Mal-Activity Diagrams for Capturing Attacks on Business Processes

Sindre, Guttorm

doi:10.1007/978-3-540-73031-6_27

Guttorm Sindre¹

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 4542))

Included in the following conference series:

International Working Conference on Requirements Engineering: Foundation for Software Quality

1373 Accesses
40 Citations

Abstract

Security is becoming an increasingly important issue for IT systems, yet it is often dealt with as separate from mainstream systems and software development and in many cases neglected or addressed post-hoc, yielding costly and unsatisfactory solutions. One idea to improve the focus on security might be to include such concerns into mainstream diagram notations used in information systems analysis, and one existing proposal for this is misuse cases, allowing for representation of attack use cases together with the normal legitimate use cases of a system. While this technique has shown much promise, it is not equally useful for all kinds of attack. In this paper we look into another type of technique that could complement misuse cases for early elicitation of security requirements, namely mal-activity diagrams. These allow the inclusion of hostile activities together with legitimate activities in business process models. Through some examples and a small case study, mal-activity diagrams are shown to have strengths in many aspects where misuse cases have weaknesses.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Liu, L., Yu, E., Mylopoulos, J.: Security and Privacy Requirements Analysis within a Social Setting. 11th International Requirements Engineering Conference (RE’03), Monterey Bay, CA, 8-12 September, pp. 151–160. IEEE Press, New York (2003)
Google Scholar
Sindre, G., Opdahl, A.L.: Eliciting Security Requirements with Misuse Cases. Requirements Engineering 10, 34–44 (2005)
Article Google Scholar
van Lamsweerde, A., Brohez, S., De Landtsheer, R., Janssens, D.: Froim System Goals to Intruder Anti-Goals: Attack Generation and Resolution for Security Requirements Engineering. In: Heytmeier, C., Mead, N. (eds.) 2nd International Workshop on Requirements Engineering for High Assurance Systems (RHAS’03), Carnegie Mellon University, September 8, pp. 49–56. Monterey Bay, CA (2003)
Google Scholar
Haley, C.B., Moffett, J., Laney, R., Nuseibeh, B.: Arguing Security: Validating Security Requirements Using Structured Argumentation. In: 3rd Symposium on Requirements Engineering for Information Security (SREIS 2005), Paris, France, (August 29, 2005)
Google Scholar
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002 - The Unified Modeling Language. Model Engineering, Concepts, and Tools. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
Google Scholar
Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)
Google Scholar
Sindre, G., Opdahl, A.L.: Eliciting Security Requirements by Misuse Cases. In: Henderson-Sellers, B., Meyer, B. (eds.) TOOLS Pacific 2000, Sydney, pp. 120–131. IEEE CS Press, Los Alamitos (2000)
Google Scholar
Jackson, M.: Problem Frames. Addison-Wesley, London (2001)
Google Scholar
Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. Wiley Publishing, Inc, Indianapolis (2002)
Google Scholar
Lin, L., Nuseibeh, B., Ince, D., Jackson, M.: Using Abuse Frames to Bound the Scope of Security Problems. In: Maiden, N.A.M. (ed.) 12th IEEE International Requirements Engineering Conference (RE’04), Kyoto, Japan, IEEE (2004)
Google Scholar
Diallo, M.H., Romero-Mariona, J., Sim, S.E., Richardson, D.J.: A Comparative Evaluation of Three Approaches to Specifying Security Requirements. REFSQ’06, Luxembourg (2006)
Google Scholar
Rodriguez, A., Fernandez-Medina, E., Piattini, M.: Capturing Security Requirements in Business Processes through a UML 2. In: Roddick, J.F., Benjamins, V.R., Si-Saïd Cherfi, S., Chiang, R., Claramunt, C., Elmasri, R., Grandi, F., Han, H., Hepp, M., Lytras, M., Mišić, V.B., Poels, G., Song, I.-Y., Trujillo, J., Vangenot, C. (eds.) ER 2006 Workshops. LNCS, vol. 4231, pp. 6–9. Springer, Heidelberg (2006)
Google Scholar

Download references

Author information

Authors and Affiliations

Department of Computer and Information Science, Norwegian University of Science and Technology, NO-7491 Trondheim, Norway
Guttorm Sindre

Authors

Guttorm Sindre
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Pete Sawyer Barbara Paech Patrick Heymans

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Sindre, G. (2007). Mal-Activity Diagrams for Capturing Attacks on Business Processes. In: Sawyer, P., Paech, B., Heymans, P. (eds) Requirements Engineering: Foundation for Software Quality. REFSQ 2007. Lecture Notes in Computer Science, vol 4542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73031-6_27

Download citation

DOI: https://doi.org/10.1007/978-3-540-73031-6_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73030-9
Online ISBN: 978-3-540-73031-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics