Towards a Model-driven based Security Framework

Rouwaida Abdallah, Nataliya Yakymets, Agnes Lanusse

2015

Abstract

In this paper, we propose a model-driven framework for security analysis. We present a security analysis process that begins at the design phase of the system architecture and then allows several security analysis methods to be performed. Our approach has two main advantages. First, it provides traceability between the security analysis methods and the system architecture. Second, the framework can include several security analysis methods. Moreover, it allows information reuse, which is complicated when separate, method-specific tools are used. Thus, we can obtain more consistent and accurate security analysis results for a system. We chose to implement two methods: a qualitative method named EBIOS, which is simple and helps to identify areas of focus within the system, and then, to get more accurate results, a quantitative method, attack trees. Attack trees can be automatically generated from the EBIOS analysis phase and completed later to get more specific results.



Paper Citation


in Harvard Style

Abdallah R., Yakymets N. and Lanusse A. (2015). Towards a Model-driven based Security Framework. In Proceedings of the 3rd International Conference on Model-Driven Engineering and Software Development - Volume 1: SPIE, (MODELSWARD 2015) ISBN 978-989-758-083-3, pages 639-645. DOI: 10.5220/0005368706390645


in Bibtex Style

@conference{spie15,
author={Rouwaida Abdallah and Nataliya Yakymets and Agnes Lanusse},
title={Towards a Model-driven based Security Framework},
booktitle={Proceedings of the 3rd International Conference on Model-Driven Engineering and Software Development - Volume 1: SPIE, (MODELSWARD 2015)},
year={2015},
pages={639-645},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005368706390645},
isbn={978-989-758-083-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Model-Driven Engineering and Software Development - Volume 1: SPIE, (MODELSWARD 2015)
TI - Towards a Model-driven based Security Framework
SN - 978-989-758-083-3
AU - Abdallah R.
AU - Yakymets N.
AU - Lanusse A.
PY - 2015
SP - 639
EP - 645
DO - 10.5220/0005368706390645