
Research On Ontology Model And Its Application In Information Security Evaluation

Posted on: 2016-05-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J B Gao
Full Text: PDF
GTID: 1108330503493724
Subject: Communication and Information System
Abstract/Summary:
Along with the development of the information security discipline, how to model and analyze the knowledge of information security, and thus lay a more rigorous foundation for information security assessment, has gradually become a problem that urgently needs solving. The ontology model and its related technology provide a possible solution to this problem. Ontology is introduced into information security assessment mainly for the following three reasons: (1) the structure of the ontology and the semantic relations between the concepts described in it can be used to strengthen the results of information retrieval; (2) a formal description of concepts and their relations lets a computer "read" the information and reason over it, so it is the basis of information gathering, integration and organization; (3) ontology supports knowledge visualization, which benefits the understanding and study of huge amounts of information resources. To sum up, ontology has the ability to represent, store, retrieve and infer knowledge, and can be applied to fields where large amounts of information and implicit logical reasoning are needed. For example, ontology has been used to represent, retrieve and infer information about users and their relations in social networks.

In fact, ontology has been applied to various research areas, such as medical science, genetic engineering, information searching, information security, library information science and agriculture. This paper introduces ontology knowledge, including methods for building ontologies, ontology inference, ontology languages and knowledge representation paradigms, and builds a network and computer attack ontology model for software security evaluation. The attack ontology helps learners and practitioners understand the knowledge of the information security field in depth, and it provides the data resources needed for evaluating software security and matching security policies. On this basis, the article focuses on the application of ontology in information security evaluation. In detail, ontologies are used to handle the information resources required for software security assessment through ontology storage and query; to evaluate the semantic matching between security policies and security controls through ontology representation and inference; and to tackle a key problem of information content security assessment, the measurement of semantic similarity between concepts, by using the structure of the ontology. The detailed research findings and related methods of this paper are as follows.

1. In information security assessment, the evaluation of a single piece of software is an important component of evaluating the whole information system, and the study of methods for security assessment is of great importance. An attack ontology model, TIV2D (Target, Influence, Vector, Vulnerability and Defense), is built and used to evaluate software security in this article. The model includes five dimensions: attack impact, attack vector, attack target, vulnerability and defense. Among them, the attack impact is the loss of a security property (confidentiality, integrity, availability, etc.) once the attack succeeds; the attack vector depicts how an attack reaches its target; the attack target is the object of an attack; vulnerability refers to weaknesses in the target that might be exploited to cause loss or harm; and defense is the measure or method for preventing or reducing attack impact. Furthermore, based on the attack ontology, an assessment model for analyzing software security from the angle of attack effect with the analytic hierarchy process (AHP) is presented. The data of the index layer (bottom level) and the security property layer (middle level) come from the model. The security of a system is assessed by measuring the attack effect on the system, where the attack effect is the change in the system's performance before and after the attack. If the change is large, the effect caused by the attack is obvious and the software is in danger; otherwise, the attack does not cause much effect on the target and the software is safe.

2. Three indexes for assessing software security with ontology and CVSS (Common Vulnerability Scoring System) are presented to complement the shortcomings of traditional qualitative methods, and thousands of vulnerabilities discovered in common software, such as Windows 7, Mac OS and the IE browser, covering the period from 2006 to the start of 2014, are systematically analyzed. Ontology benefits the storage, query and inference of the data: all information about the vulnerabilities is classified and stored in the attack ontology of chapter 2, which is the basis for calculating the three indexes; moreover, the relationships among vulnerabilities, software, patches, attacks and security properties can easily be found, for example which kind of attack could be launched by exploiting which kinds of vulnerabilities (for which official patches are not available in time) in the software, destroying the security properties of the software system. All this information is useful for the assessment. Software security is not only studied from the attack effect angle but also quantitatively analyzed through the vulnerability discovery process. The method is designed to reflect the idea that the more vulnerabilities are discovered, or the higher the cumulative CVSS base score is, the easier the software is to attack and the larger the influence caused by the attack. The three indexes reflect the threat posed by vulnerabilities in the software. Note that vulnerability analysis must consider the time factor; the proposed method includes two important factors, software market share and official patches, which are both closely related to time.

3. During information system security assessment, the matching degree between the current security configuration and the security policy is used to judge whether the operation and maintenance of the information system is safe. Through formal modeling and analysis, the matching between security policy and security control is implemented, which is valuable for improving the efficiency, rigour and automation of security assessment. The CCD algorithm for calculating concept difference and an ontology-based semantic matching method for information security policy matchmaking are designed, and "Directional Distance" is defined and used to semantically match security policy and security control. Traditional ontology-based semantic matching methods have only two matching results, matching and mismatching; for practical use these results need to be subclassified to satisfy human requirements for semantic matching. To improve the semantic matching results measured by ontology-based methods, a new method based on concept abduction theory and ontology inference is presented. The method is based on a common intuition: how many modifications (hypotheses) have to be made to the controls in order to perfectly match the policies, the fewer the better. Furthermore, the CCD algorithm for calculating concept difference is presented (security controls and security policies are defined as concepts in the ontology). The semantic distance between security control and security policy is measured in two directions for better matching results.

4. How to identify illegal and unhealthy information (e.g. sex, violence and reactionary remarks) through content security assessment is a very important and challenging problem. The NTL (Nonlinear Transformation of the Shortest Path Length) method for measuring semantic similarity between concepts is proposed. Semantic similarity between concepts investigates the similarity or relatedness of concept pairs; it is the basis of calculating sentence similarity and paragraph similarity. In information content security analysis, the similarity between paragraphs always needs to be compared to find special characteristics of the content, and the security of the content is then determined according to these characteristics. Measurement of concept similarity has been widely studied, and researchers have proposed different approaches from different angles; in summary, there are the following categories: edge-counting based methods, feature-based methods, information content based methods, distributional methods and hybrid methods. A hybrid method for calculating semantic similarity is designed combining edge counting and information content theory, and a SNTL (Simplified NTL) method is proposed based on the hybrid method. The method not only simplifies the computation but also improves the precision of the results. The structure of the ontology is used to calculate the essential information resources for semantic similarity calculation, such as the depth of a concept, the shortest path length between a concept pair and the information content of a concept.
Keywords/Search Tags: Ontology, Ontology application, Security assessment, Vulnerability discovery, Attack effect evaluation, Semantic matching, Semantic similarity