Ontology-Based Metrics Computation for System Security Assurance Evaluation
