research-article

Ontology-based security assessment for software products

Authors:

Ju An Wang,

Minzhe Guo,

Hao Wang,

Min Xia,

Linfeng ZhouAuthors Info & Claims

CSIIRW '09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies

Article No.: 15, Pages 1 - 4

https://doi.org/10.1145/1558607.1558625

Published: 13 April 2009 Publication History

Get Access

Abstract

This paper proposes an ontology-based approach to analyzing and assessing the security posture for software products. It provides measurements of trust for a software product based on its security requirements and evidence of assurance, which are retrieved from an ontology built for vulnerability management. Our approach differentiates with the previous work in the following aspects: (1) It is a holistic approach emphasizing that the system assurance cannot be determined or explained by its component assurance alone. Instead, the software system as a whole determines its assurance level. (2) Our approach is based on widely accepted standards such as CVSS, CVE, CWE, CPE, and CAPEC. Our ontology integrated these standards seamlessly thus provides a solid foundation for security assessment. (3) Automated tools have been built to support our approach, delivering the environmental scores for software products.

References

[1]

Peter Mell, Karen Scarfone, and Sasha Romanosky, A Complete Guide to the Common Vulnerability Scoring System (CVSS), Version 2.0, Forum of Incident Response and Security Teams, http://www.first.org/cvss/cvss-guide.html (July 2007).

Google Scholar

[2]

J. A. Wang, M. Xia, and F. Zhang, "Metrics for Information Security Vulnerabilities, Journal of Applied Global Research, Volume 1, No. 1, 2008, pp. 48--58.

Google Scholar

[3]

J. A. Wang, Fengwei Zhang and Min Xia, "Temporal Metrics for Software Vulnerabilities," in Proceedings of CSIIRW'08, May 12--14, 2008, Oak Ridge, TN, USA.

Digital Library

Google Scholar

[4]

NHS and NIST, National Vulnerability Database (NVD), automating vulnerability management, security measurement, and compliance checking, http://nvd.nist.gov/scap.cfm.

Google Scholar

[5]

Ekelhart A. et al., "Security Ontologies: Improving Quantitative Risk Analysis," in Proceedings of the 40^th Annual Hawaii International Conference on System Sciences (HICSS'07), 2007.

Digital Library

Google Scholar

[6]

Goluch G. et al., "Integration of an Ontological Information Security Concept in Risk-Aware Business Process Management," in Proceedings of the 41^st Hawaii International Conference on System Sciences, 2008.

Digital Library

Google Scholar

[7]

Matt Bishop, Computer Security, Art and Science, Addison-Wesley, 2003. ISBN 0201440997.

Google Scholar

[8]

NIST, Information Security Automation Program (ISAP), Automating Vulnerability Management, Security Measurement, and Compliance, Version 1.0 Beta, revised on May 22, 2007.

Google Scholar

[9]

Franz Baader et al. Description Logic Handbook: Theory, Implementation and Application. Cambridge University Press, 2003.

Digital Library

Google Scholar

[10]

N. F. Noy and D. L. McGuinness. Ontology Development 101: A Guide to Creating Your First Ontology. Standford Knowledge Systems Laboratory Technical Report KSL-01-05.

Google Scholar

[11]

T. Gruber. Towards Principles for the Design of Ontologies used for Knowledge Sharing. International Journal of Human-Computer Studies, 1995. 43(5/6): 907--928.

Digital Library

Google Scholar

[12]

Common Vulnerabilities and Exposures. {Online}. The MITRE Corporation. Available: http://cve.mitre.org/.

Google Scholar

[13]

Common Platform Enumeration (CPE). http://cpe.mitre.org/, November, 2008.

Google Scholar

[14]

Common Weakness Enumeration (CWE). http://cwe.mitre.org/, February, 2009.

Google Scholar

Cited By

View all

Wu JWu J(2024)The Framework of Cyber Resilience Engineering Empowered by Endogenous Security and SafetyCyber Resilience System Engineering Empowered by Endogenous Security and Safety10.1007/978-981-97-0116-2_5(279-330)Online publication date: 30-Oct-2024
https://doi.org/10.1007/978-981-97-0116-2_5
Wen SKatt B(2023)SAEOn: An Ontological Metamodel for Quantitative Security Assurance EvaluationComputer Security. ESORICS 2022 International Workshops10.1007/978-3-031-25460-4_35(605-624)Online publication date: 18-Feb-2023
https://doi.org/10.1007/978-3-031-25460-4_35
Wen SKatt B(2022)Ontology-Based Metrics Computation for System Security Assurance EvaluationJournal of Applied Security Research10.1080/19361610.2022.215719019:2(230-275)Online publication date: 19-Dec-2022
https://doi.org/10.1080/19361610.2022.2157190
Show More Cited By

Index Terms

Ontology-based security assessment for software products

Recommendations

Security metrics for software systems
ACMSE '09: Proceedings of the 47th annual ACM Southeast Conference

Security metrics for software products provide quantitative measurement for the degree of trustworthiness for software systems. This paper proposes a new approach to define software security metrics based on vulnerabilities included in the software ...
Ontology of Metrics for Cyber Security Assessment
ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security

Development of metrics that are valuable for assessing security and decision making is an important element of efficient counteraction to cyber threats. The paper proposes an ontology of metrics for cyber security assessment. The developed ontology is ...
OVM: an ontology for vulnerability management
CSIIRW '09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies

In order to reach the goals of the Information Security Automation Program (ISAP) [1], we propose an ontological approach to capturing and utilizing the fundamental concepts in information security and their relationship, retrieving vulnerability data ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

CSIIRW '09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies

April 2009

952 pages

ISBN:9781605585185

DOI:10.1145/1558607

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 April 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CSIIRW '09

CSIIRW '09: Fifth Cyber Security and Information Intelligence Research Workshop

April 13 - 15, 2009

Tennessee, Oak Ridge, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

15
Total Citations
View Citations
686
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)0

Reflects downloads up to 21 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Wu JWu J(2024)The Framework of Cyber Resilience Engineering Empowered by Endogenous Security and SafetyCyber Resilience System Engineering Empowered by Endogenous Security and Safety10.1007/978-981-97-0116-2_5(279-330)Online publication date: 30-Oct-2024
https://doi.org/10.1007/978-981-97-0116-2_5
Wen SKatt B(2023)SAEOn: An Ontological Metamodel for Quantitative Security Assurance EvaluationComputer Security. ESORICS 2022 International Workshops10.1007/978-3-031-25460-4_35(605-624)Online publication date: 18-Feb-2023
https://doi.org/10.1007/978-3-031-25460-4_35
Wen SKatt B(2022)Ontology-Based Metrics Computation for System Security Assurance EvaluationJournal of Applied Security Research10.1080/19361610.2022.215719019:2(230-275)Online publication date: 19-Dec-2022
https://doi.org/10.1080/19361610.2022.2157190
Shao YWu YYang MLuo TWu J(2021)A Large-Scale Study on Vulnerabilities in Linux using Vtopia2021 IEEE 21st International Conference on Software Quality, Reliability and Security Companion (QRS-C)10.1109/QRS-C55045.2021.00157(01-10)Online publication date: Dec-2021
https://doi.org/10.1109/QRS-C55045.2021.00157
Russo EDi Sorbo AVisaggio CCanfora G(2019)Summarizing vulnerabilities’ descriptions to support experts during vulnerability assessment activitiesJournal of Systems and Software10.1016/j.jss.2019.06.001156:C(84-99)Online publication date: 1-Oct-2019
https://dl.acm.org/doi/10.1016/j.jss.2019.06.001
Mavroeidis VJøsang A(2018)Data-Driven Threat Hunting Using SysmonProceedings of the 2nd International Conference on Cryptography, Security and Privacy10.1145/3199478.3199490(82-88)Online publication date: 16-Mar-2018
https://dl.acm.org/doi/10.1145/3199478.3199490
Jevremovic AShimic GVeinovic MRistic N(2017)IP Addressing: Problem-Based Learning Approach on Computer NetworksIEEE Transactions on Learning Technologies10.1109/TLT.2016.258343210:3(367-378)Online publication date: 1-Jul-2017
https://doi.org/10.1109/TLT.2016.2583432
Wen TZhang YWu QYang G(2015)ASVC: An Automatic Security Vulnerability Categorization Framework Based on Novel Features of Vulnerability DataJournal of Communications10.12720/jcm.10.2.107-11610:2(107-116)Online publication date: 2015
https://doi.org/10.12720/jcm.10.2.107-116
Kamongi PKotikela SKavi KGomathisankaran MSinghal A(2013)VULCANProceedings of the 2013 IEEE 7th International Conference on Software Security and Reliability10.1109/SERE.2013.31(218-226)Online publication date: 18-Jun-2013
https://dl.acm.org/doi/10.1109/SERE.2013.31
Oktay KGomathisankaran MKantarcioglu MMehrotra SSinghal A(2013)Towards Data Confidentiality and a Vulnerability Analysis Framework for Cloud ComputingSecure Cloud Computing10.1007/978-1-4614-9278-8_10(213-238)Online publication date: 7-Dec-2013
https://doi.org/10.1007/978-1-4614-9278-8_10
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Security metrics for software systems

Ontology of Metrics for Cyber Security Assessment

OVM: an ontology for vulnerability management