Using requirements engineering in an automatic security policy derivation process

Mariem Graa; Nora Cuppens-Boulahia; Fabien Autrel; Hanieh Azkia; Frédéric Cuppens; Gouenou Coatrieux; Ana Cavalli; Amel Mammar

doi:10.1007/978-3-642-28879-1_11

Using requirements engineering in an automatic security policy derivation process

Mariem Graa
, Nora Cuppens-Boulahia
, Fabien Autrel
, Hanieh Azkia
, Frédéric Cuppens
, Gouenou Coatrieux
, Ana Cavalli
, Amel Mammar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Traditionally, a security policy is defined from an informal set of requirements, generally written using natural language. It is then difficult to appreciate the compatibility degree of the manually generated security policy with the informal requirements definition. The idea of this paper is to automate the process of deriving the formal security policy, using a more structured specification of the security objectives issued by the administrator of the information system to be secured. We chose the goal-oriented methodology KAOS to express the functional objectives, then based on the results of a risk analysis, we integrate the security objectives to the obtained KAOS framework. Finally, through a process of transformation applied to this structured security objectives specification, we automatically generate the corresponding security policy. This policy is consistent with the access control model OrBAC (Organization Access Control).

Original language	English
Title of host publication	Data Privacy Management and Autonomous Spontaneous Security - 6th International Workshop, DPM 2011, and 4th International Workshop, SETOP 2011, Revised Selected Papers
Publisher	Springer Verlag
Pages	155-172
Number of pages	18
ISBN (Print)	9783642288784
DOIs	https://doi.org/10.1007/978-3-642-28879-1_11
Publication status	Published - 1 Jan 2012
Event	6th International Workshop on Data Privacy Management, DPM 2011 and 4th SETOP International Workshop on Autonomous and Spontaneous Security, SETOP 2011 - Leuven, Belgium Duration: 15 Sept 2011 → 16 Sept 2011

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7122 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	6th International Workshop on Data Privacy Management, DPM 2011 and 4th SETOP International Workshop on Autonomous and Spontaneous Security, SETOP 2011
Country/Territory	Belgium
City	Leuven
Period	15/09/11 → 16/09/11

Keywords

KAOS
OrBAC
Requirement engineering
Security policy

Access to Document

10.1007/978-3-642-28879-1_11

Cite this

Graa, M., Cuppens-Boulahia, N., Autrel, F., Azkia, H., Cuppens, F., Coatrieux, G., Cavalli, A., & Mammar, A. (2012). Using requirements engineering in an automatic security policy derivation process. In Data Privacy Management and Autonomous Spontaneous Security - 6th International Workshop, DPM 2011, and 4th International Workshop, SETOP 2011, Revised Selected Papers (pp. 155-172). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7122 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-642-28879-1_11

Graa, Mariem ; Cuppens-Boulahia, Nora ; Autrel, Fabien et al. / Using requirements engineering in an automatic security policy derivation process. Data Privacy Management and Autonomous Spontaneous Security - 6th International Workshop, DPM 2011, and 4th International Workshop, SETOP 2011, Revised Selected Papers. Springer Verlag, 2012. pp. 155-172 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{386d48ddd7c94fd7a179fbd470c9515b,

title = "Using requirements engineering in an automatic security policy derivation process",

abstract = "Traditionally, a security policy is defined from an informal set of requirements, generally written using natural language. It is then difficult to appreciate the compatibility degree of the manually generated security policy with the informal requirements definition. The idea of this paper is to automate the process of deriving the formal security policy, using a more structured specification of the security objectives issued by the administrator of the information system to be secured. We chose the goal-oriented methodology KAOS to express the functional objectives, then based on the results of a risk analysis, we integrate the security objectives to the obtained KAOS framework. Finally, through a process of transformation applied to this structured security objectives specification, we automatically generate the corresponding security policy. This policy is consistent with the access control model OrBAC (Organization Access Control).",

keywords = "KAOS, OrBAC, Requirement engineering, Security policy",

author = "Mariem Graa and Nora Cuppens-Boulahia and Fabien Autrel and Hanieh Azkia and Fr{\'e}d{\'e}ric Cuppens and Gouenou Coatrieux and Ana Cavalli and Amel Mammar",

year = "2012",

month = jan,

day = "1",

doi = "10.1007/978-3-642-28879-1\_11",

language = "English",

isbn = "9783642288784",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "155--172",

booktitle = "Data Privacy Management and Autonomous Spontaneous Security - 6th International Workshop, DPM 2011, and 4th International Workshop, SETOP 2011, Revised Selected Papers",

note = "6th International Workshop on Data Privacy Management, DPM 2011 and 4th SETOP International Workshop on Autonomous and Spontaneous Security, SETOP 2011 ; Conference date: 15-09-2011 Through 16-09-2011",

}

Graa, M, Cuppens-Boulahia, N, Autrel, F, Azkia, H, Cuppens, F, Coatrieux, G, Cavalli, A & Mammar, A 2012, Using requirements engineering in an automatic security policy derivation process. in Data Privacy Management and Autonomous Spontaneous Security - 6th International Workshop, DPM 2011, and 4th International Workshop, SETOP 2011, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7122 LNCS, Springer Verlag, pp. 155-172, 6th International Workshop on Data Privacy Management, DPM 2011 and 4th SETOP International Workshop on Autonomous and Spontaneous Security, SETOP 2011, Leuven, Belgium, 15/09/11. https://doi.org/10.1007/978-3-642-28879-1_11

Using requirements engineering in an automatic security policy derivation process. / Graa, Mariem; Cuppens-Boulahia, Nora; Autrel, Fabien et al.
Data Privacy Management and Autonomous Spontaneous Security - 6th International Workshop, DPM 2011, and 4th International Workshop, SETOP 2011, Revised Selected Papers. Springer Verlag, 2012. p. 155-172 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7122 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Using requirements engineering in an automatic security policy derivation process

AU - Graa, Mariem

AU - Cuppens-Boulahia, Nora

AU - Autrel, Fabien

AU - Azkia, Hanieh

AU - Cuppens, Frédéric

AU - Coatrieux, Gouenou

AU - Cavalli, Ana

AU - Mammar, Amel

PY - 2012/1/1

Y1 - 2012/1/1

N2 - Traditionally, a security policy is defined from an informal set of requirements, generally written using natural language. It is then difficult to appreciate the compatibility degree of the manually generated security policy with the informal requirements definition. The idea of this paper is to automate the process of deriving the formal security policy, using a more structured specification of the security objectives issued by the administrator of the information system to be secured. We chose the goal-oriented methodology KAOS to express the functional objectives, then based on the results of a risk analysis, we integrate the security objectives to the obtained KAOS framework. Finally, through a process of transformation applied to this structured security objectives specification, we automatically generate the corresponding security policy. This policy is consistent with the access control model OrBAC (Organization Access Control).

AB - Traditionally, a security policy is defined from an informal set of requirements, generally written using natural language. It is then difficult to appreciate the compatibility degree of the manually generated security policy with the informal requirements definition. The idea of this paper is to automate the process of deriving the formal security policy, using a more structured specification of the security objectives issued by the administrator of the information system to be secured. We chose the goal-oriented methodology KAOS to express the functional objectives, then based on the results of a risk analysis, we integrate the security objectives to the obtained KAOS framework. Finally, through a process of transformation applied to this structured security objectives specification, we automatically generate the corresponding security policy. This policy is consistent with the access control model OrBAC (Organization Access Control).

KW - KAOS

KW - OrBAC

KW - Requirement engineering

KW - Security policy

UR - https://www.scopus.com/pages/publications/84903853389

U2 - 10.1007/978-3-642-28879-1_11

DO - 10.1007/978-3-642-28879-1_11

M3 - Conference contribution

AN - SCOPUS:84903853389

SN - 9783642288784

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 155

EP - 172

BT - Data Privacy Management and Autonomous Spontaneous Security - 6th International Workshop, DPM 2011, and 4th International Workshop, SETOP 2011, Revised Selected Papers

PB - Springer Verlag

T2 - 6th International Workshop on Data Privacy Management, DPM 2011 and 4th SETOP International Workshop on Autonomous and Spontaneous Security, SETOP 2011

Y2 - 15 September 2011 through 16 September 2011

ER -

Graa M, Cuppens-Boulahia N, Autrel F, Azkia H, Cuppens F, Coatrieux G et al. Using requirements engineering in an automatic security policy derivation process. In Data Privacy Management and Autonomous Spontaneous Security - 6th International Workshop, DPM 2011, and 4th International Workshop, SETOP 2011, Revised Selected Papers. Springer Verlag. 2012. p. 155-172. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-28879-1_11

Using requirements engineering in an automatic security policy derivation process

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this