Decentralized Semantic Threat Graphs

  • Simon N. Foley
  • William M. Fitzgerald
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7371)


Threat knowledge-bases such as those maintained by MITRE and NIST provide a basis with which to mitigate known threats to an enterprise. These centralised knowledge-bases assume a global and uniform level of trust for all threat and countermeasure knowledge. However, in practice these knowledge-bases are composed of threats and countermeasures that originate from a number of threat providers, for example Bugtraq. As a consequence, threat knowledge consumers may only wish to trust knowledge about threats and countermeasures that have been provided by a particular provider or set of providers. In this paper, a trust management approach is taken with respect to threat knowledge-bases. This provides a basis with which to decentralize and delegate trust for knowledge about threats and their mitigation to one or more providers. Threat knowledge-bases are encoded as Semantic Threat Graphs. An ontology-based delegation scheme is proposed to manage trust across a model of distributed Semantic Threat Graph knowledge-bases.


Decentralized Threat Management Security Configuration 


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Abadi, M., Burrows, M., Lampson, B., Plotkin, G.: A calculus for access control in distributed systems. ACM Trans. Program. Lang. Syst. 15, 706–734 (1993), CrossRefGoogle Scholar
  5. 5.
    Agarwal, S., Rudolph, S.: Semantic Description of Behavior and Trustworthy Credentials of Web Services. In: 6th International Semantic Web Conference, Busan, Korea (November 2007)Google Scholar
  6. 6.
    Agudo, I., Lopez, J., Montenegro, J.A.: Enabling attribute delegation in ubiquitous environments. Mobile Netw. Appl., 1–13 (July 2008),
  7. 7.
    Baader, F., Calvanese, D., McGuinness, D.L., Nardi, D., Patel-Schneider, P.: The Description Logic Handbook: Theory, Implementation and Applications. Cambridge University Press (March 2003)Google Scholar
  8. 8.
    Bao, J., Voutsadakis, G., Slutzki, G., Honavar, V.: Package-Based Description Logics. In: Stuckenschmidt, H., Parent, C., Spaccapietra, S. (eds.) Modular Ontologies. LNCS, vol. 5445, pp. 349–371. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Becker, M., Fournet, C., Gordon, A.: Design and semantics of a decentralized authorization language. In: 20th IEEE Computer Security Foundations Symposium (January 2007)Google Scholar
  10. 10.
    Bertino, E., Jajodia, S., Samarati, P.: Supporting multiple access control policies in database systems. In: Proceedings of the 1996 IEEE Conference on Security and Privacy, SP 1996, pp. 94–107. IEEE Computer Society, Washington, DC (1996), Google Scholar
  11. 11.
    Bistarelli, S., Martinelli, F., Santini, F.: A Semantic Foundation for Trust Management Languages with Weights: An Application to the RT Family. In: Rong, C., Jaatun, M.G., Sandnes, F.E., Yang, L.T., Ma, J. (eds.) ATC 2008. LNCS, vol. 5060, pp. 481–495. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.D.: The keynote trust-management system, version 2 (September 1999)Google Scholar
  13. 13.
    Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 164–173. IEEE Computer Society Press, Oakland (1996)Google Scholar
  14. 14.
    Borgida, A., Serafini, L.: Distributed Description Logics: Directed Domain Correspondences in Federated Information Sources. In: Meersman, R., et al. (eds.) CoopIS 2002, DOA 2002, and ODBASE 2002. LNCS, vol. 2519, pp. 36–53. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  15. 15.
    Cuppens-Boulahia, N., Cuppens, F., de Vergara, J.E.L., Guerra, J., Debar, H., Vazquez, E.: An Ontology-Based Approach to React to Network Attacks. In: 3rd International Conference on Risk and Security of Internet and Systems (CRiSIS), Tozeur, Tunisia (October 2008)Google Scholar
  16. 16.
    Ellison, C., Frantz, B., Lampson, B., Rivest, R.L., Thomas, B., Ylonen, T.: SPKI certificate theory (September 1999)Google Scholar
  17. 17.
    Fenz, S., Goluch, G., Ekelhart, A., Riedl, B., Weippl, E.R.: Information Security Fortification by Ontological Mapping of the ISOIEC 27001 Standard. In: 13th Pacific Rim International Symposium on Dependable Computing (PRDC), Australia (December 2007)Google Scholar
  18. 18.
    Finin, T., Joshi, A., Kagal, L., Niu, J., Sandhu, R., Winsborough, W.H., Thuraisingham, B.: ROWLBAC - Representing Role Based Access Control in OWL. In: 13th Symposium on Access Control Models and Technologies, Colorado, USA (June 2008)Google Scholar
  19. 19.
    Foley, S.N., Mac Adams, W., O’Sullivan, B.: Aggregating Trust Using Triangular Norms in the KeyNote Trust Management System. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 100–115. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  20. 20.
    Foley, S.N., Fitzgerald, W.M.: Management of Security Policy Configuration using a Semantic Threat Graph Approach. Journal of Computer Security (JCS) 19(3) (2011)Google Scholar
  21. 21.
    Foley, S.N., Abdi, S.: Avoiding Delegation Subterfuge Using Linked Local Permission Names. In: Barthe, G., Datta, A., Etalle, S. (eds.) FAST 2011. LNCS, vol. 7140, pp. 100–114. Springer, Heidelberg (2012)Google Scholar
  22. 22.
    Grau, B.C., Horrocks, I., Kazakov, Y., Sattler, U.: Modular Resuse of Ontologies: Theory and Practice. Journal of Artificial Intelligence Research 31 (February 2008)Google Scholar
  23. 23.
    Hernan, S., Lambert, S., Ostwald, T., Shostack, A.: Uncover Security Design Flaws Using The STRIDE Approach,
  24. 24.
    Herzog, A., Shahmehri, N., Duma, C.: An Ontology of Information Security. International Journal of Information Security and Privacy (IJISP) 1(4) (2007)Google Scholar
  25. 25.
    Kodeswaran, P.A., Kodeswaran, S.B., Joshi, A., Finin, T.: Enforcing Security in Semantics Driven Policy Based Networks. In: 24th International Conference on Data Engineering Workshops, Secure Semantic Web, Cancun, Mexico (April 2008)Google Scholar
  26. 26.
    Kolovski, V., Hendler, J., Parsia, B.: Analyzing web access control policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 677–686. ACM, New York (2007), Google Scholar
  27. 27.
    Li, N., Winsborough, W., Mitchell, J.: Distributed credential chain discovery in trustmanagement. Journal of Computer Security 11(3), 35–86 (2003)CrossRefGoogle Scholar
  28. 28.
    Ray, I., Poolsapassit, N.: Using Attack Trees to Identify Malicious Attacks from Authorized Insiders. In: De Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 231–246. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  29. 29.
    Schneier, B.: Secrets and Lies Digital Security in Networked World. Wiley Publishing (2004)Google Scholar
  30. 30.
    Smith, M.K., Welty, C., McGuinness, D.L.: OWL Web Ontology Language Guide. W3C Recommendation, Technical Report (2004)Google Scholar
  31. 31.
    Squicciarini, A.C., Bertino, E., Ferrari, E., Ray, I.: Achieving Privacy in Trust Negotiations with an Ontology-Based Approach. IEEE Transactions on Dependable and Secure Computing 3(1) (2006)Google Scholar
  32. 32.
    Stevens, R.: Unix Network Programming, Networking API’s: Sockets and XTI, 2nd edn., vol. 1. Prentice Hall (1998)Google Scholar
  33. 33.
    Thuraisingham, B.: Building Trustworthy Semantic Webs. AUERBACH (2007)Google Scholar
  34. 34.
    Tracy, M., Jansen, W., Scarfone, K., Winograd, T.: Guidelines on Securing Public Web Servers: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-44, Version 2 (September 2009)Google Scholar
  35. 35.
    Wack, J., Cutler, K., Pole, J.: Guidelines on Firewalls and Firewall Policy: Recommendations of the National Institute of Standards and Technology. NIST-800-41 (2002)Google Scholar
  36. 36.
    Wang, Y., Haase, P., Bao, J.: A survey of formalisms for modular ontologies. In: International Joint Conference on Artificial Intelligence (IJCAI 2007) Workshop (2007)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Simon N. Foley
    • 1
  • William M. Fitzgerald
    • 1
  1. 1.Cork Constraint Computation Centre, Computer Science DepartmentUniversity College CorkIreland

Personalised recommendations