan Mendling, "Checking Satisfiability Aspects of Binding Constraints in a Business Process Context," in
Proc. of the Workshop on Workflow Security Audit and Certification (WfSAC), Lecture Notes in Computer Science (LNCS), 2011.
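@inproceedings{_Checking_Satisfiability_Aspect_2011,
  author    = {Schefer, Sigrid and Strembeck, Mark and Mendling, Jan},
  title     = {Checking Satisfiability Aspects of Binding Constraints in a Business Process Context},
  booktitle = {Proc. of the Workshop on Workflow Security Audit and Certification ({WfSAC})},
  series    = {Lecture Notes in Computer Science ({LNCS})},
  year      = {2011},
  month     = aug,
  publisher = {Springer},
}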
-
Stefan Proell and Eva Zangerle and Wolfgang Gassler, "MySQL: Das Handbuch fuer Administratoren." Galileo Press, 2011.
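@book{_MySQL_Das_Handbuch_fuer_Admini_2011,
  author    = {Proell, Stefan and Zangerle, Eva and Gassler, Wolfgang},
  title     = {{MySQL}: Das {Handbuch} fuer {Administratoren}},
  series    = {Galileo Computing},
  year      = {2011},
  month     = aug,
  publisher = {Galileo Press},
}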
-
Robert Thullner and Szabolcs Rozsnyai and Hannes Obweger and Josef Schiefer and Martin Suntinger, "Proactive Business Process Compliance Monitoring with Event-Based Systems," in
6th International Workshop on Vocabularies, Ontologies and Rules for The Enterprise (VORTE 2011), 2011.
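@inproceedings{Thullner_Proactive_Business_Process_Com_2011,
  author    = {Thullner, Robert and Rozsnyai, Szabolcs and Obweger, Hannes and Schiefer, Josef and Suntinger, Martin},
  title     = {Proactive Business Process Compliance Monitoring with Event-Based Systems},
  booktitle = {6th International Workshop on Vocabularies, Ontologies and Rules for The Enterprise ({VORTE} 2011)},
  year      = {2011},
  month     = aug,
  pdf       = {07 Proactive Business Process Compliance Monitoring with Event-Based.pdf},
}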
-
Sebastian Schrittwieser and Peter Kieseberg and Isao Echizen and Sven Wohlgemuth and Noboru Sonehara, "Using Generalization Patterns for Fingerprinting Sets of Partially Anonymized Microdata in the Course of Disasters," in
Workshop on Resilience and IT-Risk in Social Infrastructures (RISI 2011), 2011.
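@inproceedings{Schrittwieser_Using_Generalization_Patterns__2011,
  author    = {Schrittwieser, Sebastian and Kieseberg, Peter and Echizen, Isao and Wohlgemuth, Sven and Sonehara, Noboru},
  title     = {Using Generalization Patterns for Fingerprinting Sets of Partially Anonymized Microdata in the Course of Disasters},
  booktitle = {Workshop on Resilience and {IT-Risk} in Social Infrastructures ({RISI} 2011)},
  year      = {2011},
  month     = aug,
  pdf       = {k-anonymity_fingerprinting_cameraReady.pdf},
}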
-
Peter Kieseberg and Sebastian Schrittwieser and Martin Mulazzani and Markus Huber and Edgar R. Weippl, "Trees Cannot Lie: Using Data Structures for Forensics Purposes," in
European Intelligence and Security Informatics Conference (EISIC 2011), 2011.
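@inproceedings{Kieseberg_Trees_Cannot_Lie_Using_Data_St_2011,
  author    = {Kieseberg, Peter and Schrittwieser, Sebastian and Mulazzani, Martin and Huber, Markus and Weippl, Edgar R.},
  title     = {Trees Cannot Lie: Using Data Structures for Forensics Purposes},
  booktitle = {European Intelligence and Security Informatics Conference ({EISIC} 2011)},
  year      = {2011},
  month     = sep,
  pdf       = {btree_forensics_camera_ready.pdf},
}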
-
Raydel Montesino and Stefan Fenz, "Automation possibilities in information security management," in
Proceedings of the European Conference in Intelligence Security Informatics 2011, 2011.
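@inproceedings{_Automation_possibilities_in_in_2011,
  author    = {Montesino, Raydel and Fenz, Stefan},
  title     = {Automation possibilities in information security management},
  booktitle = {Proceedings of the European Conference in Intelligence Security Informatics 2011},
  year      = {2011},
  month     = sep,
  pdf       = {PID1947709.pdf},
}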
-
Anne Baumgrass and Thomas Baier and Jan Mendling and Mark Strembeck, "Conformance Checking of RBAC Policies in Process-Aware Information," in
Proc. of the Workshop on Workflow Security Audit and Certification (WfSAC), Lecture Notes in Computer Science (LNCS), 2011.
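@inproceedings{_Conformance_Checking_of_RBAC_P_2011,
  author        = {Anne Baumgrass and Thomas Baier and Jan Mendling and Mark Strembeck},
  title         = {Conformance Checking of {RBAC} Policies in Process-Aware Information},
  booktitle     = {Proc. of the Workshop on Workflow Security Audit and Certification (WfSAC), Lecture Notes in Computer Science (LNCS)},
  year          = {2011},
  month         = aug,
  volume        = {XX},
  publisher     = {Springer},
  internal-note = {volume XX is a placeholder: replace it with the published LNCS volume number or drop the field. The title looks truncated (it ends at "Information"); confirm the full title against the published paper.},
}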
-
Matthias Neugschwandtner and Christian Platzer and Paolo Milani Comparetti and Ulrich Bayer, "dAnubis (Dynamic Device Driver Analysis Based on Virtual Machine Introspection)," in
Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment DIMVA, 2010.
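@inproceedings{Neugschwandtner_dAnubis_Dynamic_Device_Driver__null,
  author    = {Matthias Neugschwandtner and Christian Platzer and Paolo Milani Comparetti and Ulrich Bayer},
  title     = {{dAnubis} (Dynamic Device Driver Analysis Based on Virtual Machine Introspection)},
  booktitle = {Seventh Conference on Detection of Intrusions and Malware \& Vulnerability Assessment DIMVA},
  year      = {2010},
  month     = jul,
  abstract  = {In the escalating arms race between malicious code and security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard to detect backdoors, provide stealth by hiding files, processes or other resources and in general tamper with operating system code and data in arbitrary ways. Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver's behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.},
  pdf       = {dimva2010-dAnubis.pdf},
}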
-
Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel, "Is the Internet for Porn? An Insight into the Online Adult Industry," in
Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010), 2010.
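@inproceedings{Wondracek_InternetPorn2010,
  author    = {Gilbert Wondracek and Thorsten Holz and Christian Platzer and Engin Kirda and Christopher Kruegel},
  title     = {Is the {Internet} for Porn? An Insight into the Online Adult Industry},
  booktitle = {Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010)},
  year      = {2010},
  month     = jun,
  pdf       = {weis2010_wondracek.pdf},
}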
-
Markus Huber and Martin Mulazzani and Edgar R. Weippl, "Social Networking Sites Security Quo Vadis," in
Proceedings of the 1st International Workshop on Privacy Aspects of Social Web and Cloud Computing, 2010.
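@inproceedings{Huber_Social_Networking_Sites_Securi_2010,
  author    = {Markus Huber and Martin Mulazzani and {Edgar R.} Weippl},
  title     = {Social Networking Sites Security Quo Vadis},
  booktitle = {Proceedings of the 1st International Workshop on Privacy Aspects of Social Web and Cloud Computing},
  year      = {2010},
  month     = aug,
}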
-
Stefan Jakoubi and Simon Tjoa and Sigrun Goluch and Gerhard Kitzler, "Risk-Aware Business Process Management: Establishing the Link Between Business and Security." Springer New York, 2010, vol. 41, pp. 109-135.
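@incollection{Jakoubi_Risk_Aware_Business_Process_Ma_2010,
  author        = {Stefan Jakoubi and Simon Tjoa and Sigrun Goluch and Gerhard Kitzler},
  title         = {Risk-Aware Business Process Management: Establishing the Link Between Business and Security},
  booktitle     = {Complex Intelligent Systems and Their Applications},
  year          = {2010},
  month         = aug,
  volume        = {41},
  pages         = {109--135},
  publisher     = {Springer New York},
  note          = {Book},
  internal-note = {entry type changed from inbook to incollection: title holds the chapter title and booktitle the containing book, which is the incollection layout},
}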
-
Gerald Bader and Amin Anjomshoaa and A Min Tjoa, "Privacy Aspects of Mashup Architecture," in
Proceedings of IEEE Conference on Privacy, Security, Risk and Trust (PASSAT 2010), 2010.
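@inproceedings{Bader_Privacy_Aspects_of_Mashup_Arch_2010,
  author    = {Gerald Bader and Amin Anjomshoaa and {A Min} Tjoa},
  title     = {Privacy Aspects of Mashup Architecture},
  booktitle = {Proceedings of IEEE Conference on Privacy, Security, Risk and Trust (PASSAT 2010)},
  year      = {2010},
  month     = aug,
}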
-
Albert Kavelar and Hannes Obweger and Josef Schiefer and Martin Suntinger, "Web-Based Decision Making for Complex Event Processing Systems," in
Proceedings of the 2010 6th World Congress on Services (SERVICES’10), 2010.
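@inproceedings{Kavelar_Web_Based_Decision_Making_for__2010,
  author    = {Albert Kavelar and Hannes Obweger and Josef Schiefer and Martin Suntinger},
  title     = {Web-Based Decision Making for Complex Event Processing Systems},
  booktitle = {Proceedings of the 2010 6th World Congress on Services (SERVICES'10)},
  year      = {2010},
  month     = jul,
}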
-
Markus Huber and Martin Mulazzani and Edgar R. Weippl, "Tor HTTP usage and information leakage," in
Proceedings of IFIP CMS 2010, 2010, pp. 245-255.
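@inproceedings{Mulazzani_Tor_HTTP_usage_and_information_2010,
  author    = {Markus Huber and Martin Mulazzani and {Edgar R.} Weippl},
  title     = {{Tor} {HTTP} usage and information leakage},
  booktitle = {Proceedings of IFIP CMS 2010},
  year      = {2010},
  month     = may,
  pages     = {245--255},
}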
-
Hannes Obweger and Martin Suntinger and Josef Schiefer and Gunther Raidl, "Similarity Searching in Sequences of Complex Events," in
Proceedings of the 4th International Conference on Research Challenges in Information Science (RCIS’10), 2010.
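@inproceedings{Obweger_Similarity_Searching_in_Sequen_2010,
  author    = {Hannes Obweger and Martin Suntinger and Josef Schiefer and Gunther Raidl},
  title     = {Similarity Searching in Sequences of Complex Events},
  booktitle = {Proceedings of the 4th International Conference on Research Challenges in Information Science (RCIS'10)},
  year      = {2010},
  month     = may,
}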
-
Thomas Neubauer and Johannes Heurix and A Min Tjoa and Edgar R. Weippl, "Pseudonymisierung für die datenschutzkonforme Speicherung medizinischer Daten,"
Elektrotechnik und Informationstechnik, vol. 127, iss. 5, pp. 135-142, 2010.
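@article{Neubauer_Pseudonymisierung_f_r_die_date_2010,
  author  = {Thomas Neubauer and Johannes Heurix and {A Min} Tjoa and {Edgar R.} Weippl},
  title   = {Pseudonymisierung für die datenschutzkonforme {Speicherung} medizinischer {Daten}},
  journal = {Elektrotechnik und Informationstechnik},
  year    = {2010},
  month   = may,
  volume  = {127},
  number  = {5},
  pages   = {135--142},
}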
-
Clemens Kolbitsch and Christopher Kruegel and Engin Kirda, "Extending Mondrian Memory Protection," in
NATO RTO IST-091 Symposium, 2010.
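@inproceedings{Kolbitsch_Extending_Mondrian_Memory_Prot_2010,
  author    = {Clemens Kolbitsch and Christopher Kruegel and Engin Kirda},
  title     = {Extending {Mondrian} Memory Protection},
  booktitle = {NATO RTO IST-091 Symposium},
  year      = {2010},
  month     = apr,
}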
-
Martin Suntinger and Hannes Obweger and Josef Schiefer and Philip Limbeck and Gunther Raidl, "Trend-Based Similarity Search in Time-Series Data," in
Proceedings of the Second International Conference on Advances in Databases, Knowledge and Data Applications (DBKDA’10), 2010.
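@inproceedings{Suntinger_Trend_Based_Similarity_Search__2010,
  author    = {Martin Suntinger and Hannes Obweger and Josef Schiefer and Philip Limbeck and Gunther Raidl},
  title     = {Trend-Based Similarity Search in Time-Series Data},
  booktitle = {Proceedings of the Second International Conference on Advances in Databases, Knowledge and Data Applications (DBKDA'10)},
  year      = {2010},
  month     = apr,
}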
-
Marco Balduzzi and Manuel Egele and Engin Kirda and Davide Balzarotti and Christopher Kruegel, "A Solution for the Automated Detection of Clickjacking Attacks," in
ASIACCS, 2010.
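@inproceedings{Balduzzi_A_Solution_for_the_Automated_D_2010,
  author    = {Marco Balduzzi and Manuel Egele and Engin Kirda and Davide Balzarotti and Christopher Kruegel},
  title     = {A Solution for the Automated Detection of Clickjacking Attacks},
  booktitle = {ASIACCS},
  year      = {2010},
  month     = apr,
}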
-
Tobias Lauinger and Veikko Pankakoski and Davide Balzarotti and Engin Kirda, "Honeybot, Your Man in the Middle for Automated Social Engineering," in
Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2010), 2010.
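@inproceedings{Lauinger_Honeybot2010,
  author    = {Tobias Lauinger and Veikko Pankakoski and Davide Balzarotti and Engin Kirda},
  title     = {{Honeybot}, Your Man in the Middle for Automated Social Engineering},
  booktitle = {Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2010)},
  year      = {2010},
  month     = apr,
  pdf       = {autosoc-leet2010.pdf},
}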
-
Simon Tjoa and Stefan Jakoubi and Gernot Goluch and Gerhard Kitzler and Sigrun Goluch and Gerald Quirchmayr, "A Formal Approach Enabling Risk-aware Business Process Modeling and Simulation,"
IEEE Transactions on Services Computing, 2010.
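@article{Tjoa2010a,
  author  = {Simon Tjoa and Stefan Jakoubi and Gernot Goluch and Gerhard Kitzler and Sigrun Goluch and Gerald Quirchmayr},
  title   = {A Formal Approach Enabling Risk-aware Business Process Modeling and Simulation},
  journal = {IEEE Transactions on Services Computing},
  year    = {2010},
  month   = apr,
  pdf     = {Tjoa_TSC2010.pdf},
}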
-
David Huemer and A Min Tjoa and Benjamin Böck, "Towards more Trustable Log Files for Digital Forensics by Means of Trusted Computing," in
Proceedings of the 24th International Conference on Advanced Information Networking and Applications (AINA 2010), 2010.
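@inproceedings{huemer_2010_towardsMoreTrustableLogFiles,
  author    = {David Huemer and {A Min} Tjoa and Benjamin Böck},
  title     = {Towards more Trustable Log Files for Digital Forensics by Means of Trusted Computing},
  booktitle = {Proceedings of the 24th International Conference on Advanced Information Networking and Applications (AINA 2010)},
  year      = {2010},
  month     = apr,
}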
-
Philip Limbeck and Martin Suntinger and Josef Schiefer, "SARI OpenRec – Empowering Recommendation Systems with Business Events," in
Proceedings of the Second International Conference on Advances in Databases, Knowledge and Data Applications (DBKDA’10), 2010.
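@inproceedings{Limbeck_SARI_OpenRec_Empowering_Recomm_2010,
  author    = {Philip Limbeck and Martin Suntinger and Josef Schiefer},
  title     = {{SARI} {OpenRec} -- Empowering Recommendation Systems with Business Events},
  booktitle = {Proceedings of the Second International Conference on Advances in Databases, Knowledge and Data Applications (DBKDA'10)},
  year      = {2010},
  month     = apr,
}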
-
Johannes Heurix and Thomas Neubauer, "A Roadmap for personal identity management," in
Fifth International Conference on Systems, 2010, pp. 134-139.
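@inproceedings{Neubauer_A_Roadmap_for_personal_identit_2010,
  author    = {Johannes Heurix and Thomas Neubauer},
  title     = {A Roadmap for personal identity management},
  booktitle = {Fifth International Conference on Systems},
  year      = {2010},
  month     = apr,
  pages     = {134--139},
}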
-
Heinz Roth and Josef Schiefer and Hannes Obweger and Szabolcs Rozsnyai, "Event Data Warehousing for Complex Event Processing," in
Proceedings of the 4th International Conference on Research Challenges in Information Science (RCIS’10), 2010.
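@inproceedings{Schiefer_Event_Data_Warehousing_for_Com_2010,
  author    = {Heinz Roth and Josef Schiefer and Hannes Obweger and Szabolcs Rozsnyai},
  title     = {Event Data Warehousing for Complex Event Processing},
  booktitle = {Proceedings of the 4th International Conference on Research Challenges in Information Science (RCIS'10)},
  year      = {2010},
  month     = may,
}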
-
Gerhard Kitzler and Sigrun Goluch and Simon Tjoa and Stefan Jakoubi, "A Formal Approach Enabling Risk-aware Business Process Modeling and Simulation,"
IEEE Transactions on Services Computing, vol. PP, iss. PrePrints, p. 1, 2010.
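@article{Tjoa_A_Formal_Approach_Enabling_Ris_2010,
  author        = {Gerhard Kitzler and Sigrun Goluch and Simon Tjoa and Stefan Jakoubi},
  title         = {A Formal Approach Enabling Risk-aware Business Process Modeling and Simulation},
  journal       = {IEEE Transactions on Services Computing},
  year          = {2010},
  month         = may,
  volume        = {PP},
  number        = {PrePrints},
  pages         = {1},
  internal-note = {same title, journal and year as entry Tjoa2010a but with a different author list; volume PP, number PrePrints and pages 1 look like preprint placeholders. Confirm against the published article and merge the two records.},
}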
-
Marco Balduzzi and Christian Platzer and Thorsten Holz and Engin Kirda and Davide Balzarotti and Christopher Kruegel, "Abusing Social Networks for Automated User Profiling," in
International Symposium on Recent Advances in Intrusion Detection (RAID 2010), 2010.
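@inproceedings{Balduzzi_Abusing_Social_Networks_for_Au_2010,
  author    = {Marco Balduzzi and Christian Platzer and Thorsten Holz and Engin Kirda and Davide Balzarotti and Christopher Kruegel},
  title     = {Abusing Social Networks for Automated User Profiling},
  booktitle = {International Symposium on Recent Advances in Intrusion Detection (RAID 2010)},
  year      = {2010},
  month     = sep,
}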
-
Gilbert Wondracek and Thorsten Holz and Engin Kirda and Christopher Kruegel, "A Practical Attack to De-Anonymize Social Network Users," in
IEEE Security and Privacy, 2010.
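@inproceedings{Wondracek_A_Practical_Attack_to_De_Anony_2010,
  author    = {Gilbert Wondracek and Thorsten Holz and Engin Kirda and Christopher Kruegel},
  title     = {A Practical Attack to De-Anonymize Social Network Users},
  booktitle = {IEEE Security and Privacy},
  year      = {2010},
  month     = may,
}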
-
Peter Fruehwirt and Markus Huber and Martin Mulazzani and Edgar R. Weippl, "InnoDB Database Forensics," in
Proceedings of the 24th International Conference on Advanced Information Networking and Applications, 2010.
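@inproceedings{Huber_InnoDB_Database_Forensics_2010,
  author    = {Peter Fruehwirt and Markus Huber and Martin Mulazzani and {Edgar R.} Weippl},
  title     = {{InnoDB} Database Forensics},
  booktitle = {Proceedings of the 24th International Conference on Advanced Information Networking and Applications},
  year      = {2010},
  month     = apr,
  pdf       = {AINA2010-InnoDBforensics_preprint.pdf},
}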
-
Kathrin Figl and Jan Mendling and Mark Strembeck and Jan Recker, "On the Cognitive Effectiveness of Routing Symbols in Process Modeling Languages," in
13th International Conference on Business Information Systems (BIS), 2010.
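@inproceedings{Figl_On_the_Cognitive_Effectiveness_2010,
  author    = {Kathrin Figl and Jan Mendling and Mark Strembeck and Jan Recker},
  title     = {On the Cognitive Effectiveness of Routing Symbols in Process Modeling Languages},
  booktitle = {13th International Conference on Business Information Systems (BIS)},
  year      = {2010},
  month     = may,
}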
-
W. Sunindyo and Stefan Biffl and C. Frühwirth and R. Mordinyi and T. Moser and Alexander Schatten and Sebastian Schrittwieser and Edgar R. Weippl, "Defect Detection Using Event-Based Process Analysis in Software Engineering Projects," in
36th Euromicro Conference Software Engineering and Advanced Applications SEAA 2010, 2010.
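@inproceedings{Sunindyo_Defect_Detection_Using_Event_B_2010,
  author    = {W. Sunindyo and Stefan Biffl and C. Frühwirth and R. Mordinyi and T. Moser and Alexander Schatten and Sebastian Schrittwieser and {Edgar R.} Weippl},
  title     = {Defect Detection Using Event-Based Process Analysis in Software Engineering Projects},
  booktitle = {36th Euromicro Conference Software Engineering and Advanced Applications SEAA 2010},
  year      = {2010},
  month     = sep,
}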
-
Farman Ali Khan and Sabine Graf and Edgar R. Weippl and A Min Tjoa, "Role of Learning Styles and Affective States in Web-based Adaptive Learning Environments," in
Proceedings of ED-MEDIA, 2010.
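@inproceedings{weippl_bzzh_2010_LearningStyles_EDMEDIA,
  author    = {Farman {Ali Khan} and Sabine Graf and {Edgar R.} Weippl and {A Min} Tjoa},
  title     = {Role of Learning Styles and Affective States in Web-based Adaptive Learning Environments},
  booktitle = {Proceedings of ED-MEDIA},
  year      = {2010},
  month     = sep,
  publisher = {AACE},
}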
-
Muhammad Asfand e yar and Amin Anjomshoaa and Edgar R. Weippl and A Min Tjoa, "Exploiting Ontology for Software License Agreements,"
International Journal of Software and Informatics (IJSI), vol. 4, iss. 1, pp. 1-12, 2010.
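@article{Asfand-e-yar_Exploiting_Ontology_for_Softwa_2010,
  author        = {{Asfand e yar}, Muhammad and Amin Anjomshoaa and {Edgar R.} Weippl and {A Min} Tjoa},
  title         = {Exploiting Ontology for Software License Agreements},
  journal       = {International Journal of Software and Informatics (IJSI)},
  year          = {2010},
  month         = mar,
  pdf           = {Papers/Weippl/ax_2010_ontologyLicense.pdf},
  volume        = {4},
  number        = {1},
  pages         = {1--12},
  internal-note = {According to Amin within Reporting Timeframe. Moved out of the note field so this bookkeeping remark is not printed in the bibliography. The first author's surname is braced so that the lowercase "e" is not parsed as a name particle; the citation key suggests the surname is Asfand-e-yar, confirm the preferred spelling.},
}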
-
Gianluca Stringhini and Christopher Kruegel and Giovanni Vigna, "Detecting Spammers On Social Networks," in
26th Annual Computer Security Applications Conference (ACSAC), 2010.
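@inproceedings{Stringhini_Detecting_Spammers_On_Social_N_2010,
  author     = {Gianluca Stringhini and Christopher Kruegel and Giovanni Vigna},
  sbahotlist = {true},
  title      = {Detecting Spammers On Social Networks},
  booktitle  = {26th Annual Computer Security Applications Conference (ACSAC)},
  year       = {2010},
  month      = dec,
}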
-
Kaan Onarlioglu and Leyla Bilge and Andrea Lanzi and Davide Balzarotti and Engin Kirda, "G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries," in
26th Annual Computer Security Applications Conference (ACSAC), 2010.
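@inproceedings{Onarlioglu_G_Free_Defeating_Return_Orient_2010,
  author     = {Kaan Onarlioglu and Leyla Bilge and Andrea Lanzi and Davide Balzarotti and Engin Kirda},
  sbahotlist = {true},
  title      = {{G-Free}: Defeating Return-Oriented Programming through Gadget-less Binaries},
  booktitle  = {26th Annual Computer Security Applications Conference (ACSAC)},
  year       = {2010},
  month      = dec,
}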
-
Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna, "Efficient Detection of Split Personalities in Malware," in
17th Annual Network and Distributed System Security Symposium (NDSS 2010), 2010.
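@inproceedings{Balzarotti_Efficient_Detection_of_Split_P_2010,
  author     = {Davide Balzarotti and Marco Cova and Christoph Karlberger and Christopher Kruegel and Engin Kirda and Giovanni Vigna},
  sbahotlist = {true},
  title      = {Efficient Detection of Split Personalities in Malware},
  booktitle  = {17th Annual Network and Distributed System Security Symposium (NDSS 2010)},
  year       = {2010},
  month      = feb,
}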
-
Johannes Heurix and Thomas Neubauer, "A methodology for the pseudonymization of medical data,"
International Journal of Medical Informatics, vol. 80, iss. 3, pp. 190-204, 2010.
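@article{Neubauer_A_methodology_for_the_pseudony_2010,
  author     = {Johannes Heurix and Thomas Neubauer},
  sbahotlist = {true},
  title      = {A methodology for the pseudonymization of medical data},
  journal    = {International Journal of Medical Informatics},
  year       = {2010},
  month      = oct,
  volume     = {80},
  number     = {3},
  pages      = {190--204},
}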
-
Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christoderescu and Engin Kirda, "AccessMiner: Using System-Centric Models for Malware Protection," in
17th ACM Conference on Computer and Communications Security (CCS), 2010.
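@inproceedings{Lanzi_AccessMiner_Using_System_Centr_2010,
  author     = {Andrea Lanzi and Davide Balzarotti and Christopher Kruegel and Mihai Christoderescu and Engin Kirda},
  sbahotlist = {true},
  title      = {{AccessMiner}: Using System-Centric Models for Malware Protection},
  booktitle  = {17th ACM Conference on Computer and Communications Security (CCS)},
  year       = {2010},
  month      = oct,
}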
-
Engin Kirda and Ulrich Bayer and Corrado Leita, "Exploiting diverse observation perspectives to get insights on the malware landscape," in
Dependable Systems and Networks (DSN) 2010 IEEE IFIP International Conference on, 2010, pp. 393-402.
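@inproceedings{leita2010exploiting,
  author     = {Engin Kirda and Ulrich Bayer and Corrado Leita},
  sbahotlist = {true},
  title      = {Exploiting diverse observation perspectives to get insights on the malware landscape},
  booktitle  = {Dependable Systems and Networks (DSN) 2010 IEEE IFIP International Conference on},
  year       = {2010},
  month      = jan,
  pdf        = {dsn2010.pdf},
  pages      = {393--402},
}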
-
Stefan Fenz, "Ontology-based Generation of IT-Security Metrics," in
Proceedings of the 2010 ACM Symposium on Applied Computing, 2010, pp. 1833-1839.
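@inproceedings{Fenz2010,
  author     = {Stefan Fenz},
  sbahotlist = {true},
  title      = {Ontology-based Generation of {IT}-Security Metrics},
  booktitle  = {Proceedings of the 2010 ACM Symposium on Applied Computing},
  year       = {2010},
  month      = jan,
  abstract   = {Legal regulations and industry standards require organizations to measure and maintain a specified IT-security level. Although several IT-security metrics approaches have been developed, a methodology for automatically generating ISO 27001-based IT-security metrics based on concrete organization-specific control implementation knowledge is missing. Based on the security ontology by Fenz et al., including information security domain knowledge and the necessary structures to incorporate organization-specific facts into the ontology, this paper proposes a methodology for automatically generating ISO 27001-based IT-security metrics. The conducted validation has shown that the research results are a first step towards increasing the degree of automation in the field of IT-security metrics. Using the introduced methodology, organizations are enabled to evaluate their compliance with information security standards, and to evaluate control implementations' effectiveness at the same time.},
  pdf        = {2010FenzOntologybasedGenerationMetrics.pdf},
  pages      = {1833--1839},
  publisher  = {ACM},
}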
-
Clemens Kolbitsch and Thorsten Holz and Christopher Kruegel and Engin Kirda, "Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries," in
IEEE Security and Privacy 2010, 2010.
-
Mark Strembeck and Jan Mendling, "Generic Algorithms for Consistency Checking of Mutual-Exclusion and Binding Constraints in a Business Process Context," in
18th International Conference on Cooperative Information Systems (CoopIS), 2010.
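@inproceedings{Strembeck_Generic_Algorithms_for_Consist_2010,
  author     = {Mark Strembeck and Jan Mendling},
  sbahotlist = {true},
  title      = {Generic Algorithms for Consistency Checking of Mutual-Exclusion and Binding Constraints in a Business Process Context},
  booktitle  = {18th International Conference on Cooperative Information Systems (CoopIS)},
  year       = {2010},
  month      = oct,
  volume     = {6426},
  publisher  = {Springer Verlag},
}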
-
Corrado Leita and Ulrich Bayer and Engin Kirda, "Exploiting diverse observation perspectives to get insights on the malware landscape," in
Dependable Systems and Networks DSN, 2010.
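@inproceedings{Leita_Exploiting_diverse_observation_2010,
  author        = {Corrado Leita and Ulrich Bayer and Engin Kirda},
  sbahotlist    = {true},
  title         = {Exploiting diverse observation perspectives to get insights on the malware landscape},
  booktitle     = {Dependable Systems and Networks DSN},
  year          = {2010},
  month         = jan,
  abstract      = {We are witnessing an increasing complexity in the malware analysis scenario. The usage of polymorphic techniques generates a new challenge: it is often difficult to discern the instance of a known polymorphic malware from that of a newly encountered malware family, and to evaluate the impact of patching and code sharing among malware writers in order to prioritize analysis efforts. This paper offers an empirical study on the value of exploiting the complementarity of different information sources in studying malware relationships. By leveraging real-world data generated by a distributed honeypot deployment, we combine clustering techniques based on static and behavioral characteristics of the samples, and we show how this combination helps in detecting clustering anomalies. We also show how the different characteristics of the approaches can help, once combined, to underline relationships among different code variants. Finally, we highlight the importance of contextual information on malware propagation for getting a deeper understanding of the evolution and the economy of the different threats.},
  internal-note = {same title, venue and year as entry leita2010exploiting, which lists the authors in a different order and carries the pages and pdf fields; confirm the author order against the paper and merge the two records},
}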
-
William Robertson and Federico Maggi and Christopher Kruegel and Giovanni Vigna, "Effective Anomaly Detection with Scarce Training Data," in
Network and Distributed System Security Symposium (NDSS 2010), 2010.
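@inproceedings{Robertson_Effective_Anomaly_Detection_wi_2010,
  author     = {William Robertson and Federico Maggi and Christopher Kruegel and Giovanni Vigna},
  sbahotlist = {true},
  title      = {Effective Anomaly Detection with Scarce Training Data},
  booktitle  = {Network and Distributed System Security Symposium (NDSS 2010)},
  year       = {2010},
  month      = feb,
}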
-
Marco Cova and Christopher Kruegel and Giovanni Vigna, "Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code," in
International World Wide Web Conference (WWW), 2010.
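@inproceedings{Cova_Detection_and_Analysis_of_Driv_2010,
  author     = {Marco Cova and Christopher Kruegel and Giovanni Vigna},
  sbahotlist = {true},
  title      = {Detection and Analysis of Drive-by-Download Attacks and Malicious {JavaScript} Code},
  booktitle  = {International World Wide Web Conference (WWW)},
  year       = {2010},
  month      = apr,
}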
-
Martin Mulazzani and Markus Huber and Edgar R. Weippl, "Anonymity and Monitoring: How to Monitor the Infrastructure of an Anonymity System,"
IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, pp. 539-546, 2010.
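@article{Mulazzani_Anonymity_and_Monitoring_How_t_2010,
  author  = {Martin Mulazzani and Markus Huber and {Edgar R.} Weippl},
  title   = {Anonymity and Monitoring: How to Monitor the Infrastructure of an Anonymity System},
  journal = {IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews},
  year    = {2010},
  month   = sep,
  pages   = {539--546},
}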
-
Johannes Heurix and Thomas Neubauer, "On the Security of Outsourced and Untrusted Databases," in
IEEE ACIS International Conference on Computer and Information Science, 2010, pp. 125-132.
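@inproceedings{Heurix_On_the_Security_of_Outsourced__2010,
  author    = {Johannes Heurix and Thomas Neubauer},
  title     = {On the Security of Outsourced and Untrusted Databases},
  booktitle = {IEEE ACIS International Conference on Computer and Information Science},
  year      = {2010},
  month     = sep,
  abstract  = {The outsourcing of databases to third parties has become a viable alternative to traditional in-house data management. Database management by third parties including the storage and maintenance allows companies to reduce their expenses and profit from the expertise of data storage specialists. However, the price is the transfer of confidential data to third parties. The data owners need to trust the third party that data is stored (i) confidentially, such that the service providers cannot profit from passing the data to unauthorized parties, and (ii) in a correct and untampered state. This work identifies security issues that data owners have to face when it comes to database outsourcing. We provide an overview of existing techniques for solving the confidentiality and integrity problem and point out the limitations of these approaches. Thereby, this work aims to support decision makers who are confronted with the outsourcing question.},
  pages     = {125--132},
}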
-
Nicolas Racz and Andreas Seufert and Edgar R. Weippl, "Questioning the need for separate IT risk management frameworks," in
Konferenz Risk Management, Compliance und Governance für widerstandsfähige Informationssysteme, 2010, pp. 245-252.
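@inproceedings{Weippl_Questioning_the_need_for_separ_2010,
  author    = {Nicolas Racz and Andreas Seufert and {Edgar R.} Weippl},
  title     = {Questioning the need for separate {IT} risk management frameworks},
  booktitle = {Konferenz Risk Management, Compliance und Governance für widerstandsfähige Informationssysteme},
  year      = {2010},
  month     = sep,
  abstract  = {The growing importance of enterprise risk management and the resulting integration efforts put the need for separate IT risk management frameworks in question. In this research we analyse common and distinct elements of the COSO enterprise risk management and ISACA Risk IT frameworks. The analysis affirms the hypothesis that separate IT risk management frameworks are redundant.},
  pages     = {245--252},
}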
-
Amirreza Tahamtan and Amin Anjomshoaa and Edgar R. Weippl and A Min Tjoa, "A SOM-Based Technique for a User-Centric Content Extraction and Classification of Web 2.0 with a Special Consideration of Security Aspects," in
Proc. of 4th International Conference on Knowledge Science, Engineering & Management (KSEM’10), 2010.
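@inproceedings{Tahamtan_A_SOM_Based_Technique_for_a_Us_2010,
  author        = {Amirreza Tahamtan and Amin Anjomshoaa and {Edgar R.} Weippl and {A Min} Tjoa},
  title         = {A {SOM}-Based Technique for a User-Centric Content Extraction and Classification of {Web} 2.0 with a Special Consideration of Security Aspects},
  booktitle     = {Proc. of 4th International Conference on Knowledge Science, Engineering \& Management (KSEM'10)},
  year          = {2010},
  month         = sep,
  internal-note = {According to Amin within Reporting Timeframe. Moved out of the note field so this bookkeeping remark is not printed in the bibliography.},
}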
-
Markus Huber and Martin Mulazzani and Edgar R. Weippl, "Who On Earth Is Mr. Cypher? Automated Friend Injection Attacks on Social Networking Sites," in
Proceedings of the IFIP International Information Security Conference 2010: Security and Privacy, 2010.
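@inproceedings{Huber_Who_On_Earth_Is_Mr_Cypher_Auto_2010,
  author    = {Markus Huber and Martin Mulazzani and {Edgar R.} Weippl},
  title     = {Who On Earth Is {Mr.} {Cypher}? Automated Friend Injection Attacks on Social Networking Sites},
  booktitle = {Proceedings of the IFIP International Information Security Conference 2010: Security and Privacy},
  year      = {2010},
  month     = sep,
  pdf       = {sec2010-friendInjection_preprint.pdf},
}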
-
C. Frühwirth and Stefan Biffl and Alexander Schatten and Sebastian Schrittwieser and Edgar R. Weippl, "Research Challenges in the Security Design and Evaluation of an Engineering Service Bus Platform," in
36th Euromicro Conference Software Engineering and Advanced Applications (SEAA 2010), 2010.
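@inproceedings{Fruehwirth_Research_Challenges_in_the_Sec_2010,
  author    = {C. Frühwirth and Stefan Biffl and Alexander Schatten and Sebastian Schrittwieser and {Edgar R.} Weippl},
  title     = {Research Challenges in the Security Design and Evaluation of an Engineering Service Bus Platform},
  booktitle = {36th Euromicro Conference Software Engineering and Advanced Applications (SEAA 2010)},
  year      = {2010},
  month     = sep,
}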
-
Steffen Kunz and Sergei Evdokimov and Benjamin Fabian and Bernd Stieger and Mark Strembeck, "Role-Based Access Control for Information Federations in the Industrial Service Sector," in
18th European Conference on Information Systems (ECIS), 2010.
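@inproceedings{Kunz_Role_Based_Access_Control_for__2010,
  author        = {Steffen Kunz and Sergei Evdokimov and Benjamin Fabian and Bernd Stieger and Mark Strembeck},
  sbahotlist    = {true},
  title         = {Role-Based Access Control for Information Federations in the Industrial Service Sector},
  booktitle     = {18th European Conference on Information Systems (ECIS)},
  year          = {2010},
  month         = jun,
  abstract      = {Information federations promise an enhanced collaboration between individual stakeholders in the life cycle of commercial products, including software and hardware products from arbitrary business sectors. However, information sharing across corporate borders must be controlled by tailored mechanisms for enforcing individual business confidentiality and integrity requirements. One influential current security paradigm to achieve this goal is the application of Role-Based Access Control (RBAC). Based on ongoing work in the Aletheia project on service-oriented information federation, we present a case study on applying RBAC for information sharing among multiple stakeholders in the industrial service sector. We place a special emphasis on the methodical, tool-supported elicitation and definition of RBAC policies in this environment. In addition, we use the eXtensible Access Control Markup Language (XACML) to transfer RBAC policies between the different nodes in information federations. Further, we present a corresponding security architecture in which those XACML policies are applied for authorization decision and enforcement. The case study was conducted in cooperation with ABB, a large company providing},
  internal-note = {the abstract is cut off mid-sentence in this record; restore the remainder from the published paper},
}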
-
Hannes Obweger and Josef Schiefer and Peter Kepplinger and Martin Suntinger, "Discovering Hierarchical Patterns in Event-Based Systems," in
Proceedings of the 2010 IEEE International Conference on Services Computing (SCC 10), 2010.
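@inproceedings{Obweger_Discovering_Hierarchical_Patte_2010,
  author     = {Obweger, Hannes and Schiefer, Josef and Kepplinger, Peter and Suntinger, Martin},
  sbahotlist = {true},
  title      = {Discovering Hierarchical Patterns in Event-Based Systems},
  booktitle  = {Proceedings of the 2010 IEEE International Conference on Services Computing (SCC 10)},
  year       = {2010},
  month      = jul,
}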
-
Viktoria Felmetsger and Ludovico Cavedon and Christopher Kruegel and Giovanni Vigna, "Toward Automated Detection of Logic Vulnerabilities in Web Applications," in
19th Usenix Security Symposium, 2010.
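@inproceedings{Felmetsger_Toward_Automated_Detection_of__2010,
  author     = {Felmetsger, Viktoria and Cavedon, Ludovico and Kruegel, Christopher and Vigna, Giovanni},
  sbahotlist = {true},
  title      = {Toward Automated Detection of Logic Vulnerabilities in Web Applications},
  booktitle  = {19th USENIX Security Symposium},
  year       = {2010},
  month      = aug,
}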
-
Nenad Jovanovic and Christopher Kruegel and Engin Kirda, "Static analysis for detecting taint-style vulnerabilities in web applications,"
Journal of Computer Security, vol. 18, 2010.
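@article{Jovanovic_Static_analysis_for_detecting__2010,
  author     = {Jovanovic, Nenad and Kruegel, Christopher and Kirda, Engin},
  title      = {Static analysis for detecting taint-style vulnerabilities in web applications},
  journal    = {Journal of Computer Security},
  year       = {2010},
  volume     = {18},
}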
-
Amin Anjomshoaa and Khue Vo Sao and Amirreza Tahamtan and A Min Tjoa and Edgar R. Weippl, "Self-Monitoring in Social Networks,"
Special issue for the International Journal of Intelligent Information and Database Systems (IJIIDS), 2010.
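@article{Anjomshoaa_Self_Monitoring_in_Social_Netw_2010,
  author     = {Anjomshoaa, Amin and Sao, Khue Vo and Tahamtan, Amirreza and Tjoa, A Min and Weippl, Edgar R.},
  title      = {Self-Monitoring in Social Networks},
  journal    = {Special issue for the International Journal of Intelligent Information and Database Systems (IJIIDS)},
  year       = {2010},
  annote     = {According to Amin within Reporting Timeframe},
}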
-
Nicolas Racz and Edgar R. Weippl and Andreas Seufert, "A process model for integrated IT governance, risk, and compliance management," in
Proceedings of the Ninth Conference on Databases and Information Systems (DB IS 2010), 2010.
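@inproceedings{weippl_bzzf_2010_Racz,
  author     = {Racz, Nicolas and Weippl, Edgar R. and Seufert, Andreas},
  title      = {A process model for integrated {IT} governance, risk, and compliance management},
  booktitle  = {Proceedings of the Ninth Conference on Databases and Information Systems (DB IS 2010)},
  year       = {2010},
  month      = jul,
  publisher  = {Springer LNCS},
}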
-
Alexandra Mazak and Bernhard Schandl and Monika Lanzenberger, "A Heuristic-based Method for Approximating the Mismatch-at-Risk in Schema-based Ontology Alignment," in
International Conference on Knowledge Engineering and Ontology Development KEOD, 2010.
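@inproceedings{Mazak_A_Heuristic_based_Method_for_A_2010,
  author     = {Mazak, Alexandra and Schandl, Bernhard and Lanzenberger, Monika},
  title      = {A Heuristic-based Method for Approximating the Mismatch-at-Risk in Schema-based Ontology Alignment},
  booktitle  = {International Conference on Knowledge Engineering and Ontology Development KEOD},
  year       = {2010},
  month      = oct,
  abstract   = {Frequently, ontologies based on the same domain are similar but also have many differences, which are known as heterogeneity. The alignment of entities which are not meant to be used in the same context, or which follow different modeling conventions, may cause mismatch in ontology alignment. End-users would benefit from knowing the risk level of mismatch between ontologies prior to starting a time- and cost-intensive procedure. With our heuristic-based method we propose to consider the general application context of a modeled domain (the modeling context) in order to enhance the user support in schema-based alignment. In the method first part, ontology concepts are enriched with weighting meta-information, resulting from two indicators: importance weighting indicator and importance outdegree indicator. These indicators contain model- and graph-based information and can be observed and measured at the schema level of an ontology. Possible heterogeneity-risk factors are encoded in these weightings and are exploitable later in the alignment process. The output of the first part of our approach are lists of importance indicators for each ontology concept in the role of a domain class. These can be used by end-users to get a quick and context-based overview of the source ontologies. They further help to detect the core concepts or efficient initial points. In the second part, the candidate sample for our mismatch-risk model bases on external user input by manually identifying concepts between the lists of each source ontology. This strategy of a manually conducted concept selection minimizes a possible structural falsification induced by other methods. The heterogeneity risk among the concepts importance indicator values is measured as standard deviation over the candidate sample. Afterwards these measured values are aggregated, and a heterogeneity coefficient is calculated.
On the basis of this risk factor the mismatch-at-risk (MaR) between ontologies can be approximated as a threshold value for schema-based ontology alignment.},
}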
-
Paolo Milani Comparetti and Guido Salvaneschi and Engin Kirda and Clemens Kolbitsch and Christopher Kruegel and Stefano Zanero, "Identifying Dormant Functionality in Malware Programs," in
IEEE Security and Privacy 2010, 2010.
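@inproceedings{Milani_IdentifyingDormantFunctionalityMalware_2010,
  author     = {Milani Comparetti, Paolo and Salvaneschi, Guido and Kirda, Engin and Kolbitsch, Clemens and Kruegel, Christopher and Zanero, Stefano},
  title      = {Identifying Dormant Functionality in Malware Programs},
  booktitle  = {IEEE Security and Privacy 2010},
  year       = {2010},
  month      = jan,
}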
-
Markus Huber and Martin Mulazzani and Edgar R. Weippl and Gerhard Kitzler and Sigrun Goluch, "Exploiting social networking sites for spam," in
Proceedings of the 17th ACM conference on Computer and communications security, 2010, pp. 693-695.
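@inproceedings{Huber_Proceedings_of_the_17th_ACM_co_2010,
  author     = {Huber, Markus and Mulazzani, Martin and Weippl, Edgar R. and Kitzler, Gerhard and Goluch, Sigrun},
  title      = {Exploiting social networking sites for spam},
  booktitle  = {Proceedings of the 17th ACM conference on Computer and communications security},
  year       = {2010},
  month      = oct,
  pdf        = {Poster_CCS_2010.pdf},
  pages      = {693--695},
  note       = {Poster - ACM CCS 2010},
}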
-
Markus Huber and Martin Mulazzani and Sigrun Goluch and Gerhard Kitzler and Edgar R. Weippl, "Poster ACM CCS 2010: Friend-in-the-middle Attacks," in
Proceedings of the 17th ACM conference on Computer and communications security, 2010.
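@inproceedings{Huber_Poster_ACM_CCS_2010_Friend_in__2010,
  author     = {Huber, Markus and Mulazzani, Martin and Goluch, Sigrun and Kitzler, Gerhard and Weippl, Edgar R.},
  title      = {Poster {ACM} {CCS} 2010: Friend-in-the-middle Attacks},
  booktitle  = {Proceedings of the 17th ACM conference on Computer and communications security},
  year       = {2010},
  month      = oct,
}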
-
Edgar R. Weippl, "Data Warehousing Design and Advanced Engineering Applications: Methods for Complex Construction." Information Science Reference, IGI Global, 2010, pp. 272-279.
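@inbook{Weippl_SecurityinDataWarehouses_2010,
  author     = {Weippl, Edgar R.},
  title      = {Data Warehousing Design and Advanced Engineering Applications: Methods for Complex Construction},
  year       = {2010},
  month      = jan,
  pdf        = {weippl_arh_securityDWH.pdf},
  chapter    = {Security in Data Warehouses},
  pages      = {272--279},
  publisher  = {Information Science Reference, IGI Global},
}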
-
Peter Kieseberg and Manuel Leithner and Martin Mulazzani and Lindsay Munroe and Sebastian Schrittwieser and Mayank Sinha and Edgar R. Weippl, "QR Code Security," in
Fourth International Workshop on Trustworthy Ubiquitous Computing (TwUC 2010), 2010.
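@inproceedings{twuc_2010,
  author     = {Kieseberg, Peter and Leithner, Manuel and Mulazzani, Martin and Munroe, Lindsay and Schrittwieser, Sebastian and Sinha, Mayank and Weippl, Edgar R.},
  title      = {{QR} Code Security},
  booktitle  = {Fourth International Workshop on Trustworthy Ubiquitous Computing (TwUC 2010)},
  year       = {2010},
  month      = jan,
  pdf        = {QR_Code_Security.pdf},
}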
-
Nicolas Racz and Edgar R. Weippl and Andreas Seufert, "A Frame of Reference for Research of Integrated Governance, Risk and Compliance (GRC)," in
Proceedings of IFIP CMS 2010, 2010.
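@inproceedings{weippl_bzze_2010_CMS_Racz,
  author     = {Racz, Nicolas and Weippl, Edgar R. and Seufert, Andreas},
  title      = {A Frame of Reference for Research of Integrated Governance, Risk and Compliance ({GRC})},
  booktitle  = {Proceedings of IFIP CMS 2010},
  year       = {2010},
  month      = mar,
  publisher  = {Springer LNCS},
}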
-
Stefan Jakoubi and Simon Tjoa and Sigrun Goluch and Gerhard Kitzler, "Risk-Aware Business Process Management: Establishing the Link Between Business and Security," in
Complex Intelligent Systems and Their Applications, 2010, pp. 109-135.
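@incollection{Jakoubi_CISTA_2010,
  author     = {Jakoubi, Stefan and Tjoa, Simon and Goluch, Sigrun and Kitzler, Gerhard},
  title      = {Risk-Aware Business Process Management: Establishing the Link Between Business and Security},
  booktitle  = {Complex Intelligent Systems and Their Applications},
  year       = {2010},
  month      = jan,
  pdf        = {Jakoubi_CISTA_2010.pdf},
  volume     = {41},
  pages      = {109--135},
  publisher  = {Springer New York},
}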
-
Thomas Neubauer, "Pseudonymisierung fuer die datenschutzkonforme Speicherung medizinischer Daten,"
Elektrotechnik und Informationstechnik, 2010.
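@article{Neubauer_Pseudonymisierungfuerdie_2010,
  author     = {Neubauer, Thomas},
  title      = {Pseudonymisierung fuer die datenschutzkonforme {Speicherung} medizinischer {Daten}},
  journal    = {Elektrotechnik und Informationstechnik},
  year       = {2010},
  month      = jan,
}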
-
Stefan Fenz, "From the Resource to the Business Process Risk Level," in
Proceedings of the South African Information Security Multi-Conference (SAISMC’2010), 2010, pp. 100-109.
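@inproceedings{fenz2010resource,
  author     = {Fenz, Stefan},
  title      = {From the Resource to the Business Process Risk Level},
  booktitle  = {Proceedings of the South African Information Security Multi-Conference (SAISMC'2010)},
  year       = {2010},
  month      = jan,
  pdf        = {fenz2010resource.pdf},
  pages      = {100--109},
}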
-
Markus Huber and Martin Mulazzani and Gerhard Kitzler and Sigrun Goluch and Edgar R. Weippl, "Technical Report: Friend-in-the-middle Attacks," TR-SBA-Res, 2010.
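@techreport{fitm10,
  author      = {Huber, Markus and Mulazzani, Martin and Kitzler, Gerhard and Goluch, Sigrun and Weippl, Edgar R.},
  title       = {Technical Report: Friend-in-the-middle Attacks},
  institution = {SBA Research},
  year        = {2010},
  month       = jan,
  pdf         = {pdf/FITM_TR-SBA-Research-0710-01.pdf},
  number      = {TR-SBA-Res},
}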
-
Thomas Neubauer and Markus Pehn, "Workshop-based Risk Assessment for the Definition of Secure Business Processes (best paper award)," in
Second International Conference on Information, Process, and Knowledge Management, 2010, pp. 74-79.
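@inproceedings{Neubauer_Workshop_based_Risk_Assessment_2010,
  author     = {Neubauer, Thomas and Pehn, Markus},
  title      = {Workshop-based Risk Assessment for the Definition of Secure Business Processes},
  booktitle  = {Second International Conference on Information, Process, and Knowledge Management},
  year       = {2010},
  month      = feb,
  pages      = {74--79},
  note       = {Best Paper Award},
  annote     = {BIB says rated as B but no such event found in list},
}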
-
Stefan Jakoubi and Simon Tjoa and Sigrun Goluch and Gerhard Kitzler, "A Formal Approach Towards Risk-Aware Service Level Analysis and Planning," in
2010 International Conference on Availability, Reliability and Security, 2010, pp. 180-187.
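@inproceedings{Tjoa_A_Formal_Approach_Towards_Risk_2010,
  author     = {Jakoubi, Stefan and Tjoa, Simon and Goluch, Sigrun and Kitzler, Gerhard},
  title      = {A Formal Approach Towards Risk-Aware Service Level Analysis and Planning},
  booktitle  = {2010 International Conference on Availability, Reliability and Security},
  year       = {2010},
  month      = feb,
  pages      = {180--187},
}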
-
Manuel Egele and Leyla Bilge and Engin Kirda and Christopher Kruegel, "CAPTCHA Smuggling: Hijacking Web Browsing Sessions to Create CAPTCHA Farms," in
25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010.
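@inproceedings{Egele_CAPTCHASmugglingHijacking_2010,
  author     = {Egele, Manuel and Bilge, Leyla and Kirda, Engin and Kruegel, Christopher},
  title      = {{CAPTCHA} Smuggling: Hijacking Web Browsing Sessions to Create {CAPTCHA} Farms},
  booktitle  = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
  year       = {2010},
  month      = mar,
}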
-
Markus Huber and Martin Mulazzani and Sebastian Schrittwieser and Edgar R. Weippl, "Cheap and Automated Socio-Technical Attacks based on Social Networking Sites," in
3rd Workshop on Artificial Intelligence and Security (AISec’10), 2010.
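@inproceedings{Huber_Cheap_and_Automated_Socio_Tech_2010,
  author     = {Huber, Markus and Mulazzani, Martin and Schrittwieser, Sebastian and Weippl, Edgar R.},
  title      = {Cheap and Automated Socio-Technical Attacks based on Social Networking Sites},
  booktitle  = {3rd Workshop on Artificial Intelligence and Security (AISec'10)},
  year       = {2010},
  month      = oct,
}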
-
Simon Tjoa and Stefan Jakoubi and Sigrun Goluch and Gerhard Kitzler, "Planning Dynamic Activity and Resource Allocations Using a Risk-Aware Business Process Management Approach," in
2010 International Conference on Availability, Reliability and Security, 2010, pp. 268-274.
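@inproceedings{Tjoa_Planning_Dynamic_Activity_and__2010,
  author     = {Tjoa, Simon and Jakoubi, Stefan and Goluch, Sigrun and Kitzler, Gerhard},
  title      = {Planning Dynamic Activity and Resource Allocations Using a Risk-Aware Business Process Management Approach},
  booktitle  = {2010 International Conference on Availability, Reliability and Security},
  year       = {2010},
  month      = feb,
  pdf        = {Tjoa_ARES2010_dynamic.pdf},
  pages      = {268--274},
}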
-
Mark Guttenbrunner and Jan Wieners and Andreas Rauber and Manfred Thaller, "Same Same But Different Comparing Rendering Environments for Interactive Digital Objects," in
Proceedings of the Third international conference on Digital heritage – EuroMed 10, 2010.
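@inproceedings{Guttenbrunner_Same_Same_But_Different_Compar_2010,
  author     = {Guttenbrunner, Mark and Wieners, Jan and Rauber, Andreas and Thaller, Manfred},
  title      = {Same Same But Different Comparing Rendering Environments for Interactive Digital Objects},
  booktitle  = {Proceedings of the Third international conference on Digital heritage - EuroMed 10},
  year       = {2010},
  month      = nov,
  abstract   = {Digital cultural heritage in interactive form can take different shapes. It can be either in the form of interactive virtual representations of non-digital objects like buildings or nature, but also as born digital materials like interactive art and video games. To preserve these materials for a long term, we need to perform preservation actions on them. To check the validity of these actions, the original and the preserved form have to be compared. While static information like images or text documents can be migrated to new formats, especially digital objects which are interactive have to be preserved using new rendering environments. In this paper we show how the results of rendering an object in different environments can be compared. We present a workflow with three stages that supports the execution of digital objects in a rendering environment, the application of interactive actions in a standardized way to ensure no deviations due to different interactions, and the XCL Layout processor application that extends the characterized screenshots of the rendering results by adding information about significant areas in the screenshot allowing us to compare the rendering results. We present case studies on interactive fiction and a chess program that show that the approach is valid and that the rendering results can be successfully compared.},
}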
-
Ulrich Bayer and Engin Kirda and Christopher Kruegel, "Improving the Efficiency of Dynamic Malware Analysis," in
25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications, 2010.
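@inproceedings{Bayer_ImprovingEfficiencyof_2010,
  author     = {Bayer, Ulrich and Kirda, Engin and Kruegel, Christopher},
  title      = {Improving the Efficiency of Dynamic Malware Analysis},
  booktitle  = {25th Symposium On Applied Computing (SAC), Track on Information Security Research and Applications},
  year       = {2010},
  month      = mar,
  pdf        = {Bayer_ImprovingEfficiencyof_2010.pdf},
  note       = {Lausanne, Switzerland},
}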
-
Peter Fruehwirt and Markus Huber and Martin Mulazzani and Edgar R. Weippl, "Sicherheit in sozialen Netzwerken: Quo Vadis," in
8th Information Security Konferenz in Krems, 2010.
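@inproceedings{Fruewirt_Sicherheit_in_sozialen_Netzwer_2010,
  author     = {Fruehwirt, Peter and Huber, Markus and Mulazzani, Martin and Weippl, Edgar R.},
  title      = {Sicherheit in sozialen {Netzwerken}: Quo Vadis},
  booktitle  = {8th Information Security Konferenz in Krems},
  year       = {2010},
  month      = nov,
}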
-
Mark Strembeck, "Scenario-Driven Role Engineering,"
IEEE Security and Privacy, vol. 8, iss. 1, 2010.
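@article{Strembeck_Scenario_Driven_Role_Engineeri_2010,
  author     = {Strembeck, Mark},
  title      = {Scenario-Driven Role Engineering},
  journal    = {IEEE Security and Privacy},
  year       = {2010},
  month      = feb,
  volume     = {8},
  number     = {1},
}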
-
Stefan Fenz and Andreas Ekelhart, "Verification, Validation, and Evaluation in Information Security Risk Management,"
IEEE Security and Privacy, vol. 8, pp. 18-25, 2010.
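@article{Fenz_Verification_Validation_and_Ev_2010,
  author     = {Fenz, Stefan and Ekelhart, Andreas},
  title      = {Verification, Validation, and Evaluation in Information Security Risk Management},
  journal    = {IEEE Security and Privacy},
  year       = {2010},
  month      = nov,
  volume     = {8},
  pages      = {18--25},
  publisher  = {IEEE Computer Society},
}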
-
Thomas Neubauer and Christian Stummer, "Interaktive Portfolioauswahl im IT-Servicemanagement,"
HMD – Praxis der Wirtschaftsinformatik, vol. 256, pp. 48-55, 2009.
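@article{Neubauer_InteraktivePortfolioauswahlim_2009,
  author     = {Neubauer, Thomas and Stummer, Christian},
  title      = {Interaktive {Portfolioauswahl} im {IT-Servicemanagement}},
  journal    = {HMD - Praxis der Wirtschaftsinformatik},
  year       = {2009},
  month      = jan,
  volume     = {256},
  pages      = {48--55},
}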
-
Severin Winkler and Christian Proschinger, "Collaborative Penetration Testing," in
9. Internationale Tagung Wirtschaftsinformatik (Kurztitel Wi 2009), 2009.
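@inproceedings{Winkler_CollaborativePenetrationTesting_2009,
  author     = {Winkler, Severin and Proschinger, Christian},
  title      = {Collaborative Penetration Testing},
  booktitle  = {9. Internationale Tagung Wirtschaftsinformatik (Kurztitel Wi 2009)},
  year       = {2009},
  month      = jan,
  pdf        = {Winkler_CollaborativePenetrationTesting_2009.pdf},
}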
-
Edgar R. Weippl and Mohammad Tabatabai Irani, "Automation Of Post-Exploitation," in
Proceedings of International Conference on Security Technology (SecTech 2009), 2009.
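@inproceedings{TabatabaiIrani_AutomationOfPostExploitation_2009,
  author     = {Weippl, Edgar R. and Tabatabai Irani, Mohammad},
  title      = {Automation Of Post-Exploitation},
  booktitle  = {Proceedings of International Conference on Security Technology (SecTech 2009)},
  year       = {2009},
  month      = jan,
  pdf        = {TabatabaiIrani_AutomationOfPostExploitation_2009.pdf},
  publisher  = {Springer LNCS},
}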
-
Thomas Neubauer and Christian Stummer, "Interactive selection of Web services under multiple objectives,"
Information Technology and Management, 2009.
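@article{Neubauer_Interactiveselectionof_2009,
  author     = {Neubauer, Thomas and Stummer, Christian},
  title      = {Interactive selection of {Web} services under multiple objectives},
  journal    = {Information Technology and Management},
  year       = {2009},
  month      = jan,
  abstract   = {The manual composition of efficient combinations of Web services becomes almost impossible as the number of services increases dramatically. When determining an appropriate set of services, managers must take into consideration given business processes, business strategy and multiple Quality of Service (QoS) objectives while ensuring the cost-efficient usage of limited resources. Because the agility with which new business requirements are adapted has a major influence on business success and poor investment decisions may thus entail corporate failure, decision makers are experiencing growing pressure to prove the value of IT investments---but they often lack appropriate multicriteria decision support tools. This paper introduces a new decision support approach that more properly addresses these challenges. We implemented this approach into a tool and evaluated the performance of two popular methods (i.e., the Analytic Hierarchy Process and the Weighted Scoring Method) by means of a real-life case study in the social security sector. It turns out that the decision support system assists decision makers in identifying investments that more precisely target their company's business needs by allowing them to interactively determine and continually optimize service allocation according to the corporate business processes and multiple (strategic) objectives.},
}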
-
Martin Mulazzani and Edgar R. Weippl, "Aktuelle Herausforderungen in der Datenbankforensik," in
7th Information Security Konferenz in Krems, 2009.
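@inproceedings{Mulazzani_AktuelleHerausforderungenin_2009,
  author     = {Mulazzani, Martin and Weippl, Edgar R.},
  title      = {Aktuelle {Herausforderungen} in der {Datenbankforensik}},
  booktitle  = {7th Information Security Konferenz in Krems},
  year       = {2009},
  month      = jan,
  pdf        = {Mulazzani_AktuelleHerausforderungenin_2009.pdf},
  publisher  = {OCG Austrian Computer Society, Krems},
}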
-
Andreas Ekelhart and Mathias Kolb, "An Evaluation of Technologies for the Pseudonymization of Medical Data," in
Proceedings of the ACM Symposium on Applied Computing, 2009.
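@inproceedings{Neubauer_EvaluationofTechnologies_2009a,
  author     = {Ekelhart, Andreas and Kolb, Mathias},
  title      = {An Evaluation of Technologies for the Pseudonymization of Medical Data},
  booktitle  = {Proceedings of the ACM Symposium on Applied Computing},
  year       = {2009},
  month      = jan,
}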
-
Thomas Neubauer, "A Comparison of Security Safeguard Selection Methods," in
Proceedings of the 11th International Conference on Enterprise Information Systems, 2009, pp. 320-323.
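@inproceedings{Neubauer_ComparisonofSecurity_2009,
  author     = {Neubauer, Thomas},
  title      = {A Comparison of Security Safeguard Selection Methods},
  booktitle  = {Proceedings of the 11th International Conference on Enterprise Information Systems},
  year       = {2009},
  month      = jan,
  pages      = {320--323},
}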
-
Gerald Quirchmayr and Gernot Goluch and Simon Tjoa and Stefan Jakoubi, "A Survey of Scientific Approaches Considering the Integration of Security and Risk Aspects into Business Process Management," in
International Workshop on Database and Expert Systems Applications, 2009, pp. 127-132.
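@inproceedings{Jakoubi_SurveyofScientific_2009,
  author     = {Quirchmayr, Gerald and Goluch, Gernot and Tjoa, Simon and Jakoubi, Stefan},
  title      = {A Survey of Scientific Approaches Considering the Integration of Security and Risk Aspects into Business Process Management},
  booktitle  = {International Workshop on Database and Expert Systems Applications},
  year       = {2009},
  month      = jan,
  pdf        = {Jakoubi_SurveyofScientific_2009.pdf},
  pages      = {127--132},
  publisher  = {IEEE Computer Society},
}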
-
Thomas Neubauer, "An Empirical Study about the Status of Business Process Management,"
Business Process Management Journal, vol. 15, iss. 2, pp. 166-183, 2009.
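@article{Neubauer_EmpiricalStudyabout_2009,
  author     = {Neubauer, Thomas},
  title      = {An Empirical Study about the Status of Business Process Management},
  journal    = {Business Process Management Journal},
  year       = {2009},
  month      = jan,
  volume     = {15},
  number     = {2},
  pages      = {166--183},
}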
-
Thomas Neubauer, "Technologies for the Pseudonymization of Medical Data: A Legal Evaluation," in
International Conference on Systems, 2009.
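@inproceedings{Neubauer_TechnologiesPseudonymizationof_2009,
  author     = {Neubauer, Thomas},
  title      = {Technologies for the Pseudonymization of Medical Data: A Legal Evaluation},
  booktitle  = {International Conference on Systems},
  year       = {2009},
  month      = jan,
  publisher  = {IEEE Computer Society},
  note       = {Best Paper Award},
}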
-
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "AURUM: A Framework for Supporting Information Security Risk Management," in
Proceedings of the 42nd Hawaii International Conference on System Sciences, HICSS2009, 2009, pp. 1-10.
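@inproceedings{Ekelhart_AURUMFrameworkSupporting_2009,
  author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  sbahotlist = {true},
  title      = {{AURUM}: A Framework for Supporting Information Security Risk Management},
  booktitle  = {Proceedings of the 42nd Hawaii International Conference on System Sciences, HICSS2009},
  year       = {2009},
  month      = jan,
  abstract   = {As companies are increasingly exposed to a variety of information security threats, they are permanently forced to pay attention to security issues. Risk management provides an effective approach for measuring the security through risk assessment, risk mitigation and evaluation. Existing risk management approaches are highly accepted but demand very detailed knowledge about the IT security domain and the actual company environment. This paper presents AURUM - a new methodology for supporting the NIST SP 800-30 risk management standard - and provides a comparison with the GSTool and CRISAM in order to highlight the benefits decision makers may expect when using AURUM.},
  pdf        = {2009 - Ekelhart - AURUM A Framework for Information Security Risk Management.pdf},
  pages      = {1--10},
  publisher  = {IEEE Computer Society},
  isbn       = {978-0-7695-3450-3},
}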
-
Thomas Neubauer and Christian Hartl, "On the singularity of valuating IT security investments," in
IEEE/ACIS International Conference on Computer and Information Science, 2009, pp. 549-556.
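@inproceedings{Neubauer_singularityofvaluating_2009,
  author     = {Neubauer, Thomas and Hartl, Christian},
  title      = {On the singularity of valuating {IT} security investments},
  booktitle  = {IEEE/ACIS International Conference on Computer and Information Science},
  year       = {2009},
  month      = jan,
  pages      = {549--556},
}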
-
Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Ulrich Bayer and Clemens Hlauschek, "Scalable, Behavior-Based Malware Clustering," in
Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), 2009.
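@inproceedings{Bayer_ScalableBehaviorBasedMalware_2009,
  author     = {Kruegel, Christopher and Kirda, Engin and Milani Comparetti, Paolo and Bayer, Ulrich and Hlauschek, Clemens},
  sbahotlist = {true},
  title      = {Scalable, Behavior-Based Malware Clustering},
  booktitle  = {Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009)},
  year       = {2009},
  month      = jan,
  pdf        = {Bayer_ScalableBehaviorBasedMalware_2009.pdf},
}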
-
Simon Tjoa and Stefan Jakoubi, "A Reference Model for Risk-Aware Business Process Management," in
International Conference on Risks and Security of Internet and Systems, 2009.
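@inproceedings{Jakoubi_ReferenceModelRiskAware_2009,
  author     = {Tjoa, Simon and Jakoubi, Stefan},
  title      = {A Reference Model for Risk-Aware Business Process Management},
  booktitle  = {International Conference on Risks and Security of Internet and Systems},
  year       = {2009},
  month      = jan,
  pdf        = {Jakoubi_ReferenceModelRiskAware_2009 (2).pdf},
  publisher  = {IEEE},
}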
-
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Business Process-based Resource Importance Determination," in
Proceedings of the 7th International Conference on Business Process Management (BPM 2009), 2009, pp. 113-127.
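@inproceedings{Fenz_BusinessProcessbasedResource_2009,
  author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  sbahotlist = {true},
  title      = {Business Process-based Resource Importance Determination},
  booktitle  = {Proceedings of the 7th International Conference on Business Process Management (BPM 2009)},
  year       = {2009},
  month      = jan,
  abstract   = {Information security risk management (ISRM) heavily depends on realistic impact values representing the resources importance in the overall organizational context. Although a variety of ISRM approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can business processes be used to determine resources importance in the overall organizational context? We answer this question by measuring the actual importance level of resources based on business processes. Therefore, this paper presents our novel business process-based resource importance determination method which provides ISRM with an efficient and powerful tool for deriving realistic resource importance figures solely from existing business processes. The conducted evaluation has shown that the calculation results of the developed method comply to the results gained in traditional workshop-based assessments.},
  pdf        = {2009 - Fenz - Business Process-based Resource Importance Determination.pdf},
  pages      = {113--127},
  publisher  = {Springer},
  note       = {accepted for publication},
}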
-
Christopher Kruegel and Engin Kirda and Andreas Moser and Kevin Almaroth and Brett Stone Gross, "FIRE: FInding Rogue nEtworks," in
25th Annual Computer Security Applications Conference (ACSAC), 2009.
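@inproceedings{StoneGross_FIREFIndingRogue_2009,
  author     = {Kruegel, Christopher and Kirda, Engin and Moser, Andreas and Almeroth, Kevin and Stone-Gross, Brett},
  sbahotlist = {true},
  title      = {{FIRE}: {FInding Rogue nEtworks}},
  booktitle  = {25th Annual Computer Security Applications Conference (ACSAC)},
  year       = {2009},
  month      = dec,
  pdf        = {StoneGross_FIREFIndingRogue_2009.pdf},
}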
-
Engin Kirda and Davide Balzarotti and Leyla Bilge and Thorsten Strufe, "All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks," in
18th International World Wide Web Conference, 2009.
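@inproceedings{Bilge_AllYourContacts_2009,
  author     = {Kirda, Engin and Balzarotti, Davide and Bilge, Leyla and Strufe, Thorsten},
  sbahotlist = {true},
  title      = {All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks},
  booktitle  = {18th International World Wide Web Conference},
  year       = {2009},
  month      = apr,
  pdf        = {Bilge_AllYourContacts_2009.pdf},
  annote     = {Review: the publisher field previously held "31st International Conference on Software Engineering IEEE Computer Society, Vancouver, Cana", which names a different conference than the booktitle and is cut off; confirm the publisher before restoring it},
}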
-
Christopher Kruegel and Engin Kirda and Leyla Bilge and Thorsten Holz and Peter Wurzinger and Jan Goebel, "Automatically Generating Models for Botnet Detection," in
14th European Symposium on Research in Computer Security (ESORICS 2009), 2009.
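@inproceedings{Wurzinger_AutomaticallyGeneratingModels_2009,
  author     = {Kruegel, Christopher and Kirda, Engin and Bilge, Leyla and Holz, Thorsten and Wurzinger, Peter and Goebel, Jan},
  sbahotlist = {true},
  title      = {Automatically Generating Models for Botnet Detection},
  booktitle  = {14th European Symposium on Research in Computer Security (ESORICS 2009)},
  year       = {2009},
  month      = sep,
  pdf        = {Wurzinger_AutomaticallyGeneratingModels_2009.pdf},
  note       = {Saint Malo, Brittany, France},
}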
-
Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Xiaoyong Zhou and Xiaofeng Wang, "Effective and Efficient Malware Detection at the End Host," in
USENIX Security 09, 2009.
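@inproceedings{Kolbitsch_EffectiveandEfficient_2009,
  author        = {Kruegel, Christopher and Kirda, Engin and Comparetti, Paolo Milani and Zhou, Xiaoyong and Wang, Xiaofeng},
  sbahotlist    = {true},
  title         = {Effective and Efficient Malware Detection at the End Host},
  booktitle     = {USENIX Security 09},
  year          = {2009},
  month         = aug,
  pdf           = {Kolbitsch_EffectiveandEfficient_2009.pdf},
  note          = {Canada, August 2009},
  internal-note = {NOTE(review): the citation key names Kolbitsch, who does not appear in the author list; verify the author list and its order against the paper.},
}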
-
Christopher Kruegel and Engin Kirda and Manuel Egele, "Removing Web Spam Links from Search Engine Results," in
31st International Conference on Software Engineering (ICSE), 2009.
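@inproceedings{Egele_RemovingWebSpam_2009,
  author     = {Kruegel, Christopher and Kirda, Engin and Egele, Manuel},
  sbahotlist = {true},
  title      = {Removing Web Spam Links from Search Engine Results},
  booktitle  = {31st International Conference on Software Engineering (ICSE)},
  year       = {2009},
  month      = may,
  pdf        = {Egele_RemovingWebSpam_2009.pdf},
  publisher  = {IEEE Computer Society},
  note       = {Vancouver, Canada},
}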
-
Christopher Kruegel and Engin Kirda and Christian Platzer and Christian Ludl and Peter Wurzinger, "SWAP: Mitigating XSS Attacks using a Reverse Proxy," in
The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE, 2009.
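@inproceedings{Wurzinger_SWAPMitigatingXSS_2009,
  author     = {Kruegel, Christopher and Kirda, Engin and Platzer, Christian and Ludl, Christian and Wurzinger, Peter},
  sbahotlist = {true},
  title      = {{SWAP}: Mitigating {XSS} Attacks using a Reverse Proxy},
  booktitle  = {The 5th International Workshop on Software Engineering for Secure Systems SESS09 31st International Conference on Software Engineering ICSE},
  year       = {2009},
  month      = may,
  pdf        = {Wurzinger_SWAPMitigatingXSS_2009.pdf},
  publisher  = {IEEE Computer Society},
}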
-
Gernot Goluch and Simon Tjoa and Thomas Neubauer and Stefan Jakoubi and Martin Wisser, "A Process Model for RFID based Business Process Analysis," in
APSCC, 2009.
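@inproceedings{Neubauer_ProcessModelRFID_2009,
  author    = {Goluch, Gernot and Tjoa, Simon and Neubauer, Thomas and Jakoubi, Stefan and Wisser, Martin},
  title     = {A Process Model for {RFID} based Business Process Analysis},
  booktitle = {APSCC},
  year      = {2009},
  month     = jan,
}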
-
Mark Strembeck and Jan Mendling and Kathrin Figl, "Towards a Usability Assessment of Process Modeling Languages," in
8. GI-Workshop EPK: Geschäftsprozessmanagement mit Ereignisgesteuerten Prozessketten, 2009.
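@inproceedings{Figl_Towards_a_Usability_Assessment_2009,
  author    = {Strembeck, Mark and Mendling, Jan and Figl, Kathrin},
  title     = {Towards a Usability Assessment of Process Modeling Languages},
  booktitle = {8. GI-Workshop EPK: Gesch{\"a}ftsprozessmanagement mit Ereignisgesteuerten Prozessketten},
  year      = {2009},
  month     = oct,
}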
-
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Ontology-based Decision Support for Information Security Risk Management," in
International Conference on Systems, 2009. ICONS 2009., 2009, pp. 80-85.
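@inproceedings{Ekelhart_OntologybasedDecisionSupport_2009,
  author    = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title     = {Ontology-based Decision Support for Information Security Risk Management},
  booktitle = {International Conference on Systems, 2009. ICONS 2009.},
  year      = {2009},
  month     = mar,
  abstract  = {As e-Business and e-Commerce applications are increasingly exposed to a variety of information security threats, corporate decision makers are increasingly forced to pay attention to security issues. Risk management provides an effective approach for measuring the security but existing risk management approaches come with major shortcomings such as the demand for very detailed knowledge about the IT security domain and the actual company environment. This paper presents the implementation of the AURUM methodology into a software solution which addresses the identified shortcomings of existing information security risk management software solutions. Thereby, the presented approach supports decision makers in risk assessment, risk mitigation, and safeguard evaluation.},
  pdf       = {2009 - Ekelhart - Ontology-based Decision Support for Information Security Risk Management.pdf},
  pages     = {80--85},
  publisher = {IEEE Computer Society},
}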
-
Markus Huber, "Automated Social Engineering, Proof of Concept." 2009.
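@misc{MHuber_ASEthesis09,
  author        = {Huber, Markus},
  title         = {Automated Social Engineering, Proof of Concept},
  year          = {2009},
  month         = mar,
  pdf           = {thesis_ASE-PoC_MHuber.pdf},
  internal-note = {NOTE(review): typed as misc because the record has no booktitle, which inproceedings requires. The key and the PDF file name suggest a thesis; if so, switch to a thesis type and add the school.},
}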
-
A Min Tjoa and Edgar R. Weippl and Farman Ali Khan and Sabine Graf, "An Approach for Identifying Affective States through Behavioral Patterns in Web-based Learning Management System," in
Proceedings of the 11th International Conference on Information Integration and Web Based Applications and Services (iiWAS2009), 2009.
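@inproceedings{Khan_Identifying_and_Incorporating__2010,
  author    = {Tjoa, A Min and Weippl, Edgar R. and Khan, Farman Ali and Graf, Sabine},
  title     = {An Approach for Identifying Affective States through Behavioral Patterns in Web-based Learning Management System},
  booktitle = {Proceedings of the 11th International Conference on Information Integration and Web Based Applications and Services (iiWAS2009)},
  year      = {2009},
  month     = dec,
  abstract  = {Learning styles and affective states influence students learning. The purpose of this study is to develop a conceptual framework for identifying and integrating learning styles and affective states of a learner into web-based learning management systems and therefore provide learners with adaptive courses and additional individualized pedagogical guidance that is tailored to their learning styles and affective states. The study was carried out in three phases, the first of which was the investigation and determination of learning styles and affective states which are important for learning. Phase two consisted of the development of an approach for the identification of learning styles and affective states as well as the development of a mechanism to calculate them from the students learning interactions within web-based learning management systems. The third phase was to develop a learning strategy that is more personalized and adaptive in nature and tailored to learners needs and current situation through considering learners learning styles and affective states, aiming to lead to better learning outcomes and progress},
}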
-
Simon Tjoa and Thomas Neubauer and Stefan Jakoubi, "A Roadmap to Risk-Aware Business Process Management," in
APSCC, 2009.
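@inproceedings{Jakoubi_RoadmaptoRiskAware_2009,
  author    = {Tjoa, Simon and Neubauer, Thomas and Jakoubi, Stefan},
  title     = {A Roadmap to Risk-Aware Business Process Management},
  booktitle = {APSCC},
  year      = {2009},
  month     = jan,
}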
-
Stefan Fenz and Thomas Pruckner and Arman Manutscheri, "Ontological Mapping of Information Security Best-Practice Guidelines," in
Business Information Systems, 12th International Conference on Business Information Systems, BIS 2009, 2009.
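@inproceedings{Fenz_OntologicalMappingof_2009,
  author    = {Fenz, Stefan and Pruckner, Thomas and Manutscheri, Arman},
  title     = {Ontological Mapping of Information Security Best-Practice Guidelines},
  booktitle = {Business Information Systems, 12th International Conference on Business Information Systems, BIS 2009},
  year      = {2009},
  month     = apr,
  pdf       = {2009 - Fenz - Ontological Mapping of Information Security Best-Practice Guidelines.pdf},
  publisher = {Springer Berlin Heidelberg},
}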
-
Christopher Kruegel and Engin Kirda and Manuel Egele, "Mitigating Drive-by Download Attacks: Challenges and Open Problems," in
Open Research Problems in Network Security Workshop, 2009.
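@inproceedings{Egele_MitigatingDrivebyDownload_2009,
  author    = {Kruegel, Christopher and Kirda, Engin and Egele, Manuel},
  title     = {Mitigating Drive-by Download Attacks: Challenges and Open Problems},
  booktitle = {Open Research Problems in Network Security Workshop (iNetSec 2009)},
  year      = {2009},
  month     = apr,
  pdf       = {Egele_MitigatingDrivebyDownload_2009.pdf},
  note      = {Zurich},
}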
-
Clemens Kolbitsch, "Automated Spyware Collection and Analysis," in
Information Security Conference, 2009.
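@inproceedings{Kolbitsch_AutomatedSpywareCollection_2009,
  author    = {Kolbitsch, Clemens},
  title     = {Automated Spyware Collection and Analysis},
  booktitle = {Information Security Conference (ISC 2009)},
  year      = {2009},
  month     = sep,
  pdf       = {Kolbitsch_AutomatedSpywareCollection_2009.pdf},
  note      = {Pisa, Italy},
}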
-
Mark Strembeck and Uwe Zdun, "Reusable Architectural Decisions for DSL Design: Foundational Decisions in DSL Development," in
14th European Conference on Pattern Languages of Programs (EuroPLoP), 2009.
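@inproceedings{Zdun_Reusable_Architectural_Decisio_2009,
  author    = {Strembeck, Mark and Zdun, Uwe},
  title     = {Reusable Architectural Decisions for {DSL} Design: Foundational Decisions in {DSL} Development},
  booktitle = {14th European Conference on Pattern Languages of Programs (EuroPLoP)},
  year      = {2009},
  month     = jul,
}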
-
Christopher Kruegel and Engin Kirda and Manuel Egele, "Prospex: Protocol Specification Extraction," in
18th European Institute for Computer Antivirus Research, 2009.
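@inproceedings{Egele_ProspexProtocolSpecification_2009,
  author    = {Kruegel, Christopher and Kirda, Engin and Egele, Manuel},
  title     = {Prospex: Protocol Specification Extraction},
  booktitle = {18th European Institute for Computer Antivirus Research (EICAR 2009 Annual Conference)},
  year      = {2009},
  month     = may,
  pdf       = {Egele_ProspexProtocolSpecification_2009.pdf},
  note      = {Berlin},
}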
-
Christopher Kruegel and Engin Kirda and Ulrich Bayer and Davide Balzarotti and Imam Habibi, "Insights Into Current Malware Behavior," in
2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston, 2009.
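@inproceedings{Bayer_InsightsIntoCurrent_2009,
  author    = {Kruegel, Christopher and Kirda, Engin and Bayer, Ulrich and Balzarotti, Davide and Habibi, Imam},
  title     = {Insights Into Current Malware Behavior},
  booktitle = {2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston},
  year      = {2009},
  month     = apr,
  pdf       = {Bayer_InsightsIntoCurrent_2009.pdf},
}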
-
Hannes Obweger and Josef Schiefer and Martin Suntinger, "Correlating Business Events for Event-Triggered Rules," in
Proceedings of the 2009 International Symposium on Rule Interchange and Applications (RuleML’09), 2009.
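@inproceedings{Schiefer_Correlating_Business_Events_fo_2009,
  author    = {Obweger, Hannes and Schiefer, Josef and Suntinger, Martin},
  title     = {Correlating Business Events for Event-Triggered Rules},
  booktitle = {Proceedings of the 2009 International Symposium on Rule Interchange and Applications (RuleML'09)},
  year      = {2009},
  month     = nov,
}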
-
Stefan Fenz and Thomas Neubauer, "How to Determine Threat Probabilities Using Ontologies and Bayesian Networks," in
CSIIRW ’09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research, 2009.
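@inproceedings{Fenz_HowtoDetermine_2009,
  author    = {Fenz, Stefan and Neubauer, Thomas},
  title     = {How to Determine Threat Probabilities Using Ontologies and {Bayesian} Networks},
  booktitle = {CSIIRW '09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research},
  year      = {2009},
  month     = jan,
  abstract  = {The subjective threat probability determination is one of the main reasons for an inadequate information security strategy endangering the organization in performing its mission. To address the problem this research project proposes an ontology- and Bayesian-based approach for determining asset-specific and comprehensible threat probabilities. The elaborated concepts enable risk managers to comprehensibly quantify the current security status of their organization.},
  pdf       = {2009 - Fenz - How to Determine Threat Probabilities Using Ontologies and Bayesian Networks.pdf},
  publisher = {ACM},
}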
-
Johannes Heurix and Thomas Neubauer and Thomas Mueck, "Zentralisierte Pseudonymisierung von medizinischen Patientendaten," in
Tagungsband e-Health 2009, 2009.
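@inproceedings{Heurix_ZentralisiertePseudonymisierungvon_2009,
  author    = {Heurix, Johannes and Neubauer, Thomas and Mueck, Thomas},
  title     = {Zentralisierte {Pseudonymisierung} von medizinischen {Patientendaten}},
  booktitle = {Tagungsband e-Health 2009},
  year      = {2009},
  month     = jan,
}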
-
Johannes Heurix and Thomas Neubauer, "Massenpseudonymisierung von persönlichen medizinischen Daten," in
DACH Security, 2009.
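@inproceedings{Heurix_Massenpseudonymisierungvonpersoenlichen_2009,
  author    = {Heurix, Johannes and Neubauer, Thomas},
  title     = {Massenpseudonymisierung von pers{\"o}nlichen medizinischen {Daten}},
  booktitle = {DACH Security},
  year      = {2009},
  month     = jan,
}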
-
Mark Strembeck and Uwe Zdun, "An Approach for the Systematic Development of Domain-Specific Languages,"
Software: Practice and Experience (SP&E), vol. 39, iss. 15, 2009.
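@article{Strembeck_An_Approach_for_the_Systematic_2009,
  author  = {Strembeck, Mark and Zdun, Uwe},
  title   = {An Approach for the Systematic Development of Domain-Specific Languages},
  journal = {Software: Practice and Experience (SP\&E)},
  year    = {2009},
  month   = oct,
  volume  = {39},
  number  = {15},
}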
-
A Min Tjoa and Stefan Fenz and Marcus Hudec, "Ontology-based Generation of Bayesian Networks," in
International Conference on Complex, Intelligent and Software Intensive Systems, 2009. CISIS ’09., 2009, pp. 712-717.
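@inproceedings{Fenz_OntologybasedGenerationof_2009,
  author    = {Tjoa, A Min and Fenz, Stefan and Hudec, Marcus},
  title     = {Ontology-based Generation of {Bayesian} Networks},
  booktitle = {International Conference on Complex, Intelligent and Software Intensive Systems, 2009. CISIS '09.},
  year      = {2009},
  month     = jan,
  abstract  = {Bayesian networks are indispensable for determining the probability of events which are influenced by various components. Bayesian probabilities encode degrees of belief about certain events and a dynamic knowledge body is used to strengthen, update, or weaken these assumptions. The creation of Bayesian networks requires at least three challenging tasks: (i) the determination of relevant influence factors, (ii) the determination of relationships between the identified influence factors, and (iii) the calculation of the conditional probability tables for each node in the Bayesian network. Based on existing domain ontologies, we propose a method for the ontology-based generation of Bayesian networks. The ontology is used to provide the necessary knowledge about relevant influence factors, their relationships, their weights, and the scale which represents potential states of the identified influence factors. The developed method enables, based on existing ontologies, the semi-automatic generation and alternation of Bayesian networks.},
  pdf       = {2009 - Fenz - Ontology-based Generation of Bayesian Networks.pdf},
  pages     = {712--717},
  publisher = {IEEE Computer Society},
}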
-
Markus Huber and Simon Tjoa and Stewart Kowalski and Marcus Nohlberg, "Towards Automating Social Engineering Using Social Networking Sites," in
Computational Science and Engineering, IEEE International Conference on, 2009, pp. 117-124.
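@inproceedings{Huber_TowardsAutomatingSocial_2009,
  author    = {Huber, Markus and Tjoa, Simon and Kowalski, Stewart and Nohlberg, Marcus},
  title     = {Towards Automating Social Engineering Using Social Networking Sites},
  booktitle = {Computational Science and Engineering, IEEE International Conference on},
  year      = {2009},
  month     = jan,
  pdf       = {2009 - Huber - Towards Automating Social Engineering Using Social Networking Sites.pdf},
  volume    = {3},
  pages     = {117--124},
  publisher = {IEEE Computer Society},
}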
-
Stefan Fenz and Andreas Ekelhart, "Formalizing Information Security Knowledge," in
Proceedings of the 4th ACM Symposium on Information, Computer, and Communications Security, 2009, pp. 183-194.
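@inproceedings{Fenz_FormalizingInformationSecurity_2009,
  author    = {Fenz, Stefan and Ekelhart, Andreas},
  title     = {Formalizing Information Security Knowledge},
  booktitle = {Proceedings of the 4th ACM Symposium on Information, Computer, and Communications Security},
  year      = {2009},
  month     = jan,
  abstract  = {Unified and formal knowledge models of the information security domain are fundamental requirements for supporting and enhancing existing risk management approaches. This paper describes a security ontology which provides an ontological structure for information security domain knowledge. Besides existing best-practice guidelines such as the German IT Grundschutz Manual also concrete knowledge of the considered organization is incorporated. An evaluation conducted by an information security expert team has shown that this knowledge model can be used to support a broad range of information security risk management approaches.},
  pdf       = {2009 - Fenz - Formalizing Information Security Knowledge.pdf},
  pages     = {183--194},
  publisher = {ACM},
  isbn      = {978-1-60558-394-5},
}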
-
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Ontologiebasiertes IT Risikomanagement," in
D.A.CH Security 2009, 2009, pp. 14-24.
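@inproceedings{Ekelhart_OntologiebasiertesITRisikomanagement_2009,
  author    = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title     = {Ontologiebasiertes {IT} {Risikomanagement}},
  booktitle = {D.A.CH Security 2009},
  year      = {2009},
  month     = jan,
  abstract  = {Informationssicherheitsrisikomanagement (Information Security Risk Management, ISRM) stellt einen effizienten Zugang zur Bewertung, Verringerung und Evaluierung von Informationssicherheitsrisiken dar. Bereits bestehende ISRM-Ans{\"a}tze sind weitgehend akzeptiert, setzen jedoch sehr detailliertes Informationssicherheitswissen und genaue Kenntnisse des tats{\"a}chlichen Unternehmensumfeldes voraus. Die inad{\"a}quate Umsetzung von ISRM gef{\"a}hrdet die planm{\"a}{\ss}ige Umsetzung der Unternehmensstrategie und kann zu einer Minderung des Unternehmenswertes f{\"u}hren. Der vorliegende Beitrag pr{\"a}sentiert das AURUM Tool, welches die Schwachstellen bestehender Ans{\"a}tze adressiert und Entscheidungstr{\"a}ger bei der Auswahl eines effizienten IT-Sicherheitsportfolios unter Ber{\"u}cksichtigung organisationsspezifischer, technischer und wirtschaftlicher Anforderungen unterst{\"u}tzt.},
  pdf       = {2009 - Ekelhart - Ontologiebasiertes IT Risikomanagement.pdf},
  pages     = {14--24},
  publisher = {Syssec},
}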
-
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Automated Risk and Utility Management," in
2009 Sixth International Conference on Information Technology: New Generations, 2009, pp. 393-398.
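@inproceedings{Ekelhart_AutomatedRiskand_2009,
  author    = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title     = {Automated Risk and Utility Management},
  booktitle = {2009 Sixth International Conference on Information Technology: New Generations},
  year      = {2009},
  month     = jan,
  abstract  = {Information security breaches pose major threats to the reliable execution of corporate strategies and may have negative effects on business value. Information security risk management (ISRM) provides an effective approach for assessing, mitigating, and evaluating information security risks. Existing ISRM approaches are highly accepted but demand very detailed knowledge about the IT security domain and the actual company environment. This paper presents the AURUM prototype that supports decision makers in selecting security measures according to organization-specific technical and economical requirements.},
  pdf       = {2009 - Ekelhart - Automated Risk and Utility Management.pdf},
  pages     = {393--398},
  publisher = {IEEE Computer Society},
}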
-
Edgar R. Weippl and Benjamin Böck, "The Handbook of Technology Management." Wiley and Sons, 2009.
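@incollection{Bock_acceptedforpublicationSocialEngineering_2009,
  author    = {Weippl, Edgar R. and B{\"o}ck, Benjamin},
  title     = {Social Engineering},
  booktitle = {The Handbook of Technology Management},
  year      = {2009},
  month     = jan,
  publisher = {Wiley and Sons},
  note      = {Accepted for publication},
}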
-
Edgar R. Weippl and Markus Klemen and Philippe Benditsch and Gerald Futschek, "OCG IT-Security Zertifikat fuer Nutzer," in
IRIS 2008, 2008.
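@inproceedings{Benditsch_OCGITSecurityZertifikat_2008,
  author    = {Weippl, Edgar R. and Klemen, Markus and Benditsch, Philippe and Futschek, Gerald},
  title     = {{OCG} {IT-Security} {Zertifikat} fuer {Nutzer}},
  booktitle = {IRIS 2008},
  year      = {2008},
  month     = jan,
}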
-
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Semantic Potential of existing Security Advisory Standards," in
Proceedings of the FIRST2008 Conference, 2008.
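@inproceedings{Fenz_SemanticPotentialof_2008,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas},
  title     = {Semantic Potential of existing Security Advisory Standards},
  booktitle = {Proceedings of the FIRST2008 Conference},
  year      = {2008},
  month     = jan,
  abstract  = {New discoveries made on a nearly daily basis and the constantly growing amount of vulnerabilities in software products have led to the distribution of great numbers of vendor dependent vulnerability information over various channels such as mailing lists and RSS (Really Simple Syndication) feeds. However, the format of these messages presents a major problem as it lacks standardized, semantic information, resulting in very time-intensive, expensive, and error-prone processing due to the necessary human involvement. Recent developments in the field of IT security have increased the need for a sound semantic security advisory standard that allows for automatic processing of relevant security advisories in a more precise and timely manner. This would reduce pressure on organizations trying to keep their complex infrastructures secure and up-to-date by complying with standards, such as Basel II and local legislations. This paper conducts an evaluation of existing security advisory standards to identify usable semantic standards, which enable the automated processing of security advisories to ensure faster reaction times and precise response to new threats and vulnerabilities. In this way IT management can concentrate on solutions rather than on filtering messages.},
  pdf       = {2008 - Fenz - Semantic Potential of Existing Security Advisory Standards.pdf},
}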
-
Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek, "Automatic Network Protocol Analysis," in
15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008, 2008.
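@inproceedings{Wondracek_AutomaticNetworkProtocol_2008,
  author        = {Kruegel, Christopher and Kirda, Engin and Comparetti, Paolo Milani and Wondracek, Gilbert},
  sbahotlist    = {true},
  title         = {Automatic Network Protocol Analysis},
  booktitle     = {15th Annual Network and Distributed System Security Symposium (NDSS 2008), San Diego, February 2008},
  year          = {2008},
  month         = feb,
  pdf           = {Wondracek_AutomaticNetworkProtocol_2008.pdf},
  internal-note = {NOTE(review): month taken from the booktitle text (February 2008); the record carried month 1, which contradicted it. Confirm against the proceedings.},
}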
-
Christopher Kruegel and Engin Kirda and Guenther Starnberger, "A botnet protocol based on Kademlia," in
International Conference on Security and Privacy in Communication Networks (SecureComm), 2008.
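@inproceedings{Starnberger_botnetprotocolbased_2008,
  author        = {Kruegel, Christopher and Kirda, Engin and Starnberger, Guenther},
  sbahotlist    = {true},
  title         = {A botnet protocol based on {Kademlia}},
  booktitle     = {International Conference on Security and Privacy in Communication Networks (SecureComm)},
  year          = {2008},
  month         = sep,
  pdf           = {Starnberger_botnetprotocolbased_2008.pdf},
  note          = {Istanbul, Turkey},
  internal-note = {NOTE(review): possibly the same paper as Starnberger_Overbotbotnet_2008 (same authors, venue, month and location); confirm and keep one record.},
}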
-
Stefan Fenz and Thomas Neubauer and Bernhard Riedl and Veronika Grascher, "Pseudonymization for improving the privacy in e-Health applications," in
Proceedings of the 41st Hawaii International Conference on System Sciences, HICSS2008, 2008, pp. 255-264.
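@inproceedings{Riedl_Pseudonymizationimprovingprivacy_2008,
  author     = {Fenz, Stefan and Neubauer, Thomas and Riedl, Bernhard and Grascher, Veronika},
  sbahotlist = {true},
  title      = {Pseudonymization for improving the privacy in {e-Health} applications},
  booktitle  = {Proceedings of the 41st Hawaii International Conference on System Sciences, HICSS2008},
  year       = {2008},
  month      = jan,
  pdf        = {2008 - Riedl - Pseudonymization for Improving the Privacy in e-Health Applications.pdf},
  pages      = {255--264},
  publisher  = {IEEE Computer Society},
  isbn       = {978-0-7695-3075-8},
}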
-
Gerald Quirchmayr and Gernot Goluch and Simon Tjoa and Stefan Jakoubi, "Deriving Resource Requirements Applying Risk-Aware Business Process Modeling and Simulation," in
Proceedings of the 16th European Conference on Information Systems (ECIS), 2008.
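@inproceedings{Jakoubi_DerivingResourceRequirements_2008,
  author     = {Quirchmayr, Gerald and Goluch, Gernot and Tjoa, Simon and Jakoubi, Stefan},
  sbahotlist = {true},
  title      = {Deriving Resource Requirements Applying Risk-Aware Business Process Modeling and Simulation},
  booktitle  = {Proceedings of the 16th European Conference on Information Systems (ECIS)},
  year       = {2008},
  month      = jan,
  abstract   = {Today, companies face the challenge to effectively and efficiently perform their business processes as well as to guarantee their continuous operation. To meet the economic requirements, companies often consult business process management experts. The robustness and continuity of operations is separately considered in other domains such as business continuity management and risk management. The shortcoming of this separation is that in most cases a common reasoning and information basis is missing. With the risk-aware process modeling and simulation methodology named ROPE we fill this gap and combine the strengths of the aforementioned domains. In this paper, we present new ROPE simulation capabilities focusing on the determination of resource requirements considering the impact of occurring threats on business processes. Furthermore, we introduce an example scenario to clarify how a company can benefit from applying these extensions.},
}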
-
Stefan Fenz and Andreas Ekelhart and Gernot Goluch and Simon Tjoa and Stefan Jakoubi and Thomas Mueck, "Integration of an Ontological Information Security Concept in Risk Aware Business Process Management," in
Proceedings of the 41st Hawaii International Conference on System Sciences, HICSS2008, 2008, pp. 377-385.
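@inproceedings{Goluch_IntegrationofOntological_2008,
  author     = {Fenz, Stefan and Ekelhart, Andreas and Goluch, Gernot and Tjoa, Simon and Jakoubi, Stefan and Mueck, Thomas},
  sbahotlist = {true},
  title      = {Integration of an Ontological Information Security Concept in Risk Aware Business Process Management},
  booktitle  = {Proceedings of the 41st Hawaii International Conference on System Sciences, HICSS2008},
  year       = {2008},
  month      = jan,
  pdf        = {2008 - Goluch - Integration of an Ontological Information Security Concept in Risk-Aware Business Process Management.pdf},
  pages      = {377--385},
  publisher  = {IEEE Computer Society},
  isbn       = {978-0-7695-3075-8},
}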
-
Christopher Kruegel and Engin Kirda and Guenther Starnberger, "Overbot – A botnet protocol based on Kademlia," in
4th International Conference on Security and Privacy in Communication Networks (SecureComm), 2008.
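@inproceedings{Starnberger_Overbotbotnet_2008,
  author     = {Kruegel, Christopher and Kirda, Engin and Starnberger, Guenther},
  sbahotlist = {true},
  title      = {Overbot -- A botnet protocol based on {Kademlia}},
  booktitle  = {4th International Conference on Security and Privacy in Communication Networks (SecureComm)},
  year       = {2008},
  month      = sep,
  pdf        = {Starnberger_Overbotbotnet_2008.pdf},
  note       = {Istanbul, Turkey},
}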
-
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Gernot Goluch and Markus Steinkellner, "XML Security – A comparative literature review,"
Journal of Systems and Software, vol. 81, pp. 1715-1724, 2008.
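@article{Ekelhart_XMLSecurity_2008,
  author     = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Goluch, Gernot and Steinkellner, Markus},
  sbahotlist = {true},
  title      = {{XML} Security -- A comparative literature review},
  journal    = {Journal of Systems and Software},
  year       = {2008},
  month      = jan,
  abstract   = {Since the turn of the millenium, Working Groups of the W3C have been concentrating on the development of XML based security standards, which are paraphrased as XML Security. XML Security consists of three recommendations: XML (Digital) Signature, XML Encryption and XML Key Management Specification (XKMS), all of them published by the W3C. By means of a review of the available literature the authors draw several conclusions about the status quo of XML Security. Furthermore the current state and focuses of research as well as the existing challenges are derived. Trends to different application areas - e.g. use of XML Security for Mobile Computing - are also outlined. Based on this information the analyzed results are discussed and a future outlook is predicted.},
  pdf        = {2008 - Ekelhart - XML security -- A Comparative Literature Review.pdf},
  volume     = {81},
  pages      = {1715--1724},
  issn       = {0164-1212},
}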
-
Christopher Kruegel and Engin Kirda and Sean McAllister, "Leveraging User Interactions for In-Depth Testing of Web Applications,"
RAID ’08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection, pp. 191-210, 2008.
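@inproceedings{1433021,
  author    = {Kruegel, Christopher and Kirda, Engin and McAllister, Sean},
  title     = {Leveraging User Interactions for In-Depth Testing of Web Applications},
  booktitle = {RAID '08: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection},
  year      = {2008},
  month     = jan,
  pages     = {191--210},
  publisher = {Springer-Verlag},
}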
-
Johannes Heurix and Thomas Neubauer, "Defining Secure Business Processes with Respect to Multiple Objectives," in
Proceedings of the Third International Conference on Availability, Reliability and Security ARES, 2008.
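@inproceedings{Neubauer_DefiningSecureBusiness_2008,
  author    = {Heurix, Johannes and Neubauer, Thomas},
  title     = {Defining Secure Business Processes with Respect to Multiple Objectives},
  booktitle = {Proceedings of the Third International Conference on Availability, Reliability and Security {ARES}},
  year      = {2008},
  month     = jan,
  publisher = {IEEE Computer Society},
}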
-
Edgar R. Weippl, "Handbook of Research on Information Security and Assurance." Idea Group, 2008.
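@incollection{Weippl_SecurityAwarenessVirtualEnvironmentsandELearning_2008,
  author    = {Weippl, Edgar R.},
  title     = {Security Awareness: Virtual Environments and {E-Learning}},
  booktitle = {Handbook of Research on Information Security and Assurance},
  year      = {2008},
  month     = jan,
  publisher = {Idea Group},
}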
-
Edgar R. Weippl, "Preface to Social Implications of Data Mining and Information Privacy: Interdisciplinary Frameworks and Solutions." IGI Global, 2008.
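@incollection{Weippl__2008,
  author    = {Weippl, Edgar R.},
  title     = {Preface},
  booktitle = {Social Implications of Data Mining and Information Privacy: Interdisciplinary Frameworks and Solutions},
  year      = {2008},
  month     = jan,
  publisher = {IGI Global},
}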
-
Edgar R. Weippl and Joe Luca,
ED-MEDIA Conference Proceedings, AACE, 2008.
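@book{Weippl_EDMEDIAConferenceProceedings_2008,
  author    = {Weippl, Edgar R. and Luca, Joe},
  title     = {{ED-MEDIA} Conference Proceedings},
  year      = {2008},
  month     = jan,
  publisher = {AACE},
}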
-
Edgar R. Weippl and Martin Ebner, "Security Privacy Challenges in E-Learning 2.0," in
E-Learn 2008, 2008.
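@inproceedings{Weippl_SecurityPrivacyChallenges_2008,
  author    = {Weippl, Edgar R. and Ebner, Martin},
  title     = {Security Privacy Challenges in {E-Learning} 2.0},
  booktitle = {E-Learn 2008},
  year      = {2008},
  month     = jan,
}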
-
Johannes Heurix and Thomas Neubauer, "Multiobjective Decision Support for defining Secure Business Processes: A Case Study," in
Proceedings of the Ninth International Conference on Information Integration and Web-based Applications Services, 2008.
@inproceedings{Neubauer_MultiobjectiveDecisionSupport_2008,
  author    = {Johannes Heurix and Thomas Neubauer},
  title     = {Multiobjective Decision Support for defining Secure Business Processes: A Case Study},
  booktitle = {Proceedings of the Ninth International Conference on Information Integration and Web-based Applications Services},
  publisher = {OCG},
  year      = {2008},
  month     = {1},
}
-
Edgar R. Weippl and Bernhard Riedl, "Handbook of Research on Mobile Multimedia, Second Edition." Information Science Reference, 2008, p. IX.
@inbook{Weippl_SecurityTrustandPrivacyonMobileDevicesandMultimediaApplications_2008,
  author    = {{Edgar R.} Weippl and Bernhard Riedl},
  title     = {Handbook of Research on Mobile Multimedia, Second Edition},
  chapter   = {Security, Trust and Privacy on Mobile Devices and Multimedia Applications},
  pages     = {Chapter IX},
  publisher = {Information Science Reference},
  year      = {2008},
  month     = {1},
  note      = {ISBN: 978-1-60566-046-2},
}
-
Edgar R. Weippl and Markus Klemen and Stefan Raffeiner, "The Semantic Web for Knowledge and Data Management: Technologies and Practices." Idea Group, 2008, pp. 38-48.
@inbook{Weippl_ImprovingStorageConceptsforSemanticModelsandOntologies_2008,
  author    = {{Edgar R.} Weippl and Markus Klemen and Stefan Raffeiner},
  title     = {The Semantic Web for Knowledge and Data Management: Technologies and Practices},
  chapter   = {Improving Storage Concepts for Semantic Models and Ontologies},
  pages     = {38--48},
  publisher = {Idea Group},
  year      = {2008},
  month     = {1},
}
-
Edgar R. Weippl, "Encyclopedia of Data Warehousing and Mining." Idea Group, 2008.
@inbook{Weippl_DatabaseSecurityandStatisticalDatabaseSecurity_2008,
  author    = {{Edgar R.} Weippl},
  title     = {Encyclopedia of Data Warehousing and Mining},
  chapter   = {Database Security and Statistical Database Security},
  publisher = {Idea Group},
  year      = {2008},
  month     = {1},
}
-
Gerald Quirchmayr and Simon Tjoa and Stefan Jakoubi, "Enhancing Business Impact Analysis and Risk Assessment applying a Risk-Aware Business Process Modeling and Simulation Methodology," in
Proceedings of the 3rd International Conference on Availability, Reliability and Security, 2008.
@inproceedings{Tjoa_EnhancingBusinessImpact_2008,
  author    = {Gerald Quirchmayr and Simon Tjoa and Stefan Jakoubi},
  title     = {Enhancing {B}usiness {I}mpact {A}nalysis and {R}isk {A}ssessment applying a {R}isk-{A}ware {B}usiness {P}rocess {M}odeling and {S}imulation {M}ethodology},
  booktitle = {Proceedings of the 3rd {I}nternational {C}onference on {A}vailability, {R}eliability and {S}ecurity},
  year      = {2008},
  month     = {1},
  abstract  = {Driven by the steadily growing number of natural disasters, the threat of terrorist and other criminal attacks as well as changed legislation and regulations, companies are increasingly forced to prepare against threats that endanger the survivability of crucial business activities. As a consequence, management has to pay more attention to business continuity issues including serious management commitment and more appropriate funding. Business impact analysis and risk assessment concepts enable adequate business continuity planning as they deliver essential information about the impact of resources' disruption on business. In this paper we present how these concepts can be enhanced through the application of the ROPE (Risk-Oriented Process Evaluation) methodology enabling risk-aware business process management and simulation. Moreover, we present essential extensions of the ROPE simulation capabilities leading to a more efficient and effective business continuity planning.},
}
-
Thomas Neubauer and Christian Stummer and Jan Pichler, "Multiobjective Selection of Software Components: A Case Study," in
Proceedings of the IEEE Asia-Pacific Services Computing Conference, 2008.
@inproceedings{Neubauer_MultiobjectiveSelectionof_2008,
  author    = {Thomas Neubauer and Christian Stummer and Jan Pichler},
  title     = {Multiobjective Selection of Software Components: A Case Study},
  booktitle = {Proceedings of the IEEE Asia-Pacific Services Computing Conference},
  year      = {2008},
  month     = {1},
}
-
Thomas Neubauer and Thomas Mueck, "PIPE: Ein System zur Pseudonymisierung von Gesundheitsdaten," in
Proceedings of e-Health 2008, 2008.
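@inproceedings{Neubauer_PIPEEinSystem_2008,
  author    = {Thomas Neubauer and Thomas Mueck},
  title     = {{PIPE}: Ein {System} zur {Pseudonymisierung} von {Gesundheitsdaten}},
  booktitle = {Proceedings of e-Health 2008},
  year      = {2008},
  month     = {1},
}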
-
Johannes Heurix and Thomas Neubauer, "Objective Types for the Valuation of Secure Business Processes," in
Proceedings of the 7th IEEE/ACIS International Conference on Computer and Information Science, 2008.
@inproceedings{Neubauer_ObjectiveTypesValuation_2008,
  author    = {Johannes Heurix and Thomas Neubauer},
  title     = {Objective Types for the Valuation of Secure Business Processes},
  booktitle = {Proceedings of the 7th IEEE/ACIS International Conference on Computer and Information Science},
  publisher = {IEEE Computer Society},
  year      = {2008},
  month     = {1},
}
-
Thomas Neubauer and Bernhard Riedl, "Improving Patients Privacy with Pseudonymization," in
Proceedings of the International Congress of the European Federation for Medical Informatics, 2008.
@inproceedings{Neubauer_ImprovingPatientsPrivacy_2008,
  author    = {Thomas Neubauer and Bernhard Riedl},
  title     = {Improving Patients Privacy with Pseudonymization},
  booktitle = {Proceedings of the International Congress of the European Federation for Medical Informatics},
  year      = {2008},
  month     = {1},
}
-
Thomas Neubauer and Bernhard Riedl and Veronika Grascher and Mathias Kolb, "Economic and Security Aspects of the Appliance of a Threshold Scheme in e-Health," in
Proceedings of the Third International Conference on Availability, Reliability and Security ARES, 2008.
@inproceedings{Riedl_EconomicandSecurity_2008,
  author    = {Thomas Neubauer and Bernhard Riedl and Veronika Grascher and Mathias Kolb},
  title     = {Economic and Security Aspects of the Appliance of a Threshold Scheme in e-Health},
  booktitle = {{P}roceedings of the {T}hird {I}nternational {C}onference on {A}vailability, {R}eliability and {S}ecurity {ARES}},
  year      = {2008},
  month     = {1},
}
-
Gerald Quirchmayr and Gernot Goluch and Simon Tjoa and Stefan Jakoubi, "Extension of a Methodology for Risk-Aware Business Process Modeling and Simulation Enabling Process-Oriented Incident Handling Support," in
The 22nd International Conference on Advanced Information Networking and Applications, 2008.
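@inproceedings{Tjoa_ExtensionofMethodology_2008,
  author    = {Gerald Quirchmayr and Gernot Goluch and Simon Tjoa and Stefan Jakoubi},
  title     = {Extension of a Methodology for Risk-Aware Business Process Modeling and Simulation Enabling Process-Oriented Incident Handling Support},
  booktitle = {The 22nd International Conference on Advanced Information Networking and Applications},
  publisher = {IEEE Society},
  year      = {2008},
  month     = {1},
  abstract  = {Increasingly, companies face the challenges to perform their business processes effectively as well as efficiently and to simultaneously assure the continuity of these processes. As the majority of companies rely on IT, it is essential to establish effective incident handling. In this paper, we introduce new extensions of the risk-aware business process management framework ROPE (Risk-Oriented Process Evaluation) in order to support the improvement of the management and execution of business processes. We further discuss the advantages of those extensions and how they can support the implementation of standards and best-practices such as the NIST SP800-61 (Computer Security Incident Handling Guide).},
}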
-
Edgar R. Weippl and Simon Tjoa and Stefan Jakoubi,
ARES Conference Proceedings, IEEE, 2008.
@book{Tjoa_ARESConferenceProceedings_2008,
  author    = {{Edgar R.} Weippl and Simon Tjoa and Stefan Jakoubi},
  title     = {ARES Conference Proceedings},
  publisher = {IEEE},
  year      = {2008},
  month     = {1},
}
-
Thomas Neubauer and Bernhard Riedl and Veronika Grascher, "A Secure e-Health Architecture based on the Appliance of Pseudonymization,"
Journal of Software, 2008.
@article{Riedl_SecureeHealthArchitecture_2008,
  author  = {Thomas Neubauer and Bernhard Riedl and Veronika Grascher},
  title   = {A Secure e-Health Architecture based on the Appliance of Pseudonymization},
  journal = {Journal of Software},
  year    = {2008},
  month   = {1},
}
-
Engin Kirda and Corrado Leita and Marc Dacier and Olivier Thonnard and Fabian Pouget and Van Hau Pham and Eduardo Ramirez Silva, "The Leurre.com Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet," in
Proceedings of the 1st WOMBAT workshop, 2008.
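@inproceedings{Leita_LeurrecomProjectCollecting_2008,
  author    = {Engin Kirda and Corrado Leita and Marc Dacier and Olivier Thonnard and Fabian Pouget and {Van Hau} Pham and Eduardo Ramirez Silva},
  title     = {The Leurre.com Project: Collecting Internet Threats Information using a Worldwide Distributed Honeynet},
  booktitle = {Proceedings of the 1st WOMBAT workshop},
  publisher = {IEEE Computer Society},
  year      = {2008},
  month     = {4},
}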
-
A Min Tjoa and Amin Anjomshoaa and Mansoor Ahmed, "Context-Based Privacy Management of Personal Information Using Semantic Desktop: SemanticLIFE Case Study,"
Proceedings of the 10th International Conference on Information Integration and Web-based Application & Services, pp. 214-221, 2008.
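@inproceedings{TUW-168902,
  author    = {{A Min} Tjoa and Amin Anjomshoaa and Mansoor Ahmed},
  title     = {Context-Based Privacy Management of Personal Information Using Semantic Desktop: {SemanticLIFE} Case Study},
  booktitle = {Proceedings of the 10th International Conference on Information Integration and Web-based Application {\&} Services},
  pages     = {214--221},
  publisher = {Oesterreichische Computer Gesellschaft},
  year      = {2008},
  month     = {1},
  note      = {Vortrag: iiWAS 2008, Linz; 2008-11-24 -- 2008-11-26},
}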
-
Mark Strembeck and Bernd Simon and Kasra Seirafi and Gustaf Neumann and Asmund Realfsen, "Evaluate – An Innovative Service for Learning Performance Monitoring in Businesses," in
Workshop on E-Learning for Business Needs, 2008.
@inproceedings{Simon_Evaluate_An_Innovative_Service_2008,
  author    = {Mark Strembeck and Bernd Simon and Kasra Seirafi and Gustaf Neumann and Asmund Realfsen},
  title     = {Evaluate - An Innovative Service for Learning Performance Monitoring in Businesses},
  booktitle = {Workshop on E-Learning for Business Needs},
  year      = {2008},
  month     = {5},
}
-
Mark Strembeck and Jan Mendling, "Influence Factors of Understanding Business Process Models," in
11th International Conference on Business Information Systems (BIS), 2008.
@inproceedings{Mendling_Influence_Factors_of_Understan_2008,
  author    = {Mark Strembeck and Jan Mendling},
  title     = {Influence Factors of Understanding Business Process Models},
  booktitle = {11th International Conference on Business Information Systems (BIS)},
  year      = {2008},
  month     = {5},
}
-
Mark Strembeck and Jan Mendling and Karsten Ploesser, "Specifying Separation of Duty Constraints in BPEL4People Processes," in
11th International Conference on Business Information Systems (BIS), 2008.
@inproceedings{Mendling_Specifying_Separation_of_Duty__2008,
  author    = {Mark Strembeck and Jan Mendling and Karsten Ploesser},
  title     = {Specifying Separation of Duty Constraints in BPEL4People Processes},
  booktitle = {11th International Conference on Business Information Systems (BIS)},
  year      = {2008},
  month     = {5},
}
-
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Fortification of IT security by automatic security advisory processing," in
Proceedings of the 22nd International Conference on Advanced Information Networking and Applications, AINA2008, 2008, pp. 575-582.
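@inproceedings{Fenz_FortificationofIT_2008,
  author    = {Stefan Fenz and {Edgar R.} Weippl and Andreas Ekelhart},
  title     = {Fortification of {IT} security by automatic security advisory processing},
  booktitle = {Proceedings of the 22nd International Conference on Advanced Information Networking and Applications, AINA2008},
  pages     = {575--582},
  publisher = {IEEE Computer Society},
  year      = {2008},
  month     = {3},
  abstract  = {The past years have seen the rapid increase of security related incidents in the field of information technology. IT infrastructures in the commercial as well as in the governmental sector are becoming evermore heterogeneous which increases the complexity of handling and maintaining an adequate security level. Especially organizations which are hosting and processing highly sensitive data are obligated to establish a holistic company-wide security approach. We propose a novel security concept to reduce this complexity by automatic assessment of security advisories. A central entity collects vulnerability information from various sources, converts it into a standardized and machine-readable format and distributes it to its subscribers. The subscribers are then able to automatically map the vulnerability information to the ontological stored infrastructure data to visualize newly-discovered software vulnerabilities. The automatic analysis of vulnerabilities decreases response times and permits precise response to new threats and vulnerabilities, thus decreasing the administration complexity and increasing the IT security level.},
  pdf       = {2008 - Fenz - Fortification of IT Security by Automatic Security Advisory Processing.pdf},
}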
-
Christopher Kruegel and Giovanni Vigna and Luca Foschini and Ashish Thypliyal and Lorenzo Cavallaro, "A Parallel Architecture for Stateful, High-Speed Intrusion Detection," in
International Conference on Information Systems Security (ICISS), Lecture Notes in Computer Science, 2008.
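@inproceedings{Foschini_ParallelArchitectureStateful_2008,
  author    = {Christopher Kruegel and Giovanni Vigna and Luca Foschini and Ashish Thypliyal and Lorenzo Cavallaro},
  title     = {A Parallel Architecture for Stateful, High-Speed Intrusion Detection},
  booktitle = {International Conference on Information Systems Security (ICISS)},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer Verlag},
  year      = {2008},
  month     = {12},
}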
-
Stefan Fenz, "Ontology- and Bayesian-based information security risk management." 2008.
@inproceedings{Fenz_OntologyandBayesianbased_2008,
  author = {Stefan Fenz},
  title  = {Ontology- and Bayesian-based information security risk management},
  year   = {2008},
  month  = {10},
}
-
Engin Kirda and Corrado Leita and Julio Canto and Marc Dacier, "Large Scale Malware Collection: Lessons Learned," in
IEEE SRDS Workshop on Sharing Field Data and Experiment Measurements on Resilience of Distributed Computing System, 2008.
@inproceedings{Canto_LargeScaleMalware_2008,
  author    = {Engin Kirda and Corrado Leita and Julio Canto and Marc Dacier},
  title     = {Large Scale Malware Collection: Lessons Learned},
  booktitle = {IEEE SRDS Workshop on Sharing Field Data and Experiment Measurements on Resilience of Distributed Computing System},
  year      = {2008},
  month     = {10},
  note      = {Naples, Italy},
  pdf       = {Canto_LargeScaleMalware_200.pdf},
}
-
A Min Tjoa and Stefan Fenz, "Ontology- and Bayesian-based Threat Probability Determination," in
Proceedings of the Junior Scientist Conference 2008, 2008, pp. 69-70.
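@inproceedings{Fenz_OntologyandBayesianbased_2008a,
  author    = {{A Min} Tjoa and Stefan Fenz},
  title     = {Ontology- and {Bayesian}-based Threat Probability Determination},
  booktitle = {Proceedings of the Junior Scientist Conference 2008},
  pages     = {69--70},
  publisher = {Vienna University of Technology},
  year      = {2008},
  month     = {11},
  abstract  = {Information security risk management is crucial for ensuring long-term business success and thus numerous approaches to implementing an adequate information security risk management strategy have been proposed. The subjective threat probability determination is one of the main reasons for an inadequate information security strategy endangering the organization in performing its mission. To address the problem this research project proposes an ontology- and Bayesian-based approach for determining asset-specific and comprehensible threat probabilities. The elaborated concepts enable risk managers to comprehensibly quantify the current security status of their organization.},
}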
-
Christopher Kruegel and Engin Kirda and Davide Balzarotti and Giovanni Vigna and Marco Cova and Vika Felmetsger and Nenad Jovanovic, "Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications," in
Security and Privacy, 2008, p. 15.
@inproceedings{Cova_ComposingStaticand_2008,
  author    = {Christopher Kruegel and Engin Kirda and Davide Balzarotti and Giovanni Vigna and Marco Cova and Vika Felmetsger and Nenad Jovanovic},
  title     = {Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications},
  booktitle = {Security and Privacy},
  pages     = {15},
  publisher = {IEEE Security and Privacy},
  year      = {2008},
  month     = {5},
  pdf       = {Cova_ComposingStaticand_.pdf},
}
-
Markus Huber and Stewart Kowalski and Marcus Nohlberg, "Measuring Readiness for Automated Social Engineering," in
CD ROM Proceedings of the 7th Security Conference, 2008.
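@inproceedings{nohlberghuber2008,
  author    = {Markus Huber and Stewart Kowalski and Marcus Nohlberg},
  title     = {Measuring Readiness for Automated Social Engineering},
  booktitle = {CD ROM Proceedings of the 7th Security Conference},
  year      = {2008},
  month     = {6},
  pdf       = {Measuring Readiness against Automated Social Engineering_2008_final_93.pdf},
}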
-
Joern Marc Schmidt, "A Chemical Memory Snapshot," in
Proceedings of Smart Card Research and Advanced Application Conference — CARDIS, 2008.
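@inproceedings{Schmidt_ChemicalMemorySnapshot_2008,
  author    = {Joern Marc Schmidt},
  title     = {A Chemical Memory Snapshot},
  booktitle = {Proceedings of Smart Card Research and Advanced Application Conference -- CARDIS},
  publisher = {Springer},
  year      = {2008},
  month     = {9},
  note      = {To be published},
  abstract  = {Smart cards and embedded systems are part of everyday life. A lot of them contain sensitive data like keys used in secure applications. These keys have to be transferred from non-volatile to static memory to generate signatures or encrypt data. Hence, the possibility to read out the static memory of a device is a crucial security threat. This paper presents a new technique to read out secret data from the internal static memory of a cryptographic device. A chemical reaction of the top metal layer of a decapsulated chip is used to identify lines connected to the positive power supply. Using this information, we are able to obtain the content of memory cells like the secret key of a cryptographic system.},
}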
-
Christopher Kruegel and Engin Kirda and Eric Medvet, "Visual Similarity-Based Phishing Detection," in
IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks, 2008.
@inproceedings{Medvet_VisualSimilarityBasedPhishing_2008,
  author    = {Christopher Kruegel and Engin Kirda and Eric Medvet},
  title     = {Visual Similarity-Based Phishing Detection},
  booktitle = {IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks},
  year      = {2008},
  month     = {9},
  pdf       = {Medvet_VisualSimilarityBasedPhishing_2008.pdf},
}
-
Christopher Kruegel and Engin Kirda and Sean McAllister, "Expanding Human Interactions for In-Depth Testing of Web Applications," in
11th Symposium on Recent Advances in Intrusion Detection (RAID), Boston, MA, 2008.
@inproceedings{McAllister_ExpandingHumanInteractions_2008,
  author    = {Christopher Kruegel and Engin Kirda and Sean McAllister},
  title     = {Expanding Human Interactions for In-Depth Testing of Web Applications},
  booktitle = {11th Symposium on Recent Advances in Intrusion Detection (RAID), Boston, MA},
  year      = {2008},
  month     = {9},
  pdf       = {McAllister_ExpandingHumanInteractions_2008.pdf},
}
-
Marcel Medwed and Joern Marc Schmidt, "A Generic Fault Countermeasure Providing Data and Program Flow Integrity," in
Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2008, Washington DC, USA, August 10, 2008, Proceedings, 2008.
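@inproceedings{Medwed_GenericFaultCountermeasure_2008,
  author    = {Marcel Medwed and Joern Marc Schmidt},
  title     = {A Generic Fault Countermeasure Providing Data and Program Flow Integrity},
  booktitle = {Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2008, Washington DC, USA, August 10, 2008, Proceedings},
  publisher = {IEEE-CS Press},
  year      = {2008},
  month     = {8},
  note      = {To be published},
  abstract  = {So far many software countermeasures against fault attacks have been proposed. However, most of them are tailored to a specific cryptographic algorithm or focus on securing the processed data only. In this work we present a generic and elegant approach by using a highly fault secure algebraic structure. This structure is compatible to finite fields and rings and preserves its error detection property throughout addition and multiplication. Additionally, we introduce a method to generate a fingerprint of the instruction sequence. Thus, it is possible to check the result for data corruption as well as for modifications in the program flow. This is even possible if the order of the instructions is randomized. Furthermore, the properties of the countermeasure allow the deployment of error detection as well as error diffusion. We point out that the overhead for the calculations and for the error checking within this structure is reasonable and that the transformations are efficient. In addition we discuss how our approach increases the security in various kinds of fault scenarios.},
}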
-
Christoph Herbst and Joern Marc Schmidt, "A Practical Fault Attack on Square and Multiply," in
Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2008, Washington DC, USA, August 10, 2008, Proceedings, 2008.
@inproceedings{Schmidt_PracticalFaultAttack_2008,
  author    = {Christoph Herbst and Joern Marc Schmidt},
  title     = {A Practical Fault Attack on Square and Multiply},
  booktitle = {Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2008, Washington DC, USA, August 10, 2008, Proceedings},
  publisher = {IEEE-CS Press},
  year      = {2008},
  month     = {8},
  note      = {To be published},
  abstract  = {In order to provide security for a device, cryptographic algorithms are implemented on them. Even devices using a cryptographically secure algorithm may be vulnerable to implementation attacks like side channel analysis or fault attacks. Most fault attacks on RSA concentrate on the vulnerability of the Chinese Remainder Theorem to fault injections. A few other attacks on RSA which do not use this speed-up technique have been published. Nevertheless, these attacks require a quite precise fault injection like a bit flip or target a special operation without any possibility to check if the fault was injected in the intended way, like in safe-error attacks. In this paper we propose a new attack on square and multiply, based on a manipulation of the control flow. Furthermore, we show how to realize this attack in practice using non-invasive spike attacks and discuss impacts of different side channel analysis countermeasures on our attack. The attack was performed using low cost equipment.},
}
-
Mark Strembeck and Uwe Zdun, "Modeling Interdependent Concern Behavior Using Extended Activity Models,"
Journal of Object Technology (JOT), vol. 7, iss. 6, 2008.
@article{Zdun_Modeling_Interdependent_Concer_2008,
  author  = {Mark Strembeck and Uwe Zdun},
  title   = {Modeling Interdependent Concern Behavior Using Extended Activity Models},
  journal = {Journal of Object Technology (JOT)},
  volume  = {7},
  number  = {6},
  year    = {2008},
  month   = {7},
}
-
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Interactive Selection of ISO 27001 Controls under Multiple Objectives," in
Proceedings of the IFIP TC 11 23rd International Information Security Conference, IFIPSec 2008, 2008, pp. 477-492.
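@inproceedings{Neubauer_InteractiveSelectionof_2008,
  author    = {Stefan Fenz and Andreas Ekelhart and Thomas Neubauer},
  title     = {Interactive Selection of {ISO} 27001 Controls under Multiple Objectives},
  booktitle = {Proceedings of the {IFIP} {TC} 11 23rd International Information Security Conference, {IFIPSec} 2008},
  volume    = {278},
  pages     = {477--492},
  publisher = {Springer},
  year      = {2008},
  month     = {7},
  pdf       = {2008 - Neubauer - Interactive Selection of ISO 27001 Controls under Multiple Objectives.pdf},
}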
-
Christopher Kruegel and Giovanni Vigna and Marco Cova, "There Is No Free Phish: An Analysis of 'Free' and Live Phishing Kits," in
Usenix Workshop on Offensive Technologies (WOOT), 2008, p. 8.
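@inproceedings{MarcoCova_ThereIsNo_2008,
  author    = {Christopher Kruegel and Giovanni Vigna and Marco Cova},
  title     = {There Is No Free Phish: An Analysis of {``Free''} and Live Phishing Kits},
  booktitle = {Usenix Workshop on Offensive Technologies (WOOT)},
  pages     = {8},
  year      = {2008},
  month     = {7},
  pdf       = {MarcoCova_ThereIsNo_2008.pdf},
}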
-
Edgar R. Weippl, "Cyber Attacks and the article 5 of the Treaty of NATO,"
Euro Atlantic Quarterly, p. 22, 2008.
@article{weippl_gca,
  author  = {{Edgar R.} Weippl},
  title   = {Cyber Attacks and the article 5 of the Treaty of NATO},
  journal = {Euro Atlantic Quarterly},
  pages   = {22},
  year    = {2008},
  month   = {1},
  note    = {ISSN 1336-8761},
  pdf     = {Papers\Weippl\gca_article5.doc},
}
-
Christopher Kruegel and Engin Kirda and Sean McAllister, "Leveraging User Interactions for In-Depth Testing of Web Applications," in
Symposium on Recent Advances in Intrusion Detection, 2008.
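@inproceedings{Allister_SymposiumRecentAdvances_2008,
  author    = {Christopher Kruegel and Engin Kirda and Sean McAllister},
  title     = {Leveraging User Interactions for In-Depth Testing of Web Applications},
  booktitle = {Symposium on Recent Advances in Intrusion Detection},
  year      = {2008},
  month     = {1},
}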
-
Thomas Neubauer and Christian Stummer, "Interactive Decision Support for multiobjective COTS Selection," in
Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS2007, 2007.
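@inproceedings{Neubauer_InteractiveDecisionSupport_2007,
  author     = {Thomas Neubauer and Christian Stummer},
  title      = {Interactive Decision Support for multiobjective {COTS} Selection},
  booktitle  = {Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS2007},
  year       = {2007},
  month      = {1},
  sbahotlist = {true},
}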
-
Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song, "Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis," in
Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007.
@inproceedings{Yin_PanoramaCapturingSystemwide_2007,
  author     = {Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song},
  title      = {Panorama: {C}apturing {S}ystem-wide {I}nformation {F}low for {M}alware {D}etection and {A}nalysis},
  booktitle  = {Proceedings of the 14th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity},
  year       = {2007},
  month      = {11},
  sbahotlist = {true},
}
-
Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "Security Ontologies: Improving Quantitative Risk Analysis," in
Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS2007, 2007, pp. 156-162.
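@inproceedings{Ekelhart_SecurityOntologiesImproving_2007,
  author     = {Stefan Fenz and {Edgar R.} Weippl and Markus Klemen and Andreas Ekelhart},
  title      = {Security Ontologies: Improving Quantitative Risk Analysis},
  booktitle  = {Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS2007},
  pages      = {156--162},
  publisher  = {IEEE Computer Society},
  year       = {2007},
  month      = {1},
  isbn       = {0-7695-2755-8},
  pdf        = {2007 - Ekelhart - Security Ontologies Improving Quantitative Risk Analysis.pdf},
  sbahotlist = {true},
}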
-
Christopher Kruegel and Engin Kirda and Martin Szydlowski, "Secure Input for Web Applications," in
Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007, 2007.
@inproceedings{Szydlowski_SecureInputWeb_2007,
  author     = {Christopher Kruegel and Engin Kirda and Martin Szydlowski},
  title      = {Secure {I}nput for {W}eb {A}pplications},
  booktitle  = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
  year       = {2007},
  month      = {12},
  sbahotlist = {true},
}
-
Christopher Kruegel and Engin Kirda and Andreas Moser, "Limits of Static Analysis for Malware Detection," in
Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) 2007, 2007.
@inproceedings{Moser_LimitsofStatic_2007,
  author     = {Christopher Kruegel and Engin Kirda and Andreas Moser},
  title      = {Limits of {S}tatic {A}nalysis for {M}alware {D}etection},
  booktitle  = {Proceedings of the 23rd {A}nnual {C}omputer {S}ecurity {A}pplications {C}onference ({ACSAC}) 2007},
  year       = {2007},
  month      = {12},
  pdf        = {Moser_LimitsofStatic_2007.pdf},
  sbahotlist = {true},
}
-
Christopher Kruegel and Engin Kirda and Thomas Raffetseder, "Building Anti-Phishing Browser Plug-Ins: An Experience Report," in
Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE), 2007.
@inproceedings{Raffetseder_BuildingAntiPhishingBrowser_2007,
  author     = {Christopher Kruegel and Engin Kirda and Thomas Raffetseder},
  title      = {Building Anti-Phishing Browser Plug-Ins: An Experience Report},
  booktitle  = {Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS) 29th International Conference on Software Engineering (ICSE)},
  publisher  = {IEEE Computer Society Press},
  year       = {2007},
  month      = {5},
  sbahotlist = {true},
}
-
Christopher Kruegel and Engin Kirda and Andreas Moser, "Exploring Multiple Execution Paths for Malware Analysis," in
Proceedings of the IEEE Symposium on Security and Privacy 2007, 2007.
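@inproceedings{Moser_ExploringMultipleExecution_2007,
  author     = {Christopher Kruegel and Engin Kirda and Andreas Moser},
  title      = {Exploring Multiple Execution Paths for Malware Analysis},
  booktitle  = {Proceedings of the IEEE Symposium on Security and Privacy 2007},
  publisher  = {IEEE Computer Society Press},
  year       = {2007},
  month      = {5},
  abstract   = {Malicious code or malware is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked. The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.},
  sbahotlist = {true},
}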
-
Christopher Kruegel and Engin Kirda and Manuel Egele and Heng Yin and Dawn Song, "Dynamic Spyware Analysis," in
Proceedings of the USENIX Annual Technical Conference, 2007.
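@inproceedings{Egele_DynamicSpywareAnalysis_2007,
  author     = {Kruegel, Christopher and Kirda, Engin and Egele, Manuel and Yin, Heng and Song, Dawn},
  title      = {Dynamic Spyware Analysis},
  booktitle  = {Proceedings of the {USENIX} Annual Technical Conference},
  year       = {2007},
  month      = jun,
  sbahotlist = {true},
}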
-
Christopher Kruegel and Davide Balzarotti and William Robertson and Giovanni Vigna, "Improving Signature Testing Through Dynamic Data Flow Analysis," in
Proceedings of the 23rd Annual Computer Security Applications Conference ACSAC 2007, 2007.
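@inproceedings{Balzarotti_ImprovingSignatureTesting_2007,
  author     = {Kruegel, Christopher and Balzarotti, Davide and Robertson, William and Vigna, Giovanni},
  title      = {Improving Signature Testing Through Dynamic Data Flow Analysis},
  booktitle  = {Proceedings of the 23rd Annual Computer Security Applications Conference {ACSAC} 2007},
  year       = {2007},
  month      = dec,
  sbahotlist = {true},
}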
-
Gerald Quirchmayr and Simon Tjoa and Stefan Jakoubi, "ROPE: A Methodology for Enabling the Risk-Aware Modeling and Simulation of Business Processes," in
Proceedings of the 15th European Conference on Information Systems (ECIS 2007), 2007.
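@inproceedings{Jakoubi_ROPEMethodologyEnabling_2007,
  author     = {Quirchmayr, Gerald and Tjoa, Simon and Jakoubi, Stefan},
  title      = {{ROPE}: A Methodology for Enabling the Risk-Aware Modeling and Simulation of Business Processes},
  booktitle  = {Proceedings of the 15th European Conference on Information Systems ({ECIS} 2007)},
  year       = {2007},
  month      = jan,
  sbahotlist = {true},
  abstract   = {Risk management is essential regarding the maintenance of a companys business processes. The ability of companies to prevent risks as well as to respond quickly and appropriately to emerging threats is increasingly becoming a crucial success factor. In order to cope with these challenges, companies constitute business process and risk management approaches. Traditional business process management focuses on the economical optimization of processes. Apart from that, risk management designs robust business processes to strengthen the resilience of daily business. Both domains try to improve business, but both approach this goal from a different view on the understanding of improvement. Due to the fact that optimizing recommendations of business process management and risk management may be contradictory, we propose one unified method that unites both points of views to enable risk-aware business process management and optimization. In this paper, we introduce the ROPE (Risk-Oriented Process Evaluation) methodology which combines capabilities of business process management, risk management and business continuity management to support the holistic evaluation of business processes not only regarding their economic efficiency but also their robustness and security. The basis for this combination are the refinement of business process activities into four atomic elements (Conditions, Actions, Resources and Environments) and a process-oriented way of modeling threats as well as security, counter and recovery measures. In this paper we demonstrate how to enable risk-aware business process management and simulation through the application of the ROPE methodology.},
}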
-
Christopher Kruegel and Engin Kirda and Angelo Rosiello and Fabrizio Ferrandi, "A Layout-Similarity-Based Approach for Detecting Phishing Pages," in
Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2007.
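@inproceedings{Rosiello_LayoutSimilarityBasedApproachDetecting_2007,
  author     = {Kruegel, Christopher and Kirda, Engin and Rosiello, Angelo and Ferrandi, Fabrizio},
  title      = {A Layout-Similarity-Based Approach for Detecting Phishing Pages},
  booktitle  = {Proceedings of {IEEE} International Conference on Security and Privacy in Communication Networks ({SecureComm})},
  year       = {2007},
  month      = jan,
  sbahotlist = {true},
}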
-
Christopher Kruegel and Engin Kirda and Florian Nentwich and Giovanni Vigna and Nenad Jovanovic and Philipp Vogt, "Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis," in
Proceedings of 14th Annual Network and Distributed System Security Symposium (NDSS 2007), 2007.
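@inproceedings{Vogt_CrossSiteScripting_2007,
  author     = {Kruegel, Christopher and Kirda, Engin and Nentwich, Florian and Vigna, Giovanni and Jovanovic, Nenad and Vogt, Philipp},
  title      = {Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis},
  booktitle  = {Proceedings of 14th Annual Network and Distributed System Security Symposium ({NDSS} 2007)},
  year       = {2007},
  month      = feb,
  sbahotlist = {true},
}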
-
Christopher Kruegel and Engin Kirda and Paolo Milani Comparetti and Gilbert Wondracek, "Automatic Network Protocol Analysis," in
Proceedings of the Network and Distributed System Security Symposium Conference (NDSS), San Diego 2007, 2007.
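@inproceedings{Wondracek_AutomaticNetworkProtocol_2007,
  author     = {Kruegel, Christopher and Kirda, Engin and Milani Comparetti, Paolo and Wondracek, Gilbert},
  title      = {Automatic Network Protocol Analysis},
  booktitle  = {Proceedings of the Network and Distributed System Security Symposium Conference ({NDSS}), San Diego 2007},
  year       = {2007},
  month      = jan,
  sbahotlist = {true},
}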
-
Alexander Schatten and Heinz Roth and Josef Schiefer and Martin Suntinger, "Simulating Business Process Scenarios for event-based Systems," in
Proceedings of the 15th European Conference on Information Systems (ECIS 2007), 2007.
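@inproceedings{Schiefer_SimulatingBusinessProcess_2007,
  author     = {Schatten, Alexander and Roth, Heinz and Schiefer, Josef and Suntinger, Martin},
  title      = {Simulating Business Process Scenarios for event-based Systems},
  booktitle  = {Proceedings of the 15th European Conference on Information Systems ({ECIS} 2007)},
  year       = {2007},
  month      = jan,
  sbahotlist = {true},
  abstract   = {Todays networked business environment requires systems which are adaptive and easy to integrate. Event-based systems have been developed and used to control business processes with loosely coupled systems. Research and product development focused so far on efficiency issues, but neglected simulation support to build robust and efficient event-driven applications. In this paper, we propose a simulation model that allows imitating real-world operations of business processes in order to improve efficiency and effectiveness of event-based systems. Our approach uses discrete eventsimulation and a graphical model for defining event sequences for business process scenarios. For better handling the complexity and variability of business processes, we use a hybrid simulation approach, which is able to combine various ways to compose event sequences and generate representative event data. As an example, we show how annotated WS-BPEL process descriptions can be used to automatically generate event sequences representing typical process execution paths for simulation purposes.},
}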
-
Christopher Kruegel and Engin Kirda and Nenad Jovanovic and Stefan Kals, "SecuBat: A Web Vulnerability Scanner," in
Proceedings of The 15th International World Wide Web Conference (WWW 2006), 2006.
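@inproceedings{Kals_SecuBatWebVulnerability_2006,
  author     = {Kruegel, Christopher and Kirda, Engin and Jovanovic, Nenad and Kals, Stefan},
  title      = {{SecuBat}: A Web Vulnerability Scanner},
  booktitle  = {Proceedings of The 15th International World Wide Web Conference ({WWW} 2006)},
  year       = {2006},
  month      = may,
  sbahotlist = {true},
  abstract   = {As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.},
}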
-
Christopher Kruegel and Engin Kirda and Nenad Jovanovic, "Preventing Cross Site Request Forgery Attacks," in
Proceedings of IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006.
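@inproceedings{Jovanovic_PreventingCrossSite_2006,
  author     = {Kruegel, Christopher and Kirda, Engin and Jovanovic, Nenad},
  title      = {Preventing Cross Site Request Forgery Attacks},
  booktitle  = {Proceedings of {IEEE} International Conference on Security and Privacy in Communication Networks ({SecureComm})},
  year       = {2006},
  month      = aug,
  sbahotlist = {true},
  abstract   = {The web has become an indispensable part of our lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting web applications and web-based information systems. Previous work in the field of web application security has mainly focused on the mitigation of Cross Site Scripting (XSS) and SQL injection attacks. In contrast, Cross Site Request Forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by web application developers. As a result, there exist many web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source web applications, without negatively affecting their behavior.},
}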
-
Christopher Kruegel and Engin Kirda and Nenad Jovanovic, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)," in
Proceedings of the IEEE Symposium on Security and Privacy 2006, 2006.
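@inproceedings{Jovanovic_PixyStaticAnalysis_2006,
  author     = {Kruegel, Christopher and Kirda, Engin and Jovanovic, Nenad},
  title      = {{Pixy}: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)},
  booktitle  = {Proceedings of the {IEEE} Symposium on Security and Privacy 2006},
  publisher  = {IEEE Computer Society Press},
  year       = {2006},
  month      = may,
  sbahotlist = {true},
}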
-
Christopher Kruegel and Engin Kirda and Giovanni Vigna and Richard A. Kemmerer and Greg Banks, "Behavior-Based Spyware Detection," in
Proceedings of USENIX Security 06, 2006.
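@inproceedings{Kirda_BehaviorBasedSpywareDetection_2006,
  author     = {Kruegel, Christopher and Kirda, Engin and Vigna, Giovanni and Kemmerer, Richard A. and Banks, Greg},
  title      = {Behavior-Based Spyware Detection},
  booktitle  = {Proceedings of {USENIX} Security 06},
  year       = {2006},
  month      = aug,
  sbahotlist = {true},
}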
-
A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "The Semantic Desktop: A Semantic Personal Information Management System based on RDF and Topic Maps," in
Proceedings of the ODBIS Workshop, 31st International Conference on Very Large Data Bases (VLDB) 2005, 2005, pp. 135-151.
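@inproceedings{Weippl_SemanticDesktopSemantic_2005,
  author     = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas},
  title      = {The Semantic Desktop: A Semantic Personal Information Management System based on {RDF} and Topic Maps},
  booktitle  = {Proceedings of the {ODBIS} Workshop, 31st International Conference on Very Large Data Bases ({VLDB}) 2005},
  number     = {4623},
  pages      = {135--151},
  year       = {2005},
  month      = oct,
  sbahotlist = {true},
  pdf        = {2005 - Weippl - The Semantic Desktop.pdf},
}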
-
Edgar R. Weippl and Eva Gahleitner and Wernher Behrendt and Juergen Palkoska, "On Cooperatively Creating Dynamic Ontologies," in
Proceedings of the 16th ACM Conference on Hypertext and Hypermedia, 2005.
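@inproceedings{Gahleitner_CooperativelyCreatingDynamic_2005,
  author     = {Weippl, Edgar R. and Gahleitner, Eva and Behrendt, Wernher and Palkoska, Juergen},
  title      = {On Cooperatively Creating Dynamic Ontologies},
  booktitle  = {Proceedings of the 16th {ACM} Conference on Hypertext and Hypermedia},
  publisher  = {ACM},
  year       = {2005},
  month      = sep,
  sbahotlist = {true},
}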
-
Edgar R. Weippl and Viesturs Kaugers, "Recent developments in model-driven architecture and security,"
Journal of Information Technology Theory and Application (JITTA), vol. 3, iss. 4, pp. 133-139, 1900.
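@article{Neubauer_MultiobjectiveDecisionSupport_2008_full,
  author    = {Heurix, Johannes and Neubauer, Thomas},
  title     = {Multiobjective Decision Support for defining Secure Business Processes: A Case Study},
  journal   = {International Journal of Business Intelligence and Data Mining},
  volume    = {3},
  number    = {2},
  pages     = {177--195},
  publisher = {OCG},
  year      = {2008},
  month     = jan,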
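}
@inproceedings{Christodorescu_MiningSpecificationsof_2007,
  author    = {Kruegel, Christopher and Christodorescu, Mihai and Jha, Somesh},
  title     = {Mining Specifications of Malicious Behavior},
  booktitle = {Proceedings of the European Software Engineering Conference and the {ACM} Symposium on the Foundations of Software Engineering ({ESEC FSE})},
  year      = {2007},
  month     = sep,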
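}
@inproceedings{Stermsek_User_Profile_Refinement_Using__2007,
  author    = {Strembeck, Mark and Neumann, Gustaf and Stermsek, Gerald},
  title     = {User Profile Refinement Using Explicit User Interest Modeling},
  booktitle = {37. Jahrestagung der Gesellschaft f{\"u}r Informatik (GI)},
  year      = {2007},
  month     = sep,
  abstract  = {In this paper, we present an approach to refine user profiles that were derived from Web server logs in an automated procedure. In most application scenarios, such automatically derived profiles can only deliver a preliminary result and require human interaction for further refinement. We describe the individual steps to enhance and refine derived user profiles which can be used for personalization purposes (e.g. information filtering). In particular, the user can choose to refine the profile manually or use supporting techniques, such as ontologies, that assist him in the refinement process. In addition to information included in automatically derived profiles, the user thus explicitly provides information to refine his profile.},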
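}
@inproceedings{Latif_QuestionDrivenSemantics_2007,
  author    = {Weippl, Edgar R. and Latif, Khalid},
  title     = {Question Driven Semantics Interpretation for Collaborative Knowledge Engineering and Ontology Reuse},
  booktitle = {{IEEE} International Conference on Information Reuse and Integration},
  year      = {2007},
  month     = aug,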
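}
@article{Zdun_Object_based_and_class_based_c_2007,
  author  = {Strembeck, Mark and Zdun, Uwe and Neumann, Gustaf},
  title   = {Object-based and class-based composition of transitive mixins},
  journal = {Information and Software Technology},
  volume  = {49},
  number  = {8},
  year    = {2007},
  month   = aug,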
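}
@inproceedings{Rozsnyai_EventCloud_2007,
  author    = {Schatten, Alexander and Schiefer, Josef and Rozsnyai, Szabolcs and Vecera, Roland},
  title     = {Event Cloud - Searching for Correlated Business Events},
  booktitle = {Proceedings of the 4th {IEEE} International Conference on Enterprise Computing, E-Commerce and E-Services ({IEEE} 07)},
  pages     = {409--420},
  publisher = {IEEE Computer Society},
  year      = {2007},
  month     = jul,
  abstract  = {Market players that can respond to critical business events faster than their competitors will end up as winners in the fast moving economy. Event-based systems have been developed and used to implement networked and adaptive business environments based on loosely coupled systems. In this paper, we introduce Event Cloud, a system that allows searching for business events in a variety of contexts that also take the relationships between events into consideration. Event Cloud supports knowledge workers in their daily operations in order to perform investigations and analyses based on historical events. It enables users to search in large sets of historical events which are correlated and indexed in a data staging process with an easy-to-use search interface. For improving the search results, we propose an index based ranking system. We present an architecture for the Event Cloud system, which supports a continuous near real-time integration of business events with the aim of decreasing the time it takes to make them available for searching purposes. We have fully implemented the proposed architecture and discuss implementation details.},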
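}
@inproceedings{Weippl_SecurityOntologiesHow_2007,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas},
  title     = {Security Ontologies: How to Improve Understanding of Complex Relationships},
  booktitle = {Proceedings of the World Conference on Educational Multimedia, Hypermedia and Telecommunications 2007},
  pages     = {404--407},
  publisher = {AACE},
  year      = {2007},
  month     = jun,
  abstract  = {It is commonly accepted that simulation can provide a valuable tool in improving learning. Building on a complex knowledge base of IT security related concepts we offer our students a simulation to experience how different safeguards can influence the outcome of security incidents. The goal is to teach students that countermeasures have to cost-effective, that is, the cost of installing and operating safeguards should not exceed the anticipated benefit.},
  pdf       = {2007 - Weippl - Security Ontologies How to Improve Understanding of Complex Relationships.pdf},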
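}
@inproceedings{Strembeck_VIDIHIP_A_Web_Service_based_In_2007,
  author    = {Strembeck, Mark and Plhal, Otto},
  title     = {{VIDIHIP} - A Web Service based Integration Platform for Power Plant Control Systems},
  booktitle = {{IEEE} International Conference on Service-Oriented Computing and Applications ({SOCA})},
  year      = {2007},
  month     = jun,
  abstract  = {European energy supply companies typically run a conglomerate of different, geographically distributed power plants. Unfortunately, the corresponding power plant control systems are based on proprietary technology and an integration of these control systems is a very complex task. We thus conducted a project to build an integration platform for power plant control systems that is based on open standards and technologies. In this paper, we describe the Vienna District Heating Integration Platform (VIDIHIP). VIDIHIP is based on Web Service technology and allows for the integration of arbitrary (heterogenous) power plant control systems. It provides a consistent interface to access different decentralized control systems and each standard Web browser can be used as a control front-end for VIDIHIP.},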
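}
@inproceedings{Stermsek_A_User_Profile_Derivation_Appr_2007,
  author    = {Strembeck, Mark and Neumann, Gustaf and Stermsek, Gerald},
  title     = {A User Profile Derivation Approach based on Log-File Analysis},
  booktitle = {International Conference on Information and Knowledge Engineering ({IKE})},
  year      = {2007},
  month     = jun,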
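}
@inproceedings{Ekelhart_OntologicalMappingof_2007,
  author        = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Goluch, Gernot},
  title         = {Ontological Mapping of Common Criterias Security Assurance Requirements},
  booktitle     = {New Approaches for Security, Privacy and Trust in Complex Environments, Proceedings of the IFIP TC 11 22nd International Information Security Conference, IFIPSEC2007, May 14-16},
  volume        = {232},
  pages         = {85--95},
  publisher     = {International Federation for Information Processing},
  year          = {2007},
  month         = may,
  isbn          = {978-0-387-72366-2},
  abstract      = {The Common Criteria (CC) for Information Technology Security Evaluation provides comprehensive guidelines for the evaluation and certification of IT security regarding data security and data privacy. Due to the very complex and time-consuming certification process a lot of companies abstain from a CC certification. We created the CC Ontology tool, which is based on an ontological representation of the CC catalog, to support the evaluator at the certification process. Tasks such as the planning of an evaluation process, the review of relevant documents or the creating of reports are supported by the CC Ontology tool. With the development of this tool we reduce the time and costs needed to complete a certification.},
  internal-note = {volume was recorded as 232_2007 in the source record; the year is kept in the year field},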
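}
@inproceedings{Ekelhart_SecurityIssuesUse_2007,
  author        = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas},
  title         = {Security Issues for the Use of Semantic Web in e-Commerce},
  booktitle     = {Business Information Systems, 10th International Conference on Business Information Systems, BIS 2007},
  pages         = {1--13},
  publisher     = {Springer Berlin Heidelberg},
  year          = {2007},
  month         = apr,
  pdf           = {2007 - Ekelhart - Security Issues for the Use of Semantic Web in e-Commerce.pdf},
  internal-note = {source record had number = 978-3-540- (apparently a truncated ISBN, not an issue number); complete value not available in the record},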
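}
@inproceedings{Goluch_CASSISComputerbased_2007,
  author    = {Fenz, Stefan and Ekelhart, Andreas and Goluch, Gernot and Tjoa, Simon and Jakoubi, Stefan and Riedl, Bernhard},
  title     = {{CASSIS} - Computer-based Academy for Security and Safety in Information Systems},
  booktitle = {Proceedings of the 2nd Conference on Availability, Reliability and Security, ARES2007},
  pages     = {730--740},
  publisher = {IEEE Computer Society},
  year      = {2007},
  month     = apr,
  isbn      = {978-0-7695-2775-8},
  abstract  = {Information technologies and society are highly interwoven nowadays, but in both, the private and business sector, users are often not aware of security issues or lack proper security skills. The branch of information technology security is growing constantly but attacks against the vocational sector as well as the personal sector still cause great losses each day. Considering that the end-user is the weakest link of the security chain we aim to raise awareness, regarding IT security, and train and educate IT security skills by establishing a European-wide initiative and framework.},
  pdf       = {2007 - Goluch - CASSIS.pdf},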
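}
@inproceedings{Fenz_InformationSecurityFortification_2007,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Goluch, Gernot and Riedl, Bernhard},
  title     = {Information Security Fortification by Ontological Mapping of the {ISO IEC} 27001 Standard},
  booktitle = {Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing, PRDC2007},
  pages     = {381--388},
  publisher = {IEEE Computer Society},
  year      = {2007},
  month     = dec,
  isbn      = {0-7695-3054-0},
  pdf       = {2007 - Fenz - Information Security Fortification by Ontological Mapping of the ISOIEC 27001 Standard.pdf},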
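}
@inproceedings{Neubauer_BusinessProcessBased_2007,
  author        = {Neubauer, Thomas},
  title         = {Business Process Based Valuation and Selection of {IT} Investments, Development and Implementation of a Method for the Interactive Selection of {IT} Investments under Multiple Objectives},
  year          = {2007},
  month         = oct,
  internal-note = {booktitle is missing although required for this entry type; the source record names no venue},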
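}
@inproceedings{Raffetseder_DetectingSystemEmulators_2007,
  author    = {Kruegel, Christopher and Kirda, Engin and Raffetseder, Thomas},
  title     = {Detecting System Emulators},
  booktitle = {Proceedings of the Information Security Conference ({ISC})},
  year      = {2007},
  month     = oct,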
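}
@inproceedings{Rozsnyai_SolutionArchitectureDetecting_2007,
  author    = {Schatten, Alexander and Schiefer, Josef and Rozsnyai, Szabolcs},
  title     = {Solution Architecture for Detecting and Preventing Fraud in Real Time},
  booktitle = {Proceedings of the The Second International Conference on Digital Information Management (ICDIM07)},
  publisher = {IEEE},
  year      = {2007},
  month     = oct,
  abstract  = {Fraud has been an issue since the very beginnings of commerce. Today, as business moved into the online era, this topic has become a major issue in e-commerce. In this paper, we introduce a solution architecture for detection and preventing fraud in real time by using an event-based system called SARI (Sense and Respond Infrastructure). We present the architecture and components for a realtime fraud management solution which can be easily adapted to the business needs of domain experts and business users. The SARI system provides functions to monitor customer behavior as well as it can steer and optimize customer processes in real time. For illustrating our approach, we show fraud scenarios of an online gambling service provider.},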
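}
@inproceedings{Schmidt_OpticalandEM_2007,
  author    = {Hutter, Michael and Schmidt, Joern Marc},
  title     = {Optical and {EM} Fault-Attacks on {CRT}-based {RSA}: Concrete Results},
  booktitle = {Proceedings of the Austrochip 2007},
  pages     = {61--67},
  publisher = {Verlag der Technischen Universit},
  year      = {2007},
  month     = oct,
  isbn      = {978-3-902465-87-0},
  abstract  = {RSA is a well-known algorithm that is used in various cryptographic systems like smart cards and e-commerce applications. This article presents practical attacks on implementations of RSA that use the Chinese Remainder Theorem (CRT). The attacks have been performed by inducing faults into a cryptographic device through optical and electromagnetic injections. We show optical attacks using fibre-optic light guides. Furthermore, we present a new non-invasive electromagnetic fault-attack using high-frequency spark gaps. All attacks have been performed using low-cost equipment.},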
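}
@inproceedings{Abramowicz_Securityaspectsin_2007,
  author    = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Abramowicz, Witold and Zyskowski, Dominik and Kaczmarek, Monika},
  title     = {Security aspects in Semantic Web Services Filtering},
  booktitle = {Proceedings of the 9th @WAS International Conference on Information Integration and Web-based Applications \& Services (iiWAS2007)},
  volume    = {229},
  pages     = {21--31},
  publisher = {Austrian Computer Society},
  year      = {2007},
  month     = jan,
  abstract  = {Security and trust aspects, perceived as difficult to quantify, have been neglected in various service interactions. However, factors related to security and trust are in fact crucial in the overall value of service quality. A security ontology that enables a quantification of risks related to the usage of Semantic Web services in enterprise information systems was created to meet users' requirements and enhance Semantic Web services with machine processable security information. This article presents how this security ontology can be integrated into the Web service description and how it enhances the process of Web services filtering.},
  pdf       = {2007 - Abramowicz - Security Aspects in Semantic Web Services Filtering.pdf},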
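}
@incollection{Bock_SocialEngineering_2007,
  author    = {Weippl, Edgar R. and Klemen, Markus and B{\"o}ck, Benjamin},
  title     = {Social Engineering},
  booktitle = {The Handbook of Computer Networks},
  publisher = {Wiley},
  year      = {2007},
  month     = jan,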
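}
@article{Ekelhart_Architecturalapproachhandling_2007,
  author   = {Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas and Goluch, Gernot},
  title    = {Architectural approach for handling semi-structured data in an user-centered working environment},
  journal  = {International Journal of Web Information Systems},
  volume   = {3},
  number   = {3},
  pages    = {198--211},
  year     = {2007},
  month    = jan,
  issn     = {1744-0084},
  abstract = {Purpose of this paper Today the amount of all kind of digital data (e.g., documents and e-mails), existing on every user's computer, is continuously growing. Users are faced with huge difficulties when it comes to handling the existing data pool and finding specific information respectively. We aim to discover new ways of searching and finding semi-structured data by integrating semantic metadata. Design/methodology/approach The proposed architecture allows cross border searches spanning various applications and operating system activities (e.g., file access and network traffic) and improves the human working process by offering context specific, automatically generated links that are created using ontologies. Findings The proposed semantic enrichment of automated gathered data is a useful approach to reflect the human way of thinking which is accomplished by remembering relations rather than keywords or tags. The proposed architecture supports the goals of supporting the human working process by managing and enriching personal data, e.g. by providing a database model which supports the semantic storage idea through a generic and flexible structure or the modular structure and composition of data collectors. Originality/value Available programs to manage personal data usually offer searches either via keywords or full text search. Each of these existing search methodologies has its shortcomings and apart from that, people tend to forget names of specific objects. It is often easier to remember the context of a situation in which e.g. a file was created or a website was visited. By proposing our architectural approach for handling semi-structured data we are able to offer sophisticated and more applicable search mechanism regarding the way of human thinking.},
  pdf      = {2007 - Ekelhart - Architectural Approach for Handling Semi-Structured Data in a User-Centered Working Environment.pdf},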
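}
@inproceedings{Ekelhart_Formalthreatdescriptions_2007,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Neubauer, Thomas},
  title     = {Formal threat descriptions for enhancing governmental risk assessment},
  booktitle = {Proceedings of the First International Conference on Theory and Practice of Electronic Governance},
  volume    = {232},
  pages     = {40--43},
  publisher = {ACM},
  year      = {2007},
  month     = jan,
  isbn      = {978-1-59593-822-0},
  abstract  = {Compared to the last decades, we have recently seen more and more governmental applications which are provided via the Internet directly to the citizens. Due to the long history of IT systems in the governmental sector and the connection of these legacy systems to newer technologies, most governmental institutions are faced with a heterogeneous IT environment. More and more governmental duties and responsibilities rely solely on IT systems which have to be highly dependable to ensure the proper operation of these governmental services. An increasing amount of software vulnerabilities and the generally heightened physical threat level due to terror attacks and natural disasters demand for a holistic IT security approach which captures, manages, and secures the entire governmental IT infrastructure. Our contribution is (1) a novel inventory solution, (2) a mechanism to embed the virtual IT infrastructure data into a physical model provided by our security ontology, and (3) a methodology to automatically identify threatened assets and to reason on the current security status based on formal threat definitions taking software configurations and physical locations into account. A prototypical implementation of the aforementioned concepts shows how these concepts help governmental institutions to secure their IT infrastructure in a holistic and systematic way to fortify their IT systems in an appropriate way against current and future threats.},
  pdf       = {2007 - Ekelhart - Formal Threat Descriptions for Enhancing Governmental Risk Assessment.pdf},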
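}

@article{Jakoubi_EnablingRiskAwareModeling_2007,
  author   = {Quirchmayr, Gerald and Tjoa, Simon and Jakoubi, Stefan},
  title    = {Enabling the Risk-Aware Modeling and Simulation of Business Processes},
  journal  = {JISSec - Journal of Information System Security},
  year     = {2007},
  month    = jan,
  abstract = {Risk management is essential regarding the maintenance of a company's business processes. The ability of companies to prevent risks as well as to respond quickly and appropriately to emerging threats is increasingly becoming a crucial success factor. In order to cope with these challenges, companies constitute business process and risk management approaches. Traditional business process management focuses on the economical optimization of processes. Apart from that, risk management provides the design of robust business processes to strengthen the resilience of daily business. Both domains aim at improving business performance, but they approach this goal from a different view on the understanding of improvement. Due to the fact that optimizing recommendations of business process management and risk management may be contradictory, we propose one unified method which integrates both points of views to enable risk-aware business process management and optimization. In this paper, we introduce the ROPE (Risk-Oriented Process Evaluation) methodology which combines capabilities of business process management, risk management and business continuity management to support the holistic evaluation of business processes not only regarding their economic efficiency but also their robustness and security. The basis for this combination is the refinement of business process activities into four atomic elements (Conditions, Actions, Resources and Environments) and a process-oriented way of modeling threats, preventive and reactive counter measures as well as recovery measures. In this paper we demonstrate how risk-aware business process management and simulation can be enabled through the application of the ROPE methodology.},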
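}

@incollection{Klemen_BusinessRequirementsofBackupSystems_2007,
  author    = {Weippl, Edgar R. and Klemen, Markus and Neubauer, Thomas},
  title     = {Business Requirements of Backup Systems},
  booktitle = {The Handbook of Computer Networks},
  publisher = {Wiley},
  year      = {2007},
  month     = jan,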
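}

@inproceedings{Ludl_EffectivenessofTechniques_2007,
  author    = {Kruegel, Christopher and Kirda, Engin and McAllister, Sean and Ludl, Christian},
  title     = {On the Effectiveness of Techniques to Detect Phishing Sites},
  booktitle = {Proceedings of the Conference on the Detection of Intrusions and Malware \& Vulnerability Assessment ({DIMVA})},
  year      = {2007},
  month     = jan,
  abstract  = {Phishing is an electronic online identity theft in which the attackers use a combination of social engineering and web site spoofing techniques to trick a user into revealing confidential information. This information is typically used to make an illegal economic profit (e.g., by online banking transactions, purchase of goods using stolen credentials, etc.). Although simple, phishing attacks are remarkably effective. As a result, the numbers of successful phishing attacks have been continuously increasing and many anti-phishing solutions have been proposed. One popular and widely-deployed solution is the integration of blacklist-based anti-phishing techniques into browsers. However, it is currently unclear how effective such blacklisting approaches are in mitigating phishing attacks in real-life. In this paper, we report our findings on analyzing the effectiveness of two popular anti-phishing solutions. Over a period of three weeks, we automatically tested the effectiveness of the blacklists maintained by Google and Microsoft with 10,000 phishing URLs. Furthermore, by analyzing a large number of phishing pages, we explored the existence of page properties that can be used to identify phishing pages.},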
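}

@inproceedings{Neubauer_ResearchAgendaAutonomous_2007,
  author    = {Goluch, Gernot and Neubauer, Thomas and Riedl, Bernhard},
  title     = {A Research Agenda for Autonomous Business Process Management},
  booktitle = {Proceedings of the Second International Conference on Availability, Reliability and Security ({ARES})},
  publisher = {IEEE Computer Society},
  year      = {2007},
  month     = jan,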
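}

@inproceedings{Neubauer_MultiobjectiveDecisionSupport_2007,
  author    = {Heurix, Johannes and Neubauer, Thomas},
  title     = {Multiobjective Decision Support for Defining Secure Business Processes},
  booktitle = {Proceedings of the Ninth International Conference on Information Integration and Web-based Applications Services},
  publisher = {OCG},
  year      = {2007},
  month     = jan,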
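}

@article{Neubauer_Pseudonymisierungzursicheren_2007,
  author  = {Neubauer, Thomas and Riedl, Bernhard and Mueck, Thomas},
  title   = {Pseudonymisierung zur sicheren {Umsetzung} des elektronischen {Gesundheitsakts}},
  journal = {OCG Journal},
  volume  = {4},
  year    = {2007},
  month   = jan,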
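}

@inproceedings{Neubauer_Entscheidungsunterstuetzungfuerdie_2007,
  author    = {Neubauer, Thomas and Stummer, Christian},
  title     = {Entscheidungsunterst{\"u}tzung f{\"u}r die {Auswahl} von {Softwarekomponenten} bei mehrfachen {Zielsetzungen}},
  booktitle = {Tagungsband Wirtschaftsinformatik},
  year      = {2007},
  month     = jan,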
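}

@inproceedings{Riedl_ComparativeLiteratureReview_2007,
  author    = {Weippl, Edgar R. and Goluch, Gernot and Riedl, Bernhard and Poechlinger, Stefan},
  title     = {Comparative Literature Review on {RFID} Security and Privacy},
  booktitle = {Proceedings of The 9th International Conference on Information Integration and Web-based Applications and Services ({iiWAS2007})},
  year      = {2007},
  month     = jan,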
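}

@inproceedings{Riedl_ApplyingThresholdScheme_2007,
  author    = {Neubauer, Thomas and Riedl, Bernhard and Grascher, Veronika},
  title     = {Applying a Threshold Scheme to the Pseudonymization of Health Data},
  booktitle = {Proceedings of the 13th {IEEE} Pacific Rim International Symposium on Dependable Computing ({PRDC}'07)},
  year      = {2007},
  month     = jan,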
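}

@inproceedings{Riedl_SecureAccessto_2007,
  author    = {Riedl, Bernhard and Jorns, Oliver},
  title     = {Secure Access to Emergency Data in an {e-Health} Architecture},
  booktitle = {Proceedings of The 9th International Conference on Information Integration and Web-based Applications and Services ({iiWAS2007})},
  year      = {2007},
  month     = jan,
  abstract  = {The introduction of the electronic health record (EHR) promises a decrease of costs as well as a better service quality for the patients. Nevertheless, with this planned life-long storage of sensitive data security issues arise, exemplarily privacy related-problems. Our approach PIPE (Pseudonymization of Information for Privacy in e-Health) guarantees appropriate security for personal data. Besides the anamnesis data, a special subset of medical data, emergency data exist, which has to be available just-in-time. Hence, complex authentication purposes occur. We provide a novel ad-hoc authentication mechanism for emergency data, which is based on the notion of pseudonyms.},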
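}

@patent{Riedl_Dataprocessingsystem_2007,
  author = {Neubauer, Thomas and Riedl, Bernhard and Boehm, Oswald},
  title  = {Data Processing System for Processing of Object Data},
  year   = {2007},
  month  = jan,
  note   = {PCT-Provisional-Application},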
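}

@patent{Riedl_Dataprocessingsystem_2007a,
  author = {Neubauer, Thomas and Riedl, Bernhard and Boehm, Oswald},
  title  = {Data Processing System for Processing of Object Data},
  year   = {2007},
  month  = jan,
  note   = {US-Provisional-Application},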
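}

% NOTE(review): the month field says January while the note text says September; confirm against the patent record.
@patent{Riedl_DatenverarbeitungssystemzurVerarbeitung_2007,
  author = {Neubauer, Thomas and Riedl, Bernhard and Boehm, Oswald},
  title  = {Datenverarbeitungssystem zur {Verarbeitung} von {Objektdaten}},
  year   = {2007},
  month  = jan,
  note   = {Austrian Patent, Nr. 503291, September},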
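}

@inproceedings{Riedl_securearchitecturepseudonymization_2007,
  author    = {Goluch, Gernot and Neubauer, Thomas and Riedl, Bernhard and Boehm, Oswald and Reinauer, Gert and Krumboeck, Alexander},
  title     = {A Secure Architecture for the Pseudonymization of Medical Data},
  booktitle = {Proceedings of the Second International Conference on Availability, Reliability and Security ({ARES})},
  pages     = {318--324},
  year      = {2007},
  month     = jan,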
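}

@inproceedings{Rozsnyai_ConceptsandModels_2007,
  author    = {Schatten, Alexander and Schiefer, Josef and Rozsnyai, Szabolcs},
  title     = {Concepts and Models for Typing Events for Event-Based Systems},
  booktitle = {Proceedings of the Inaugural International Conference on Distributed Event-Based Systems ({DEBS} 2007)},
  publisher = {ACM},
  year      = {2007},
  month     = jan,
  abstract  = {Event-based systems are increasingly gaining widespread attention for applications that require integration with loosely coupled and distributed systems for time-critical business solutions. In this paper, we show concepts and models for representing, structuring and typing events. We discuss existing event models in the field and introduce the event model of the event-based system SARI for illustrating various typing concepts. The typing concepts cover topics such as type inheritance and exheritance, dynamic type inferencing, attribute types, as well as the extendibility and addressability of events. We show how the typing concepts evolved and depend on the implemented event-based systems which use different approaches for the event processing such as graphical approaches, or approaches, that use Java code, SQL code, or ECA (event-condition-action) rules.},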
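}

@inproceedings{Schiefer_EventDrivenRulesSensing_2007,
  author    = {Schiefer, Josef and Rozsnyai, Szabolcs and Rauscher, Christian and Saurer, Gerd},
  title     = {Event-Driven Rules for Sensing and Responding to Business Situations},
  booktitle = {Proceedings of the Inaugural International Conference on Distributed Event-Based Systems ({DEBS} 2007)},
  publisher = {ACM},
  year      = {2007},
  month     = jan,
  abstract  = {Event-based systems have been developed and used to implement networked and adaptive business environments based on loosely coupled systems in order to respond faster to critical business events. In this paper, we introduce a rule management system which is able to sense and evaluate events in order to respond to changes in a business environment or customer needs. It enables users to graphically compose comprehensive event-triggered rules, which can be used to control the processing of services. For the definition of a rule set, users can independently define event conditions, event patterns and correlation-related information which can be combined for modeling complex business situations. We have fully implemented the proposed system with a service-oriented approach and illustrate our approach with an order management business case.},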
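}

@article{Weippl_DependabilityinEAssessment_2007,
  author    = {Weippl, Edgar R.},
  title     = {Dependability in E-Assessment},
  journal   = {International Journal on E-Learning},
  volume    = {6},
  number    = {2},
  publisher = {AACE},
  year      = {2007},
  month     = jan,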
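}

@article{Weippl_SecurityConsiderationsin_2007,
  author    = {Weippl, Edgar R.},
  title     = {Security Considerations in M-Learning: Threats and Countermeasures},
  journal   = {Advanced Technology for Learning},
  volume    = {4},
  number    = {2},
  pages     = {1--7},
  publisher = {Acta Press},
  year      = {2007},
  month     = jan,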
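}

@incollection{Weippl_EinsatzvonAuditsinWikisanStellevonZugriffskontrollenalssozioorganisatorischeSicherheitsmassnahme_2007,
  author    = {Weippl, Edgar R. and Riedl, Bernhard and Grascher, Veronika},
  title     = {Einsatz von {Audits} in {Wikis} an {Stelle} von {Zugriffskontrollen} als sozio-organisatorische {Sicherheitsmassnahme}},
  booktitle = {Wikis im {Social} {Web}},
  pages     = {190--198},
  publisher = {OCG Austrian Computer Society},
  year      = {2007},
  month     = jan,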
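}

@inproceedings{Neubauer_ExtendingBusinessProcess_2007,
  author    = {Neubauer, Thomas and Stummer, Christian},
  title     = {Extending Business Process Management to Determine Efficient {IT} Investments},
  booktitle = {Proceedings of the 2007 {ACM} Symposium on Applied Computing},
  year      = {2007},
  month     = jan,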
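}

@inproceedings{Klinkoff_Extending.NETSecurity_2006,
  author    = {Kruegel, Christopher and Kirda, Engin and Vigna, Giovanni and Klinkoff, Patrick},
  title     = {Extending {.NET} Security to Unmanaged Code},
  booktitle = {Proceedings of the 9th Information Security Conference ({ISC} 2006)},
  year      = {2006},
  month     = sep,
  abstract  = {The number of applications that are downloaded from the Internet and executed on-the-fly is increasing every day. Unfortunately, not all of these applications are benign, and, often, users are unsuspecting and unaware of the intentions of a program. To facilitate and secure this growing class of mobile code, Microsoft introduced the .NET framework, a new development and runtime environment where machine-independent byte-code is executed by a virtual machine. An important feature of this framework is that it allows access to native libraries to support legacy code or to directly invoke the Windows API. Such native code is called unmanaged (as opposed to managed code). Unfortunately, the execution of unmanaged native code is not restricted by the .NET security model, and, thus, provides the attacker with a mechanism to completely circumvent the framework's security mechanisms. The approach described in this paper uses a sandboxing mechanism to prevent an attacker from executing malicious, unmanaged code that is not permitted by the security policy. Our sandbox is implemented as two security layers, one on top of the Windows API and one in the kernel. Also, managed and unmanaged parts of an application are automatically separated and executed in two different processes. This ensures that potentially unsafe code can neither issue system calls not permitted by the .NET security policy nor tamper with the memory of the .NET runtime. Our proof-of-concept implementation is transparent to applications and secures unmanaged code with a generally acceptable performance penalty. To the best of our knowledge, the presented architecture and implementation is the first solution to secure unmanaged code in .NET.},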
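}

@article{Weippl_SarbanesOxleyActCompliance_2006,
  author    = {Weippl, Edgar R. and Strasser, Mathias},
  title     = {{Sarbanes-Oxley Act} Compliance: Strategies for Implementing an Audit Committee Complaints Procedure},
  journal   = {Information Systems Control Journal},
  volume    = {4},
  number    = {10},
  publisher = {ISACA},
  year      = {2006},
  month     = aug,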
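}

@inproceedings{Egele_UsingStaticProgram_2006,
  author    = {Kruegel, Christopher and Kirda, Engin and Egele, Manuel and Szydlowski, Martin},
  title     = {Using Static Program Analysis to Aid Intrusion Detection},
  booktitle = {Proceedings of Detection of Intrusions and Malware and Vulnerability Assessment},
  year      = {2006},
  month     = jul,
  abstract  = {The Internet, and in particular the world-wide web, have become part of the everyday life of millions of people. With the growth of the web, the demand for on-line services rapidly increased. Today, whole industry branches rely on the Internet to do business. Unfortunately, the success of the web has recently been overshadowed by frequent reports of security breaches. Attackers have discovered that poorly written web applications are the Achilles heel of many organizations. The reason is that these applications are directly available through firewalls and are often developed by programmers who focus on features and tight schedules instead of security. In previous work, we developed an anomaly-based intrusion detection system that uses learning techniques to identify attacks against web-based applications. That system focuses on the analysis of the request parameters in client queries, but does not take into account any information about the protected web applications themselves. The result are imprecise models that lead to more false positives and false negatives than necessary. In this paper, we describe a novel static source code analysis approach for PHP that allows us to incorporate information about a web application into the intrusion detection models. The goal is to obtain a more precise characterization of web request parameters by analyzing their usage by the program. This allows us to generate more precise intrusion detection models. In particular, our analysis allows us to determine the names of request parameters expected by a program and provides information about their types, structure, or even concrete value sets. Our experimental evaluation demonstrates that the information derived statically from web applications closely characterizes the parameter values observed in real-world traffic.},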
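}

@inproceedings{Bayer_TTAnalyzeToolAnalyzing_2006,
  author    = {Kruegel, Christopher and Kirda, Engin and Bayer, Ulrich},
  title     = {{TTAnalyze}: A Tool for Analyzing Malware},
  booktitle = {Proceedings of the 15th European Institute for Computer Antivirus Research ({EICAR} 2006) Annual Conference},
  year      = {2006},
  month     = apr,
  note      = {Best Paper Award},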
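}

@inproceedings{Zdun_Modeling_Composition_in_Dynami_2006,
  author    = {Strembeck, Mark and Zdun, Uwe},
  title     = {Modeling Composition in Dynamic Programming Environments with Model Transformations},
  booktitle = {5th International Symposium on Software Composition ({SC})},
  year      = {2006},
  month     = mar,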
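}

@article{Weippl_UseofTest_2006,
  author  = {Weippl, Edgar R.},
  title   = {On the Use of Test Centers in e-Assessment},
  journal = {eLearning Reports},
  volume  = {0},
  number  = {7},
  year    = {2006},
  month   = feb,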
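}

@inproceedings{Ekelhart_SecurityOntologySimulating_2006,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas},
  title     = {Security Ontology: Simulating Threats to Corporate Assets},
  booktitle = {Information Systems Security, Second International Conference, {ICISS} 2006},
  volume    = {4332},
  pages     = {249--259},
  publisher = {Springer Berlin Heidelberg},
  year      = {2006},
  month     = dec,
  isbn      = {978-3-540-68962-1},
  pdf       = {2006 - Ekelhart - Security Ontology Simulating Threats to Corporate Assets.pdf},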
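}

@inproceedings{Ekelhart_OntologybasedBusinessKnowledge_2006,
  author    = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas},
  title     = {Ontology-based Business Knowledge for Simulating Threats to Corporate Assets},
  booktitle = {Practical Aspects of Knowledge Management, 6th International Conference, {PAKM} 2006},
  volume    = {4333},
  pages     = {37--48},
  publisher = {Springer Berlin Heidelberg},
  year      = {2006},
  month     = dec,
  isbn      = {978-3-540-49998-5},
  pdf       = {2006 - Ekelhart - Ontology-based Business Knowledge for Simulating Threats to Corporate Assets.pdf},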
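}

@inproceedings{Fenz_OntologybasedITSecurityPlanning_2006,
  author    = {Fenz, Stefan and Weippl, Edgar R.},
  title     = {Ontology-based {IT-Security} Planning},
  booktitle = {Proceedings of the 12th Pacific Rim International Symposium on Dependable Computing, {PRDC2006}},
  pages     = {389--390},
  publisher = {IEEE Computer Society},
  year      = {2006},
  month     = dec,
  note      = {9353421},
  abstract  = {IT-security has become a much diversified field and small and medium sized enterprises (SMEs), in particular, do not have the financial ability to implement a holistic IT-security approach. We thus propose a security ontology, to provide a solid base for an applicable and holistic IT-security approach for SMEs, enabling low-cost risk management and threat analysis.},
  pdf       = {2006 - Fenz - Ontology-based IT Security Planning.pdf},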
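}

@inproceedings{Neubauer_WorkshopbasedMultiobjectiveSecurity_2006,
  author    = {Weippl, Edgar R. and Neubauer, Thomas and Stummer, Christian},
  title     = {Workshop-based Multiobjective Security Safeguard Selection},
  booktitle = {Proceedings of the First International Conference on Availability, Reliability and Security ({ARES})},
  pages     = {366--373},
  publisher = {IEEE Computer Society},
  year      = {2006},
  month     = jan,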
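}

@article{Bayer_DynamicAnalysisof_2006,
  author    = {Kruegel, Christopher and Kirda, Engin and Bayer, Ulrich and Moser, Andreas},
  title     = {Dynamic Analysis of Malicious Code},
  journal   = {Journal in Computer Virology},
  publisher = {Springer Computer Science},
  year      = {2006},
  month     = jan,
  abstract  = {Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.},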
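}

@inproceedings{Goluch_NichtabstreitbarkeitundAudits_2006,
  author    = {Weippl, Edgar R. and Goluch, Gernot},
  title     = {Nichtabstreitbarkeit und {Audits} in {ELearning}},
  booktitle = {{IRIS} 2006},
  year      = {2006},
  month     = jan,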
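}

@inproceedings{Neubauer_DigitalSignatureswith_2006,
  author    = {Weippl, Edgar R. and Biffl, Stefan and Neubauer, Thomas},
  title     = {Digital Signatures with Familiar Appearance for e-Government Documents: Authentic {PDF}},
  booktitle = {Proceedings of the International Conference on Availability, Reliability and Security ({ARES}'06)},
  pages     = {723--731},
  year      = {2006},
  month     = jan,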
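}

@inproceedings{Neubauer_DigitalePDFSignaturenmit_2006,
  author    = {Weippl, Edgar R. and Neubauer, Thomas and Hollosi, Arno},
  title     = {Digitale {PDF-Signaturen} mit der {B{\"u}rgerkarte}},
  booktitle = {Proceedings of {D-A-CH} Security 2006},
  year      = {2006},
  month     = jan,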
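}

@inproceedings{Weippl_AddressingWeakestLink_2006,
  author    = {Weippl, Edgar R.},
  title     = {Addressing the Weakest Link: How to Improve Teaching of {IT} Security},
  booktitle = {Proceedings of {ED-MEDIA} 2006},
  year      = {2006},
  month     = jan,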
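}

@incollection{Weippl_Chapter3SecurityandTrustinMobileMultimedia_2006,
  author    = {Weippl, Edgar R.},
  title     = {Security and Trust in Mobile Multimedia},
  booktitle = {Handbook of Research on Mobile Multimedia},
  chapter   = {3},
  pages     = {22--37},
  publisher = {Idea Group},
  year      = {2006},
  month     = jan,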
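}

% NOTE(review): the DOI is copied from the URL that was stored in the note field; it looks short for this publisher, so verify that it resolves.
@article{Weippl_SecurityAspectsof_2006,
  author    = {Tjoa, A Min and Weippl, Edgar R. and Holzinger, Andreas},
  title     = {Security Aspects of Ubiquitous Computing in Health Care},
  journal   = {e\&i},
  volume    = {2006},
  number    = {4},
  pages     = {156--161},
  publisher = {Springer Verlag},
  year      = {2006},
  month     = jan,
  doi       = {10.1007/s00502-006-0336},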
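}

@incollection{Weippl_ImplementingITSecurityforSmallandMediumSizedEnterprises_2006,
  author    = {Weippl, Edgar R. and Klemen, Markus},
  title     = {Implementing {IT} Security for Small and Medium-Sized Enterprises},
  booktitle = {Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues},
  publisher = {Idea Group},
  year      = {2006},
  month     = jan,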
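}

@incollection{Weippl_SecuringMobileCommunicationRADIUSinaWindowsEnvironment_2006,
  author    = {Weippl, Edgar R. and Wahbeh, Jamil},
  title     = {Securing Mobile Communication: {RADIUS} in a {Windows} Environment},
  booktitle = {Mobile Multimedia: Communication Engineering Perspective},
  pages     = {101--116},
  publisher = {Nova Science Publishers},
  year      = {2006},
  month     = jan,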
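}

% NOTE(review): this abstract is word-for-word the one stored for Biffl_EmpiricalinvestigationVisualization_2005 and describes PERT charts and PlanningLines rather than pair programming; the booktitle is identical too although the years differ. Presumably a copy-paste slip in the source database; confirm against the paper.
@inproceedings{Winkler_EmpiricalStudyIntegrating_2006,
  author    = {Biffl, Stefan and Goluch, Gernot and Winkler, Dietmar and Varvaroi, Ramona},
  title     = {An Empirical Study On Integrating Analytical Quality Assurance Into Pair Programming},
  booktitle = {Proceedings of 5th {ACM-IEEE} International Symposium on Empirical Software Engineering},
  year      = {2006},
  month     = jan,
  abstract  = {The success of software projects depends on the ability of a human planner to understand the relationships of tasks and their temporal uncertainty and hence the visualization thereof. In this paper we report on an empirical study that compares the performance of two techniques to visualize task relationships and temporal uncertainties: traditional ``best-practice'' PERT charts and recently introduced PlanningLines. Main results of the study are: (a) while PERT charts are well suited for reading single attributes, PlanningLines better support users in judging temporal task uncertainty; (b) both experiment rounds shows consistent results regarding the strengths and limitations of the techniques. Overall, these results suggest that a combination of PERT charts and PlanningLines has the potential to significantly improve the planning support of project managers and software engineers.},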
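}

@inproceedings{Neubauer_SecureBusinessProcess_2006,
  author    = {Klemen, Markus and Biffl, Stefan and Neubauer, Thomas},
  title     = {Secure Business Process Management: A Roadmap},
  booktitle = {Proceedings of the First International Conference on Availability, Reliability and Security ({ARES})},
  pages     = {457--464},
  publisher = {IEEE Computer Society},
  year      = {2006},
  month     = jan,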
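}

@inproceedings{Weippl_SemanticStorageReport_2005,
  author    = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Goluch, Gernot and Linnert, Manfred},
  title     = {Semantic Storage: A Report on Performance and Flexibility},
  booktitle = {Database and Expert Systems Applications, 16th International Conference, {DEXA} 2005},
  volume    = {3588},
  pages     = {586--595},
  publisher = {Springer Berlin Heidelberg},
  year      = {2005},
  month     = aug,
  abstract  = {Desktop search tools are becoming more popular. They have to deal with increasing amounts of locally stored data. Another approach is to analyze the semantic relationship between collected data in order to preprocess the data semantically. The goal is to allow searches based on relationships between various objects instead of focusing on the name of objects. We introduce a database architecture based on an existing software prototype, which is capable of meeting the various demands for a semantic information manager. We describe the use of an association table which stores the relationships between events. It enables adding or removing data items easily without the need for schema modifications. Existing optimization techniques of RDBMS can still be used.},
  pdf       = {2005 - Weippl - Semantic Storage A Report on Performance and Flexibility:2005 - Weippl - Semantic Storage A Report on Performance and Flexibility.pdf},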
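}

@inproceedings{Kalinyaprak_ELearningwithoutText_2005,
  author    = {Weippl, Edgar R. and Futschek, Gerald and Kalinyaprak, Hakan and Blaha, Georg},
  title     = {E-Learning without Text and Language: A Language-Free Learning Model},
  booktitle = {Proceedings of {EDMEDIA} 2005},
  year      = {2005},
  month     = jun,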
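}

@inproceedings{Biffl_EmpiricalinvestigationVisualization_2005,
  author    = {Biffl, Stefan and Goluch, Gernot and Miksch, Silvia and Thurnher, Bettina and Winkler, Dietmar and Aigner, Wolfgang},
  title     = {An Empirical Investigation on the Visualization of Temporal Uncertainties in Software Engineering Project Planning},
  booktitle = {Proceedings of 5th {ACM-IEEE} International Symposium on Empirical Software Engineering},
  year      = {2005},
  month     = jan,
  abstract  = {The success of software projects depends on the ability of a human planner to understand the relationships of tasks and their temporal uncertainty and hence the visualization thereof. In this paper we report on an empirical study that compares the performance of two techniques to visualize task relationships and temporal uncertainties: traditional ``best-practice'' PERT charts and recently introduced PlanningLines. Main results of the study are: (a) while PERT charts are well suited for reading single attributes, PlanningLines better support users in judging temporal task uncertainty; (b) both experiment rounds shows consistent results regarding the strengths and limitations of the techniques. Overall, these results suggest that a combination of PERT charts and PlanningLines has the potential to significantly improve the planning support of project managers and software engineers.},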
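}

@article{Neubauer_GeschaftsprozessmanagementEineempirische_2005,
  author  = {Biffl, Stefan and Neubauer, Thomas},
  title   = {Gesch{\"a}ftsprozessmanagement -- {Eine} empirische {Studie} zum {Status} quo in {{\"O}sterreich}, der {Schweiz} und {Deutschland}},
  journal = {OCG Journal},
  volume  = {5},
  year    = {2005},
  month   = jan,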
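}

@inproceedings{Neubauer_BusinessProcessbasedValuation_2005,
  author    = {Klemen, Markus and Biffl, Stefan and Neubauer, Thomas},
  title     = {Business Process-based Valuation of {IT-Security}},
  booktitle = {International {ACM} Conference on Software Engineering, Proceedings of the seventh international workshop on economics-driven software engineering research ({EDSER}'05)},
  year      = {2005},
  month     = jan,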
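}

@article{Nguyen_TowardGridBasedZeroLatency_2005,
  author    = {Tjoa, A Min and Weippl, Edgar R. and Nguyen, Tho Manh and Brezany, Peter},
  title     = {Toward a Grid-Based Zero-Latency Data Warehousing Implementation for Continuous Data Streams Processing},
  journal   = {International Journal of Data Warehousing and Mining},
  volume    = {1},
  number    = {4},
  pages     = {22--55},
  publisher = {Idea Group},
  year      = {2005},
  month     = jan,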
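}

@inproceedings{Weippl_PrivacyinElearning_2005a,
  author    = {Tjoa, A Min and Weippl, Edgar R.},
  title     = {Privacy in E-learning: How to Implement Anonymity},
  booktitle = {Proceedings of the 3rd {ACS}/{IEEE} International Conference on Computer Systems and Applications ({AICCSA-05}), Workshop on E-Learning Online Communities ({eLOC})},
  year      = {2005},
  month     = jan,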
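}

@inproceedings{Weippl_DependabilityinEAssessment_2005,
  author    = {Weippl, Edgar R.},
  title     = {Dependability in E-Assessment},
  booktitle = {Proceedings of {ED-MEDIA} 2005},
  year      = {2005},
  month     = jan,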
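}

@article{Weippl_SecurityinELearning_2005,
  author  = {Weippl, Edgar R.},
  title   = {Security in E-Learning},
  journal = {ACM ELearn Magazine},
  year    = {2005},
  month   = jan,
  url     = {http://www.elearnmag.org/subpage.cfm?section=tutorials&article=19-1},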
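}

@incollection{Weippl_SecurityinELearning_2005a,
  author    = {Weippl, Edgar R.},
  title     = {Security in E-Learning},
  booktitle = {The Handbook of Information Security},
  publisher = {John Wiley \& Sons},
  year      = {2005},
  month     = jan,
  isbn      = {0-471-64833-7},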
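}

@incollection{Weippl_ComputerSecurityintheContextofELearning_2005,
  author    = {Weippl, Edgar R.},
  title     = {Computer Security in the Context of E-Learning},
  booktitle = {Encyclopedia of E-Commerce, E-Government and Mobile Commerce},
  pages     = {135--140},
  publisher = {Idea Group, Publish},
  year      = {2005},
  month     = jan,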
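}

@inproceedings{Weippl_NonRepudiationandAudits_2005,
  author    = {Weippl, Edgar R.},
  title     = {Non-Repudiation and Audits in E-Learning},
  booktitle = {Proceedings of {E-Learn} 2005},
  pages     = {1785--1790},
  year      = {2005},
  month     = jan,
  note      = {Invited paper},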
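}

@book{Weippl_SecurityinELearning_2005b,
  author    = {Weippl, Edgar R.},
  title     = {Security in E-Learning},
  publisher = {Springer NY},
  year      = {2005},
  month     = jan,
  isbn      = {0-387-24341-0},
  url       = {http://www.e-learning-security.org},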
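}

@article{Weippl_UseofTest_2005,
  author  = {Weippl, Edgar R.},
  title   = {On the Use of Test Centers in E-Assessment},
  journal = {elearningreports.com},
  year    = {2005},
  month   = jan,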
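}
% Journal article on anonymity, pseudonyms and authenticated use in e-learning.
% NOTE(review): volume equals the publication year, which looks like a data-entry slip; confirm the real volume.
% NOTE(review): nearly every neighbouring record carries the same month, so it may be an export default; confirm.
@article{Weippl_PrivacyinELearning_2005,
  author    = {Tjoa, A Min and Weippl, Edgar R.},
  title     = {Privacy in E-Learning: Anonymity, Pseudonyms and Authenticated Usage},
  journal   = {Interactive Technology and Smart Education (ITSE)},
  volume    = {2005},
  number    = {2},
  pages     = {247--256},
  publisher = {Troubador Publishing Ltd.},
  year      = {2005},
  month     = jan,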
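}
% Journal article on security for mobile multimedia; the ISSN has its own field.
% NOTE(review): nearly every neighbouring record carries the same month, so it may be an export default; confirm.
@article{weippl_ag,
  author  = {Weippl, Edgar R.},
  title   = {Security in Mobile Multimedia},
  journal = {Journal of Communication Engineering},
  volume  = {1},
  number  = {1},
  pages   = {59--69},
  year    = {2004},
  month   = jan,
  issn    = {1693-5152},
  pdf     = {Papers/Weippl/ag_2004_weippl.pdf},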
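}
% Journal article surveying role-based access control as a generic security mechanism.
% NOTE(review): nearly every neighbouring record carries the same month, so it may be an export default; confirm.
@article{weippl_ae,
  author    = {Weippl, Edgar R. and Essmayr, Wolfgang and Probst, Stefan},
  title     = {Role-Based Access Controls: Status, Dissemination, and Prospects for Generic Security Mechanisms},
  journal   = {International Journal of Electronic Commerce Research},
  volume    = {4},
  number    = {1},
  pages     = {127--156},
  publisher = {Kluwer},
  year      = {2004},
  month     = jan,
  pdf       = {Papers/Weippl/ae_2002_essmayr.pdf},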
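}
% Workshop paper; capitalised words are protected as whole words so sentence-casing styles keep them.
% NOTE(review): nearly every neighbouring record carries the same month, so it may be an export default; confirm.
@inproceedings{Neubauer_ValueBasedDecisionSupport_2004,
  author    = {Neubauer, Thomas},
  title     = {{Value-Based} {Decision} {Support} in {Software} {Engineering}},
  booktitle = {Proceedings of the Alpine {Software} {Engineering} {Workshop} 2004},
  year      = {2004},
  month     = jan,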
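}
% Journal article on multilevel security for personal trusted devices.
% The publisher name is held in its own field instead of being appended to the journal title.
% NOTE(review): nearly every neighbouring record carries the same month, so it may be an export default; confirm.
@article{weippl_aa,
  author    = {Weippl, Edgar R. and Essmayr, Wolfgang},
  title     = {Personal Trusted Devices for web services: Revisiting Multilevel Security},
  journal   = {Mobile Networks and Applications},
  volume    = {8},
  number    = {2},
  pages     = {151--157},
  publisher = {Kluwer},
  year      = {2003},
  month     = jan,
  pdf       = {Papers/Weippl/aa_weippl_monet_121.pdf},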
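}
% Journal article on securing federated information bases with agent technology.
% The publisher name is held in its own field instead of being appended to the journal title.
% NOTE(review): nearly every neighbouring record carries the same month, so it may be an export default; confirm.
@article{weippl_af,
  author    = {Weippl, Edgar R. and Essmayr, Wolfgang and Klug, Ludwig},
  title     = {A New Approach to Secure Federated Information Bases using Agent Technology},
  journal   = {Journal of Database Management},
  volume    = {14},
  number    = {1},
  pages     = {48--68},
  publisher = {Kluwer},
  year      = {2003},
  month     = jan,
  pdf       = {Papers/Weippl/af_2002_JDM.pdf},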
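}
% Journal preface arguing that security enables the move from e-commerce to m-commerce.
% The link lives in the url field, so a url-aware style is needed to print it.
% NOTE(review): nearly every neighbouring record carries the same month, so it may be an export default; confirm.
@article{weippl_ga,
  author  = {Weippl, Edgar R.},
  title   = {The Transition from E-commerce to M-commerce: Why Security should be the enabling technology},
  journal = {Journal of Information Technology Theory and Application (JITTA)},
  volume  = {3},
  number  = {4},
  pages   = {17--19},
  year    = {2001},
  month   = jan,
  url     = {http://peffers.net/journal/volume3_4/ecpreface.pdf},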
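}
% Conference paper (DEXA 2000) on fine-grained replication in distributed databases.
% Series and publisher are separate fields; presumably LNCS is Springer's Lecture Notes in Computer Science.
% NOTE(review): no series volume or page range is on record; add them if known.
@inproceedings{weippl_bk,
  author    = {Weippl, Edgar R. and Essmayr, Wolfgang},
  title     = {Fine Grained Replication in Distributed Databases: A Taxonomy and Practical Considerations},
  booktitle = {Proceedings of the 11th International Conference on Database and Expert Systems Applications (DEXA)},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  year      = {2000},
  month     = sep,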
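}
% Conference paper on identity mapping for enterprise security management policies.
@inproceedings{weippl_bl,
  author    = {Weippl, Edgar R. and Essmayr, Wolfgang},
  title     = {Identity Mapping: An Approach to Unravel Enterprise Security Management Policies},
  booktitle = {Proceedings of the 16th IFIP World Computer Congress},
  publisher = {Kluwer},
  year      = {2000},
  month     = aug,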
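}
% Conference paper; acronyms in the title are protected so sentence-casing styles keep them upper-case.
% The note records a 2001 reprint in an edited IOS Press volume.
@inproceedings{weippl_bm,
  author    = {Weippl, Edgar R. and Lohninger, Hans},
  title     = {Knowledge Landscapes: A {VR} Interface for {CBT} Knowledge Bases},
  booktitle = {10th European-Japanese Conference on Information Modeling and Knowledge Bases},
  year      = {2000},
  month     = may,
  note      = {Reprinted in Kangassalo H., Jaakkola H., Kawaguchi E. (eds), Information Modelling and Knowledge Bases XII, 271--274, ISBN 1-58603-1635. IOS Press, Amsterdam, 2001.},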
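}
% Conference paper (EDICT) on user-interface improvements for computer-based training courses.
% The CBT acronym is protected so sentence-casing styles keep it upper-case.
@inproceedings{weippl_bj,
  author    = {Weippl, Edgar R. and Lohninger, Hans},
  title     = {Teach Me: Leveraging {CBT}-Course Efficiency Using Improved User Interfaces},
  booktitle = {Proceedings of the International Conference on Information and Communication Technologies for Education (EDICT)},
  pages     = {355--362},
  year      = {2000},
  month     = dec,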
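}
% Conference paper evaluating CBT software use in schools and universities.
% The CBT acronym is protected so sentence-casing styles keep it upper-case.
@inproceedings{weippl_bo,
  author    = {Weippl, Edgar R. and Lohninger, Hans},
  title     = {Evaluating {CBT} Software Usage in Schools and Universities},
  booktitle = {Proceedings of the 19th IDCE World Conference On Open Learning And Distance Education},
  year      = {1999},
  month     = jun,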
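}
% Conference paper on information-visualization requirements for CBT; the ISBN has its own field.
% The CBT acronym is protected so sentence-casing styles keep it upper-case.
@inproceedings{weippl_bp,
  author    = {Weippl, Edgar R. and Lohninger, Hans},
  title     = {Special Requirements for Information Visualization in {CBT}},
  booktitle = {Proceedings of Edu Compugraphics 97},
  pages     = {133--139},
  year      = {1997},
  month     = dec,
  isbn      = {972-8342-02-0},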
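}
% Unpublished manuscript surveying model-driven architecture and model-driven security.
% NOTE(review): no real venue or date is recorded; the upstream record held only placeholders
% (booktitle NA, month NA, year 1900), which are omitted so they are not printed as facts.
% The citation key suggests 2010; confirm and add year and venue once the paper is published.
@unpublished{Kaugers_Recent_developments_in_model_d_2010,
  author   = {Weippl, Edgar R. and Kaugers, Viesturs},
  title    = {Recent developments in model-driven architecture and security},
  note     = {Unpublished yet},
  abstract = {Security is definitely one of the most important aspects in business information systems. This aspect is strongly related to costs, risks and reputation of organization. Currently innovative way to develop software is offered by model-driven architecture. This architecture uses models and transformations to generate executable code. Along with model-driven architecture there is one more approach based on mentioned methodology for developing secure systems. its called model-driven security. It uses the same principles as model-driven security but also introduces new ones like special languages for modeling security requirements, frameworks for building secure systems and means to define security policies. This paper describes current situation, presents overview of topical and perspective model-driven architecture and security developments and gives conclusions on the subject.},
}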