Security patterns are reusable solutions, which enable the design of maintainable systems or applications that have to meet security requirements. The generic nature of security patterns and their growing number make their choices difficult, even for experts in software design. We propose to contribute in this issue by presenting a methodology of security pattern classification based upon data integration. The classification exhibits relationships among 215 software attacks, 66 security principles and 26 security patterns. It expresses pattern combinations, which are countermeasures to a given attack. This classification is semiautomatically inferred by means of a data-store integrating disparate publicly available security data. Besides pattern classification, we show that the data-store can be used to generate Attack Defence Trees. In our context, these illustrate, for a given attack, its sub-attacks, steps, techniques and the related defences given under the form of security pattern combinations. Such trees make the pattern classification more readable even for beginners in security patterns.
Security patterns are generic solutions that can be applied since early stages of software life to overcome recurrent security weaknesses. Their generic nature and growing number make their choice difficult, even for experts in system design. To help them on the pattern choice, this paper proposes a semiautomatic methodology of classification and the classification itself, which exposes relationships among software weaknesses, security principles and security patterns. It expresses which patterns remove a given weakness with respect to the security principles that have to be addressed to fix the weakness. The methodology is based on seven steps, which anatomize patterns and weaknesses into set of more precise sub-properties that are associated through a hierarchical organization of security principles. These steps provide the detailed justifications of the resulting classification and allow its upgrade. Without loss of generality, this classification has been established for Web applications and covers 185 software weaknesses, 26 security patterns and 66 security principles.
Web Services fall under the so-called emerging technologies category and are getting more and more used for Internet applications or business transactions. Since web services are often the foundation of large applications, they need to be reliable and robust. So, we propose in this paper, a robustness testing method of statefull web services, modeled with STS (Symbolic Transition Systems). We analyze the web service observability and the hazard effectiveness in a SOAP environment. Then, we propose a test case generation method based on the two hazards "Using unusual values" and "Replacing /Adding operation names", which are the only ones which can be applied. The Amazon E-commerce web service is taken as example.
Event logs are helpful to figure out what is happening in a system or to diagnose the causes that led to an unexpected crash or security issue. Unfortunately, their growing sizes and lacks of abstraction make them difficult to interpret, especially when a system integrates several communicating components. This paper proposes to learn models of communicating systems, e.g., Web service compositions, distributed applications, or IoT systems, from their event logs in order to help engineers understand how they are functioning and diagnose them. Our approach, called CkTail, generates one Input Output Labelled Transition System (IOLTS) for every component participating in the communications and dependency graphs illustrating another viewpoint of the system architecture. Compared to other model learning approaches, CkTail improves the precision of the generated models by better recognising sessions in event logs. Experimental results obtained from 9 case studies show the effectiveness of CkTail to recover accurate and general models along with component dependency graphs.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.