Abstract
Managing the configuration of heterogeneous enterprise security mechanisms is a highly complex task. The effectiveness of a configuration may be constrained by poor understanding and/or management of the overall security policy requirements, which may, in turn, unnecessarily expose the enterprise to known threats. This paper proposes a threat management approach in which knowledge about the effectiveness of mitigating countermeasures is used to guide the autonomic configuration of security mechanisms. This knowledge is modeled in terms of Semantic Threat Graphs, a variation of the traditional Threat/Attack Tree extended to relate semantic information about security configuration to threats, vulnerabilities and countermeasures. An ontology-based approach to representing and reasoning over this knowledge is taken. A case study on Network Access Controls demonstrates how threats can be analyzed and how automated configuration recommendations can be made from catalogues of best-practice countermeasures.
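The following is an added illustration, not code from the paper: a small Python stand-in for the threat/vulnerability/countermeasure relationships the abstract describes, with a reasoning step that reports which threats a given configuration leaves open and a greedy recommender that picks countermeasures from a best-practice catalogue. The paper itself uses an OWL ontology with rule-based reasoning; the Python set semantics, the threat and countermeasure names, and the greedy strategy here are all constructed assumptions.

```python
"""Toy Semantic Threat Graph (constructed illustration, not the paper's OWL/SWRL model).
Assumed semantics: each vulnerability a threat lists is an independent avenue, so a
threat is mitigated only when every avenue is covered by a deployed countermeasure."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    avenues: frozenset  # vulnerabilities the threat can exploit (any one suffices)

# Constructed best-practice catalogue: countermeasure -> vulnerabilities it mitigates.
# Insertion order is the tie-breaker in recommend().
CATALOGUE = {
    "ingress_filter": frozenset({"spoofable_src"}),
    "syn_cookies": frozenset({"half_open_exhaustion"}),
    "conn_rate_limit": frozenset({"unbounded_conn"}),
    "stateful_firewall": frozenset({"spoofable_src", "unbounded_conn"}),
}
# Constructed threats; names and vulnerabilities are illustrative only.
THREATS = [
    Threat("syn_flood", frozenset({"half_open_exhaustion"})),
    Threat("spoofed_dos", frozenset({"spoofable_src", "unbounded_conn"})),
    Threat("conn_exhaustion", frozenset({"unbounded_conn"})),
]

def covered(deployed):
    """Vulnerabilities mitigated by the deployed countermeasure names."""
    return frozenset().union(*(CATALOGUE[c] for c in deployed))

def unmitigated(deployed, threats=THREATS):
    """Threats with at least one avenue left open by the current configuration."""
    cov = covered(deployed)
    return [t.name for t in threats if not t.avenues <= cov]

def recommend(deployed, threats=THREATS):
    """Greedy recommendation: keep adding the catalogue entry that closes the most
    open avenues until every threat is mitigated or no entry helps."""
    deployed, recs = set(deployed), []
    while True:
        gaps = set().union(*(t.avenues for t in threats)) - covered(deployed)
        candidates = [c for c in CATALOGUE if c not in deployed]
        best = max(candidates, key=lambda c: len(CATALOGUE[c] & gaps), default=None)
        if not gaps or best is None or not CATALOGUE[best] & gaps:
            return recs
        deployed.add(best)
        recs.append(best)
```

With only `syn_cookies` deployed, `unmitigated` reports the spoofing and connection-exhaustion threats, and `recommend` proposes the single catalogue entry that closes both remaining avenues.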
© 2009 IFIP International Federation for Information Processing
Foley, S.N., Fitzgerald, W.M. (2009). An Approach to Security Policy Configuration Using Semantic Threat Graphs. In: Gudes, E., Vaidya, J. (eds) Data and Applications Security XXIII. DBSec 2009. Lecture Notes in Computer Science, vol 5645. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03007-9_3
DOI: https://doi.org/10.1007/978-3-642-03007-9_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03006-2
Online ISBN: 978-3-642-03007-9