Skip to main content

Finding Logical Vulnerability in Policies Using Three-Level Semantic Framework

  • Conference paper
  • First Online:
Artificial Intelligence Applications and Innovations (AIAI 2024)

Abstract

We present the continuation of our work on a three-level framework, which can be used to model and analyze the identification- authentication- authorization policies. Finding the gaps in such policies is challenging. We explore the cases when operations become accessible to the user because of flawed or missing authentication methods. Our objective is to model the domain and find such vulnerabilities. Our proposed framework has three levels. Each level is built on top of a previous one. The first is ontological, where we model the static domain in OWL; the second is logical, where we model the dynamic using SWRL; and the third is analytical level, where we utilize the reasoner to get the results. In this paper, we present the algorithm, which finds vulnerable situations in the policies or confirms that there are no vulnerable situations. We have modelled a couple of policies from different user-based applications to validate our approach as well as demonstrate the feasibility of using it on policies from the actual systems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 299.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://protege.stanford.edu/

References

  1. Agrawal, V.: Towards the ontology of ISO/IEC 27005: 2011 risk management standard. In: International Symposium on Human Aspects of Information Security and Assurance (2016)

    Google Scholar 

  2. Bataityte, K., Vassilev, V., Gill, O.J.: Ontological foundations of modelling security policies for logical analytics. In: Artificial Intelligence Applications and Innovations (2020)

    Google Scholar 

  3. Fenz, S., Ekelhart, A.: Formalizing information security knowledge. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. ASIACCS ’09, New York, NY, USA, pp. 183–194. Association for Computing Machinery (2009). https://doi.org/10.1145/1533057.1533084

  4. Herzog, A., Shahmehri, N., Duma, C.: An ontology of information security. IJISP 1, 1–23 (2007). https://doi.org/10.4018/jisp.2007100101

    Article  Google Scholar 

  5. Horrocks, I., F. Patel-Schneider, P., Boley, Haroldand Tabet, S., Grosof, B., Dean, M.: Swrl: a semantic web rule language combining owl and ruleml (2004). https://www.w3.org/Submission/SWRL/

  6. Moreira, E., Martimiano, L., Brandão, A., Bernardes, M.: Ontologies for information security management and governance. Inf. Manag. Comput. Secur. 16, 150–165 (2008). https://doi.org/10.1108/09685220810879627

    Article  Google Scholar 

  7. Parkin, S., van Moorsel, A., Coles, R.: An information security ontology incorporating human-behavioral implications, pp. 46–55 (2009). https://doi.org/10.1145/1626195.1626209

  8. Penelova, M.: Access control models. Cybern. Inf. Technol. 21, 77–104 (2021). https://doi.org/10.2478/cait-2021-0044

    Article  Google Scholar 

  9. Ramanauskaitė, S., Olifer, D., Goranin, N., Cenys, A.: Security ontology for adaptive mapping of security standards. Int. J. Comput. Commun. Control (IJCCC) 8, 813–825 (2013). https://doi.org/10.15837/ijccc.2013.6.764

    Article  Google Scholar 

  10. Souag, A., Salinesi, C., Mazo, R., Comyn-Wattiau, I.: A security ontology for security requirements elicitation. In: Piessens, F., Caballero, J., Bielova, N. (eds.) ESSoS 2015. LNCS, vol. 8978, pp. 157–177. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15618-7_13

    Chapter  Google Scholar 

  11. Szeredi, P., Lukácsy, G., Benkő, T.: The Semantic Web Explained: The Technology and Mathematics Behind Web 3.0. Cambridge University Press, New York (2014)

    Book  Google Scholar 

Download references

Acknowledgments

This research has been partially funded by Lloyds Banking Group in London, UK. However, the results and the opinions formulated in the paper are the author’s only. No actual data from the bank has been used in the paper.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Karolina Bataityte .

Editor information

Editors and Affiliations

Ethics declarations

Disclosure of Interests

The authors have no competing interests to declare that are relevant to the content of this article.

Rights and permissions

Reprints and permissions

Copyright information

© 2024 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Bataityte, K., Vassilev, V., Gill, O.J. (2024). Finding Logical Vulnerability in Policies Using Three-Level Semantic Framework. In: Maglogiannis, I., Iliadis, L., Macintyre, J., Avlonitis, M., Papaleonidas, A. (eds) Artificial Intelligence Applications and Innovations. AIAI 2024. IFIP Advances in Information and Communication Technology, vol 714. Springer, Cham. https://doi.org/10.1007/978-3-031-63223-5_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-63223-5_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-63222-8

  • Online ISBN: 978-3-031-63223-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics