Towards a Semantic Web-enabled Knowledge Base to Elicit Security Requirements for Misuse Cases

Haibo Hu, Dan Yang, Hong Xiang, Li Fu, Chunxiao Ye, Ren Li

Abstract

Eliciting security requirements is critical but hard for non-expert to fulfill an exhaustive analysis on large body of security knowledge. Emerging models in requirements engineering (RE) society release some burden of such difficulty, as well as security ontologies are booming for knowledge sharing and reuse. There exists necessity for the synergy of them, such as utilizing security ontology (SO) as the back end of Knowledge Base (KB) for capturing security requirements by using known RE models. Research advances in the Semantic Web (SW) community provide a common framework of technologies that allows data to be shared and reused across boundaries of various application and community. This paper proposes a knowledge base which is constructed on SO and Misuse Case Model (MCM), by representing them into OWL (Web Ontology Language). Semantic rules can be derived from the correlation of SO and MCM to be utilized for reasoning and querying security knowledge via MCM-based requirements elicitation. The proposed KB coordinates SO with a specific RE model to facilitate knowledge sharing to be a foundation for eliciting security requirements auto-matically.

References

  1. Falcarin, P., Morisio, M.: Developing secure software and systems, in IEC NetworkSecurity: Technology Advances, Strategies, and Change Drivers. IEC, (2004) 15-22
  2. Tondel, I.A., Jaatun, M.G., Meland, P.H.: Security requirements for the rest of us: A survey. IEEE Software. 20-27 (2008).
  3. Mouratidis, H., Giorgini, P., Manson, G.: When security meets software engineering: a case of modelling secure information systems. Information Systems. 30, 8, (2005) 609-629 Firesmith D. Engineering security requirements. Journal of Object Technology. 2, 1, (2003) 53-68
  4. Fabian, B., Gürses, S., Heisel, M., Santen, T., Schmidt, H.: A comparison of security requirements engineering methods. Requirements engineering. 15, 1, 7-40 (2010).
  5. Mellado, D., Blanco, C., Sánchez, L.E., Fernández-Medina, E.: A systematic review of security requirements engineering. Computer Standards & Interfaces. 32, 153-165 (2010).
  6. van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. Proceedings of the 26th International Conference on Software Engineering.
  7. IEEE CS, (2004) 148-157
  8. Sindre, G., Opdahl, A.L.: Eliciting security requirements by misuse cases. Proceedings of the 37th International Conference on Technology of Object-oriented Languages and Systems, (2000) 120-131
  9. McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. Proceedings of the 15th Annual Computer Security Applications Conference. IEEE CS, (1999) 55-66
  10. 10. Jürjens, J. UMLsec: extending UML for secure systems development. Proceedings of the 5th International Conference on the Unified Modeling Language. LNCS, vol. 2460. Springer, (2002) 412-425
  11. 11. Yu, E., Liu, L., Mylopoulos, J.: A social ontology for integrating security and software engineering. In Mouratidis H. and Giorgini P. ed., Integrating Security and Software Engineering: Advances and Future Visions. Idea Group Publishing, (2006) 70-105
  12. 12. Dubois E., Mayer N., Rifaut A.: Improving risk-based security analysis with i*. In Yu E. et al ed, Social Modeling for Requirements Engineering. The MIT Press, (2011) 281-311
  13. 13. Giorgini P., Mouratidis H., Zannone N.: Modelling security and trust with secure Tropos, In Mouratidis H. and Giorgini P. ed., Integrating Security and Software Engineering: Advances and Future Visions. Idea Group Publishing, (2006) 70-105
  14. 14. Mouratidis H., Giorgini P.: Secure Tropos: extending i* and Tropos to model security throughout the development process. In Yu E. et al ed, Social Modeling for Requirements Engineering. The MIT Press, (2011) 363-402
  15. 15. Lin, L., Nuseibeh, B., Ince, D., Jackson, M.: Using abuse frames to bound the scope of security problems. Proceedings of the 12th IEEE International Conference on Requirements Engineering. IEEE CS, (2004) 354-355
  16. 16. Cheng, B.H.C., Konrad, S., Campbell, L.A., Wassermann, R.: Using security patterns to model and analyze security. In IEEE Workshop on Requirements for High Assurance Systems. (2003) 13-22
  17. 17. Herzog, A., Shahmehri, N., Duma, C.: An ontology of information security. International Journal of Information Security and Privacy. 1, 4, (2007) 1-23
  18. 18. Lasheras, J., Valencia-Garcia, R., Fernandez-Breis, J.T., Toval, A.: Modelling reusable security requirements based on an ontology framework. Journal of Research and Practice in Information Technology. 41, 2, (2009) 119-133
  19. 19. Dardenne A., van Lamsweerde A., Fickas S.: Goal-directed requirements acquisition. Science of Computer Programming. 20,1-2, (1993) 3-50
  20. 20. Yu, E.S.K.: Towards modelling and reasoning support for early-phase requirements engineering. Proceedings of the 3rd International Symposium on Requirements Engineering, IEEE, (1997) 226-235
  21. 21. Giunchiglia, F., Mylopoulos, J., Perini, A.: The Tropos software development methodology: Processes, models and diagrams. Proceedings of the 1st International Joint Conference on: Autonomous Agents and Multi-agent Systems. ACM, (2002) 35-36.
  22. 22. Jacobson I., Christerson M., Jonsson P., Overgaard G.: Object-Oriented Software Engineering - A Use Case Driven Approach, Addison-Wesley, (1992)
  23. 23. Jackson M.: Problem Frames: Analysing and Structuring Software Development Problems Addison-Wesley (2001)
  24. 24. Blanco, C. et al.: Basis for an integrated security ontology according to a systematic review of existing proposals. Computer Standards and Interfaces, online first publication, (2011) doi:10.1016/j.csi.2010.12.002
  25. 25. Thomas R.G.: A translation approach to portable ontology specifications. Knowledge Acquisition. 5, 2, (1993) 199-220
  26. 26. Alexander, I.: Misuse cases help to elicit non-functional requirements. Computing and Control Engineering Journal. 14, 1, (2003) 40-45
  27. 27. Sindre, G., Opdahl, A.L. Templates for misuse case description. Proc. of the 7th International Workshop on Requirements Engineering, Foundation for Software Quality (REFSQ' 01). (2001) 4-5
  28. 28. Alexander, I.: Initial industrial experience of misuse cases in trade-off analysis. Proceedings of IEEE Joint International Conference on Requirements Engineering (RE'02). IEEE CS, (2002) 61-68
  29. 29. Hartong, M., Goel, R., Wijesekera, D.: Meta-models for misuse cases. Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies. ACM, (2009) 33:1-4
  30. 30. Whittle, J., Wijesekera, D., Hartong, M.: Executable misuse cases for modeling security concerns. Proceedings of the 30th international conference on Software engineering (ICSE'08). ACM, (2008) 121-130
  31. 31. Visaggio, C.A., de Rosa, F.: Managing security knowledge through case based reasoning. Proceedings of the 7th International Workshop on Security in Information Systems, WOSIS'2009 , INSTICC Press. (2009) 127-136
  32. 32. Visaggio, C.A., de Rosa, F.: A System for Managing Security Knowledge using Case. Journal of Universal Computer Science. 15, 15, (2009) 3059-3078
  33. 33. ISO/IEC, ISO/IEC 15408-1: Information Technology - Security Techniques - Evaluation Criteria for Security. Part I: introduction and general model, ISO/IEC, Switzerland, 1999.
  34. 34. ISO/IEC 27002: Information technology: Security techniques - Code of practice for information security management, (2005)
  35. 35. Alberts, C. Dorofee, A.: Managing information security risks: The OCTAVE (SM) approach, Addison Wesley, Boston (2002)
  36. 36. MAGERIT: Methodology for information systems risk analysis and management. http://www.csi.map.es/csi/pg5m20.htm. (last viewed on 15 Mar. 2011)
  37. 37. CORAS: A platform for risk analysis of security critical systems http://www2.nr.no/coras/, (last viewed on 15 Mar. 2011)
  38. 38. Schumacher, M.: Toward a security core ontology. Security Engineering with Patterns, Lecture Notes in Computer Science, vol. 2754. Springer, (2003) 87-96
  39. 39. Crespo, Á.G., Gómez-Berbís, J.M., Colomo-Palacios, R., Alor-Hernández, G.: SecurOntology: A semantic web access control framework, Computer Standard and Interfaces. 33, 1, (2011) 42-49
  40. 40. Tsoumas, B., Gritzalis, D. Towards an ontology-based security management. 20th International Conference on Advanced Information Networking and Applications, IEEE CS, (2006) 985-990
  41. 41. Undercoffer, J., Joshi, A., Pinkston, J.: Modeling computer attacks: an ontology for intrusion detection, The Sixth International Symposium on Recent Advances in Intrusion Detection, LNCS vol. 2802. Springer, (2003) 113-135
  42. 42. Wang, J., Guo, M., Camargo, J.: An ontological approach to computer system security, Information Security Journal: A Global Perspective. 19, 2, (2010) 61-73
  43. 43. Lassila, O, Swick, R.R.: Resource Description Framework (RDF) Model and Syntax Specification. Available online: http://www.w3.org/TR/1999/REC-rdf-syntax-19990222/. (last viewed on 15 Mar. 2011).
  44. 44. Bechhofer, S. et al. OWL Web Ontology Language Reference, W3C recommendation. 10, 2006-01. http://www.w3.org/TR/ owl-ref/. (last viewed on 15 Mar. 2011)
  45. 45. Baader, F., Calvanese, D., McGuinness, D.L., Nardi, D., Patel-Schneider, P.F.: The description logic handbook. Cambridge University Press (2003)
  46. 46. Horrocks, I., Patel-Schneider, P.F., Boley, H., Tabet, S., Grosof, B., Dean, M.: SWRL: A semantic web rule language combining OWL and RuleML. W3C Member submission. 21, (2004). Available online: http://www.w3.org/Submission/SWRL/. (last viewed on 15 Mar. 2011)
  47. 47. Boley, H., Tabet, S., Wagner, G.: Design rationale of RuleML: a markup language for Semantic Web rule”. Proc. Semantic Web Working Symp, (2001) 381-401
  48. 48. O'Connor, M., Das, A.: SQWRL: A query language for OWL. In Proceedings of Workshop on OWL: Experiences and Directions (OWLED). (2009)
Download


Paper Citation


in Harvard Style

Hu H., Yang D., Xiang H., Fu L., Ye C. and Li R. (2011). Towards a Semantic Web-enabled Knowledge Base to Elicit Security Requirements for Misuse Cases . In Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011) ISBN 978-989-8425-61-4, pages 103-112. DOI: 10.5220/0003588301030112


in Bibtex Style

@conference{wosis11,
author={Haibo Hu and Dan Yang and Hong Xiang and Li Fu and Chunxiao Ye and Ren Li},
title={Towards a Semantic Web-enabled Knowledge Base to Elicit Security Requirements for Misuse Cases },
booktitle={Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)},
year={2011},
pages={103-112},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003588301030112},
isbn={978-989-8425-61-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011)
TI - Towards a Semantic Web-enabled Knowledge Base to Elicit Security Requirements for Misuse Cases
SN - 978-989-8425-61-4
AU - Hu H.
AU - Yang D.
AU - Xiang H.
AU - Fu L.
AU - Ye C.
AU - Li R.
PY - 2011
SP - 103
EP - 112
DO - 10.5220/0003588301030112