Abstract
We present a security ontology (SO) that can serve as the basis for security management of an arbitrary information system. The SO supports modeling of risk assessment knowledge, abstraction of security requirements, and the interoperability, aggregation and reasoning of reusable security knowledge. It is built by exploiting security-related knowledge derived from diverse sources. We demonstrate that establishing such a framework is feasible and, furthermore, that an SO can support critical activities of a security expert, e.g. identification of security requirements and selection of appropriate countermeasures. We also present and discuss an implementation of a specific SO, accompanied by results on how an SO can be built and populated with security information.
© 2006 International Federation for Information Processing
Tsoumas, B., Papagiannakopoulos, P., Dritsas, S., Gritzalis, D. (2006). Security-by-Ontology: A Knowledge-Centric Approach. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds) Security and Privacy in Dynamic Environments. SEC 2006. IFIP International Federation for Information Processing, vol 201. Springer, Boston, MA. https://doi.org/10.1007/0-387-33406-8_9
DOI: https://doi.org/10.1007/0-387-33406-8_9
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-33405-9
Online ISBN: 978-0-387-33406-6