一种安全需求分析中的用例漏洞检测方法被引量：1

Method to detect leaks of use case in security requirement analysis

下载PDF

导出

摘要提出一种基于攻击模式的用例漏洞检测方法,用于对需求分析人员设计的用例图进行漏洞检测。该方法以形式化用例作为基础,把误用例作为安全攸关信息的载体、设置为用例的特殊属性。通过与用户的交互完成误用例相关属性的信息采集,并进一步运用这些信息计算出用例的误用例指数。将此指数与预定义的攻击模式相关指数进行对比,以此来判断该用例是否与某个特定误用例、某些特定攻击模式相关。从而检测到用例图中的用例漏洞,并在此基础上提出可行建议。 A method based on attack patterns is proposed to help software designers to detect the leaks of use cases in the original designed use case diagram.Then some feasible mitigations can be expected.The method,based on the formulation of use cases,takes misuse cases as the special attributes of use case which are concerned to security.The information involved potential misuse case is supposed to be got from the interaction with customer.On this basis,the misuse-point can be calculated.The comparison between the misuse-point of target use case and the ones of defined attack patterns can justify whether the target use case is related to certain misuse cases or attack patterns.Thus the possible leaks of use cases will be exposed.Further,the feasible mitigations turn to be available.

作者李晓红王翔宇冯志勇

机构地区天津大学计算机科学与技术学院

出处《计算机工程与应用》 CSCD 北大核心 2010年第5期51-54,65,共5页 Computer Engineering and Applications

基金国家自然科学基金No.90718023 国家高技术研究发展计划(863)No.2007AA01Z130~~

关键词安全需求分析误用例攻击模式 security requirement analysis misuse case attack pattern

分类号 TP311.5 [自动化与计算机技术—计算机软件与理论]

引文网络
相关文献

参考文献5

1Wing J M.A specifier's introduction to formal methods[J].IEEE JNL,1990,23(9):10-22.
2Salas P A P,Krishnan P,Ross K J.Model-based security vulnerability testing[C] //Proeeedings of the 2007 Australian Software Englneering Conference,Australia.Washington DC,USA:IEEE Computer Society,ASWEC,2007:284-296.
3Hallberg N,Hallberg J.The Usage-centric Security Requirements engineering(USeR)method[C] //Information Assurance Workshop,2006:34-41.
4Pauli J J,Xu Dian-xiang.Misuse case-based design and analysis of secure software architecture[C] //Intemational Conference on Information Technology Ceding and Computing(ITCC'05),Las Vegas.Washington DC,USA:IEEE Computer Society,2005,2:398-403.
5Sindre G,Opdahl A L.Templates for misuse case description[C] //Proc 7th International Workshop on Requirements Engineering:Foundation of Software Quality(REFSQ'2001),2001.

同被引文献12

1Gunther Gediga, Kai Christoph Hamhorg, Ivo Duntsch. Evaluation of software system [J]. Encyclopedia of Computer Science, 2001, (2010-8-30), http: //wenku. baidu, com/view/51f9ba03a6c30c2259019eed, html.
2Michael Pagels. DAML: The DARPA agent marku language [Z/OL]. BBN Rosslyn Office, (2011-09-09), http: //www. daml. org/2006-01-13.
3李晓红,冯志勇,王祥宇.基于安全缺陷的软件可信性评价方法[C]//2010CCF中国计算机大会论文集.杭州,中国:中国计算机学会,2010.
4ISO/IEC 15408. Information technology-security techniques-evaluation criteria for IT security [R]. (2010-05-07), http.- //www. iso. org/iso/catalogue_detail. htm?csnumber = 40612. 2010.
5LI Xiaohong, MENG Guozhu, FENG Zhiyong, LI Xu, PAN Dong. A framework based security-knowledge database for vulnerabilities detection of business logic [C]// Proceedings of the 2010 International Conference on Optics, Photonics and Energy Engineering (OPEE). Wuhan, China: Institute of Electrical and Electronics Engineers, Inc., 2010: 292 - 297.
6XING Jinliang, LI Xiaohong, CAO Yan, FENG Zhiyong, LIU Ran. Information Flow Analysis of Web Service Net [C]// Proceedings of the 10th IEEE International Conference on Computer and Information Technology (CIT2010). Bradford, West Yorkshire, UK: IEEE Computer Socity, 2010- 1622-1626.
7LI Xiaohong, CAO Yan, FENG Zhiyong, LIU Ran. Web service security analysis model based on program slicing [C]// Proceedings of the 10th International Conference on Quality Software, (QSBS10). Zhangjiajie, China: Conference Publishing Service, 2010: 4 - 22 - 428. (EI20104313329114).
8LI Xiaohong, HU Chang, FENG Zhiyong. An approach to obtain software security vulnerabilities based on vertical search [C]// 2011 3rd International Conference on Mechanical and Electronics Engineering, vol. 4. Hong Kong, China:Science Technology Press, 2011: 310-313.
9LI Xiaohong, LIU Fengxu, FENG Zhiyong, XING Jinliang. A knowledge based threat analysis in trustworthy software engineering [C]// 2011 3rd International Conference on Mechanical and Electronics Engineering g, vol. 4. Hong Kong, China: Science & Technology Press, 2011: 314-317.
10何可,李晓红,冯志勇.活动图模型驱动的Web应用程序测试方法[J].计算机应用,2010,30(9):2365-2369. 被引量：6

引证文献1

1李晓红,王翔宇,张涛,易锦,冯志勇.基于缺陷分析与测试评审的软件可信性评价方法[J].清华大学学报（自然科学版）,2011,51(10):1287-1293. 被引量：5

二级引证文献5

1刘贵堂,周正,周鲁苹.软件行为的一种静态可信度量模型[J].海军航空工程学院学报,2012,27(4):459-463. 被引量：2
2王英.基于故障树的雷达软件安全性检验研究[J].无线互联科技,2013,10(3):127-127.
3陶红伟,赵杰.改进的基于属性的软件可信性度量模型[J].武汉大学学报（理学版）,2017,63(2):151-157. 被引量：2
4孙晶,刘丽丽.开源软件可信性评价方法[J].计算机工程与设计,2017,38(12):3272-3278. 被引量：1
5农嘉,罗峻文.基于数据驱动的软件可靠性预测模型[J].内蒙古师范大学学报（自然科学汉文版）,2018,47(1):49-54. 被引量：4

1王慧霞.工业以太网在工业自动化系统中的运用及其发展趋势[J].杂文月刊（下半月）,2016(3):183-183.
2姚远.信息安全技术及其应用[J].信息技术与信息化,2014(8):157-158.
3陈吟月.SQL Server2000安装安全性探究[J].现代情报,2005,25(5):122-123. 被引量：1
4王昌.一个简单WEB使用模式算法的电子商务应用[J].计算机系统应用,2007,16(2):39-42. 被引量：1
5谢永成,董今朝,李光升,魏宁.基于模式相关的改进BP神经网络算法[J].计算机系统应用,2013,22(12):100-103. 被引量：1
6唐林,孙睿.国际智能电网互操作性标准化的进展[J].科技创新导报,2010,7(28):113-113. 被引量：3
7李畅.空间数据管理与3S技术[J].高等函授学报（自然科学版）,2005,18(5):48-51.
8杨海峰.ICT也需构建精神家园[J].通信世界,2009(18).
9殷锋社,汤小明.实时系统最坏执行时间分析及测试[J].电子测试,2013,24(5X):95-96. 被引量：2
10张瑞杰.手机打车软件的国内外比较与借鉴[J].经济视野,2014,0(11):459-459.

计算机工程与应用

2010年第5期

浏览历史

内容加载中请稍等...

一种安全需求分析中的用例漏洞检测方法被引量：1

参考文献5

同被引文献12

引证文献1

二级引证文献5

相关作者

相关机构

相关主题

浏览历史

一种安全需求分析中的用例漏洞检测方法 被引量：1

参考文献5

同被引文献12

引证文献1

二级引证文献5

相关作者

相关机构

相关主题

浏览历史

一种安全需求分析中的用例漏洞检测方法被引量：1