Automating threat modeling using an ontology framework

Threat modeling is of increasing importance to IT security, and it is a complex and resource-demanding task. The aim of automating threat modeling is to simplify model creation by using data that are already available. However, the collected data often lack context, which can make the automated models less precise in terms of domain knowledge than those created by an expert human modeler. This lack of domain knowledge in modeling automation can be addressed with ontologies. In this paper, we introduce an ontology framework to improve automatic threat modeling. The framework is developed with conceptual modeling and validated using three different datasets: a small-scale utility lab, a water utility control network, and a university IT environment. The framework produced successful results, such as standardizing input sources, removing duplicate name entries, and grouping application software more logically.
