The Open University

Requirements-driven adaptive security: protecting variable assets at runtime

Salehie, Mazeiar; Pasquale, Liliana; Omoronyia, Inah; Ali, Raian and Nuseibeh, Bashar (2012). Requirements-driven adaptive security: protecting variable assets at runtime. In: 20th International Requirements Engineering Conference (RE'12), 24-28 September 2012, Chicago, USA, pp. 111–120.

Full text available as: PDF (Accepted Manuscript)
URL: http://ulir.ul.ie/bitstream/handle/10344/2598/Sale...
DOI (Digital Object Identifier) Link: http://dx.doi.org/10.1109/RE.2012.6345794

Abstract

Security is primarily concerned with protecting assets from harm. Identifying and evaluating assets are therefore key activities in any security engineering process – from modeling threats and attacks, discovering existing vulnerabilities, to selecting appropriate countermeasures. However, despite their crucial role, assets are often neglected during the development of secure software systems. Indeed, many systems are designed with fixed security boundaries and assumptions, without the possibility to adapt when assets change unexpectedly, new threats arise, or undiscovered vulnerabilities are revealed. To handle such changes, systems must be capable of dynamically enabling different security countermeasures. This paper promotes assets as first-class entities in engineering secure software systems. An asset model is related to requirements, expressed through a goal model, and the objectives of an attacker, expressed through a threat model. These models are then used as input to build a causal network to analyze system security in different situations, and to enable, when necessary, a set of countermeasures to mitigate security threats. The causal network is conceived as a runtime entity that tracks relevant changes that may arise at runtime, and enables a new set of countermeasures. We illustrate and evaluate our proposed approach by applying it to a substantive example concerned with security of mobile phones.

Item Type: Conference Item
Copyright Holders: 2012 IEEE
ISBN: 1-4673-2785-9, 978-1-4673-2785-5
Keywords: security requirements; adaptation; causal reasoning
Academic Unit/Department: Mathematics, Computing and Technology > Computing & Communications
Interdisciplinary Research Centre: Centre for Research in Computing (CRC)
Item ID: 35011
Depositing User: Danielle Lilly
Date Deposited: 05 Nov 2012 09:43
Last Modified: 20 Oct 2013 12:22
URI: http://oro.open.ac.uk/id/eprint/35011