Visualizations in Vulnerability Management Marco Krebs

Technical Report RHUL–MA–2013–8
01 May 2013

Information Security Group
Royal Holloway, University of London
Egham, Surrey TW20 0EX, United Kingdom
www.ma.rhul.ac.uk/tech

Title: Visualizations in Vulnerability Management
Version of this document: 1.0 (released)
Student: Marco Krebs
Student number: 080401461
Date: March 08, 2012
Supervisor: William Rothwell

Submitted as part of the requirements for the award of the MSc in Information Security of the University of London.

ACKNOWLEDGEMENTS

This is the place to express my thanks to all the people who have supported me over the last couple of months. However, I would like to single out a few names.

For example, there is Marc Ruef with whom I touched base on the initial idea for this thesis during a lunch discussion. We share a similar experience on security testing and found out that we were both not fully satisfied with the way the results are provided to the client.

Another thank you goes to Jan Monsch, the creator of DAVIX. He was able to draw my attention to the subject of visualization when we worked together as security analysts. Quite a few items of his personal library moved to my place for the duration of this thesis.

I would also like to thank William Rothwell for becoming my project supervisor and for his ongoing support. He received the first status report in October last year and has been providing valuable feedback since. Few people have read the project report as many times as he did.

Bruno, your tough feedback has been very much appreciated. Now I know why you have been so successful in your job over the last couple of years. You have been officially elected to be on the reviewer’s list for the next one.

Greg surprised me again with his speed and professionalism when it came to reviewing about 100 pages in a row.

I would like to say thanks as well to Christoph and Didi who have voluntarily helped with the proof-reading of this document.

And last, but not least, a huge thank you goes to Sue for her love and support over the years of study (and beyond). Now the duty is on her as she has become a student, too.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1 INTRODUCTION
  1.1 MOTIVATION
  1.2 BACKGROUND
  1.3 OBJECTIVES/PROJECT GOALS
  1.4 PROJECT SCOPE
  1.5 METHODS USED
  1.6 DOCUMENT OUTLINE
2 BASIC VISUALIZATION THEORY
  2.1 BENEFITS OF VISUALIZATION
  2.2 VISUAL PERCEPTION
  2.3 RULES TO CREATE A VISUAL REPRESENTATION
  2.4 CONCLUSION
3 VISUALIZATIONS FOR VULNERABILITY MANAGEMENT
  3.1 THE INFORMATION VISUALIZATION PROCESS
  3.2 VISUALIZATIONS COMMONLY USED IN VULNERABILITY MANAGEMENT
    3.2.1 WEAKNESS TABLE/LIST OF VULNERABILITIES
    3.2.2 LINE CHARTS, BAR CHARTS, AND PIE CHARTS
    3.2.3 RISK HEAT MAP
    3.2.4 RADAR CHART/COBWEB
  3.3 VISUALIZATIONS THAT PROVIDE ADDITIONAL CONTEXT
    3.3.1 TREEMAPS
    3.3.2 NODE-LINK GRAPHS
    3.3.3 ATTACK TREES/ATTACK GRAPHS
    3.3.4 RADIAL TREE LAYOUTS
  3.4 CONCLUSION
4 VULNERABILITY SCORING AND CATEGORIZATION FRAMEWORKS
  4.1 POPULAR VULNERABILITY SCORING SYSTEMS
    4.1.1 MICROSOFT SEVERITY RATING SYSTEM (MSRS)
    4.1.2 SYMANTEC DEEPSIGHT THREAT MANAGEMENT SYSTEM
    4.1.3 COMMON VULNERABILITY SCORING SYSTEM (CVSS)
  4.2 POPULAR VULNERABILITY CLASSIFICATION AND CATEGORIZATION SYSTEMS
    4.2.1 COMMON VULNERABILITIES AND EXPOSURES (CVE) DATABASE
    4.2.2 COMMON WEAKNESS ENUMERATION (CWE)
    4.2.3 COMMON ATTACK PATTERN ENUMERATION AND CLASSIFICATION (CAPEC)
    4.2.4 OPEN SOURCE VULNERABILITY DATABASE (OSVDB)
  4.3 VULNERABILITY SCORING AND CLASSIFICATION SYSTEM USED IN THIS WORK
  4.4 CONCLUSION
5 INFORMATION VISUALIZATION IN ACTION (FROM NESSUS FILE TO GRAPH)
  5.1 PROBLEM DEFINITION AND MESSAGE
  5.2 DATA ANALYSIS
  5.3 PROCESS INFORMATION
  5.4 VISUAL TRANSFORMATION
  5.5 VIEW TRANSFORMATION
  5.6 INTERPRET AND DECIDE
  5.7 VULNERABILITY MANAGEMENT APPLICATION REFERENCE MODEL
  5.8 CONCLUSION
6 CONCLUSION
  6.1 SUMMARY
  6.2 REFLECTION OF ACHIEVEMENTS
  6.3 FUTURE WORK
  6.4 OUTLOOK
BIBLIOGRAPHY
APPENDIX A – VISUALIZATIONS FOR FURTHER REFERENCE
APPENDIX B – SOURCE CODE LISTINGS
APPENDIX C – PROJECT TIMELINE AND DOCUMENT HISTORY

LIST OF FIGURES

Figure 1: Pre-attentively processed visual attributes. In this case, hue and intensity "pop out" to our attention immediately. Source [RM09]
Figure 2: Selection of pre-attentively processed visual attributes grouped by form. Source [RM09]
Figure 3: Illustration of the six Gestalt principles. Source [RM08]
Figure 4: The information visualization process. In six stages, data is turned into information. Source [RM08, JS10, RM09, CW04, GC07]
Figure 5: Line chart representing the development of open issues over time.
Figure 6: Vulnerabilities in the Open Source Vulnerability Database by quarter by type. The “classics” such as XSS, SQL injection, or buffer overflows persist. Source [OSVDB]
Figure 7: Sample risk heat map showing security issues positioned in a matrix. The position is based on impact potential and likelihood of occurrence.
Figure 8: Risk heat map by vulnerability scores created from Symantec’s DeepSight service. The color-coding shows vulnerabilities whose scoring values exceed a certain threshold.
Figure 9: Radar chart on OWASP Top 10 application vulnerabilities for three web applications. Application C contains the least number of issues and thus shows the smallest footprint.
Figure 10: Treemap graph of port scan results for three hosts. Unprivileged ports have been aggregated for better readability.
Figure 11: Treemap for Nessus vulnerability scan on the 192.168.1/24 subnet. The output is color-coded by severity level (CVSS base score).
Figure 12: Node-link graph example. Graph properties are described in DOT language.
Figure 13: Example of a simple network (a) and a partial attack graph for this network (b). The attacker starts on the black node on the top (the attacker host). Source [LI05a]
Figure 14: Three types of attack graphs. The predictive attack graph (b) does not contain redundant information but still holds the information on the vulnerabilities. Source [LI05a]
Figure 15: Aggregated attack graph. The N nodes can be used to attack further systems. The U letters represent vulnerable systems in the same subnet. Source [LI06]
Figure 16: Attack graph metrics for two different configuration choices. The best choice is evaluated based on the calculation of the likelihood values of exploitation. Source [SN10]
Figure 17: RadialNet/Zenmap network topology view. Starting from the scanning machine in the center, it shows the network distance to each destination host. Source [JM08]
Figure 18: An overview of the CVSS version 2 metric groups. Source [CVSS]
Figure 19: CVSSv2 Calculator. The CVSS scores are calculated on a menu-based selection of metrics. Source [CVSScalc]
Figure 20: CWE-809, the OWASP Top Ten web application security risks 2010. Source [CWE]
Figure 21: An excerpt of the overall CWE structure. The red boxes have been imported into the National Vulnerability Database. Source [NVDB]
Figure 22: CAPEC-1000, mechanisms of attack. Known attack patterns have been categorized and are listed in a hierarchical tree structure. Source [CAPEC]
Figure 23: Vulnerability classification by OSVDB. Of special interest in this context is the attack type. Source [OSVDB]
Figure 24: The improved vulnerability scoring system proposed for this work.
Figure 25: First network graph generated from a Nessus NBE file using my NBE parser and AfterGlow. Traceroute information is extracted and translated into the DOT language.
Figure 26: Network graph created using my improved NBE parser. A color scheme is applied so that the nodes are colorized according to the most severe vulnerability found.
Figure 27: Variation of the network graph presented in Figure 26. A node’s size is affected by the number of vulnerabilities assigned to it.
Figure 28: The information seeking mantra proclaims providing an overview first before going into detail. This graph identifies each host and the number of vulnerabilities assigned to it.
Figure 29: Scan results for thirty-three systems presented in the GraphViz neato layout.
Figure