
Network Security Requirements Engineering Methodology (Méthodologie d'ingénierie des exigences de sécurité réseau)

Sravani Teja Bulusu 1
1 IRIT-SIERA - Service IntEgration and netwoRk Administration
IRIT - Institut de recherche en informatique de Toulouse
Abstract: Building secure networks is both crucial and challenging for any organization. Network security mainly concerns the security architectural needs that describe network segmentation (i.e., security zoning); the security of the network devices connecting the communicating end-user systems; and the security of the information being transferred across the communication links. Most often, a late consideration of security aspects (i.e., after deployment of the network design) inevitably results in an increase in costs as well as in the complexity of taking into account the necessary changes that have to be made to the existing infrastructures. In this regard, network security requirements are of paramount importance since they drive the decisions related to the implementation of security controls with respect to business needs. Indeed, bad network security requirements can lead to ineffective and costly security or, worse, security holes in the network security design. Nevertheless, current security requirements engineering (SRE) methodologies offer no support for deriving network security requirements. This thesis work is part of the research project DGA IREHDO2 (Intégration REseau Haut Débit embarqué Optique 2ème phase) that concerns future-generation aircraft networks. Our work is done mainly in collaboration with AIRBUS and is related to the security requirements engineering process for aircraft networks. Our objective in this project is to propose an SRE methodology for capturing and analysing network security requirements that facilitates their refinement into network security and monitoring configurations (top-down approach). The complexity addressed comes both from i) the differences in point of view with regard to the understanding of the issue of security by different stakeholders, and ii) the nature of the systems impacted and the variability of the levels of abstraction in the network development cycle.
In this work, we defined an SRE methodology based on the abstraction levels proposed by the SABSA (Sherwood Applied Business Security Architecture) method in order to structure the refinement of business needs into network security requirements. Indeed, SABSA recommends expressing the needs from the Business view (decision makers), Architect's view (objectives, risks, processes, applications and interactions), Designer's view (security services), Builder's view (security mechanisms) and Tradesman's view (products, tools, technologies). We considered the first three views. We express the Business and Architect's views using the STS (Social-Technical Systems) formalism. We also propose to represent attacks as multi-agent systems to facilitate the analysis of security risks at these first two views. For expressing the network security requirements captured at the Designer's view, we propose a methodology that automates parts of the process of security zoning and network security requirements elicitation using a definite set of formalized rules derived from security design principles and formal integrity models. We developed a tool that implements these rules in ASP (Answer Set Programming), which facilitates calculating cost-optimal security zone models. In the end, to ensure traceability between the three views, we defined a new modelling notation based on the concepts proposed in KAOS (Keep All Objectives Satisfied) and STS. We illustrate our methodology using a scenario specific to the IREHDO2 project. Finally, we evaluate our methodology using: 1) an e-commerce enterprise case study; 2) a new scenario specific to the IREHDO2 project.

Cited literature: 221 references
Contributor: Abes Star
Submitted on: Friday, July 10, 2020 - 3:32:11 PM
Last modification on: Wednesday, November 3, 2021 - 6:52:13 AM
Long-term archiving on: Monday, November 30, 2020 - 8:28:50 PM


Version validated by the jury (STAR)


HAL Id: tel-02896486, version 1


Sravani Teja Bulusu. Méthodologie d'ingénierie des exigences de sécurité réseau. Génie logiciel [cs.SE]. Université Paul Sabatier - Toulouse III, 2019. Français. ⟨NNT : 2019TOU30084⟩. ⟨tel-02896486⟩


