A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations

Authors:
Golnaz Elahi;Eric Yu;Nicola Zannone
Affiliations:
Department of Computer Science, University of Toronto,;Faculty of Information, University of Toronto,;Eindhoven University of Technology,
Venue:
ER '09 Proceedings of the 28th International Conference on Conceptual Modeling
Year:
2009

Citing 19
Cited 0

A taxonomy of computer program security flaws

ACM Computing Surveys (CSUR)
A graph-based system for network-vulnerability analysis

Proceedings of the 1998 workshop on New security paradigms
Attack net penetration testing

Proceedings of the 2000 workshop on New security paradigms
Trust in Cyberspace

Trust in Cyberspace
Modelling strategic relationships for process reengineering

Modelling strategic relationships for process reengineering
Security and Privacy Requirements Analysis within a Social Setting

RE '03 Proceedings of the 11th IEEE International Conference on Requirements Engineering
The CORAS methodology: model-based risk assessment using UML and UP

UML and the unified process
Elaborating Security Requirements by Construction of Intentional Anti-Models

Proceedings of the 26th International Conference on Software Engineering
Basic Concepts and Taxonomy of Dependable and Secure Computing

IEEE Transactions on Dependable and Secure Computing
Eliciting security requirements with misuse cases

Requirements Engineering
Modeling Security Requirements Through Ownership, Permission and Delegation

RE '05 Proceedings of the 13th IEEE International Conference on Requirements Engineering
Topological analysis of network attack vulnerability

ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
Model-based security analysis in seven steps --- a guided tour to the CORAS method

BT Technology Journal
Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model-driven Approach

ARES '08 Proceedings of the 2008 Third International Conference on Availability, Reliability and Security
Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development

CAiSE '08 Proceedings of the 20th international conference on Advanced Information Systems Engineering
Measuring network security using dynamic bayesian network

Proceedings of the 4th ACM workshop on Quality of protection
A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities

Requirements Engineering - Special Issue on RE'09: Security Requirements Engineering; Guest Editors: Eric Dubois and Haralambos Mouratidis
A goal oriented approach for modeling and analyzing security trade-offs

ER'07 Proceedings of the 26th international conference on Conceptual modeling
Secure Systems Development with UML

Secure Systems Development with UML

Quantified Score

Hi-index	0.00

Visualization

Abstract

Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. This paper proposes a vulnerability-centric modeling ontology, which aims to integrate empirical knowledge of vulnerabilities into the system development process. In particular, we identify the basic concepts for modeling and analyzing vulnerabilities and their effects on the system. These concepts drive the definition of criteria that make it possible to compare and evaluate security frameworks based on vulnerabilities. We show how the proposed modeling ontology can be adopted in various conceptual modeling frameworks through examples.