An Ontology-Based Approach to Information Systems Security Management

The complexity of modern information systems (IS) imposes novel security requirements. The ontology paradigm, for its part, aims to support knowledge sharing and reuse in an explicit and mutually agreed manner. In this paper we therefore set the foundations for a knowledge-based, ontology-centric framework for the security management of an arbitrary IS. We demonstrate that high-level policy statements can be linked to deployable security controls and that such a linking is implementable. The framework can support critical security-expert activities, in particular the identification of security requirements and the selection of specific controls and countermeasures. In addition, we present a structured approach for establishing a security management framework and identify its critical parts. Our security ontology is represented in a neutral manner, is based on well-known security standards, and extends widely used information systems modeling approaches.
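The linking the abstract claims, from a policy statement through security requirements and abstract controls down to deployable countermeasures, can be shown with a small ontology-style knowledge base. The example below is an added illustration, not the paper's ontology (the abstract does not reproduce it): the class names, relation names, assets and the sample policy are constructed assumptions. It also adds the check a practitioner wants from such a framework, namely which requirements derived from a policy have no deployable countermeasure covering the asset they apply to.

```python
"""Minimal ontology-style knowledge base linking policy statements to controls.

Added illustration only; the vocabulary below (class names, relation names,
sample policy P1, assets, countermeasures) is an assumption, not the paper's.
"""
from collections import defaultdict

# Relation names (constructed for this example)
TYPE = "rdf:type"
SUBCLASS_OF = "subClassOf"
REFINED_BY = "refinedBy"          # PolicyStatement -> SecurityRequirement
APPLIES_TO = "appliesTo"          # SecurityRequirement -> Asset
SATISFIED_BY = "satisfiedBy"      # SecurityRequirement -> Control (abstract)
IMPLEMENTED_BY = "implementedBy"  # Control -> Control / Countermeasure (deployable)
PROTECTS = "protects"             # Countermeasure -> Asset


class SecurityKB:
    """A tiny triple store with the reasoning this framework needs: traversal
    from a policy statement down to deployable countermeasures, and a gap check
    for requirements that nothing deployable actually covers."""

    def __init__(self):
        self._index = defaultdict(set)  # (subject, predicate) -> {object}

    def add(self, s, p, o):
        self._index[(s, p)].add(o)

    def objects(self, s, p):
        return set(self._index.get((s, p), ()))

    def closure(self, start, p):
        """All nodes reachable from `start` by following `p` one or more times."""
        seen, todo = set(), [start]
        while todo:
            for nxt in self.objects(todo.pop(), p):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def is_a(self, node, cls):
        """Type check that honours subClassOf chains."""
        return any(t == cls or cls in self.closure(t, SUBCLASS_OF)
                   for t in self.objects(node, TYPE))

    def deployable_controls(self, policy, asset=None):
        """Map each requirement refined from `policy` to the deployable
        countermeasures that satisfy it *and* protect an asset it applies to.
        Abstract controls in the implementedBy chain are traversed but not
        reported. Optionally restrict to countermeasures protecting `asset`."""
        result = {}
        for req in self.objects(policy, REFINED_BY):
            targets = self.objects(req, APPLIES_TO)
            for ctl in self.objects(req, SATISFIED_BY):
                for cm in self.closure(ctl, IMPLEMENTED_BY):
                    if not self.is_a(cm, "Countermeasure"):
                        continue  # still an abstract control, keep descending
                    protected = self.objects(cm, PROTECTS)
                    if targets and not (targets & protected):
                        continue  # deployable, but for the wrong asset
                    if asset is not None and asset not in protected:
                        continue
                    result.setdefault(req, set()).add(cm)
        return result

    def uncovered_requirements(self, policy):
        """Requirements refined from `policy` with no covering countermeasure."""
        covered = self.deployable_controls(policy)
        return {r for r in self.objects(policy, REFINED_BY) if r not in covered}


def build_sample_kb():
    """Constructed sample: one policy statement, two requirements, one
    control hierarchy, one deployable countermeasure covering only one asset."""
    kb = SecurityKB()
    kb.add("TechnicalCountermeasure", SUBCLASS_OF, "Countermeasure")
    kb.add("P1", TYPE, "PolicyStatement")
    kb.add("P1", "label", "Customer data in transit must be protected from disclosure")
    kb.add("P1", REFINED_BY, "R1")          # confidentiality of web traffic
    kb.add("P1", REFINED_BY, "R2")          # confidentiality of DB replication link
    kb.add("R1", APPLIES_TO, "WebFrontend")
    kb.add("R2", APPLIES_TO, "CustomerDB")
    kb.add("R1", SATISFIED_BY, "TransportEncryption")
    kb.add("R2", SATISFIED_BY, "TransportEncryption")
    kb.add("TransportEncryption", TYPE, "Control")
    kb.add("TransportEncryption", IMPLEMENTED_BY, "TLSProfile")  # still abstract
    kb.add("TLSProfile", TYPE, "Control")
    kb.add("TLSProfile", IMPLEMENTED_BY, "TLS12PlusOnWeb")       # deployable
    kb.add("TLS12PlusOnWeb", TYPE, "TechnicalCountermeasure")
    kb.add("TLS12PlusOnWeb", PROTECTS, "WebFrontend")
    # Nothing deployable protects CustomerDB, so R2 should surface as a gap.
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    print("deployable:", kb.deployable_controls("P1"))
    print("uncovered:", kb.uncovered_requirements("P1"))
```

The gap check is the part worth keeping in a real deployment: a requirement that maps to an abstract control but to no countermeasure protecting its asset is exactly the "critical part" the abstract says the framework should help an expert identify.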