Skip to main content
SpringerLink
Log in

Quantitative Evaluation of Systems with Security Patterns Using a Fuzzy Approach

  • Conference paper
On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops (OTM 2006)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 4277))

Abstract

The importance of Software Security has been evident, since it has been shown that most attacks to software systems are based on vulnerabilities caused by software poorly designed and developed. Furthermore, it has been discovered that it is desirable to embed security already at design phase. Therefore, patterns aiming at enhancing the security of a software system, called security patterns, have been suggested. The main target of this paper is to propose a mathematical model, based on fuzzy set theory, in order to quantify the security characteristics of systems using security patterns. In order to achieve this we first determine experimentally to what extent specific security patterns enhance several security aspects of systems. To determine this, we have developed two systems, one without security patterns and one containing them and have experimentally determined the level of the higher robustness to attacks of the latter. The proposed mathematical model follows.

An erratum to this chapter can be found at http://dx.doi.org/10.1007/11915034_125.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Amoroso, E.: Fundamentals of Computer Security Technology. Prentice-Hall, Englewood Cliffs (1994)

    MATH  Google Scholar 

  2. Anley, C.: Advanced SQL Injection in SQL Server Applications, NGSSoftware whitepaper (2002)

    Google Scholar 

  3. Berry, C.A., Carnell, J., Juric, M.B., Kunnumpurath, M.M., Nashi, N., Romanosky, S.: J2EE Design Patterns Applied, Wrox Press (2002)

    Google Scholar 

  4. Blakley, B., Heath, C. and Members of the Open Group Security Forum: Security Design Patterns, Open Group Technical Guide (2004)

    Google Scholar 

  5. Braga, A., Rubira, C., Dahab, R.: Tropyc: A Pattern Language for Cryptographic Software. In: Proceedings of the 5th Conference on Pattern Languages of Programming (PLoP 1998) (1998)

    Google Scholar 

  6. Brooke, P.J., Paige, R.F.: Fault Trees for Security System Design and Analysis. Computers and Security 22(3), 256–264 (2003)

    Article  Google Scholar 

  7. Cai, K.-Y.: Introduction to Fuzzy Reliability. Kluwer Academic Publishers, Dordrecht (1996)

    MATH  Google Scholar 

  8. Cai, K.-Y.: System Failure Engineering and Fuzzy Methodology, An Introductory Overview. Fuzzy Sets and Systems 83, 113–133 (1996)

    Article  Google Scholar 

  9. Chen, S.-J., Chen, S.-M.: Fuzzy Risk Analysis Based on Similarity Measures of Generalized Fuzzy Numbers. IEEE Transactions on Fuzzy Sets and Systems 11(1) (2003)

    Google Scholar 

  10. Cgisecurity.com, Cross Site Scripting questions and answers, http://www.cgisecurity.com/articles/xss-faq.shtml

  11. Fernandez, E.: Metadata and authorization patterns (2000), http://www.cse.fau.edu/~ed/MetadataPatterns.pdf

  12. Friedl, S.: SQL Injection Attacks by Example, http://www.unixwiz.net/techtips/sql-injection.html

  13. Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns, Elements of Reusable Object-Oriented Software. Addison-Wesley, Reading (1995)

    Google Scholar 

  14. Halkidis, S.T., Chatzigeorgiou, A., Stephanides, G.: A Qualitative Evaluation of Security Patterns. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  15. Hoglund, G., McGraw, G.: Exploiting Software, How to Break Code. Addison-Wesley, Reading (2004)

    Google Scholar 

  16. Howard, M., LeBlanc, D.: Writing Secure Code. Microsoft Press (2002)

    Google Scholar 

  17. Hu, D.: Preventing Cross-Site Scripting Vulnerability, SANS Institute whitepaper (2004)

    Google Scholar 

  18. Kienzle, D., Elder, M.: Security Patterns for Web Application Development, Univ. of Virginia Technical Report (2002)

    Google Scholar 

  19. Klein, A.: Divide and Conquer. HTTP Response Splitting, Web Cache Poisoning Attacks and Related Topics, Sanctum whitepaper (2004)

    Google Scholar 

  20. Lee Brown, F., Di Vietri, J., Diaz de Villegas, G., Fernandez, E.: The Authenticator Pattern. In: Proceedings of the 6th Conference on Pattern Languages of Programming (PLoP 1999) (1999)

    Google Scholar 

  21. Livshits, B., Lam, M.S.: Proceedings of the 14th USENIX Security Symposium (2005)

    Google Scholar 

  22. Livshits, B., Lam, M.S.: Finding Security Vulnerabilities in Java Applications with Static Analysis, Stanford University Technical Report (2005)

    Google Scholar 

  23. Mahmoud, Q.: Security Policy: A Design Pattern for Mobile Java Code. In: Proceedings of the 7th Conference on Pattern Languages of Programming (PLoP 2000) (2000)

    Google Scholar 

  24. Mouratidis, H., Giorgini, P., Schumacher, M.: Security Patterns for Agent Systems. In: Proceedings of the Eighth European Conference on Pattern Languages of Programs (EuroPLoP 2003) (2003)

    Google Scholar 

  25. Pullum, L.L.: Software Fault Tolerance Techniques and Implementation. Artech House Publishers (2001)

    Google Scholar 

  26. Roman, E., Sriganesh, R.P., Brose, G.: Mastering Enterprise JavaBeans, 3rd edn. Wiley, Chichester (2005)

    Google Scholar 

  27. Romanosky, S.: Enterprise Security Patterns (2002), http://www.romanosky.net/papers/EnterpriseSecurityPatterns.pdf

  28. Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger Password Authentication Using Browser Extensions. In: Proceedings of the 14th USENIX Security Symposium (2005)

    Google Scholar 

  29. Scambray, J., Shema, M.: Hacking Exposed Web Applications. McGraw-Hill, New York (2002)

    Google Scholar 

  30. Spett, K.: Cross-Site Scripting, Are your web applications vulnerable? SPI Labs whitepaper

    Google Scholar 

  31. SPI Labs, SQL Injection, Are Your Web Applications Vulnerable? SPI Labs whitepaper

    Google Scholar 

  32. Spinnelis, D.: Code Quality: The Open Source Perspective. Addison-Wesley, Reading (2006)

    Google Scholar 

  33. Steel, C., Nagappan, R., Lai, R.: Core Security Patterns, Best Practices and Strategies for J2EE, Web Services, and Identity Management. Prentice-Hall, Englewood Cliffs (2006)

    Google Scholar 

  34. Viega, J., McGraw, G.: Building Secure Software, How to Avoid Security Problems the Right Way. Addison-Wesley, Reading (2002)

    Google Scholar 

  35. Yoder, J., Barcalow, J.: Architectural Patterns for enabling application security. In: Proceedings of the 4th Conference on Pattern Languages of Programming (PLoP 1997) (1997)

    Google Scholar 

  36. Weiss, M.: Patterns for Web Applications. In: Proceedings of the 10th Conference on Pattern Languages of Programming (PLoP 2003) (2003)

    Google Scholar 

  37. Wu, T.: A Real-World Analysis of Kerberos Password Security. In: Proceedings of the 1999 Network and Distributed System Symposium (1999)

    Google Scholar 

  38. Zimmerman, H.-J.: Fuzzy Set Theory and its Applications, 3rd edn. Kluwer Academic, Dordrecht (1996)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Applied Informatics, University of Macedonia, Egnatia 156, GR-54006, Thessaloniki, Greece

    Spyros T. Halkidis, Alexander Chatzigeorgiou & George Stephanides

Authors
  1. Spyros T. Halkidis
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Alexander Chatzigeorgiou
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. George Stephanides
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. STARLab, Vrije Universiteit Brussel (VUB), Bldg G/10, Pleinlaan 2, 1050, Brussels, Belgium

    Robert Meersman

  2. School of Computer Science and Information Technology, RMIT University, Bld 10.10, 376-392 Swanston Street, 3001, Melbourne, VIC, Australia

    Zahir Tari

  3. Facultad de Informática, Universidad Politécnica de Madrid, Campus de Montegancedo S/N, 28660, Boadilla del Monte, Madrid, Spain

    Pilar Herrero

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Halkidis, S.T., Chatzigeorgiou, A., Stephanides, G. (2006). Quantitative Evaluation of Systems with Security Patterns Using a Fuzzy Approach. In: Meersman, R., Tari, Z., Herrero, P. (eds) On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. OTM 2006. Lecture Notes in Computer Science, vol 4277. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11915034_79

Download citation

  • DOI: https://doi.org/10.1007/11915034_79

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-48269-7

  • Online ISBN: 978-3-540-48272-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation