Managing Information Systems Security through exploiting Ontologies
Bill Tsoumas
February 2007
IS Security Management with Ontologies
Athens University of Economics and Business, p. 2
ATHENS UNIVERSITY OF ECONOMICS AND BUSINESS
DEPARTMENT OF INFORMATICS
DISSERTATION
for the award of the Doctoral Degree
of the Department of Informatics
by Vasileios Tsoumas
Information Systems Security Management
with Ontologies
Advisory Committee:
Supervisor:
Gritzalis Dimitris,
Associate Professor
Athens University of Economics and Business
Members:
Apostolopoulos Theodoros,
Professor
Athens University of Economics and Business
Spinellis Diomidis,
Associate Professor
Athens University of Economics and Business
Athens, February 2007
Examination Committee:
Gritzalis Dimitris, Associate Professor, Chair
Athens University of Economics and Business
Pangalos Georgios, Professor
Aristotle University of Thessaloniki
Katsikas Sokratis, Professor
University of the Aegean
Apostolopoulos Theodoros, Professor
Athens University of Economics and Business
Polyzos Georgios, Professor
Athens University of Economics and Business
Spinellis Diomidis, Associate Professor
Athens University of Economics and Business
Mavridis Ioannis, Assistant Professor
University of Macedonia
"The approval of a doctoral dissertation by the Department of Informatics of the Athens
University of Economics and Business does not imply acceptance of the author's opinions."
(Law 5343/1932, art. 202)
PREFACE AND ACKNOWLEDGEMENTS
At the end of a research effort of considerable duration, the person involved usually
cannot believe that the moment has come to write this section.
Believing that this dissertation makes at least a minimal contribution to the research
field, and certainly wiser than at the start of this journey, I would like to thank the
colleagues and friends who supported this effort in many ways. First and foremost, I
express my warm thanks to my supervisor, Associate Professor of the Department of
Informatics of the Athens University of Economics and Business (AUEB), Mr. Dimitris
Gritzalis, for his trust and his continuous support all these years. Beyond our long
discussions on the substantive research issues, the greatest gain from our collaboration
was the broadening of my perception towards a holistic view of the field of IS security
beyond its technical aspects, something which, on my entry into the field, I literally
(and consciously) ignored. The discreet support of the members of the three-member
advisory committee of the dissertation, namely Professor Theodoros Apostolopoulos and
Associate Professor Diomidis Spinellis, mainly on matters concerning the research
directions of the dissertation, was valuable and constant. I cannot overlook the
contribution of Professor Emeritus Evangelos Kiountouzis, for his critical eye and his
dedication to the value of methodological approaches. His philosophical stance towards
teaching (in general) and research (in particular) was a source of inspiration and of
constant good-faith questioning in every direction, ultimately providing numerous
stimuli for improvement.
From the long list of colleagues and friends who influenced the outcome of this work I
could not exclude the members of the research group on Information Security and
Critical Infrastructure Protection of the Athens University of Economics and Business.
Special mention goes to Kostas Moulinos, Thodoris Tryfonas and Giannis Iliadis, with
whom I walked together for a long period at the research level during their own
dissertations, and whose views influenced me deeply, being more mature researchers and
each seeing things from a different perspective. Our discussions were rich in
intellectual stimuli, and I believe that I, in turn, contributed to a small degree to the
success of their own works.
Exceptionally important help was offered by Natasa Michailidou, Panagiotis
Papagiannakopoulos and Charalampos Tripodianos, with whom significant proof-of-concept
parts of the dissertation were jointly implemented. My colleague Stelios Dritsas, whose
research path ran almost parallel in time to mine, has supported my work strongly,
constantly and in his own personal way up to this day. Furthermore, Sokratis Katsikas,
Kostas Lambrinoudakis, Lazaros Gymnopoulos, Marianthi Theoharidou, Giannis Marias and
Aggeliki Tsohou have contributed in various ways at different stages of this research.
The experience I gained while working in the Information Systems Audit and Security
department of Ernst & Young also played a significant role in shaping the dissertation,
since daily contact with practical audit and security problems steered my research
interest in this direction. I take this opportunity to thank all the colleagues of the
Information Systems Auditors department, with special reference to Christos Seferis and
Dr. Kyriakos Tsiflakos for the facilities they provided so that I could complete my work.
Finally, I would like to thank my parents Dionysia and Nikos for all they have offered
me to this day, each in their own way and with their own means, and my partner, Efi, for
her love, patience and tolerance throughout the preparation of this work. This
dissertation is dedicated to my mother, who taught me, without words, everything that is
not taught in universities and not written in books, but which is what gives meaning to
life, and indeed without asking anything in return.
Athens, 30 January 2007
To my mother Dionysia
We are realists. We dream the impossible.
~ Ernesto “Che” Guevara
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 8
References
1. Agentcities RTD IST Project (IST-2000-28385) (2003). “Deliverable D3.4:
Harmonising Heterogeneous Security Models & Addressing Ownership Using an
Ontological Approach” (available at
http://www.agentcities.org/EURTD/index.php?target=results, August 2006)
2. Agrawal, D., Calo, S., Giles, J., Lee, K.-W. and Verma, D. (2005). “Policy
Management for Networked Systems and Applications”. In Proceedings of 9th
IFIP/IEEE International Symposium on Integrated Network Management, Nice,
France, IEEE, May 2005.
3. Agrawal, D., Giles, J., Lee, K.-W. and Lobo, J.(2005). “Policy Ratification”. In
Proceedings of 6th IEEE International Workshop on Policies for Distributed Systems
and Networks, Stockholm, Sweden, IEEE, June 2005.
4. Alberts, C. and Dorofee, A., (2001). “OCTAVE Method Implementation Guide
Version 2.0”, Carnegie Mellon, Software Engineering Institute, CERT Coordination
Centre. Available at http://www.cert.org/octave/download/intro.html (August 2005).
5. ANSI INCITS 359-2004. (2004). American National Standards Institute,
International Committee for Information Technology Standards (ANSI/INCITS),
“Information Technology – Role Based Access Control”.
6. Antσn, A., Carter, A., Dempster, J., & Siege, D. (2001). “Deriving Goals from a Use-
Case Based Requirements Specification for an Electronic Commerce System”.
Requirements Engineering Journal, Springer-Verlag London, 6, 63-73.
7. Antσn, A. I. "Goal-Based Requirements Analysis." In Proceedings of International
Conference on Requirements Engineering (ICRE '96), Colorado Springs, Colorado,
April 1996.
8. Appelt, D. (1996). “The Common Pattern Specification Language”. Technical report,
SRI International, Artificial Intelligence Center.
9. Appelt, D. (1999). “An Introduction to Information Extraction”, Artificial
Intelligence Communications, 12(3):161–172.
10. Standards Australia and Standards New Zealand. (1999) – “Australian/New Zealand
Standard Handbook of Information Security Risk Management 4360 (AS/NZS
4360)”.
11. Ashby, W. R. (1956). “An introduction to cybernetics”. Chapman & Hall, London.
12. Bandara A. K., Lupu E., Moffett J. D., Russo A., (2004). “A Goal-based Approach to
Policy Refinement”, 5th IEEE International Workshop on Policies for Distributed
Systems and Networks (POLICY 2004), pp: 229-239.
13. Bandara A. K. (2005). “A Formal Approach to Analysis and Refinement of Policies”.
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 9
Doctoral Thesis, Imperial College of Science, Technology and Medicine, University
of London, London.
14. Barker, S. (2000). “Security Policy Specification in Logic”. In Proceedings of Int.
Conf. on Artificial Intelligence (ICAI00), Las Vegas, Nevada, USA, June 2000.
15. Barker, S. (2001a). “Access Control Policies as Logic Programs”. Technical Report:
Imperial College of Science, Technology and Medicine, London.
16. Barker, S. and Rosenthal, A. (2001b). “Flexible Security Policies in SQL”. In
Proceedings of Fifteenth Annual IFIP WG 11.3 Working Conf. on Database and
Application Security, Niagara on the Lake, Ontario, Canada, 15-18 July 2001.
17. Baskerville, R., (1993). “Information Systems Security Design Methods: Implications
for Information Systems Development”. ACM Computing Surveys, 1993. 25(4). 375-
414.
18. Beigi, M. S., Calo, S. and Verma, D. (2004). “Policy Transformation Techniques in
Policy-based Systems Management”. In Proceedings of International Workshop on
Policies for Distributed Systems and Networks, Yorktown Heights, New York, IEEE,
June 2004.
19. Ben Achour, C., Rolland, C., & Souveyet, C. (1998). “A proposal for improving the
quality of the organisation of scenario collections”. Paper presented at the Fourth
International Workshop on Requirements Engineering: Foundation for Software
Quality (REFSQ'98), Pisa, Italy.
20. Berners-Lee, T. Hendler, J. and Lassila, O. (2001). “The Semantic Web”, In
Scientific American. Available at :
http://www.scientificamerican.com/article.cfm?articleID=00048144-10D2-1C70-
84A9809EC588EF21&catID=2 (March 2005)
21. Biddle, B. J. and Thomas, E. J. (1979). “Role theory: concepts and research”. New
York, Robert E. Krieger Publishing Company, 1979.
22. Bjφrck, F. (2001). “Security Scandinavian Style”. Licentiate thesis,
23. Stockholm University & Royal Institue of Technology.
24. BOLERO consortium. (1995). “Bolero project – Final Report”, DGXIII/B6 under
INFOSEC '94 contract S2302, EU.
25. Bozsak, E., Ehrig, M., Handschub, S., Hotho, A. et al. (2002). “KAON - Towards a
Large Scale Semantic Web”. In Bauknecht, K.; Min Tjoa, A.; Quirchmayr, G. (Eds.):
Proc. of the 3rd International Conference on E-Commerce and Web Technologies,
pp. 304-313.
26. Bray T., Paoli J., Sperberg-McQueen C. M., and Maler E., (2000). Bray, T., Paoli, J.,
Sperberg-McQueen, C. M., Maler, E. and Yergeau, F. “Extensible Markup Language
(XML) 1.0 (Fourth Edition)”, W3C Recommendation, Technical report, World Wide
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 10
Web Consortium, http://www.w3.org/TR/REC-xml, October 2006.
27. Brickley D. and Guha R. (2000). “Resource Description Framework (RDF) Schema
Specification 1.0”, W3C Recommendation, http://www.w3.org/TR/2000/CR-rdf-
schema-20000327/, December 2004.
28. BSI (2003). “IT Baseline Protection Manual (IT-Grundschutz Manual)”, Federal
Office for Information Security (BSI), Germany. Available at
http://www.bsi.bund.de/english/gshb/manual/download/index.html (August 2006).
29. British Standards Institution. (2001). “BS7799 Part 1. Information technology – Code
of practice for information security management”. British Standards Institution,
London.
30. British Standards Institution. (2002). “BS7799 Part 2. Information security
management systems — Specification with guidance for use”. British Standards
Institution, London.
31. British Standards Institution. (2005). “Introducing the parts of the BS 7799
Standards”. Available at http://www.bsi-
global.com/Education/Information_Security/intro.xalter (February 2005).
32. BugTraq mailing list (http://seclists.org/lists/bugtraq)
33. Burgess, M. (1995). “A Site Configuration Engine”. USENIX Computing systems
8(3), 1995.
34. Casassa Mont, M., Baldwin, A. and Goh, C. (2000) “POWER Prototype: Towards
Integrated Policy-Based Management”. IEEE/IFIP Network Operations and
Management Symposium, (NOMS2000), ed. J. Hong, R., Weihmayer, Hawaii, May
2000, pp. 789-802.
35. The Center for Democracy and Technology, Available at www.cdt.org (July 2006)
36. CERT Coordination Center. (2006). Available at http://www.cert.org.
37. Chivers, H.R. (2006). “Security Design Analysis”. Doctoral Thesis, University of
York.
38. Chomicki, J., Lobo, J. and Naqvi, S. (2000). “A Logic Programming Approach to
Conflict Resolution in Policy Management”. In Proceedings of 7th Int. Conf. on
Principles of Knowledge Representation and Reasoning (KR2000), Breckenridge,
Colorado, USA, Morgan Kaufmann, April 2000.
39. Chung, L., Nixon, B. A., Yu, E., & Mylopoulos, J. (2000). “Non-Functional
Requirements in Software Engineering”. Kluwer Academic Publishers.
40. Clemente, F., Perez, G., Blaya, J., Skarmeta, A. (2005). “Representing Security
Policies, in Web Information Systems”. In Proc. of the Policy Management for the
Web Workshop (WWW 2005), Japan.
41. Felix Clemente, G. P. (2005). “Representing security policies in web information
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 11
systems”. In Proceedings of WWW 2005.
42. Committee on National Security Systems (CNSS). (2006). “CNSS National
Information Assurance (IA) Glossary”. Available at
http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf (September 2006)
43. C&A Systems Security Ltd. (2006). “COBRA Suite”. United Kingdom (August
2006).
44. Cockburn, A. (1995). “Structuring use cases with goals”. [Online]. Available at
http://alistair.cockburn.us/index.php/Structuring_use_cases_with_goals/ (October
2006).
45. Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(1992). “Internal Control Integrated Framework”, USA
46. Insight Consulting Limited. (2005). “CRAMM Risk Assessment Tool Overview”,
(Available at http://www.cramm.com/riskassesment.htm (May 2005).
47. Communications Security Establishment (CSE). (1996). “A Guide to Risk
Assessment and Safeguard Selection for Information Technology Systems”.
Government of Canada. Available at : http://www.cse-
cst.gc.ca/en/documents/knowledge_centre/gov_publications/itsg/mg3.pdf (March
2005).
48. Cunningham H., Maynard D., Bontcheva K., Tablan V. (2002). “GATE: A
Framework and Graphical Development Environment for Robust NLP Tools and
Applications”, Proceedings of the 40th Anniversary Meeting of the Association for
Computational Linguistics (ACL'02), pp. 168-175.
49. Cunningham H., Maynard D., Bontcheva K., Tablan V., Ursu C., Dimitrov M.,
Dowman M., Aswani N. (2006). “Developing Language Processing Components with
GATE Version 4 (a User Guide)”, Available at http://gate.ac.uk/documentation.html
(August 2006).
50. Cunningham H. (1999). “Information Extraction: a User Guide (revised version)”,
Research Memorandum CS–99–07, Department of Computer Science, University of
Sheffield.
51. Cuppens F., Saurel, C. (1996). “Specifying a security policy: a case study”, p. 123,
Ninth IEEE Computer Security Foundations Workshop.
52. Damianou N., Dulay N., Lupu E., Sloman M. (2001). “The Ponder Specification
Language”, Workshop on Policies for Distributed Systems and Networks
(Policy2001), HP Labs Bristol, pp. 18-38.
53. Damianou, N., Bandara, A. K., Sloman, M. S. and Lupu, E. C. (2002). ”A Survey of
Policy Specification Approaches”, available at http://citeseer.ist.psu.edu/540402.html
(December 2006).
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 12
54. Damianou, N. (2002b). “A Policy Framework for Management of Distributed
Systems”. Doctoral Thesis, Imperial College of Science, Technology and Medicine,
University of London, London.
55. DAML. (2004). The DARPA Agent Markup Language Homepage (2004) Available
at: http://www.daml.org/ (March 2005)
56. DAML+OIL (March 2001) Reference Description W3C Note 18 December 2001.
Available at http://www.w3.org/TR/daml+oil-reference/ (August 2006)
57. Dardenne, A., Lamsweerde, A. v., & Fickas, S. (1993). “Goal-directed Requirements
Acquisition”. Science of Computer Programming, 20, 3-50.
58. Darimont, R. and van Lamsweerde, A. (1996). “Formal Refinement Patterns for
Goal-Driven Requirements Elaboration.” 4th ACM Symposium on the Foundations
of Software Engineering (FSE4): 179-190, 1996.
59. Darimont, R. (1995). “Process Support for Requirements Elaboration”. Unpublished
PhD Thesis, Universite Catholique de Louvain, Louvain-la-Neuve.
60. de Albuquerque J.P., Krumm H., de Geus P.L. (2005). “Policy Modeling and
Refinement for Network Security Systems”. In Proceedings of the Sixth IEEE
International Workshop on Policies for Distributed Systems and Networks (POLICY
’05), pp. 24-33.
61. Dean M., et al. (2004). “OWL Web Ontology Language Reference”, W3C Recom-
mendation, available at http://www.w3.org/TR/owl-ref/
62. DeMarco, T. and Lister, T. (1999). “Peopleware: Productive Projects and Teams”,
2nd ed., Dorset House Publishing Co., New York.
63. Denning Dorothy E., Denning Peter J. (1997). “Internet Besieged: Countering
Cyberspace Scofflaws”, Addison-Wesley Pub Co (Sd).
64. Ellesson, E. (2001). “CIM Core Policy Model”. Distributed Management Task Force.
65. DMTF, WBEM Solutions Inc. (2003) “CIM Tutorial”, Available at:
http://www.wbemsolutions.com/tutorials/CIM/ (Οκτώβριος 2004)
66. DMTF. (2006). “Common Information Model v. 2.12”, available at
http://www.dmtf.org/standards/cim/cim_schema_v212/ (June 2006).
67. Distributed Management Task Force. (2005). “Web-based Enterprise Management
(WBEM) Initiative”, http://www.dmtf.org/standards/wbem/ (February 2005).
68. DTI and Coopers, P. W. (2002). “Information security breaches survey 2002”.
Technical report, Department of Trade and Industry.
69. DTI. (2000). “Information security breaches survey 2000 technical report”. Technical
report, Department of Trade and Industry.
70. Eclipse - Integrated Development Environment (IDE) for Java and Perl. (2006).
Available at http://www.eclipse.org (August 2006).
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 13
71. Electronic Frontier Foundation. (2006). Available at www.eff.org (August 2006)
72. Efstratiou, C., Friday, A., Davies, N. and Cheverst, K. (2002). “Utilising the Event
Calculus for Policy Driven Adaptation on Mobile Systems”. In Proceedings of Third
Int. Workshop on Policies for Distributed Systems and Networks (POLICY-2002),
Monterey, CA, USA, IEEE Press, June 2002.
73. Ehrmann, H. (2002). “Unternehmensplannung”. Friedrich Kiehl Verlag, 4th edition.
74. Enron. (2001). Financial scandal of Enron. Available at
http://www.yaleeconomicreview.com/issues/summer2006/enron.php (September
2006)
75. Ernst & Young. (2005). “Global Information Security Survey 2005”.
76. Fensel D., Horrocks I., Harmelen F., Decker S., Erdmann M., and Klein M. (2000).
“OIL in a nutshell”, In Proc. Of the 12th Eur. Workshop on Knowledge Acquisition,
Modelling, and Management (EKAW’00), 1937: 1–16.
77. Fensel D., Harmelen F., Horrocks I., McGuinness D. L., and Patel-Schneider P. F.
(2001). “OIL: An ontology infrastructure for the semantic web”. In IEEE Intelligent
Systems, 16(2):38–45.
78. S.N. Foley, S. Bistaelli, B. O'Sullivan, J. Herbert and G. Swart. (2005). “Multilevel
Security and Quality of Protection”, First Workshop on Quality of Protection, Como,
Italy, September 2005.
79. Friedman-Hill, E. (2005). “JESS – The Rule Engine for the Java Platform”, Sandia
National Laboratories, http://herzberg.ca.sandia.gov/jess/index.shtml (November.
2005)
80. French Security Incident Response Team (former K-OTik Security Advisories),
http://www.frsirt.com/english/
81. Fyodor. (2003). Nmap scanner. Available at http://www.insecure.org/nmap (August
2006).
82. GATE framework. (2006). A General Architecture for Text Engineering. Available at
http://www.gate.ac.uk (August 2006).
83. Gerber, M. and von Solms, R. (2005). “Management of risk in the information age”.
Computers & Security, 24(1):16-30.
84. GFi. (2002). LANguard network scanner. Available at
http://www.gfi.com/lannetscan/ (August 2006).
85. Giorgini, P., Massacci, F., and Zannone, N. (2005c). “Security and Trust
Requirements Engineering”. Volume 3655, pp. 237–272.
86. F. Giunchiglia, J. Mylopoulos, and A. Perini. (2002). “The Tropos Development
Methodology : Processes, Models and Diagrams”. In Proceedings of the 2002
Autonomous Agents and Multi-Agent systems.
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 14
87. Gordon, L. A., Loeb, M. P., Lucyshyn, W., and Richardson, R. (2004). “2004
CSI/FBI computer crime and security survey”. Technical report, CSI/FBI.
88. Greenspan, S., Mylopoulos, J., & Borgida, A. (1994, May 16-21). “On Formal
Requirements Modeling Languages: RML Revisited”. 16th International Conference
on Software Engineering (ICSE-94), Sorrento, Italy.
89. Gritzalis, D. and Tsoumas, V. “Assurance-by-ontology: An introduction and a
paradigm proposal”. In NATO ARW on Information Security Assurance and
Security, June 3-4 2005, Tetuan, Morocco.
90. Gritzalis, D., Tsoumas, V., “An assurance-by-ontology paradigm proposal: Elements
of security knowledge management”. In Information Assurance and Computer
Security (NATO Security through Science Series: Information and Communication
Security, Vol. 6), pp. 15-30, Johnson T., et al. (Eds.), IOS Press, 2006.
91. Gruber T. (1993). “Toward principles for the design of ontologies used for
knowledge sharing”. In Formal Ontology in Conceptual Analysis and Knowledge
Representation. Kluwer Academic Publishers.
92. Gymnopoulos L., Tsoumas V., Soupionis I., Gritzalis S. (2005). “A generic Grid
security policy reconciliation framework”. In Internet Research: Electronic
Networking Applications and Policy, Vol. 15, No. 5. (January 2005), pp. 508-517.
93. Gymnopoulos L., Tsoumas V., Soupionis J., Gritzalis S. (2005). “Enhancing Security
Policy Negotiation in the GRID”. In Proceedings of the INC'2005 5th International
Network Conference, S. Furnell and S. K. Katsikas (Eds.), July 2005, Samos, Greece,
published by University of Plymouth.
94. Hayton, R. J., Bacon, J. M. and Moody, K. (1998). “Access Control in an Open
Distributed Environment”. In Proceedings of IEEE Symposium on Security and
Privacy, Oakland, California, U.S.A., May 1998.
95. Heflin J., Munoz-Avila H. (2002). “LCW-Based Agent Planning for the Semantic
Web”. In Ontologies and the Semantic Web, 2002 AAAI Workshop WS-0211, pages
63--70, Menlo Park, CA, Nov. 2002.
96. Heflin, J. (Editor), Web Ontology Working Group. (2004). “OWL Web Ontology
Language Use Cases and Requirements”, W3C Recommendation 10 February 2004.
Available at http://www.w3.org/TR/webont-req/ (Σεπτέμβριος 2006).
97. Helmer, G., Wong, J., Slagell, M., Honavar, V., Miller, L., and Lutz, R. (2001). “A
software fault tree approach to requirements analysis of an intrusion detection
system”. In Proceedings of Symposium on Requirements Engineering for Information
Security, Center for Education and Research in Information Assurance and Security,
Purdue University.
98. Hendler J. and McGuinness D. L. (2000). ”The DARPA Agent Markup Language”.
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 15
In IEEE Intelligent Systems, 15(6):67–73.
99. Hepple M. (2000). “Independence and commitment: Assumptions for rapid training
and execution of rule-based POS taggers”. In Proceedings of the 38th Annual
Meeting of the Association for Computational Linguistics (ACL-2000).
100. Hoagland, J. (2000). “Specifying and Implementing Security Policies Using LaSCO,
the Language for Security Constraints on Objects”. Doctoral Thesis, UC Davis,
March 2000.
101. Holsapple C., Joshi K. (2002). “A collaborative approach to ontology design”, Com.
of the ACM, 45(2):42-47.
102. Horrocks, I., Patel-Schneider P. F., Boley, H., Tabet, S., Grosof, B., Dean, M. (2004).
“SWRL: A Semantic Web Rule Language Combining OWL and RuleML”. W3C
Member Submission. Available at http://www.w3.org/Submission/SWRL/ (August
2006).
103. Hφne Κ. and Eloff J. (2002). “Information security policy - what do international
information security standards say?”. In Computers & Security, Vol. 21, No 5,
pp.402-409.
104. Imamura T., Tatsubori M., Nakamura Y., Christopher Giblin. (2005). “Web Services
Security Configuration in a Service-Oriented Architecture”, στο International World
Wide Web Conference, Special interest tracks and posters of the 14th international
conference on World Wide Web, σσ. 1120-1121, ACM, Chiba, Japan, May 2005
105. ISO. (1996). “ISO/IEC TR 13335-1:1996 Information technology – Guidelines for
the management of IT Security – Part 1: Concepts and models for IT Security”.
International Organization for Standardization and International Electrotechnical
Commission Joint Technical Committee (ISO/IEC JTC 1), Switzerland.
106. ISO. (1997). “ISO/IEC TR 13335-2:1997 Information technology – Guidelines for
the management of IT Security – Part 2: Managing and planning IT Security”.
International Organization for Standardization and International Electrotechnical
Commission Joint Technical Committee (ISO/IEC JTC 1), Switzerland.
107. ISO. (1998). “ISO/IEC TR 13335-3:1998 Information technology – Guidelines for
the management of IT Security – Part 3: Techniques for the management of IT
Security”. International Organization for Standardization and International
Electrotechnical Commission Joint Technical Committee (ISO/IEC JTC 1),
Switzerland.
108. ISO. (2000). “ISO/IEC TR 13335-4:2000 Information technology – Guidelines for
the management of IT Security – Part 4: Selection of safeguards”. International
Organization for Standardization and International Electrotechnical Commission Joint
Technical Committee (ISO/IEC JTC 1), Switzerland.
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 16
109. ISO. (2001). “ISO/IEC TR 13335-5:2001 Information technology – Guidelines for
the management of IT Security – Part 5: Management guidance on network security”.
International Organization for Standardization and International Electrotechnical
Commission Joint Technical Committee (ISO/IEC JTC 1), Switzerland.
110. ISO. (2004). “ISO 14001:2004 Environmental management systems — Requirements
with guidance for use”. International Organization for Standardization and
International Electrotechnical Commission Joint Technical Committee (ISO/IEC JTC
1), Switzerland.
111. ISO. (1999). “14750:1999 Information technology – Open Distributed Processing –
Interface Definition Language”. International Organization for Standardization and
International Electrotechnical Commission Joint Technical Committee (ISO/IEC JTC
1), Switzerland.
112. ISO. (1999). “ISO 15048 Information technology – Security techniques – Evaluation
criteria for IT security (Common Criteria)”. International Organization for
Standardization and International Electrotechnical Commission Joint Technical
Committee (ISO/IEC JTC 1), Switzerland.
113. ISO. (2000). “17799:2000 Information technology — Code of practice for
information security management”. International Organization for Standardization
and International Electrotechnical Commission Joint Technical Committee (ISO/IEC
JTC 1), Switzerland.
114. ISO. (2005). “17799:2005 Information technology – Security techniques – Code of
practice for information security management”. International Organization for
Standardization and International Electrotechnical Commission Joint Technical
Committee (ISO/IEC JTC 1), Switzerland.
115. ISO. (2000). “ISO 9001:2000, Quality management systems — Requirements”.
International Organization for Standardization and International Electrotechnical
Commission Joint Technical Committee (ISO/IEC JTC 1), Switzerland.
116. ISO.(2006). “ISO/IEC 15504 (SPICE): Information Technology - Software Process
Assessment, (2003-2006)”. Available at
http://www.isospice.typepad.com/isospice_is15504/ (February 2005)
117. International Standard Organization (http://www.iso.org/)
118. Internet Security Systems. (2006). “X-Force Database”. Available at
http://xforce.iss.net/xforce/search.php (June 2006)
119. ITGI. (2000). “COBIT 3rd Edition Control Objectives”. IT Governance Institute.
Available at http://www.ITgovernance.org (October 2006).
120. ITGI. (2000). “Control Objectives for Information and related Technology (COBIT
3rd edition)”. IT Governance Institute (http://www.ITgovernance.org).
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 17
121. OGC. (2003). “IT Infrastructure Library (ITIL)”. Office of Government Commerce.
122. Jajodia, S., Samarati, P. and Subrahmanian, V. S. (1997a). “A Logical Language for
Expressing Authorisations”. In Proceedings of IEEE Symposium on Security and
Privacy, Oakland, USA, IEEE, 1997a.
123. Jajodia, S., Samarati, P., Sapino, M. L and Subrahmanian, V. S. (2000). “Flexible
Support for Multiple Access Control Policies”. ACM Transactions on Database
Systems 26(2): 214-260, 2000.
124. Kagal L., Finin, T. and Joshi, A. (2003). “A policy language for a pervasive
computing environment”. In 4th IEEE International Workshop on Policies for
Distributed Systems and Networks.
125. Karygiannis Τ., Owens L. (2002). “Wireless Network Security: 802.11, Bluetooth
and Handheld Devices”. NIST Special Publication no. 800-48, U.S. Dept. of
Commerce, USA.
126. Kavakli, E. and Loucopoulos P. (2004). “Goal Driven Requirements Engineering:
Analysis and Critique of Current Methods”. In Information Modeling Methods and
Methodologies (Adv. topics of Database Research), John Krogstie, Terry Halpin and
Keng Siau (eds), IDEA Group, pp 102 - 124.
127. Keromytis, A. D., Ioannidis, S., Greenwald, M. and Smith, J. (2003). “The
STRONGMAN Architecture”, Proceedings of DARPA Information Survivability
Conference and Exhibition, vol 1, σσ. 178–188. IEEE Press, April 2003
128. Knottenbelt, J. A. and Clark, K. L. (2004). “An Architecture for Contract-based
Communicating Agents”. In Proceedings of Second European Workshop on Multi-
Agent Systems, Barcelona, Spain, December 2004.
129. Kramar, T. (2002). “Dekonstruierte Dimensionen: Das Jahr, in dem die Physik
postmodern wurde”. Presse, 08. Jan.
130. Lambrinoudakis C., Tsoumas V., Karyda M., Ikonomopoulos S., “Secure e-Voting:
The Current Landscape”, στο βιβλίο Secure Electronic Voting: Trends and
Perspectives, Capabilities and Limitations, D. Gritzalis (Ed.), Kluwer Academic
Publishers, 2002.
131. Lambrinoudakis C., Tsoumas V., Karyda M, Gritzalis, D., Katsikas, S. (2003).
“Electronic Voting Systems: The Impact of System Actors to the Overall Security
Level”, 18th IFIP International Information Security Conference, May 2003, Athens,
Greece
132. Lambrinoudakis C., Kokolakis, S., Karyda M, Tsoumas V., Gritzalis, D., Katsikas, S.
(2003). “Electronic Voting Systems: Security Implications of the Administrative
Workflow”, DEXA 2003 (TRUSTBUS workshop), Sep. 2003, Prague.
133. Lano, K. and Haughton, H. (1996). “Specification in B: an Introduction using the B-
Διαχείριση Ασφάλειας ΠΣ με Οντολογίες
Οικονομικό Πανεπιστήμιο Αθηνών Σελ. 18
Toolkit”. London, Imperial College Press, 1996.
134. Lassila O. and Swick R. R. (1999). “Resource Description Framework (RDF) Model
and Syntax Specification”, W3C Recommendation, Technical report, World Wide
Web Consortium, http://www.w3.org/TR/1999/REC-rdf-syntax-19990222/
(December 2004).
135. Leite, J.C., Rossi, G., Balaguer, F., Maiorana, V., Kaplan, G., Hadad, G. and
Oliveiros, A. (1997). “Enhancing a Requirements Baseline with Scenarios”. In
Requirements Engineering Journal, 2(4), pages 184-198.
136. Letier, E., & van Lamsweerde, A. (2002). “Agent - Based Tactics for Goal-Oriented
Requirements Elaboration”. In the 24th International Conference on Software
Engineering, ICSE'2002, Orlando, Florida.
137. Lobo, J., Bhatia, R. and Naqvi, S. (1999). “A Policy Description Language”. In
Proceedings of 16th National Conf. on Artificial Intelligence, Orlando, Florida, USA,
18-22 July 1999.
138. Loucopoulos, P., & Kavakli, E. (1995). “Enterprise Modelling and the Teleological
Approach to Requirements Engineering”. International Journal of Intelligent and
Cooperative Information Systems, 4(1), 45-79.
139. Lupu E., Sloman M., Dulay N., Damianou N. (2000). “Ponder: Realising Enterprise
Viewpoint Concepts”, 4th International Enterprise Distributed Object Computing
Conference (EDOC 2000) pp: 66-75.
140. Lück, I. and Krumm, H. (2003). “Model-Based Security Service Configuration”,
University of Dortmund.
141. Lück, I., Schäfer, C. and Krumm, H. (2001). “Model-Based Tool-Assistance for
Packet-Filter Design”. In M. Sloman, J. Lobo and E. Lupu (Eds.), Proceedings of
POLICY 2001: Workshop on Policies for Distributed Systems and Networks, Lecture
Notes in Computer Science vol. 1995, pp. 120-136, Springer-Verlag, Berlin Heidelberg,
2001.
142. Manna, Z. and Pnueli, A. (1992). “The Temporal Logic of Reactive and Concurrent
Systems”, Springer-Verlag.
143. Maynard D., Cunningham H., Bontcheva K., Catizone R., Demetriou G., Gaizauskas
R., Hamza O., Hepple M., Herring P., Mitchell B., Oakes M., Peters W., Setzer A.,
Stevenson M., Tablan V., Ursu C. and Wilks Y. (2000). “A Survey of Uses of
GATE”, Technical Report CS–00–06, Department of Computer Science, University
of Sheffield.
144. Meyer, J. J. Ch., Wieringa, R. J. and Dignum, F. P. M. (1996). “The Role of Deontic
Logic in the Specification of Information Systems”. Utrecht University, Department
of Computer Science Document Number UU-CS-1996-55, ISSN: 0924-3275,
December 1996.
145. Michael, James B., Ong, L. V. and Rowe, Neil C. (2001). “Natural Language
Processing Support for Developing Policy-Governed Software Systems”. In 39th
International Conference on Object-Oriented Languages and Systems, Santa Barbara,
California, July-August 2001.
146. Miller J. (2001). “HELP! How to specify policies?”, [ON-LINE],
http://enterprise.shl.com/policy/help.pdf (December 2004).
147. Moffett, J.D. and Sloman, M.S. (1991). “The Representation of Policies as System
Objects”. In Conference on Organizational Computer Systems, pp. 171-184.
148. Moffett, J. and Sloman, M. S. (1993). “Policy Hierarchies for Distributed Systems
Management”. In IEEE Journal on Selected Areas in Communications 11(9 - Special
Issue on Network Management): 1404-14.
149. Moore, B., Ellesson, E., Strassner, J. and Westerinen, A. (2001). “Policy Core
Information Model – Version 1 Specification”. Network Working Group. Available
as RFC 3060, at http://www.ietf.org/rfc/rfc3060.txt.
150. Moulinos K., Iliadis J., Tsoumas V. (2004). “Towards Secure Sealing of Privacy
Policies”. In Information Management & Computer Security journal, Volume 12, No
4, MCB University Press, August 2004; selected as a Highly Commended Paper at the
Literati Club Awards for Excellence 2005.
151. Mylopoulos, J., Chung, L., & Nixon, B. (1992). “Representing and Using
Nonfunctional Requirements: A Process-Oriented Approach”. In IEEE Transactions
on Software Engineering, SE-18(6), 483-497.
152. Netstumbler 802.11 network scanner. (2002). Available at http://www.stumbler.net
(August 2006).
153. NIST SP 800-18 Rev. 1 (2006). “Guide for Developing Security Plans for Federal
Information Systems”. National Institute of Standards and Technology (NIST).
154. NIST SP 800-12 (1995). “An Introduction to Computer Security: The NIST
Handbook”. National Institute of Standards and Technology (NIST), October 1995.
Available at http://csrc.nist.gov/publications/nistpubs/800-12/ (August 2006).
155. NIST SP 800-14 (1996). “Generally Accepted Principles and Practices for Securing
Information Technology Systems”. National Institute of Standards and Technology
(NIST).
156. NIST SP 800-30 (2002). “Risk Management Guide for Information Technology
Systems, SP 800-30”. National Institute of Standards and Technology (NIST),
January 2002. Available at
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf (August 2006).
157. NIST SP 800-33 (2001). “Underlying Technical Models for Information
Technology Security”. Recommendations of the National Institute of Standards and
Technology (NIST), December 2001. Available at
http://csrc.nist.gov/publications/nistpubs/ (August 2006).
158. NIST SP 800-40 (2005). “Creating a Patch and Vulnerability Management
Program”. Recommendations of the National Institute of Standards and Technology
(NIST), November 2005. Available at http://csrc.nist.gov/publications/nistpubs/
(August 2006).
159. NIST (2002). “International Standard ISO/IEC 17799:2000 Code of Practice for
Information Security Management - Frequently Asked Questions”. National Institute
of Standards and Technology's (NIST's) Information Technology Laboratory.
160. NIST/SCAP. (2006). “XCCDF - The Extensible Configuration Checklist Description
Format”. National Institute of Standards and Technology. Available at
http://nvd.nist.gov/scap/xccdf/xccdf.cfm (August 2006).
161. Noy N., McGuinness D. (2001). “Ontology Development 101: A Guide to Creating
Your First Ontology”, Stanford Knowledge Systems Laboratory Technical Report
KSL-01-05 and Stanford Medical Informatics Technical Report SMI-2001-0880,
March 2001.
162. NIST. (2006). National Vulnerability Database. National Institute of Standards and
Technology. Available at http://nvd.nist.gov/ (August 2006).
163. OMG. (2001). “OMG Unified Modeling Language Specification, Version 1.4”. Object
Management Group.
164. Ortalo, R. (1998). “A Flexible Method for Information System Security Policy
Specification”. In Proceedings of 5th European Symposium on Research in Computer
Security (ESORICS 98), Louvain-la-Neuve, Belgium, Springer-Verlag, pp. 67-84,
September 1998.
165. The Open Source Vulnerability Database. Available at http://www.osvdb.org.
166. OWL. W3C Recommendation. (2004). “The Ontology Web Language”. Available at
http://www.w3.org/TR/owl-features/ (August 2006).
167. W3C. (2004). “W3C Recommendation (10-02-2004) OWL Guide”. Available at
http://www.w3.org/TR/owl-guide/ (August 2006).
168. Parker, D.B. (1995). “A new framework for information security to avoid information
anarchy”. In Eloff, J. and von Solms, S. (eds.), Information security – the next
decade, Chapman & Hall, London.
169. Persaud, A. (2005). Nmap::Parser module v. 1.05. Available at
http://search.cpan.org/~apersaud/Nmap-Parser-1.05/Parser.pm (August 2006).
170. Polanyi, M. (1962). “Personal Knowledge”. University of Chicago Press,
Chicago, USA (cited via Spiegler, I. (2000). “Knowledge Management: A New
Idea or a Recycled Concept?”. In Communications of the Association for Information
Systems, vol. 3, art. 2, June 2000).
171. Protégé Ontology Development Environment. (2005). Available at
http://protege.stanford.edu/ (December 2006).
172. Protégé SWRLJessTab. Available at http://protege.cim3.net/cgi-
bin/wiki.pl?SWRLJessTab (December 2006).
173. Protégé-OWL plugin and API. (2006). Available at
http://protege.stanford.edu/overview/protege-owl.html (December 2006).
174. RACER reasoner. (2006). Available at http://www.racer-systems.com/ (August
2006).
175. Raskin V., Hempelmann C, Triezenberg K., Nirenburg S. (2001). “Ontology in
Information Security: A Useful Theoretical Foundation and Methodological Tool”. In
V. Raskin, et al. (Eds.), Proc. of the New Security Paradigms Workshop, New York.
ACM.
176. Ribeiro, C., Zuquete, A. and Ferreira, P. (2001). “SPL: An access control language
for security policies with complex constraints”. In Proceedings of Network and
Distributed System Security Symposium (NDSS’01), San Diego, California, February
2001.
177. RiskWatch. (2006). RiskWatch Inc. Available at
http://www.riskwatch.com/ProductSheets/RWIS_Product_Flyer_0705.pdf (January
2006).
178. Rolland, C., Souveyet, C., & Ben Achour, C. (1998). “Guiding Goal Modeling Using
Scenarios”. IEEE Transactions on Software Engineering, 24(12), 1055-1071.
179. Rolland, C., Grosz, G., & Kla, R. (1999). “Experience with Goal-Scenario Coupling
in Requirements Engineering”. In Fourth IEEE International Symposium on
Requirements Engineering (RE'99), p. 74.
180. Russo A., Miller R., Nuseibeh B. and Kramer J. (2002). “An Abductive Approach for
Analysing Event-Based Requirements Specifications”. In 18th Int. Conf. on Logic
Programming (ICLP), pp. 22-37.
181. SANS. (2006). “The SANS Security Policy Project”. Available at
http://www.sans.org/resources/policies/ (September 2006).
182. SANS. (2006). “SANS Glossary of Terms Used in Security and Intrusion Detection”.
Available at http://www.sans.org/resources/glossary.php (September 2006).
183. Schneier, B. (1999). “Attack Trees”, Dr. Dobb's Journal, December 1999.
184. Schoderbek, P., Schoderbek, C., and Kefalas, A. (1990). “Management Systems -
Conceptual Considerations”. Richard D. IRWIN Inc., 4th edition.
185. Schumacher, M. (2003). “Security Engineering with Patterns”. PhD Thesis, Lecture
Notes in Computer Science, LNCS 2754, Springer.
186. Searle, J. R. (1969). “Speech Acts: An Essay in the Philosophy of Language”.
Cambridge, Cambridge University Press.
187. Sergot, M.J., Sadri, F., Kowalski, R.A., Kriwaczek, F., Hammond, P. and Cory, H.T.
(1986). “The British Nationality Act as a Logic Program”. In Communications of the
ACM, Vol. 29, No. 5, May 1986, pp. 370-386.
188. Security Focus. (2006). Security Focus Vulnerability Database, available at
http://www.securityfocus.com/vulnerabilities (December 2006).
189. Sheyner, O., Haines, J., Jha, S., Lippmann, R. and Wing, J.M. (2002). “Automated
Generation and Analysis of Attack Graphs”, Proceedings of the 2002 IEEE
Symposium on Security and Privacy, IEEE, pp. 273-284.
190. Sibley, Edgar H., Michael, James Bret and Wexelblat, Richard L. (1992). “Use of an
Experimental Policy Workbench: Description and Preliminary Results”. In Database
Security, V: Status and Prospects, C. E. Landwehr and S. Jajodia (Eds.), Elsevier
Science Publishers, Amsterdam, The Netherlands, pp. 47-76.
191. Sindre, G. and Opdahl, A. (2000). “Eliciting Security Requirements with misuse cases”.
In Proceedings of TOOLS Pacific 2000, pp. 120-131, 20-23 November 2000.
192. Sloman, M. S. (1994b). “Policy Driven Management for Distributed Systems”.
Journal of Network and Systems Management 2(4): 333-360.
193. Smartfrog. (2006). Available at http://www.smartfrog.org/ (August 2006).
194. Smith, G. (2000). “The Object-Z Specification Language”. Hingham, MA, Kluwer
Academic Publishers, 2000.
195. Soldal Lund, M., Hogganvik, I., Seehusen, F. and Stølen, K. (2003). “UML profile for
security assessment”. Technical report STF40 A03066, SINTEF Telecom and
Informatics. Available at http://heim.ifi.uio.no/~massl/uml-sa/uml-sa-report1.pdf
(January 2005).
196. Son, T.C. and Lobo, J. (2001). “Reasoning about Policies Using Logic Programs”. In
Proceedings of AAAI Spring Symposium on Answer Set Programming: Towards
Efficient and Scalable Knowledge Representation and Reasoning, Stanford
University, CA, March 2001.
197. Sowa, J.F. (1984). “Conceptual Structures”. Addison Wesley.
198. Sowa, J.F., (2000). “Knowledge Representation”. Brooks/Cole.
199. Spivey, J. M. (1989). “An Introduction to Z and Formal Specifications.” In IEE/BCS
Software Engineering Journal 4(1): 40-50.
200. Stergiou, C., Vouros, G. (2003). “Knowledge Representation”. Available at
http://www.samos.aegean.gr/icsd/konsterg/teaching/KR/Lecture1.ppt (May 2005).
201. Straub D. (1990). “Effective IS Security: An Empirical Study”, Information Systems
Research, Vol. 1, No. 3, pp. 255-276.
202. BSI. (2001). “TickIT”. TickIT Office, British Standards Institute (BSI), UK.
203. Tripodianos Ch., Tsoumas, B., Gritzalis, D. (2006). “A Database of Technical
Countermeasures and Refinement Techniques: A rule-based approach”, Technical
Report, Information Security and Critical Infrastructure Protection Research Group,
Athens University of Economics and Business, Dept. of Informatics, September
2006.
204. Tripodianos Ch., Tsoumas, B., Gritzalis, D. (2007). “A Database of Technical
Countermeasures and Refinement Techniques: A rule-based approach”, Information
Security and Critical Infrastructure Protection Research Group, Athens University of
Economics and Business, Dept. of Informatics, January 2007 (submitted).
205. Tsoumas B., Gritzalis, D. (2006). “Towards an Ontology-based Security
Management”. In IEEE 20th International Conference on Advanced Information
Networking and Applications (AINA 2006), April 18 – 20, 2006, Vienna University
of Technology, Vienna, Austria.
206. Tsoumas V., Tryfonas T. (2004). “From risk analysis to effective security
management: Towards an automated approach”, Information Management &
Computer Security journal, Vol. 12, No 1, 2004; selected as a Highly Commended
Paper at the Literati Club Awards for Excellence 2005.
207. Tsoumas B., Dritsas S., Gritzalis D. (2005). “An ontology-based approach to
information system security management”. In Third International Workshop
“Mathematical Methods, Models and Architectures for Computer Networks Security”
(MMM-ACNS-05), September 24-28, 2005, St. Petersburg, Russia.
208. Tsoumas, B., Papagiannakopoulos, P., Dritsas, S., Gritzalis, D. (2006). “Security-by-
Ontology: A knowledge-centric approach”. In IFIP International Information Security
Conference, Karlstad, Sweden, 22-24 May 2006.
209. Uszok, A., Bradshaw, J., Jeffers, R., Suri, N., Hayes, P., Breedy, M., Bunch, L.,
Johnson, M., Kulkarni, S. and Lott, J. (2003). “KAoS Policy and Domain Services:
Toward a Description-Logic Approach to Policy Representation, Deconfliction, and
Enforcement”. In Proceedings of 4th IEEE Workshop on Policies for Networks and
Distributed Systems (Policy 2003), Lake Como, Italy, IEEE, June 2003.
210. van Lamsweerde, A., Darimont, R. and Massonet, P. (1995). “Goal-Directed
Elaboration of Requirements for a Meeting Scheduler: Problems and Lessons
Learnt”. In Proceedings of 2nd IEEE Symposium on Requirements Engineering (RE
'95), York, UK, IEEE Computer Society Press, March 1995.
211. van Lamsweerde, A. (2004). “Elaborating Security Requirements by Construction of
Intentional Anti-Models”, in Proceedings of the 26th International Conference on
Software Engineering, IEEE, Edinburgh, Scotland, May 2004.
212. Verma, D. C. (2001). “Policy-Based Networking: Architecture and Algorithms”. New
Riders Publishing.
213. Vermeulen, C. and von Solms, R. (2002). “The information security management
toolbox - taking the pain out of security management”. Inf. Manag. Comput. Security
10(3): 119-125.
214. Virmani, A. Lobo, J. and Kohli, M. (2000). “Netmon: network management for the
SARAS softswitch”. In Proceedings of 2000 IEEE/IFIP Network Operations and
Management Seminar (NOMS 2000), Hawaii, April 2000.
215. von Solms, B. (2001). “Information Security - a Multidimensional Discipline”.
Computers & Security, 20:504-508.
216. van Assem, M., Gangemi, A. and Schreiber, G. (2006). “RDF/OWL Representation
of WordNet”, W3C Working Draft. Available at http://www.w3.org/TR/wordnet-rdf/
(December 2006).
217. World Wide Web Consortium (W3C). (2006). Available at http://www.w3.org/
(August 2006).
218. Wei, H., Frinke, D., Carter, O., and Ritter, C. (2001b). “Cost-benefit analysis for
network intrusion detection systems”. In CSI 28th Annual Computer Security
Conference.
219. Weiser M. (1991). “The Computer for the Twenty-First Century”, Scientific
American, Vol. 265, No. 3, pp. 94-104, September 1991.
220. Westerinen, A. and Schott, J. (2004). “Implementation of the CIM Policy Model
Using Ponder”. In Proceedings of 5th IEEE International Workshop on Policies for
Distributed Systems and Networks, p. 207, Yorktown Heights, NY, IEEE.
221. Wieringa, R. J. and Meyer, J.-J. C. (1998). “Applications of Deontic Logic in
Computer Science: A Concise Overview.” In Proceedings of Practical Reasoning and
Rationality (PRR 98), Brighton, UK, John Wiley & Sons, August 1998.
222. Wies, R. (1994). “Policies and Network Systems Management – Formal Definition
and Architecture”, Journal of Network and Systems Management, pp. 63-83, vol. 2,
no. 1, Plenum Press, March 1994.
223. Wies, R. (1995). “Using a Classification of Management Policies for Policy
Specification and Policy Transformation”. In Proceedings of the Fourth International
Symposium on Integrated Network Management (ISINM '95), Santa Barbara,
California, May 1995.
224. Wilson, J., Turban, E. and Zviran, M. (1992). “Information Systems Security: A
Managerial Perspective”. International Journal of Information Management, 12, pp.
105-119.
225. Wojcik, M.N., Proulx, D., Baker, J. and Roberge, R.J. (2005). “Introduction to
OVAL: A Language to Determine the Presence of Computer Vulnerabilities and
Configuration Issues”. Available at http://oval.mitre.org (July 2005).
226. Wood C. (2000). “An Unappreciated Reason Why Security Policies Fail”. Computer
Fraud and Security, 10, pp. 13-14.
227. WordNet. (2006). Available at http://wordnet.princeton.edu/ (September 2006).
228. WorldCom. (2002). Financial scandal of WorldCom. Available at
http://www.cbsnews.com/stories/2002/06/26/national/main513473.shtml (August
2006).
229. Zuccato, A. (2005). “Holistic Information Security Management Framework for
electronic commerce”. PhD thesis, Karlstad University.