A Generic Metamodel for IT Security Attack Modeling for Distributed Systems

Understanding and discussing the security aspects of IT systems during their development is challenging for both domain specialists and IT experts - neglecting this aspect leads to communication problems and, eventually, to less secure systems. An important factor for these challenges is the distribution and variety of basic IT security concepts, attacks, and countermeasures, e.g., in the standard literature. In this paper, we propose a generic metamodel for IT security capturing both its major concepts and their relationships to each other. With a focus on attacks, we show how this model is applied to different scenarios in distributed systems, i.e., Peer-to-Peer systems, Service-oriented Architectures, and Mobile ad hoc Networks. This allows for a better understanding of IT security in general and attacks in particular, thus, enabling effective communication between different parties during the development of security-critical IT systems.

[1]  Markus Schumacher,et al.  Security Engineering with Patterns: Origins, Theoretical Models, and New Applications , 2003 .

[2]  Edward G. Amoroso,et al.  Fundamentals of computer security technology , 1994 .

[3]  Jing Deng,et al.  Wireless ad hoc networks , 2003 .

[4]  Gary McGraw,et al.  Exploiting Software: How to Break Code , 2004 .

[5]  Mike P. Papazoglou,et al.  Service-oriented computing: concepts, characteristics and directions , 2003, Proceedings of the Fourth International Conference on Web Information Systems Engineering, 2003. WISE 2003..

[6]  Ross J. Anderson Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[7]  Mihaela Cardei,et al.  A Survey of Attacks and Countermeasures in Mobile Ad Hoc Networks , 2007 .

[8]  Nils Gruschka,et al.  SOA and Web Services: New Technologies, New Standards - New Attacks , 2007, ECOWS 2007.

[9]  Thomas A. Longstaff,et al.  A common language for computer security incidents , 1998 .

[10]  Ivar Jacobson,et al.  The Unified Modeling Language User Guide , 1998, J. Database Manag..

[11]  Paul Watson,et al.  Experiments Towards Adaptation of Concurrent Workflows , 2007, ECOWS 2007.

[12]  Andrew Jaquith Security Metrics: Replacing Fear, Uncertainty, and Doubt , 2007 .

[13]  Mary Baker,et al.  Mitigating routing misbehavior in mobile ad hoc networks , 2000, MobiCom '00.

[14]  Robert Tappan Morris,et al.  Security Considerations for Peer-to-Peer Distributed Hash Tables , 2002, IPTPS.

[15]  Klaus Wehrle,et al.  Peer-to-Peer Systems and Applications , 2005, Peer-to-Peer Systems and Applications.

[16]  Miguel Castro,et al.  Secure routing for structured peer-to-peer overlay networks , 2002, OSDI '02.

[17]  Bruce Schneier,et al.  Beyond fear - thinking sensibly about security in an uncertain world , 2003 .

[18]  Djamel Djenouri,et al.  A survey of security issues in mobile ad hoc and sensor networks , 2005, IEEE Communications Surveys & Tutorials.

[19]  Andrew P. Moore,et al.  Attack Modeling for Information Security and Survivability , 2001 .

[20]  Matt Bishop,et al.  Computer Security: Art and Science , 2002 .

[21]  D. Pinto Secrets and Lies: Digital Security in a Networked World , 2003 .

[22]  Nicolai M. Josuttis,et al.  Soa In Practice The Art Of Distributed System Design , 2007 .

[23]  강문설 [서평]「The Unified Modeling Language User Guide」 , 1999 .