مرور الگوهاي امنيت رايانهاي و پیشنهاد یک دیدگاه جدید
محورهای موضوعی : فناوری اطلاعات و ارتباطات
سید هادی سجادی
1
(عضو هیات علمی)
رضا کلانتری
2
(عضو هیات علمی)
کلید واژه: امنیت اطلاعات, الگوی امنیت, تهدید, آسیب پذیری, حمله, هستان شناسی,
چکیده مقاله :
در اين مقاله، نخست به شیوه ای بدیع به موضوع چرایی استفاده از الگوهاي امنيت رايانهاي و مزایای آن پرداخته شده است. سپس ضمن معرفي اجمالي فضاي مواجهات امنيت رايانهاي در قالب هستان شناسي، برای اولين بار سه ديدگاه در زمينة مرور الگوهاي اين حوزه، شناسائي و از یکدیگر تمیز داده شده است. اين سه ديدگاه شامل ديدگاه الگوهاي امن، ديدگاه الگوهاي امنيت و ديدگاه چارچوب و سيستم به الگوهاي امنيت است. دو ديدگاه اول و سوم به طور خلاصه توضيح داده شده و ديدگاه دوم نيز ازمنظر سازمان الگوها شامل پنج نوع سازماندهی، مورد تحقيق مفصل قرار گرفته است. پنج نوع گفته شده شامل سازماندهي بر اساس چرخة عمر نرم افزار، سازماندهي بر-اساس بازنمايي سطوح منطقي، سازماندهي براساس طبقهبندي تهديد-پايه، سازماندهي براساس طبقهبندي حمله-پايه و سازماندهي براساس دامنةكاربرد است. در اين نوع معرفي الگوها، مخاطب از منظری جامع با گفتمان الگوهاي امنيت رايانهاي آشناشده و آگاهي لازم براي استفاده بهتر از اين الگوها را كسب مينمايد. درانتها، ايدة اين پژوهش در قالب معرفي نوعي جديد از سازماندهي به منظور تسهيل در استفاده و آدرسدهي مناسب تر الگوها ارائه شده است. در اين ايده بيان شده است که دستهبنديهاي موجود، عمدتاً ايستا و پيشانِگربوده و از پويايي لازم و خصلت پسانِگري برخوردار نيستند و ايدة مبتني بر پوشش همة ذينفعان و هستان شناسي امنيت، ميتواند اين خاصيت را داشته باشد و به علاوه، الگوهاي چابك را نيز در خود جاي دهد. مبتني بر اين ايده و تحليلهاي مرتبط، فضاي فعاليتهاي پژوهشي آينده نيز براي مخاطب آشكار ميگردد.
In this article first the use of computer security models and its benefits are discussed in a novel way. Then, while briefly introducing the space of computer security encounters in the form of ontology, for the first time, three perspectives in the study of patterns in this field have been identified and distinguished from each other. These three perspectives include the view of secure models, the view of security models, and the view of the framework and system to security models. The first and third perspectives are briefly explained and the second perspective is studied in detail from the perspective of the organization of patterns, including the five types of organization. The five types mentioned include software-based lifecycle organization, logical-level organization-based organization, threat-based classification-based organization, attack-based classification-based organization, and application-based organization. In this type of introduction of patterns, the audience acquires a comprehensive view of the discourse of computer security patterns and acquires the necessary knowledge to make better use of these patterns. Finally, the analysis and idea of this research is presented in the form of introducing a new type of organization in order to facilitate the proper use and addressing of patterns. In this idea, it is stated that the existing categories are mostly static and forward-looking and do not have the necessary dynamism and backwardness, and the idea of covering all stakeholders and security ontology can have this feature and, in addition, include agile patterns as well. .
[1] http://www.oxforddictionarries.com,[Online].
[2] Schumacher, Markus. "Security patterns and security standards-with selected security patterns for anonymity and privacy." In Privacy,” European Conference on Pattern Languages of Programs (EuroPLoP. 2003.
[3] Xu, Xiwei, HMN Dilum Bandara, Qinghua Lu, Ingo Weber, Len Bass, and Liming Zhu. "A decision model for choosing patterns in blockchain-based applications." In 2021 IEEE 18th International Conference on Software Architecture (ICSA], pp. 47-57. IEEE, 2021.
[4] Marko, Nadja, Joaquim Maria Castella Triginer, Christoph Striecks, Tobias Braun, Reinhard Schwarz, Stefan Marksteiner, Alexandr Vasenev et al. "Guideline for Architectural Safety, Security and Privacy Implementations Using Design Patterns: SECREDAS Approach." In International Conference on Computer Safety, Reliability, and Security, pp. 39-51. Springer, Cham, 2021.
[5] Chifor, Bogdan-Cosmin, Ștefan-Ciprian Arseni, and Ion Bica. "IoT Cloud Security Design Patterns." In Big Data Platforms and Applications, pp. 113-164. Springer, Cham, 2021.
[6] Fenz, Stefan, Thomas Pruckner, and Arman Manutscheri. "Ontological mapping of information security best-practice guidelines." In International Conference on Business Information Systems, pp. 49-60. Springer, Berlin, Heidelberg, 2009.
[7] Yoshioka, Nobukazu, Hironori Washizaki, and Katsuhisa Maruyama. "A survey on security patterns." Progress in informatics 5, no. 5 (2008]: 35-47.
[8] http://www.symantec.com/security_response/publications/threatreport.jsp, [Online].
[9] https://www.us-cert.GOF, [Online].
[10]https://docs.microsoft.com/en-us/previous-versions/windows/desktop/cc307406 (v=msdn.10], [Online].
[11] https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet, [Online].
[12] Grance, Tim, Joan Hash, and Marc Stevens. Security considerations in the information system development life cycle. US Department of Commerce, Technology Administration, National Institute of Standards and Technology, 2004.
[13] National Bureau of Standards, and National Bureau of Standards. Federal Information Processing Standards Publication: Standard Security Label for Information Transfer. US Department of Commerce, National Institute of Standards and Technology, 1994.
[14] Chad Dougherty, Kirk Sayre, Robert C. Seacord, David Svoboda, Kazuya Togashi (JPCERT/CC], Secure Design Patterns, TECHNICAL REPORT CMU/SEI-2009-TR-010 ESC-TR-2009-010, http://cert.org/,[Online], March 2009; Updated October 2009.
[15] Schumacher, Markus. Security engineering with patterns: origins, theoretical models, and new applications. Vol. 2754. Springer Science & Business Media, 2003.
[16] Barabanov, Alexander, and Denis Makrushin. "Security audit logging in microservice-based systems: survey of architecture patterns." arXiv preprint arXiv:2102.09435 (2021].
[17] Blakley, Bob, and Craig Heath. "Security design patterns technical guide–Version 1." Open Group (OG] (2004].
[18] Schumacher, Markus, Eduardo Fernandez-Buglioni, Duane Hybertson, Frank Buschmann, and Peter Sommerlad. Security Patterns: Integrating security and systems engineering. John Wiley & Sons, 2013.
[19] Steel, Christopher, Ramesh Nagappan, and Ray Lai. "The alchemy of security design methodology, patterns, and reality checks." Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management, Prentice Hall 1088 (2005].
[20] Hafiz, Munawar, Paul Adamczyk, and Ralph E. Johnson. "Organizing security patterns." IEEE software 24, no. 4 (2007]: 52-60.
[21] Wiesauer, Andreas, and Johannes Sametinger. "A security design pattern taxonomy based on attack patterns." In International Joint Conference on e-Business and Telecommunications, pp. 387-394. 2009.
[22] "https://capec.mitre.org," [Online].
[23] M. K. R. &. S. K. Bunke, "Application-Domain Classification for Security Patterns," In Proceedings of the International Conferences on Pervasive Patterns and Applications, IARIA Conferences. XPS , 2011.
[24] Dove, Rick, and Laura Shirey. "On discovery and display of agile security patterns." In Conf Syst Eng Res, Stevens Institute of Technology, Hoboken, NJ. 2010.
[25] "www.ISC2.org," [Online].
[26] Laplante, Philip A. What every engineer should know about software engineering. CRC Press, 2007.
[27] C. C. F. K. J. &. L. F. Y. S. Huang, " A Study on Information Security Management with Personal Data Protection," In 2011 IEEE 17th International Conference on Parallel and Distributed Systems (pp. 624-630]. IEEE, (2011, December].
[28] Pub, F. I. P. S. "Minimum security requirements for federal information and information systems." (2005].
[29] A. I. Standard, " In InformationTechnology-security Techniques-Code of Practice for Information Security Controls", (AS ISO/IEC 27002: 2015], 2015