WM2SP16 Keynote: Current and Future challenge of Model and Modelling on Security and Privacy

Copyright 2016 GRACE Center All Rights Reserved.

Current and Future challenge of Model and Modelling on Security and Privacy

Nobukazu Yoshioka, National Institute of Informatics14th November 2016

the 1st Workshop International Workshop for Models and Modelling on Security and Privacy (WM2SP-16)

@Gifu

3Copyright 2016 GRACE Center All Rights Reserved.

What’s Security or Privacy Model?n What’s is a Model on Computing?

WM2SP-16

A computer representation or scientific description of something

MathematicsGraphical or GraphStructured LanguageNatural Language

Longman Dictionary 4th Edition

Security Aspector

Private Aspect


For instance

WM2SP-16

UML based Model


For instance

WM2SP-16

Goal Oriented Requirements Engineering


What’s Security or Privacy Modelling?n What’s is Modelling on Computing?

WM2SP-16

the process of making a scientific or computer model of something to show how it works or to understand it better

Longman Dictionary 4th Edition

MathematicsGraphical or GraphStructured LanguageNatural Language

Security Aspector

Private Aspect

Why model?To whom? What? How?

Who make? When?


For Instance …

WM2SP-16

Domain Analysis

Requirements Engineering

Architecture Specification

Business Planning

Design

ImplementatoinMaintenance & Managements@Runtime

@in Advance

Computer

Response team

Librarian

UserManager

Engineer

M

M

M

M

M

M

MM

M

Why?

When?

To Whom?


My Talk1. Current Models and Modelling on Security and Privacy

1. Conceptual Model: SIG, Common Criteria, STIX, SCPM… 2. UML: Misusecase, UMLsec, secureUML3. GORE: SecureTropos, i*/Tropos, KAOS

2. Research Challenges on the Security and Privacy Model and Modelling1. Operation on Models on Security and Privacy with consistency2. Hybrid Models on Security and Privacy3. Big data and Machine Learning on Security and Privacy

Modelling

WM2SP-16


WHAT?Security and Privacy Activities

WM2SP-16


Security Activities by

WM2SP-16

7 Categories

Area


NICE: The National Initiative for Cybersecurity Education

NICE Cybersecurity Workforce Framework

https://www.nist.gov/image/16itl013niceframeworkpng


Task for Systems Requirements Planning

WM2SP-16


KnowledgeSkillAbility


Models to support Security Tasks

WM2SP-16

Models

Models

Models


Security Activities by

WM2SP-16

The Building Security In Maturity Model: BSIMM6


Building Security In Maturity Model (BSIMM) Version 6

Models for Attack Patterns


WHEN?Security Lifecycle

WM2SP-16


Security Activities for Security Lifecycle

WM2SP-16

Microsoft Security Development Lifecycle https://www.microsoft.com/en-us/sdl/

ModelsModels Models Models


WHAT’s Security?Security Conceptual Model

WM2SP-16


Security Aspectn Asset: data or service to be protectedn Stakeholder: owner of an asset or actors of assetsn Security objective: security goals to satisfy securityn Threat: Possibility to harm to assetsn Attack: Activities trying to violate security goalsn Attacker: Actors to attack assetsn Vulnerability: Weakness of a system to violate security

goalsn Countermeasure: Activities to prevent, mitigate or avoid

attacksn Risk: Possibility to success attack and degree of the

damage

WM2SP-16


Security Goal Conceptual Model

WM2SP-16

Cappelli, C., Cunha, H., Gonzalez-Baixauli, B., & Leite, J. (2010). Transparency versus security. Proceedings of the 2010 ACM Symposium on Applied Computing - SAC ’10, 298.


Security Conceptual Model by Haley

Haley, C. B., Laney, R., & Moffett, J. D. (2008). Security Requirements Engineering  : A Framework for Representation and Analysis. IEEE Transactions on Software Engineering, 34(1), 133–153.

WM2SP-16


Security Conceptual Model by Taguchi

Taguchi, K., Yoshioka, N., Tobita, T., & Kaneko, H. (2010). Aligning security requirements and security assurance using the common criteria. In SSIRI 2010 - 4th IEEE International Conference on Secure Software Integration and Reliability Improvement (pp. 69–77).WM2SP-16


Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™)

WM2SP-16http://stixproject.github.io/getting-started/whitepaper/


STIX Models for Security Response

WM2SP-16


KAOS & Attack Tree for Threat Analysisn by A. Lamsweerden Refine system goal with AND/OR

refinementn Analysis Anti-Goal to threaten security

goals

Anti-Goal = Obstacle = Security Threat B. Schneier, “Attack trees: modeling security threats,” Dr. Dobb’s Journal, December 1999.

WM2SP-16

van Lamsweerde, A. (2004). Elaborating Security Requirements by Construction of Intentional Anti-Models. Proceedings. 26th International Conference on Software Engineering, 26(May), 148–157.


GORE: i*/Secure Tropos

Actor

Goal

Dependency

Goal Refinement(AND/OR)

i*/Tropos

Secure Tropos

Security is a constraintAn attacker as an actor

GORE: Goal Oriented Requirements EngineeringWM2SP-16


Usecase for Security: Misuse cases/Abuse Casesn Abuse Cases

n by J. McDermottn with Abuse Actor

n Misuse Casesn by G. Sindren Relation between Threat

and Countermeasure

Misuse Cases

Metamodel

WM2SP-16


Threat Analysis by CORAS

WM2SP-16

Solhaug, B., & Stølen, K. (2013). The CORAS Language – Why it is Designed the Way it is. Safety, Reliability, Risk and Life-Cycle Performance of Structures and Infrastructures, 3155–3162.


Access Control Model: SecureUML

Generate J2EE configuration

※David Basin：Model Driven Security

Metamodel

n UML Profile by David Basinn Role Based Access Control（RBAC）Modeln Automatic Generation of Security Configuration

WM2SP-16


Security Design Model: UMLsecn Design Model for Secure System

by Jan Jurjensn Stereo Types for Security Design

and the semantics

Secure Protocol for integrity

Security Context

Control Flow Dependency

Data Flow DependencyWM2SP-16

Jürjens, J. (2002). UMLsec: Extending UML for secure systems development. Proceedings of the 5th International Conference on The Unified Modeling Language, 412–425.


Models For Security Activities

WM2SP-16

KAOSi*, Secure

TroposMisuse Cases…

UMLsec


Security Modelling

WM2SP-16

Liu, L., Yu, E., & Mylopoulos, J. (2003). Security and Privacy Requirements Analysis within a Social Setting (p. 151). JOUR.


WHAT’s Privacy?Privacy Conceptual Model

WM2SP-16


Is Privacy a subset of Security?

Privacy Requirements≒ Confidentiality of Personally Identifiable Information+ Confidentiality of information about users + ability to control them

something private facts = events or data

⊆ Security Requirements

Privacy:1) the state of being able to be alone2) the state of being free from public attention

(Longman Dictionary)The ability of an individual or group to seclude themselves or information about themselves andthereby reveal themselves selectively. (wikipedia)

WM2SP-16


Privacy Conceptual Model by PriS

WM2SP-16

Kalloniatis, C., Kavakli, E., & Gritzalis, S. (2008). Addressing privacy requirements in system design: The PriS method. Requirements Engineering, 13(3), 241–255. JOUR.


Modelling by LINDDUN

WM2SP-16

Deng, M., Wuyts, K., Scandariato, R., Preneel, B., & Joosen, W. (2011). A privacy threat analysis framework: Supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering, 16(1), 3–32. JOUR.


Integrated Model of Security and Privacy

WM2SP-16

Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support selection of cloud providers based on security and privacy requirements. Journal of Systems and Software, 86(9), 2276–2293. JOUR.


Metamodel for Security and Privacy Knowledge in Cloud Services

WM2SP-16


“All in One” Model on Security and Privacy?

WM2SP-16

All in One Model

Various Views for each activity


DIFFICULTY

WM2SP-16


ModelsModelsModels

Difficulty (1) Consistency between Models

WM2SP-16

Models Models Models Models Models

Threat Models

Attack Models

Attack Models

AttackModels


Security Model vs. Privacy Model

Security Requirements for Privacy(e.g., confidentiality of personal information)

Privacy Requirements for Security(e.g., consent)

Privacy Security

Disclosure of Organizational Assets

Disclosure of Personally identifiable information

Security RequirementsPrivacy Requirements

User participation, TransparencyMinimal data collection

AvailabilityIntegrity

Minimal Privilege

Risk to Users Risk to Business

Disclosure of Private Behavior(Privacy Assets)

ServiceRisk Assessment with organization

WM2SP-16


Conflicts between Security & Privacy Model

Security Functions become Privacy threats(e.g., Identification threatens privacy)

Privacy constricts Security Requirements

Privacy Security

Privacy SecurityPrivacy Functions become Security threats

(e.g., anonymity makes hard to detect attackers)

Security constricts Privacy Requirements

How to solve? Need Trade-‐off?

WM2SP-16


Difficulty (2) Security and Privacy Riskn Risk = Damage × Probability

n Statistical Modeln Data for estimation is needed

n Some incidents affect each othersn Risk reasoning is needed

n Risk is changeable

WM2SP-16


Difficulty (3) Modelling @DesignDefinition of Model at Design stage is difficultn New Threat & Attackn Privacy Preference Modeln Runtime configuration is changeable

n Network Configuration, Cloud Environment

Ø Model Creation @RuntimeØ Adaptation @Runtime

WM2SP-16


CHALLENGE

WM2SP-16


Challenge (1) Model Operations

WM2SP-16

Privacy Models

Security Models

Solution Model

MAINTENANCEIMPLEMENTATIONDESIGNREQUIREMENTS

Network Model

Solution Model

Organization Model

refactaringfeedback


Conflict between Security and Privacy Pattern

Authentication PatternsAnonymous Access Patterns

Privacy Goal:Never identify me

Security Goal:Identify attackers

Pseudonym Authentication Patterns

Security Goal:Identify only attackers

Privacy Enhanced Security:Minimal Indentation

Security meets Privacy

WM2SP-16


Win-Win Pattern of Security and Privacy

(2) Notify Aberrant

Privacy InformationIdentifiable Information

(1)Monitoring with a Pseudonym

(3) Catch a criminal

SupervisorSecurity Officer

I don’t know who you are

Gun

I don’t watch your naked body

Identification Provider

Separation of Duty

Service Provider

Pseudonym Authentication PatternsIdentifiable Information

Pseudonym Provide a Service with a Pseudonym

authenticateWM2SP-16


Challenge (2) Hybrid Model

WM2SP-16

Privacy Models

Security Models

Solution Model

Model Composition

Hybrid ModelPrivacy Models

Security Models

Risk Risk

Logical

Statistic


Challenge (3) Big data and Machine Learning

WM2SP-16

Privacy Models

Security Models

Solution Model

MAINTENANCEIMPLEMENTATIONDESIGNREQUIREMENTS

Network Model

Solution Model

refactaringfeedback

System Log

User Log

Environment Log

Model CreationSelf-Adaptation

Framework/Library

PatternsIncident Case

CatalogDevelopment

Log Repository

Recommendation


Conclusions1. Current Model and Modelling on Security and Privacy

1. UML: Misusecase, UMLsec, secureUML2. GORE: SecureTropos, i*/Tropos, KAOS3. Meta-model: SIG, Common Criteria, STIX, SCPM…

2. Research Challenge on the Security and Privacy Model and Modelling1. Operation on Models on Security and Privacy with consistency2. Hybrid Models on Security and Privacy3. Big data and Machine Learning on Security and Privacy

Modelling

WM2SP-16

WM2SP16 Keynote: Current and Future challenge of Model and Modelling on Security and Privacy

Software

Transcript of WM2SP16 Keynote: Current and Future challenge of Model and Modelling on Security and Privacy