Security Pattern Mining: Systematic Review and Proposal

Santiago Moral-García, Santiago Moral-Rubio, Eduardo Fernández-Medina

Abstract

Organizations have suffered an increase in cyber attacks in recent years. For this reason, they need to guarantee confidentiality, integrity and availability of their information assets. To do this, they should seek support from security architectures. Security patterns are a good way to design security architectures, but most current security patterns are not applicable to this field. In a previous work, we defined a new pattern template to support the design of security architectures. After that work, we realized that it was necessary to discover and identify new security patterns adapted to this template, in order to facilitate the work of those security engineers who design architectures. A good way to discover and identify new patterns is pattern mining; therefore, in this paper we have carried out a Systematic Review (SR) of security pattern mining. After performing the SR, we have reached the conclusion that the proposals analyzed do not fulfill all main requirements to cover our needs. That’s the reason why we have defined a high-level architecture of a new framework to discover, design and document security patterns focused on the design of security architectures.

References

  1. (ISC)2. (2011). The International Information Systems Security Certification Consortium, from http://www.isc2.org/
  2. Biolchini, J., Mian, P. G., Natali, A. C. C. and Travassos, G. H. (2005). Systematic Review in Software Engineering. Systems Engineering and Computer Science Department COPPE / UFRJ: Rio de Janeiro.
  3. Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P. and Stal., M. (1996). Patternoriented software architecture: A system of patterns. Wiley.
  4. Fernandez, E., Washizaki, H., Yoshioka, N., Kubo, A. and Fukazawa, Y. (2008). Classifying Security Patterns Progress in WWW Research and Development (pp. 342-347).
  5. Fernandez, E. B., Washizaki, H. and Yoshioka, N. (2008). Abstract security patterns. Proceedings of the 15th Conference on Pattern Languages of Programs, Nashville, Tennessee.
  6. Hafiz, M., Adamczyk, P. and Johnson, R. E. (2007). Organizing Security Patterns. Software, IEEE, 24(4), 52-60.
  7. IC3. (2009). 2009 Internet Crime Report: Internet Crime Complaint Center.
  8. ISACA. (2011). Information Systems Audit and Control Association, from http:// www.isaca.org/
  9. ISF. (2011). The Information Security Forum - the world's leading independent authority on information security, from https://www.securityforum.org/
  10. Kerth, N. L. and Cunningham, W. (1997). Using Patterns to Improve Our Architectural Vision. IEEE Software, 23, 53-59.
  11. Kienzle, D. M., Elder, M. C., Tyree, D. and Edwards-Hewitt, J. (2006). Security patterns repository, version 1.0.
  12. Kitchenham, B. (2004). Procedures for Perfoming Systematic Review. Joint Technical Report, Software Engineering Group, Department of Computer Scinece Keele University, United Kingdom and Empirical Software Engineering, National ICT Australia Ltd.: Australia.
  13. Moral-García, S., Ortiz, R., Moral-Rubio, S., Vela, B., Garzás, J. and Fernández-Medina, E. (2010). A new Pattern Template to Support the Design of Security Architectures. PATTERNS 2010, The second International Conference on Pervasive Patterns and Applications, Lisbon (Portugal). pp. 66-71
  14. Okubo, T. and Tanaka, H. (2008). Web security patterns for analysis and design. Proceedings of the 15th Conference on Pattern Languages of Programs, Nashville, Tennessee.
  15. Ortiz, R., Moral-García, S., Moral-Rubio, S., Vela, B., Garzás, J. and Fernández-Medina, E. (2010). Applicability of Security Patterns. On the Move to Meaningful Internet Systems: OTM 2010, 6426, 672-684.
  16. OSA. (2011). Open Security Architecture, from http://www.opensecurityarchitecture.org/ cms/index.php
  17. OWASP. (2011). The Open Web Application Security Project, from http://www.owasp.org
  18. Rising, L. and Delano, D. E. (1998). The Patterns handbook: Cambridge University Press.
  19. Rosado, D. G., Gutiérrez, C., Fernández-Medina, E. and Piattini, M. (2006). Security patterns and requirements for internet-based applications. Internet Research: Electronic Networking Applications and Policy, 16, 519-536.
  20. Ryoo, J., Laplante, P. and Kazman, R. (2010). A Methodology for Mining Security Tactics from Security Patterns. HICSS 2010 - the 43rd Hawaii International Conference on System Sciences, Honolulu, Hawaii
  21. SANS. (2011). SANS Intitute - Computer Security Training, Network Research & Resources, from http://www.sans.org/
  22. Schumacher, M. (2003). Security Engineering with patterns - Origins, Theoretical Model, and New Applications (Vol. LCNS 2754): Springer-Verlag.
  23. Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F. and Sommerlad, P. (2006). Security Patterns: Integrating Security and Systems Engineering: Wiley.
  24. Stallings, W. (2007). Network security essentials: applications and standards: Prentice Hall.
  25. Yskout, K., Heyman, T., Scandariato, R. and Joosen, W. (2006). An inventory of security patterns. Technical Report CW-469, Katholieke Universiteit Leuven, Department of Computer Science.
Download


Paper Citation


in Harvard Style

Moral-García S., Moral-Rubio S. and Fernández-Medina E. (2011). Security Pattern Mining: Systematic Review and Proposal . In Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011) ISBN 978-989-8425-61-4, pages 13-24. DOI: 10.5220/0003558900130024


in Bibtex Style

@conference{wosis11,
author={Santiago Moral-García and Santiago Moral-Rubio and Eduardo Fernández-Medina},
title={Security Pattern Mining: Systematic Review and Proposal},
booktitle={Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)},
year={2011},
pages={13-24},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003558900130024},
isbn={978-989-8425-61-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)
TI - Security Pattern Mining: Systematic Review and Proposal
SN - 978-989-8425-61-4
AU - Moral-García S.
AU - Moral-Rubio S.
AU - Fernández-Medina E.
PY - 2011
SP - 13
EP - 24
DO - 10.5220/0003558900130024