Goal modelling for security problem matching and pattern enforcement

Yijun Yu, Haruhiko Kaiya, Nobukazu Yoshioka, Zhenjiang Hu, Hironori Washizaki, Yingfei Xiong, Amin Hosseinian-Far

Research output: Contribution to journalArticle

Abstract

This article describes how earlier detection of security problems and the implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering and sharing similar repeatable programming knowledge and solutions has led to the introduction of Patterns in the 90's. The same concept has been adopted to realise reoccurring security knowledge and hence security patterns. Detecting a security problem using the patterns in requirements models may lead to its early prevention. In this article, the authors have provided an overview of security patterns in the past two decades, followed by a summary of i*/Tropos goal modelling framework. Section 2 outlines model-driven development, meta-models and model transformation, within the context of requirements engineering. They have summarised security access control types, and formally described role-based access control (RBAC) in particular as a pattern that may occur in the stakeholder requirements models. Then the authors used the i* modelling language and some elements from its constructs - model-driven queries and transformations - to describe the pattern enforcement. This is applied to a number of requirements models within the literature, and the pattern-based transformation tool they designed has automated the detection and resolution of this security pattern in several goal-oriented stakeholder requirements. Finally, the article also reflects on a variety of existing applications and future work.
Original languageEnglish
Number of pages16
JournalInternational Journal of Secure Software Engineering (IJSSE)
Volume8
Issue number3
Early online date20 Feb 2018
DOIs
Publication statusE-pub ahead of print - 20 Feb 2018

Fingerprint

Access control
Requirements engineering
Costs
Modeling languages

Keywords

  • Security patterns
  • access control
  • RBAC
  • goal models
  • model transformations

Cite this

Yu, Yijun ; Kaiya, Haruhiko ; Yoshioka, Nobukazu ; Hu, Zhenjiang ; Washizaki, Hironori ; Xiong, Yingfei ; Hosseinian-Far, Amin. / Goal modelling for security problem matching and pattern enforcement. In: International Journal of Secure Software Engineering (IJSSE). 2018 ; Vol. 8, No. 3.
@article{e95e8206799040f597591ac423b91645,
title = "Goal modelling for security problem matching and pattern enforcement",
abstract = "This article describes how earlier detection of security problems and the implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering and sharing similar repeatable programming knowledge and solutions has led to the introduction of Patterns in the 90's. The same concept has been adopted to realise reoccurring security knowledge and hence security patterns. Detecting a security problem using the patterns in requirements models may lead to its early prevention. In this article, the authors have provided an overview of security patterns in the past two decades, followed by a summary of i*/Tropos goal modelling framework. Section 2 outlines model-driven development, meta-models and model transformation, within the context of requirements engineering. They have summarised security access control types, and formally described role-based access control (RBAC) in particular as a pattern that may occur in the stakeholder requirements models. Then the authors used the i* modelling language and some elements from its constructs - model-driven queries and transformations - to describe the pattern enforcement. This is applied to a number of requirements models within the literature, and the pattern-based transformation tool they designed has automated the detection and resolution of this security pattern in several goal-oriented stakeholder requirements. Finally, the article also reflects on a variety of existing applications and future work.",
keywords = "Security patterns, access control, RBAC, goal models, model transformations",
author = "Yijun Yu and Haruhiko Kaiya and Nobukazu Yoshioka and Zhenjiang Hu and Hironori Washizaki and Yingfei Xiong and Amin Hosseinian-Far",
year = "2018",
month = "2",
day = "20",
doi = "10.4018/IJSSE.2017070103",
language = "English",
volume = "8",
journal = "International Journal of Secure Software Engineering (IJSSE)",
issn = "1947-3036",
publisher = "IGI Global",
number = "3",

}

Goal modelling for security problem matching and pattern enforcement. / Yu, Yijun; Kaiya, Haruhiko; Yoshioka, Nobukazu; Hu, Zhenjiang; Washizaki, Hironori; Xiong, Yingfei; Hosseinian-Far, Amin.

In: International Journal of Secure Software Engineering (IJSSE), Vol. 8, No. 3, 20.02.2018.

Research output: Contribution to journalArticle

TY - JOUR

T1 - Goal modelling for security problem matching and pattern enforcement

AU - Yu, Yijun

AU - Kaiya, Haruhiko

AU - Yoshioka, Nobukazu

AU - Hu, Zhenjiang

AU - Washizaki, Hironori

AU - Xiong, Yingfei

AU - Hosseinian-Far, Amin

PY - 2018/2/20

Y1 - 2018/2/20

N2 - This article describes how earlier detection of security problems and the implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering and sharing similar repeatable programming knowledge and solutions has led to the introduction of Patterns in the 90's. The same concept has been adopted to realise reoccurring security knowledge and hence security patterns. Detecting a security problem using the patterns in requirements models may lead to its early prevention. In this article, the authors have provided an overview of security patterns in the past two decades, followed by a summary of i*/Tropos goal modelling framework. Section 2 outlines model-driven development, meta-models and model transformation, within the context of requirements engineering. They have summarised security access control types, and formally described role-based access control (RBAC) in particular as a pattern that may occur in the stakeholder requirements models. Then the authors used the i* modelling language and some elements from its constructs - model-driven queries and transformations - to describe the pattern enforcement. This is applied to a number of requirements models within the literature, and the pattern-based transformation tool they designed has automated the detection and resolution of this security pattern in several goal-oriented stakeholder requirements. Finally, the article also reflects on a variety of existing applications and future work.

AB - This article describes how earlier detection of security problems and the implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering and sharing similar repeatable programming knowledge and solutions has led to the introduction of Patterns in the 90's. The same concept has been adopted to realise reoccurring security knowledge and hence security patterns. Detecting a security problem using the patterns in requirements models may lead to its early prevention. In this article, the authors have provided an overview of security patterns in the past two decades, followed by a summary of i*/Tropos goal modelling framework. Section 2 outlines model-driven development, meta-models and model transformation, within the context of requirements engineering. They have summarised security access control types, and formally described role-based access control (RBAC) in particular as a pattern that may occur in the stakeholder requirements models. Then the authors used the i* modelling language and some elements from its constructs - model-driven queries and transformations - to describe the pattern enforcement. This is applied to a number of requirements models within the literature, and the pattern-based transformation tool they designed has automated the detection and resolution of this security pattern in several goal-oriented stakeholder requirements. Finally, the article also reflects on a variety of existing applications and future work.

KW - Security patterns

KW - access control

KW - RBAC

KW - goal models

KW - model transformations

UR - http://services.igi-global.com/resolvedoi/resolve.aspx?doi=10.4018/IJSSE.2017070103

UR - http://www.mendeley.com/research/goal-modelling-security-problem-matching-pattern-enforcement

U2 - 10.4018/IJSSE.2017070103

DO - 10.4018/IJSSE.2017070103

M3 - Article

VL - 8

JO - International Journal of Secure Software Engineering (IJSSE)

JF - International Journal of Secure Software Engineering (IJSSE)

SN - 1947-3036

IS - 3

ER -