Security ontology proposal for mobile applications

Sofien BEJI, Nabil El Kadhi
ECCE Dept Chairman Ahlia Univ. Bahrain and LERIA EPITECH France, RIADI ENSI Tunisia
[email protected], [email protected]

Abstract

Mobility is an emerging area that brings together several technologies and stakeholders. Dealing with the security requirements of mobile applications means acquiring all the knowledge and the available technologies for the design and deployment of a reliable and usable countermeasure. Not only does the field lack standards, it is also subject to several quality constraints. To assist developers facing such a challenge, we propose a knowledge base solution through the conceptualization of a security ontology. The ontology was implemented in the OWL-DL semantic language with the Protégé 4 tool. The ontology schema and its instantiation are commented, and the intended use is shown through its integration in a whole approach for security in the mobile world.

1. Introduction

Mobility is defining the future of computing systems, and mobile devices are pervading our society and lifestyles. During 2007, extensive research was commissioned by the GSM Association [1] in 17 countries across Europe, Asia and North America. Over 2,500 consumers were surveyed and two-thirds of them said that they expect to begin using their mobile phone to pay at the point of sale. Moreover, 50% of the 240 merchants from 10 countries surveyed see promotional opportunities in using the mobile phone as a payment device [2]. Equipped with low resources and broadcasting sensitive data over an uncontrolled medium, mobile applications are exposed to new threats and attacks. Hence it is worth focusing on security aspects in the mobility field. Dealing with security in such a context can be achieved through attack analysis, followed by vulnerability classification and the binding of security services. Unfortunately, there are several constraints and side effects that should be evaluated in depth in order to deal with security in the mobile world.

Our first section presents the mobile applications landscape. Since we follow a bottom-up approach, the next section discusses the origin of the problem, namely the vulnerabilities and constraints of the mobile world, and why we are dealing with this ontology. Next, we tackle the core problem by presenting our contribution: an ontology that conceptualizes security in the field of mobile applications. Querying our ontology provides developers with the appropriate security countermeasures and policies according to the available resources and constraints of the mobile context. Such an ontology is of little interest unless it is used and deployed in its context; this is the object of the last section, where an instantiation model of the ontology is designed and commented.

2. Classification of mobile applications

Mobile applications are software programs running through a permanent or partial wireless connection within a mobile device. We are mainly interested in four categories of applications: thick client applications, web applications, synchronization and messaging. This classification relies on the use context and the associated technology. Synchronization is a computer-to-device data transfer that aims to keep both components in a coherent state. JME [3] and the .NET Compact Framework [4] are the leading platforms that fit device capabilities; recently, in summer 2008, a new Google platform named Android [5] was introduced. According to the global context of our case study, which focuses on mobile applications in the telephony field, JME is the most widely deployed platform and it is adopted by the world's leading cellular phone manufacturers, e.g. Nokia, SonyEricsson, Siemens and Samsung. JME is based on configurations and profiles, where a configuration defines groups of products based on the available processor power and memory of each device. A profile defines a set of Application Programming Interfaces (API) which reside on top of a configuration and offer access to device specific capabilities. Mobile phones belong to the Connected Limited Device Configuration (CLDC) and the Mobile Information Device Profile (MIDP). Thin client applications are mainly web based ones. WAP 1.x and WAP 2.0 are the leading generations of the mobile web. WAP 1.0 and WAP 1.2 were WAP Forum consortium initiatives [6]. WAP 2.0 is a convergence specification towards best practice technologies, mainly based on the xHTML and xHTML Mobile Profile languages [7], which are W3C [8] standards. The messaging service includes both text and multimedia messages, and the Short Message Service (SMS) [9] is one of the most popular services used in mobile communication. While SMS is mainly used for person-to-person communication, some mobile services like SMS banking have led this service to a professional use. SMS is also used as a token in several authentication schemes. For more details about this classification, see [10].

3. Attacks and vulnerabilities analysis

Several attacks on mobile applications have been reported recently. In our study, we suggest two major classes of attacks: the first is relative to the device and the second belongs to the environment. The device includes the physical resources, the SIM card [11] in the case of Global System for Mobile communications (GSM), and the hosted applications. The environment is the wireless network that bears the link to the back end of the application, if it exists. According to the synchronization and distribution of the attack steps, there are two kinds of attacks, one-session and multi-session. In this paper, we focus mainly on one-session attacks. Further details and an interesting example of multi-session attacks in the mobile world are available in [12].

3.1 The STRIDE model

In order to point out the vulnerabilities behind mobile application attacks and to get a specific taxonomy of attacks, we conduct an analysis according to the STRIDE [13] threat model. STRIDE is a Microsoft threat model that describes six categories of threats; it is the acronym of Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.

3.1.1 Spoofing

A typical client side attack is SMS spoofing, which is a very feasible threat due to the injection of SMS with a spoofed originator ID [14]. Moreover, in GSM networks the device implements the A5 algorithm, which encrypts the over-the-air communication with the Base Transceiver Station (BTS) [11]. According to [15], the cryptanalysis of the A5/1 algorithm is feasible in a very reduced time. Once the A5 algorithm is cracked and the ciphering key discovered, an attacker can originate calls and messages. Even though the A5 weakness and others have been corrected in 3G networks, new threats have been reported. In the case of the GSM network, there is only one-way authentication, which can lead to network spoofing by a fake station, especially in the case of bad network coverage [16]; this is called an over-the-air cracking attack.

3.1.2 Tampering

Here it is about physical tampering rather than injection as in standard networks and computing: a memory stick may be unplugged or the device may be stolen. Because of its personal use, tampering is performed differently; data is frequently tampered with across the network rather than inside the device. Tampering remains a feasible attack due to some weaknesses in the JME platform, for example, but it is not as popular as in standard computing and cyberspace. A detailed study of JME weaknesses is available in [17].

3.1.3 Repudiation

The Session Initiation Protocol (SIP) is an IETF standard that handles the session management of a multimedia conversation between participants. The SIP INVITE message attack [18] is a spoofing vulnerability that has been reported in some phone adapters. The Vonage VT 2142-VD phone from Motorola accepts SIP INVITE messages without authentication. Hence the phone sets up a call and could establish a communication with a spam source. This attack was reported in several mobile devices like Motorola and BlackBerry.

3.1.4 Information disclosure

This is the typical threat of the wireless world. Several attacks have been reported: man-in-the-middle [19], Bluesnarfing [20] and disclosure of Global Positioning System (GPS) position information, to name just a few. Not only the wireless transmission but also the physical aspect of mobile devices facilitates these attacks. The phishing [21] attack, one of the most famous attacks today, is also a disclosure of sensitive information like login tokens. Phishing is more easily performed on a 200 pixel screen than on a standard 19 inch one.

3.1.5 Denial of service (DoS)

Bluetooth attacks [20] like blocking the acknowledging responses or keeping the device in the await state rather than in the standby state are typical DoS attacks that target the battery. A mobile device may also be the victim of malformed content delivered through an SMS or MMS post [22].

3.1.6 Elevation of privilege

Elevation of privilege is the threat that takes place in an organization with several users and distinct hierarchical roles. It may present itself differently in the case of a mobile device with mostly one user. In fact, the potential danger is not in the selection of who has the right to use a service but rather in which services are allowed. Sensitive services like "making a call" or "sending a message" require operator or user permissions to be invoked.

This was a snippet of some attacks specific to the mobile environment. Obviously, there are additional attacks, like those related to web applications, e.g. code injection or cookie attacks, that may be conducted in either a mobile or a standard environment. More details on these common attacks may be found in [36]. Through our survey of attacks on mobile applications, we have confirmed predictable attacks that may be bound to three classes of threats: network threats, device threats and digital convergence threats. Not only is mobility a relatively new emerging IT field, it also merges several technologies and stakeholders into the same application. This diversity brings a lack of standards and confusion inside the developer team. Several skills are required to deal with security, ranging from networking to low level programming skills like smart cards. We argue that the context in which mobile applications are used adds some aggravating factors that hinder the set-up of a secure environment, but on the other side, some typical attacks of conventional computing are very limited. In fact, stack overflows and all the memory attacks are far from being as popular as in the PC computing world. Injections, mainly dedicated to the server side or to Database Management Systems in the case of SQL, are very rare inside a mobile device. The personal use and the reduction of the number of roles to one also reduce the threats due to elevation of privilege. We conclude that security in mobile computing suffers mainly from the environment threats and the lack of resources, but offers some built-in countermeasures, like the personal use that satisfies the access control security service.

4. Security resources for mobile applications

According to [35], the security services are Authentication, Access control, Non-repudiation, Integrity and Confidentiality. To implement, deploy and use these services, we have to rely on mechanisms. According to our survey of mobile security, the main actors and the services they offer are summarized in Table 1.

Table 1. Security actors for the mobile field.

Actor | Description | Examples
Device | All cryptographic features, hashing functions, key management. | JME security platform API.
Smart card (SIM, UICC) | Some cryptographic features, hashing, key storing. | Javacard: security API.
Protocols and schemes | The existing security protocols like key exchange, authentication schemes. | SKID, Challenge-Response, Diffie-Hellman
Server side | Some resource-consuming operations may be outsourced to the server side. | Encryption, Random number generator.
Content provider | The content may be protected from being copied or tampered from its provider. | Digital rights management, watermarking
Mobile Network Operator | The telecommunication provider may contribute to authentication and authorization. | Distribution of certificates, Code signing
Third party | A Certification authority is a valuable tier for the security process. | Repository of certificates, Certificate Revocation List, a time stamp authority
Device physical features | Depending on the device, some security features may be available. | Biometric authentication, memory locking

5. Mobility constraints and non-functional requirements analysis

Considering the requested security services and the ones already preferred by the mobile actors, mobile applications are subject to several constraints, ranging from the physical aspects, which present a security weakness for the user, to a short life cycle influenced by the time-to-market pressure. Because of its physical aspect, a mobile phone has a small display unit and a limited input keypad. Recently, the display units of new models have recorded a real improvement, e.g. the HTC HD or iPhone models, but they still lack space compared to regular PC or laptop screens. The second type of constraint is the processing and computing capabilities. The energy limitation is one additional physical property that influences the implementation and deployment of security, especially for the confidentiality service. In addition to these physical constraints, mobile phones suffer from network coverage and low bandwidth. The partially connected state has a strong effect on the choice, design and deployment of a solution where, for example, on-line identity verification is required. The organizational aspect also plays a sensitive role in security. In fact, several stakeholders are involved in the development process and each stakeholder has its own security policies, which should cope with the service it offers. For the operator, for example, the device should block any hosted application from getting access to unauthorized services like SMS sending. Each stakeholder has its own set of security policies and the application development team has to reconcile all these rules. Finally, and also in the business field, the time-to-market property of mobile applications and the large target market impose that the software development period be as short as possible. Fig. 1 gives a summary of the presented constraints.

Figure 1. Mobile applications constraints.

6. Security assurance: requirement for an ontology

With diversified actors, roles and constraints, establishing effective countermeasures is a time-consuming and complex task. A data model or a knowledge base may be used to express these terms, but these solutions are suitable for a specific use: data models are tied to an application, whereas knowledge bases are suitable for a particular Knowledge-Based System. What we target is to share and provide concepts that will be consistently used across the mobile field community and that do not depend on the use case. A formal knowledge design of the mobile security concepts will be of great interest as a solid base for an applicable approach. Hence we have adopted the ontology formalism to capture and express the knowledge required for the mobile security domain. In Artificial Intelligence, an ontology is "the specification of a conceptualization. That is, defined terms and the relationships between them, usually in some formal and preferably machine readable format" [23]. The proposed ontology will provide a means of representing a conceptualization of mobile security. Hence it will mark up the concepts of mobile security in a well-understood and consistent manner, and it will also formalize the relationships and influences between the given concepts. Developers and integrators of mobile applications are our target users.

6.1 Ontology presentation

6.1.1 Overview

Our proposed ontology deals with the mobile context and aims, at a first stage, to set up a formal knowledge model about security in the mobile context with the associated concepts. The second target is to point out the possible countermeasures that should be applied to satisfy the security requirements in the special context of mobility. Our ontology is intended to answer the following questions:

Q1: What are the mechanisms associated with security services in the mobile field?
Q2: What are the mechanisms offered by each actor?
Q3: What are the technologies used for implementing a mechanism?
Q4: What are the relationships between security and the other non-functional requirements?
Q5: How do vulnerabilities affect threats?
Q6: What are the mechanisms that should be used to mitigate a threat?

There are many security ontologies in the literature, like those presented by [24][25][26][27], and each one is defined for a specific kind of use. Imports and reuse are the basics of ontology knowledge sharing; in fact, we have partially based our ontology on the work of Herzog, Shahmehri and Duma [24], which deals with security for information systems. For the ontology structure, we note that we will not describe all concepts and relationships but rather the most relevant ones. Our survey has led to the set of classes: Vulnerability, Threat, Asset, Constraints, Actor, Mechanism, Resource, Service and ValueTypes. Even though we are dealing with a single ontology, we argue that our proposal is semantically composed of three sub-ontologies: the Asset-Vulnerability-Threat ontology (AVTo), the MobileProfile ontology (MPo) and the DefenseMechanism ontology (DMo). Fig. 2 gives an overview of the main ontology with some relationships between sub-ontologies.

Figure 2. The main ontology.

We have made this distinction in order to enable reuse and sharing. Our main topic is security, but it is useful for the mobile field community to get access to some of these sub-ontologies for additional requirements. The MPo defines the available features of a given kind of use with the associated resources. Fig. 3 shows the mobile profile top classes. Each mobile profile uses some values from the Resource class, and this classification is related to the available resources. We have mainly defined the wide and near field profiles. Bluetooth applications, for example, belong to the near field profile and are constrained by the response time. On the other hand, the messaging profile, which is a sub-class of the wide profile, is constrained by the data size and the number of messages.

Figure 3. The Mobile Profile ontology.

The top class Resource deals with the available resources for the mobile field. The hierarchy in Fig. 5 shows the main Resource classes, with the hardware part including memory, processing, input/output and network.

Figure 5. The Resource class hierarchy.

Through our survey of [24][25], the Asset-Vulnerability-Threat is a widely adopted sub-ontology where the top classes and main relationships are the same and only the sub-classes of vulnerabilities differ from one context to another. Our contribution is the enrichment of the ontology with the specific vulnerabilities and associated threats of the mobile context.

Finally, the DMo deals with the security services and the associated security mechanisms. Some are widely adopted countermeasures, like the typical sub-class Algorithm, which includes Symmetric, Asymmetric or Digital Signature, whereas others are mobile specific, like SIM locking. Obviously, class instances differ between regular computing and the mobile field. More details are available in Fig. 4. The Constraints class includes non-functional requirements (NFR) such as usability and portability; this class is explained further in the next section.

Figure 4. The Mechanism class hierarchy.

Two entry points are possible, either from threats or from security services. If we deal with asset protection, the ontology entry point should be the security services, which are in relationship with mechanisms, actors, constraints and resources.

6.1.2 Relationships

Two kinds of properties contribute to the modeling of the ontology. The first set is named data properties; it contributes to the static description of a class and has a basic data type range like String or int, e.g. "SymmetricAlgorithm hasKeyLength int". The second type of properties reflects the existing relationships between classes and is called object properties. Given their importance for our ontology, we will focus on the object properties.

The first object properties group reflects the relationships between the concepts. As shown in Fig. 2, victimOf, Threatens, enabledBy and existsOn are relationships for the AVTo classes. Provide, Satisfy, Use and Require, to name just a few, are used for the DMo classes. Satisfy reflects the relationship between a security service and the associated mechanisms. The Provide relationship semantically links an actor with the security mechanisms. Implement is used at a lower layer, where we associate APIs and actors. As an illustration of the semantic expressiveness, we can give the axioms below:

SmartCard Provide some SymmetricEncryption.
SymmetricEncryption Satisfy some Confidentiality.
WPKI Require some CertificationAuthority.

The second object properties group, QualitySatisfaction, includes contextual properties that denote the impact of profiles, actors and mechanisms on the other non-functional requirements. We use the labeled verbs Make, Help, Hurt and Break, which are inspired by the NFR framework proposed by [28]. The NFR Framework is a goal-oriented approach for addressing NFRs; it represents NFRs as softgoals to be satisficed. Our approach is partially inspired by the NFR framework; the difference is that we use knowledge engineering to design softgoals, whereas this is done visually in the NFR framework. Each of the Actor and Mechanism classes has a relationship with the quality constraints class. Here are some examples:

SmartCard Help some Portability.
SmartCard Hurt some Timeliness.

6.1.3 Implementation

Mainly two standardized languages are used for semantic expressiveness: RDF (Resource Description Framework) [29] and OWL (Web Ontology Language) [30]. RDF is a W3C standard based on the XML syntax, designed for the reuse and extension of metadata semantics. RDF Schema extends RDF by adding relations to RDF terms. OWL is also a W3C standard, based on DAML+OIL [31]. We have used the Protégé OWL version 4 tool [32] to implement our ontology. Protégé is a free and open source ontology editor. OWL comes in three sublanguages: Lite, DL and Full. OWL Lite supports users needing a classification hierarchy and simple constraint features. OWL DL supports users who want the maximum of expressiveness without losing computational completeness and decidability (all computations will finish in finite time) of reasoning systems. OWL Full is meant for users who want maximum expressiveness and the syntactic freedom of RDF, with no computational guarantees. Since our requirements are deeper than a simple classification or taxonomy, we have used the DL version. The computational guarantee is also necessary to get results in reasonable time after querying the ontology.
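The axioms quoted in section 6.1.2 are written in the Manchester syntax for OWL existential restrictions, but the paper does not reproduce its Protégé export. The following is an added example, not the authors' ontology, that shows how such statements map onto OWL-DL: each "C P some D" becomes "C rdfs:subClassOf" an owl:Restriction on P with owl:someValuesFrom D, and a data property like hasKeyLength becomes an owl:DatatypeProperty with an XSD range. The ontology IRI, the use of Turtle (rather than the RDF/XML Protégé would save), and the normalisation of the paper's "Satisfice" to the property name Satisfy used elsewhere in the section are my assumptions.

```python
"""Map the paper's Manchester-style axioms ("SmartCard Provide some
SymmetricEncryption") and data-property statements ("SymmetricAlgorithm
hasKeyLength int") onto OWL-DL constructs and serialize them as Turtle.
Added illustration of the encoding, not the authors' Protégé export."""
import re
from typing import List, NamedTuple, Union

NS = "http://example.org/mobile-security#"   # assumed IRI, not given in the paper
XSD = {"int": "xsd:int", "String": "xsd:string", "boolean": "xsd:boolean"}


class Existential(NamedTuple):
    subject: str   # class being restricted, e.g. SmartCard
    prop: str      # object property, e.g. Provide
    filler: str    # class the property must reach, e.g. SymmetricEncryption


class DataProp(NamedTuple):
    domain: str    # e.g. SymmetricAlgorithm
    prop: str      # e.g. hasKeyLength
    dtype: str     # e.g. int


AX_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+some\s+(\w+)\s*[.,]?\s*$")
DP_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(int|String|boolean)\s*[.,]?\s*$")


def parse(line: str) -> Union[Existential, DataProp]:
    """Return an Existential or DataProp for one statement, else raise."""
    m = AX_RE.match(line)
    if m:
        return Existential(*m.groups())
    m = DP_RE.match(line)
    if m:
        return DataProp(*m.groups())
    raise ValueError(f"unrecognised statement: {line!r}")


def to_turtle(stmt: Union[Existential, DataProp]) -> str:
    """'C P some D' -> C rdfs:subClassOf [owl:Restriction onProperty P someValuesFrom D];
    'C dp T'       -> dp is an owl:DatatypeProperty with domain C and range T."""
    if isinstance(stmt, Existential):
        return (f":{stmt.subject} rdfs:subClassOf [ a owl:Restriction ;\n"
                f"    owl:onProperty :{stmt.prop} ;\n"
                f"    owl:someValuesFrom :{stmt.filler} ] .")
    return (f":{stmt.prop} a owl:DatatypeProperty ;\n"
            f"    rdfs:domain :{stmt.domain} ;\n"
            f"    rdfs:range {XSD[stmt.dtype]} .")


def serialize(lines: List[str]) -> str:
    """Full Turtle document: prefixes, class/property declarations, then the axioms."""
    stmts = [parse(line) for line in lines]
    classes, obj_props = set(), set()
    for s in stmts:
        if isinstance(s, Existential):
            classes.update((s.subject, s.filler))
            obj_props.add(s.prop)
        else:
            classes.add(s.domain)
    out = [f"@prefix : <{NS}> .",
           "@prefix owl: <http://www.w3.org/2002/07/owl#> .",
           "@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .",
           "@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .", ""]
    out += [f":{c} a owl:Class ." for c in sorted(classes)]
    out += [f":{p} a owl:ObjectProperty ." for p in sorted(obj_props)]
    out += [""] + [to_turtle(s) for s in stmts]
    return "\n".join(out)


# Statements quoted in section 6.1.2 ("Satisfice" written as Satisfy, an assumption).
PAPER_AXIOMS = [
    "SmartCard Provide some SymmetricEncryption.",
    "SymmetricEncryption Satisfy some Confidentiality.",
    "WPKI Require some CertificationAuthority.",
    "SmartCard Help some Portability.",
    "SmartCard Hurt some Timeliness.",
    "SymmetricAlgorithm hasKeyLength int",
]

if __name__ == "__main__":
    print(serialize(PAPER_AXIOMS))
```

The output is plain OWL 2 Turtle, so it can be opened in Protégé or loaded by any RDF library to check that the restrictions were encoded as intended; the same existential pattern is what a "Satisfy some Confidentiality" class expression query resolves against.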

6.1.4 Ontology instance: object model

We argue that an efficient way of understanding our ontology is through an instance. In Fig. 6, we give a UML object diagram [33] as a snapshot of the situation where the confidentiality service is required for an SMS application. Due to space limitations, several details have been dropped from the diagram; only the main relationships are shown. The protection of the stored messages is satisfied by using the SymmetricEncryption mechanism. The Actor USIM card implements the DES block cipher algorithm. The instance DES-FIPS46-1 has several data properties, like the SecretKey, InitialisationVector, BlockSize of the algorithm and ChainingMode. As shown, the Video object here is used as a Random Number Generation source to generate the secret key. The use of the USIM actor hurts the efficiency NFR and requires additional skills.

Figure 6. Ontology instance through UML object diagram.

7. Theoretical case study

Since our main target is a whole mobile security approach that will handle security during the different phases of the software development life cycle, we try through this example to show how the ontology will be used. Let us consider the hypothetical case of mobile ticketing.

Figure 7. Mobile ticketing use case.

The user can buy tickets on-line from his mobile device and store them locally. Our approach is driven by the use case: we start from the use case diagram and end with proposals of countermeasures. Let us consider the use case in Fig. 7. When buying a ticket, the customer should make a payment. Once the payment is done, the ticket should be locally stored on the customer's device. Optionally, the customer may subscribe to the service to get discounts or receive news.

7.1 Identify security services

Since our starting point is the requirements, we adopt the use case diagram to depict the security requirements. According to the approach proposed by [34], the use case meta-model contains four meta-elements: Actor, Use case, Actor-use case association and System. For these elements, we should define the associated security requirements. For example, in Fig. 8, the Make payment use case requires three security services: Confidentiality, Integrity and Non-repudiation.

Figure 8. Use case with security requirements.

7.2 Getting associated security mechanisms and actors

Once the requirements are pointed out, we get from the ontology the mechanism instances that Satisfy each of the security requirements. Let us focus on the confidentiality of the "Store Digital Ticket" topic. According to section 6.1.2, we have the Satisfy relationship between Mechanism and Service, hence a "Satisfy some" query over Mechanisms will come up with SymmetricEncryption, AsymmetricEncryption and the associated algorithms as sub-classes.

For the class Actor, we have the Provide relationship that links mechanisms to actors. Platform, SmartCard and Device are possible candidates. A subset of individuals may be JME, .NET-CF, Android, JavaCard and Secure MemoryCard. In this situation, several combinations are possible.

7.3 Refinement according to constraints

A first filtering will depend on the available actors and resources. As mentioned earlier in the ontology instance example, the SmartCard in use may or may not implement the required SymmetricEncryption algorithm. Another kind of constraint may be relative to the mobile operator, which may or may not provide the appropriate network bandwidth or latency. Secondly, each mechanism has features and side effects. The semantic relationships between mechanisms and constraints will affect the selection of the appropriate solution. We can give a sample of technical and quality constraints:

JavaCard Help Portability.
AsymmetricEncryption Hurt Efficiency.
AsymmetricEncryption Use LongKeys.
AsymmetricEncryption Require KeyStore.
KeyGeneration Use RandomNumberGenerationSource.
SymmetricEncryption Help Timeliness.
SymmetricEncryption Require KeyStore.

According to the available resources for the application, and with user interaction, some actors and mechanisms would be kept while the others may be eliminated. This was a reduced case study for only the confidentiality topic of the system, with a limited number of instances in the knowledge base of the ontology. In a real situation, with several instances for each class, the set of combinations will be very large and each solution should be ranked for better filtering. Moreover, each application deals with one or several profiles: ticketing may be used in the near field profile, through messaging or even in web form. Hence, through several iterations, the system users can build up scenarios of countermeasures which are appropriate for a given situation.
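To make the query-filter-rank loop of sections 7.2 and 7.3 concrete, here is an added example, not the authors' ontology or tool, that runs the same procedure over a hand-built knowledge base in Python. The triples marked "paper" are the Satisfy, Provide, Help, Hurt and Require statements quoted in sections 6.1.2, 7.2 and 7.3; the Platform and ServerSide Provide triples, the RSA class and the NFR weights are assumptions made to give the selection something to filter. Subsumption is handled by walking the class hierarchy, so a SmartCard that provides SymmetricEncryption is also a provider of DES, and the Help/Hurt contributions declared on SymmetricEncryption apply to its algorithms.

```python
"""Worked instance of sections 7.2-7.3: from a required security service, find
the mechanisms that Satisfy it, the actors that Provide them, drop actors not
available in the deployment, and rank the remaining pairs by their Help/Hurt
impact on weighted non-functional requirements. Added example with a toy
knowledge base; not the authors' Protégé ontology."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

# Class hierarchy (child -> parent). DES and the Algorithm sub-classes follow the
# paper's DMo hierarchy; RSA is an assumed extra algorithm.
SUBCLASS_OF: Dict[str, str] = {
    "SymmetricEncryption": "Algorithm",
    "AsymmetricEncryption": "Algorithm",
    "DES": "SymmetricEncryption",
    "RSA": "AsymmetricEncryption",
}

# Object-property triples (subject, property, object).
TRIPLES = [
    ("SymmetricEncryption", "Satisfy", "Confidentiality"),    # paper
    ("AsymmetricEncryption", "Satisfy", "Confidentiality"),   # paper
    ("SmartCard", "Provide", "SymmetricEncryption"),          # paper
    ("Platform", "Provide", "SymmetricEncryption"),           # assumed
    ("Platform", "Provide", "AsymmetricEncryption"),          # assumed
    ("ServerSide", "Provide", "AsymmetricEncryption"),        # assumed (Table 1: outsourced encryption)
    ("SymmetricEncryption", "Help", "Timeliness"),            # paper
    ("SymmetricEncryption", "Require", "KeyStore"),           # paper
    ("AsymmetricEncryption", "Hurt", "Efficiency"),           # paper
    ("AsymmetricEncryption", "Require", "KeyStore"),          # paper
    ("SmartCard", "Help", "Portability"),                     # paper
    ("SmartCard", "Hurt", "Timeliness"),                      # paper
]

# Indexes: (subject, property) -> objects and (property, object) -> subjects.
_BY_SUBJ: Dict[tuple, Set[str]] = defaultdict(set)
_BY_PROP_OBJ: Dict[tuple, Set[str]] = defaultdict(set)
for _s, _p, _o in TRIPLES:
    _BY_SUBJ[(_s, _p)].add(_o)
    _BY_PROP_OBJ[(_p, _o)].add(_s)


def ancestors(cls: str) -> List[str]:
    """cls followed by its superclasses, nearest first."""
    chain = [cls]
    while chain[-1] in SUBCLASS_OF:
        chain.append(SUBCLASS_OF[chain[-1]])
    return chain


def subclasses(cls: str) -> Set[str]:
    """cls plus every transitive sub-class."""
    return {c for c in list(SUBCLASS_OF) + [cls] if cls in ancestors(c)}


def objects_of(subject: str, prop: str) -> Set[str]:
    """Values of prop on subject, inherited down the class hierarchy."""
    return set().union(*(_BY_SUBJ[(a, prop)] for a in ancestors(subject)))


def mechanisms_for(service: str) -> Set[str]:
    """Q1: mechanisms that Satisfy the service, plus their sub-classes (the algorithms)."""
    return set().union(*(subclasses(m) for m in _BY_PROP_OBJ[("Satisfy", service)]))


def actors_for(mechanism: str) -> Set[str]:
    """Actors that Provide the mechanism or one of its superclasses."""
    return set().union(*(_BY_PROP_OBJ[("Provide", a)] for a in ancestors(mechanism)))


class Candidate(NamedTuple):
    mechanism: str
    actor: str
    score: int
    requires: frozenset


def nfr_score(entity: str, priorities: Dict[str, int]) -> int:
    """Help adds and Hurt subtracts the weight of each NFR (softgoal contributions)."""
    plus = sum(priorities.get(n, 0) for n in objects_of(entity, "Help"))
    minus = sum(priorities.get(n, 0) for n in objects_of(entity, "Hurt"))
    return plus - minus


def rank_countermeasures(service: str, available_actors: Iterable[str],
                         priorities: Dict[str, int]) -> List[Candidate]:
    """Candidates = mechanisms x providing actors, filtered to the actors the
    deployment really has, ranked by the combined NFR impact of the pair."""
    cands = []
    for m in mechanisms_for(service):
        for a in actors_for(m) & set(available_actors):
            score = nfr_score(m, priorities) + nfr_score(a, priorities)
            cands.append(Candidate(m, a, score, frozenset(objects_of(m, "Require"))))
    return sorted(cands, key=lambda c: (-c.score, c.mechanism, c.actor))


if __name__ == "__main__":
    # Deployment has a JME-like platform and a smart card, but no server side.
    for c in rank_countermeasures("Confidentiality", {"Platform", "SmartCard"},
                                  {"Timeliness": 2, "Efficiency": 1, "Portability": 1}):
        print(f"{c.score:+d}  {c.actor:10s} {c.mechanism:22s} requires {sorted(c.requires)}")
```

With the weights above, timeliness counts double, so the SmartCard's "Hurt Timeliness" outweighs its "Help Portability" and the platform-hosted symmetric algorithms rank first, while the asymmetric options fall to the bottom because of "Hurt Efficiency"; the Require set carried with each candidate (here KeyStore) is the next constraint a designer has to satisfy before keeping that row.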

8. Conclusion and future works

In this paper, a survey of mobile application vulnerabilities and attacks was given in the first sections. The comparison according to the STRIDE model was shown with standard computer security as a reference. Through a bottom-up methodology, we have conducted a survey of mobile application security which led us to an ontology-based conceptualization. Several security ontologies exist in the literature, whereas the one proposed here is based on the mobile field, with a focus on the actors of the mobile arena, e.g. device and manufacturer. The mobile security ontology was designed as a composition of three sub-ontologies, which enables reuse and sharing for additional mobility fields. Through our ontology we have also tried to conceptualize not only the semantic relationships between actors and the security services or goals they offer, but also the side effects of security on the additional non-functional requirements. Obviously, imports from additional ontologies are needed to enrich these NFRs. As mentioned previously, our ontology is a component of a whole approach that starts with the requirements and ends with design and implementation. Thus, the ontology will play the intelligent part of offering recommended countermeasures in a specific context. The ongoing work is the experimentation and refinement of the ontology. One important and consistent task concerning the whole approach will be the update of the application design according to the countermeasures obtained from querying the ontology.

10. References

[1] The GSM Association, http://www.gsm.org
[2] The GSM Association, Market Research, 2007, http://gsmworld.com/our-work/programmesandinitiatives/mobile-money/market_research.htm.
[3] M. J. Yuan, Enterprise J2ME: Developing Mobile Java Applications, Upper Saddle River: Prentice Hall PTR, 2006, pp. 20-25.
[4] D. Fox and J. Box, Building Solutions with the Microsoft .NET Compact Framework, Addison-Wesley Professional, 2003.
[5] Android platform documentation, http://code.google.com/android/documentation.html.
[6] The WAP Forum, http://www.wapforum.org.
[7] XHTML 1.0 The Extensible HyperText Markup Language, http://www.w3.org/TR/xhtml1; S. M. Schafer, HTML, XHTML, and CSS Bible, Wiley, 2008, pp. 223-330.
[8] World Wide Web Consortium, http://www.w3c.org
[9] A. Tanenbaum, Réseaux, 3rd edition, Prentice Hall, 1997, pp. 271-273.
[10] S. Beji, N. El Kadhi, "An Overview of Mobile Applications Architecture and the Associated Technologies", ICWMC 2008, The Fourth International Conference on Wireless and Mobile Communications, 2008, pp. 77-83, doi.ieeecomputersociety.org/10.1109/ICWMC.2008.55.
[11] G. L. Bodic, Mobile Messaging Technologies and Services: SMS, EMS and MMS, John Wiley & Sons, 2005, pp. 1-30.
[12] R. Racic, D. Ma and H. Chen, "Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone's Battery", SecureComm 2006: Second International Conference on Security and Privacy in Communication Networks, Baltimore, USA, Aug. 2006.
[13] T. Gallagher, B. Jeffries and L. Landauer, Chasser les failles de sécurité, Microsoft Press, Washington, USA, 2007, pp. 20-21.
[14] H. Rongyu, Z. Guolei, C. Chaowen, X. Hui, Q. Xi, Q. Zheng, "A PK-SIM card based end-to-end security framework for SMS", Computer Standards and Interfaces, June 2008.
[15] A. Biryukov, A. Shamir and D. Wagner, "Real Time Cryptanalysis of A5/1 on a PC".
[16] V. Bocan, V. Cretu, "Threats and Countermeasures in GSM Networks", Journal of Networks, Volume 1, Number 1, May 2006.
[17] Debbabi, M. Saleh, C. Talhi and S. Zhioua, "Security Evaluation of J2ME CLDC Embedded Java Platform", Journal of Object Technology, 2006.
[18] D. Geneiatakis, T. Dagiuklas, C. Lambrinoudakis, G. Kambourakis and S. Gritzalis, "Novel Protecting Mechanism for SIP-Based Infrastructure against Malformed Message Attacks: Performance Evaluation Study", Computer Networks: The International Journal of Computer and Telecommunications Networking, Volume 51, July 2007, pp. 2580-2593.
[19] B. Schneier, Cryptographie appliquée, 2nd edition, Wiley, Paris, 1997.
[20] A. Solon, M. Callaghan, J. Harkin and T. McGinnity, "Case Study on the Bluetooth Vulnerabilities in Mobile Devices", International Journal of Computer Science and Network Security, Vol. 6, No. 4, April 2006.
[21] T. Seyrat, "Cross Site Scripting and phishing", JIP Tunisia, April 2005.
[22] C. Mulliner, G. Vigna, "Vulnerability analysis of MMS user agent", 23rd Chaos Communication Congress, Berlin, December 2006.
[23] J. Hendler, "Agents and the Semantic Web", IEEE Intelligent Systems, Vol. 16, No. 2, pp. 30-37.
[24] A. Herzog, N. Shahmehri, C. Duma, "An Ontology of Information Security", International Journal of Information Security and Privacy, Volume 1, Issue 4, 2007.
[25] A. Kim, J. Luo and M. Kang, "Security Ontology for Annotating Resources", LNCS 3761, pp. 1483-1499, Springer-Verlag Berlin Heidelberg, 2005.
[26] V. Raskin, C. F. Hempelmann, K. E. Triezenberg, S. Nirenburg, "Ontology in Information Security: A Useful Theoretical Foundation and Methodological Tool", Proceedings of the 2001 Workshop on New Security Paradigms, Cloudcroft, New Mexico, pp. 53-59.
[27] M. Ahmed, A. Anjomshoaa, T. M. Nguyen and A Min Tjoa, "Towards an Ontology-based Organizational Risk Assessment in Collaborative Environments Using the SemanticLIFE", International Conference on Availability, Reliability and Security, ARES 2007.
[28] J. Mylopoulos, L. Chung and B. A. Nixon, "Representing and using nonfunctional requirements: A process-oriented approach", IEEE Transactions on Software Engineering, 18, 1992, pp. 483-497.
[29] Specification of the Resource Description Framework (RDF), http://www.w3.org/RDF; Brickley, D. & Guha, 1999, 'Resource Description
[30] OWL Web Ontology Language Guide, http://www.w3.org/TR/2004/REC-owl-guide-20040210; S. Lauesen, H. Younessi, "Six Styles for Usability Requirements", Proceedings of REFSQ'98, Presses Universitaires de Namur, 1988.
[31] Connolly D., Harmelen F., Horrocks I., McGuinness D., Patel-Schneider P., A. Stein, "DAML+OIL Reference Description", W3C Note.
[32] The OWL Protégé web page, http://protege.stanford.edu/overview/protege-owl.html.
[33] Booch, Rumbaugh, Jacobson, Le guide de l'utilisateur UML, Eyrolles, 2000, pp. 207-214.
[34] S. Supakkul, L. Chung, "A UML Profile for Goal-Oriented and Use Case-Driven Representation of NFRs and FRs", Proceedings of the 2005 Third ACIS International Conference on Software Engineering Research, Management and Applications (SERA'05), IEEE, 2005.
[35] ISO 7498-2: Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture, 1989.
[36] S. Beji, N. El Kadhi, "Towards a Mobile Applications Security Approach", SAM'08 - The 2008 International Conference on Security and Management, Nevada, USA, July 14-17, 2008.
