Improved security requirements engineering using knowledge representation

We introduce in this paper a security meta-model for our SysML-Sec framework, developed to improve the security requirements engineering process through the explicit representation of security concerns with knowledge representation techniques. This meta-model enables the specification of ontological concepts which define the semantics of the security artifacts introduced through SysML-Sec diagrams. This meta-model also enables representing the relationships that tie several such concepts together. This representation is then used for reasoning about the knowledge introduced by system designers as well as security experts through the graphical environment of the SysML-Sec framework. In addition to its documentary aspect, such a meta-model makes it possible to introduce different types of verifications of security requirements and threats, and especially consistency checks regarding the content of all diagrams. We finally present a prototype that integrates meta-model descriptions into the SysML-Sec framework and its implementation using Semantic Web technologies.
