
A DSL for Specifying Autonomic Security Management Strategies

  • Ruan He
  • Marc Lacoste
  • Jacques Pulou
  • Jean Leneutre
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6514)

Abstract

Existing self-protection frameworks have so far hardly addressed the specification of autonomic security adaptation strategies, i.e. the strategies that guide risk-aware selection or reconfiguration of security mechanisms. Domain-Specific Languages (DSLs) offer many benefits for this goal in terms of simplicity, automated strategy verification, and run-time integration. This paper presents a DSL for describing security adaptation policies. The DSL is based on the condition-action approach and on a taxonomy of threats and applicable reactions. The DSL also makes it possible to capture trade-offs between security and other concerns, such as energy efficiency, during the decision-making phase. A translation mechanism that refines the DSL into a run-time representation and integrates adaptation policies within legacy self-protection frameworks is also presented.

Keywords

Intrusion Detection System, System Administrator, Adaptation Policy, Security Objective, Authorization Policy

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Ruan He, Orange Labs, France
  • Marc Lacoste, Orange Labs, France
  • Jacques Pulou, Orange Labs, France
  • Jean Leneutre, Telecom ParisTech, France
