Abstract
Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. This paper proposes a vulnerability-centric modeling ontology, which aims to integrate empirical knowledge of vulnerabilities into the system development process. In particular, we identify the basic concepts for modeling and analyzing vulnerabilities and their effects on the system. These concepts drive the definition of criteria that make it possible to compare and evaluate security frameworks based on vulnerabilities. We show how the proposed modeling ontology can be adopted in various conceptual modeling frameworks through examples.
Financial support from Natural Science and Engineering Research Council of Canada and Bell University Labs is gratefully acknowledged.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Asnar, Y., Moretti, R., Sebastianis, M., Zannone, N.: Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model-driven Approach. In: Proc. of DAWAM 2008, pp. 1240–1248. IEEE Press, Los Alamitos (2008)
Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C.E.: Basic Concepts and Taxonomy of Dependable and Secure Computing. TDSC 1(1), 11–33 (2004)
Braber, F., Hogganvik, I., Lund, M.S., Stolen, K., Vraalsen, F.: Model-based security analysis in seven steps — a guided tour to the coras method. BT Technology Journal 25(1), 101–117 (2007)
Chung, L., Nixon, B.A., Yu, E., Mylopoulos, J. (eds.): Non-Functional Requirements in Software Engineering. Kluwer Academic Publishing, Dordrecht (2000)
Common Vulnerability Scoring System, http://www.first.org/cvss/
Common Weakness Enumeration, http://cwe.mitre.org/
den Braber, F., Dimitrakos, T., Gran, B.A., Lund, M.S., Stolen, K., Aagedal, J.O.: The CORAS methodology: model-based risk assessment using UML and UP. In: UML and the unified process, pp. 332–357. IGI Publishing (2003)
Elahi, G., Yu, E.: A goal oriented approach for modeling and analyzing security trade-offs. In: Parent, C., Schewe, K.-D., Storey, V.C., Thalheim, B. (eds.) ER 2007. LNCS, vol. 4801, pp. 375–390. Springer, Heidelberg (2007)
Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: Analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Manuscript submitted to Req. Eng. Journal (2009)
Frigault, M., Wang, L., Singhal, A., Jajodia, S.: Measuring network security using dynamic bayesian network. In: Proc of QoP 2008, pp. 23–30. ACM Press, New York (2008)
Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: Proc. of RE 2005, pp. 167–176. IEEE Press, Los Alamitos (2005)
ISO/IEC. Risk management-vocabulary-guidelines for use in standards. ISO/IEC Guide 73 (2002)
ISO/IEC. Management of Information and Communication Technology Security – Part 1: Concepts and Models for Information and Communication Technology Security Management. ISO/IEC 13335 (2004)
Jajodia, S.: Topological analysis of network attack vulnerability. In: Proc. of ASIACCS 2007, p. 2. ACM, New York (2007)
Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)
Krogstie, J., Opdahl, A.L., Brinkkemper, S.: Capturing dependability threats in conceptual modelling. Conceptual Modelling in Information Systems Engineering, 247–260 (2007)
Landwehr, C.E., Bull, A.R., McDermott, J.P., Choi, W.S.: A taxonomy of computer program security flaws. CSUR 26(3), 211–254 (1994)
Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: Proc. of RE 2003, p. 151. IEEE Press, Los Alamitos (2003)
Liu, Y., Man, H.: Network vulnerability assessment using bayesian networks. In: Data mining, intrusion detection, information assurance, and data networks security. Society of Photo-Optical Instrumentation Engineers, pp. 61–71 (2005)
Matulevičius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development. In: Bellahsène, Z., Léonard, M. (eds.) CAiSE 2008. LNCS, vol. 5074, pp. 541–555. Springer, Heidelberg (2008)
McDermott, J.P.: Attack net penetration testing. In: Proc. of NSPW 2000, pp. 15–21. ACM, New York (2000)
Meyer, N., Rifaut, A., Dubois, E.: Towards a Risk-Based Security Requirements Engineering Framework. In: Proc. of REFSQ 2005 (2005)
National Vulnerability Database, http://nvd.nist.gov/
Petroski, H.: To Engineer is Human: The Role of Failure in Successful Design. St. Martin’s Press, New York (1985)
Cynthia, P., Painton, S.L.: A graph-based system for network-vulnerability analysis. In: Proc. of NSPW 1998, pp. 71–79. ACM, New York (1998)
Rostad, L.: An extended misuse case notation: Including vulnerabilities and the insider threat. In: Proc. of REFSQ 2006 (2006)
SANS, http://www.sans.org/
Schneider, F.B. (ed.): Trust in Cyberspace. National Academy Press (1998)
Schneier, B.: Attack trees. Dr. Dobb’s Journal 24(12), 21–29 (1999)
Schneier, B.: Beyond Fear. Springer, Heidelberg (2003)
Sindre, G., Opdahl, L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005)
van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proc. of ICSE 2004, pp. 148–157. IEEE Press, Los Alamitos (2004)
Yu, E.: Modeling Strategic Relationships for Process Reengineering. PhD thesis, University of Toronto (1995)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Elahi, G., Yu, E., Zannone, N. (2009). A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations. In: Laender, A.H.F., Castano, S., Dayal, U., Casati, F., de Oliveira, J.P.M. (eds) Conceptual Modeling - ER 2009. ER 2009. Lecture Notes in Computer Science, vol 5829. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04840-1_10
Download citation
DOI: https://doi.org/10.1007/978-3-642-04840-1_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04839-5
Online ISBN: 978-3-642-04840-1
eBook Packages: Computer ScienceComputer Science (R0)