
WM2SP16 Keynote: Current and Future challenge of Model and Modelling on Security and Privacy


My talk covers current models and modelling on Security and Privacy: conceptual models such as SIG, Common Criteria, STIX and SCPM; UML based models such as Misusecase, UMLsec and secureUML; and GORE models such as SecureTropos, i*/Tropos and KAOS.
Additionally, research challenges on Security and Privacy Models and Modelling are discussed:
- Operation on Models on Security and Privacy with consistency
- Hybrid Models on Security and Privacy
- Big data and Machine Learning on Security and Privacy Modelling

Published in: Software


  1. Copyright 2016 GRACE Center All Rights Reserved. Current and Future challenge of Model and Modelling on Security and Privacy. Nobukazu Yoshioka, National Institute of Informatics. 14th November 2016, the 1st International Workshop for Models and Modelling on Security and Privacy (WM2SP-16) @Gifu
  2. (title image, no text)
  3. What's a Security or Privacy Model? What is a Model on Computing? "A computer representation or scientific description of something" (Longman Dictionary, 4th Edition). Representations: mathematics; graphical or graph; structured language; natural language. Subject: the Security Aspect or the Private Aspect.
  4. For instance: UML based Model
  5. For instance: Goal Oriented Requirements Engineering
  6. (image, no text)
  7. What's Security or Privacy Modelling? What is Modelling on Computing? "The process of making a scientific or computer model of something to show how it works or to understand it better" (Longman Dictionary, 4th Edition). Representations: mathematics; graphical or graph; structured language; natural language. Subject: the Security Aspect or the Private Aspect. Why model? To whom? What? How? Who makes it? When?
  8. For instance: models (M) appear at each activity, in advance and at runtime: Domain Analysis, Requirements Engineering, Architecture Specification, Business Planning, Design, Implementation, Maintenance & Management. For whom: Computer Response Team, Librarian, User, Manager, Engineer. Why? When? To whom?
  9. My Talk
     1. Current Models and Modelling on Security and Privacy
        1. Conceptual Model: SIG, Common Criteria, STIX, SCPM…
        2. UML: Misusecase, UMLsec, secureUML
        3. GORE: SecureTropos, i*/Tropos, KAOS
     2. Research Challenges on the Security and Privacy Model and Modelling
        1. Operation on Models on Security and Privacy with consistency
        2. Hybrid Models on Security and Privacy
        3. Big data and Machine Learning on Security and Privacy Modelling
  10. WHAT? Security and Privacy Activities
  11. Security Activities by Area: 7 Categories
  12. NICE: The National Initiative for Cybersecurity Education. NICE Cybersecurity Workforce Framework, https://www.nist.gov/image/16itl013niceframeworkpng
  13. Task for Systems Requirements Planning
  14. Knowledge, Skill, Ability
  15. Models to support Security Tasks
  16. Security Activities by the Building Security In Maturity Model: BSIMM6
  17. Building Security In Maturity Model (BSIMM) Version 6: Models for Attack Patterns
  18. WHEN? Security Lifecycle
  19. Security Activities for the Security Lifecycle: Microsoft Security Development Lifecycle, https://www.microsoft.com/en-us/sdl/ (models at each phase)
  20. WHAT's Security? Security Conceptual Model
  21. Security Aspect
     - Asset: data or service to be protected
     - Stakeholder: owner of an asset, or actors on assets
     - Security objective: security goals that must be satisfied
     - Threat: possibility of harm to assets
     - Attack: activities trying to violate security goals
     - Attacker: actors who attack assets
     - Vulnerability: weakness of a system through which security goals can be violated
     - Countermeasure: activities to prevent, mitigate or avoid attacks
     - Risk: possibility that an attack succeeds, and degree of the damage
  22. Security Goal Conceptual Model. Cappelli, C., Cunha, H., Gonzalez-Baixauli, B., & Leite, J. (2010). Transparency versus security. Proceedings of the 2010 ACM Symposium on Applied Computing - SAC '10, 298.
  23. Security Conceptual Model by Haley. Haley, C. B., Laney, R., & Moffett, J. D. (2008). Security Requirements Engineering: A Framework for Representation and Analysis. IEEE Transactions on Software Engineering, 34(1), 133–153.
  24. Security Conceptual Model by Taguchi. Taguchi, K., Yoshioka, N., Tobita, T., & Kaneko, H. (2010). Aligning security requirements and security assurance using the common criteria. In SSIRI 2010 - 4th IEEE International Conference on Secure Software Integration and Reliability Improvement (pp. 69–77).
  25. Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™). http://stixproject.github.io/getting-started/whitepaper/
  26. STIX Models for Security Response
  27. KAOS & Attack Tree for Threat Analysis
     - KAOS by A. van Lamsweerde
     - Refine system goals with AND/OR refinement
     - Analyse anti-goals that threaten security goals: Anti-Goal = Obstacle = Security Threat
     B. Schneier, "Attack trees: modeling security threats," Dr. Dobb's Journal, December 1999. van Lamsweerde, A. (2004). Elaborating Security Requirements by Construction of Intentional Anti-Models. Proceedings, 26th International Conference on Software Engineering, 148–157.
  28. GORE: i*/Secure Tropos (GORE: Goal Oriented Requirements Engineering). i*/Tropos: Actor, Goal, Dependency, Goal Refinement (AND/OR). Secure Tropos: security is a constraint; an attacker is modelled as an actor.
  29. Use cases for Security: Misuse Cases / Abuse Cases
     - Abuse Cases by J. McDermott, with an abuse actor
     - Misuse Cases by G. Sindre, relating threats and countermeasures (Misuse Cases Metamodel)
  30. Threat Analysis by CORAS. Solhaug, B., & Stølen, K. (2013). The CORAS Language – Why it is Designed the Way it is. Safety, Reliability, Risk and Life-Cycle Performance of Structures and Infrastructures, 3155–3162.
  31. Access Control Model: SecureUML
     - UML Profile by David Basin (Model Driven Security)
     - Role Based Access Control (RBAC) Model
     - Automatic Generation of Security Configuration (from the metamodel, generate J2EE configuration)
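As an added illustration of the SecureUML idea on slide 31 (an RBAC model, then generated configuration), not code from the talk or from Basin's tooling: a constructed role hierarchy with permissions, a permission check that honours role inheritance, and a generator that emits J2EE web.xml security constraints; the model shape and the action-to-HTTP-method mapping are assumptions.

```python
from xml.sax.saxutils import escape

# Constructed SecureUML-style access-control model (assumed shape, not SecureUML's metamodel):
# a role hierarchy (child -> parent) and permissions granting actions on a resource to a role.
ROLES = {"User": None, "Auditor": "User", "Admin": "Auditor"}
PERMISSIONS = [("User", "/account", {"read"}),
               ("Auditor", "/audit", {"read"}),
               ("Admin", "/account", {"read", "write", "delete"})]
ACTION_TO_METHOD = {"read": "GET", "write": "POST", "delete": "DELETE"}  # assumed mapping

def ancestors(role):
    """The role itself plus every role it inherits from (Admin -> Auditor -> User)."""
    chain = []
    while role is not None:
        chain.append(role)
        role = ROLES[role]
    return chain

def allowed_roles(resource, action):
    """Roles that may perform action on resource, directly or through inheritance."""
    direct = {r for r, res, acts in PERMISSIONS if res == resource and action in acts}
    return {r for r in ROLES if any(a in direct for a in ancestors(r))}

def is_permitted(role, resource, action):
    return role in allowed_roles(resource, action)

def generate_web_xml():
    """Emit J2EE web.xml <security-constraint> and <security-role> elements from the model."""
    lines = []
    for resource in sorted({res for _, res, _ in PERMISSIONS}):
        actions = sorted({a for _, res, acts in PERMISSIONS if res == resource for a in acts})
        for action in actions:  # one constraint per (resource, action); roles are flattened
            lines += ["  <security-constraint>",
                      "    <web-resource-collection>",
                      f"      <web-resource-name>{escape(resource)} {action}</web-resource-name>",
                      f"      <url-pattern>{escape(resource)}/*</url-pattern>",
                      f"      <http-method>{ACTION_TO_METHOD[action]}</http-method>",
                      "    </web-resource-collection>",
                      "    <auth-constraint>"]
            lines += [f"      <role-name>{escape(r)}</role-name>" for r in sorted(allowed_roles(resource, action))]
            lines += ["    </auth-constraint>", "  </security-constraint>"]
    lines += [f"  <security-role><role-name>{escape(r)}</role-name></security-role>" for r in sorted(ROLES)]
    return "\n".join(lines)
```

The generator lists every effective role for each constraint because web.xml itself has no notion of role inheritance; that flattening step is where a model-level hierarchy and the deployed configuration can silently diverge if done by hand.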
  32. Security Design Model: UMLsec
     - Design model for secure systems by Jan Jürjens
     - Stereotypes for security design and their semantics: secure protocol for integrity, security context, control flow dependency, data flow dependency
     Jürjens, J. (2002). UMLsec: Extending UML for secure systems development. Proceedings of the 5th International Conference on The Unified Modeling Language, 412–425.
  33. Models for Security Activities: KAOS; i*, Secure Tropos; Misuse Cases…; UMLsec
  34. Security Modelling. Liu, L., Yu, E., & Mylopoulos, J. (2003). Security and Privacy Requirements Analysis within a Social Setting (p. 151).
  35. WHAT's Privacy? Privacy Conceptual Model
  36. Is Privacy a subset of Security? Privacy Requirements ≒ Confidentiality of Personally Identifiable Information + Confidentiality of information about users + ability to control them (something private: facts = events or data) ⊆ Security Requirements. Privacy: 1) the state of being able to be alone; 2) the state of being free from public attention (Longman Dictionary). The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively (Wikipedia).
  37. Privacy Conceptual Model by PriS. Kalloniatis, C., Kavakli, E., & Gritzalis, S. (2008). Addressing privacy requirements in system design: The PriS method. Requirements Engineering, 13(3), 241–255.
  38. Modelling by LINDDUN. Deng, M., Wuyts, K., Scandariato, R., Preneel, B., & Joosen, W. (2011). A privacy threat analysis framework: Supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering, 16(1), 3–32.
  39. Integrated Model of Security and Privacy. Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support selection of cloud providers based on security and privacy requirements. Journal of Systems and Software, 86(9), 2276–2293.
  40. Metamodel for Security and Privacy Knowledge in Cloud Services
  41. "All in One" Model on Security and Privacy? An all-in-one model versus various views for each activity.
  42. DIFFICULTY
  43. Difficulty (1): Consistency between Models (many models: threat models, attack models, …)
  44. Security Model vs. Privacy Model. Security requirements for privacy (e.g., confidentiality of personal information); privacy requirements for security (e.g., consent). Privacy side: disclosure of personally identifiable information, disclosure of private behaviour (privacy assets), risk to users; privacy requirements: user participation, transparency, minimal data collection. Security side: disclosure of organizational assets, risk to business, risk assessment with the organization; security requirements: availability, integrity, minimal privilege. A Service is subject to both sets of requirements.
  45. Conflicts between Security & Privacy Models. Security functions become privacy threats (e.g., identification threatens privacy): privacy constricts security requirements. Privacy functions become security threats (e.g., anonymity makes it hard to detect attackers): security constricts privacy requirements. How to solve this? Is a trade-off needed?
  46. Difficulty (2): Security and Privacy Risk
     - Risk = Damage × Probability
     - Statistical model: data for estimation is needed
     - Some incidents affect each other: risk reasoning is needed
     - Risk is changeable
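As an added example tying slide 27 (AND/OR anti-goal refinement, attack trees) to slide 46 (Risk = Damage × Probability, incidents that affect each other), not from the talk: a constructed anti-goal tree with assumed leaf probabilities, the textbook bottom-up probability formula next to an exact enumeration, and the resulting risk figure; the second tree shares a leaf between two branches to show where the bottom-up formula misjudges the risk.

```python
from itertools import product
from math import prod

# Constructed toy anti-goal tree in KAOS/attack-tree style (assumed values, not from the talk).
# A node is ("AND", [children]) / ("OR", [children]) or a leaf name; leaves carry assumed probabilities.
LEAF_P = {"weak_password": 0.2, "phished_credential": 0.1, "no_mfa": 0.5, "exposed_backup": 0.05}
TREE = ("OR", [("AND", [("OR", ["weak_password", "phished_credential"]), "no_mfa"]),
               "exposed_backup"])
# Same anti-goal, refined so that one leaf (no_mfa) is shared by two branches: the incidents
# now "affect each other", which the bottom-up textbook formula cannot see.
SHARED = ("OR", [("AND", ["no_mfa", "weak_password"]), ("AND", ["no_mfa", "phished_credential"])])
DAMAGE = 1_000_000  # assumed damage if the root anti-goal is achieved

def leaves(node):
    return {node} if isinstance(node, str) else set().union(*(leaves(c) for c in node[1]))

def evaluate(node, outcome):
    """Is the node achieved, given outcome: leaf name -> True/False?"""
    if isinstance(node, str):
        return outcome[node]
    op, children = node
    results = [evaluate(c, outcome) for c in children]
    return all(results) if op == "AND" else any(results)

def prob_naive(node, p=LEAF_P):
    """Bottom-up formula: AND = product, OR = 1 - prod(1 - p). Assumes independent subtrees."""
    if isinstance(node, str):
        return p[node]
    op, children = node
    ps = [prob_naive(c, p) for c in children]
    return prod(ps) if op == "AND" else 1 - prod(1 - x for x in ps)

def prob_exact(node, p=LEAF_P):
    """Exact probability by enumerating every leaf outcome; correct even with shared leaves."""
    names = sorted(leaves(node))
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        outcome = dict(zip(names, bits))
        if evaluate(node, outcome):
            total += prod(p[n] if outcome[n] else 1 - p[n] for n in names)
    return total

def risk(node, damage=DAMAGE, p=LEAF_P):
    """Risk = Damage x Probability, using the exact probability of the anti-goal."""
    return damage * prob_exact(node, p)
```

For TREE both methods agree (0.183, risk 183,000); for SHARED the bottom-up formula reports 0.145 while the exact value is 0.14, because it treats the two occurrences of no_mfa as independent events.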
  47. Difficulty (3): Modelling @Design. Defining the model at the design stage is difficult:
     - New threats & attacks
     - Privacy preference model
     - Runtime configuration is changeable (network configuration, cloud environment)
     Hence: model creation @Runtime; adaptation @Runtime
  48. CHALLENGE
  49. Challenge (1): Model Operations. Across REQUIREMENTS, DESIGN, IMPLEMENTATION and MAINTENANCE: privacy models, security models, solution model, network model, organization model, with refactoring and feedback between them.
  50. Conflict between Security and Privacy Patterns. Anonymous Access Patterns (privacy goal: never identify me) versus Authentication Patterns (security goal: identify attackers). Pseudonym Authentication Patterns (security goal: identify only attackers). Privacy Enhanced Security: minimal identification; security meets privacy.
  51. Win-Win Pattern of Security and Privacy: Pseudonym Authentication Patterns with Separation of Duty. Identification Provider: authenticates the user and holds the identifiable information. Service Provider: provides a service with a pseudonym ("I don't know who you are"). Security Officer: (1) monitoring with a pseudonym ("I don't watch your naked body"), (2) notify aberrant behaviour. Supervisor: (3) catch a criminal, using the identifiable information.
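As an added simulation of the win-win pattern on slide 51, not code from the talk: an Identification Provider that authenticates and issues pseudonyms, a Service Provider and a Security Officer that only ever see pseudonyms, and re-identification that the Identification Provider permits only against a report carrying the officer's key (separation of duty); all keys, users and log events are constructed.

```python
import hashlib, hmac
from collections import Counter

class IdentificationProvider:
    """Holds identifiable information and credentials; hands the service a pseudonym only."""
    def __init__(self, idp_key, officer_key, users):
        self.idp_key, self.officer_key = idp_key, officer_key
        # user_id -> sha256(password): toy credential store, not a production password hash
        self.users = {u: hashlib.sha256(pw.encode()).hexdigest() for u, pw in users.items()}
    def pseudonym(self, user_id):
        # Stable per-user pseudonym: sessions can be linked and monitored, but not named.
        return hmac.new(self.idp_key, user_id.encode(), "sha256").hexdigest()[:16]
    def authenticate(self, user_id, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        return self.pseudonym(user_id) if self.users.get(user_id) == digest else None
    def reidentify(self, pseudonym, report):
        """Separation of duty: a pseudonym is resolved only for a report tagged with the officer's key."""
        expected = hmac.new(self.officer_key, pseudonym.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, report):
            raise PermissionError("re-identification requires a security-officer report")
        return next(uid for uid in self.users if self.pseudonym(uid) == pseudonym)

class ServiceProvider:
    """Serves requests under a pseudonym ("I don't know who you are")."""
    def __init__(self):
        self.log = []  # (pseudonym, action, succeeded)
    def serve(self, pseudonym, action, succeeded):
        self.log.append((pseudonym, action, succeeded))

class SecurityOfficer:
    """Monitors the pseudonymous log only ("I don't watch your naked body")."""
    def __init__(self, officer_key, threshold=3):
        self.officer_key, self.threshold = officer_key, threshold
    def notify_aberrant(self, log):
        # {pseudonym: report tag} for users with >= threshold failed actions; still no names
        failures = Counter(p for p, _, ok in log if not ok)
        return {p: hmac.new(self.officer_key, p.encode(), "sha256").hexdigest()
                for p, n in failures.items() if n >= self.threshold}

def run_scenario():
    """Constructed scenario: alice behaves, mallory repeatedly fails a privileged action."""
    idp = IdentificationProvider(b"idp-secret", b"officer-secret",      # assumed keys
                                 {"alice": "pw-a", "mallory": "pw-m"})  # constructed users
    sp, officer = ServiceProvider(), SecurityOfficer(b"officer-secret")
    pa, pm = idp.authenticate("alice", "pw-a"), idp.authenticate("mallory", "pw-m")
    sp.serve(pa, "read", True)                       # (1) service and monitoring see pseudonyms
    for _ in range(3):
        sp.serve(pm, "export_all", False)
    reports = officer.notify_aberrant(sp.log)        # (2) notify aberrant behaviour
    caught = {idp.reidentify(p, r) for p, r in reports.items()}  # (3) supervisor catches the criminal
    return pa, pm, reports, caught
```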
  52. Challenge (2): Hybrid Model. Model composition of privacy models and security models into a solution model; a hybrid model combining logical and statistical risk.
  53. Challenge (3): Big Data and Machine Learning. Across REQUIREMENTS, DESIGN, IMPLEMENTATION and MAINTENANCE: privacy models, security models, solution model, network model, with refactoring and feedback. Inputs: system log, user log, environment log, development log, incident case catalog, framework/library patterns, repository. Outputs: model creation, self-adaptation, recommendation.
  54. Conclusions
     1. Current Model and Modelling on Security and Privacy
        1. UML: Misusecase, UMLsec, secureUML
        2. GORE: SecureTropos, i*/Tropos, KAOS
        3. Meta-model: SIG, Common Criteria, STIX, SCPM…
     2. Research Challenge on the Security and Privacy Model and Modelling
        1. Operation on Models on Security and Privacy with consistency
        2. Hybrid Models on Security and Privacy
        3. Big data and Machine Learning on Security and Privacy Modelling
