Threat modeling of cloud systems with ontological security pattern catalog
Abstract
This work considers challenges, related to the lack of methods of automatic threat modeling and well-formed data sources of threats and countermeasures as well as techniques to collect such security knowledge. Cloud computing domain has been in a focus of security scientists and experts for decade, however it is still a problem to make secure the use of cloud systems and their applications, because of distributed nature, variety of deployment models, and different stakeholders. Towards automation of the threat modeling process we have proposed an ontological approach both to analysis of a system design (by an ontology-driven threat modeling framework) and creation of security patterns (by an ontological schema of security pattern). This work briefly describes those efforts and concentrated on an ontological catalog of cloud system threats. The work offers an Academic Cloud Computing Threat Patters (ACCTP) catalog as a way of the threat modeling of cloud systems and a set of design primitives as means of learning cloud security challenges.
Full Text:
PDFReferences
Yskout K. et al. Threat modeling: from infancy to maturity //Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: New Ideas and Emerging Results. – 2020. – С. 9-12.
Tuma K. et al. Automating the early detection of security design flaws //Proceedings of the 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems. – 2020. – С. 332-342.
Xiong W., Lagerström R. Threat modeling–A systematic literature review //Computers & security. – 2019. – Т. 84. – С. 53-69.
Schaad A., Binder D. Ml-supported identification and prioritization of threats in the OVVL threat modelling tool //IFIP Annual Conference on Data and Applications Security and Privacy. – Springer, Cham, 2020. – С. 274-285.
Cagnazzo M. et al. Threat modeling for mobile health systems //2018 IEEE Wireless Communications and Networking Conference Workshops (WCNCW). – IEEE, 2018. – С. 314-319.
Schmittner C. et al. Threat modeling in the railway domain //International Conference on Reliability, Safety, and Security of Railway Systems. – Springer, Cham, 2019. – С. 261-271.
Johnson P., Lagerström R., Ekstedt M. A meta language for threat modeling and attack simulations //Proceedings of the 13th International Conference on Availability, Reliability and Security. – 2018. – С. 1-8.
Berger B. J., Sohr K., Koschke R. The Architectural Security Tool Suite—ARCHSEC //2019 19th International Working Conference on Source Code Analysis and Manipulation (SCAM). – IEEE, 2019. – С. 250-255.
Faily S. et al. Contextualisation of data flow diagrams for security analysis //International Workshop on Graphical Models for Security. – Springer, Cham, 2020. – С. 186-197.
Brazhuk A. Security patterns based approach to automatically select mitigations in ontology-driven threat modelling // Open Semantic Technologies for Intelligent Systems (OSTIS). – 2020. – №. 4. – С. 267-272
Brazhuk A., Olizarovich E. Format and Usage Model of Security Patterns in Ontology-Driven Threat Modelling //Russian Conference on Artificial Intelligence. – Springer, Cham, 2020. – С. 382-392.
Kudryavtsev D., Gavrilova T. An Overview of Practical Ontology Implementation in Decision Support Systems //International Conference Cyber-Physical Systems and Control. – Springer, Cham, 2019. – С. 19-26.
Klyshinsky E. et al. Formalization of Medical Records Using an Ontology: Patient Complaints //International Conference on Analysis of Images, Social Networks and Texts. – Springer, Cham, 2019. – С. 143-153.
Golenkov V. V. et al. Semantic technologies of intelligent systems design and semantic associative computers //Doklady BGUIR. – 2019. – №. 3. – С. 42-50.
Sikos L. F. OWL ontologies in cybersecurity: conceptual modeling of cyber-knowledge //AI in Cybersecurity. – Springer, Cham, 2019. – С. 1-17.
Takahashi T. et al. Web of cybersecurity: Linking, locating, and discovering structured cybersecurity information //International Journal of Communication Systems. – 2018. – Т. 31. – №. 3.
Doynikova E., Fedorchenko A., Kotenko I. A semantic model for security evaluation of information systems //Journal of Cyber Security and Mobility. – 2020. – С. 301–330.
Martins B. F. et al. Conceptual Characterization of Cybersecurity Ontologies //IFIP Working Conference on The Practice of Enterprise Modeling. – Springer, Cham, 2020. – С. 323-338.
Mavroeidis V., Bromander S. Cyber threat intelligence model: an evaluation of taxonomies, sharing standards, and ontologies within cyber threat intelligence //2017 European Intelligence and Security Informatics Conference (EISIC). – IEEE, 2017. – С. 91-98.
Washizaki H. et al. Taxonomy and literature survey of security pattern research //2018 IEEE Conference on Application, Information and Network Security (AINS). – IEEE, 2018. – С. 87-92.
Jafari A. J., Rasoolzadegan A. Security patterns: A systematic mapping study //Journal of Computer Languages. – 2020. – Т. 56.
Xia T. et al. Cloud security and privacy metamodel //Proceedings of the 6th International Conference on Model-Driven Engineering and Software Development. – 2018. – С. 379-386.
Salva S., Regainia L. A catalogue associating security patterns and attack steps to design secure applications //Journal of Computer Security. – 2019. – Т. 27. – №. 1. – С. 49-74.
Hamid B., Gürgens S., Fuchs A. Security patterns modeling and formalization for pattern-based development of secure software systems //Innovations in Systems and Software Engineering. – 2016. – Т. 12. – №. 2. – С. 109-140.
Guan H., Yang H., Wang J. An ontology-based approach to security pattern selection //International Journal of Automation and Computing. – 2016. – Т. 13. – №. 2. – С. 168-182.
Vale A. P., Fernandez E. B. An ontology for security patterns //2019 38th International Conference of the Chilean Computer Science Society (SCCC). – IEEE, 2019. – С. 1-8.
Catteddu D. et al. Cloud computing risk assessment //European Network and Information Security Agency (ENISA). – 2009. – С. 583-592.
Saripalli P., Walters B. Quirc: A quantitative impact and risk assessment framework for cloud security //2010 IEEE 3rd international conference on cloud computing. – Ieee, 2010. – С. 280-288.
Gonzalez N. et al. A quantitative analysis of current security concerns and solutions for cloud computing //Journal of Cloud Computing: Advances, Systems and Applications. – 2012. – Т. 1. – №. 1.
SEcure Cloud computing for CRitical infrastructure IT. [Online]. Available: https://www.seccrit.eu, Accessed on: Nov 27, 2016.
Fernandez E. B., Monge R., Hashizume K. Building a security reference architecture for cloud systems //Requirements Engineering. – 2016. – Т. 21. – №. 2. – С. 225-249.
Rath A. et al. Security Pattern for Cloud SaaS: From System and Data Security to Privacy Case Study in AWS and Azure //Computers. – 2019. – Т. 8. – №. 2. – С. 34.
Soltys M. Cybersecurity in the AWS Cloud //arXiv preprint arXiv:2003.12905. – 2020.
Sen A., Madria S. Application design phase risk assessment framework using cloud security domains //Journal of Information Security and Applications. – 2020. – Т. 55. – С. 102617.
Mozzaquatro B. A. et al. An ontology-based cybersecurity framework for the internet of things //Sensors. – 2018. – Т. 18. – №. 9. – С. 3053.
Choi C., Choi J. Ontology-based security context reasoning for power IoT-cloud security service //IEEE Access. – 2019. – Т. 7.
Xiao Y. et al. Edge computing security: State of the art and challenges //Proceedings of the IEEE. – 2019. – Т. 107. – №. 8.
Wilhjelm C., Younis A. A. A Threat Analysis Methodology for Security Requirements Elicitation in Machine Learning Based Systems //2020 IEEE 20th International Conference on Software Quality, Reliability and Security Companion (QRS-C). – IEEE, 2020. – С. 426-433.
Venkata R. Y., Kamongi P., Kavi K. An Ontology-Driven Framework for Security and Resiliency in Cyber Physical Systems //ICSEA 2018. – 2018. – С. 23.
Wen S. F., Katt B. Managing Software Security Knowledge in Context: An Ontology Based Approach //Information. – 2019. – Т. 10. – №. 6. – С. 216.
Välja M. et al. Automating threat modeling using an ontology framework //Cybersecurity. – 2020. – Т. 3. – №. 1. – С. 1-20.
Islam C., Babar M. A., Nepal S. Architecture-centric support for integrating security tools in a security orchestration platform //European Conference on Software Architecture. – Springer, Cham, 2020. – С. 165-181.
Refbacks
- There are currently no refbacks.
Abava Кибербезопасность IT Congress 2024
ISSN: 2307-8162