Software security vulnerability patterns based on ontology

Cited by: 0
Authors
Hu, Xuan [1, 2]
Chen, Junming [1, 2]
Li, Haifeng [3]
Affiliations
[1] Information Security Center, The Fifth Research Institute of Electronics, Ministry of Industry and Information Technology, Guangzhou
[2] The Ministry of Industry and Information Technology Key Laboratory of Performance and Reliability Testing and Evaluation for Basic Software and Hardware, Guangzhou
[3] School of Reliability and Systems Engineering, Beihang University, Beijing
Source
Beijing Hangkong Hangtian Daxue Xuebao/Journal of Beijing University of Aeronautics and Astronautics | 2024 / Vol. 50 / No. 10
Keywords
ontology; pattern; penetration testing; software error; software security vulnerabilities
DOI
10.13700/j.bh.1001-5965.2022.0783
Abstract
This paper studies the lifetime of software security vulnerabilities under the DevSecOps framework aiming at the conceptual confusion problem of research on software errors and software security vulnerabilities. This work provides a definition of software security vulnerability pattern together with vulnerability characteristics, and uses ontology to represent it. It is based on four scenarios of introducing vulnerabilities in the life cycle of software security vulnerabilities. An ontology is an explicit specification of a conceptualization, which can solve the problems of ambiguity, inconsistency, difficulty in sharing, and excessive dependence on personnel knowledge and experience caused by the dispersion of analysis knowledge in the field of software security vulnerability research. A three-layer model for vulnerability analysis is built, comprising the event representation layer, behavior action layer, and vulnerability technology layer, based on the study of software security vulnerability patterns and accounting for the macro event performance. The example application implements penetration testing according to the hierarchical structure of the built model, including security risk analysis, threat modeling, vulnerability analysis, and penetration attacks. The experimental results show that the improved penetration testing method based on the software security vulnerability pattern ontology library proposed in this paper is scientific and effective. © 2024 Beijing University of Aeronautics and Astronautics (BUAA). All rights reserved.
Pages: 3084 / 3099
Page count: 15