Automated Generation of Attack Routes for Service Security Analysis - A Preliminary Report

i* modeling has been used to characterize service-oriented computing in terms of intentional concepts such as agents, goals, and dependencies, as well as the services they provide or consume. These intentional models provide a rich basis for various kinds of security-related reasoning, such as vulnerability analysis, attack and countermeasure evaluation, and risk assessment. In this work, we aim to explore a reasoning method over i* models that goes beyond evaluating the satisfaction of security properties. We propose a service security modeling approach for the automated generation of attack routes against a specific service. We analyze the security level of each service using the resulting models. We also aim to discover countermeasures and incorporate them into the security analysis process.
