Advanced Search
Volume 50 Issue 10
Oct.  2024
Turn off MathJax
Article Contents
Journal of Beijing University of Aeronautics and Astronautics  > 2024  >  50(10): 3084-3099.
HU X,CHEN J M,LI H F. Software security vulnerability patterns based on ontology[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(10):3084-3099 (in Chinese) doi: 10.13700/j.bh.1001-5965.2022.0783
Citation: HU X,CHEN J M,LI H F. Software security vulnerability patterns based on ontology[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(10):3084-3099 (in Chinese) doi: 10.13700/j.bh.1001-5965.2022.0783
shu

Software security vulnerability patterns based on ontology

doi: 10.13700/j.bh.1001-5965.2022.0783
  • 1.

    Information Security Center,The Fifth Research Institute of Electronics,Ministry of Industry and Information Technology,Guangzhou 511370,China

  • 2.

    The Ministry of Industry and Information Technology Key Laboratory of Performance and Reliability Testing and Evaluation for Basic Software and Hardware,Guangzhou 511370,China

  • 3.

    School of Reliability and Systems Engineering,Beihang University,Beijing 100191,China

Funds:  National Key Research and Development Program of China (2021YFB2012205)
More Information
  • Corresponding author: E-mail:47507346@qq.com
  • Received Date: 15 Sep 2022
  • Accepted Date: 02 Dec 2022
    • Available Online: 16 Dec 2022
  • Publish Date: 14 Dec 2022
    Abstract

  • This paper studies the lifetime of software security vulnerabilities under the DevSecOps framework aiming at the conceptual confusion problem of research on software errors and software security vulnerabilities. This work provides a definition of software security vulnerability pattern together with vulnerability characteristics, and uses ontology to represent it. It is based on four scenarios of introducing vulnerabilities in the life cycle of software security vulnerabilities. An ontology is an explicit specification of a conceptualization, which can solve the problems of ambiguity, inconsistency, difficulty in sharing, and excessive dependence on personnel knowledge and experience caused by the dispersion of analysis knowledge in the field of software security vulnerability research. A three-layer model for vulnerability analysis is built, comprising the event representation layer, behavior action layer, and vulnerability technology layer, based on the study of software security vulnerability patterns and accounting for the macro event performance. The example application implements penetration testing according to the hierarchical structure of the bulit model, including security risk analysis, threat modeling, vulnerability analysis, and penetration attacks. The experimental results show that the improved penetration testing method based on the software security vulnerability pattern ontology library proposed in this paper is scientific and effective.

     

    • FullText(HTML)
  • loading
    • References(28)
  • [1]
    DENNING D E R. Cryptography and data security[M]. Boston: Addison-Wesley, 1982: 191-265.
    [2]
    LONGLEY D, SHAIN M, CAELLI W. Information security: Dictionary of concepts, standards and terms[M]. New York: Macmillan, 1992: 9-23.
    [3]
    BISHOP M, BAILEY D. A critical analysis of vulnerability taxonomies: CSE-96-11 [R]. Davis: Department of Computer Science at the University of California at Davis, 1996: 1-15.
    [4]
    KISSEL R. Glossary of key information security terms: NIST IR 7298 Revision 2[R]. Gaithersburg: NIST, 2013: 212-213.
    [5]
    国家市场监督管理总局, 国家标准化管理委员会. 信息安全技术 术语: GB/T25069—2010 [S]. 北京: 中国标准出版社, 2011: 42-43.

    State Administration for Market Regulation, Standardization Administration of the People’s Republic of China. Information security technology-glossary : GB/T25069—2010 [S]. Beijing: Standards Press of China, 2011: 42-43(in Chinese).
    [6]
    SHIREY R. Internet security glossary, version 2: FYI, RFC 4949[R]. Virginia: Network Working Group, 2007: 333-334.
    [7]
    袁子牧, 肖扬, 吴炜, 等. 知识、探索与状态平面组织的软件漏洞分析架构研究[J]. 信息安全学报, 2019, 4(6): 10-33.

    YUAN Z M, XIAO Y, WU W, et al. Research on the software vulnerability analysis architecture with the knowledge, exploration and state plane[J]. Journal of Cyber Security, 2019, 4(6): 10-33 (in Chinese).
    [8]
    SHAHMEHRI N, MAMMAR A, DE OCA E M, et al. An advanced approach for modeling and detecting software vulnerabilities[J]. Information and Software Technology, 2012, 54(9): 997-1013. doi: 10.1016/j.infsof.2012.03.004
    [9]
    WANG J, GUO M M, CAMARGO J. An ontological approach to computer system security[J]. Information Security Journal: A Global Perspective, 2010, 19(2): 61-73. doi: 10.1080/19393550903404902
    [10]
    慕冬亮. 软件漏洞发现、识别及诊断技术的研究[D]. 南京: 南京大学, 2019: 1-2.

    MU D L. A research on vulnerability discovery, identification and diagnosis[D]. Nanjing: Nanjing University, 2019: 1-2(in Chinese) .
    [11]
    BASS L, WEBER I, ZHU L. DevOps: A software architect’s perspective[M]. New Jersey: Addison-Wesley Professional, 2015: 80-105.
    [12]
    KIM G, HUMBLE J, DEBOIS P, 等. DevOps实践指南[M]. 刘征, 王磊, 马博文, 等, 译. 北京: 人民邮电出版社, 2018: 4-22.

    KIM G, HUMBLE J, DEBOIS P, et al. The DevOps handbook[M]. Translated by PLIU Z, WANG L, MA B W, et al, Beijing: osts&telecom Press, 2018: 4-22(in Chinese).
    [13]
    MACDONALD N, HEAD I. DevSecOps: How to seamlessly integrate security into DevOps[EB/OL]. (2016-09-30)[2022-06-27]. https://www.gartner.com/en/documents/3463417/devsecops-how-to-seamlessly-integrate-security-into-devo.
    [14]
    徐仁佐. 基于软件知识的测试方法[J]. 武汉大学学报(自然科学版), 2000, 46(1): 61-62.

    XU R Z. The testing method based on software knowledge[J]. Wuhan University Journal (Natural Science Edition), 2000, 46(1): 61-62 (in Chinese).
    [15]
    ALEXANDER C. The timeless way of building[M]. New York: Oxford University Press, 1979: 246-248.
    [16]
    国家市场监督管理总局, 国家标准化管理委员会. 信息安全技术 网络安全漏洞分类分级指南: GB/T 30279—2020[S]. 北京: 中国标准出版社, 2020: 1-5.

    State Administration for Market Regulation, Standardization Administration of the People’s Republic of China. Information security technology—Guidelines for categorization and classification of cybersecurity vulnerability: GB/T 30279—2020[S]. Beijing: Standards Press of China, 2020: 1-5(in Chinese).
    [17]
    张雪芹, 徐金瑜, 顾春华. 基于本体的信息安全漏洞关联分析[J]. 华东理工大学学报(自然科学版), 2014, 40(1): 125-131. doi: 10.3969/j.issn.1006-3080.2014.01.022

    ZHANG X Q, XU J Y, GU C H. Information security vulnerability association analysis based on ontology technology[J]. Journal of East China University of Science and Technology (Natural Science Edition), 2014, 40(1): 125-131 (in Chinese). doi: 10.3969/j.issn.1006-3080.2014.01.022
    [18]
    GRUBER T R. A translation approach to portable ontology specifications[J]. Knowledge Acquisition, 1993, 5(2): 199-220. doi: 10.1006/knac.1993.1008
    [19]
    GRUBER T R. Toward principles for the design of ontologies used for knowledge sharing[J]. International Journal of Human-Computer Studies, 1995, 43(5-6): 907-928. doi: 10.1006/ijhc.1995.1081
    [20]
    KUREYCHIK V M, SAFRONENKOVA I B. Ontology-based approach to design problem formalization[C]//Proceedings of the International Seminar on Electron Devices Design and Production. Piscataway: IEEE Press, 2019: 1-5.
    [21]
    李霖, 王红. 基于形式化本体的基础地理信息分类[J]. 武汉大学学报(信息科学版), 2006, 31(6): 523-526.

    LI L, WANG H. Classification of fundamental geographic information based on formal ontology[J]. Geomatics and Information Science of Wuhan University, 2006, 31(6): 523-526 (in Chinese).
    [22]
    HU X, LIU J. Ontology construction and evaluation of UAV FCMS software requirement elicitation considering geographic environment factors[J]. IEEE Access, 2020, 8: 106165-106182. doi: 10.1109/ACCESS.2020.2998843
    [23]
    HAMDULLA A, YILAHUN H, ABDURAHMAN K, et al. A hierarchical clustering based relation extraction method for domain ontology[C]//Proceedings of the 9th International Symposium on Parallel Architectures, Algorithms and Programming. Piscataway: IEEE Press, 2018: 36-40.
    [24]
    NICKERSON C, KENNED D, SMITH E, et al. Penetration testing execution standard[EB/OL]. (2014-08-16)[2024-06-27]. http://www.pentest-standard.org/index.php/Main_Page.
    [25]
    MORAIS S V, DE SÁ A O, RUST L F, et al. Malicious traffic description: Toward a data model for mitigating security threats to home IoT[J]. IEEE Communications Standards Magazine, 2021, 5(3): 48-55. doi: 10.1109/MCOMSTD.011.2100011
    [26]
    孙跃, 司冠林, 徐小天, 等. 电力物联网终端设备渗透测试技术研究[C]//全国智能用电工程建设经验交流会论文集. 湛江: 中国会议, 2020: 19-22.

    SUN Y, SI G L, XU X T, et al. Research on penetration testing technology of power IoT terminal equipment[C]//Proceedings of the National Intelligent Electricity Engineering Construction Experience Exchange Conference. Zhanjiang: China Conference, 2020: 19-22(in Chinese).
    [27]
    中国信息通信研究院. 物联网安全态势综述[J]. 保密科学技术, 2018(9): 12-20.

    China Academy of Information and Communications Technology. Overview of internet of things security situation[J]. Secrecy Science and Technology, 2018(9): 12-20(in Chinese).
    [28]
    王海峰, 李朝阳, 吕政权, 等. 泛在电力物联网环境下网络安全攻击研究[J]. 浙江电力, 2019, 38(12): 76-81.

    WANG H F, LI Z Y, LYU Z Q, et al. Survey on cyber attack in the context of ubiquitous power Internet of Things[J]. Zhejiang Electric Power, 2019, 38(12): 76-81 (in Chinese).
    • Relative Articles
    • Supplements(0)
    • Cited By
  • 加载中

Catalog

    通讯作者: 陈斌, bchen63@163.com
    • 1. 

      沈阳化工大学材料科学与工程学院 沈阳 110142

    1. 本站搜索
    2. 百度学术搜索
    3. 万方数据库搜索
    4. CNKI搜索

    Figures(15)  / Tables(2)

    Get Citation
    PDF
    XML

    Article Metrics

    Article views(252) PDF downloads(9) Cited by()
    Proportional views
    Related

    Copyright © Journal of Beijing University of Aeronautics and Astronautics

    Address: Editorial Department of Journal of Beijing University of Aeronautics and Astronautics, 37 Xueyuan Road, Haidian District, Beijing Post Code: 100191 Email: jbuaa@buaa.edu.cn

    Supported by: Beijing Renhe Information Technology Co., Ltd.  

    /

    DownLoad:  Full-Size Img  PowerPoint
    Return
    Return