Enhancing Model Driven Security through Pattern Refinement Techniques

Security requirements are typically defined at a business abstract level by non-technical security officers. However, in order to fulfill the security requirements, technical security controls or mechanisms have to be considered and deployed on the target system. Based on these security controls security patterns have to be selected. The MDS (Model Driven Security) approach uses security requirement models at a high level of abstraction to automatically generate security artefacts that configure security services. The main drawback of the current MDS solutions is that they consider just one security pattern for each security requirement. Current SOA and cloud services are scattered across multiple heterogeneous security domains. Partners and clients with different security infrastructures are changing continuously, which requires the support of multiple patterns for the same security service. The challenge is to provide configurable security services that can support different patterns. In order to overcome this shortcoming we propose a framework that integrates pattern refinement to the MDS approach. In this approach a security pattern refinement layer is added to the traditional MDS layers. The pattern refinement layer supports the configuration of one security service with different patterns, which are stored in a pattern catalog. For example, our approach enables the generation of security artefacts that configure a non-repudiation service to support both fair non-repudiation and naive non-repudiation patterns.

[1]  Ruth Breu,et al.  Towards a MOF/QVT-Based domain architecture for model driven security , 2006, MoDELS'06.

[2]  Hironori Washizaki,et al.  Report on the 2nd Workshop on Software Patterns and Quality: (SPAQu'08) , 2008 .

[3]  Alexander K. Wißpeintner,et al.  Extended Description Techniques for Security Engineering , 2001, SEC.

[4]  Ruth Breu,et al.  SeAAS - A Reference Architecture for Security Services in SOA , 2009, J. Univers. Comput. Sci..

[5]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[6]  Eduardo B. Fernández,et al.  A Pattern-Driven Security Process for SOA Applications , 2008, ARES.

[7]  Yuichi Nakamura,et al.  Adding Authentication to Model Driven Security , 2006, 2006 IEEE International Conference on Web Services (ICWS'06).

[8]  Jean-Marc Jézéquel,et al.  ≪UML≫ 2002 — The Unified Modeling Language , 2002, Lecture Notes in Computer Science.

[9]  Jan Jürjens,et al.  Secure systems development with UML , 2004 .

[10]  Mario Piattini,et al.  A BPMN Extension for the Modeling of Security Requirements in Business Processes , 2007, IEICE Trans. Inf. Syst..

[11]  Mario Piattini,et al.  Security patterns and requirements for internet-based applications , 2006, Internet Res..

[12]  Mario Piattini,et al.  Comparison of Security Patterns , 2006 .

[13]  Christoph Meinel,et al.  Modelling Security Goals in Business Processes , 2008, Modellierung.

[14]  Markus Schumacher,et al.  Security Engineering with Patterns: Origins, Theoretical Models, and New Applications , 2003 .

[15]  Hironori Washizaki,et al.  Abstract security patterns , 2008 .

[16]  John C. Mitchell,et al.  A derivation system and compositional logic for security protocols , 2005, J. Comput. Secur..

[17]  Andreas Schaad,et al.  Model-driven business process security requirement specification , 2009, J. Syst. Archit..

[18]  Ulrich Lang,et al.  Developing Secure Distributed Systems with CORBA , 2002 .

[19]  Ruth Breu,et al.  Security engineering for service-oriented architectures , 2008 .

[20]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.