Skip to main content
SpringerLink
Log in

A Security Pattern Classification Based on Data Integration

  • Conference paper
  • First Online:
Information Systems Security and Privacy (ICISSP 2017)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 867))

Included in the following conference series:

  • 435 Accesses

Abstract

Security patterns are design patterns specialised to provide reusable and general solutions to recurring security problems. These patterns, which capture the strengths of different security approaches, are intended to make the design of maintainable and secure applications easier. The pattern community is continuously providing new security patterns (180 patterns are available at the moment). For a given problem, this growing pattern set along with their abstract presentations make the security pattern choice tedious, even for experts in software design. We contribute in this issue by presenting a method of security pattern classification based upon data extraction and integration. The pattern classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. This classification exposes relationships among software attacks, weaknesses, security principles and security patterns. It expresses the pattern combinations that can counter a given attack. Besides the pattern classification, we show that the data-store can be used to generate Attack Defense Trees. In our context, these illustrate, for a given attack, its sub-attacks and the related defenses given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns. Finally, we evaluate on 25 human subjects the benefits of using Attack Defense Trees and a classification established for Web applications, which covers 215 attacks, 136 software weaknesses, 66 security principles and 26 security patterns.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://talend.com/.

  2. 2.

    https://sourceforge.net/projects/bexpred/.

  3. 3.

    https://github.com/continuumsecurity/RopeyTasks.

  4. 4.

    https://github.com/psiinon/bodgeit.

References

  1. Rodriguez, E.: Security Design Patterns, vol. 49 (2003)

    Google Scholar 

  2. Schumacher, M., Roedig, U.: Security Engineering with Patterns. Engineering 2754, 1–208 (2001)

    Google Scholar 

  3. Slavin, R., Niu, J.: Security patterns repository (2016)

    Google Scholar 

  4. Alvi, A.K., Zulkernine, M.: A natural classification scheme for software security patterns. In: 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, pp. 113–120 (2011)

    Google Scholar 

  5. Yskout, K., Heyman, T., Scandariato, R., Joosen, W.: A system of security patterns (2006)

    Google Scholar 

  6. Alvi, A.K., Zulkernine, M.: A comparative study of software security pattern classifications. In: 2012 Seventh International Conference on Availability, Reliability and Security, pp. 582–589 (2012)

    Google Scholar 

  7. Bunke, M., Koschke, R., Sohr, K.: Organizing security patterns related to security and pattern recognition requirements. Int. J. Adv. Secur. 5(1), 46–67 (2012)

    Google Scholar 

  8. Anand, P., Ryoo, J., Kazman, R.: Vulnerability-based security pattern categorization in search of missing patterns. In: 2014 Ninth International Conference on Availability, Reliability and Security, pp. 476–483 (2014)

    Google Scholar 

  9. Wiesauer, A., Sametinger, J.: A security design pattern taxonomy based on attack patterns. In: International Joint Conference on e-Business and Telecommunications, pp. 387–394 (2009)

    Google Scholar 

  10. Regainia, L., Salva, S.: A methodology of security pattern classification and of attack-defense tree generation. In: Camp, O., Furnell, S., Mori, P., (eds): Proceedings of the 3rd International Conference on Information Systems Security and Privacy, ICISSP 2017, Porto, Portugal. SciTePress (2017)

    Google Scholar 

  11. MITRE Corporation: Common attack pattern enumeration and classification (2017)

    Google Scholar 

  12. Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63, 1278–1308 (1975)

    Article  Google Scholar 

  13. Viega, J., McGraw, G.: Building Secure Software: How to Avoid Security Problems the Right Way, Portable Documents. Pearson Education, New York City (2001)

    Google Scholar 

  14. Meier, J., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., Murukan, A.: Improving web application security: threats and countermeasures. Microsoft Corporation 3 (2003)

    Google Scholar 

  15. Dialani, V., Miles, S., Moreau, L., De Roure, D., Luck, M.: Transparent fault tolerance for web services based architectures. In: Monien, B., Feldmann, R. (eds.) Euro-Par 2002. LNCS, vol. 2400, pp. 889–898. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45706-2_126

    Chapter  Google Scholar 

  16. Meier, J.: Web application security engineering. IEEE Secur. Priv. 4, 16–24 (2006)

    Article  Google Scholar 

  17. Yskout, K., Scandariato, R., Joosen, W.: Do security patterns really help designers? In: Proceedings of the 37th International Conference on Software Engineering, ICSE 2015, vol. 1, pp. 292–302. IEEE Press, Piscataway (2015)

    Google Scholar 

  18. Fernandez, E.B., Washizaki, H., Yoshioka, N., Kubo, A., Fukazawa, Y.: Classifying security patterns. In: Zhang, Y., Yu, G., Bertino, E., Xu, G. (eds.) APWeb 2008. LNCS, vol. 4976, pp. 342–347. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78849-2_35

    Chapter  Google Scholar 

  19. Regainia, L., Salva, S.: Security pattern classification, companion site (2018). http://regainia.com/research/companion.html. Accessed 2018

  20. Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2012)

    Article  MathSciNet  Google Scholar 

  21. Munawar, H.: Security pattern catalog (2013). http://www.munawarhafiz.com/securitypatterncatalog/. Accessed 2018

  22. Tøndel, I.A., Jensen, J., Røstad, L.: Combining misuse cases with attack trees and security activity models. In: International Conference on Availability, Reliability, and Security, ARES 2010, pp. 438–445. IEEE (2010)

    Google Scholar 

  23. Uzunov, A.V., Fernandez, E.B.: An extensible pattern-based library and taxonomy of security threats for distributed systems. Comput. Stand. Interfaces 36, 734–747 (2014)

    Article  Google Scholar 

  24. Regainia, L., Salva, S., Bouhours, C.: A classification methodology for security patterns to help fix software weaknesses. In: Proceedings of the 13th ACS/IEEE International Conference on Computer Systems and Applications AICCSA (2016)

    Google Scholar 

  25. MITRE Corporation: Common weakness enumeration (2017)

    Google Scholar 

  26. Harb, D., Bouhours, C., Leblanc, H.: Using an ontology to suggest software design patterns integration. In: Chaudron, M.R.V. (ed.) MODELS 2008. LNCS, vol. 5421, pp. 318–331. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01648-6_34

    Chapter  Google Scholar 

  27. OWASP: The open web application security project (OWASP) (2017). http://www.owasp.org

  28. Wassermann, R., Cheng, B.H.: Security patterns. In: PLoP Conference. Michigan State University, Citeseer (2003)

    Google Scholar 

  29. Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40196-1_15

    Chapter  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. LIMOS CNRS UMR 6158, Clermont Auvergne University, Clermont-Ferrand, France

    Sébastien Salva & Loukmen Regainia

Authors
  1. Sébastien Salva
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Loukmen Regainia
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sébastien Salva .

Editor information

Editors and Affiliations

  1. Consiglio Nazionale delle Ricerche, Pisa, Italy

    Paolo Mori

  2. Plymouth University, Plymouth, United Kingdom

    Steven Furnell

  3. MODESTE/ESEO, Angers, France

    Olivier Camp

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Salva, S., Regainia, L. (2018). A Security Pattern Classification Based on Data Integration. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2017. Communications in Computer and Information Science, vol 867. Springer, Cham. https://doi.org/10.1007/978-3-319-93354-2_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-93354-2_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93353-5

  • Online ISBN: 978-3-319-93354-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation