Ontology-Based Metrics Computation for System Security Assurance Evaluation

Figures & data

Figure 1. Compositions of the security assurance evaluation model.

Table 1. Exemplary assurance criteria in web applications.

Security requirement criteria	Vulnerability criteria
Authentication	Broken access control
Access control	Cryptographic failure
Validation, sanitization, and encoding	Injection
Data protection	Identification and authentication failure

Table 2. Exemplary assurance elements (security requirement elements).

Security requirement criteria	Security requirement element
Authentication	Password security
	Credential storage
	Credential recovery
	One time verifier
Validation, sanitization, and encoding	Input validation
	Sanitization and sandboxing
	Output encoding
	Deserialization prevention

Table 3. Exemplary assurance conditions (security requirement conditions).

Security requirement element	Security requirement condition
Password security	The passwords should be at least 64 characters are permitted, and passwords of more than 128 characters are denied.
	Password truncation is not performed. However, consecutive multiple spaces may be replaced by a single space.
	Any printable Unicode character, including language-neutral characters, such as spaces and Emojis, is permitted in passwords.
	Password change functionality requires the user’s current and new passwords.
	A password strength meter is provided to help users set a stronger password.

Figure 2. Sample hierarchical structure of the security assurance evaluation.

Table 4. Symbols used in the assurance evaluation.

Symbol	Description
AT	Assurance target
SRP	Security requirement perspective
VUP	Vulnerability perspective
SRC	Security requirement criteria
VUC	Vulnerability criteria
SRE	Security requirement element
VUE	Vulnerability element
SRD	Security requirement condition
VUD	Vulnerability condition

Table 5. Assurance level.

Assurance level	Security level
[0.0–1.0]	No Security
[1.0–4.0]	Low Security
[4.0–7.0]	Moderate Security
[7.0–9.0]	Good Security
[9.0–10.0]	Excellent Security

Figure 3. Overview of the ontology-based approach for generating security assurance metrics.

Figure 4. Classes of the security assurance ontology in Protégé.

Figure 5. Illustration of relationships between classes.

Table 6. Objective properties of the security assurance ontology.

Object property	Domain	Range
hasAssurancePerspective	Assurance target	Assurance perspective
hasAssuranceCriteria	Assurance perspective	Assurance criteria
hasAssuranceElement	Assurance criteria	Assurance element
hasAssuranceCondition	Assurance element	Assurance condition

Figure 6. Configurations of data properties in Protégé.

Table 7. Data properties and their annotations.

Data property	Short name	Sequence
AT-SAL	Security assurance level	5
AT-SAS	Security assurance score	4
SRP-PER	Performance of overall security requirements	3
SRP-MAX	Max. score of overall security requirements	3
SRP-ACT	Actual score of overall security requirements	3
SRC-WGH	Weight factor of SRC
SRC-ACT	Actual score of SRC	2
SRC-FF	Number of full fulfilled security requirements in SRC	2
SRC-PF	Number of partially fulfilled security requirements in SRC	2
SRC-NF	Number of unfulfilled security requirements in SRC	2
SRE-ACT	Actual score of SRE	1
SRD-ACT	Actual score of SRD
VUP-MAX	Max. score of overall security vulnerabilities	3
VUP-ACT	Actual score of overall security vulnerabilities	3
VUC-RSK	Risk factor of VUC
VUC-ACT	Actual score of VUC	2
VUC-EE	Number of existing vulnerabilities in VUC	2
VUC-NE	Number of non-existed vulnerabilities in VUC	2
VUE-ACT	Actual score of VUE	1
VUD-ACT	Actual score of SRD

Figure 7. Encoding classes in RDF/XML.

Figure 8. Encoding data properties in RDF/XML.

Table 8. Excerpt of SWRL rules used within the ontology.

No.	Rule
R01	AssuranceTarget(?t) → AT-SAL(?t, 0)
R02	AssuranceTarget(?t) → AT-SAS(?t, 0)
R03	AP-SecurityRequirement(?sr) → SRP-ACT(?sr, 0)
R04	AP-SecurityRequirement(?sr) → SRP-MAX(?sr, 0)
R05	AP-SecurityRequirement(?sr) → SRP-PER(?sr, 0)
R06	AC-SecurityRequirement(?sr) → SRC-ACT(?sr, 0)
R07	AC-SecurityRequirement(?sr) → SRC-WGH(?sr, 0)
R08	AC-SecurityRequirement(?sr) → SRC-FF(?sr, 0)
R09	AC-SecurityRequirement(?sr) → SRC-PF(?sr, 0)
R10	AC-SecurityRequirement(?sr) → SRC-NF(?sr, 0)
R11	AE-SecurityRequirement(?sr) → SRE-ACT(?sr, 0)
R12	AD-SecurityRequirement(?sr) → SRD-ACT(?sr, 0)
R13	AP-Vulnerability(?vu) → VUP-ACT(?vu, 0)
R14	AP-Vulnerability(?vu) → VUP-MAX(?vu, 0)
R15	AC-Vulnerability(?vu) → VUC-ACT(?vu, 0)
R16	AC-Vulnerability(?vu) → VUC-EE(?vu, 0)
R17	AC-Vulnerability(?vu) → VUC-NE(?vu, 0)
R18	AC-Vulnerability(?vu) → VUC-RSK(?vu, 0)
R19	AE-Vulnerability(?vu) → VUE-ACT(?vu, 0)
R20	AD-Vulnerability(?vu) → VUD-ACT(?vu, 0)

Figure 9. Implementation of the metrics calculation engine.

Figure 10. Configuration of individuals in Protégé.

Figure 11. SWRL Rules in Protégé and the corresponding inferences.

Figure 12. The SPARQL statement and the execution result of CQ 1.

Figure 13. The SPARQL statement and the execution result of CQ 2.

Figure 14. The SPARQL statement and the execution result of CQ 3.

Figure 15. Implementation architecture of the prototyped ontology-based application.

Figure 16. The Prototyped application using the ontology-based approach.

Figure 17. The user interface for security requirement metrics.

Figure 18. The user interface for vulnerability metrics.

Figure 19. The data property configurations for the case study.

Figure 20. The result of the case study (scenario).