nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

A Security Pattern Classification Based on Data Integration

verfasst von : Sébastien Salva, Loukmen Regainia

Erschienen in: Information Systems Security and Privacy

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Security patterns are design patterns specialised to provide reusable and general solutions to recurring security problems. These patterns, which capture the strengths of different security approaches, are intended to make the design of maintainable and secure applications easier. The pattern community is continuously providing new security patterns (180 patterns are available at the moment). For a given problem, this growing pattern set along with their abstract presentations make the security pattern choice tedious, even for experts in software design. We contribute in this issue by presenting a method of security pattern classification based upon data extraction and integration. The pattern classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. This classification exposes relationships among software attacks, weaknesses, security principles and security patterns. It expresses the pattern combinations that can counter a given attack. Besides the pattern classification, we show that the data-store can be used to generate Attack Defense Trees. In our context, these illustrate, for a given attack, its sub-attacks and the related defenses given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns. Finally, we evaluate on 25 human subjects the benefits of using Attack Defense Trees and a classification established for Web applications, which covers 215 attacks, 136 software weaknesses, 66 security principles and 26 security patterns.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel How to Quantify Graph De-anonymization Risks

Nächstes Kapitel Forensic Analysis of Android Runtime (ART) Application Heap Objects in Emulated and Real Devices

https://talend.com/.

https://sourceforge.net/projects/bexpred/.

https://github.com/continuumsecurity/RopeyTasks.

https://github.com/psiinon/bodgeit.

Rodriguez, E.: Security Design Patterns, vol. 49 (2003)

Schumacher, M., Roedig, U.: Security Engineering with Patterns. Engineering 2754, 1–208 (2001)

Slavin, R., Niu, J.: Security patterns repository (2016)

Alvi, A.K., Zulkernine, M.: A natural classification scheme for software security patterns. In: 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, pp. 113–120 (2011)

Yskout, K., Heyman, T., Scandariato, R., Joosen, W.: A system of security patterns (2006)

Alvi, A.K., Zulkernine, M.: A comparative study of software security pattern classifications. In: 2012 Seventh International Conference on Availability, Reliability and Security, pp. 582–589 (2012)

Bunke, M., Koschke, R., Sohr, K.: Organizing security patterns related to security and pattern recognition requirements. Int. J. Adv. Secur. 5(1), 46–67 (2012)

Anand, P., Ryoo, J., Kazman, R.: Vulnerability-based security pattern categorization in search of missing patterns. In: 2014 Ninth International Conference on Availability, Reliability and Security, pp. 476–483 (2014)

Wiesauer, A., Sametinger, J.: A security design pattern taxonomy based on attack patterns. In: International Joint Conference on e-Business and Telecommunications, pp. 387–394 (2009)

10.

Regainia, L., Salva, S.: A methodology of security pattern classification and of attack-defense tree generation. In: Camp, O., Furnell, S., Mori, P., (eds): Proceedings of the 3rd International Conference on Information Systems Security and Privacy, ICISSP 2017, Porto, Portugal. SciTePress (2017)

11.

MITRE Corporation: Common attack pattern enumeration and classification (2017)

12.

Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63, 1278–1308 (1975)CrossRef

13.

Viega, J., McGraw, G.: Building Secure Software: How to Avoid Security Problems the Right Way, Portable Documents. Pearson Education, New York City (2001)

14.

Meier, J., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., Murukan, A.: Improving web application security: threats and countermeasures. Microsoft Corporation 3 (2003)

15.

Dialani, V., Miles, S., Moreau, L., De Roure, D., Luck, M.: Transparent fault tolerance for web services based architectures. In: Monien, B., Feldmann, R. (eds.) Euro-Par 2002. LNCS, vol. 2400, pp. 889–898. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45706-2_126CrossRef

16.

Meier, J.: Web application security engineering. IEEE Secur. Priv. 4, 16–24 (2006)CrossRef

17.

Yskout, K., Scandariato, R., Joosen, W.: Do security patterns really help designers? In: Proceedings of the 37th International Conference on Software Engineering, ICSE 2015, vol. 1, pp. 292–302. IEEE Press, Piscataway (2015)

18.

Fernandez, E.B., Washizaki, H., Yoshioka, N., Kubo, A., Fukazawa, Y.: Classifying security patterns. In: Zhang, Y., Yu, G., Bertino, E., Xu, G. (eds.) APWeb 2008. LNCS, vol. 4976, pp. 342–347. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78849-2_35CrossRef

19.

Regainia, L., Salva, S.: Security pattern classification, companion site (2018). http://regainia.com/research/companion.html. Accessed 2018

20.

Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2012)MathSciNetCrossRef

21.

Munawar, H.: Security pattern catalog (2013). http://www.munawarhafiz.com/securitypatterncatalog/. Accessed 2018

22.

Tøndel, I.A., Jensen, J., Røstad, L.: Combining misuse cases with attack trees and security activity models. In: International Conference on Availability, Reliability, and Security, ARES 2010, pp. 438–445. IEEE (2010)

23.

Uzunov, A.V., Fernandez, E.B.: An extensible pattern-based library and taxonomy of security threats for distributed systems. Comput. Stand. Interfaces 36, 734–747 (2014)CrossRef

24.

Regainia, L., Salva, S., Bouhours, C.: A classification methodology for security patterns to help fix software weaknesses. In: Proceedings of the 13th ACS/IEEE International Conference on Computer Systems and Applications AICCSA (2016)

25.

MITRE Corporation: Common weakness enumeration (2017)

26.

Harb, D., Bouhours, C., Leblanc, H.: Using an ontology to suggest software design patterns integration. In: Chaudron, M.R.V. (ed.) MODELS 2008. LNCS, vol. 5421, pp. 318–331. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01648-6_34CrossRef

27.

OWASP: The open web application security project (OWASP) (2017). http://www.owasp.org

28.

Wassermann, R., Cheng, B.H.: Security patterns. In: PLoP Conference. Michigan State University, Citeseer (2003)

29.

Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40196-1_15CrossRefMATH

Titel: A Security Pattern Classification Based on Data Integration
verfasst von: Sébastien Salva
Loukmen Regainia
Verlag: Springer International Publishing
Buch: Information Systems Security and Privacy
Print ISBN: 978-3-319-93353-5

Electronic ISBN: 978-3-319-93354-2

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-319-93354-2_6

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"