DocumentCode
182068
Title
Vulnerability-Based Security Pattern Categorization in Search of Missing Patterns
Author
Anand, Priya ; Jungwoo Ryoo ; Kazman, Rick
Author_Institution
Coll. of Inf. Sci. & Technol., Pennsylvania State Univ., University Park, PA, USA
fYear
2014
fDate
8-12 Sept. 2014
Firstpage
476
Lastpage
483
Abstract
A Security Pattern encapsulates security design expertise that addresses recurring information security problems in the form of a credentialed solution. It also presents potential problems and trade-offs in its application. This paper proposes a novel classification model for security patterns. Based on our review of more than one hundred security patterns, we categorize security patterns according to the type of vulnerability they address and also identify similar or identical patterns with different names. Our literature review indicates that there exists very little research on the categorization of security patterns based on vulnerabilities. Any attackers need to exploit existing vulnerabilities to break the security of an information system. To solve security problems effectively, we have to fix their root causes, which are vulnerabilities. The primary contribution of this paper is twofold: (1) to propose a novel security pattern classification model that helps software designers choose an appropriate security pattern once they know the type of a vulnerability they would like to remove and (2) to identify missing security patterns, which naturally emerge as a result of classifying security patterns according to the vulnerabilities they address. The identification of missing patterns could be useful in soliciting help to develop more patterns from the security community to tackle the vulnerabilities currently not handled by the existing patterns.
Keywords
data mining; pattern classification; security of data; credentialed solution; identical pattern identification; information security problems; information system; missing pattern search; missing security pattern identification; security design encapsulation; security pattern classification model; security problems; similar pattern identification; vulnerability-based security pattern categorization; Authentication; Authorization; Availability; Encoding; Permission; Software; Categorization; Security Patterns; Vulnerabilities;
fLanguage
English
Publisher
ieee
Conference_Titel
Availability, Reliability and Security (ARES), 2014 Ninth International Conference on
Conference_Location
Fribourg
Type
conf
DOI
10.1109/ARES.2014.71
Filename
6980321
Link To Document