SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.


Verification, Validation, and Evaluation in Information Security Risk Management

Our article “Verification, Validation, and Evaluation in Information Security Risk Management” (Authors: Stefan Fenz and Andreas Ekelhart) got accepted at IEEE Security & Privacy. Check out the preprint at the IEEE Digital Library.

Over the last four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. While restrictions, such as the impossibility of measuring exact values for probabilities and follow-up costs, obviously exist, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. Individual approaches exist, but so far there is no systematic overview of the available methods. In this article we survey verification, validation and evaluation methods referenced in ISRM literature and discuss in which ISRM phases the methods should be applied. The selection of appropriate methods is demonstrated with a potential real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation and evaluation and can serve as a reference for researchers and users of ISRM approaches who aim to establish trust in their results.

Markus Huber at CMU

Markus Huber will work this summer on his research in Social Networking Privacy and Security at Carnegie Mellon University with Alessandro Acquisti.

Technical report: Friend-In-The-Middle (FITM) Attacks

Abstract. In the ongoing arms race between spammers and the multi-million dollar anti-spam industry, the number of unsolicited e-mail messages (better known as “spam”) and phishing has increased heavily in the last decade. In this paper, we show that our novel friend-in-the-middle attack on social networking sites (SNSs) can be used to harvest social data in an automated fashion. This social data can then be exploited for large-scale attacks such as context-aware spam and social-phishing. We prove the feasibility of our attack exemplarily on Facebook and identify possible consequences based on a mathematical model and simulations. Alarmingly, all major SNSs are vulnerable to our attack as they fail to secure the network layer appropriately.


“INFORM” awarded 2nd place

The SBA FIT-IT proposal “INFORM” (Internet Forensic Framework) has been awarded 2nd place among all proposals submitted for “Trust in IT-Systems” in 2009.

The goal of “INFORM” is to study current challenges in computer forensics and to produce tools that enrich the toolset of a forensic analyst. In the traditional approach, the suspect’s hard drives are seized and analysed for traces of malicious activities. With the widespread availability of hard drive encryption tools, online file storage systems and bootable Linux distributions that leave no traces on the hard drive, new tools and procedures are needed to support the evidence collection process. Social networks and anonymization networks pose further challenges for online forensics that will be addressed by “INFORM”.

The news report on futurezone and derstandard.

Social Engineering Bot and Porn Sites

Our researchers at ISecLab have recently released some nice papers that are quoted on slashdot (see 1 and 2). More news reports on PCWorld, BBC and darkreading.

IMPACT 2010: May 6

We celebrate the new grant COMET-K1 (more…)

“Digital Genome” Safeguards Dying Data Formats

quoted from ACM Queue: “European researchers have deposited a “digital genome” time capsule inside a data storage facility known as the Swiss Fort Knox, which contains a blueprint that future generations can use to read data stored using obsolete technology. The capsule is the result of the four-year Planets project, which was launched to preserve the world’s digital assets as technology changes. “The time capsule being deposited inside Swiss Fort Knox contains the digital equivalent of the genetic code of different data formats,” says British Library archivist Adam Farquhar. Planets project researchers note that the European Union alone loses at least three billion euros worth of digital information every year. “Unlike hieroglyphics carved in stone or ink on parchment, digital data has a shelf life of years, not millennia,” says University of Technology of Vienna professor Andreas Rauber. The project aims to preserve data DNA, the information and tools to access and read historical digital material and prevent digital memory loss into the next century. “If we can nail the next 100 years, we figure we will be able to nail the next 100 years as well,” Farquhar says.

(more…) (Andreas Rauber @ SBA)

Guest talks and visiting researchers from the University of Deusto.

Pablo García Bringas and Igor Santos Grueiro visited SBA Research and we plan to collaborate in the area of privacy and forensics in social networks.

New Key Researcher: Prof. Stefanie Rinderle-Ma

We are happy to have a new key researcher who focuses on workflow systems and security: Prof. Stefanie Rinderle-Ma (at the University of Vienna)

ARES 2010 Keynotes online

This year’s ARES conference was a great success. We really enjoyed our two keynotes; the videos of Gene Spafford and Ross Anderson are now online! (more on keynotes…)

May 6, 2010: Impact 2010

Our annual event for partners, researchers and everyone who is interested in the research of our center (more…)

Best Paper Award: Context Oriented Analysis of Web 2.0 Social Network Contents

ACIIDS 2010: Context Oriented Analysis of Web 2.0 Social Network Contents (Amin Anjomshoaa, Vo Sao Khue, A Min Tjoa, Edgar Weippl, Michael Hollauf)

ADV Forum IT-Management: Statistical Security Analysis of SecLookOn

April 13, 2010: Passwords were yesterday – SecLookOn is today! Statistical Security Analysis of SecLookOn

Forensic Workshop: Memory analysis with Andreas Schuster

Andreas Schuster will present a special forensics workshop regarding memory analysis. The workshop will take place on April 22/23, 2010 and will focus on:

  • Intel x86 hardware platform
  • Random Access Memory (RAM)
  • Techniques of addressing
  • Forensic backup of the RAM, methods and tools
  • Windows memory management
  • Objects of the system kernel
  • Applied techniques for analysis
  • Use of the Microsoft debugger and the Volatility framework
  • Exercises on memory dumps

The course will be held in German.

ADV Seminar: April 20, 2010: SaaS (ASP) – “IT from the power socket”

ADV Seminar: April 8, 2010: Virtualization: Storage and Applications

Guest Talk Prof. Müller: Does the Current Security Research only Solve Known Problems?

So far, security has meant access control. Statistics show that this paradigm is becoming less and less sufficient, which puts applications of cloud computing and service orientation at risk. One wants not only to have access, but also the assurance that agreements will be fulfilled at all times. This so-called “usage control” is understood as the familiar notion of reliability, complemented by security and the correctness of the services. Through unavoidable interference, vulnerabilities allow information to be derived that would only be obtainable through impermissible information flows. The lecture presents the current starting point and security situation based on statistics about security breaches. It is precisely the shortcomings of security research that have led to vulnerabilities which today are summarized under the term “compliance” and can only be combated with great effort. These are security problems in processes. The DFG (German Research Foundation) has therefore established a priority program entitled “Reliably Secure Systems”, for which the lecturer is co-responsible. The aim is to extend the security question beyond access control to include reliability. The practical and technical challenges involved are the focus of this presentation.

ACM SAC 2010

Today, Stefan Fenz presents the paper “Ontology-based Generation of IT-Security Metrics” at the 25th ACM Symposium on Applied Computing.

Security Ontology online

Click here to browse and edit the security ontology online.

ADV visits SBA Research on the topic “Cloud & Virtualization Security”

Mar 2, 2010 @SBA:

17:30 – 17:50, SBA: “Cloud tools” and their effects on security requirements
17:50 – 18:25, SBA partner Security Research: Security and virtualization
18:25 – 19:00, SBA partner factline: The importance of reliability and security for collaboration via web platforms

Guest talk by Grant Osborne

The ‘Explore, Investigate and Correlate’ (EIC) Conceptual Framework for Digital Forensics Information Visualisation
by Grant Osborne, University of Adelaide, South Australia

Martin Mulazzani at Purdue

From March to May and from August to December 2010 Martin Mulazzani will work on his research in Privacy and Forensics at Purdue University in Elisa Bertino’s group.

Mar 29, 2010, Guest lecture (Prof. Günter Müller): Does current security research only solve the known problems?


Title: Does current security research only solve the known problems?


So far, security has meant access control. Statistics show that this paradigm is becoming less and less sufficient, and that applications of cloud computing and service orientation are therefore at risk. One wants not only to have access, but also the assurance that agreements will be fulfilled at all times. This so-called usage control is really the familiar notion of reliability, understood as security complemented by the correctness of the services. Through unavoidable interference, vulnerabilities allow information to be derived that would only be obtainable through impermissible information flows.

The lecture presents the current starting point and security situation based on statistics about security breaches. It is precisely the shortcomings of security research that have led to vulnerabilities which today are summarized under the term “compliance” and can only be combated with great effort. These are security problems in processes. The DFG (German Research Foundation) has therefore established a priority program entitled “Reliably Secure Systems”, for which the lecturer is co-responsible. The aim is to extend the security question beyond access control to include reliability. The practical and technical challenges involved are the focus of the lecture.

Guest lecture by Prof. Rinderle-Ma

Guest lecture by Prof. Rinderle-Ma on “Evolution of organizational structures and their effects in process-oriented information systems” (Feb 2, 10 am, SBA)

KIRAS Project: Forensics

SBA Research received a research grant to develop guidelines for forensic analysis of Web 2.0 technologies.
