An approach for security requirements definition based on security and domain ontologies
Amina Souag1, Camille Salinesi1, Isabelle Wattiau2
1 CRI, Paris 1 Sorbonne University
2 CEDRIC-CNAM & ESSEC Business School, France
Ideas & Objectives
- Ontologies are known to be rich sources of knowledge, and, being structured and equipped with reasoning tools, they form a powerful tool to guide the requirements analysis.
- Mobilization of two types of ontologies in the process of requirements engineering: ontology of security and ontology of the domain at hand.
- Demonstrate that the combined use of these two types of ontologies to support security requirements engineering (SRE) is a key success factor in defining high-quality security requirements.
Validation (in progress)
- Experts' criticism: qualitative validation of the method.
- Controlled experiment: quantitative validation of the approach.
Context
- Security is a discipline concerned with protecting systems from a wide range of threats that break the system by exploiting a vulnerability.
- Security requirements are conditions defined on the environment that need to be fulfilled in order to mitigate risks and achieve security goals expressed by stakeholders.
Perspectives
Defense of the thesis
Figures
- 40 million people's banking details stolen from a well-known US bank in 2013
- The cost of cybercrime reached $110B in the world in 2012
Problems
- Security requirements difficult to express, to elicit, to identify and to manage.
- Security and domain knowledge not explicitly defined and formulated well.
- Security requirements methods that produce generic security requirements, not specific to the domain at hand.
A Method
[Figure: overview of the method. Labels: security goals in the form <Verb> + <security criterion> + <Asset>; core security ontology (security criterion, vulnerability, threat, security requirement); a particular domain ontology (Concept 1, Concept 2, Concept 3, Concept 4); security model (threat, vulnerability, ...); security requirements specification document ("Security criterion 1: Asset 1, Asset 2, ... Req 1. <Agent1> should <Action> <Asset>. Req 2. ...").]
A core security ontology
A tool
- Formalizing the security and the domain knowledge (well formed ontologies).
- Formalizing the stakeholders’ security goals (verb, criterion, asset).
- A mechanism to make the generic security knowledge more domain specific.
- Reasoning on input security requirements goals, security ontology and a domain ontology.
- Mapping rules, and production rules to add new elements to a security requirements model based on knowledge extracted from both security and domain ontologies.
- Producing an output security requirements model and a specification document.
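
A minimal sketch of this pipeline, added here as an illustration and not the authors' tool: goals in the (verb, criterion, asset) form are joined with a security ontology and a domain ontology to produce requirements in the "<Agent> should <Action> <Asset>" form, grouped by criterion. The ontology contents, the agents and the single mapping rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed toy "core security ontology" (assumed content):
# criterion -> list of (threat, vulnerability it exploits, countermeasure action).
SECURITY_ONTOLOGY = {
    "confidentiality": [
        ("eavesdropping", "unencrypted channel", "encrypt"),
        ("unauthorized access", "weak access control", "restrict access to"),
    ],
    "integrity": [("tampering", "missing integrity check", "sign")],
}

# Constructed toy banking domain ontology (assumed content):
# asset -> responsible agent and related domain concepts.
DOMAIN_ONTOLOGY = {
    "customer account": {"agent": "The banking server",
                         "related": ["account balance", "card number"]},
    "transfer order": {"agent": "The payment gateway", "related": []},
}

def derive_requirements(goals):
    """Map (verb, criterion, asset) goals to requirements, grouped by criterion."""
    spec = defaultdict(list)
    for verb, criterion, asset in goals:
        if criterion not in SECURITY_ONTOLOGY:
            raise ValueError(f"criterion not in security ontology: {criterion}")
        if asset not in DOMAIN_ONTOLOGY:
            raise ValueError(f"asset not in domain ontology: {asset}")
        entry = DOMAIN_ONTOLOGY[asset]
        # Hypothetical mapping rule: domain knowledge widens the goal to the
        # asset's related concepts; security knowledge supplies one requirement
        # per threat against the criterion, keeping the trace back to the goal.
        for target in [asset] + entry["related"]:
            for threat, vulnerability, action in SECURITY_ONTOLOGY[criterion]:
                spec[criterion].append({
                    "goal": f"{verb} {criterion} of {asset}",
                    "text": f"{entry['agent']} should {action} {target}.",
                    "threat": threat, "vulnerability": vulnerability,
                })
    return dict(spec)

if __name__ == "__main__":
    goals = [("preserve", "confidentiality", "customer account"),
             ("ensure", "integrity", "transfer order")]
    for criterion, reqs in derive_requirements(goals).items():
        print(f"Security criterion: {criterion}")
        for i, r in enumerate(reqs, 1):
            print(f"  Req {i}. {r['text']} (threat: {r['threat']})")
```
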