Threat Extraction Method Based on UML Software Description

Masoumeh Zeinali, M. A. Hadavi
Published in: 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC), 2018-08-01
DOI: 10.1109/ISCISC.2018.8546868 (https://doi.org/10.1109/ISCISC.2018.8546868)
Citations: 0

Abstract

Threat modeling is one of the best practices for securing software development. A primary challenge in using this practice is how to extract threats. Existing threat extraction methods for this purpose are mainly based on penetration tests or vulnerability databases. This imposes a non-automated, time-consuming process that relies fully on human knowledge and expertise. In this paper, a method is presented that can extract the threats to a software system based on the existing description of the software behavior. We elaborately describe software behavior with sequence diagrams enriched by security-relevant attributes. To enrich a sequence diagram, some attributes and their associated values are added to the diagram elements and the communication between them. We have also developed a threat knowledge base from reliable sources such as the CWE and CAPEC lists. Every threat in the knowledge base is described according to its occurrence conditions in the software. To extract the threats to a software system, the enriched sequence diagrams describing the software behavior are matched with the threat rules in our knowledge base using a simple inference process. This results in a set of potential threats for the software system. The proposed method is applied to a software application to extract its threats. Our case study indicates the effectiveness of the proposed method compared to other existing methods.