Decentralized Semantic Threat Graphs

Threat knowledge-bases such as those maintained by MITRE and NIST provide a basis with which to mitigate known threats to an enterprise. These centralized knowledge-bases assume a global and uniform level of trust for all threat and countermeasure knowledge. In practice, however, these knowledge-bases are composed of threats and countermeasures that originate from a number of threat providers, for example, Bugtraq. As a consequence, threat knowledge consumers may wish to trust only knowledge about threats and countermeasures that has been provided by a particular provider or set of providers. In this paper, a trust management approach is taken with respect to threat knowledge-bases. This provides a basis with which to decentralize and delegate trust for knowledge about threats and their mitigation to one or more providers. Threat knowledge-bases are encoded as Semantic Threat Graphs. An ontology-based delegation scheme is proposed to manage trust across a model of distributed Semantic Threat Graph knowledge-bases.
