@phdthesis{Milenkoski2016, author = {Milenkoski, Aleksandar}, title = {Evaluation of Intrusion Detection Systems in Virtualized Environments}, url = {http://nbn-resolving.de/urn:nbn:de:bvb:20-opus-141846}, school = {Universit{\"a}t W{\"u}rzburg}, year = {2016}, abstract = {Virtualization allows the creation of virtual instances of physical devices, such as network and processing units. In a virtualized system, governed by a hypervisor, resources are shared among virtual machines (VMs). Virtualization has been receiving increasing interest as a way to reduce costs through server consolidation and to enhance the flexibility of physical infrastructures. Although virtualization provides many benefits, it introduces new security challenges; that is, the introduction of a hypervisor introduces threats since hypervisors expose new attack surfaces. Intrusion detection is a common cyber security mechanism whose task is to detect malicious activities in host and/or network environments. This enables timely reaction in order to stop an on-going attack, or to mitigate the impact of a security breach. The wide adoption of virtualization has resulted in the increasingly common practice of deploying conventional intrusion detection systems (IDSs), for example, hardware IDS appliances or common software-based IDSs, in designated VMs as virtual network functions (VNFs). In addition, the research and industrial communities have developed IDSs specifically designed to operate in virtualized environments (i.e., hypervisor-based IDSs), with components both inside the hypervisor and in a designated VM. The latter are becoming increasingly common with the growing proliferation of virtualized data centers and the adoption of the cloud computing paradigm, for which virtualization is a key enabling technology. To minimize the risk of security breaches, methods and techniques for evaluating IDSs in an accurate manner are essential. 
For instance, one may compare different IDSs in terms of their attack detection accuracy in order to identify and deploy the IDS that operates optimally in a given environment, thereby reducing the risks of a security breach. However, methods and techniques for realistic and accurate evaluation of the attack detection accuracy of IDSs in virtualized environments (i.e., IDSs deployed as VNFs or hypervisor-based IDSs) are lacking. That is, workloads that exercise the sensors of an evaluated IDS and contain attacks targeting hypervisors are needed. Attacks targeting hypervisors are of high severity since they may result in, for example, altering the hypervisor's memory and thus enabling the execution of malicious code with hypervisor privileges. In addition, there are no metrics and measurement methodologies for accurately quantifying the attack detection accuracy of IDSs in virtualized environments with elastic resource provisioning (i.e., on-demand allocation or deallocation of virtualized hardware resources to VMs). Modern hypervisors allow for hotplugging virtual CPUs and memory on the designated VM where the intrusion detection engine of hypervisor-based IDSs, as well as of IDSs deployed as VNFs, typically operates. Resource hotplugging may have a significant impact on the attack detection accuracy of an evaluated IDS, which is not taken into account by existing metrics for quantifying IDS attack detection accuracy. This may lead to inaccurate measurements, which, in turn, may result in the deployment of misconfigured or ill-performing IDSs, increasing the risk of security breaches. This thesis presents contributions that span the standard components of any system evaluation scenario: workloads, metrics, and measurement methodologies. The scientific contributions of this thesis are: A comprehensive systematization of the common practices and the state-of-the-art on IDS evaluation. 
This includes: (i) a definition of an IDS evaluation design space that allows existing practical and theoretical work to be put into a common context in a systematic manner; (ii) an overview of common practices in IDS evaluation reviewing evaluation approaches and methods related to each part of the design space; and (iii) a set of case studies demonstrating how different IDS evaluation approaches are applied in practice. Given the significant amount of existing practical and theoretical work related to IDS evaluation, the presented systematization is beneficial for improving the general understanding of the topic by providing an overview of the current state of the field. In addition, it is beneficial for identifying and contrasting advantages and disadvantages of different IDS evaluation methods and practices, while also helping to identify specific requirements and best practices for evaluating current and future IDSs. An in-depth analysis of common vulnerabilities of modern hypervisors as well as a set of attack models capturing the activities of attackers triggering these vulnerabilities. The analysis includes 35 representative vulnerabilities of hypercall handlers (i.e., hypercall vulnerabilities). Hypercalls are software traps from a kernel of a VM to the hypervisor. The hypercall interface of hypervisors, among device drivers and VM exit events, is one of the attack surfaces that hypervisors expose. Triggering a hypercall vulnerability may lead to a crash of the hypervisor or to altering the hypervisor's memory. We analyze the origins of the considered hypercall vulnerabilities, demonstrate and analyze possible attacks that trigger them (i.e., hypercall attacks), develop hypercall attack models (i.e., systematized activities of attackers targeting the hypercall interface), and discuss future research directions focusing on approaches for securing hypercall interfaces. 
A novel approach for evaluating IDSs enabling the generation of workloads that contain attacks targeting hypervisors, that is, hypercall attacks. We propose an approach for evaluating IDSs using attack injection (i.e., controlled execution of attacks during regular operation of the environment where an IDS under test is deployed). The injection of attacks is performed based on attack models that capture realistic attack scenarios. We use the hypercall attack models developed as part of this thesis for injecting hypercall attacks. A novel metric and measurement methodology for quantifying the attack detection accuracy of IDSs in virtualized environments that feature elastic resource provisioning. We demonstrate how the elasticity of resource allocations in such environments may impact the IDS attack detection accuracy and show that using existing metrics in such environments may lead to practically challenging and inaccurate measurements. We also demonstrate the practical use of the metric we propose through a set of case studies, where we evaluate common conventional IDSs deployed as VNFs. In summary, this thesis presents the first systematization of the state-of-the-art on IDS evaluation, considering workloads, metrics and measurement methodologies as integral parts of every IDS evaluation approach. In addition, we are the first to examine the hypercall attack surface of hypervisors in detail and to propose an approach using attack injection for evaluating IDSs in virtualized environments. Finally, this thesis presents the first metric and measurement methodology for quantifying the attack detection accuracy of IDSs in virtualized environments that feature elastic resource provisioning. From a technical perspective, as part of the proposed approach for evaluating IDSs, this thesis presents hInjector, a tool for injecting hypercall attacks. 
We designed hInjector to enable the rigorous, representative, and practically feasible evaluation of IDSs using attack injection. We demonstrate the application and practical usefulness of hInjector, as well as of the proposed approach, by evaluating a representative hypervisor-based IDS designed to detect hypercall attacks. While we focus on evaluating the capabilities of IDSs to detect hypercall attacks, the proposed IDS evaluation approach can be generalized and applied in a broader context. For example, it may be directly used to also evaluate security mechanisms of hypervisors, such as hypercall access control (AC) mechanisms. It may also be applied to evaluate the capabilities of IDSs to detect attacks involving operations that are functionally similar to hypercalls, for example, the input/output control (ioctl) calls that the Kernel-based Virtual Machine (KVM) hypervisor supports. For IDSs in virtualized environments featuring elastic resource provisioning, our approach for injecting hypercall attacks can be applied in combination with the attack detection accuracy metric and measurement methodology we propose. Our approach for injecting hypercall attacks, and our metric and measurement methodology, can also be applied independently beyond the scenarios considered in this thesis. 
The wide spectrum of security mechanisms in virtualized environments whose evaluation can directly benefit from the contributions of this thesis (e.g., hypervisor-based IDSs, IDSs deployed as VNFs, and AC mechanisms) reflects the practical implication of the thesis.}, subject = {Eindringerkennung}, language = {en} } @phdthesis{Holz2015, author = {Holz, Elisa Mira}, title = {Systematic evaluation of non-invasive brain-computer interfaces as assistive devices for persons with severe motor impairment based on a user-centred approach - in controlled settings and independent use}, url = {http://nbn-resolving.de/urn:nbn:de:bvb:20-opus-126334}, school = {Universit{\"a}t W{\"u}rzburg}, year = {2015}, abstract = {Brain-computer interfaces (BCIs) are devices that translate signals from the brain into control commands for applications. Within the last twenty years, BCI applications have been developed for communication, environmental control, entertainment, and substitution of motor functions. Since BCIs provide muscle independent communication and control of the environment by circumventing motor pathways, they are considered as assistive technologies for persons with neurological and neurodegenerative diseases leading to motor paralysis, such as amyotrophic lateral sclerosis (ALS), muscular dystrophy, spinal muscular atrophy and stroke (K{\"u}bler, Kotchoubey, Kaiser, Wolpaw, \& Birbaumer, 2001). Although most researchers mention persons with severe motor impairment as the target group for their BCI systems, most studies include healthy participants and studies including potential BCI end-users are sparse. Thus, there is a substantial lack of studies that investigate whether results obtained in healthy participants can be transferred to patients with neurodegenerative diseases. This clearly shows that BCI research faces a translational gap between intense BCI research and bringing BCI applications to end-users outside the lab (K{\"u}bler, Mattia, Rupp, \& Tangermann, 2013). 
Translational studies are needed that investigate whether BCIs can be successfully used by severely disabled end-users and whether those end-users would accept BCIs as assistive devices. Another obvious discrepancy exists between a plethora of short-term studies and a sparse number of long-term studies. BCI research thus also faces a reliability gap (K{\"u}bler, Mattia, et al., 2013). Most studies present only one BCI session, however the few studies that include several testing sessions indicate high inter- and intra-individual variance in the end-users' performance due to non-stationarity of signals. Long-term studies, however, are needed to demonstrate whether a BCI can be reliably used as assistive device over a longer period of time in the daily-life of a person. Therefore there is also a great need for reliability studies. The purpose of the present thesis was to address these research gaps and to bring BCIs closer to end-users in need, especially into their daily-lives, following a user-centred design (UCD). The UCD was suggested as theoretical framework for bringing BCIs to end-users by K{\"u}bler and colleagues (K{\"u}bler et al., 2014; Zickler et al., 2011). This approach aims at the close and iterative interaction between BCI developers and end-users with the final goal to develop BCI systems that are accepted as assistive devices by end-users. The UCD focuses on usability, that is, how well a BCI technology matches the purpose and meets the needs and requirements of the targeted end-users and was standardized with the ISO 9241-210. Within the UCD framework, usability of a device can be defined with regard to its effectiveness, efficiency and satisfaction. These aspects were operationalized by K{\"u}bler and colleagues to evaluate BCI-controlled applications. 
As suggested by Vaughan and colleagues, the number of BCI sessions, the total usage duration and the impact of the BCI on the life of the person can be considered as indicators of usefulness of the BCI in long-term daily-life use (Vaughan, Sellers, \& Wolpaw, 2012). These definitions and metrics for usability and usefulness were applied for evaluating BCI applications as assistive devices in controlled settings and independent use. Three different BCI applications were tested and evaluated by in total N=10 end-users: In study 1 a motor-imagery (MI) based BCI for gaming was tested by four end-users with severe motor impairment. In study 2, a hybrid P300 event-related (ERP) based BCI for communication was tested by four severely motor restricted end-users with severe motor impairment. Study 1 and 2 are short-term studies conducted in a controlled-setting. In study 3 a P300-ERP BCI for creative expression was installed for long-term independent use at the homes of two end-users in the locked-in state. Both end-users are artists who had gradually lost the ability to paint after being diagnosed with ALS. Results reveal that BCI controlled devices are accepted as assistive devices. Main obstacles for daily-life use were the not very aesthetic design of the EEG-cap and electrodes (cap is eye-catching and looks medical), low comfort (cables disturb, immobility, electrodes press against head if lying on a head cushion), complicated and time-consuming adjustment, low efficiency and low effectiveness, and not very high reliability (many influencing factors). While effectiveness and efficiency in the MI based BCI were lower compared to applications using the P300-ERP as input channel, the MI controlled gaming application was nevertheless better accepted by the end-users and end-users would rather like to use it compared to the communication applications. 
Thus, malfunctioning and errors, low speed, and the EEG cap are rather tolerated in gaming applications, compared to communication devices. Since communication is essential for daily-life, it has to be fast and reliable. BCIs for communication, at the current state of the art, are not considered competitive with other assistive devices, if other devices, such as eye-gaze, are still an option. However, BCIs might be an option when controlling an application for entertainment in daily-life, if communication is still available. Results demonstrate that BCI is adopted in daily-life if it matches the end-users' needs and requirements. Brain Painting serves as best representative, as it matches the artists' need for creative expression. Caveats such as uncomfortable cap, dependence on others for set-up, and experienced low control are tolerated and do not prevent BCI use on a daily basis. Also end-users in real need of means for communication, such as persons in the locked-in state with unreliable eye-movement or no means for independent communication, do accept obstacles of the BCI, as it is the last or only solution to communicate or control devices. Thus, these aspects are "no real obstacles" but rather "challenges" that do not prevent end-users from using the BCI in their daily-lives. For instance, one end-user, who uses a BCI in her daily-life, stated: "I don't care about aesthetic design of EEG cap and electrodes nor amplifier". Thus, the question is not which system is superior to the other, but which system is best for an individual user with specific symptoms, needs, requirements, existing assistive solutions, support by caregivers/family etc.; it is thereby a question of indication. These factors seem to be better "predictors" for adoption of a BCI in daily-life, than common usability criteria such as effectiveness or efficiency. 
The face valid measures of daily-life demonstrate that BCI-controlled applications can be used in daily-life for more than 3 years, with high satisfaction for the end-users, without experts being present and despite a decrease in the amplitude of the P300 signal. Brain Painting re-enabled both artists to be creatively active in their home environment and thus improved their feelings of happiness, usefulness, self-esteem, well-being, and consequently quality of life and supports social inclusion. This thesis suggests that BCIs are valuable tools for people in the locked-in state.}, subject = {Gehirn-Computer-Schnittstelle}, language = {en} } @article{ShityakovFoersterRethwilmetal.2014, author = {Shityakov, Sergey and F{\"o}rster, Carola and Rethwilm, Axel and Dandekar, Thomas}, title = {Evaluation and Prediction of the HIV-1 Central Polypurine Tract Influence on Foamy Viral Vectors to Transduce Dividing and Growth-Arrested Cells}, doi = {10.1155/2014/487969}, url = {http://nbn-resolving.de/urn:nbn:de:bvb:20-opus-112763}, year = {2014}, abstract = {Retroviral vectors are potent tools for gene delivery and various biomedical applications. To accomplish a gene transfer task successfully, retroviral vectors must effectively transduce diverse cell cultures at different phases of a cell cycle. However, very promising retroviral vectors based on the foamy viral (FV) backbone lack the capacity to efficiently transduce quiescent cells. It is hypothesized that this phenomenon might be explained as the inability of foamy viruses to form a pre-integration complex (PIC) with nuclear import activity in growth-arrested cells, which is the characteristic for lentiviruses (HIV-1). In this process, the HIV-1 central polypurine tract (cPPT) serves as a primer for plus-strand synthesis to produce a "flap" element and is believed to be crucial for the subsequent double-stranded cDNA formation of all retroviral RNA genomes. 
In this study, the effects of the lentiviral cPPT element on the FV transduction potential in dividing and growth-arrested (G1/S phase) adenocarcinomic human alveolar basal epithelial (A549) cells are investigated by experimental and theoretical methods. The results indicated that the HIV-1 cPPT element in a foamy viral vector background will lead to a significant reduction of the FV transduction and viral titre in growth-arrested cells due to the absence of PICs with nuclear import activity.}, subject = {Evaluation}, language = {en} } @article{MengMusekampSeekatzetal.2013, author = {Meng, Karin and Musekamp, Gunda and Seekatz, Bettina and Glatz, Johannes and Karger, Gabriele and Kiwus, Ulrich and Knoglinger, Ernst and Schubmann, Rainer and Westphal, Ronja and Faller, Hermann}, title = {Evaluation of a self-management patient education program for patients with chronic heart failure undergoing inpatient cardiac rehabilitation: study protocol of a cluster randomized controlled trial}, series = {BMC Cardiovascular Disorders}, journal = {BMC Cardiovascular Disorders}, doi = {10.1186/1471-2261-13-60}, url = {http://nbn-resolving.de/urn:nbn:de:bvb:20-opus-96852}, year = {2013}, abstract = {Background Chronic heart failure requires a complex treatment regimen on a life-long basis. Therefore, self-care/self-management is an essential part of successful treatment and comprehensive patient education is warranted. However, specific information on program features and educational strategies enhancing treatment success is lacking. This trial aims to evaluate a patient-oriented and theory-based self-management educational group program as compared to usual care education during inpatient cardiac rehabilitation in Germany. Methods/Design The study is a multicenter cluster randomized controlled trial in four cardiac rehabilitation clinics. 
Clusters are patient education groups that comprise HF patients recruited within 2 weeks after commencement of inpatient cardiac rehabilitation. Cluster randomization was chosen for pragmatic reasons, i.e. to ensure a sufficient number of eligible patients to build large-enough educational groups and to prevent contamination by interaction of patients from different treatment allocations during rehabilitation. Rehabilitants with chronic systolic heart failure (n = 540) will be consecutively recruited for the study at the beginning of inpatient rehabilitation. Data will be assessed at admission, at discharge and after 6 and 12 months using patient questionnaires. In the intervention condition, patients receive the new patient-oriented self-management educational program, whereas in the control condition, patients receive a short lecture-based educational program (usual care). The primary outcome is patients' self-reported self-management competence. Secondary outcomes include behavioral determinants and self-management health behavior (symptom monitoring, physical activity, medication adherence), health-related quality of life, and treatment satisfaction. Treatment effects will be evaluated separately for each follow-up time point using multilevel regression analysis, and adjusting for baseline values. Discussion This study evaluates the effectiveness of a comprehensive self-management educational program by a cluster randomized trial within inpatient cardiac rehabilitation in Germany. Furthermore, subgroup-related treatment effects will be explored. 
Study results will contribute to a better understanding of both the effectiveness and mechanisms of a self-management group program as part of cardiac rehabilitation.}, language = {en} } @phdthesis{Schumm2009, author = {Schumm, Irene}, title = {Lessons Learned From Germany's 2001-2006 Labor Market Reforms}, url = {http://nbn-resolving.de/urn:nbn:de:bvb:20-opus-43705}, school = {Universit{\"a}t W{\"u}rzburg}, year = {2009}, abstract = {In der Dissertation werden die Gesetze zur Reform des Arbeitsmarktes in Deutschland, besser bekannt als Hartz-Reformen, untersucht. Zun{\"a}chst wird ein {\"U}berblick {\"u}ber die wichtigsten {\"A}nderungen aus den vier Reform-Paketen gegeben sowie die Effekte, welche man sich davon versprach. Des Weiteren werden zwei grundlegende Reformmaßnahmen, n{\"a}mlich die Zusammenlegung der Arbeitslosen- und Sozialhilfe (Hartz IV) sowie die Verk{\"u}rzung der Bezugsdauer der Arbeitslosenversicherungsleistung, analysiert, um deren Auswirkungen auf das individuelle Verhalten und die aggregierte {\"O}konomie zu evaluieren. Diese Untersuchung geschieht im Rahmen eines Matching-Modells mit optimaler verweildauerabh{\"a}ngiger Suchleistung. Mit Hilfe von Semi-Markov-Methoden, deren Anwendung in der Arbeitsmarkttheorie beschrieben wird, findet schließlich eine Aggregierung statt. Auf diese Weise k{\"o}nnen die Auswirkungen der Hartz-IV-Reformen auf die Verweildauer in Arbeitslosigkeit, die optimale Suchleistung und die Arbeitslosigkeit quantifiziert werden.}, subject = {Hartz-Reform}, language = {en} }