O. T. Arogundade,A. T. Akinwale,Z. Jin,X. G. Yang

DOI: https://doi.org/10.1080/19393555.2011.652290

2012-01-01

Abstract:ABSTRACT Misuse cases are currently used to identify safety and security threats and subsequently capture safety and security requirements. There is limited consensus to the precise meaning of the basic terminology used for use/misuse case concepts. This paper delves into the use of ontology for the formal representation of the use-misuse case domain knowledge for eliciting safety and security requirements. We classify misuse cases into different category to reflect different type of misusers. This will allow participants during the requirement engineering stage to have a common understanding of the problem domain. We enhanced the misuse case domain to include abusive misuse case and vulnerable use case in order to boost the elicitation of safety requirements. The proposed ontological approach will allow developer to share and reuse the knowledge represented in the ontology thereby avoiding ambiguity and inconsistency in capturing safety and security requirements. OWL protégé 3.3.1 editor was used for the ontology coding. An illustration of the use of the ontology is given with examples from the health care information system.

Honghong Jiang,Xiaohu Yang

DOI: https://doi.org/10.1109/TENCON.2009.5396045

2009-01-01

Abstract:A large portion of software project failures are caused by incomplete and incorrect requirements. Thus, requirement elicitation is a very critical step in the software development lifecycle. Information gathered from customers needs to be interpreted, analyzed and validated. Customers could hardly articulate their requirement accurately which may cause the misunderstanding. Furthermore, inconsistency may exist between requirements proposed by different customers. In this paper, we propose a model to elicit performance requirement from customers for financial information system (FIS) based on ontology. This model divides the performance requirements into three levels: system level, subsystem level and component level. Each level has respective performance metrics and aims at different roles of stakeholders. Between levels, ontology's inference function is used to validate and complete the requirements. This model is illustrated in a study of performance requirement acquiring for a fund information preparation system.

Oluwasefunmi 'Tale Arogundade,Olusola J. Adeniran,Zhi Jin,Xiaoguang Yang

DOI: https://doi.org/10.4018/ijsse.2016070101

2016-01-01

International Journal of Secure Software Engineering

Abstract:Resource allocation decisions can be enhanced by performing risk assessment during the early development phase. In order to improve and maintain the security of the Information System IS, hereafter, there is need to build risk analysis model that can dynamically analyze threat data collected during the operational lifetime of the IS. In this paper the authors propose an ontological approach to accomplishing this goal. They present analyzer model and architecture, an agent-based risk analysis system ARAS which gathers identified threats events, probe them and correlates those using ontologies. It explores both quantitative and qualitative risk analysis techniques using real events data for probability predictions of threats based on an existing designed security ontology. To validate the feasibility of the approach a case study on e-banking system has been conducted. Simulated IDS output serves as input into the risk analysis system. The authors used JADE to implement the agents, protégé OWL to create the ontology and ORACLE 11g SQL developer for the database. Optimistic results were obtained.

Fengjie Zhan,Xiaoyu Wang,Huaxiao Liu,Lei Liu

DOI: https://doi.org/10.1007/978-3-662-48634-4_9

2015-01-01

Abstract:With the popularization of the application of the embedded system, the embedded software has been developed rapidly and then becomes a new growing power. So the research on the safety requirements of the embedded software is becoming more and more important. However, for the analysis of safety requirements, a very important step is the description of safety requirements. This paper proposes a description method of the embedded software based on ontology. And ontology is good for sharing and reuse of knowledge, as well as automatic reasoning. For the embedded software, we use ontology to define the concepts and their relations, and then we construct a model to describe the common concepts. Finally, we give an example to prove our model useful.

O. T. Arogundade,A. T. Akinwale,Z. Jin,X. G. Yang

DOI: https://doi.org/10.4018/jisp.2011100102

2011-01-01

International Journal of Information Security and Privacy

Abstract:This paper proposes an enhanced use-misuse case model that allows both safety and security requirements to be captured during requirements elicitation. The proposed model extends the concept of misuse case by incorporating vulnerable use case and abuse case notations and relations that allows understanding and modeling different attackers and abusers behaviors during early stage of system development life cycle and finishes with a practical consistent combined model for engineering safety and security requirements.The model was successfully applied using health care information system gathered through the university of Kansas HISPC project. The authors were able to capture both security and safety requirements necessary for effective functioning of the system. In order to enhance the integration of the proposed model into risk analysis, the authors give both textual and detailed description of the model. The authors compare the proposed approach with other existing methods that identify and analyze safety and security requirements and discovered that it captures more security and safety threats.

Haibo Hu,Dan Yang,Hong Xiang,Li Fu,Chunxiao Ye,Ren Li

DOI: https://doi.org/10.5220/0003588301030112

2011-01-01

Abstract:Eliciting security requirements is critical but hard for non-expert to fulfill an exhaustive analysis on large body of security knowledge. Emerging models in requirements engineering (RE) society release some burden of such difficulty, as well as security ontologies are booming for knowledge sharing and reuse. There exists necessity for the synergy of them, such as utilizing security ontology (So) as the back end of Knowledge Base (KB) for capturing security requirements by using known RE models. Research advances in the Semantic Web (Sw) community provide a common framework of technologies that allows data to be shared and reused across boundaries of various application and community. This paper proposes a knowledge base which is constructed on So and Misuse Case Model (McM), by representing them into Owl., (Web Ontology Language). Semantic rules can be derived from the correlation of So and MCM to be utilized for reasoning and querying security knowledge via Mcm-based requirements elicitation. The proposed KB coordinates So with a specific RE model to facilitate knowledge sharing to be a foundation for eliciting security requirements automatically.

Xuejiao Xing,Botao Zhong,Hanbin Luo,Heng Li,Haitao Wu

DOI: https://doi.org/10.1016/j.compind.2019.04.001

IF: 10

2019-01-01

Computers in Industry

Abstract:Safety risk identification of metro construction is a knowledge-intensive process involving various stakeholders and communities. Currently, safety risk information related to decision making in metro construction is ill-structurally stored in various disordered formats, which hinders knowledge sharing and reuse. This study develops a domain ontology (SRI-Onto) to formalize safety risk knowledge in metro construction to support safety risk identification. An ontology development method with five steps is adopted. The SRI-Onto organizes safety risk knowledge into seven unified classes (i.e. project, construction activity, risk factor, risk, risk grade, risk consequence, and risk prevention measure). Defined classes, together with corresponding properties and relations, are coded using the Protégé platform. Finally, the SRI-Onto is evaluated theoretically and practically, using criteria-based and application-based evaluations respectively. Results indicate that the SRI-Onto possesses the necessary and essential criteria to serve the purpose of knowledge sharing and reuse. Further, the SRI-Onto is predicted to be generally applicable to safety risk identification of metro construction.

Rui Li,Shilong Ma,Wentao Yao

DOI: https://doi.org/10.1109/cit/iucc/dasc/picom.2015.126

2015-01-01

Abstract:As a kind of critical system, safety-critical system is always used for the key areas such as aerospace, national defense, transportation, nuclear energy, health and so on, which require the high security. Due to the inherent defects which caused by the complexity of the organizational structure, and the external threats which caused by the open and dynamic environment, some unexpected results will be produced inevitably which reduce the credibility of the safety-critical system. Therefore, requirements analysis for credibility validation has gradually become an essential work. However, there still lacks a systematic method to guide the elicitation of trustworthiness requirements. In this paper, we present an ontology-based requirements analysis method to elicit and model the credibility-related requirements. Using the formal representation, we model the system from static and dynamic aspects, model the inherent defects and the external threats that may exist. Further, we enable a set of rules to reason the requirements from the knowledge base we build. At last, the approach is evaluated on a mission electronic system.

JIN Zhi

DOI: https://doi.org/10.3321/j.issn:0254-4164.2000.05.006

2000-01-01

Chinese Journal of Computers

Abstract:This paper presents a new approach to support the elicitation process. Based on the enterprise information systems, this approach is using the enterprise ontology and the domain ontology as the requirements meta models to steer domain users describing their real systems systematically. By reusing the domain software models, the requirements model of the target system can be constructed automatically. Compared with the available approaches for requirements elicitation, the approach presented in the paper shows the following significant features. First, it interacts with domain users using domain terminology, not software terminology, so allows the involvement of domain users. Secondly, it is possible to guarantee a complete, consistent and unambiguous requirements specification under the guidance of these meta models. Finally, it supports the automated construction of application requirements models with the help of its rich knowledge.

Hu Xuan,Wang Yichen,Liu Bin,Lu Minyan

2009-01-01

Abstract:Nowadays, there are many researches on the ontology-based software requirements elicitation approach. However, there are still some disadvantages. One of the disadvantages is lacking of researches on military aircraft systems (MAS) ontology. Another is lacking of ontology-based software safety requirements elicitation approaches. This paper adopts ontology to construct the safety requirements knowledge multi-ontology framework (SRKMOF) of MAS. Moreover it introduces the software safety requirements error pattern (SSREP) which can be merged into the foregoing framework to enrich ontology knowledge. Furthermore the multi-ontology based safety requirements elicitation approach can be obtained. The SSREP can be weaved into the task ontology (TO) by aspect-oriented method (AOM). Finally, a case study is presented to validate the effectiveness of the proposed safety requirements elicitation approach. The results show that the number of safety requirements errors in safety requirements document obtained by the proposed approach is less than the comparative approach. It shows that the proposed approach is effective.

Tong Li,Xiaowei Wang,Yeming Ni

DOI: https://doi.org/10.1016/j.is.2020.101699

IF: 3.18

2022-02-01

Information Systems

Abstract:<p>Along with the rapid development of socio-technical systems, people are playing an increasingly important role in information system and have actually become an essential system component. However, unlike technology-based attacks that have been investigated for decades, social engineering attacks have not been efficiently addressed. In particular, due to the interdisciplinary nature of social engineering, there is a lack of consensus on its definition, hindering the further development of this research field. In this paper, we propose a comprehensive and fundamental ontology of social engineering based on a systematic review of existing social engineering taxonomies and ontologies in order to provide a theoretical foundation for social engineering analysis. The essential contributions of this paper include: (1) propose a comprehensive ontology of social engineering and precisely specify ontological definitions of its essential concepts based on Situation Calculus; (2) enumerate and summarize a set of social engineering techniques and present their fine-grained classification based on the proposed ontology; (3) incorporate psychology and sociology knowledge into social engineering analysis, encapsulating such knowledge in terms of a formalized ontology. We have evaluated our ontology based on a set of real social engineering attacks, the results of which show the usefulness of our proposal.</p>

computer science, information systems

Siv Hilde Houmb,Shareeful Islam,Eric Knauss,Jan Jürjens,Kurt Schneider

DOI: https://doi.org/10.1007/s00766-009-0093-9

2009-11-28

Requirements Engineering

Abstract:Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 Common Criteria (CC) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the CC. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the CC and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the CC, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the CC and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the CC, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.

computer science, information systems, software engineering

Ítalo Oliveira,Tiago Prince Sales,João Paulo A. Almeida,Riccardo Baratella,Mattia Fumagalli,Giancarlo Guizzardi

DOI: https://doi.org/10.1007/s10270-024-01149-1

2024-02-17

Software & Systems Modeling

Abstract:Enterprise Risk Management involves the process of identification, evaluation, treatment, and communication regarding risks throughout the enterprise. To support the tasks associated with this process, several frameworks and modeling languages have been proposed, such as the Risk and Security Overlay (RSO) of ArchiMate. An ontological investigation of this artifact would reveal its adequacy, capabilities, and limitations w.r.t. the domain of risk and security. Based on that, a language redesign can be proposed as a refinement. Such analysis and redesign have been executed for the risk elements of the RSO grounded in the Common Ontology of Value and Risk . The next step along this line of research is to address the following research problems: What would be the outcome of an ontological analysis of security-related elements of the RSO? That is, can we identify other semantic deficiencies in the RSO through an ontological analysis? Once such an analysis is provided, can we redesign the security elements of the RSO accordingly, in order to produce an improved artifact? Here, with the aid of the Reference Ontology for Security Engineering (ROSE) and the ontological theory of prevention behind it, we address the remaining gap by proceeding with an ontological analysis of the security-related constructs of the RSO. The outcome of this assessment is an ontology-based redesign of the ArchiMate language regarding security modeling. In a nutshell, we report the following contributions: (1) an ontological analysis of the RSO that identifies six limitations concerning security modeling; (2) because of the key role of the notion of prevention in security modeling, the introduction of the ontological theory of prevention in ArchiMate; (3) a well-founded redesign of security elements of ArchiMate; and (4) ontology-based security modeling patterns that are logical consequences of our proposal of redesign due to its underlying ontology of security. As a form of evaluation, we show that our proposal can describe risk treatment options, according to ISO 31000. Finally, besides presenting multiple examples, we proceed with a real-world illustrative application taken from the cybersecurity domain.

computer science, software engineering

Yuqin Lee,Wenyun Zhao

DOI: https://doi.org/10.1109/imsccs.2006.188

2006-01-01

Abstract:Domain requirements are fundamental for software reuse and are the product of domain analysis. This paper presents an ontology based approach to elicit and analyze domain requirements. An ontology definition is given out. Problem domain is decomposed into several sub problem domains by using subjective decomposition method. The top-down refinement method is used to refine each sub problem domain into primitive requirements. Abstract stakeholders are used instead of real ones when decomposing problem domain and domain primitive requirements are represented by ontology. Not only domain commonality, variability and qualities are presented, but also reasoning logic is used to detect and handle incompleteness and inconsistency of domain requirements. In addition, a case of 'spot and futures transaction' domain is used to illustrate the approach

Golnaz Elahi,Eric Yu,Tong Li,Lin Liu

DOI: https://doi.org/10.1109/compsac.2011.48

2011-01-01

Abstract:Various governmental or academic institutes survey current security trends, and report vulnerabilities, security breaches, and their costs. However, it is unclear whether (and how) practitioners analyze these vulnerabilities and attacks to arrive at security requirements and decide on security solutions. What modeling methods are used for eliciting, analyzing, and documenting security requirements in real-world practice? This paper intends to answer such questions through a survey of security requirements engineering practices. 374 software professionals from 237 International and Chinese firms participated in the survey. The results show businesses often try to consider security from early stages of the development life cycle, however, ultimately, security is left to be built into the system at the implementation phase. We observed that practitioners favour qualitative risk assessment rather than quantitative approaches, and this helps them consider more varieties of factors when comparing alternative security design solutions.

Alfred Ka Yiu Wong,Nandan Paranesh,Pradeep Ray

DOI: https://doi.org/10.1142/s0218213006003120

IF: 1.1

2006-01-01

International Journal on Artificial Intelligence Tools

Abstract:In the past decade, ontology has been actively researched in various domains. The different ontological tasks range from simple language modeling in the linguistic domain, to semantic integration in the semantic web, and recently to application-specific tasks such as financial fraud management. We follow the trend and attempt to tackle some of the ontological problems in security management. The most complicated problem out of all is the semantic interoperability problem that is evident in the existence of various types of security elements such as IDS, firewall and virus scanner. Another problem is related to the semantic modeling tasks required for autonomous and intelligent reasoning. Semantic modeling of security events is essential for automatic and intelligent event correlation tasks that analyze semantically the different sources of security information to more accurately present the holistic network security status. We present in this paper a novel and formal ontology mapping approach and security ontology for the supporting and possibly resolution of these problems.

Xiaohong Chen,Zhi Jin

DOI: https://doi.org/10.1142/s0218194016500029

IF: 1.007

2016-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Requirements elicitation is one of the most important and challenging issues in requirements engineering. This paper proposes a systematic approach for capturing the software requirements from the expected interactions between the software-to-be and its interactive environment. Firstly, the software environment ontology and the interaction ontology are developed for serving as the meta-models for the descriptions of the interactive environment and the interactions. Then a process has been proposed for guiding the analysts to capture the software requirements step by step from descriptions of the interactive environment and the expected interactions. Finally, a case study has been presented for illustrating the usage of our approach.

Loredana Mocean,Miranda-Petronella Vlad

DOI: https://doi.org/10.2478/raft-2024-0017

2024-06-01

Land Forces Academy Review

Abstract:Abstract In this paper we propose a cybersecurity ontology model designed for universities, aiming to facilitate the management and protection of sensitive data and information within the context of the growing cybersecurity threats. The proposed ontology includes four distinct hierarchical levels: the basic level, the conceptual level, the instance level and the relationships level. At the basic level, it defines essential terms and principles of cybersecurity, including concepts like vulnerability, threat, cyber-attack, security policies and security rules. At the conceptual level, the ontology categorizes information and cybersecurity systems, embracing domains such as data protection, authentication, authorization, and auditing. At the instance level, the ontology describes specific examples of information and cybersecurity systems used in universities, such as the library management system or the accounting management system. At the relationships level, the ontology establishes links between different categories of information and cybersecurity systems, as well as between these systems and the entities that use them, such as students, professors and administrative staff. By implementing this cybersecurity ontology, universities can improve the management and protection of their sensitive data and information, as well as respond more efficiently to cybersecurity threats.

Ge Li,Zhi Jin,Yan Xu,Yangyang Lu

DOI: https://doi.org/10.1007/978-3-642-25975-3_19

2011-01-01

Abstract:Requirements elicitation is one of the hardest and most critical parts of software development. Ontology technology provides a good way to support this work. In the literature, there many methods proposed about how to make use of ontology in requirement elicitation. However most of such methods assume that there already exists some domain ontology for reuse. Different from this works, our approach breaks this assumption and claims that we should merge the ontology acquiring process and the requirement elicitation process together. In order to do that, this paper proposes an upper level ontology for process centered problem domain to help the analysts to represent the requirement, and defines an engineerable process to guide the ontology acquiring integrated requirement elicitation process. In the end, we make a case study in the taxation domain to illustrate the effectiveness of our approach.

Junlu Yan,Junwen Liu,Hetian Feng,Tian Wang,Bilang Zhang,Jiarui Zhang

DOI: https://doi.org/10.1109/yac63405.2024.10598700

2024-01-01

Abstract:With the increasing complexity of power systems and the evolving nature of cyber threats, traditional security management methods are facing growing challenges. The effective integration of cyber security and physical security is key to enhancing overall safety. This study proposes an innovative ontological design approach aimed at constructing a comprehensive semantic network suitable for the integration of these two safety aspects within power systems. Initially, ontologies for cyber security and physical security were designed separately, defining the key entities and their attributes for each. Subsequently, these two ontologies were effectively combined to form a comprehensive ontology model that fully reflects the integration needs of cyber and physical security. This model not only reveals the intrinsic connections between cyber and physical security but also provides new strategies and methods for identifying and preventing cross-domain security threats. Through empirical analysis and case studies, this study validates the effectiveness of the proposed method in enhancing the security of power systems, especially in facilitating early detection and response to security incidents. The findings of this research offer a new perspective and tool for power system security management, holding significant theoretical and practical implications for the deep integration of cyber and physical security.