Advertisement

A Security Pattern Classification Based on Data Integration

  • Sébastien Salva
  • Loukmen Regainia
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 867)

Abstract

Security patterns are design patterns specialised to provide reusable and general solutions to recurring security problems. These patterns, which capture the strengths of different security approaches, are intended to make the design of maintainable and secure applications easier. The pattern community is continuously providing new security patterns (180 patterns are available at the moment). For a given problem, this growing pattern set along with their abstract presentations make the security pattern choice tedious, even for experts in software design. We contribute in this issue by presenting a method of security pattern classification based upon data extraction and integration. The pattern classification is semi-automatically inferred by means of a data-store integrating disparate publicly available security data. This classification exposes relationships among software attacks, weaknesses, security principles and security patterns. It expresses the pattern combinations that can counter a given attack. Besides the pattern classification, we show that the data-store can be used to generate Attack Defense Trees. In our context, these illustrate, for a given attack, its sub-attacks and the related defenses given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns. Finally, we evaluate on 25 human subjects the benefits of using Attack Defense Trees and a classification established for Web applications, which covers 215 attacks, 136 software weaknesses, 66 security principles and 26 security patterns.

Keywords

Security patterns Classification Data integration CAPEC attacks CWE weaknesses Attack-defense trees 

References

  1. 1.
    Rodriguez, E.: Security Design Patterns, vol. 49 (2003)Google Scholar
  2. 2.
    Schumacher, M., Roedig, U.: Security Engineering with Patterns. Engineering 2754, 1–208 (2001)Google Scholar
  3. 3.
    Slavin, R., Niu, J.: Security patterns repository (2016)Google Scholar
  4. 4.
    Alvi, A.K., Zulkernine, M.: A natural classification scheme for software security patterns. In: 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, pp. 113–120 (2011)Google Scholar
  5. 5.
    Yskout, K., Heyman, T., Scandariato, R., Joosen, W.: A system of security patterns (2006)Google Scholar
  6. 6.
    Alvi, A.K., Zulkernine, M.: A comparative study of software security pattern classifications. In: 2012 Seventh International Conference on Availability, Reliability and Security, pp. 582–589 (2012)Google Scholar
  7. 7.
    Bunke, M., Koschke, R., Sohr, K.: Organizing security patterns related to security and pattern recognition requirements. Int. J. Adv. Secur. 5(1), 46–67 (2012)Google Scholar
  8. 8.
    Anand, P., Ryoo, J., Kazman, R.: Vulnerability-based security pattern categorization in search of missing patterns. In: 2014 Ninth International Conference on Availability, Reliability and Security, pp. 476–483 (2014)Google Scholar
  9. 9.
    Wiesauer, A., Sametinger, J.: A security design pattern taxonomy based on attack patterns. In: International Joint Conference on e-Business and Telecommunications, pp. 387–394 (2009)Google Scholar
  10. 10.
    Regainia, L., Salva, S.: A methodology of security pattern classification and of attack-defense tree generation. In: Camp, O., Furnell, S., Mori, P., (eds): Proceedings of the 3rd International Conference on Information Systems Security and Privacy, ICISSP 2017, Porto, Portugal. SciTePress (2017)Google Scholar
  11. 11.
    MITRE Corporation: Common attack pattern enumeration and classification (2017)Google Scholar
  12. 12.
    Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63, 1278–1308 (1975)CrossRefGoogle Scholar
  13. 13.
    Viega, J., McGraw, G.: Building Secure Software: How to Avoid Security Problems the Right Way, Portable Documents. Pearson Education, New York City (2001)Google Scholar
  14. 14.
    Meier, J., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., Murukan, A.: Improving web application security: threats and countermeasures. Microsoft Corporation 3 (2003)Google Scholar
  15. 15.
    Dialani, V., Miles, S., Moreau, L., De Roure, D., Luck, M.: Transparent fault tolerance for web services based architectures. In: Monien, B., Feldmann, R. (eds.) Euro-Par 2002. LNCS, vol. 2400, pp. 889–898. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-45706-2_126CrossRefGoogle Scholar
  16. 16.
    Meier, J.: Web application security engineering. IEEE Secur. Priv. 4, 16–24 (2006)CrossRefGoogle Scholar
  17. 17.
    Yskout, K., Scandariato, R., Joosen, W.: Do security patterns really help designers? In: Proceedings of the 37th International Conference on Software Engineering, ICSE 2015, vol. 1, pp. 292–302. IEEE Press, Piscataway (2015)Google Scholar
  18. 18.
    Fernandez, E.B., Washizaki, H., Yoshioka, N., Kubo, A., Fukazawa, Y.: Classifying security patterns. In: Zhang, Y., Yu, G., Bertino, E., Xu, G. (eds.) APWeb 2008. LNCS, vol. 4976, pp. 342–347. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78849-2_35CrossRefGoogle Scholar
  19. 19.
    Regainia, L., Salva, S.: Security pattern classification, companion site (2018). http://regainia.com/research/companion.html. Accessed 2018
  20. 20.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2012)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Munawar, H.: Security pattern catalog (2013). http://www.munawarhafiz.com/securitypatterncatalog/. Accessed 2018
  22. 22.
    Tøndel, I.A., Jensen, J., Røstad, L.: Combining misuse cases with attack trees and security activity models. In: International Conference on Availability, Reliability, and Security, ARES 2010, pp. 438–445. IEEE (2010)Google Scholar
  23. 23.
    Uzunov, A.V., Fernandez, E.B.: An extensible pattern-based library and taxonomy of security threats for distributed systems. Comput. Stand. Interfaces 36, 734–747 (2014)CrossRefGoogle Scholar
  24. 24.
    Regainia, L., Salva, S., Bouhours, C.: A classification methodology for security patterns to help fix software weaknesses. In: Proceedings of the 13th ACS/IEEE International Conference on Computer Systems and Applications AICCSA (2016)Google Scholar
  25. 25.
    MITRE Corporation: Common weakness enumeration (2017)Google Scholar
  26. 26.
    Harb, D., Bouhours, C., Leblanc, H.: Using an ontology to suggest software design patterns integration. In: Chaudron, M.R.V. (ed.) MODELS 2008. LNCS, vol. 5421, pp. 318–331. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-01648-6_34CrossRefGoogle Scholar
  27. 27.
    OWASP: The open web application security project (OWASP) (2017). http://www.owasp.org
  28. 28.
    Wassermann, R., Cheng, B.H.: Security patterns. In: PLoP Conference. Michigan State University, Citeseer (2003)Google Scholar
  29. 29.
    Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40196-1_15CrossRefzbMATHGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.LIMOS CNRS UMR 6158, Clermont Auvergne UniversityClermont-FerrandFrance

Personalised recommendations