Secure Agent-Oriented Modelling with Web-based Security Application Development

Macklin Limpan - University of Malaysia Sarawak, Jln Datuk Mohammad Musa, Kota Samarahan, 94300, Sarawak, Malaysia
Cheah Wai Shiang - University of Malaysia Sarawak, Jln Datuk Mohammad Musa, Kota Samarahan, 94300, Sarawak, Malaysia
Eaqerzilla Phang - University of Malaysia Sarawak, Jln Datuk Mohammad Musa, Kota Samarahan, 94300, Sarawak, Malaysia
Muhammad Asyraf bin Khairuddin - University of Malaysia Sarawak, Jln Datuk Mohammad Musa, Kota Samarahan, 94300, Sarawak, Malaysia
Nurfauza bt Jali - University of Malaysia Sarawak, Jln Datuk Mohammad Musa, Kota Samarahan, 94300, Sarawak, Malaysia


DOI: http://dx.doi.org/10.62527/joiv.8.1.2180

Abstract


Privacy and security have become central challenges in developing web-based applications. E-commerce applications, for example, face threats such as scammers, SQL injection, bots, DDoS attacks, server security weaknesses, and phishing. Although various security requirements methodologies have been introduced, security is reported to be consistently ignored or given the lowest priority during application development, so applications remain exposed to these attacks. This paper introduces an alternative methodology for securing a web-based application through an extension of Agent-Oriented Modelling (AOM), called Secure AOM (SAOM). Secure AOM proceeds in six phases. The first, Context and Asset Identification, uses the Goal Model and the Secure Tropos model. The second, Determination of Security Objectives, uses Secure Tropos. The third, Risk Analysis and Assessment, also uses Secure Tropos. The fourth, Risk Treatment, has no model of its own; it adopts the four treatment options suggested by Secure Tropos: eliminate the risk, transfer it, retain it, or reduce it. The fifth, Security Requirements Definition, uses the Scenario Model, Interaction Model, and Knowledge Model. The last, Control Selection and Implementation, uses the Behavior Model. We conducted a reliability analysis of the participants' understanding of Secure AOM. From the reliability test we conclude that Secure AOM can serve as an alternative methodology: 80.9% of participants agreed that Secure AOM protects users against making errors and mistakes, and 71.9% agreed that SAOM helps prevent users from specifying incorrect model elements and the relations between models.
These results mean that over 50% of the participants agree that Secure AOM can be an alternative methodology that supports security risk management.
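The six phases above, as an added example written for this page (not code or a tool from the paper): a small Python risk register for a hypothetical e-commerce storefront that carries a handful of threats through asset identification, security objectives, risk scoring, choice of one of the four treatment options named in the abstract, and control selection. It also rejects a threat that references an asset or objective the model never declared, which is the kind of mis-specified model element the abstract says SAOM helps users avoid. Every asset, threat, score, threshold and catalogue entry is a constructed assumption; the 1 to 5 likelihood and impact scale, the risk appetite, and the critical threshold are not taken from the paper.

```python
"""Added illustration of the six Secure AOM phases as a small risk register.

Example code for this page only, not from the paper. All assets, threats,
scores, thresholds and controls are constructed for a hypothetical storefront.
"""
from dataclasses import dataclass
from enum import Enum


class Objective(Enum):  # Phase 2: security objectives an asset must uphold
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


@dataclass(frozen=True)
class Asset:  # Phase 1: context and asset identification
    name: str
    objectives: frozenset  # set of Objective this asset declares
    essential: bool = True  # False: the business could drop the asset (eliminate)
    outsourceable: bool = False  # True: a third party can own the risk (transfer)


@dataclass(frozen=True)
class Threat:  # Phase 3: risk analysis input
    name: str
    asset: str
    violates: Objective
    likelihood: int  # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int  # assumed scale 1 (negligible) .. 5 (severe)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact  # 1..25


# Constructed control catalogue used in Phase 6 (control selection).
CONTROLS = {
    "SQL injection": "parameterised queries plus a least-privilege DB account",
    "Phishing": "phishing-resistant MFA (WebAuthn) on customer login",
    "Bot checkout": "rate limiting and a challenge step on checkout",
    "DDoS": "upstream scrubbing / CDN in front of the storefront",
}
RISK_APPETITE = 6  # assumed: risks at or below this are retained
CRITICAL = 20  # assumed: risks at or above this are eliminated when possible


def validate(assets, threats):
    """Consistency check: every threat must target a declared asset and one of
    the objectives that asset actually declares. Returns assets by name."""
    by_name = {a.name: a for a in assets}
    for t in threats:
        if t.asset not in by_name:
            raise ValueError(f"{t.name!r} targets unknown asset {t.asset!r}")
        if t.violates not in by_name[t.asset].objectives:
            raise ValueError(f"{t.name!r} violates {t.violates.value}, which "
                             f"asset {t.asset!r} never declares")
    return by_name


def is_consistent(assets, threats) -> bool:
    """Boolean wrapper around validate() for callers that only need yes/no."""
    try:
        validate(assets, threats)
        return True
    except ValueError:
        return False


def treatment(threat, asset) -> str:
    """Phase 4: choose one of the four options the abstract lists."""
    r = threat.risk
    if r <= RISK_APPETITE:
        return "retain"
    if r >= CRITICAL and not asset.essential:
        return "eliminate"
    if asset.outsourceable:
        return "transfer"
    return "reduce"


def build_register(assets, threats):
    """Phases 3 to 6: score each threat, decide its treatment, derive a
    requirement and, for reduced risks, a control. Sorted by descending risk."""
    by_name = validate(assets, threats)
    rows = []
    for t in threats:
        decision = treatment(t, by_name[t.asset])
        rows.append({
            "threat": t.name, "asset": t.asset, "risk": t.risk,
            # Phase 5: a testable requirement derived from the objective
            "requirement": f"{t.asset} shall preserve {t.violates.value} against {t.name}",
            "treatment": decision,
            # Phase 6: a technical control is selected only where risk is reduced
            "control": CONTROLS.get(t.name) if decision == "reduce" else None,
        })
    return sorted(rows, key=lambda row: row["risk"], reverse=True)


# Constructed sample model for a hypothetical storefront.
ASSETS = [
    Asset("customer_db", frozenset({Objective.CONFIDENTIALITY, Objective.INTEGRITY})),
    Asset("login", frozenset({Objective.CONFIDENTIALITY})),
    Asset("checkout", frozenset({Objective.INTEGRITY, Objective.AVAILABILITY})),
    Asset("storefront", frozenset({Objective.AVAILABILITY}), outsourceable=True),
    Asset("gift_wrap_notes", frozenset({Objective.INTEGRITY}), essential=False),
]
THREATS = [
    Threat("SQL injection", "customer_db", Objective.CONFIDENTIALITY, 4, 5),
    Threat("Phishing", "login", Objective.CONFIDENTIALITY, 4, 4),
    Threat("Bot checkout", "checkout", Objective.AVAILABILITY, 3, 3),
    Threat("DDoS", "storefront", Objective.AVAILABILITY, 3, 4),
    Threat("Stored XSS in notes", "gift_wrap_notes", Objective.INTEGRITY, 5, 5),
    Threat("Typo in note", "gift_wrap_notes", Objective.INTEGRITY, 2, 1),
]

if __name__ == "__main__":
    for row in build_register(ASSETS, THREATS):
        print(row)
```

Running the block prints the register with the 25-point stored XSS on a non-essential feature marked for elimination, the DDoS on the outsourceable storefront transferred, the low-scoring typo retained, and the remaining three reduced with a named control. The validate() step is what makes a threat that names an undeclared objective fail loudly instead of quietly producing a requirement nobody can trace back to the model.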


Keywords


AOM; Secure Modelling; Secure Methodology; Secure Tropos.

