Managing Security Knowledge through Case based Reasoning

Corrado Aaron Visaggio, Francesca De Rosa



Making secure a software system is a very critical purpose, especially because it is very hard to consolidate an exhaustive body of knowledge about security risks and related countermeasures. To define a technological infrastructure for exploiting this knowledge poses many challenges. This paper introduces a system to capture, share and reuse software security knowledge within a Software Organization. The system collects knowledge in the form of misuse cases and makes use of Case Based Reasoning for implementing knowledge management processes. A reasoned analysis of the system was performed throughout a case study, in order to identify weaknesses and opportunities of improvement.


  1. A. Raman and S. Muegge, An integrated approach to security in software development methodologies, Proc. of Canadian Conference on Electrical and Computer Engineering. 2008, pp. 002011-002014
  2. C. Lai, Java Insecurity: Accounting for Subtleties That Can Compromise Code, IEEE Software, IEEE Computer Society, 2008, pp. 13-19
  3. C. Riesbeck and R. Schank, Inside Case-Based Reasoning, Riesbeck/Schank, 1989
  4. D. Ahmad and I. Arce, Vulnerability Bazaar, IEEE Security and Privacy, IEEE Computer Society, 2007, pp. 69-73
  5. D. Byers and N. Shahmehri, Design of a Process for Software Security, Proc. of the The Second International Conference on Availability, Reliability and Security (ARES), IEEE Computer Society, 2007, pp. 301-309.
  6. D. Xu and K. N. Kendall, Threat-Driven Modeling and erification of Secure Software Using Aspect-Oriented Petri Nets, IEEE Transactions on Software Engineering, IEEE Press, 2006, pp. 265-278
  7. G. Sindre, A.L. Opdahl and G.F. Brevik, Generalization/Specialization as a Structuring Mechanism for Misuse Cases. In Proc. of 2nd Symposium on Requirements Engineering for Information Security (SREIS'02), 2002
  8. J. A. Ingalsbe, L. Kunimatsu, T. Baeten and N. R. Mead, Threat Modeling: Diving into the Deep End, IEEE Software, IEEE Computer Society Press, 2008, pp. 28-34
  9. J. Steven and G. Peterson, Defining Misuse within the Development Process, IEEE Security and Privacy, IEEE Computer Society, 2006
  10. L. Wang, E. Wong and D. Xu, A Threat Model Driven Approach for Security Testing, In Proc. of the Third International Workshop on Software Engineering for Secure Systems (International Conference on Software Engineering), IEEE Computer Society, 2007, p. 10
  11. M. E. Johnson and E. Goetz,Embedding Information Security into the Organization, Security & Privacy, IEEE Computer Society, 2007, pp. 16-24
  12. N. A. Malik, M. Y. Javed and U. Mahmud, Threat Modeling in Pervasive Computing Paradigm, In Proc. of New Technologies, Mobility and Security, 2008, pp. 28-34
  13. S. Barnum and G. McGraw, Knowledge for Software Security, Security & Privacy, IEEE, 2005, pp. 74-78
  14. X. Li, and K. He, A Unified Threat Model for Assessing Threat in Web Application. In Proc. of the 2008 International Conference on Information Security and Assurance (isa 2008), 2008, pp. 142-145
  15. X. Liu and Z. Liu Evaluating Method of Security Threat Based on Attacking-Path Graph Model. In Proc. of International Conference on Computer Science and Software Engineering, 2008 , pp. 1127-1132
  16. A. Stahl, and T. Gabel. Using Evolution Programs to Learn Local Similarity Measures. In Proc. of the 5th International Conference on Case-Based Reasoning (ICCBR 2003), Trondheim, Norway, June 2003.
  17. D. Mellado, E. Fernández-Medina, and M. Piattini, ”SREPPLine: Towards a Security Requirements Engineering Process for Software Product Lines”. In Proc. of WOSIS 2007, 2007, pp. 220-232

Paper Citation

in Harvard Style

Visaggio C. and De Rosa F. (2009). Managing Security Knowledge through Case based Reasoning . In Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009) ISBN 978-989-8111-91-3, pages 127-135. DOI: 10.5220/0002200401270135

in Bibtex Style

author={Corrado Aaron Visaggio and Francesca De Rosa},
title={Managing Security Knowledge through Case based Reasoning},
booktitle={Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009)},

in EndNote Style

JO - Proceedings of the 7th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2009)
TI - Managing Security Knowledge through Case based Reasoning
SN - 978-989-8111-91-3
AU - Visaggio C.
AU - De Rosa F.
PY - 2009
SP - 127
EP - 135
DO - 10.5220/0002200401270135