Security-by-Ontology: A Knowledge-Centric Approach

We present a security ontology (SO) that can serve as the basis for the security management of an arbitrary information system. The SO supports modeling of risk assessment knowledge, abstraction of security requirements, and the interoperability, aggregation and reasoning over reusable security knowledge. It is built by exploiting security-related knowledge drawn from diverse sources. We demonstrate that establishing such a framework is feasible and, furthermore, that an SO can support critical activities of a security expert, e.g. identifying security requirements and selecting specific countermeasures. We also present and discuss an implementation of a specific SO, accompanied by results on how an SO can be built and populated with security information.
