A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations

Elahi, Golnaz; Yu, Eric; Zannone, Nicola

doi:10.1007/978-3-642-04840-1_10

Cited by 39 publications

(22 citation statements)

References 22 publications

(33 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The prediction rate of proposed system results are compared against security ontology [12] and tabulated in the Table 1. From the Table 1 it is clear that the proposed system predict more attacks with the help of the inference process than the existing system.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Prediction and Classification of Web Application Attacks using Vulnerability Ontology

Salini¹,

Shenbagam²

2015

IJCA

View full text Add to dashboard Cite

Web application security is the major security concern for ebusiness and information sharing communities. Research showed that more than 75% attacks are being deployed at application layer and almost 90% applications are vulnerable to the attacks. This is due to the avoidance of security requirements during implementation by the developer because they are not trained on solving security issues and often need to depend on security experts.In this paper, an approach for effective defenses against the application level attacks is proposed. The proposed system is an ontology based system that can predict and classify web application attacks. The system effectively stores threat, vulnerability and attack information. The attacks can be predicted by analyzing vulnerability and threats. The attacks are classified based on severity level of the attacks on security goals. Moreover, the system also provides suggestion for prevention and countermeasure to the predicted attacks, thereby assisting the developers in developing secure web applications. The results were promising when compared to the conventional method of knowledge base.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Moreover, the dependency on security experts to check the web application security can also be minimized. Security ontology [12] which exists provides taxonomy for threats, vulnerabilities and attacks but lacks to infer the knowledge to predict the attacks and does not classify attacks.…”

Section: Introductionmentioning

confidence: 99%

Prediction and Classification of Web Application Attacks using Vulnerability Ontology

Salini¹,

Shenbagam²

2015

IJCA

View full text Add to dashboard Cite

show abstract

“…Elahi et al [16] compared three existing techniques to model vulnerabilities, e.g., i*, misuse modeling and CORAS, and tried to identify common concepts of vulnerabilities in order to develop an ontology or a set of vocabularies in a security domain. The obtained concepts and their relationships can be a meta model of vulnerability models for integrating different security requirements analysis methods, and the aim of this research is different from ours.…”

Section: Related Workmentioning

confidence: 99%

Modeling Security Threat Patterns to Derive Negative Scenarios

Abe

Hayashi

Saeki

2013

2013 20th Asia-Pacific Software Engineering Conference (APSEC)

View full text Add to dashboard Cite

The elicitation of security requirements is a crucial issue to develop secure business processes and information systems of higher quality. Although we have several methods to elicit security requirements, most of them do not provide sufficient supports to identify security threats. Since threats do not occur so frequently, like exceptional events, it is much more difficult to determine the potentials of threats exhaustively rather than identifying normal behavior of a business process. To reduce this difficulty, accumulated knowledge of threats obtained from practical setting is necessary. In this paper, we present the technique to model knowledge of threats as patterns by deriving the negative scenarios that realize threats and to utilize them during business process modeling. The knowledge is extracted from Security Target documents, based on the international Common Criteria Standard, and the patterns are described with transformation rules on sequence diagrams. In our approach, an analyst composes normal scenarios of a business process with sequence diagrams, and the threat patterns matched to them derives negative scenarios. Our approach has been demonstrated on several examples, to show its practical application.

show abstract

“…Elahi et al [3] represented the conceptual framework with ontology as the metadata model. They compared multiple conceptual frameworks including the i* framework, which can model malicious behavior and vulnerabilities with ontology.…”

Section: Related Workmentioning

confidence: 99%

“…Though there is much work to provide techniques for attack modeling, for example, identifying various attack routes with visualization and calculating the most plausible attack route by using the stochastic method in each route, the conceptual framework to elicit common concepts has not been yet identified in this area. [3] Thus, it is essential to research and study framework that can create requirements based on common and generalized concepts, because it still needs to progress under a complex security environment. In this paper, we have conducted research on understanding the problem domain using defined relationships between concepts and extended relationships based on the security conceptual framework, and creating security requirements.…”

Section: Introductionmentioning

confidence: 99%

Conceptual Framework for Understanding Security Requirements: A Preliminary Study on Stuxnet

Kim

Lee

2015

Requirements Engineering in the Big Data Era

View full text Add to dashboard Cite

Abstract. As we analyze the latest occurring Advanced Persistent Threats (APT), we understand that attackers tend to conduct their methods by various means and ways, and are not limited to just a single pattern. Even though threats are represented by using a variety of modeling techniques, very little research has been done to learn about the security requirements needed from the understanding of commonly rooted causes of these threats. We propose a layered conceptual framework to better understand the problem from specific instances to generalized abstractions, so that it can eventually provide a good set of security requirements. In this framework, we propose building the ontology based on the Goal-based Model and Activity Diagram, and showing how to understand the context of the problem domain with extended relationships between concepts. We expect that our work can provide a foundation of good insight of the problem domain of security requirements and that we elicit security requirements through this work based on a preliminary case study on Stuxnet.

show abstract

A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations

Cited by 39 publications

References 22 publications

Prediction and Classification of Web Application Attacks using Vulnerability Ontology

Prediction and Classification of Web Application Attacks using Vulnerability Ontology

Modeling Security Threat Patterns to Derive Negative Scenarios

Conceptual Framework for Understanding Security Requirements: A Preliminary Study on Stuxnet

Contact Info

Product

Resources

About