Description
1. Problem Statement
Nowadays, the security landscape is vast and complex, a reality reflected in the staggering cost of security breaches, which are estimated to reach 10.5 trillion USD globally by 2025 [1]. In the absence of a structured and straightforward tool to review security features, it becomes easy for non-experts to select inappropriate measures—potentially leading to system breaches. This thesis explores an approach aimed at simplifying the selection of suitable security features by focusing on viewpoint-based Security Pattern descriptions, based on the metamodel developed by D. Lammers.
2. Related Work
D. Lammers: This thesis utilizes the metamodel developed by D. Lammers, presented in his thesis “Conception of a Security Design Pattern Catalog for Constraint-based Recommender Systems.” The metamodel separates Security Design Patterns into a usage aspect and a knowledge aspect. The usage aspect essentially consists of creating viewpoint-based Security Pattern Descriptions. In this work, we implement the metamodel by constructing viewpoint-based descriptions for selected example patterns, establishing a basis for future evaluation of the metamodel.
J. Sehbaoui: This thesis will collaborate with the thesis of J. Sehbaoui, who is developing a tool to graphically visualize the viewpoints of the Security Design Pattern. We will construct and translate the data from JSON into raw PlantUML code to ensure compatibility with his tool. He will use this raw PlantUML code to generate diagrams that visualize the viewpoints as SVG images. Since generating SVG images from PlantUML diagrams is straightforward, we will leverage this compatibility. The visualized diagrams can then be manipulated through CRUD operations.
3. Contribution and Goals
The thesis will be part of the SCAM Project, which aims to make security models more accessible for system architectures. This thesis will contribute by implementing the Security Design Pattern Description Metamodel (SDPDM) [2], as presented in the thesis of D. Lammers. The SDPDM uses Viewpoints to describe the necessary aspects of a security feature to enable its correct implementation. To comprehensively cover all important elements, it defines four Viewpoints: Conceptual, Data, Behavioral, and Structural. Each of these describes different aspects of the security feature in a simple manner, making it easier to choose an appropriate technique for a system, aligning with the goals of the SCAM Project. We will implement these Viewpoints according to the descriptions provided by D. Lammers.
3.1 Tool Requirements
To lay the foundation for the future evaluation of the metamodel and implement the one proposed by D. Lammers in a tool capable of visualizing it, the following requirements must be met. An initial preview of what the tool might look like is shown in Figure 1.
R1: The tool must provide an effective solution for creating a technical concept for the SDPDM [2].
The technical concept should be represented in a structured data model, which is necessary for visualizing specific Security Design Pattern examples by decoding them into the model. It should collect only the relevant information for each security solution, covering every viewpoint presented in the SDPDM [2]. For this purpose, we will use JSON to structure the viewpoints.
R2: The JSON examples, along with their description in JSON Schema, must be correct and complete with respect to the SDPDM.
This requirement is fundamental for enabling the creation of Viewpoint-based Security Pattern Descriptions using an LLM, as well as for validating the results, either by an LLM or a JSON Schema validator.
R3: Given the structured JSON data, the tool must be capable of parsing a PlantUML diagram represented as a string.
The parser should retrieve JSON data from a source, such as a service, and process the corresponding string containing the information required to generate a PlantUML diagram. While this functionality is necessary for the completion of the tool, it falls outside the scope of this thesis. The primary focus of the thesis is on developing the structured data model and enabling the generation and validation of examples using either a large language model (LLM) or a JSON Schema validator.
R4: The generated examples must be stored in a public repository in an efficient manner.
Since JSON files tend to become large and difficult to read, we will address this challenge by using IDs that reference specific concrete Viewpoint examples. This approach helps keep the JSON descriptions both concise and comprehensible.
R5: After creating the public repository to store the specific Security Design Pattern examples, the tool must support CRUD operations on a copy of the data.
To lay the foundation for J. Sehbaoui’s thesis, we need to transform the concepts of creating viewpoints for Security Design Patterns into a usable data model. We will use JSON for this purpose. The data must be stored to enable further processing and interaction with the visualized diagrams, such as manipulating and viewing them within J. Sehbaoui’s tool. Therefore, the copy of the stored data must support CRUD operations.
3.2 Work of this Thesis
The tool presented in this thesis will generate JSON Schema files for a Security Design Pattern (SDP) in general, as well as for each individual Viewpoint. Once this is completed, we will need to prove the correctness and completeness of these schemas, showing that the generated JSON Schemas accurately represent the SDPDM [2] described by D. Lammers.
With the valid schemas, we will be able to generate metamodel-conformant, Viewpoint-based Security Pattern Descriptions using a large language model (LLM). This will be done either by providing the LLM with a JPEG image of a diagram describing a specific security feature or by supplying a textual description of the feature.
The generated results will be validated using a JSON Schema validator or, alternatively, by another LLM. Correct and validated outputs will be stored in a public repository.
To align this thesis with the work of J. Sehbaoui—who will focus on visualizing its results—we will clone the public repository into a local environment. In this local version, we will implement CRUD operations through a service. The generated examples will be hardcoded into PlantUML to be handed over to J. Sehbaoui, who will use them to produce SVG images for integration into his tool.
4. Research Questions
RQ1: How can we prove the completeness and correctness of the JSON model of the SDPDM [2]?
This question is fundamental, as we need a way to validate the JSON model of the SDPDM to ensure it can be reliably used for generating metamodel-conformant, Viewpoint-based Security Pattern Descriptions with the help of an LLM.
5. Approach
To meet the requirements defined in Section 3.1, we propose the following approach. An initial roadmap (see Figure 2) shows the estimated time required for the challenges addressed in this thesis; however, these estimates may change as the work progresses.
5.1 Transforming the metamodel into a Structured JSON Schema
The metamodel presented by D. Lammers must be transformed into a structured JSON Schema. The JSON Schema should accurately describe the viewpoints and define a Security Design Pattern as a general object composed of multiple different viewpoints. Therefore, it may be necessary to modify some properties proposed by D. Lammers or to add new properties in order to further clarify the function of the patterns.
We will use JSON primarily because I have prior experience working with JSON and JSON Schema from an earlier internship during my Bachelor’s studies, supervised by Alex Sabau. Furthermore, JSON is sufficiently powerful to represent all elements required by the SDPDM. This includes constraints such as allowing only certain combinations of descriptions or enforcing a general structural format—both of which can be effectively expressed using JSON.
5.2 Proving the Validity of the Structured JSON Schema
The JSON Schema we create may need to be adjusted if it does not perfectly represent the metamodel. A valid and accurate representation is essential for generating SDP examples and validating them.
5.3 Creating Specific Security Design Pattern Examples
A part of this thesis involves creating specific, viewpoint-based Security Design Pattern descriptions as diagrams. These diagrams will serve as example data, which will be stored in a public repository and used in conjunction with the created JSON Schema. Ideally, we will utilize the valid JSON Schema description of the metamodel to generate such examples using a large language model (LLM), which will receive graphical or textual descriptions of the security feature. This is a significant step because, firstly, creating diagrams is time-consuming, even when the descriptions are available. Moreover, by utilizing the LLM, we will be able to focus more on generating an increasing number of examples. The results we obtain will then be stored in a public repository for further scientific use, just as we do to visualize the results.
5.4 Hardcoding the JSON Examples into PlantUML
To be able to hand over the examples to J. Sehbaoui, we will need to hardcode the generated JSON examples into PlantUML. After their creation, the examples will be validated for correctness using the corresponding JSON Schema files.
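The ID-based referencing from R4 and the JSON-to-PlantUML step described in this section can be sketched as follows. This is an added example, not code from the thesis or the SCAM Project; the field names (`kind`, `elements`, `relations`), the IDs and the sample pattern are hypothetical and do not reproduce the SDPDM's actual properties.

```python
import json

VIEWPOINTS = ("conceptual", "data", "behavioral", "structural")

# Constructed sample store: concrete viewpoint examples keyed by ID (hypothetical fields).
STORE = {
    "vp-c-1": {"kind": "conceptual", "elements": ["Client", "Authenticator"],
               "relations": [["Client", "Authenticator", "requests access"]]},
    "vp-d-1": {"kind": "data", "elements": ["Credential", "Token"],
               "relations": [["Credential", "Token", "exchanged for"]]},
    "vp-b-1": {"kind": "behavioral", "elements": ["Login", "Verify"],
               "relations": [["Login", "Verify", "then"]]},
    "vp-s-1": {"kind": "structural", "elements": ["Gateway", "Identity Store"],
               "relations": [["Gateway", "Identity Store", "queries"]]},
}
# Constructed pattern description: stays small because it only carries IDs.
PATTERN = json.loads("""{"id": "sdp-1", "name": "Authenticator", "viewpoints":
  {"conceptual": "vp-c-1", "data": "vp-d-1", "behavioral": "vp-b-1", "structural": "vp-s-1"}}""")

def resolve(pattern, store):
    """Swap each viewpoint ID for its stored example; fail on gaps or bad references."""
    out = {}
    for kind in VIEWPOINTS:
        ref = pattern.get("viewpoints", {}).get(kind)
        if ref is None:
            raise ValueError(f"{pattern['id']}: no {kind} viewpoint")
        vp = store.get(ref)
        if vp is None:
            raise ValueError(f"{pattern['id']}: dangling reference {ref!r}")
        if vp["kind"] != kind:
            raise ValueError(f"{pattern['id']}: {ref!r} is a {vp['kind']} viewpoint, not {kind}")
        out[kind] = vp
    return out

def to_plantuml(name, kind, vp):
    """Render one resolved viewpoint as raw PlantUML text, using aliases for element names."""
    alias = {e: f"e{i}" for i, e in enumerate(vp["elements"])}
    lines = ["@startuml", f"title {name} ({kind} viewpoint)"]
    lines += [f'rectangle "{e}" as {a}' for e, a in alias.items()]
    for src, dst, label in vp["relations"]:
        if src not in alias or dst not in alias:
            raise ValueError(f"relation uses undeclared element: {src} -> {dst}")
        lines.append(f"{alias[src]} --> {alias[dst]} : {label}")
    return "\n".join(lines + ["@enduml"])

def render_all(pattern, store):
    return {k: to_plantuml(pattern["name"], k, vp) for k, vp in resolve(pattern, store).items()}

if __name__ == "__main__":
    print(render_all(PATTERN, STORE)["structural"])
```

Resolving references before rendering means a missing viewpoint, a dangling ID or an ID of the wrong viewpoint kind is rejected before any diagram text is produced.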
5.5 Implementing CRUD Operations on Copied Data from the Public Repository
The stored data must be viewable and editable, as it will be used in the context of J. Sehbaoui’s thesis. Therefore, we need to implement CRUD operations to support this functionality.
References
[1] Cybersecurity Ventures. “Cybercrime To Cost The World 8 Trillion Annually In 2023”. Available at: https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/. Accessed: 2025-04-23. October 17, 2022.
[2] D. Lammers. “Conception of a Security Design Pattern Catalog for Constraint-based Recommender Systems”. Available at: https://swc.rwth-aachen.de/theses/conception-of-a-security-design-pattern-catalog-for-constraint-based-recommender-systems/. March 2024, pp. 25–40.
Project information
In progress
Bachelor
Michael Zerbe
2025-014