Abstract
We present the continuation of our work on a three-level framework that can be used to model and analyze identification, authentication and authorization policies. Finding the gaps in such policies is challenging. We explore the cases in which operations become accessible to a user because of flawed or missing authentication methods. Our objective is to model the domain and find such vulnerabilities. Our proposed framework has three levels, each built on top of the previous one. The first is the ontological level, where we model the static domain in OWL; the second is the logical level, where we model the dynamics using SWRL; and the third is the analytical level, where we utilize the reasoner to obtain the results. In this paper, we present the algorithm that finds vulnerable situations in the policies or confirms that there are none. We have modelled a couple of policies from different user-based applications to validate our approach and to demonstrate the feasibility of applying it to policies from actual systems.
Acknowledgments
This research has been partially funded by Lloyds Banking Group in London, UK. However, the results and the opinions formulated in the paper are the authors' only. No actual data from the bank has been used in the paper.
Ethics declarations
Disclosure of Interests
The authors have no competing interests to declare that are relevant to the content of this article.
Copyright information
© 2024 IFIP International Federation for Information Processing
About this paper
Cite this paper
Bataityte, K., Vassilev, V., Gill, O.J. (2024). Finding Logical Vulnerability in Policies Using Three-Level Semantic Framework. In: Maglogiannis, I., Iliadis, L., Macintyre, J., Avlonitis, M., Papaleonidas, A. (eds) Artificial Intelligence Applications and Innovations. AIAI 2024. IFIP Advances in Information and Communication Technology, vol 714. Springer, Cham. https://doi.org/10.1007/978-3-031-63223-5_21
DOI: https://doi.org/10.1007/978-3-031-63223-5_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-63222-8
Online ISBN: 978-3-031-63223-5
eBook Packages: Computer Science (R0)