Archive for May, 2009

Ex-20

May 27, 2009

1. Use case, class, sequence, collaboration, state chart, activity, component and deployment diagrams are used in UML. Describe each of the eight diagrams used in UML.


Use case diagram – Contains actors, use cases and associations for capturing the functional requirements; it depicts the behaviour of the system from an external point of view.

* Actor: A person, organization or external system that plays a role in the system.
* Use case: A sequence of actions that yields a measurable value to an actor.
* Association: Connects an actor to a use case, representing the actor's involvement in an interaction with that use case.

Class diagram – Illustrates the classes of the system with their attributes, interfaces and inter-relationships. The classes, attributes and interfaces are usually straightforward; the relationships can be quite complicated because of multiplicity, generalization and associations.

Sequence diagram – Consists of objects and the messages (invocations) exchanged between them, ordered in time. A sequence diagram shows the order in which invocations occur in the system and when the different objects are created.

Collaboration diagram – Consists of objects and messages, focusing on the communication links between objects; it carries the same information as a sequence diagram but emphasizes structure rather than time order.

State chart diagram – Consists of states, transitions, events and actions, showing the states an entity can be in and how it changes state in response to different events. A state diagram is usually not required except for complicated logic.

Activity diagram – Consists of activities and decisions; it plays the role of a flowchart or data flow diagram, illustrating the flow of control (and optionally data) through a process.

Component diagram – Consists of the major system components, such as classifiers and artifacts, and their inter-relationships. It gives a high-level overview of the system's structure.

Deployment diagram – Consists of deployment elements, mainly hardware such as servers, together with their relationships and logical connections/configuration. A deployment diagram can be considered the logical topology of the system.

References:

Castillo, C. & Richards, K. (2007) Why model with UML?. Retrieved May 29, 2009 from http://www.netbeans.org/kb/55/uml-why-model.html.

Woo, J. (n.d.). UML diagrams. Retrieved May 29, 2009 from http://www.cs.umbc.edu/courses/undergraduate/CMSC445/Fall06/UML%20Diagrams.ppt#273,28,Communication%20diagram

Ex-19

May 27, 2009

1. Give a description in your own words of the ACID properties of a transaction.

The ACID properties of a transaction are atomicity, consistency, isolation and durability.

Atomicity:

Atomicity refers to the ability of the DBMS to guarantee that either all of the tasks of a transaction are performed or none of them are. For example, the transfer of funds from one account to another can be completed or it can fail for a multitude of reasons, but atomicity guarantees that one account won’t be debited if the other is not credited.

Consistency:

The consistency property ensures that the database is in a consistent state both before the transaction starts and after it finishes. Only data that satisfies the database's rules (its constraints) is written. If a transaction would violate those rules, the entire transaction is rolled back and the database is restored to a state consistent with them.

Isolation:

Isolation refers to the requirement that other operations cannot see data in an intermediate state while a transaction is in progress; each transaction appears to run alone. This is needed to keep concurrent transactions consistent with one another. The DBMS enforces it with locking or multiversion concurrency control, which costs performance rather than improving it, so isolation levels are a trade-off between correctness and throughput.

Durability:

Durability refers to the guarantee that once the user has been notified of success, the transaction's effects persist and are not undone. They survive a system failure: before reporting success the DBMS has already checked the integrity constraints and written the changes to stable storage (typically a write-ahead log), so it will not need to abort the transaction afterwards.
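An added example, not from the original post, that exercises each of the four properties with Python's sqlite3 module on a constructed two-account bank. The table, the amounts and the temporary database file are assumptions; the point is to watch a failed transfer leave nothing behind, an uncommitted update stay invisible to a second connection, and a committed one survive closing the database.

```python
import os
import sqlite3
import tempfile


def make_bank(path):
    """Constructed two-account bank. The CHECK constraint is the consistency rule:
    a balance may never go negative. isolation_level=None puts the sqlite3 module in
    autocommit mode so that BEGIN/COMMIT/ROLLBACK below are issued explicitly."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(
        "CREATE TABLE account ("
        "  name TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.execute("INSERT INTO account VALUES ('alice', 100), ('bob', 50)")
    return conn


def balances(conn):
    return dict(conn.execute("SELECT name, balance FROM account ORDER BY name").fetchall())


def transfer(conn, src, dst, amount):
    """Atomic transfer. The credit is applied first on purpose: if the debit then violates
    the CHECK constraint, the already-applied credit must disappear as well, which is
    exactly what ROLLBACK guarantees. Returns True when committed, False when rolled back."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        conn.execute("UPDATE account SET balance = balance + ? WHERE name = ?", (amount, dst))
        conn.execute("UPDATE account SET balance = balance - ? WHERE name = ?", (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")
        return False


def demo():
    path = os.path.join(tempfile.mkdtemp(), "bank.db")
    conn = make_bank(path)
    before = balances(conn)

    # Atomicity + consistency: the overdraft fails on the debit; the credit is rolled back.
    overdraft_committed = transfer(conn, "alice", "bob", 500)
    after_failed = balances(conn)

    # A valid transfer commits both rows together.
    transfer(conn, "alice", "bob", 30)
    after_ok = balances(conn)

    # Isolation: a second connection does not see an uncommitted update.
    other = sqlite3.connect(path, isolation_level=None)
    conn.execute("BEGIN")
    conn.execute("UPDATE account SET balance = balance + 1000 WHERE name = 'bob'")
    bob_seen_elsewhere = balances(other)["bob"]
    conn.execute("ROLLBACK")
    other.close()
    conn.close()

    # Durability: the committed transfer is still there after closing and reopening.
    reopened = sqlite3.connect(path)
    after_reopen = balances(reopened)
    reopened.close()

    return {
        "before": before,
        "overdraft_committed": overdraft_committed,
        "after_failed": after_failed,
        "after_ok": after_ok,
        "bob_seen_elsewhere": bob_seen_elsewhere,
        "durable": after_reopen == after_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints the dictionary returned by demo(): the overdraft is rejected with both balances unchanged, the 30-unit transfer leaves alice at 70 and bob at 80, the second connection still reads 80 for bob while the +1000 is pending, and the reopened file agrees with the last committed state.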

Reference:

ACID. (n.d.). Wikipedia. Retrieved May 27, 2009 from http://en.wikipedia.org/wiki/ACID

2. Describe a TP monitor environment. How can a TP monitor stop an operating system being overwhelmed?

A transaction processing (TP) monitor is a program that monitors a transaction as it passes from one stage of a process to another. Its purpose is to ensure that the transaction is processed completely or, if an error occurs, that appropriate action (such as rolling the transaction back) is taken.

TP monitors are especially important in three-tier architectures that employ load balancing, because a transaction may be forwarded to any of several servers. In fact, many TP monitors handle all the load-balancing operations themselves, forwarding transactions to different servers based on their availability.

The kinds of work performed by a TP monitor are process management, transaction management and client/server communication management. A TP monitor can stop the operating system from being overwhelmed by maintaining a fixed pool of server processes and queueing incoming transactions, so that clients take turns using the pool instead of each client request spawning its own server process.

Reference:

TP monitor. (n.d.). Webopedia. Retrieved May 27, 2009 from http://www.webopedia.com/TERM/T/TP_monitor.html

3. What is difference in load balancing with traditional and transactional MOM, RPC and conversations?

RPC – Remote Procedure Call is synchronous communication: the calling application stops processing (is blocked) until it receives the response from the remote procedure. RPC is simple, but performance is a great concern. In particular, RPC requires a lot of processing power, and the numerous exchanges between client and server cause high memory usage and network traffic.

MOM – Message-Oriented Middleware supports asynchronous communication in two models, point-to-point messaging and message queuing. The advantage of a message queue is that the remote program does not need to be active while the calling program sends the message. Both the calling and the remote program can work at their own pace without being disrupted by the middleware.

However, a TP monitor has a greater performance advantage in load balancing than either RPC or MOM. A TP monitor implements the following for load balancing:

i. A queued input buffer to protect against peaks in the workload.
ii. Priority scheduling to prioritize messages.
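An added example in Python, not from Linthicum's article or the original post, of the two load-balancing mechanisms just listed together with the process pool from question 2: a bounded priority queue is the input buffer, a fixed set of worker threads stands in for the server process pool, and a burst of requests beyond the buffer is refused instead of being allowed to pile up on the host. The class name, the pool size, the buffer depth and the request names are assumptions.

```python
import queue
import threading
import time


class TPMonitor:
    """Toy TP monitor. `workers` threads stand in for the server process pool and
    `queue_depth` is the queued input buffer. Requests are served by priority
    (0 before 1; equal priorities stay FIFO) and refused outright once the buffer is full."""

    def __init__(self, workers=2, queue_depth=4):
        self.inbox = queue.PriorityQueue(maxsize=queue_depth)
        self.gate = threading.Event()      # workers start draining only once opened
        self.lock = threading.Lock()       # guards the counters below
        self.seq = 0                       # tie-breaker so equal priorities stay FIFO
        self.active = 0
        self.peak_concurrent = 0
        self.rejected = 0
        self.done = []
        for _ in range(workers):
            threading.Thread(target=self._worker, daemon=True).start()

    def submit(self, priority, name, work):
        """Admission control: a non-blocking put, so a burst beyond the buffer is
        rejected immediately and the client can back off or retry later."""
        with self.lock:
            self.seq += 1
            seq = self.seq
        try:
            self.inbox.put_nowait((priority, seq, name, work))
            return True
        except queue.Full:
            with self.lock:
                self.rejected += 1
            return False

    def open(self):
        self.gate.set()

    def drain(self):
        """Block until every admitted request has been processed; return completion order."""
        self.inbox.join()
        with self.lock:
            return list(self.done)

    def _worker(self):
        self.gate.wait()
        while True:
            _priority, _seq, name, work = self.inbox.get()
            with self.lock:
                self.active += 1
                self.peak_concurrent = max(self.peak_concurrent, self.active)
            try:
                work()
            finally:
                with self.lock:
                    self.active -= 1
                    self.done.append(name)
                self.inbox.task_done()


def demo_priority():
    """One worker makes the service order fully deterministic: payments (priority 0)
    are served before reports (priority 1) even though they were queued later."""
    tp = TPMonitor(workers=1, queue_depth=4)
    for prio, name in [(1, "report-a"), (0, "payment-a"), (1, "report-b"), (0, "payment-b")]:
        tp.submit(prio, name, lambda: time.sleep(0.005))
    tp.open()
    return tp.drain()


def demo_burst():
    """Eight clients arrive at once against a buffer of three and two workers: three are
    queued, five are refused, and never more than two server slots are busy."""
    tp = TPMonitor(workers=2, queue_depth=3)
    admitted = sum(tp.submit(1, f"req-{i}", lambda: time.sleep(0.01)) for i in range(8))
    tp.open()
    tp.drain()
    return {"admitted": admitted, "rejected": tp.rejected, "peak_concurrent": tp.peak_concurrent}


if __name__ == "__main__":
    print(demo_priority())
    print(demo_burst())
```

The gate is only there so that the whole burst is submitted before any worker starts; in a real monitor the workers run continuously and the buffer fills whenever arrivals outpace the pool. What keeps the operating system from being overwhelmed is that the number of concurrently executing server processes is fixed at construction time, regardless of how many clients show up.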

Reference:

Linthicum, D.S. (1998). Middleware performance. Retrieved May 27, 2009 from http://www.dbmsmag.com/9808d07.html.

4. Why is a two-phase commit protocol better than a one-phase atomic commit protocol?

With a one-phase atomic commit protocol, the coordinator simply tells every server to commit; a server that cannot comply has no way to say so beforehand, so it may have to abort unilaterally while the other servers commit. As a result, the consistency of the transaction is lost.

The two-phase commit protocol (2PC, sometimes referred to as TPC) is a distributed algorithm that lets all nodes in a distributed system agree on whether to commit a transaction: in the first phase each node votes on whether it can commit, and in the second the coordinator tells all of them to commit or all of them to abort. The protocol results in either all nodes committing the transaction or all nodes aborting it, even in the case of network or node failures. Its limitation is that it is a blocking protocol and will not handle more than one random site failure at a time; even so, because no node commits until every node has voted yes, it is better than the one-phase protocol.

Reference:

http://wapedia.mobi/en/Two-phase-commit_protocol

Ex-18

May 27, 2009

1. A simple demonstration of the threading module in Python that uses both a lock and semaphore to control concurrency is by Ted Herman at the University of Iowa. The code and sample output below are worth a look. Report your findings.

The program starts several threads at once, allows only a certain number of them to run simultaneously, and ends once all the threads have finished running.

*** The program starts 10 threads one by one by calling start_tasks().
*** It loops and waits until all threads are done.
*** run(self) shows how each thread locks and unlocks the shared resources:
o Give each thread a random delay time.
o Request a quota slot (the semaphore) for the current thread. If the number of concurrent threads would exceed the limit, the thread exits this block.
o Lock the control variable "running" exclusively, so that it cannot be updated by others.
o Unlock the control variable "running", allowing other threads to run.
o Assume the current thread has finished after a certain delay time.
o Decrease the number of running threads.
o Unlock the control variable "running", allowing others to update it.
o Release the quota slot (the semaphore) so that another thread may take it.

When this program is run, the output processing times will differ depending on the processing speed of the computer on which it runs.
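The code and sample output referred to above are not reproduced on this page. What follows is an added reconstruction of the structure described in the list, written for current Python 3 rather than the 2.5 library the post cites; it is not Ted Herman's program. It uses a BoundedSemaphore as the concurrency quota and a Lock around the control variable running, records the highest number of threads that were inside the guarded section at once, and has the quota request block rather than exit when all slots are taken. The limit of three, the ten tasks and the delay ranges are assumptions.

```python
import random
import threading
import time

LIMIT = 3                                   # at most three tasks in the guarded section at once
quota = threading.BoundedSemaphore(LIMIT)   # the concurrency quota
running_lock = threading.Lock()             # guards the control variable `running`
running = 0                                 # how many tasks are in the section right now
peak = 0                                    # highest value `running` ever reached


class Task(threading.Thread):
    def __init__(self, number, delay):
        super().__init__(name=f"task-{number}")
        self.delay = delay

    def run(self):
        global running, peak
        time.sleep(self.delay)              # random start-up delay
        with quota:                         # request a slot; waits here while all LIMIT slots are busy
            with running_lock:              # lock `running` exclusively while updating it
                running += 1
                peak = max(peak, running)
            time.sleep(self.delay)          # pretend to work
            with running_lock:
                running -= 1
        # leaving the `with quota` block releases the slot for the next task


def start_tasks(count=10, seed=7):
    """Start `count` tasks one by one, then wait for all of them to finish."""
    global running, peak
    running = peak = 0
    rng = random.Random(seed)               # seeded so the delays are reproducible
    tasks = [Task(i, rng.uniform(0.005, 0.02)) for i in range(count)]
    started = time.perf_counter()
    for t in tasks:
        t.start()
    for t in tasks:
        t.join()
    return {"finished": count, "peak_concurrent": peak, "still_running": running,
            "elapsed_s": round(time.perf_counter() - started, 3)}


if __name__ == "__main__":
    print(start_tasks())
```

Because the semaphore is a BoundedSemaphore, releasing it more times than it was acquired raises an error instead of silently raising the limit, which is the kind of bookkeeping mistake that a plain Semaphore would let through. The elapsed time is the value that varies from machine to machine; the peak never exceeds LIMIT on any of them.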

The meaning of the functions is taken from the Python library reference (threading module), retrieved May 2009 from http://www.python.org/doc/2.5.2/lib/module-threading.html

Ex-17

May 26, 2009

1. Thread Synchronization

Thread synchronization is the ability to coordinate the activities of various threads. A thread synchronizes itself with another thread by putting itself to sleep; before doing so, it tells the operating system which event has to occur for it to resume execution.

2. Locks:
A lock is used to prevent conflicts by ensuring that only one thread can access a resource at a time. It may be a read lock or a write lock.

Once the lock has been granted to a particular thread, only that thread can access the protected resource. The lock is released when it is no longer required.

3. Deadlock:

A deadlock describes a situation where two or more threads are blocked forever, each waiting for a lock the other one holds. When such a program runs it is extremely likely that both threads block as soon as each tries to call back into the other; the blocking never ends, because each thread is waiting for the other to release its lock.

4.  Semaphores;

A semaphore is similar to a lock for an object or method. When a thread enters a semaphore-protected section it must acquire the semaphore in order to proceed through the section. After the thread is through the section, the semaphore is released for any other thread. The difference between a semaphore and a lock is that a lock is mutually exclusive (it has one holder), whereas a semaphore can be held by more than one thread at a time, up to a maximum number defined by the application.

5. Mutex (mutual exclusion)

A mutex is the common name for a program object that negotiates mutual exclusion among threads; it is also called a lock.

It is used in concurrent programming to avoid the simultaneous use of a common resource, such as a global variable, by pieces of code called critical sections.

6. Thread

A thread is an execution of a chunk of code that can proceed in parallel with the execution of other chunks of code. A computer with multiple processors can run different threads in parallel at the same time. Every thread has a priority; threads with higher priority are executed in preference to threads with lower priority.

7. Event

An event can be considered an action, change or transaction in concurrent programming. The associated script, written to respond to such an action or user response, is the event handler.

8. Waitable timer

A waitable timer is a synchronization object whose state becomes signaled when the specified due time arrives. Waitable timers come in the following forms:

  • manual-reset timer – stays signaled until it is explicitly reset
  • synchronization (auto-reset) timer – stays signaled only until one waiting thread is released
  • periodic timer – a manual-reset or synchronization timer that is reactivated automatically at a fixed interval

References:

Venners, B. (1997). How the Java virtual machine performs thread synchronization. JavaWorld. Retrieved May 29, 2009 from http://www.javaworld.com/javaworld/jw-07-1997/jw-07-hood.html

Winquist, N. (2005). Mutex vs. semaphore, what is the difference? Retrieved May 29, 2009 from http://koti.mbnet.fi/niclasw/MutexSemaphore.html

Mutual exclusion. (n.d.). Wikipedia. http://en.wikipedia.org/wiki/Mutual_exclusion




Ex-16

May 26, 2009

1. Visit an e-commerce website and survey the mode of payment allowed. Would you trust the site with your business?

I visited www.ebay.com, which is one of the most famous auction and selling sites in the world for buying any product.

Payment methods:

1. Credit card payments, which are given first priority, go through the secure PayPal system.

2. Personal / Bank cheques

3. Money Orders and Bank Deposit

are used as payment methods, and I trust this website; I have never encountered any fraud or issues with this website so far when purchasing items.

2. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?

  • Comprehensive security and privacy policies to safeguard the security and privacy of customer data;
  • Security measures to protect the systems, servers and networks, including firewalls, SSL for pages that collect customer information, and virus-scanning software with scheduled online updates of the virus signatures;
  • Strict policies regarding the collection, storage, modification and subsequent destruction of customer data. These policies should be strictly followed and made known to customers;
  • All customers should be registered with a unique username and password, and passwords should be renewed at a pre-set interval.

Securing the web site with an SSL certificate issued by a trusted third-party certificate authority such as VeriSign or Entrust is a measure that customers can verify for themselves: through the web browser the customer can view the certificate details, such as the issuer, the domain name it was issued for and the expiry date, and confirm that the browser reports the certificate as valid.

3. Visit the Verisign web site – what solutions does it offer for e-commerce?

VeriSign offers security advice and services to various sectors, including consumer products and retail, media and entertainment, financial services, the public sector, health care and life sciences, and telecommunications, by providing enterprise security services, identity and authentication services, and more.

VeriSign provides a wide range of solutions across industries, from health care to financial services, and for companies of every size, from SMBs to large enterprises. Its solutions for e-commerce include issuing SSL certificates and digital IDs, security risk management, security consultancy, fraud detection and even mobile/wireless solutions.

Reference:

http://www.verisign.com/

http://www.verisign.com/ssl/ssl-information-center/ecommerce-trust-ssl/

4. Visit the TRUSTe web site. Describe what services and solutions are offered.

· Web privacy seal – covers measures to protect customers' privacy;
· E-mail privacy seal – covers measures for handling e-mail sent to customers;
· EU Safe Harbor seal – covers compliance with the EU–US Safe Harbor privacy framework by US companies handling data from European parties;
· International services – certifying foreign-language privacy policies and administering dispute resolution at the international level;
· Children's privacy seal – covers compliance with the Children's Online Privacy Protection Act (COPPA); and
· Trusted Download program – certifies that downloadable programs do not exhibit surreptitious activity and are distributed in a responsible manner.

Reference:

TRUSTe. (n.d.). Wikipedia. Retrieved May 29, 2009 from http://en.wikipedia.org/wiki/TRUSTe

6. The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?

Other than digital certificates and passports, there are smart cards (holding the user's private key and the matching public-key certificate) and biometric data for validating legitimate users and avoiding identity theft.

Ex-15

May 26, 2009

1.  What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?

A firewall is a good security investment because it screens out many kinds of malicious Internet traffic before it reaches your computer. Some firewalls can also help prevent other people from using your computer to attack other computers without your knowledge.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This, more than anything, helps prevent vandals from logging into machines on your network.

Hardware firewalls nowadays usually come combined with a router, which is a convenient and efficient way of protecting an internal network from public access via the Internet. Software firewalls, on the other hand, are now included in operating systems and in anti-virus suites.

Cisco and Juniper are the main vendors; both manufacture hardware firewall appliances with built-in firewall software and also supply software firewalls.

2. Find out if your university or workplace has a backup policy in place. Is it followed and enforced?

My workplace has a strong backup policy, enforced according to the nature of each department's work. The finance division has a real-time backup system using high-capacity storage servers, and the other departments' database servers are scheduled to start the backup process at midnight every day.

3. Most anti-virus software performs active scanning of the user's activity on the Internet, detecting downloads and attachments in e-mails. Hackers have readily available resources to create new viruses. How easy is it to find a virus-writing kit? Search the Internet and find such a tool. For example, see what you can find at http://vx.netlux.org/dat/vct.shtml.

It seems very easy to find a virus-writing kit on the Internet. I searched for "Virus Writing Kit" using Google and there were approximately 3,510,000 websites matching the search.

When I visited http://vx.netlux.org/dat/vct.shtml, there was a lot of virus-writing kit software available from the website. It is amazing how easy it is to obtain a virus-writing kit from the Internet, and how important it is that appropriate security measures are in place to protect our computer systems.

References:

Comodo Firewall
http://personalfirewall.comodo.com/download_firewall.html

Juniper Networks
http://www.juniper.net/us/en/products-services/security/netscreen/

Cisco

http://www.cisco.com/en/US/products/ps5708/Products_Sub_Category_Home.html

Ex-14

May 26, 2009

1. What are cookies and how are they used to improve security?

When a client requests a web page from a web server, the server can return the requested HTTP object together with a piece of state information (a Set-Cookie header) that the client stores. The state information includes the range of URLs (domain and path) for which it is valid. When the client later requests an HTTP object whose URL falls within that range, it transmits the current value of the state object back to the server. This state object is the cookie.

Cookies can be used to improve security. For example, an authentication code can be split into two parts: the first part is stored in a cookie that is sent to the server, while the second part is held only on the client and is never made accessible to the server.

The transmission of the first part happens in the background, with little chance of it being observed by someone near the client machine, and the cookie alone is not enough to authenticate. Thus the security of access to the site is improved.

Reference:

Netscape (n.d.). Persistent client state: HTTP cookies. Retrieved May 29, 2009 from http://wp.netscape.com/newsref/std/cookie_spec.html

2. Can the use of cookies be a security risk?

Yes, the use of cookies can be a security risk. Some servers use a cookie to store the user's login name and password, to save the user from logging in every time. In that situation an eavesdropper armed with a packet sniffer could simply intercept the cookie as it passes from the browser to the server over an unencrypted connection and gain access to the site as that user.
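To make answers 1 and 2 concrete, here is an added example in Python, not taken from the Netscape specification or the original post: the risky cookie that carries the password itself, beside an HMAC-signed, expiring session cookie marked Secure and HttpOnly so the browser never sends it over plain HTTP and page scripts cannot read it. The server secret, the field layout and the lifetime are assumptions.

```python
import hashlib
import hmac
import time
from http import cookies

# Assumption: a server-side secret that never leaves the server (use random bytes in practice).
SERVER_SECRET = b"constructed-demo-secret-replace-with-random-bytes"


def credential_cookie(user, password):
    """The risky pattern from question 2: the password itself travels in the cookie on
    every request, so one sniffed request yields a credential that works for ever."""
    c = cookies.SimpleCookie()
    c["login"] = f"{user}:{password}"
    return c.output(header="Set-Cookie:")


def _mac(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, now=None, ttl=3600):
    """Hand out an HMAC-signed, expiring session token instead. Returns the raw cookie
    value and the Set-Cookie header the server would send."""
    if "|" in user:
        raise ValueError("user name may not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + ttl}"
    value = f"{payload}|{_mac(payload)}"
    c = cookies.SimpleCookie()
    c["session"] = value
    c["session"]["secure"] = True      # sent only over https: a sniffer on plain http never sees it
    c["session"]["httponly"] = True    # not readable by page scripts
    c["session"]["max-age"] = ttl
    return value, c.output(header="Set-Cookie:")


def verify_session(value, now=None):
    """Return the user name if the cookie is genuine and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = value.split("|")
    if len(parts) != 3:
        return None
    user, expires, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{user}|{expires}")):
        return None                   # tampered with or forged: the MAC does not match
    if int(expires) <= now:
        return None                   # expired, which also bounds the life of a stolen copy
    return user


if __name__ == "__main__":
    print(credential_cookie("alice", "s3cret"))
    token, header = issue_session("alice", now=1_000_000)
    print(header)
    print(verify_session(token, now=1_000_100), verify_session(token.replace("alice", "admin"), now=1_000_100))
```

The signed cookie stops a client from rewriting the user name and limits how long an intercepted copy stays useful; it does not by itself stop replay within the lifetime, which is why the Secure flag (no transmission over HTTP) matters for the sniffer scenario in answer 2. Revocation still needs server-side state.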

Ex-13

May 26, 2009

1. List and describe your experience with a secure site.

I always keep in touch with www.cisco.com for learning purposes, to keep up to date on the latest technologies and techniques that are useful in my work, and to get a lot of vital information related to the field.

I have noticed that when I try to log in to the site with my user ID and password, or when I try to track my certification with the Cisco certification tracking system, the URL changes from "http" to "https", which means the page is secured.

Further, when I looked at my Mozilla web browser I noticed a yellow "lock" sign in the bottom right corner which said "verified by VeriSign Trust Network".

When I investigated further by double-clicking the sign, I noticed the site is encrypted with high-grade encryption (AES, 128-bit) and saw a few other details about the connection.

2. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

Compared with SSL, SET has the following advantages:

a. Higher privacy via cryptography, making intercepted messages unreadable.

b. Higher integrity via hashing and signing, assuring that messages sent are not modified.

c. Authentication and non-repudiation via digital certificates, preventing the parties involved from denying their participation in the transaction.

d. Customers' credit card information is not accessible to merchants.

However, SET has the following drawbacks compared with SSL:

a. More complex and slower transactions.
b. Requires client software installation.
c. High processing cost.
d. Lack of a standard specification, causing interoperability problems between SET applications.
e. Problems in systems integration with merchants' front-end and back-end applications.

Nowadays SET is still not in common use because of the issues mentioned above, in particular the slow transactions and the high processing cost. In addition, it requires client-side wallet software (an agent), while SSL does not.

Reference:
Ahsan, M.S. (2002). SET vs SSL. Retrieved on 29th May 2009 from
http://islab.oregonstate.edu/koc/ece478/02Report/CA.pdf.

Ex-12

May 26, 2009

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.

SET (Secure Electronic Transaction) is an open protocol for securing electronic transactions, developed jointly by Visa, MasterCard and IBM. SET relies on cryptography and employs both symmetric and asymmetric encryption: transaction details are encrypted with a 56-bit session key using the Data Encryption Standard (DES), and the session key itself is transmitted using asymmetric (public-key) encryption.

RSA was first described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman at MIT. RSA encryption is important to e-commerce; it is the industry standard for securing applications.

The "128-bit" in "128-bit encryption" refers to the symmetric session key (for example RC4 or AES in SSL), not to the RSA key: RSA keys are typically 1024 bits or longer, and a 128-bit RSA modulus would be trivially factored. A 128-bit symmetric key is considered infeasible to break by brute force, and 128-bit encryption is adopted as a standard feature by BusinessObjects XI, which is considered a highly flexible and scalable business intelligence (BI) platform.

References:
http://en.wikipedia.org/wiki/Secure_electronic_transaction

2. What can you find out about network and host-based intrusion detection systems?

Network Based Intrusion Detection

Network-based intrusion detection systems use raw network packets as their data source. A network-based IDS typically uses a network adapter running in promiscuous mode to monitor and analyze all traffic in real time as it travels across the network. Its attack recognition module uses four common techniques to recognize an attack signature:
· pattern, expression or bytecode matching;
· frequency or threshold crossing;
· correlation of lesser events; and
· statistical anomaly detection.
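As an added example (not from the ISS white paper or the original post), here is a small detector in Python that applies each of the four techniques to a constructed set of packet records. The records, the two signatures, the thresholds and the "port sweep followed by a failed login" correlation rule are all assumptions chosen for the demonstration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample traffic (not real captures): one record per packet or log line.
EVENTS = [
    {"ts": 0,  "src": "10.0.0.5", "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
    {"ts": 1,  "src": "10.0.0.5", "dport": 80, "payload": b"GET /item?id=1 UNION SELECT user,pass FROM users"},
    {"ts": 2,  "src": "10.0.0.9", "dport": 22, "payload": b"sshd: auth failed for root"},
    {"ts": 3,  "src": "10.0.0.9", "dport": 22, "payload": b"sshd: auth failed for root"},
    {"ts": 4,  "src": "10.0.0.9", "dport": 22, "payload": b"sshd: auth failed for admin"},
    {"ts": 5,  "src": "10.0.0.9", "dport": 22, "payload": b"sshd: auth failed for admin"},
    {"ts": 10, "src": "10.0.0.7", "dport": 21, "payload": b"SYN"},
    {"ts": 10, "src": "10.0.0.7", "dport": 23, "payload": b"SYN"},
    {"ts": 10, "src": "10.0.0.7", "dport": 25, "payload": b"SYN"},
    {"ts": 11, "src": "10.0.0.7", "dport": 22, "payload": b"sshd: auth failed for root"},
    {"ts": 20, "src": "10.0.0.5", "dport": 80, "payload": b"GET /about HTTP/1.1"},
    {"ts": 21, "src": "10.0.0.6", "dport": 80, "payload": b"GET /contact HTTP/1.1"},
    {"ts": 22, "src": "10.0.0.6", "dport": 80, "payload": b"GET /news HTTP/1.1"},
    {"ts": 23, "src": "10.0.0.8", "dport": 80, "payload": b"POST /upload " + b"A" * 4000},
]

SIGNATURES = {  # assumed signatures for the demonstration
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "dir-traversal": re.compile(rb"\.\./\.\./"),
}


def match_signatures(events=EVENTS):
    """Technique 1: pattern/expression matching against each payload."""
    return [(e["ts"], e["src"], name)
            for e in events for name, rx in SIGNATURES.items() if rx.search(e["payload"])]


def threshold_alerts(events=EVENTS, needle=b"auth failed", limit=3, window=5):
    """Technique 2: threshold crossing. Alert when one source produces `limit` or more
    matching events inside any `window`-second span."""
    times = defaultdict(list)
    for e in events:
        if needle in e["payload"]:
            times[e["src"]].append(e["ts"])
    alerts = []
    for src, ts in times.items():
        ts.sort()
        # sliding window: compare each timestamp with the one `limit - 1` entries later
        if any(ts[i + limit - 1] - ts[i] <= window for i in range(len(ts) - limit + 1)):
            alerts.append(src)
    return alerts


def correlate_scan_then_login(events=EVENTS, ports=3, scan_window=2, follow_within=10):
    """Technique 3: correlation of lesser events. A sweep of `ports` distinct ports is low
    severity on its own and a single failed login is noise, but the two from the same
    source in close succession are reported together as one higher-severity event."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        syns = [e for e in evs if e["payload"] == b"SYN"]
        for i, first in enumerate(syns):
            touched = {e["dport"] for e in syns[i:] if e["ts"] - first["ts"] <= scan_window}
            if len(touched) >= ports:
                deadline = first["ts"] + scan_window + follow_within
                if any(b"auth failed" in e["payload"] and first["ts"] <= e["ts"] <= deadline
                       for e in evs):
                    alerts.append(src)
                    break
    return alerts


def anomalies(events=EVENTS, z_threshold=3.0):
    """Technique 4: statistical anomaly detection on payload size. Anything more than
    `z_threshold` standard deviations above the mean is reported. A real sensor would
    take its baseline from a training period rather than from the traffic being judged."""
    sizes = [len(e["payload"]) for e in events]
    mean, sd = statistics.mean(sizes), statistics.stdev(sizes)
    return [(e["ts"], e["src"], len(e["payload"]))
            for e in events if sd and (len(e["payload"]) - mean) / sd > z_threshold]


if __name__ == "__main__":
    print("signatures:", match_signatures())
    print("threshold: ", threshold_alerts())
    print("correlated:", correlate_scan_then_login())
    print("anomalies: ", anomalies())
```

Each technique fires on a different source in the sample: the UNION SELECT payload from 10.0.0.5, four failed logins in four seconds from 10.0.0.9, the three-port sweep followed by a login attempt from 10.0.0.7, and the 4 KB upload from 10.0.0.8. The signature rule is the only one an attacker can evade by trivial rewriting (for example extra whitespace or encoding), which is why the other three exist.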

Host Based Intrusion Detection

Host-based intrusion detection grew out of the practice of reviewing audit logs for suspicious activity. Host-based intrusion detection systems are powerful tools for understanding previous attacks and determining proper methods to defeat their future application.

Host-based IDSs still use audit logs, but they are much more automated, having evolved sophisticated and responsive detection techniques.

A host-based IDS typically monitors the system, event and security logs. When any of these files changes, the IDS compares the new log entry with attack signatures to see if there is a match. If so, the system responds with administrator alerts and other calls to action.

References:

Internet Security Systems (1998). Network- vs. Host-based Intrusion Detection. Retrieved April 14, 2008 from http://documents.iss.net/whitepapers/nvh_ids.pdf.

3. What is “phishing” ?

"Phishing" is a form of Internet fraud that aims to steal valuable information such as credit card numbers, social security numbers, user IDs and passwords by masquerading as a trustworthy source in an electronic communication.

References:

Wikipedia. (2008). Phishing. Retrieved May 29, 2009 from http://en.wikipedia.org/wiki/Phishing

Introduction!

May 26, 2009

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!

