CIM is advantageous for our approach in that the model can be mapped to structured specifications such as OWL [4].
2.2 Ontologies: Their Use in Knowledge Modeling
An ontology is “an explicit specification of a conceptualization” [5]. Ontologies are discussed in the literature as a means to support knowledge sharing and reuse [6]. This reusability approach rests on the assumption that if a modeling scheme, i.e. an ontology, is explicitly specified and mutually agreed by the parties involved, then it is possible to share, reuse and extend knowledge. Clearly there is no “silver-bullet” ontology; in other words, it is unlikely that there will be a single, common ontology for all domains of human activity. This led to the concept of the newsgroup metaphor, or domain-specific ontology, in order to define the terminology for a group of people who share a common view on a specific domain [6]. Ontologies can be used to describe structurally heterogeneous information sources at different levels of abstraction, such as those found in security policy documents and RA outputs, helping both people and machines to communicate in a concise manner, one based not only on the syntax of security requirements but on their semantics as well.
An ontology is comprised of three major building blocks: concepts, relationships and constraints. Concepts are abstract terms, which are typically organized in taxonomies. Hierarchical concepts are linked with an “is-a” relationship. Furthermore, concepts can have properties (or attributes), which help establish relationships between non-hierarchical concepts. Attributes may have a specific type such as STRING, INTEGER, BOOLEAN, etc. Axioms are rules that are valid in the modeled domain, finally constraining the possible (i.e. meaningful) interpretations of the defined concepts. There are simple symmetric, inverse or transitive axioms, and complex rules consisting of several relations. Ontologies provide for inheritance in an object-oriented manner, with instances being concrete occurrences of abstract concepts.
Ontologies are a vital part of our framework, which is described next.
3 Proposed Security Architecture
In the following paragraphs we present a generic architecture for IS security management based on an ontology-centric approach. The main idea is to associate the security requirements (“what”) stemming from the security knowledge sources with the appropriate actions (“how”) and eventually deploy them to the IS. To accomplish these tasks, four main phases exist: a) building the SO in order to simulate the underlying IS, b) capturing the IS security requirements (“what”) from high-level policy statements into appropriate instances of the SO concepts, c) matching every security requirement with the appropriate technical security control (“how”), which effectively produces a population of (what, how) pairs for every IS device instance, and d) the actual deployment of the identified actions to the IS, which can be accomplished by piping the necessary data to a policy-based management platform, such as Ponder [7]. Figure 1 depicts the architecture under consideration, whereas a detailed description of the required steps is given in section 4.
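The following is an added example, not code from the paper or its authors. It illustrates both the ontology building blocks of section 2.2 (an is-a taxonomy, typed and inherited attributes, instances, a relation with a transitivity axiom) and phases a) to d) of the architecture above, in plain Python rather than OWL. Every concept, instance name (web01, ws15, dmz, rack7, office), requirement text and control text is constructed sample data, and the lines produced in the last step are a placeholder format, not Ponder syntax.

```python
# Added example (not the paper's code): a toy security ontology (SO) in plain
# Python, then the (what, how) matching of phases a)-d). All names and texts
# below are constructed; the emitted policy lines are a placeholder, not Ponder.
from collections import defaultdict


class Ontology:
    """Concepts in an is-a taxonomy with typed, inherited attributes; instances;
    named relations; and a transitivity axiom that can be declared per relation."""

    def __init__(self):
        self.parent = {}         # concept -> parent concept (is-a); None for roots
        self.attributes = {}     # concept -> {attribute name: python type}
        self.instances = {}      # instance -> (concept, {attribute: value})
        self.relations = []      # (subject, relation, object) triples
        self.transitive = set()  # relations governed by a transitivity axiom

    def add_concept(self, name, parent=None, attributes=None):
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent concept {parent}")
        self.parent[name] = parent
        self.attributes[name] = dict(attributes or {})

    def is_a(self, concept, ancestor):
        """Walk the taxonomy upwards (object-oriented inheritance)."""
        while concept is not None:
            if concept == ancestor:
                return True
            concept = self.parent[concept]
        return False

    def schema(self, concept):
        """Attributes of a concept, including those inherited from its ancestors."""
        chain = []
        while concept is not None:
            chain.append(concept)
            concept = self.parent[concept]
        merged = {}
        for c in reversed(chain):
            merged.update(self.attributes[c])
        return merged

    def add_instance(self, name, concept, **values):
        schema = self.schema(concept)
        for attr, value in values.items():
            if attr not in schema:
                raise ValueError(f"{concept} has no attribute {attr}")
            if not isinstance(value, schema[attr]):  # STRING/INTEGER/BOOLEAN typing
                raise TypeError(f"{attr} must be {schema[attr].__name__}")
        self.instances[name] = (concept, dict(values))

    def relate(self, subject, relation, obj):
        self.relations.append((subject, relation, obj))

    def related(self, subject, relation):
        """Objects reachable via relation; transitive closure if the axiom is declared."""
        found, frontier = set(), [subject]
        while frontier:
            s = frontier.pop()
            for a, r, o in self.relations:
                if a == s and r == relation and o not in found:
                    found.add(o)
                    if relation in self.transitive:
                        frontier.append(o)
        return found


def build_so():
    """Phases a)-c): simulate the IS, capture requirements, register controls."""
    so = Ontology()
    so.add_concept("Asset")
    so.add_concept("Zone", "Asset")
    so.add_concept("Device", "Asset", {"hostname": str, "internet_facing": bool})
    so.add_concept("Server", "Device", {"service_port": int})
    so.add_concept("Workstation", "Device")
    so.add_concept("Requirement", attributes={"statement": str, "target": str})
    so.add_concept("Control", attributes={"action": str})
    so.transitive.add("located_in")  # axiom: located_in is transitive
    for zone in ("dmz", "rack7", "office"):
        so.add_instance(zone, "Zone")
    so.add_instance("web01", "Server", hostname="web01", internet_facing=True, service_port=443)
    so.add_instance("ws15", "Workstation", hostname="ws15", internet_facing=False)
    so.relate("rack7", "located_in", "dmz")
    so.relate("web01", "located_in", "rack7")
    so.relate("ws15", "located_in", "office")
    # b) the "what": policy statements as Requirement instances whose target is
    # either a concept name (taxonomy match) or a Zone instance (location match)
    so.add_instance("R1", "Requirement", statement="administrative access must be encrypted", target="Server")
    so.add_instance("R2", "Requirement", statement="DMZ hosts must run a host firewall", target="dmz")
    so.add_instance("R3", "Requirement", statement="every device must run endpoint protection", target="Device")
    # c) the "how": Control instances tied to requirements by a 'satisfies' relation
    for ctl, action, req in (("C1", "enable SSH, disable telnet", "R1"),
                             ("C2", "apply host firewall policy", "R2"),
                             ("C3", "install endpoint protection agent", "R3")):
        so.add_instance(ctl, "Control", action=action)
        so.relate(ctl, "satisfies", req)
    return so


def applies(so, device, requirement):
    target = so.instances[requirement][1]["target"]
    if target in so.parent:  # target names a concept: use the is-a taxonomy
        return so.is_a(so.instances[device][0], target)
    return target in so.related(device, "located_in")  # target names a zone


def match(so):
    """Phase c): one list of (what, how) pairs per Device instance."""
    pairs = defaultdict(list)
    for dev, (concept, _) in so.instances.items():
        if not so.is_a(concept, "Device"):
            continue
        for req, (rc, attrs) in so.instances.items():
            if rc == "Requirement" and applies(so, dev, req):
                for ctl, r, o in so.relations:  # inverse lookup of 'satisfies'
                    if r == "satisfies" and o == req:
                        pairs[dev].append((attrs["statement"], so.instances[ctl][1]["action"]))
    return dict(pairs)


def policy_lines(pairs):
    """Phase d): placeholder lines to pipe to a policy platform (not Ponder syntax)."""
    return [f"{dev}: {what} -> {how}" for dev, plist in pairs.items() for what, how in plist]


if __name__ == "__main__":
    print("\n".join(policy_lines(match(build_so()))))
```

Running the module lists four (what, how) pairs: web01 receives all three requirements (R1 through the Server is-a Device taxonomy, R2 because the transitive located_in axiom places it in the dmz via rack7, R3 as a Device), while ws15 receives only R3. The typed-attribute check in add_instance is what stops an ill-typed requirement or device instance from entering the SO in the first place.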
Our approach is modular, so that enhancements to any given component(s) can be applied with minimal overhead to the architecture. The proposed security architecture is based on the combination of several methods, techniques