Skip to main content
SpringerLink
Log in
SpringerLink
Log in

A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations

  • Conference paper
Conceptual Modeling - ER 2009 (ER 2009)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 5829))

Included in the following conference series:

Abstract

Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. This paper proposes a vulnerability-centric modeling ontology, which aims to integrate empirical knowledge of vulnerabilities into the system development process. In particular, we identify the basic concepts for modeling and analyzing vulnerabilities and their effects on the system. These concepts drive the definition of criteria that make it possible to compare and evaluate security frameworks based on vulnerabilities. We show how the proposed modeling ontology can be adopted in various conceptual modeling frameworks through examples.

Financial support from Natural Science and Engineering Research Council of Canada and Bell University Labs is gratefully acknowledged.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Asnar, Y., Moretti, R., Sebastianis, M., Zannone, N.: Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model-driven Approach. In: Proc. of DAWAM 2008, pp. 1240–1248. IEEE Press, Los Alamitos (2008)

    Google Scholar 

  2. Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C.E.: Basic Concepts and Taxonomy of Dependable and Secure Computing. TDSC 1(1), 11–33 (2004)

    Google Scholar 

  3. Braber, F., Hogganvik, I., Lund, M.S., Stolen, K., Vraalsen, F.: Model-based security analysis in seven steps — a guided tour to the coras method. BT Technology Journal 25(1), 101–117 (2007)

    Article  Google Scholar 

  4. Chung, L., Nixon, B.A., Yu, E., Mylopoulos, J. (eds.): Non-Functional Requirements in Software Engineering. Kluwer Academic Publishing, Dordrecht (2000)

    MATH  Google Scholar 

  5. Common Vulnerability Scoring System, http://www.first.org/cvss/

  6. Common Weakness Enumeration, http://cwe.mitre.org/

  7. den Braber, F., Dimitrakos, T., Gran, B.A., Lund, M.S., Stolen, K., Aagedal, J.O.: The CORAS methodology: model-based risk assessment using UML and UP. In: UML and the unified process, pp. 332–357. IGI Publishing (2003)

    Google Scholar 

  8. Elahi, G., Yu, E.: A goal oriented approach for modeling and analyzing security trade-offs. In: Parent, C., Schewe, K.-D., Storey, V.C., Thalheim, B. (eds.) ER 2007. LNCS, vol. 4801, pp. 375–390. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  9. Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: Analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Manuscript submitted to Req. Eng. Journal (2009)

    Google Scholar 

  10. Frigault, M., Wang, L., Singhal, A., Jajodia, S.: Measuring network security using dynamic bayesian network. In: Proc of QoP 2008, pp. 23–30. ACM Press, New York (2008)

    Chapter  Google Scholar 

  11. Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: Proc. of RE 2005, pp. 167–176. IEEE Press, Los Alamitos (2005)

    Google Scholar 

  12. ISO/IEC. Risk management-vocabulary-guidelines for use in standards. ISO/IEC Guide 73 (2002)

    Google Scholar 

  13. ISO/IEC. Management of Information and Communication Technology Security – Part 1: Concepts and Models for Information and Communication Technology Security Management. ISO/IEC 13335 (2004)

    Google Scholar 

  14. Jajodia, S.: Topological analysis of network attack vulnerability. In: Proc. of ASIACCS 2007, p. 2. ACM, New York (2007)

    Chapter  Google Scholar 

  15. Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)

    Google Scholar 

  16. Krogstie, J., Opdahl, A.L., Brinkkemper, S.: Capturing dependability threats in conceptual modelling. Conceptual Modelling in Information Systems Engineering, 247–260 (2007)

    Google Scholar 

  17. Landwehr, C.E., Bull, A.R., McDermott, J.P., Choi, W.S.: A taxonomy of computer program security flaws. CSUR 26(3), 211–254 (1994)

    Article  Google Scholar 

  18. Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: Proc. of RE 2003, p. 151. IEEE Press, Los Alamitos (2003)

    Google Scholar 

  19. Liu, Y., Man, H.: Network vulnerability assessment using bayesian networks. In: Data mining, intrusion detection, information assurance, and data networks security. Society of Photo-Optical Instrumentation Engineers, pp. 61–71 (2005)

    Google Scholar 

  20. Matulevičius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development. In: Bellahsène, Z., Léonard, M. (eds.) CAiSE 2008. LNCS, vol. 5074, pp. 541–555. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  21. McDermott, J.P.: Attack net penetration testing. In: Proc. of NSPW 2000, pp. 15–21. ACM, New York (2000)

    Chapter  Google Scholar 

  22. Meyer, N., Rifaut, A., Dubois, E.: Towards a Risk-Based Security Requirements Engineering Framework. In: Proc. of REFSQ 2005 (2005)

    Google Scholar 

  23. National Vulnerability Database, http://nvd.nist.gov/

  24. Petroski, H.: To Engineer is Human: The Role of Failure in Successful Design. St. Martin’s Press, New York (1985)

    Google Scholar 

  25. Cynthia, P., Painton, S.L.: A graph-based system for network-vulnerability analysis. In: Proc. of NSPW 1998, pp. 71–79. ACM, New York (1998)

    Google Scholar 

  26. Rostad, L.: An extended misuse case notation: Including vulnerabilities and the insider threat. In: Proc. of REFSQ 2006 (2006)

    Google Scholar 

  27. SANS, http://www.sans.org/

  28. Schneider, F.B. (ed.): Trust in Cyberspace. National Academy Press (1998)

    Google Scholar 

  29. Schneier, B.: Attack trees. Dr. Dobb’s Journal 24(12), 21–29 (1999)

    Google Scholar 

  30. Schneier, B.: Beyond Fear. Springer, Heidelberg (2003)

    Google Scholar 

  31. Sindre, G., Opdahl, L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005)

    Article  Google Scholar 

  32. van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proc. of ICSE 2004, pp. 148–157. IEEE Press, Los Alamitos (2004)

    Google Scholar 

  33. Yu, E.: Modeling Strategic Relationships for Process Reengineering. PhD thesis, University of Toronto (1995)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, University of Toronto,  

    Golnaz Elahi

  2. Faculty of Information, University of Toronto,  

    Eric Yu

  3. Eindhoven University of Technology,  

    Nicola Zannone

Authors
  1. Golnaz Elahi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Eric Yu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Nicola Zannone
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Federal University of Minas Gerais, Av. Antônio Carlos 6627, Prédio do ICEx, sala 4010, Pampulha , Belo, 31270-901, Horizonte, MG, Brazil

    Alberto H. F. Laender

  2. Dipartimento di Scienze dell’Informazione, DICo, Università degli Studi di Milano, Comelico, 39/41, 20135, Milano, Italy

    Silvana Castano

  3. Hewlett-Packard Laboratories, 1501 Page Mill Rd., 94304, Palo Alto, CA, USA

    Umeshwar Dayal

  4. Department of Information Engineering and Computer Science, University of Trento, Via sommarive 14, 38050, Povo (Trento), Italy

    Fabio Casati

  5. Instituto de Informática, Universidade Federal do Rio Grande do Sul (UFRGS), Caixa Postal 15.064, 91.501-970, Porto Alegre, RS, Brasil

    José Palazzo M. de Oliveira

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Elahi, G., Yu, E., Zannone, N. (2009). A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations. In: Laender, A.H.F., Castano, S., Dayal, U., Casati, F., de Oliveira, J.P.M. (eds) Conceptual Modeling - ER 2009. ER 2009. Lecture Notes in Computer Science, vol 5829. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04840-1_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-04840-1_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04839-5

  • Online ISBN: 978-3-642-04840-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation