Managing Software Security Knowledge in Context: An Ontology Based Approach

In the setting of software development, knowledge can be both dynamic and situation specific, and the complexity of that knowledge usually exceeds the capacity of individuals to solve problems by themselves. Software developers require knowledge not only about general security concepts but also about the context for which the software is being developed. With traditional security knowledge formats, which are usually organized in a security-centric way, it is difficult for knowledge users to retrieve the security information they need to meet the requirements of their working context. For security knowledge to effectively regulate practice and become an essential part of practical software development, we argue that it must first incorporate additional features: it must specify which contextual information is to be handled, and then represent the security knowledge in a format that is understandable and acceptable to the individuals who use it. This study introduces a novel ontology-based approach for modeling security knowledge in a context-sensitive manner, so that security knowledge can be retrieved while taking the context of the application at hand into consideration. In this paper, we present our security ontology together with its design concepts and evaluation process.
