Abstract
The complexity of modern information systems (IS) imposes novel security requirements. On the other hand, the ontology paradigm aims to support knowledge sharing and reuse in an explicit and mutually agreed manner. Therefore, in this paper we set the foundations for establishing a knowledge-based, ontology-centric framework for the security management of an arbitrary IS. We demonstrate that linking high-level policy statements to deployable security controls is possible and that the implementation is achievable. This framework may support critical security expert activities, namely the identification of security requirements and the selection of specific controls and countermeasures. In addition, we present a structured approach for establishing a security management framework and identify its critical parts. Our security ontology is represented in a neutral manner, based on well-known security standards, extending widely used information systems modeling approaches.
© 2005 Springer-Verlag Berlin Heidelberg
Tsoumas, B., Dritsas, S., Gritzalis, D. (2005). An Ontology-Based Approach to Information Systems Security Management. In: Gorodetsky, V., Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2005. Lecture Notes in Computer Science, vol 3685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11560326_12
DOI: https://doi.org/10.1007/11560326_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29113-8
Online ISBN: 978-3-540-31998-6