University of Limerick
Browse
Salehie, M.pdf (342.27 kB)

Requirements-driven adaptive security: protecting variable assets at runtime

Download (342.27 kB)
conference contribution
posted on 2012-10-10, 15:35 authored by Mazeiar Salehie, Liliana Pasquale, Inah Omoronyia, Raian Ali, Bashar Nuseibeh
Security is primarily concerned with protecting assets from harm. Identifying and evaluating assets are therefore key activities in any security engineering process – from modeling threats and attacks, discovering existing vulnerabilities, to selecting appropriate countermeasures. However, despite their crucial role, assets are often neglected during the development of secure software systems. Indeed, many systems are designed with fixed security boundaries and assumptions, without the possibility to adapt when assets change unexpectedly, new threats arise, or undiscovered vulnerabilities are revealed. To handle such changes, systems must be capable of dynamically enabling different security countermeasures. This paper promotes assets as first-class entities in engineering secure software systems. An asset model is related to requirements, expressed through a goal model, and the objectives of an attacker, expressed through a threat model. These models are then used as input to build a causal network to analyze system security in different situations, and to enable, when necessary, a set of countermeasures to mitigate security threats. The causal network is conceived as a runtime entity that tracks relevant changes that may arise at runtime, and enables a new set of countermeasures. We illustrate and evaluate our proposed approach by applying it to a substantive example concerned with security of mobile phones.

Funding

Study on Aerodynamic Characteristics Control of Slender Body Using Active Flow Control Technique

Japan Society for the Promotion of Science

Find out more...

History

Publication

Proceedings of 20th International Requirements Engineering Conference (RE'12);

Note

peer-reviewed

Other Funding information

SFI, ERC, UTRC

Language

English

Usage metrics

    University of Limerick

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC