Abstract
The potential for problems caused by malicious code grows in direct proportion to the number of COTS software components used in a system. Because of this, many practitioners have applied a variety of techniques to address potential attacks. Yet little guidance has been offered as to which techniques work best, when, and under what conditions. To rectify this problem, we have created a framework to help those who need to address such vulnerabilities select a solution. The framework matches defenses to attacks using a risk-based approach that focuses on providing cost-effective protection.
© 2005 Springer-Verlag Berlin Heidelberg
Reifer, D.J., Baxi, P., Hirata, F., Schifman, J., Tsao, R. (2005). Addressing Malicious Code in COTS: A Protection Framework. In: Franch, X., Port, D. (eds) COTS-Based Software Systems. ICCBSS 2005. Lecture Notes in Computer Science, vol 3412. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30587-3_26
DOI: https://doi.org/10.1007/978-3-540-30587-3_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24548-3
Online ISBN: 978-3-540-30587-3
eBook Packages: Computer Science (R0)