Similar literature
20 similar documents found
1.
Secure software development should begin at the early stages of the development life cycle. Misuse case modeling is a technique that stems from traditional use case modeling and facilitates the elicitation and modeling of functional security requirements at the requirements phase. Misuse case modeling is an effective vehicle for identifying a large subset of these threats. It is therefore crucial to develop high-quality misuse case models; otherwise the end system developed will be vulnerable to security threats. Templates to describe misuse cases are populated with syntax-free natural language content. The inherent ambiguity of syntax-free natural language, coupled with the crucial role of misuse case models in development, can have a very detrimental effect. This paper proposes a structure that will guide misuse case authors towards developing consistent misuse case models. This paper also presents a process that utilizes this structure to ensure the consistency of misuse case models as they evolve, eliminating potential damage caused by inconsistencies. A tool was developed to provide automation support for the proposed structure and process. The feasibility and application of this approach were demonstrated using two real-world case studies.

2.
Security is nowadays an indispensable requirement in software systems. Traditional software engineering processes focus primarily on business requirements, leaving security as an afterthought to be addressed via generic "patched-on" defensive mechanisms. This approach is insufficient, and software systems need to have security functionality engineered in, in a similar fashion to ordinary business functional requirements. Functional security requirements need to be elicited, analyzed, specified and validated at the early stages of the development life cycle. If the functional security requirements are not properly validated, there is a risk of developing a system that is insecure, rendering it unusable. Acceptance testing is an effective technique to validate requirements. However, an ad hoc approach to developing acceptance tests will suffer from the omission of important tests. This paper presents a systematic approach to developing executable acceptance tests that is specifically geared towards model-based secure software engineering processes. The approach utilizes early-stage artifacts, namely misuse case and domain models, and robustness diagrams. The feasibility of the proposed approach is demonstrated by applying it to a real-world system. The results show that a comprehensive set of security acceptance tests can be developed based upon misuse case models for early-stage validation of functional security requirements.

3.
Context: Misuse case modeling is a well-known technique in the domain of capturing and specifying functional security requirements. Misuse case modeling provides a mechanism for security analysts to consider and account for security requirements in the early stages of a development process instead of relying on generic defensive mechanisms that are bolted onto software systems towards the latter stages of development. Objective: Many research contributions in the area of misuse case modeling have been devoted to extending the notation to increase its coverage of additional security-related semantics. However, there is a lack of research that evaluates how misuse case models are perceived by their readers. A misread or misinterpreted misuse case model can have dire consequences downstream, leading to the development of an insecure system. Method: This paper presents an assessment of the design of the original misuse case modeling notation based on the Physics of Notations framework. A number of improvements to the notation were suggested. A survey and a controlled experiment were carried out to compare the cognitive effectiveness of the new notation with that of the original notation. Results: The survey had 55 participants, who mostly indicated that the new notation is more semantically transparent than the original notation. The results of the experiment show that subjects reading diagrams developed using the new notation performed their tasks on average 6 min quicker, while in general the subjects performed their tasks in approximately 14.5 min. The experimental tasks only required subjects to read diagrams, not to create them. Conclusion: The main finding of this paper is that the use of colors and icons has improved the readability of misuse case diagrams. Software engineering notations are usually black and white. It is expected that the readability of other software notations will improve if they utilize colors and icons.

4.
To be successful, application software needs compelling functionality, availability within the right timeframe, and a reasonable price. But equally critical, teams must get nonfunctional characteristics right: performance, scalability, manageability, maintainability, usability, and, of course, security. The authors introduced misuse or abuse cases as counterparts to use cases and explained that although use cases capture functional requirements, abuse cases describe how users can misuse a system with malicious intent, thereby identifying additional security requirements. Another prior installment discussed how to fit misuse and abuse cases into the development process by defining who should write them, when to do so, and how to proceed. In this article, we discuss what abuse cases bring to software development in terms of planning. We don't assume a fixed budget is assigned to security measures, but that budgetary constraints apply to the project as a whole. We believe it's reasonable, and often necessary, to trade functionality against security, so the question isn't how to prioritize security requirements but how to prioritize the development effort across both functional and security requirements.

5.
The last decade has seen an increasing focus on addressing security during the earliest stages of system development, such as requirements determination. Attack trees and misuse cases are established techniques for representing security threats along with their potential mitigations. Previous work has compared attack trees and misuse cases in two experiments with students. The present paper instead presents an experiment where industrial practitioners perform the experimental tasks in their workplace. The industrial experiment confirms a central finding from the student experiments: that attack trees tend to help identify more threats than misuse cases. It also presents a new result: that misuse cases tend to encourage identification of threats associated with earlier development stages than attack trees. The two techniques should therefore be considered complementary and should be used together in practical requirements work.

6.
Jia Yidi, Liu Lin. Journal of Software (软件学报), 2019, 30(10): 3115-3126
Non-functional requirements describe the quality-related attributes of a system and are an important basis and evaluation criterion for software design decisions. Compared with descriptions of functional requirements, descriptions of non-functional requirements are usually scattered and often implicit. When the collected raw requirements descriptions are extensive, manually identifying and organizing them one by one takes a great deal of time and effort. For requirements text written in Chinese natural language, this paper proposes an automated method for identifying and classifying non-functional requirements. The identification step aims to extract from the text the sentences that may contain non-functional requirements, narrowing the scope of manual inspection as much as possible. The classification step then assigns the sentences containing non-functional requirements to five major categories of non-functional requirement: performance, reliability, usability, security, and maintainability. Classifier training and experimental testing were carried out on an experimental dataset compiled from the research group's project work; finally, the effectiveness of the method was validated on data from a real industrial application case.

7.
Secure software engineering is concerned with developing software systems that will continue delivering their intended functionality despite a multitude of harmful software technologies that can attack these systems from anywhere and at any time. Misuse cases and mal-activity diagrams are two techniques for modeling functional security requirements that address security concerns early in the development life cycle. This allows system designers to equip their systems with security mechanisms built into the system design rather than relying on external defensive mechanisms. In a model-driven engineering process, misuse cases are expected to drive the construction of mal-activity diagrams. However, a systematic approach to transform misuse cases into mal-activity diagrams is missing. Therefore, this process remains dependent on human skill and judgment, which raises the risk of developing mal-activity diagrams that are inconsistent with the security requirements described in misuse cases, leading to the development of an insecure system. This paper presents an authoring structure for misuse cases and a transformation technique to systematically perform this desired model transformation. A study was conducted to evaluate the proposed technique using 46 attack stories outlined in a book by a former well-known hacker (Mitnick and Simon, The Art of Deception: Controlling the Human Element of Security, Wiley, Indianapolis, 2002). The results indicate that applying the proposed technique produces correct mal-activity diagrams from misuse cases.

8.
Misuse cases are currently used to identify safety and security threats and subsequently capture safety and security requirements. There is limited consensus on the precise meaning of the basic terminology used for use/misuse case concepts. This paper delves into the use of an ontology for the formal representation of the use/misuse case domain knowledge for eliciting safety and security requirements. We classify misuse cases into different categories to reflect different types of misusers. This will allow participants during the requirements engineering stage to have a common understanding of the problem domain. We enhanced the misuse case domain to include abusive misuse cases and vulnerable use cases in order to boost the elicitation of safety requirements. The proposed ontological approach will allow developers to share and reuse the knowledge represented in the ontology, thereby avoiding ambiguity and inconsistency in capturing safety and security requirements. The Protégé 3.3.1 OWL editor was used to code the ontology. An illustration of the use of the ontology is given with examples from a health care information system.

9.
Use cases and misuse cases, respectively, state the interactions that an actor can have and that a mal-actor must be prevented from having with a system. The cases do not specify either the security requirements or the associated attributes that a system must possess to operate in a secure manner. We present an algorithmic, domain-independent approach rooted in verb-noun analysis of use cases and misuse cases to generate system requirements and the associated security attributes. We illustrate the utility of this general five-step method using Positive Train Control (PTC), a command and control system used to navigate trains in a railway grid, as a case study. This approach allows the designer to protect against the effect of wireless vulnerabilities on the safety of PTC systems.

10.
In software product line engineering, customers mostly concentrate on the functionality of the target product during product configuration. The quality attributes of a target product, such as security and performance, are often only assessed once the final product has been generated. However, it can be very costly to fix the problem if it is found that the generated product cannot satisfy the customers' quality requirements. Although the quality of a generated product is affected by all life-cycle phases of product development, feature-based product configuration is the first stage where the estimation or prediction of the quality attributes should be considered. The key issue in predicting the quality attributes of a product configured from feature models is measuring the interdependencies between functional features and quality attributes. Existing approaches have several limitations in this respect, such as requiring real products for the measurement or involving domain experts' effort. To overcome these limitations, we propose a systematic approach of modeling quality attributes in feature models based on domain experts' judgments using the analytic hierarchy process (AHP) and conducting quality-aware product configuration based on the captured quality knowledge. Domain experts' judgments are used to avoid generating the real products for quality evaluation, and AHP is used to reduce the domain experts' effort involved in the judgments. A prototype tool is developed to implement the concepts of the proposed approach, and a formal evaluation is carried out based on a large-scale case study.

12.
To meet the automation and real-time requirements of fault injection, and given that test personnel must provide fault information and write test plans before a test begins, this paper proposes the concepts of product fault, meta-fault and fault model, and extracts the characteristics of product faults and meta-faults. On this basis, the "e" functional verification language of IEEE Std 1647-2006 is used to describe fault characteristics and construct fault models, and a way of describing fault modes is given. Finally, an electronic flight display system is used as an application case; the case shows that the fault model and its description method can effectively improve the automation and real-time performance of fault injection.

13.
A new certificateless proxy signature scheme is designed using bilinear maps. A formal security proof is given for the scheme in the strongest security model; its security is based on the hardness of the computational Diffie-Hellman problem. The scheme also satisfies security properties such as verifiability, strong non-repudiation, strong identifiability, and prevention of signature abuse. Given its advantages of security, efficiency and freedom from certificate management, it can be widely applied in areas such as electronic commerce and electronic auctions.

14.
This paper proposes a use case vulnerability detection method based on attack patterns, used to detect vulnerabilities in the use case diagrams designed by requirements analysts. The method takes formalized use cases as its basis and treats misuse cases as carriers of security-critical information, modeling them as special attributes of use cases. Through interaction with the user, information on the misuse-case-related attributes is collected, and this information is then used to compute a misuse case index for each use case. This index is compared with the indices associated with predefined attack patterns to judge whether the use case is related to a particular misuse case or to certain attack patterns. Use case vulnerabilities in the use case diagram are thereby detected, and feasible suggestions are made on that basis.

15.
Several approaches have been proposed for the transition from functional requirements to object-oriented design. In a use case-driven development process, the use cases are important input for the identification of classes and their methods. There is, however, no established, empirically validated technique for the transition from use cases to class diagrams. One recommended technique is to derive classes by analyzing the use cases. It has, nevertheless, been reported that this technique leads to problems, such as developers missing requirements and mistaking requirements for design. An alternative technique is to identify classes from a textual requirements specification and subsequently apply the use case model to validate the resulting class diagram. This paper describes two controlled experiments conducted to investigate these two approaches to applying use case models in an object-oriented design process. The first experiment was conducted with 53 students as subjects. Half of the subjects used a professional modelling tool; the other half used pen and paper. The second experiment was conducted with 22 professional software developers as subjects, all of whom used one of several modelling tools. The first experiment showed that applying use cases to validate class diagrams constructed from textual requirements led to more complete class diagrams than did the derivation of classes from a use case model. In the second experiment, however, we found no such difference between the two techniques. In both experiments, deriving class diagrams from the use cases led to a better structure of the class diagrams. The results of the experiments therefore show that the technique chosen for the transition from use cases to class diagrams affects the quality of the class diagrams, but also that the effects of the techniques depend on the category of developer applying them and on the tool with which they are applied.

16.
An efficient certificateless proxy signature scheme (cited by: 2; self-citations: 0; citations by others: 2)
An efficient certificateless proxy signature scheme is designed using bilinear maps. A formal security proof is given for the scheme in the strongest security model. Its security is based on the hardness of the computational Diffie-Hellman problem. Analysis shows that the new scheme satisfies security properties such as verifiability, strong non-repudiation, strong identifiability, and prevention of signature abuse. Given its advantages of security, efficiency and freedom from certificate management, it can be widely applied in areas such as electronic commerce and mobile agent systems.

17.
Research and progress in intrusion detection technology (cited by: 8; self-citations: 0; citations by others: 8)
Intrusion detection systems (IDS), as an emerging security technology, are an important component of network security systems. This paper describes the basic principles and functional modules of intrusion detection systems, classifies them along three dimensions (data source, detection method, and detection timing), and introduces and analyzes the current state of intrusion detection research in China and abroad. With the rapid development of computer and network technology, mass storage and high-bandwidth transmission make centralized intrusion detection increasingly unable to meet system requirements. The paper therefore points out that distributed intrusion detection (DID) will gradually become the research focus of intrusion detection and of the whole field of network security, and provides a technical and theoretical basis for research on intrusion detection technology.

19.
Eliciting security requirements with misuse cases (cited by: 2; self-citations: 5; citations by others: 2)

20.
Security problems caused by misuse of internal networks have increasingly become a difficult issue in the field of network security management research. This paper proposes an effective misuse detection method and implements a prototype system. The method draws on the advantages of peer-to-peer technology and uses the principle of IP spoofing together with the ICMP echo function to perform detection. Experiments show that in a large-scale network composed of several subnets, the method can efficiently detect whether network misuse exists in any given subnet.
