Florian Fankhauser
Projektass. Dipl.-Ing.
- Email: florian.fankhauser@tuwien.ac.at
- Phone: +43-1-58801-183410
- Office: (1040 Wien, Favoritenstrasse 11)
- Roles: PreDoc Researcher
Publications
A Robust and Flexible Test Environment for VoIP Security Tests.
Maximilian Ronniger, Florian Fankhauser, Christian Schanes, Thomas Grechenig
Abstract: Voice over IP (VoIP) is in wide use today, replacing phone lines in many scenarios. However, often, security isn't considered well enough, even though many security attacks are already known. More research on VoIP security is needed to enhance the level of security of VoIP systems and to show the implications of failing to take appropriate security measures. This paper presents an architecture and implementation of a robust and flexible VoIP test environment for security related tests. Experiences using the implemented environment for different VoIP security tests are shown to demonstrate the suitability of the proposed test environment for research purposes.
Ronniger, M., Fankhauser, F., Schanes, C., & Grechenig, T. (2010). A Robust and Flexible Test Environment for VoIP Security Tests. In Proceedings of The 5th International Conference for Internet Technology and Secured Transactions (pp. 96–101). Infonomics Society, UK. http://hdl.handle.net/20.500.12708/53543
Work in progress: Black-Box approach for testing quality of service in case of security incidents on the example of a SIP-based VoIP service.
Peter Steinbacher, Florian Fankhauser, Christian Schanes, Thomas Grechenig
Abstract: One of the main security objectives for systems connected to the Internet which provide services like Voice over Internet Protocol (VoIP) is to ensure robustness against security attacks to fulfill Quality of Service (QoS). To avoid system failures during attacks service providers have to integrate countermeasures which have to be tested. This work evaluates a test approach to determine the efficiency of countermeasures to fulfill QoS for Session Initiation Protocol (SIP) based VoIP systems even under attack. The main objective of the approach is the evaluation of service availability of a System Under Test (SUT) during security attacks, e.g., Denial of Service (DoS) attacks. Therefore, a simulated system load based on QoS requirements is combined with different security attacks. The observation of the system is based on black-box testing. By monitoring quality metrics of SIP transactions the behavior of the system is measurable. The concept was realized as a prototype and was evaluated using different VoIP systems. For this, multiple security attacks are integrated to the testing scenarios. The outcome showed that the concept provides sound test results, which reflect the behavior of SIP systems availability under various attacks. Thus, security problems can be found and QoS for SIP-based VoIP communication under attack can be predicted.
Steinbacher, P., Fankhauser, F., Schanes, C., & Grechenig, T. (2010). Work in progress: Black-Box approach for testing quality of service in case of security incidents on the example of a SIP-based VoIP service. In Proceedings of IPTComm 2010 Principles, Systems and Applications of IP Telecommunications (pp. 107–116). Technische Universität München, Germany. http://hdl.handle.net/20.500.12708/53544
Mining security changes in freebsd
Andreas Mauczka, Christian Schanes, Florian Fankhauser, Mario Bernhart, Thomas Grechenig
Abstract: Current research on historical project data is rarely touching on the subject of security related information. Learning how security is treated in projects and which parts of a software are historically security relevant or prone to security changes can enhance the security strategy of a software project. We present a mining methodology for security related changes by modifying an existing method of software repository analysis. We use the gathered security changes to find out more about the nature of security in the FreeBSD project and we try to establish a link between the identified security changes and a tracker for security issues (security advisories). We give insights how security is presented in the FreeBSD project and show how the mined data and known security problems are connected.
Mauczka, A., Schanes, C., Fankhauser, F., Bernhart, M., & Grechenig, T. (2010). Mining security changes in freebsd. In Proceedings of 7th IEEE Working Conference on Mining Software Repositories (MSR) (pp. 90–93). IEEE. http://hdl.handle.net/20.500.12708/53545
Entwurf und Entwicklung einer dynamischen Prüfkomponente für den Pseudonymisierungsgrad zum Zweck des Peer-to-Peer Austauschs medizinischer Daten in Forschung und Lehre
Pujan Shadlau, Mario Bernhart, Florian Fankhauser, Thomas Grechenig
Keywords: Anonymization, Pseudonymization, Research and Teaching, l-Diversity, Diversity, k-Anonymity, Data Privacy, Security
Abstract: Personal Data, concerning unique individuals, requires accurate treatment ever since. To avoid the disclosure of these unique individuals through the exploit of personal data during electronic exchange, certain steps can be taken, including anonymization- and pseudonymization-techniques. In the first instance we focus on the comparison of current anonymization- and pseudonymization-techniques and then continue with the proposal for a verifying-component which is going to be realized within the scope of a case-study at the Technical University of Vienna. Purpose of the component is the delivery of a decision-base for the peer-to-peer exchange of medical data so no unique individuals can be identified during the exploit of this data. Therefore the component assures a certain standard of pseudonymity for the medical data in regards of diversity and anonymity. Finally a proposal for the verifying-component is made in the last section of this scientific work. Research showed that current anonymization and pseudonymization methods are insufficient in terms of security and attacks on them, so that a maximum level of security cannot be guaranteed at this point of time.
Shadlau, P. (2009). Entwurf und Entwicklung einer dynamischen Prüfkomponente für den Pseudonymisierungsgrad zum Zweck des Peer-to-Peer Austauschs medizinischer Daten in Forschung und Lehre [Master Thesis, Technische Universität Wien]. reposiTUm. https://resolver.obvsg.at/urn:nbn:at:at-ubtuw:1-31245
Problem space and special characteristics of security testing in live and operational environments of large systems exemplified by a nationwide IT infrastructure
Christian Schanes, Florian Fankhauser, Thomas Grechenig, Michael Schafferer, Kai Behning, Dieter Hovemeyer
Abstract: The paper discusses foundations and requirements for testing security robustness aspects in operational environments while adhering to defined protection values for data. It defines the problem space and special characteristics of security testing in large IT infrastructures. In this area there are different environments with varying characteristics, e.g., regarding confidentiality of data. Common environments based on an existing IT project are defined. Testing in dedicated test environments is state of the art, however, sometimes this is not sufficient and testing in operational environments is required. Case studies showed many restrictions in the security test process, e.g., limited access for testers, which have to be addressed. The problems of testing in these operational environments are pointed out. Experiences and some current solution approaches for testing these special environments are shown (e.g., usage of disaster/recovery mechanism).
Schanes, C., Fankhauser, F., Grechenig, T., Schafferer, M., Behning, K., & Hovemeyer, D. (2009). Problem space and special characteristics of security testing in live and operational environments of large systems exemplified by a nationwide IT infrastructure. In Advances in System Testing and Validation Lifecycle (pp. 161–166). IEEE. http://hdl.handle.net/20.500.12708/53068
Teaching
Introduction to Security
Semester: 2024W; Nr: 194.157; Type: VU; Hours: 4.0; Language: German