Toward principles for the design of ontologies used for knowledge sharing. International Journal of Human-Computer Studies, special issue: the role of formal ontology in the information technology.
The description logic handbook: theory, implementation, and applications.
Security Ontologies: Improving Quantitative Risk Analysis. HICSS '07 Proceedings of the 40th Annual Hawaii International Conference on System Sciences.
Integration of an Ontological Information Security Concept in Risk Aware Business Process Management. HICSS '08 Proceedings of the 41st Annual Hawaii International Conference on System Sciences.
Temporal metrics for software vulnerabilities. Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead.
Vulnerability categorization using Bayesian networks. Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research.
Measuring and ranking attacks based on vulnerability analysis. Information Systems and e-Business Management.
This paper proposes an ontology-based approach to analyzing and assessing the security posture of software products. It provides measurements of trust for a software product based on its security requirements and evidence of assurance, both of which are retrieved from an ontology built for vulnerability management. Our approach differs from previous work in the following aspects: (1) It is a holistic approach, emphasizing that system assurance cannot be determined or explained by the assurance of its components alone; instead, the software system as a whole determines its assurance level. (2) Our approach is based on widely accepted standards such as CVSS, CVE, CWE, CPE, and CAPEC. Our ontology integrates these standards seamlessly and thus provides a solid foundation for security assessment. (3) Automated tools have been built to support our approach, delivering CVSS environmental scores for software products.