Predicting Network Attacks Using Ontology-Driven Inference

Graph knowledge models and ontologies are very powerful modeling and re asoning tools. We propose an effective approach to model network attacks and attack prediction which plays important roles in security management. The goals of this study are: First we model network attacks, their prerequisites and consequences using knowledge representation methods in order to provide description logic reasoning and inference over attack domain concepts. And secondly, we propose an ontology-based system which predicts potential attacks using inference and observing information which provided by sensory inputs. We generate our ontology and evaluate corresponding methods using CAPEC, CWE, and CVE hierarchical datasets. Results from experiments show significant capability improvements comparing to traditional hierarchical and relational models. Proposed method also reduces false alarms and improves intrusion detection effectiveness.Comment: 9 page

Informacijos saugos reikalavimų harmonizavimo, analizės ir įvertinimo automatizavimas

The growing use of Information Technology (IT) in daily operations of enterprises requires an ever-increasing level of protection over organization’s assets and information from unauthorised access, data leakage or any other type of information security breach. Because of that, it becomes vital to ensure the necessary level of protection. One of the best ways to achieve this goal is to implement controls defined in Information security documents. The problems faced by different organizations are related to the fact that often, organizations are required to be aligned with multiple Information security documents and their requirements. Currently, the organization’s assets and information protection are based on Information security specialist’s knowledge, skills and experience. Lack of automated tools for multiple Information security documents and their requirements harmonization, analysis and visualization lead to the situation when Information security is implemented by organizations in ineffective ways, causing controls duplication or increased cost of security implementation. An automated approach for Information security documents analysis, mapping and visualization would contribute to solving this issue. The dissertation consists of an introduction, three main chapters and general conclusions. The first chapter introduces existing Information security regulatory documents, current harmonization techniques, information security implementation cost evaluation methods and ways to analyse Information security requirements by applying graph theory optimisation algorithms (Vertex cover and Graph isomorphism). The second chapter proposes ways to evaluate information security implementation and costs through a controls-based approach. The effectiveness of this method could be improved by implementing automated initial data gathering from Business processes diagrams. In the third chapter, adaptive mapping on the basis of Security ontology is introduced for harmonization of different security documents; such an approach also allows to apply visualization techniques for harmonization results presentation. Graph optimization algorithms (vertex cover algorithm and graph isomorphism algorithm) for Minimum Security Baseline identification and verification of achieved results against controls implemented in small and medium-sized enterprises were proposed. It was concluded that the proposed methods provide sufficient data for adjustment and verification of security controls applicable by multiple Information security documents.Dissertatio

Security-Driven Software Evolution Using A Model Driven Approach

High security level must be guaranteed in applications in order to mitigate risks during the deployment of information systems in open network environments. However, a significant number of legacy systems remain in use which poses security risks to the enterprise’ assets due to the poor technologies used and lack of security concerns when they were in design. Software reengineering is a way out to improve their security levels in a systematic way. Model driven is an approach in which model as defined by its type directs the execution of the process. The aim of this research is to explore how model driven approach can facilitate the software reengineering driven by security demand. The research in this thesis involves the following three phases. Firstly, legacy system understanding is performed using reverse engineering techniques. Task of this phase is to reverse engineer legacy system into UML models, partition the legacy system into subsystems with the help of model slicing technique and detect existing security mechanisms to determine whether or not the provided security in the legacy system satisfies the user’s security objectives. Secondly, security requirements are elicited using risk analysis method. It is the process of analysing key aspects of the legacy systems in terms of security. A new risk assessment method, taking consideration of asset, threat and vulnerability, is proposed and used to elicit the security requirements which will generate the detailed security requirements in the specific format to direct the subsequent security enhancement. Finally, security enhancement for the system is performed using the proposed ontology based security pattern approach. It is the stage that security patterns derived from security expertise and fulfilling the elicited security requirements are selected and integrated in the legacy system models with the help of the proposed security ontology. The proposed approach is evaluated by the selected case study. Based on the analysis, conclusions are drawn and future research is discussed at the end of this thesis. The results show this thesis contributes an effective, reusable and suitable evolution approach for software security

An Ontology-Based Context Model for Managing Security Knowledge in Software Development

Software security has been the focus of the security community and practitioners over the past decades. Much security information is widely available in books, open literature or on the internet. We argue that the generated huge mass of information has resulted in a form of information overload to software engineers who usually finish reading it without being able to apply those principles clearly to their own application context. Our research tackles software security issues from a knowledge management perspective. In this paper, we present an ontology approach to model the knowledge of software security in a context- sensitive manner, supporting software engineers and learners to enable the correlation process between security domain knowledge and their working context. We also propose a web-based application for security knowledge sharing and learning where the ontology is adopted as the central knowledge repository

Methods and techniques for generation and integration of Web ontology data

University of Technology, Sydney. Faculty of Information Technology.Data integration over the web or across organizations encounters several unfavorable features: heterogeneity, decentralization, incompleteness, and uncertainty, which prevent information from being fully utilized for advanced applications such as decision support services. The basic idea of ontology related approaches for data integration is to use one or more ontology schemas to interpret data from different sources. Several issues will come up when actually implementing the idea: (1) How to develop the domain ontology schema(s) used for the integration; (2) How to generate ontology data for domain ontology schema if the data are not in the right format and to create and manage ontology data in an appropriate way; (3) How to improve the quality of integrated ontology data by reducing duplications and increasing completeness and certainty. This thesis focuses on the above issues and develops a set of methods to tackle them. First, a key information mining method is developed to facilitate the development of interested domain ontology schemas. It effectively extracts from the web sites useful terms and identifies taxonomy information which is essential to ontology schema construction. A prototype system is developed to use this method to help create domain ontology schemas. Second, this study develops two complemented methods which are light weighted and more semantic web oriented to address the issue of ontology data generation. One method allows users to convert existing structured data (mostly XML data) to ontology data; another enables users to create new ontology data directly with ease.In addition, a web-based system is developed to allow users to manage the ontology data collaboratively and with customizable security constraints. Third, this study also proposes two methods to perform ontology data matching for the improvement of ontology data quality when an integration happens. One method uses the clustering approach. It makes use of the relational nature of the ontology data and captures different situations of matching, therefore resulting in an improvement of performance compared with the traditional canopy clustering method. The other method goes further by using a learning mechanism to make the matching more adaptive. New features are developed for training matching classifier by exploring particular characteristics of ontology data. This method also achieves better performance than those with only ordinary features. These matching methods can be used to improve data quality in a peer-to-peer framework which is proposed to integrate available ontology data from different peers

Avocado (Persea americana) and cherimoya (Annona cherimola) crop ontologies facilitate data interoperability among different descriptors in biological databases

Subtropical fruits, like avocado and cherimoya, are key crops for food security in a wide range of countries, with an increasing commercial importance worldwide. Even though their importance is starting to be recognized and high throughput sequencing approaches are currently being used to characterize genome­wide patterns from natural diversity populations and breeding stocks, currently ontological available information for these subtropical fruits crops is scarce and often not based in internationally standardized formats. Thus, the challenge to correlate the expanding molecular information data available with plant phenotype and crop traits remains an important issue in breeding programs for these crops. With the aim to facilitate future analyses we present a controlled vocabulary for harmonizing the annotation of phenotypic and genomic data for these crops. These new ontologies represent an extended ontology to fit avocado and cherimoya traits commonly used in variety descriptions, mainly established by Biodiversity International and the International Union for the Protection of New Varieties of Plants (UPOV), but also custom ad hoc descriptors. The developed ontology includes measurable or observable characteristics of plants as well as abiotic and biotic stress susceptibility. The resource is available in standard OBO formats ready to be used in GMOD and Tripal inspired biological databases to allow data sharing and reusability. The approach followed here can be of interest to other crops in which standardized ontologies are still missing.Universidad de Málaga. Campus de Excelencia Internacional Andalucía Tech. This work is supported by MINECO (AGL2013-43732- R and AGL2016-77267-R) to Iñaki Hormaza, (RYC-2011-08839) to Antonio Matas and (BES-2014-068832) to Alicia Talavera Júdez

Semantic-Based Access Control Mechanisms in Dynamic Environments

The appearance of dynamic distributed networks in early eighties of the last century has evoked technologies like pervasive systems, ubiquitous computing, ambient intelligence, and more recently, Internet of Things (IoT) to be developed. Moreover, sensing capabil- ities embedded in computing devices offer users the ability to share, retrieve, and update resources on anytime and anywhere basis. These resources (or data) constitute what is widely known as contextual information. In these systems, there is an association between a system and its environment and the system should always adapt to its ever-changing environment. This situation makes the Context-Based Access Control (CBAC) the method of choice for such environments. However, most traditional policy models do not address the issue of dynamic nature of dynamic distributed systems and are limited in addressing issues like adaptability, extensibility, and reasoning over security policies. We propose a security framework for dynamic distributed network domain that is based on semantic technologies. This framework presents a flexible and adaptable context-based access control authoriza- tion model for protecting dynamic distributed networks’ resources. We extend our secu- rity model to incorporate context delegation in context-based access control environments. We show that security mechanisms provided by the framework are sound and adhere to the least-privilege principle. We develop a prototype implementation of our framework and present the results to show that our framework correctly derives Context-Based au- thorization decision. Furthermore, we provide complexity analysis for the authorization framework in its response to the requests and contrast the complexity against possible op- timization that can be applied on the framework. Finally, we incorporate semantic-based obligation into our security framework. In phase I of our research, we design two lightweight Web Ontology Language (OWL) ontologies CTX-Lite and CBAC. CTX-Lite ontology serves as a core ontology for context handling, while CBAC ontology is used for modeling access control policy requirements. Based on the two OWL ontologies, we develop access authorization approach in which access decision is solely made based on the context of the request. We separate context operations from access authorization operations to reduce processing time for distributed networks’ devices. In phase II, we present two novel ontology-based context delegation ap- proaches. Monotonic context delegation, which adopts GRANT version of delegation, and non-monotonic for TRANSFER version of delegation. Our goal is to present context del- egation mechanisms that can be adopted by existing CBAC systems which do not provide delegation services. Phase III has two sub-phases, the first is to provide complexity anal- ysis of the authorization framework. The second sub-phase is dedicated to incorporating semantic-based obligation