WM2SP16 Keynote: Current and Future challenge of Model and Modelling on Security and Privacy
Transcript of WM2SP16 Keynote: Current and Future challenge of Model and Modelling on Security and Privacy
Copyright 2016 GRACE Center All Rights Reserved.
Current and Future challenge of Model and Modelling on Security and Privacy
Nobukazu Yoshioka, National Institute of Informatics
14th November 2016
The 1st International Workshop for Models and Modelling on Security and Privacy (WM2SP-16)
@Gifu
What’s a Security or Privacy Model?
- What is a Model in Computing?
  A computer representation or scientific description of something (Longman Dictionary 4th Edition)
- Forms of model: Mathematics, Graphical or Graph, Structured Language, Natural Language
- Security Aspect or Private Aspect
For instance: UML based Model
For instance: Goal Oriented Requirements Engineering
What’s Security or Privacy Modelling?
- What is Modelling in Computing?
  The process of making a scientific or computer model of something to show how it works or to understand it better (Longman Dictionary 4th Edition)
- Forms of model: Mathematics, Graphical or Graph, Structured Language, Natural Language
- Security Aspect or Private Aspect
- Why model? To whom? What? How? Who makes it? When?
For Instance …
Activities (diagram): Domain Analysis, Requirements Engineering, Architecture Specification, Business Planning, Design, Implementation, Maintenance & Management (@in Advance / @Runtime)
Stakeholders who make or use models: Computer, Response team, Librarian, User, Manager, Engineer
Questions: Why? When? To Whom?
My Talk
1. Current Models and Modelling on Security and Privacy
   1. Conceptual Model: SIG, Common Criteria, STIX, SCPM…
   2. UML: Misuse case, UMLsec, SecureUML
   3. GORE: Secure Tropos, i*/Tropos, KAOS
2. Research Challenges on the Security and Privacy Model and Modelling
   1. Operation on Models on Security and Privacy with consistency
   2. Hybrid Models on Security and Privacy
   3. Big data and Machine Learning on Security and Privacy Modelling
WHAT? Security and Privacy Activities
Security Activities by Area: 7 Categories
NICE: The National Initiative for Cybersecurity Education
NICE Cybersecurity Workforce Framework
https://www.nist.gov/image/16itl013niceframeworkpng
Task for Systems Requirements Planning
Knowledge / Skill / Ability
Models to support Security Tasks (diagram: models attached to each task)
Security Activities by The Building Security In Maturity Model: BSIMM6
Building Security In Maturity Model (BSIMM) Version 6
Models for Attack Patterns
WHEN? Security Lifecycle
Security Activities for Security Lifecycle
Microsoft Security Development Lifecycle https://www.microsoft.com/en-us/sdl/ (diagram: models attached to each lifecycle phase)
WHAT’s Security? Security Conceptual Model
Security Aspect
- Asset: data or service to be protected
- Stakeholder: owner of an asset or actors of assets
- Security objective: security goals to satisfy security
- Threat: possibility of harm to assets
- Attack: activities trying to violate security goals
- Attacker: actors who attack assets
- Vulnerability: weakness of a system that allows security goals to be violated
- Countermeasure: activities to prevent, mitigate or avoid attacks
- Risk: possibility of a successful attack and degree of the damage
Security Goal Conceptual Model
Cappelli, C., Cunha, H., Gonzalez-Baixauli, B., & Leite, J. (2010). Transparency versus security. Proceedings of the 2010 ACM Symposium on Applied Computing - SAC ’10, 298.
Security Conceptual Model by Haley
Haley, C. B., Laney, R., & Moffett, J. D. (2008). Security Requirements Engineering: A Framework for Representation and Analysis. IEEE Transactions on Software Engineering, 34(1), 133–153.
Security Conceptual Model by Taguchi
Taguchi, K., Yoshioka, N., Tobita, T., & Kaneko, H. (2010). Aligning security requirements and security assurance using the common criteria. In SSIRI 2010 - 4th IEEE International Conference on Secure Software Integration and Reliability Improvement (pp. 69–77).
Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™)
http://stixproject.github.io/getting-started/whitepaper/
STIX Models for Security Response
KAOS & Attack Tree for Threat Analysis
- KAOS, by A. van Lamsweerde: refine system goals with AND/OR refinement
- Analyse anti-goals that threaten the security goals
- Anti-Goal = Obstacle = Security Threat
B. Schneier, “Attack trees: modeling security threats,” Dr. Dobb’s Journal, December 1999.
van Lamsweerde, A. (2004). Elaborating Security Requirements by Construction of Intentional Anti-Models. Proceedings. 26th International Conference on Software Engineering, 26(May), 148–157.
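The AND/OR refinement of an anti-goal can be evaluated mechanically, which is the point of treating an anti-goal as an obstacle. The following is an added example, not material from the talk or from KAOS tooling: a constructed anti-goal tree is refined down to leaf obstacles, a countermeasure is recorded as resolving one leaf, and the functions report which refinements still achieve the anti-goal. All goal and countermeasure names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass
class AntiGoal:
    """A node in a KAOS-style anti-goal (obstacle) refinement tree."""
    name: str
    op: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: List["AntiGoal"] = field(default_factory=list)


def cut_sets(node: AntiGoal) -> Set[FrozenSet[str]]:
    """Every combination of leaf obstacles that, together, achieves the anti-goal."""
    if node.op == "LEAF":
        return {frozenset([node.name])}
    if node.op == "OR":                                  # any one child suffices
        return set().union(*(cut_sets(c) for c in node.children))
    combos: Set[FrozenSet[str]] = {frozenset()}          # AND: all children needed
    for child in node.children:
        combos = {a | b for a in combos for b in cut_sets(child)}
    return combos


def residual_cut_sets(node: AntiGoal, resolved: FrozenSet[str]) -> Set[FrozenSet[str]]:
    """Cut sets that survive once each listed leaf obstacle is resolved by a countermeasure."""
    return {cs for cs in cut_sets(node) if not (cs & resolved)}


def achievable(node: AntiGoal, resolved: FrozenSet[str] = frozenset()) -> bool:
    """True while at least one refinement of the anti-goal is still unblocked."""
    return bool(residual_cut_sets(node, resolved))


# Constructed anti-goal threatening the security goal "patient records stay confidential".
READ_RECORDS = AntiGoal("attacker reads patient records", "OR", [
    AntiGoal("access via a hijacked session", "AND", [
        AntiGoal("obtain valid credential"),
        AntiGoal("defeat second factor"),
    ]),
    AntiGoal("read records from backup media", "AND", [
        AntiGoal("obtain backup media"),
        AntiGoal("backup is unencrypted"),
    ]),
])

if __name__ == "__main__":
    deployed = frozenset({"backup is unencrypted"})      # countermeasure: encrypt backups
    print(residual_cut_sets(READ_RECORDS, deployed))     # hijacked-session path remains
    print(achievable(READ_RECORDS, deployed | {"defeat second factor"}))   # False
```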
GORE: i*/Secure Tropos (GORE: Goal Oriented Requirements Engineering)
- i*/Tropos: Actor, Goal, Dependency, Goal Refinement (AND/OR)
- Secure Tropos: Security is a constraint; an attacker is an actor
Use cases for Security: Misuse Cases / Abuse Cases
- Abuse Cases, by J. McDermott: with an Abuse Actor
- Misuse Cases, by G. Sindre: relation between Threat and Countermeasure
Misuse Cases Metamodel
Threat Analysis by CORAS
Solhaug, B., & Stølen, K. (2013). The CORAS Language – Why it is Designed the Way it is. Safety, Reliability, Risk and Life-Cycle Performance of Structures and Infrastructures, 3155–3162.
Access Control Model: SecureUML
- UML Profile by David Basin
- Role Based Access Control (RBAC) Model
- Automatic Generation of Security Configuration (e.g., generate J2EE configuration)
Metamodel
※ David Basin: Model Driven Security
Security Design Model: UMLsec
- Design Model for Secure Systems, by Jan Jürjens
- Stereotypes for Security Design and their semantics
Stereotypes shown: Secure Protocol for integrity, Security Context, Control Flow Dependency, Data Flow Dependency
Jürjens, J. (2002). UMLsec: Extending UML for secure systems development. Proceedings of the 5th International Conference on The Unified Modeling Language, 412–425.
Models For Security Activities: KAOS, i*, Secure Tropos, Misuse Cases, …, UMLsec
Security Modelling
Liu, L., Yu, E., & Mylopoulos, J. (2003). Security and Privacy Requirements Analysis within a Social Setting (p. 151).
WHAT’s Privacy? Privacy Conceptual Model
Is Privacy a subset of Security?
Privacy Requirements ≒ Confidentiality of Personally Identifiable Information + Confidentiality of information about users + ability to control them (something private: facts = events or data) ⊆ Security Requirements
Privacy: 1) the state of being able to be alone; 2) the state of being free from public attention (Longman Dictionary)
The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively. (Wikipedia)
Privacy Conceptual Model by PriS
Kalloniatis, C., Kavakli, E., & Gritzalis, S. (2008). Addressing privacy requirements in system design: The PriS method. Requirements Engineering, 13(3), 241–255.
Modelling by LINDDUN
Deng, M., Wuyts, K., Scandariato, R., Preneel, B., & Joosen, W. (2011). A privacy threat analysis framework: Supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering, 16(1), 3–32.
Integrated Model of Security and Privacy
Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support selection of cloud providers based on security and privacy requirements. Journal of Systems and Software, 86(9), 2276–2293.
Metamodel for Security and Privacy Knowledge in Cloud Services
“All in One” Model on Security and Privacy?
All in One Model: Various Views for each activity
DIFFICULTY
Difficulty (1) Consistency between Models
(diagram: many Models across activities, among them Threat Models and Attack Models)
Security Model vs. Privacy Model
Privacy side: Privacy Requirements (User participation, Transparency, Minimal data collection); Disclosure of Personally Identifiable Information; Disclosure of Private Behavior (Privacy Assets); Risk to Users
Security side: Security Requirements (Availability, Integrity, Minimal Privilege); Disclosure of Organizational Assets; Risk to Business; Service Risk Assessment with the organization
Overlap: Security Requirements for Privacy (e.g., confidentiality of personal information); Privacy Requirements for Security (e.g., consent)
Conflicts between Security & Privacy Model
- Security Functions become Privacy threats (e.g., Identification threatens privacy)
- Privacy constricts Security Requirements
- Privacy Functions become Security threats (e.g., anonymity makes it hard to detect attackers)
- Security constricts Privacy Requirements
How to solve? Need a Trade-off?
Difficulty (2) Security and Privacy Risk
- Risk = Damage × Probability
- Statistical Model: data for estimation is needed
- Some incidents affect each other: risk reasoning is needed
- Risk is changeable
Difficulty (3) Modelling @Design
Definition of a Model at the Design stage is difficult:
- New Threats & Attacks
- Privacy Preference Model
- Runtime configuration is changeable (Network Configuration, Cloud Environment)
→ Model Creation @Runtime
→ Adaptation @Runtime
CHALLENGE
Challenge (1) Model Operations
(diagram) Lifecycle: REQUIREMENTS, DESIGN, IMPLEMENTATION, MAINTENANCE, with refactoring and feedback between stages
Models operated on: Privacy Models, Security Models, Solution Model, Network Model, Organization Model
Conflict between Security and Privacy Pattern
- Authentication Patterns. Security Goal: Identify attackers
- Anonymous Access Patterns. Privacy Goal: Never identify me
- Pseudonym Authentication Patterns. Security Goal: Identify only attackers; Privacy Enhanced Security: Minimal Identification
Security meets Privacy
Win-Win Pattern of Security and Privacy: Pseudonym Authentication Patterns
- Identification Provider: holds the Identifiable Information, authenticates the user and issues a Pseudonym ("I don’t watch your naked body")
- Service Provider: provides a service with a Pseudonym and holds only Privacy Information, no Identifiable Information ("I don’t know who you are")
- Separation of Duty between the Identification Provider and the Service Provider
(1) Monitoring with a Pseudonym
(2) Notify Aberrant behaviour to the Supervisor / Security Officer
(3) Catch a criminal
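The separation of duty in this pattern is easiest to see as data placement: only the Identification Provider can map a pseudonym back to a person, and only the Service Provider sees behaviour. The following is an added example, not code from the talk: a constructed three-party scenario in which a pseudonym is issued with a keyed hash, the service monitors actions per pseudonym, aberrant behaviour is reported to the security officer, and re-identification of that pseudonym alone is requested and audited. The key, user names, actions and threshold are all constructed.

```python
import hmac
import hashlib
from collections import defaultdict


class IdentificationProvider:
    """Authenticates users, issues pseudonyms, and alone can reverse them; sees no behaviour."""
    def __init__(self, key: bytes):
        self._key, self._reverse, self.audit = key, {}, []   # audit: every re-identification

    def authenticate(self, user_id: str, credential_ok: bool):
        if not credential_ok:
            return None
        pseudonym = hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[pseudonym] = user_id      # mapping lives only here
        return pseudonym

    def reidentify(self, pseudonym: str, reason: str):
        self.audit.append((pseudonym, reason))  # separation of duty: the request is recorded
        return self._reverse.get(pseudonym)


class ServiceProvider:
    """Serves and monitors users under their pseudonym only (step 1 of the pattern)."""
    THRESHOLD = 3                               # constructed: denied actions before 'aberrant'

    def __init__(self, officer):
        self.officer, self.events = officer, defaultdict(list)   # pseudonym -> [(action, ok)]

    def request(self, pseudonym: str, action: str, allowed: bool):
        self.events[pseudonym].append((action, allowed))
        denied = sum(1 for _, ok in self.events[pseudonym] if not ok)
        if denied == self.THRESHOLD:            # step 2: notify aberrant behaviour, by pseudonym
            self.officer.notify(pseudonym, f"{denied} denied actions")


class SecurityOfficer:
    """Receives notices by pseudonym and asks the IdP to re-identify only those (step 3)."""
    def __init__(self, idp):
        self.idp, self.identified = idp, []

    def notify(self, pseudonym: str, reason: str):
        self.identified.append(self.idp.reidentify(pseudonym, reason))


def run_scenario():
    idp = IdentificationProvider(b"constructed-demo-key")
    officer = SecurityOfficer(idp)
    sp = ServiceProvider(officer)
    alice, mallory = idp.authenticate("alice", True), idp.authenticate("mallory", True)
    sp.request(alice, "read own record", True)
    for _ in range(3):
        sp.request(mallory, "read another user's record", False)
    return idp, sp, officer, (alice, mallory)
```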
Challenge (2) Hybrid Model
Model Composition: Privacy Models + Security Models → Solution Model
Hybrid Model: Privacy Models and Security Models, each carrying Risk; Logical and Statistical parts combined
Challenge (3) Big data and Machine Learning
(diagram) Lifecycle: REQUIREMENTS, DESIGN, IMPLEMENTATION, MAINTENANCE, with refactoring and feedback between stages
Models: Privacy Models, Security Models, Solution Model, Network Model
Logs: System Log, User Log, Environment Log → Log Repository → Model Creation, Self-Adaptation
Catalog: Framework/Library, Patterns, Incident Cases → Development, Recommendation
Conclusions
1. Current Model and Modelling on Security and Privacy
   1. UML: Misuse case, UMLsec, SecureUML
   2. GORE: Secure Tropos, i*/Tropos, KAOS
   3. Meta-model: SIG, Common Criteria, STIX, SCPM…
2. Research Challenges on the Security and Privacy Model and Modelling
   1. Operation on Models on Security and Privacy with consistency
   2. Hybrid Models on Security and Privacy
   3. Big data and Machine Learning on Security and Privacy Modelling