• DocumentCode
    182068
  • Title

    Vulnerability-Based Security Pattern Categorization in Search of Missing Patterns

  • Author

    Anand, Priya ; Jungwoo Ryoo ; Kazman, Rick

  • Author_Institution
    Coll. of Inf. Sci. & Technol., Pennsylvania State Univ., University Park, PA, USA
  • fYear
    2014
  • fDate
    8-12 Sept. 2014
  • Firstpage
    476
  • Lastpage
    483
  • Abstract
    A Security Pattern encapsulates security design expertise that addresses recurring information security problems in the form of a credentialed solution. It also presents potential problems and trade-offs in its application. This paper proposes a novel classification model for security patterns. Based on our review of more than one hundred security patterns, we categorize security patterns according to the type of vulnerability they address and also identify similar or identical patterns with different names. Our literature review indicates that there exists very little research on the categorization of security patterns based on vulnerabilities. Any attackers need to exploit existing vulnerabilities to break the security of an information system. To solve security problems effectively, we have to fix their root causes, which are vulnerabilities. The primary contribution of this paper is twofold: (1) to propose a novel security pattern classification model that helps software designers choose an appropriate security pattern once they know the type of a vulnerability they would like to remove and (2) to identify missing security patterns, which naturally emerge as a result of classifying security patterns according to the vulnerabilities they address. The identification of missing patterns could be useful in soliciting help to develop more patterns from the security community to tackle the vulnerabilities currently not handled by the existing patterns.
  • Keywords
    data mining; pattern classification; security of data; credentialed solution; identical pattern identification; information security problems; information system; missing pattern search; missing security pattern identification; security design encapsulation; security pattern classification model; security problems; similar pattern identification; vulnerability-based security pattern categorization; Authentication; Authorization; Availability; Encoding; Permission; Software; Categorization; Security Patterns; Vulnerabilities;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Availability, Reliability and Security (ARES), 2014 Ninth International Conference on
  • Conference_Location
    Fribourg
  • Type

    conf

  • DOI
    10.1109/ARES.2014.71
  • Filename
    6980321