Enhancing Model Driven Security through Pattern Refinement Techniques

  • Basel Katt
  • Matthias Gander
  • Ruth Breu
  • Michael Felderer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7542)


Security requirements are typically defined at a business abstract level by non-technical security officers. However, in order to fulfill the security requirements, technical security controls or mechanisms have to be considered and deployed on the target system. Based on these security controls security patterns have to be selected. The MDS (Model Driven Security) approach uses security requirement models at a high level of abstraction to automatically generate security artefacts that configure security services. The main drawback of the current MDS solutions is that they consider just one security pattern for each security requirement. Current SOA and cloud services are scattered across multiple heterogeneous security domains. Partners and clients with different security infrastructures are changing continuously, which requires the support of multiple patterns for the same security service. The challenge is to provide configurable security services that can support different patterns. In order to overcome this shortcoming we propose a framework that integrates pattern refinement to the MDS approach. In this approach a security pattern refinement layer is added to the traditional MDS layers. The pattern refinement layer supports the configuration of one security service with different patterns, which are stored in a pattern catalog. For example, our approach enables the generation of security artefacts that configure a non-repudiation service to support both fair non-repudiation and naive non-repudiation patterns.


Security Policy Security Requirement Security Service Security Domain Security Pattern 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security: From UML Models to Access Control Infrastructures. ACM Trans. Softw. Eng. Methodol. 15(1), 39–91 (2006)CrossRefGoogle Scholar
  2. 2.
    Datta, A., Derek, A., Mitchell, J., Pavlovic, D.: A derivation system and compositional logic for security protocols. J. Comput. Secur. 13(3), 423–482 (2005)CrossRefGoogle Scholar
  3. 3.
    David, R., Carlos, G., Fernandez-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. Internet Research 16(5), 519–536 (2006)CrossRefGoogle Scholar
  4. 4.
    Delessy, N., Fernandez, E.B.: A Pattern-Driven Security Process for SOA Applications. In: ARES 2008: Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, pp. 416–421. IEEE Computer Society, Washington, DC (2008)CrossRefGoogle Scholar
  5. 5.
    Fernandez, E.B., Washizaki, H., Yoshioka, N.: Abstract Security Patterns. In: SPAQu 2008 - 2nd Int. Workshop on Software Patterns and Quality (2008),
  6. 6.
    Hafner, M.: SECTET A Domain Architecture for Model Driven Security. PhD Thesis (November 2006)Google Scholar
  7. 7.
    Hafner, M., Breu, R.: Security Engineering for Service-oriented Architectures. Springer (October 2008)Google Scholar
  8. 8.
    Hafner, M., Memon, M., Breu, R.: SeAAS - A Reference Architecture for Security Services in SOA. Journal of Universal Computer Science 15(15), 2916–2936 (2009), Scholar
  9. 9.
    Juerjens, J.: Secure Systems Development with UML. Springer (2004)Google Scholar
  10. 10.
    Lang, U., Schreiner, R.: Developing Secure Distributed Systems with CORBA. Artech House, Inc., Norwood (2002)zbMATHGoogle Scholar
  11. 11.
    OASIS. Extensible Access Control Markup Language (XACML) (2006),
  12. 12.
    Rodriguez, A., Fernandez-Medina, E., Piattini, M.: A BPMN Extension for the Modeling of Security Requirements in Business Processes. IEICE - Transactions on Information and Systems E90-D(4), 745–752 (2007)CrossRefGoogle Scholar
  13. 13.
    Rosado, D.G., Fernandez-Medina, E., Piattini, M.: Comparison of Security Patterns. IJCSNS -International Journal of Computer Science and Network Security 6(2B), 139–146 (2006)Google Scholar
  14. 14.
    Satoh, F., Nakamura, Y., Ono, K.: Adding Authentication to Model Driven Security. In: ICWS 2006: Proceedings of the IEEE International Conference on Web Services, pp. 585–594. IEEE Computer Society, Washington, DC (2006)CrossRefGoogle Scholar
  15. 15.
    Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications. Springer-Verlag New York, Inc., Secaucus (2003)CrossRefzbMATHGoogle Scholar
  16. 16.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  17. 17.
    Wimmel, G., Wisspeintner, A.: Extended Description Techniques for Security Engineering. In: Dupuy, M., Paradinas, P. (eds.) Trusted Information. IFIP, vol. 65, pp. 469–485. Springer, Boston (2002)CrossRefGoogle Scholar
  18. 18.
    Wolter, C., Menzel, M., Christoph, M., et al.: Model-driven business process security requirement specification. J. Syst. Archit. 55(4), 211–223 (2009)CrossRefGoogle Scholar
  19. 19.
    Wolter, C., Menzel, M., Meinel, C.: Modelling Security Goals in Business Processes. In: Modellierung, pp. 197–212 (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Basel Katt
    • 1
  • Matthias Gander
    • 1
  • Ruth Breu
    • 1
  • Michael Felderer
    • 1
  1. 1.University of InnsbruckAustria

Personalised recommendations