My talk includes current models and modelling on Security and Privacy: conceptual models such as SIG, Common Criteria, STIX and SCPM; UML-based models such as Misuse cases, UMLsec and SecureUML; and GORE models such as Secure Tropos, i*/Tropos and KAOS.
Additionally, research challenges on Security and Privacy Models and Modelling are discussed:
- Operation on Models on Security and Privacy with consistency
- Hybrid Models on Security and Privacy
- Big data and Machine Learning on Security and Privacy Modelling
WM2SP16 Keynote: Current and Future challenge of Model and Modelling on Security and Privacy
1. Copyright 2016 GRACE Center All Rights Reserved.
Current and Future challenge of Model and Modelling on Security and Privacy
Nobukazu Yoshioka, National Institute of Informatics
14th November 2016
The 1st International Workshop for Models and Modelling on Security and Privacy (WM2SP-16)
@Gifu
3. What's a Security or Privacy Model?
- What is a Model on Computing? "A computer representation or scientific description of something" (Longman Dictionary 4th Edition)
- Notation: Mathematics; Graphical or Graph; Structured Language; Natural Language
- Subject: Security Aspect or Private Aspect
4. For instance: UML based Model
5. For instance: Goal Oriented Requirements Engineering
7. What's Security or Privacy Modelling?
- What is Modelling on Computing? "the process of making a scientific or computer model of something to show how it works or to understand it better" (Longman Dictionary 4th Edition)
- Notation: Mathematics; Graphical or Graph; Structured Language; Natural Language
- Subject: Security Aspect or Private Aspect
- Why model? To whom? What? How? Who makes it? When?
8. For Instance …
[Figure: models (M) placed on three axes]
- When? (lifecycle phase): Domain Analysis, Requirements Engineering, Architecture Specification, Business Planning, Design, Implementation, Maintenance & Management; @in Advance vs. @Runtime
- To Whom? (consumer of the model): Computer, Response team, Librarian, User, Manager, Engineer
- Why?
9. My Talk
1. Current Models and Modelling on Security and Privacy
   1. Conceptual Model: SIG, Common Criteria, STIX, SCPM…
   2. UML: Misusecase, UMLsec, secureUML
   3. GORE: SecureTropos, i*/Tropos, KAOS
2. Research Challenges on the Security and Privacy Model and Modelling
   1. Operation on Models on Security and Privacy with consistency
   2. Hybrid Models on Security and Privacy
   3. Big data and Machine Learning on Security and Privacy Modelling
10. WHAT? Security and Privacy Activities
11. Security Activities by Area: 7 Categories
12. NICE: The National Initiative for Cybersecurity Education. NICE Cybersecurity Workforce Framework, https://www.nist.gov/image/16itl013niceframeworkpng
13. Task for Systems Requirements Planning
15. Models to support Security Tasks [Figure: each security task is supported by Models]
16. Security Activities by The Building Security In Maturity Model: BSIMM6
17. Building Security In Maturity Model (BSIMM) Version 6 [Figure: includes Models for Attack Patterns]
18. WHEN? Security Lifecycle
19. Security Activities for Security Lifecycle: Microsoft Security Development Lifecycle, https://www.microsoft.com/en-us/sdl/ [Figure: Models at each phase of the lifecycle]
20. WHAT's Security? Security Conceptual Model
21. Security Aspect
- Asset: data or a service to be protected
- Stakeholder: owner of an asset, or an actor on assets
- Security objective: security goals that must be satisfied
- Threat: possibility of harm to assets
- Attack: activities that try to violate security goals
- Attacker: actors who attack assets
- Vulnerability: weakness of a system that allows security goals to be violated
- Countermeasure: activities to prevent, mitigate or avoid attacks
- Risk: possibility that an attack succeeds, and the degree of the damage
22. Security Goal Conceptual Model
Cappelli, C., Cunha, H., Gonzalez-Baixauli, B., & Leite, J. (2010). Transparency versus security. Proceedings of the 2010 ACM Symposium on Applied Computing (SAC ’10), 298.
23. Security Conceptual Model by Haley
Haley, C. B., Laney, R., & Moffett, J. D. (2008). Security Requirements Engineering: A Framework for Representation and Analysis. IEEE Transactions on Software Engineering, 34(1), 133–153.
24. Security Conceptual Model by Taguchi
Taguchi, K., Yoshioka, N., Tobita, T., & Kaneko, H. (2010). Aligning security requirements and security assurance using the common criteria. In SSIRI 2010 - 4th IEEE International Conference on Secure Software Integration and Reliability Improvement (pp. 69–77).
25. Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™), http://stixproject.github.io/getting-started/whitepaper/
26. STIX Models for Security Response
27. KAOS & Attack Tree for Threat Analysis
- by A. van Lamsweerde
- Refine system goals with AND/OR refinement
- Analyse anti-goals that threaten security goals
- Anti-Goal = Obstacle = Security Threat
van Lamsweerde, A. (2004). Elaborating Security Requirements by Construction of Intentional Anti-Models. Proceedings of the 26th International Conference on Software Engineering, 148–157.
B. Schneier, “Attack trees: modeling security threats,” Dr. Dobb’s Journal, December 1999.
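As an added example (not the talk's material or van Lamsweerde's KAOS tooling), here is a small AND/OR anti-goal tree of the kind this slide pairs with attack trees, plus a check of which leaf anti-goals a chosen set of countermeasures still leaves open; the tree and its leaf names are constructed.

```python
# Added example: AND/OR anti-goal (attack) tree with a countermeasure
# coverage check. Tree and leaf names are constructed for illustration.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

@dataclass
class AntiGoal:
    name: str
    op: str = "LEAF"                       # "AND", "OR" or "LEAF"
    children: List["AntiGoal"] = field(default_factory=list)

def residual_paths(node: AntiGoal, mitigated: Set[str]) -> Set[FrozenSet[str]]:
    """Sets of leaf anti-goals that together still achieve `node` once the
    leaves named in `mitigated` are obstructed by a countermeasure.
    An empty result means the anti-goal is fully obstructed."""
    if node.op == "LEAF":
        return set() if node.name in mitigated else {frozenset([node.name])}
    child_paths = [residual_paths(c, mitigated) for c in node.children]
    if node.op == "OR":                    # any one child suffices
        return set().union(*child_paths)
    combos: Set[FrozenSet[str]] = {frozenset()}   # AND: every child needed
    for paths in child_paths:
        if not paths:                      # one obstructed child blocks the AND
            return set()
        combos = {a | b for a in combos for b in paths}
    return combos

def is_obstructed(root: AntiGoal, mitigated: Set[str]) -> bool:
    return not residual_paths(root, mitigated)

# Constructed anti-goal for the security goal "patient records stay confidential"
ROOT = AntiGoal("records disclosed", "OR", [
    AntiGoal("credentials obtained", "OR", [
        AntiGoal("clinician phished"),
        AntiGoal("weak password guessed")]),
    AntiGoal("backup read", "AND", [
        AntiGoal("backup media obtained"),
        AntiGoal("backup unencrypted")]),
])

if __name__ == "__main__":
    chosen = {"clinician phished", "backup unencrypted"}
    for path in sorted(map(sorted, residual_paths(ROOT, chosen))):
        print("still achievable via:", path)
```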
28. GORE: i*/Secure Tropos
GORE: Goal Oriented Requirements Engineering
[Figure: i*/Tropos concepts: Actor, Goal, Dependency, Goal Refinement (AND/OR)]
- Secure Tropos: Security is a constraint; an attacker is an actor
29. Usecase for Security: Misuse cases/Abuse Cases
- Abuse Cases, by J. McDermott, with an Abuse Actor
- Misuse Cases, by G. Sindre, relating Threat and Countermeasure
[Figure: Misuse Cases Metamodel]
30. Threat Analysis by CORAS
Solhaug, B., & Stølen, K. (2013). The CORAS Language – Why it is Designed the Way it is. Safety, Reliability, Risk and Life-Cycle Performance of Structures and Infrastructures, 3155–3162.
31. Access Control Model: SecureUML
- UML Profile by David Basin (David Basin: Model Driven Security)
- Role Based Access Control (RBAC) Model
- Automatic Generation of Security Configuration, e.g., generate J2EE configuration
[Figure: SecureUML Metamodel]
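An added example (not Basin's SecureUML tooling or the talk's own code) of the slide's idea: a SecureUML-style RBAC model with a role hierarchy, a model-level access check, and generation of J2EE web.xml security-constraint elements from that model; the roles, URL patterns and methods are constructed.

```python
# Added example: a SecureUML-style RBAC model (roles, role hierarchy,
# permissions on URL resources) and a generator that emits J2EE web.xml
# security-constraint elements from it. Model values are constructed.
import fnmatch
from typing import Dict, List, Set, Tuple
from xml.sax.saxutils import escape

# Role hierarchy: a role inherits every permission of its parent roles.
ROLE_PARENTS: Dict[str, Set[str]] = {
    "User": set(), "Clinician": {"User"}, "Admin": {"Clinician"}}
# Permission = (role, resource URL pattern, allowed HTTP methods)
PERMISSIONS: List[Tuple[str, str, Set[str]]] = [
    ("User", "/records/own/*", {"GET"}),
    ("Clinician", "/records/*", {"GET", "POST"}),
    ("Admin", "/admin/*", {"GET", "POST", "DELETE"}),
]

def held_roles(role: str) -> Set[str]:
    """The role itself plus all roles it inherits from (transitive closure)."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(ROLE_PARENTS.get(r, set()))
    return seen

def allowed(role: str, url: str, method: str) -> bool:
    """Model-level access decision (fnmatch approximates J2EE URL matching)."""
    held = held_roles(role)
    return any(r in held and fnmatch.fnmatch(url, pat) and method in methods
               for r, pat, methods in PERMISSIONS)

def generate_web_xml() -> str:
    """One <security-constraint> per permission; its auth-constraint lists
    the permission's role and every role that inherits from it."""
    out: List[str] = []
    for r, pat, methods in PERMISSIONS:
        holders = sorted(x for x in ROLE_PARENTS if r in held_roles(x))
        out.append("<security-constraint>\n  <web-resource-collection>")
        out.append(f"    <web-resource-name>{escape(r)} {escape(pat)}</web-resource-name>")
        out.append(f"    <url-pattern>{escape(pat)}</url-pattern>")
        out += [f"    <http-method>{m}</http-method>" for m in sorted(methods)]
        out.append("  </web-resource-collection>\n  <auth-constraint>")
        out += [f"    <role-name>{escape(h)}</role-name>" for h in holders]
        out.append("  </auth-constraint>\n</security-constraint>")
    out += [f"<security-role><role-name>{escape(x)}</role-name></security-role>"
            for x in sorted(ROLE_PARENTS)]
    return "\n".join(out)
```

A real generator would mirror the container's url-pattern rules exactly; the point here is that the access decision and the deployed configuration both derive from the same model, so they cannot drift apart.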
32. Security Design Model: UMLsec
- Design Model for Secure Systems, by Jan Jürjens
- Stereotypes for Security Design and their semantics: Secure Protocol for integrity, Security Context, Control Flow Dependency, Data Flow Dependency
Jürjens, J. (2002). UMLsec: Extending UML for secure systems development. Proceedings of the 5th International Conference on The Unified Modeling Language, 412–425.
33. Models For Security Activities [Figure: KAOS, i*/Secure Tropos, Misuse Cases…, UMLsec mapped to security activities]
34. Security Modelling
Liu, L., Yu, E., & Mylopoulos, J. (2003). Security and Privacy Requirements Analysis within a Social Setting (p. 151).
35. WHAT's Privacy? Privacy Conceptual Model
36. Is Privacy a subset of Security?
Privacy Requirements ≒ Confidentiality of Personally Identifiable Information + Confidentiality of information about users + ability to control them (something private: facts = events or data) ⊆ Security Requirements
Privacy: 1) the state of being able to be alone; 2) the state of being free from public attention (Longman Dictionary)
The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively. (Wikipedia)
37. Privacy Conceptual Model by PriS
Kalloniatis, C., Kavakli, E., & Gritzalis, S. (2008). Addressing privacy requirements in system design: The PriS method. Requirements Engineering, 13(3), 241–255.
38. Modelling by LINDDUN
Deng, M., Wuyts, K., Scandariato, R., Preneel, B., & Joosen, W. (2011). A privacy threat analysis framework: Supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering, 16(1), 3–32.
39. Integrated Model of Security and Privacy
Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support selection of cloud providers based on security and privacy requirements. Journal of Systems and Software, 86(9), 2276–2293.
40. Metamodel for Security and Privacy Knowledge in Cloud Services
41. “All in One” Model on Security and Privacy? [Figure: one All in One Model with Various Views for each activity]
43. Difficulty (1) Consistency between Models
[Figure: many Models (Threat Models, Attack Models, …) that must be kept consistent with each other]
44. Security Model vs. Privacy Model
[Figure: Privacy and Security side by side]
- Security Requirements for Privacy (e.g., confidentiality of personal information); Privacy Requirements for Security (e.g., consent)
- Privacy side: Disclosure of Personally identifiable information; Disclosure of Private Behavior (Privacy Assets); Risk to Users
- Security side: Disclosure of Organizational Assets; Risk to Business; Risk Assessment with organization
- Privacy Requirements: User participation, Transparency, Minimal data collection
- Security Requirements: Availability, Integrity, Minimal Privilege
45. Conflicts between Security & Privacy Model
- Security Functions become Privacy threats (e.g., Identification threatens privacy); Privacy constricts Security Requirements
- Privacy Functions become Security threats (e.g., anonymity makes it hard to detect attackers); Security constricts Privacy Requirements
- How to solve? Need a trade-off?
46. Difficulty (2) Security and Privacy Risk
- Risk = Damage × Probability
- Statistical Model: data for estimation is needed
- Some incidents affect each other: risk reasoning is needed
- Risk is changeable
47. Difficulty (3) Modelling @Design
Definition of a Model at the Design stage is difficult:
- New Threats & Attacks
- Privacy Preference Model
- Runtime configuration is changeable: Network Configuration, Cloud Environment
→ Model Creation @Runtime
→ Adaptation @Runtime
49. Challenge (1) Model Operations
[Figure: across REQUIREMENTS, DESIGN, IMPLEMENTATION and MAINTENANCE, the Privacy Models, Security Models, Solution Models, Network Model and Organization Model are connected by refactoring and feedback]
50. Conflict between Security and Privacy Patterns
[Figure: Security meets Privacy]
- Anonymous Access Patterns: Privacy Goal: Never identify me
- Authentication Patterns: Security Goal: Identify attackers
- Pseudonym Authentication Patterns: Security Goal: Identify only attackers; Privacy Enhanced Security: Minimal Identification
51. Win-Win Pattern of Security and Privacy
[Figure: Pseudonym Authentication Patterns with Separation of Duty between the roles: Identification Provider (holds the Identifiable Information, authenticates the user and issues a Pseudonym), Service Provider (provides a Service with a Pseudonym: “I don’t know who you are”), Security Officer (“I don’t watch your naked body”), Supervisor]
Steps: (1) Monitoring with a Pseudonym; (2) Notify Aberrant Privacy Information; (3) Catch a criminal
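An added example (not from the talk) of the pseudonym authentication pattern with separation of duty on this slide: the Identification Provider authenticates and issues a keyed pseudonym, the Service Provider and Security Officer work with pseudonyms only, and re-identification in step (3) requires both the officer's flag and a Supervisor's approval; the credentials, events and aberrance threshold are constructed.

```python
# Added example: pseudonym authentication with separation of duty.
# The Identification Provider alone can map a pseudonym back to a person,
# and does so only for a pseudonym the Security Officer flagged AND a
# Supervisor approved. Credentials and events are constructed.
import hashlib, hmac, secrets
from collections import Counter
from typing import Callable, Dict, List, Set, Tuple

class IdentificationProvider:
    def __init__(self, credentials: Dict[str, str]):
        self._creds = credentials           # identity -> password (demo only)
        self._key = secrets.token_bytes(32) # keyed: nobody else can derive pseudonyms
        self._reverse: Dict[str, str] = {}  # pseudonym -> identity

    def authenticate(self, identity: str, password: str) -> str:
        if not hmac.compare_digest(self._creds.get(identity, ""), password):
            raise PermissionError("authentication failed")
        pseud = hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[pseud] = identity
        return pseud

    def reidentify(self, pseud: str, officer_flagged: bool, supervisor_ok: bool) -> str:
        # Separation of duty: an officer's flag alone never unmasks anyone.
        if not (officer_flagged and supervisor_ok):
            raise PermissionError("needs officer flag and supervisor approval")
        return self._reverse[pseud]

class ServiceProvider:
    """Serves and logs by pseudonym only; never learns the identity."""
    def __init__(self):
        self.log: List[Tuple[str, str]] = []
    def serve(self, pseud: str, action: str) -> None:
        self.log.append((pseud, action))

class SecurityOfficer:
    """Monitors the pseudonymous log and flags aberrant pseudonyms, not people."""
    def __init__(self, action: str, threshold: int):
        self.action, self.threshold = action, threshold
    def aberrant(self, log: List[Tuple[str, str]]) -> Set[str]:
        counts = Counter(p for p, a in log if a == self.action)
        return {p for p, n in counts.items() if n >= self.threshold}

def investigate(idp, sp, officer, supervisor: Callable[[str], bool]) -> Set[str]:
    """Minimal identification: unmask only flagged pseudonyms the supervisor approves."""
    unmasked = set()
    for pseud in officer.aberrant(sp.log):
        if supervisor(pseud):                 # step (3) needs a second person
            unmasked.add(idp.reidentify(pseud, True, True))
    return unmasked
```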
52. Challenge (2) Hybrid Model
[Figure: Model Composition of Privacy Models, Security Models and a Solution Model into a Hybrid Model; Risk appears on both the Privacy and Security side, as Logical and as Statistic models]
53. Challenge (3) Big data and Machine Learning
[Figure: the Model Operations picture (REQUIREMENTS, DESIGN, IMPLEMENTATION, MAINTENANCE; Privacy, Security, Solution and Network Models; refactoring, feedback) extended with: System Log, User Log and Environment Log feeding Model Creation and Self-Adaptation; Framework/Library, Patterns, Incident Case Catalog and Development Log Repository feeding Recommendation]
54. Conclusions
1. Current Model and Modelling on Security and Privacy
   1. UML: Misusecase, UMLsec, secureUML
   2. GORE: SecureTropos, i*/Tropos, KAOS
   3. Meta-model: SIG, Common Criteria, STIX, SCPM…
2. Research Challenge on the Security and Privacy Model and Modelling
   1. Operation on Models on Security and Privacy with consistency
   2. Hybrid Models on Security and Privacy
   3. Big data and Machine Learning on Security and Privacy Modelling