
6.4.3 Security Ontology Validation

To evaluate the usefulness of an ontology, it must give consistent answers to real-world questions when it is used for inference. Following [162], competency questions have been defined and used to validate the proposed ontology.

This section lists a number of questions that developers are likely to raise during project development. The questions are designed to indicate what the ontology can handle and reason about rather than to be exhaustive. Each question is first expressed formally as a DL query, a query language that can be used to query RDF and OWL-DL ontologies, and the query results are then presented, with comments where appropriate. Figure 6-12 illustrates one of the query executions in the Protégé editor. Several of the competency questions designed for validating the proposed security ontology are shown below.

Figure 6-12 Example of Query Result in Protégé Editor

Q1: Which assets are confidential?

DL Query: Asset and (SecurityAttribute value Confidential)

DL Result:

• Internal data

• Sensitive data

• Sensitive process

Q2: Which threats threaten the integrity attribute of internal data assets in the network layer?

DL Query: Threat and (threaten some (Asset and (Asset value InternalData) and (SecurityAttribute value Integrity)) and (resideOn value Network))

DL Result:

• Spoofing

• Session Hijacking

Q3: Which security patterns protect the sensitive data against network eavesdropping threat?

DL Query: SecurityPattern and (hasProblem some (Threat and (Threat value NetworkEavesdropping) and (threaten value SensitiveData)))

DL Result:

• Secure pipe

• Secure communication

• Secure Association

Q4: Which security patterns can be used in Web and J2EE domain to address the SQL injection threat?

DL Query: SecurityPattern and (hasDomain value WebAndJ2EE) and (hasProblem some (Threat value SQLInjection))

DL Result: Input validator
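The competency questions above can also be kept as an automated regression check, so that a later edit to the ontology that changes an answer is caught. The following Python code is an added example, not part of the original text and not Protégé or the OWL API: it evaluates Q1 and Q3 closed-world over asserted facts only, models the `Threat value NetworkEavesdropping` restriction as a nominal, and uses a constructed `ABOX` whose facts are assumptions.

```python
# Constructed ABox: individual -> (asserted classes, {property: values}); facts are assumptions.
NET = {"hasProblem": {"NetworkEavesdropping"}}
ABOX = {
    "InternalData": ({"Asset"}, {"SecurityAttribute": {"Confidential", "Integrity"}}),
    "SensitiveData": ({"Asset"}, {"SecurityAttribute": {"Confidential"}}),
    "SensitiveProcess": ({"Asset"}, {"SecurityAttribute": {"Confidential"}}),
    "PublicData": ({"Asset"}, {"SecurityAttribute": {"Availability"}}),
    "NetworkEavesdropping": ({"Threat"}, {"threaten": {"SensitiveData"}}),
    "SecurePipe": ({"SecurityPattern"}, NET),
    "SecureCommunication": ({"SecurityPattern"}, NET),
    "SecureAssociation": ({"SecurityPattern"}, NET),
    "InputValidator": ({"SecurityPattern"}, {"hasProblem": {"SQLInjection"}}),
}

def holds(ind, expr):
    """Closed-world check of one class expression (nested tuples) for one individual."""
    classes, props = ABOX[ind]
    op, args = expr[0], expr[1:]
    if op == "cls":    # named class
        return args[0] in classes
    if op == "one":    # nominal {individual}
        return ind == args[0]
    if op == "and":    # intersection
        return all(holds(ind, e) for e in args)
    if op == "value":  # property value individual
        return args[1] in props.get(args[0], set())
    if op == "some":   # property some (expression); unknown fillers never match
        return any(v in ABOX and holds(v, args[1]) for v in props.get(args[0], set()))
    raise ValueError(f"unsupported constructor: {op}")

def query(expr):
    return sorted(i for i in ABOX if holds(i, expr))

# Competency questions: expression plus the answer the ontology must keep giving.
Q1 = ("and", ("cls", "Asset"), ("value", "SecurityAttribute", "Confidential"))
Q3 = ("and", ("cls", "SecurityPattern"),
      ("some", "hasProblem", ("and", ("cls", "Threat"), ("one", "NetworkEavesdropping"),
                              ("value", "threaten", "SensitiveData"))))
COMPETENCY = {"Q1": (Q1, {"InternalData", "SensitiveData", "SensitiveProcess"}),
              "Q3": (Q3, {"SecureAssociation", "SecureCommunication", "SecurePipe"})}

def validate():
    """Return {question: (missing, unexpected)} for each question whose answer drifted."""
    failures = {}
    for name, (expr, expected) in COMPETENCY.items():
        got = set(query(expr))
        if got != expected:
            failures[name] = (sorted(expected - got), sorted(got - expected))
    return failures
```

An empty result from `validate()` means every recorded competency question still returns its expected answer; a reasoner such as the one in Protégé works under the open-world assumption and may infer more than this evaluator does.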

6.4.4 Ontology based Security Pattern Selecting

Security patterns are used by developers to fulfil the security requirements. In this section, a method is developed to identify and retrieve the “right” security patterns from the security pattern base to fulfil the security requirements elicited from the previous evolution stage. Then, the selected patterns will be instantiated and integrated into the system design model. Figure 6-13 depicts the pattern selecting process.

To facilitate the selection of security patterns from the pattern repository, a pattern search engine is designed. For a given security requirement, the pattern search engine tries to find one or more security patterns that fulfil it. Two kinds of people can be the potential users of this search engine. One of them is the software system developer. This kind of user can input a specific request according to a security requirement, or treat the whole security requirement list as the input; the search engine then attempts to match the security requirements with security patterns by inferring over the proposed security ontology using the Protégé OWL API, and then searches the pattern repository for the corresponding security pattern specification. The other kind of user is the security pattern developer, who updates the patterns and their corresponding ontology descriptions in both the security pattern repository and the security ontology repository.

The patterns have been organised and classified with the proposed multiple aspects method with the consideration of dependency relationships between patterns.

Figure 6-13 Pattern Selection Process

The pattern search engine can be implemented by incorporating OWL API and is composed of four functions:

• Input function. An input function receives the user’s required security requirement or takes the set of security requirements as input.

• Infer function. An infer function reasons over the developed security ontology, using the OWL API, to find the security patterns that match the user input. The core of the infer function is the set of algorithms that realise the mapping.

• Search function. A search function searches the security pattern repository according to the mapping result of the infer function and returns the development specification of the selected patterns, which can be used by the developer.

• Output function. An output function returns the mapping index between security requirement and mitigation security patterns.

The key part of the pattern search engine is a set of algorithms that match security patterns with the required security requirements until either no security requirements remain or no more security patterns can be matched with them. In order to extract the corresponding results from the proposed security ontology, the Protégé OWL API can be used to encode the competency questions in the algorithm structure. The OWL API is a Java application interface and reference implementation for creating, manipulating and serialising OWL ontologies [78]. In the following, two representative algorithms are given in pseudocode to show how the search engine performs the infer function.

By incorporating the OWL API, Algorithm 1 determines the assets threatened by a given threat, taking a given stakeholder into account. In the GetRelated(x, y) function, x is a given concept and y is a relation (also called an object property in Protégé OWL); GetRelated(x, y) returns a collection of concepts that are related to x via y. The GetInstances(x) function returns a collection of instances (also called individuals in Protégé OWL) belonging to concept x.

Algorithm 1 Asset Owned by a Given Stakeholder and Threatened by a Given Threat

Input T is the given threat

Output A is the asset array

Initialisation A=

    procedure getAsset(T, S) return A
        T ← given threat
        S ← given stakeholder
        A ← Null
        {* A returns a collection of assets owned by S and threatened by T *}
        RAL ← GetRelated(T, sr:hasAsset)
        {* sr:hasAsset specifies the object property “hasAsset” in the security requirement subontology “sr” as the relation *}
        for i ← 0 to RAL.Length - 1 do
            I ← GetInstances(RAL[i])
            {* Extract the instances from each of the related asset classes *}
            for j ← 0 to I.Length - 1 do
                if I[j].sr:ownedBy == S then
                {* sr:ownedBy specifies the object property “ownedBy” in the security requirement subontology “sr” as the relation *}
                    A.Add(I[j])
                end if
            end for
        end for
        return A
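Algorithm 1 and the four engine functions described above can be exercised end to end on a small data set. The following is an added example, not code from the original work: it is written in Python over in-memory dictionaries rather than through the Java OWL API, it treats a security requirement as a (threat, stakeholder) pair, and the ontology facts, the repository paths and the `select_patterns` function are all assumptions made for illustration.

```python
# Constructed toy ontology and repository; all names and facts are assumptions.
RELATED = {("SQLInjection", "sr:hasAsset"): ["InternalData", "SensitiveData"],
           ("NetworkEavesdropping", "sr:hasAsset"): ["SensitiveData"]}
INSTANCES = {"InternalData": ["OrderTable", "AuditLog"],
             "SensitiveData": ["CardNumbers", "OrderTable"]}   # OrderTable is in both
OWNED_BY = {"OrderTable": "Merchant", "AuditLog": "Operator", "CardNumbers": "Merchant"}
HAS_PROBLEM = {"InputValidator": ["SQLInjection"], "SecurePipe": ["NetworkEavesdropping"],
               "SecureAssociation": ["NetworkEavesdropping"]}
REPOSITORY = {"InputValidator": "specs/input-validator.md", "SecurePipe": "specs/secure-pipe.md"}

def get_related(x, y):
    """GetRelated(x, y): concepts related to concept x via object property y."""
    return list(RELATED.get((x, y), []))

def get_instances(x):
    """GetInstances(x): individuals belonging to concept x."""
    return list(INSTANCES.get(x, []))

def get_asset(threat, stakeholder):
    """Algorithm 1: assets owned by `stakeholder` and threatened by `threat`."""
    assets = []
    for asset_class in get_related(threat, "sr:hasAsset"):
        for inst in get_instances(asset_class):
            # An individual typed under two asset classes is reported once.
            if OWNED_BY.get(inst) == stakeholder and inst not in assets:
                assets.append(inst)
    return assets

def select_patterns(requirements):
    """Infer + search + output: map each (threat, stakeholder) to assets, patterns, specs."""
    index, unmatched = {}, []
    for threat, stakeholder in requirements:
        assets = get_asset(threat, stakeholder)
        patterns = sorted(p for p, threats in HAS_PROBLEM.items() if threat in threats)
        if not assets or not patterns:
            unmatched.append((threat, stakeholder))   # nothing at risk or no mitigation known
            continue
        index[(threat, stakeholder)] = {
            "assets": assets,
            "patterns": patterns,
            # Patterns described in the ontology but absent from the repository are flagged.
            "specs": {p: REPOSITORY.get(p, "MISSING") for p in patterns},
        }
    return index, unmatched
```

The `MISSING` marker surfaces the case where the ontology repository and the pattern repository have been updated out of step with each other.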
