Corporate security solutions for BYOD: A novel user-centric and self-adaptive system

Survey on BYOD solutions (state of the art).Background in corporate security.Novel user-centric self-adaptive system.Open-source, multiplatform system.Architecture description.Self-adaptation.Applications of Data Mining in this scope.Applications of Machine Learning in this scope.Applications of Evolutionary Algorithms in this scope.Beyond the state of the art.With respect to existing tools.With respect to the scientific part. Companies and particularly their Chief Security Officers (CSOs) want to ensure that their Security Policies are followed, but this becomes a difficult goal to achieve at the point employees are able to use, or bring, their personal devices at work, in a practice that has been named "Bring Your Own Device" (BYOD). Since this BYOD philosophy is being adopted by many companies everyday, a number of solutions have appeared in the market so that it can be implemented in a secure way and comply with the Security Policies mentioned above. In this paper we propose a taxonomy to classify the features of BYOD systems. This taxonomy is used to present an overview of BYOD security solutions.Also, we describe a novel, adaptive and free software system named MUSES (Multi-platform Usable Endpoint Security), able to securely manage BYOD environments. MUSES has been developed to cope with security issues with regard to enterprise security policies, but as a user-centric tool. It considers users' behavior in order to adapt, improve, and even increase the defined set of security rules. To do this, the system applies Machine Learning and Computational Intelligence techniques, being also able to predict future security incidences produced by these users. The MUSES framework, which has released its first prototype in early 2015, is compared with the most relevant solutions offered by other companies to deal with the same issues, remarking the advantages that our system offers with respect to them.

[1]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[2]  Rolf Oppliger Security and Privacy in an Online World , 2011, Computer.

[3]  P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[4]  Hormazd Romer,et al.  Best practices for BYOD security , 2014 .

[5]  Albert L. Harris,et al.  The impact of information richness on information security awareness training effectiveness , 2009, Comput. Educ..

[6]  Arunkumar Gangula,et al.  Survey on Mobile Computing Security , 2013, 2013 European Modelling Symposium.

[7]  Hiroshi Motoda,et al.  Feature Extraction, Construction and Selection: A Data Mining Perspective , 1998 .

[8]  Agusti Solanas,et al.  Advances in Artificial Intelligence for Privacy Protection and Security , 2009 .

[9]  J. MacQueen Some methods for classification and analysis of multivariate observations , 1967 .

[10]  Anil K. Jain,et al.  Data clustering: a review , 1999, CSUR.

[11]  Juan Julián Merelo Guervós,et al.  Going a Step Beyond the Black and White Lists for URL Accesses in the Enterprise by Means of Categorical Classifiers , 2014, IJCCI.

[12]  Marius Kloft,et al.  Automatic feature selection for anomaly detection , 2008, AISec '08.

[13]  Lorrie Faith Cranor,et al.  Security and Usability: Designing Secure Systems that People Can Use , 2005 .

[14]  Jocelyn Armarego,et al.  BRING YOUR OWN DEVICE ORGANISATIONAL INFORMATION SECURITY AND PRIVACY , 2015 .

[15]  Bruce Ratner,et al.  Statistical and Machine-Learning Data Mining: Techniques for Better Predictive Modeling and Analysis of Big Data , 2011 .

[16]  Nathalie Japkowicz,et al.  The class imbalance problem: A systematic study , 2002, Intell. Data Anal..

[17]  Jean-Marc Seigneur,et al.  MUSES D7.2 - Policy recommendations for the existing legal framework , 2014 .

[18]  Toomas Kirt,et al.  OPTIMIZING IT SECURITY COSTS BY EVOLUTIONARY ALGORITHMS , 2010 .

[19]  William J. Kettinger,et al.  A New Open Door: The Smartphone's Impact on Work-to-Life Conflict, Stress, and Resistance , 2012, Int. J. Electron. Commer..

[20]  John A. Clark,et al.  MLS security policy evolution with genetic programming , 2008, GECCO '08.

[21]  Martín Abadi,et al.  Early security classification of skype users via machine learning , 2013, AISec.

[22]  Su Chang,et al.  P2P botnet detection using behavior clustering & statistical tests , 2009, AISec '09.

[23]  Omar F. El-Gayar,et al.  Security Policy Compliance: User Acceptance Perspective , 2012, 2012 45th Hawaii International Conference on System Sciences.

[24]  Radford M. Neal Pattern Recognition and Machine Learning , 2007, Technometrics.

[25]  Robert K. Cunningham,et al.  Evaluating and Strengthening Enterprise Network Security Using Attack Graphs , 2005 .

[26]  Rolf H. Weber,et al.  Internet of Things - Legal Perspectives , 2010 .

[27]  Ying Wah Teh,et al.  Big Data Clustering: A Review , 2014, ICCSA.

[28]  Jiawei Han,et al.  Frequent pattern mining: current status and future directions , 2007, Data Mining and Knowledge Discovery.

[29]  Ken Sharman,et al.  A Genetic Programming Approach for Bankruptcy Prediction Using a Highly Unbalanced Database , 2007, EvoWorkshops.

[30]  Santosh Kumar,et al.  Genetic Algorithms in Intrusion Detection Systems: A Survey , 2014 .

[31]  Rawaa Dawoud Al-Dabbagh,et al.  Genetic Algorithm Approach for Risk Reduction of Information Security , 2012 .

[32]  Juan Julián Merelo Guervós,et al.  MUSES: a corporate user-centric system which applies computational intelligence methods , 2014, SAC.

[33]  Wei Lu,et al.  Detecting New Forms of Network Intrusion Using Genetic Programming , 2004, Comput. Intell..

[34]  V. Samaras A BYOD Enterprise Security Architecture for accessing SaaS cloud services , 2013 .

[35]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[36]  Juan Julián Merelo Guervós,et al.  Enforcing corporate security policies via computational intelligence techniques , 2014, GECCO.

[37]  Stefan Kraxberger,et al.  Android Security Permissions - Can We Trust Them? , 2011, MobiSec.

[38]  Jeffrey M. Voas,et al.  BYOD: Security and Privacy Considerations , 2012, IT Professional.

[39]  Álvaro Herrero,et al.  Computational Intelligence in Security for Information Systems - CISIS'09, 2nd International Workshop, Burgos, Spain, 23-26 September 2009 Proceedings , 2009, CISIS.

[40]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[41]  Michael Grüninger,et al.  Introduction , 2002, CACM.

[42]  Rawaa Dawoud Al-Dabbagh,et al.  GENETIC ALGORITHM APPROACH FOR RISK REDUCTION OF INFORMATIONSECURITY , 2012 .

[43]  Marc Busch,et al.  A Survey of Trust and Risk Metrics for a BYOD Mobile Worker World : Third International Conference on Social Eco-Informatics , 2013 .

[44]  D. Fogel Evolutionary algorithms in theory and practice , 1997, Complex..

[45]  D. E. Goldberg,et al.  Genetic Algorithms in Search , 1989 .

[46]  Charles C. Wood,et al.  Information Security Policies Made Easy , 1994 .

[47]  Antonio Scarfò,et al.  New Security Perspectives around BYOD , 2012, 2012 Seventh International Conference on Broadband, Wireless Computing, Communication and Applications.

[48]  M. Tiffany A Survey of Event Correlation Techniques and Related Topics , 2002 .

[49]  Hiroshi Motoda,et al.  Feature Extraction, Construction and Selection , 1998 .

[50]  Keng Siau,et al.  A review of data mining techniques , 2001, Ind. Manag. Data Syst..

[51]  Wenting Li,et al.  Towards a User-Friendly Security-Enhancing BYOD Solution , 2013 .

[52]  Arati Baliga,et al.  Rootkits on smart phones: attacks, implications and opportunities , 2010, HotMobile '10.

[53]  Alessandro Armando,et al.  Enabling BYOD through secure meta-market , 2014, WiSec '14.

[54]  Ehab Al-Shaer,et al.  Synthetic security policy generation via network traffic clustering , 2010, AISec '10.

[55]  Isabelle Guyon,et al.  An Introduction to Variable and Feature Selection , 2003, J. Mach. Learn. Res..

[56]  David E. Goldberg,et al.  Genetic Algorithms in Search Optimization and Machine Learning , 1988 .

[57]  Mo Adam Mahmood,et al.  Employees' adherence to information security policies: An exploratory field study , 2014, Inf. Manag..

[58]  Gregory D. Abowd,et al.  Towards a Better Understanding of Context and Context-Awareness , 1999, HUC.

[59]  John R. Koza,et al.  Genetic programming - on the programming of computers by means of natural selection , 1993, Complex adaptive systems.

[60]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[61]  José María de Fuentes,et al.  Automatic Rule Generation Based on Genetic Programming for Event Correlation , 2009, CISIS.

[62]  George Danezis Inferring privacy policies for social networking services , 2009, AISec '09.

[63]  Miguel Soriano,et al.  Design of Cryptographic Protocols by Means of Genetic Algorithms Techniques , 2006, SECRYPT.