Volume 13 Number 2
April 2016
Hui Guan, Hongji Yang and Jun Wang. An Ontology-based Approach to Security Pattern Selection. International Journal of Automation and Computing, vol. 13, no. 2, pp. 168-182, 2016. doi: 10.1007/s11633-016-0950-1

An Ontology-based Approach to Security Pattern Selection

  • Received: 2014-07-01
Fund Project:

This work was supported by Research Project of Education department of Liaoning Province (No. L2013156), National Scholarship (No. 201208210386), and Key Industry Problem Plan of Liaoning Province (No. 2012219001).

Abstract: Usually, security requirements are addressed by abstracting the security problems that arise in a specific context and providing a well-proven solution to them. Security patterns, which encapsulate proven expert solutions to recurring security problems, have been widely accepted by the security engineering community. The fundamental challenge in using security patterns to satisfy security requirements is the lack of a defined syntax, which makes it impossible to ask meaningful questions and obtain semantically meaningful answers. Therefore, this paper presents an ontological approach to facilitate the mapping of security knowledge from security requirements to their corresponding solutions, security patterns. Ontologies have been developed using the Web Ontology Language (OWL) and then incorporated into a security pattern search engine that enables sophisticated search and retrieval of security patterns using the proposed algorithm. Applying the introduced approach allows security novices to reuse security expertise to develop secure software systems.