A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns


Ontology type: schema:Chapter     


Chapter Info

DATE

2019

AUTHORS

Imano Williams , Xiaohong Yuan

ABSTRACT

Nowadays, developers should incorporate software security best practices from the early stages of the software development lifecycle to build more robust software against software security attacks. However, incorporating security practices at the early stages of the SDLC is difficult for novice software developers who do not have a systematic approach to address security issues. In this paper, we proposed a preliminary method to derive abuse cases, one of the software security best practices, based on use case descriptions and attack patterns, and then evaluated the method in a user study. We investigated the effectiveness of the proposed method in helping novices develop abuse cases and gained insights into how a novice in software security would select keywords from use case descriptions and select relevant attack patterns for developing abuse cases. Our main findings were (1) the approaches participants used to select the keywords and the attack patterns as they related to the use cases; (2) the approach used to select relevant attack patterns; (3) the relationship between the keywords and the attack patterns; and (4) use case based on the textual content showed the method can be effective in assisting non-experts to create abuse cases. Finally, we suggest possible approaches to select keywords more effectively and the implication of using an inference engine to build relationships between use cases and attack patterns.

PAGES

239-249

References to SciGraph publications

  • 2014. Security Requirements Analysis Using Knowledge in CAPEC in ADVANCED INFORMATION SYSTEMS ENGINEERING WORKSHOPS

Book

    TITLE

    Information Science and Applications 2018

    ISBN

    978-981-13-1055-3
    978-981-13-1056-0

    From Grant

    Identifiers

    URI

    http://scigraph.springernature.com/pub.10.1007/978-981-13-1056-0_25

    DOI

    http://dx.doi.org/10.1007/978-981-13-1056-0_25

    DIMENSIONS

    https://app.dimensions.ai/details/publication/pub.1105777818



    JSON-LD is the canonical representation for SciGraph data.


    [
      {
        "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
        "about": [
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0803", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Computer Software", 
            "type": "DefinedTerm"
          }, 
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Information and Computing Sciences", 
            "type": "DefinedTerm"
          }
        ], 
        "author": [
          {
            "affiliation": {
              "alternateName": "North Carolina Agricultural and Technical State University", 
              "id": "https://www.grid.ac/institutes/grid.261037.1", 
              "name": [
                "North Carolina A&T State University"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Williams", 
            "givenName": "Imano", 
            "id": "sg:person.012154636715.58", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012154636715.58"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "North Carolina Agricultural and Technical State University", 
              "id": "https://www.grid.ac/institutes/grid.261037.1", 
              "name": [
                "North Carolina A&T State University"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Yuan", 
            "givenName": "Xiaohong", 
            "id": "sg:person.01315475140.47", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.01315475140.47"
            ], 
            "type": "Person"
          }
        ], 
        "citation": [
          {
            "id": "https://doi.org/10.1145/2602087.2602092", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1014100420"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-319-07869-4_32", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1016786056", 
              "https://doi.org/10.1007/978-3-319-07869-4_32"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/msp.2004.17", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1061422208"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.17706/jsw.10.4.491-498", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1068442196"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/csac.1999.816013", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1093446172"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/icre.2002.1048506", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1093989195"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/itng.2008.15", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1094823965"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/tools.2000.891363", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1094983644"
            ], 
            "type": "CreativeWork"
          }
        ], 
        "datePublished": "2019", 
        "datePublishedReg": "2019-01-01", 
        "description": "Nowadays, developers should incorporate software security best practices from the early stages of the software development lifecycle to build more robust software against software security attacks. However, incorporating security practices at the early stages of the SDLC is difficult for novice software developers that do not have a systematic approach to address security issues. In this paper, we proposed a preliminary method to derive abuse cases, one of software security best practices, based on use case description and attack patterns and then evaluate the method in a user study. We investigated the effectiveness of the proposed method to help novices develop abuse cases and gained insights on how a novice of software security would select keywords from use case descriptions, and select relevant attack patterns for developing abuse cases. Our main findings were (1) the approaches participants used to select the keywords and the attack patterns as they related to the use cases; (2) the approach used to select relevant attack patterns; (3) the relationship between the keywords and the attack patterns; and (4) use case based on the textual content showed the method can be effective in assisting non-experts to create abuse cases. Finally, we suggest possible approaches to select keywords more effectively and the implication of using an inference engine to build relationships between use cases and attack patterns.", 
        "editor": [
          {
            "familyName": "Kim", 
            "givenName": "Kuinam J.", 
            "type": "Person"
          }, 
          {
            "familyName": "Baek", 
            "givenName": "Nakhoon", 
            "type": "Person"
          }
        ], 
        "genre": "chapter", 
        "id": "sg:pub.10.1007/978-981-13-1056-0_25", 
        "inLanguage": [
          "en"
        ], 
        "isAccessibleForFree": false, 
        "isFundedItemOf": [
          {
            "id": "sg:grant.3488012", 
            "type": "MonetaryGrant"
          }
        ], 
        "isPartOf": {
          "isbn": [
            "978-981-13-1055-3", 
            "978-981-13-1056-0"
          ], 
          "name": "Information Science and Applications 2018", 
          "type": "Book"
        }, 
        "name": "A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns", 
        "pagination": "239-249", 
        "productId": [
          {
            "name": "doi", 
            "type": "PropertyValue", 
            "value": [
              "10.1007/978-981-13-1056-0_25"
            ]
          }, 
          {
            "name": "readcube_id", 
            "type": "PropertyValue", 
            "value": [
              "bffeb0ff537ebfd72cfd90e2a47e61dc8efaecad88facb0fa5dfc8c2439e98b0"
            ]
          }, 
          {
            "name": "dimensions_id", 
            "type": "PropertyValue", 
            "value": [
              "pub.1105777818"
            ]
          }
        ], 
        "publisher": {
          "location": "Singapore", 
          "name": "Springer Singapore", 
          "type": "Organisation"
        }, 
        "sameAs": [
          "https://doi.org/10.1007/978-981-13-1056-0_25", 
          "https://app.dimensions.ai/details/publication/pub.1105777818"
        ], 
        "sdDataset": "chapters", 
        "sdDatePublished": "2019-04-15T14:45", 
        "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
        "sdPublisher": {
          "name": "Springer Nature - SN SciGraph project", 
          "type": "Organization"
        }, 
        "sdSource": "s3://com-uberresearch-data-dimensions-target-20181106-alternative/cleanup/v134/2549eaecd7973599484d7c17b260dba0a4ecb94b/merge/v9/a6c9fde33151104705d4d7ff012ea9563521a3ce/jats-lookup/v90/0000000001_0000000264/records_8669_00000441.jsonl", 
        "type": "Chapter", 
        "url": "http://link.springer.com/10.1007/978-981-13-1056-0_25"
      }
    ]
     


    HOW TO GET THIS DATA PROGRAMMATICALLY:

    JSON-LD is a popular format for linked data which is fully compatible with JSON.

    curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-981-13-1056-0_25'

    N-Triples is a line-based linked data format ideal for batch operations.

    curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-981-13-1056-0_25'

    Turtle is a human-readable linked data format.

    curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-981-13-1056-0_25'

    RDF/XML is a standard XML format for linked data.

    curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-981-13-1056-0_25'


     

    This table displays all metadata directly associated to this object as RDF triples.

    104 TRIPLES      23 PREDICATES      35 URIs      20 LITERALS      8 BLANK NODES
