Management of heterogeneous security access control configuration using an ontology engineering approach

2013 IEEE Conference on Communications and Network Security (CNS)

2013

Abstract-The Security Content Automation Protocol (SCAP) provides a standardized approach to specifying system configuration, vulnerability, patch and compliance management. SCAP comprises a family of existing standards, such as the Open Source Vulnerability Language (OVAL) and the Common Platform Enumeration (CPE). Defining new or extending existing SCAP content is non-trivial and potentially error-prone. For example, specifying a vulnerability in OVAL may appear straightforward, however, the challenge is to specify the vulnerability in such as way that it is consistent with respect to, not just other OVAl data, but also data described under any other standards in SCAP.This paper identifies a number of consistency problems that can occur in SCAP specifications and these are illustrated using examples from existing OVAL, CPE, CVE and CCE repositories. It is argued that an ontology-based approach can be used as a means of providing a uniform vocabulary for specifying SCAP data and its relationships. A SCAP ontology is developed based on Semantic Threat Graphs and it is argued that its use can help to ensure consistency across large-scale SCAP repositories.

show abstract

Section: F Non-ambiguous Definition Namesmentioning

confidence: 99%

Avoiding inconsistencies in the Security Content Automation Protocol

2013 IEEE Conference on Communications and Network Security (CNS)

2013

show abstract

“…An ontology provides a conceptual and formal model of a domain of interest. Ontologies are developed for infrastructure-level access-control mechanisms [2] (Linux iptables and TCP-Wrapper firewalls) and applicationlevel access-control mechanisms [3] (Openfire and Ejabbered XMPP servers).…”

Section: Approachmentioning

confidence: 99%

“…Ontologies for best practice standards for firewalls, Email servers, Web servers and XMPP servers, are developed [2], [3]. For example, XEP-0205 [4] and NIST SP800-123 [5] recommend multiple countermeasures such as connection throttling that mitigate against the threat of Denial of Service, when hosting an XMPP server.…”

Section: Approachmentioning

confidence: 99%

Federated autonomic Network Access Control

2011 4th Symposium on Configuration Analytics and Automation (SAFECONFIG)

Adams

2011

“…This paper builds on previous firewall centric research [3]- [5] to model and reason about SAN switch security configurations.…”

Section: Related Researchmentioning

confidence: 99%

“…A formal model for switch security configuration is developed using Description Logic [2]. This approach builds on previous research [3]- [5] that demonstrated the effectiveness of using Description Logic to model and reason about firewall rules.…”

Section: Introductionmentioning

confidence: 99%

Reasoning about the security configuration of SAN switch fabrics

2011 4th Symposium on Configuration Analytics and Automation (SAFECONFIG)

2011