An Extended Ontology for Security Requirements

  • Fabio Massacci
  • John Mylopoulos
  • Federica Paci
  • Thein Thun Tun
  • Yijun Yu
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 83)

Abstract

Security concerns for physical, software and virtual worlds have captured the attention of researchers and the general public, thanks to a series of dramatic events during the past decade. Unsurprisingly, this has resulted in increased research activity on topics that relate to security requirements. At the very core of this activity lies the problem of determining a suitable set of concepts (aka ontology) for modeling security requirements. Many proposals for such ontologies exist in the literature. The main objective of this paper is to amalgamate and extend the security ontologies proposed in [1] and [2]. The amalgamation includes a careful comparison of primitive concepts in Problem Frames and Secure Tropos, but also offers a novel account for rather nebulous security concepts, such as those of vulnerability and threat. The new concepts are justified and related to the literature. Moreover, the paper offers a number of security requirements adopted from industrial case studies, along with their respective representation in terms of the proposed ontology.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Massacci, F., Mylopoulos, J., Zannone, N.: Computer-aided support for secure tropos. Automated Software Engg. 14(3), 341–364 (2007)CrossRefGoogle Scholar
  2. 2.
    Haley, C.B., Laney, R.C., Moffett, J.D., Nuseibeh, B.: Security requirements engineering: A framework for representation and analysis. IEEE Trans. Software Eng. 34(1), 133–153 (2008)CrossRefGoogle Scholar
  3. 3.
    Gruber, T.R.: Toward principles for the design of ontologies used for knowledge sharing. Int. J. Hum.-Comput. Stud. 43(5-6), 907–928 (1995)CrossRefGoogle Scholar
  4. 4.
    Blanco, C., Lasheras, J., Valencia-García, R., Fernández-Medina, E., Toval, A., Piattini, M.: A systematic review and comparison of security ontologies. In: ARES 2008: Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, pp. 813–820. IEEE Computer Society Press, Washington, DC, USA (2008)CrossRefGoogle Scholar
  5. 5.
    Zannone, N.: A requirements engineering methodology for trust, security, and privacy (2006)Google Scholar
  6. 6.
    Jackson, M.: Problem frames: analyzing and structuring software development problems. Addison-Wesley Longman Publishing Co., Inc., Boston (2001)Google Scholar
  7. 7.
    Secure change projectGoogle Scholar
  8. 8.
    Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: An agent-oriented software development methodology. Autonomous Agents and Multi-Agent Systems 8, 203–236 (2004)CrossRefMATHGoogle Scholar
  9. 9.
    Yu, E.S.K.: Modelling strategic relationships for process reengineering. PhD thesis, Toronto, Ont., Canada, Canada, Adviser-Mylopoulos, John (1995)Google Scholar
  10. 10.
    Liu, L., Yu, E.S.K., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: [27], pp. 151–161 (2003)Google Scholar
  11. 11.
    Lin, L., Nuseibeh, B., Ince, D.C., Jackson, M., Moffett, J.D.: Introducing abuse frames for analysing security requirements. In: [27], pp. 371–372 (2003)Google Scholar
  12. 12.
    van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: ICSE, pp. 148–157. IEEE Computer Society, Los Alamitos (2004)Google Scholar
  13. 13.
    Nuseibeh, B., Haley, C.B., Foster, C.: Securing the skies: In requirements we trust. IEEE Computer 42(9), 64–72 (2009)CrossRefGoogle Scholar
  14. 14.
    Hall, J.G., Rapanotti, L., Jackson, M.: Problem frame semantics for software development. Software and System Modeling 4(2), 189–198 (2005)CrossRefGoogle Scholar
  15. 15.
    Laney, R.C., Tun, T.T., Jackson, M., Nuseibeh, B.: Composing features by managing inconsistent requirements. In: du Bousquet, L., Richier, J.L. (eds.) ICFI, pp. 129–144. IOS Press, Amsterdam (2007)Google Scholar
  16. 16.
    Gangemi, A., Guarino, N., Masolo, C., Oltramari, A., Schneider, L.: Sweetening ontologies with DOLCE. Knowledge Engineering and Knowledge Management: Ontologies and the Semantic Web, 223–233 (2002)Google Scholar
  17. 17.
    Gangemi, A., Presutti, V.: Ontology Design Patterns. In: Handbook of Ontologies, 2nd edn., Springer, Berlin (pres)Google Scholar
  18. 18.
    Cordy, J.R.: Txl - a language for programming language tools and applications. Electron. Notes Theor. Comput. Sci. 110, 3–31 (2004)CrossRefGoogle Scholar
  19. 19.
    Blanco, C., Lasheras, J., Garcia, R.V., Fernandez-Medina, E.: A systematic review and comparison of security ontologies (2008)Google Scholar
  20. 20.
    Denker, G., Kagal, L., Finin, T., Sycara, K., Paoucci, M.: Security for daml web services: Annotation and matchmaking. In: Second International Semantic Web Conference (2003)Google Scholar
  21. 21.
    Dobson, G., Sawyer, P.: Revisiting ontology-based requirements engineering in the age of semantic web. International Seminar on Dependable Requirements Engineering of computerised Systems at NPPs (2006)Google Scholar
  22. 22.
    Fenz, S., Weippl, E.: Ontology based it-security planning. In: Twelve Pacific Rim International Symposium on Dependable Computing (2006)Google Scholar
  23. 23.
    Firesmith, D.: Engineering safety related requirements for software intensive systems. In: 27th International Conference on Software Engineering (2005)Google Scholar
  24. 24.
    Karyda, M., Balopoulos, T., Gymnopoulos, L., Kokolakis, S., Lambrinoudakis, C., Gritzalis, S., Dritsas, S.: An ontology for secure e-government applications. In: International Conference on Availability, Reliability and Security (2006)Google Scholar
  25. 25.
    Kim, A., Luo, J., Kang, M.: Securit ontology for annotating resources. In: 4th International Conference on Ontologies, Databases, and Applications of Semantics (2005)Google Scholar
  26. 26.
    Undercoffer, J., Joshi, A., Pinkston, J.: Modeling computer attacks: An ontology for intrusion detection. In: 6th International Symposium on Recent Advances in Intrusion Detection, pp. 113–135. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  27. 27.
    In: RE 11th IEEE International Conference on Requirements Engineering (RE 2003), September 8-12. IEEE Computer Society, Los Alamitos (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Fabio Massacci
    • 1
  • John Mylopoulos
    • 1
  • Federica Paci
    • 1
  • Thein Thun Tun
    • 2
  • Yijun Yu
    • 2
  1. 1.Department of Information Engineering and Computer ScienceUniversity of TrentoItaly
  2. 2.Department of ComputingThe Open UniversityUK

Personalised recommendations