A Resource Centric Security Requirements Elicitation And Modeling Framework

Security analysis has aroused increasing concerns in the early stages of require-ment engineering. The earlier risk identification to be conducted, the more money canbe saved during software maintenance stage. Resource is an important concepts in se-curity analysis, since most attack and defense targets are all resources. However, thestate-of-arts within security community always focus on system’s goals and behaviors,and do not pay much attention on resource models.This paper investigate on system’s security requirement based on resources’ inter-relationship. Its contributions include:(1)First, we propose a resource-centric securemodel (RCSM) which is extended from i*modeling framework. RCSM can be usedto model interrelationships between resources, as well as actor’s operate ability andpermission on specific resource.(2)Secondly, we propose a resource-centric securi-ty analysis methodology. This method focuses on the propagation of actor’s abilitiesand permissions through resource networks, as well as system’s security requirementswhich are defined according to the usage of resources. The method mainly consists offour steps: system modeling, security requirements definition, risk identification andcountermeasure generation.(3) Thirdly, we propose an attack analysis method fromthe attacker’s viewpoint. By combining agent-oriented service reasoning and attackanalysis, this method can detect the potential attack path with his own capabilities andknowledge.(4) Finally, in order to make the proposed modeling and analysis method-s are widely used, this paper presents a NLP-based semi-automatic model extractiontechniques. The essence of the model extraction technology is defining a resource-centric secure model based semantic framework, with which RCSM model can be ex-tracted in a semi-automatic way.Based on the security analysis methodology mentioned above, a graphical model-ing and reasoning tool is built to support the whole analysis processes, which includesmodel extraction, graphical modeling and model inference.