Advertisement

Towards an Ontology of Security Assessment: A Core Model Proposal

  • Ferrucio de Franco Rosa
  • Mario Jino
  • Rodrigo Bonacin
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 738)

Abstract

SecAOnto (Security Assessment Ontology) aims at formalizing the knowledge on “Security Assessment”. A conceptual formalization of this area is needed, given that there is an overlap of the “Information Security” and “Systems Assessment” areas, concepts are ambiguous, terminology is confounding, and important concepts are not defined. Nineteen papers on ontology, out of 80 papers of interest, have been selected to be discussed. Most of them are proposals of ontologies on information security; here we propose an ontology to deal specifically with security assessment aspects and particularities. SecAOnto is OWL-based, is publicly available and is devised to be used as a common and extensible model for security assessment. Its foundation comes from glossaries, vocabularies, taxonomies, ontologies, and market’s guidelines. The initial version of the ontology, its core model, as well as an application are presented. Our proposal is meant to be useful for security researchers who wish to formalize knowledge in their systems, methods and techniques.

Keywords

Security assessment Information security Knowledge formalization OWL Ontology  

References

  1. 1.
    L. Viljanen, Towards an ontology of trust. Computer (Long. Beach. Calif) 3592, 175–184 (2005)Google Scholar
  2. 2.
    F.F. Rosa, M. Jino, A survey of security assessment ontologies, in Advances in Intelligent Systems and Computing (AISC), 569th edn, ed. by J. Kacprzyk (Springer, 2017), pp. 166–173Google Scholar
  3. 3.
    C.P. de Barros, F. de Franco Rosa, A.F. Balcão Filho, Software testing with emphasis on finding security defects, in IADIS—The 12th International Conference on WWW/Internet (2013), pp. 226–228Google Scholar
  4. 4.
    N. Guarino, Formal ontology and information systems, in ACM International Conference in Formal Ontology and Information Systems (1998)Google Scholar
  5. 5.
    J. Biolchini, P.G. Mian, A. Candida, C. Natali, Systematic review in software engineering. Engineering 679, 165–176 (2005)Google Scholar
  6. 6.
    B. Kitchenham, Procedures for performing systematic reviews (Keele Univ., Keele, UK) 33, no. TR/SE-0401, 28 (2004)Google Scholar
  7. 7.
    F. de Franco Rosa, M. Jino, R. Bonacin, The Security Assessment Domain: A Survey of Taxonomies and Ontologies (Renato Archer Information Technology Center (CTI), Campinas, Brazil, 2017)Google Scholar
  8. 8.
    A. Souag, C. Salinesi, R. Mazo, I. Comyn-Wattiau, A Security Ontology for Security Requirements Elicitation (2015)Google Scholar
  9. 9.
    D. Feledi, S. Fenz, Challenges of web-based information security knowledge sharing, in 2012 Seventh Int. Conf. Availability, Reliab. Secur. (2012), pp. 514–521Google Scholar
  10. 10.
    A. Herzog, N. Shahmehri, C. Duma, An ontology of information security. Int. J. Inf. Secur. Priv. 1(4), 1–23 (2007)CrossRefGoogle Scholar
  11. 11.
    S. Fenz, A. Ekelhart, Formalizing information security knowledge, in … 4th Int. Symp. Inf. … (2009), p. 183Google Scholar
  12. 12.
    A. Evesti, R. Savola, E. Ovaska, J. Kuusijarvi, The design, instantiation, and usage of information security measuring ontology, in Proc. 4th IEEE Int. Conf. Self-Adaptive Self-Organizing Syst., no. c (2011), pp. 204–212Google Scholar
  13. 13.
    H. Zhu, Q. Huo, Developing a software testing ontology in UML for a software growth environment of web-based applications, in Softw. Evol. with UML (2005), pp. 1–34 Google Scholar
  14. 14.
    P. Salini, S. Kanmani, Ontology-based representation of reusable security requirements for developing secure web applications (2013)Google Scholar
  15. 15.
    A.D. Khairkar, D.D. Kshirsagar, S. Kumar, Ontology for detection of web attacks, in Proc.—2013 Int. Conf. Commun. Syst. Netw. Technol. CSNT 2013 (2013), pp. 612–615Google Scholar
  16. 16.
    P. Salini, S. Kanmani, A knowledge-oriented approach to security requirements engineering for e-voting system. Int. J. Comput. Appl. 49(11), 21–25 (2012)Google Scholar
  17. 17.
    M. Grobler, J.J. van Vuuren, L. Leenen, Implementation of a cyber security policy in South Africa: reflection on progress and the way forward. ICT Crit. Infrastruct. Soc. 386(2012), 215–225 (2012)CrossRefGoogle Scholar
  18. 18.
    F.-H. Liu, W.-T. Lee, Constructing enterprise information network security risk management mechanism by ontology. J. Appl. Sci. Eng. 13(1), 79–87 (2010)Google Scholar
  19. 19.
    I. Kotenko, O. Polubelova, I. Saenko, E. Doynikova, The ontology of metrics for security evaluation and decision support in SIEM systems, in Proc.—2013 Int. Conf. Availability, Reliab. Secur. ARES 2013 (2013), pp. 638–645Google Scholar
  20. 20.
    W. Kang, Y. Liang, A security ontology with MDA for software development, in Proc.—2013 Int. Conf. Cyber-Enabled Distrib. Comput. Knowl. Discov. CyberC 2013 (2013), pp. 67–74Google Scholar
  21. 21.
    A. Gyrard, C. Bonnet, K. Boudaoud, A. Gyrard, C. Bonnet, K. Boudaoud, T. Stac, S. Toolbox, A. Gyrard, C. Bonnet, The STAC (Security Toolbox: Attacks & Countermeasures) ontology (2014)Google Scholar
  22. 22.
    U. Koinig, S. Tjoa, J. Ryoo, Contrology—an ontology-based cloud assurance approach, in 2015 IEEE 24th Int. Conf. Enabling Technol. Infrastruct. Collab. Enterp. (2015), pp. 105–107Google Scholar
  23. 23.
    S. Ramanauskaite, D. Olifer, N. Goranin, A. Čenys, Security ontology for adaptive mapping of security standards. Int. J. Comput. Commun. Control 8(6), 878–890 (2013)CrossRefGoogle Scholar
  24. 24.
    D. Jutla, L. Xu, Privacy agents and ontology for the semantic web. Am. Conf. Inf. Syst., 1760–1767 (2004)Google Scholar
  25. 25.
    V. Raskjn, C. F. Hempelmann, S. Nirenburg, W. Lafayette, Ontology in information security: a useful theoretical foundation and methodological tool, in Work. New Secur. Paradig. (2002), pp. 53–59Google Scholar
  26. 26.
    L. Obrst, P. Chase, R. Markeloff, Developing an ontology of the cyber security domain, in Seventh Int. Conf. Semant. Technol. for. Intell. Defense, Secur.—STIDS 2012 (2012), pp. 49–56Google Scholar
  27. 27.
    P.M.S. Bueno, M. Jino, W.E. Wong, Diversity oriented test data generation using metaheuristic search techniques. Inf. Sci. (NY). 259, 490–509 (2011)CrossRefGoogle Scholar
  28. 28.
    ISO/IEC, ISO/IEC 27001:2013 Information Technology—Security Techniques—Information Security Management Systems—Requirements (2013)Google Scholar
  29. 29.
    F. de Franco Rosa, M. Jino, L.A.L. Teixeira Junior, Security Assessment Ontology—SecAOnto (2017), https://github.com/ferruciof/Files/blob/master/SecAOnto/SecAOnto_V4.owl. Accessed 12 Jan 2017
  30. 30.
    A. Lozano-Tello, A. Gomez-Perez, ONTOMETRIC: a method to choose the appropriate ontology. J. Database Manag. 15(2), 1–18 (2004)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Ferrucio de Franco Rosa
    • 1
  • Mario Jino
    • 2
  • Rodrigo Bonacin
    • 1
    • 3
  1. 1.Information Technology Center Renato ArcherCampinasBrazil
  2. 2.FEEC–University of CampinasCampinasBrazil
  3. 3.Faculty of Campo Limpo PaulistaCampo Limpo PaulistaBrazil

Personalised recommendations