No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees
Abstract
This paper presents the current state of the art on attack and defense
modeling approaches that are based on directed acyclic graphs (DAGs).
DAGs allow for a hierarchical decomposition of complex scenarios into
simple, easily understandable and quantifiable actions. Methods based on
threat trees and Bayesian networks are two well-known approaches to
security modeling. However there exist more than 30 DAG-based
methodologies, each having different features and goals. The objective
of this survey is to present a complete overview of graphical attack and
defense modeling techniques based on DAGs. This consists of summarizing
the existing methodologies, comparing their features and proposing a
taxonomy of the described formalisms. This article also supports the
selection of an adequate modeling technique depending on user
requirements.
... Although there are a wide variety of approaches applied throughout the lifecycle of a software or hardware system, one common approach is the utilisation of models for assessing cybersecurity risks [2,3] or enumerating test cases [1,4]. In particular, attack models are often used as a graphical representation of possible attacks within a given system, which can enable cybersecurity analysts to more intuitively determine areas of high risk. ...
... There exists a notable selection of cybersecurity databases, each offering different types of data with different contextualising information at different levels of abstraction. These include, from most tangible to most abstract: ExploitDB, 1 Common Vulnerabilities and Exposures (CVE), 2 Common Weakness Enumeration (CWE), 3 Common Attack Pattern Enumerations and Classifications (CAPEC) 4 and the ATT&CK matrix. 5 While ExploitDB considers code-level exploits, CVE has a slightly higher level of abstraction by considering text descriptions of individual vulnerabilities, CWE stores weaknesses that can result in vulnerabilities emerging, CAPEC stores attack patterns which utilise weaknesses and finally ATT&CK considers the highest level attack goals via tactics and techniques. ...
... A common approach towards managing cybersecurity is using attack models to emulate the behaviour of a given system whilst under cyberattack. This can be approached in various ways, with graphical models proving a popular method across various domains [2,8,15,26,27]. In essence, the premise is that the system and/or possible attacks are formally modelled using techniques like graphical and mathematical representations. As mentioned previously, of particular interest in this paper are hierarchical attack models. ...
... Although there are a wide variety of approaches applied throughout the lifecycle of a software or hardware system, one common approach is the utilisation of models for assessing cybersecurity risks [2,3] or enumerating test cases [1,4]. ...
... A common approach towards managing cybersecurity is using attack models to emulate the behaviour of a given system whilst under cyberattack. This can be approached in various ways, with graphical models proving a popular method across various domains [21,2,22,20,9]. In essence, the premise is that the system and/or possible attacks are formally modelled using techniques like graphical and mathematical representations. As mentioned previously, of particular interest in this paper are hierarchical attack models, which are defined here as a broad class of attack models which are structured in a hierarchy, separating different levels of abstraction between individual attack actions and high-level goals. ...
... In terms of what is actually being modelled, approaches such as the attack tree [5,2] focus on just the attack model itself, with no explicit modelling of the system itself beyond mentions to what a particular vulnerability targets. Meanwhile, attack graphs generally focus on modeling the physical system such as network connections [23,22] more explicitly and including them within the graph itself, such that the behaviour of the system being targeted is modeled. ...
This paper investigates the use of a pre-trained language model and siamese network to discern sibling relationships between text-based cybersecurity vulnerability data. The ultimate purpose of the approach presented in this paper is towards the construction of hierarchical attack models based on a set of text descriptions characterising potential/observed vulnerabilities in a given system. Due to the nature of the data, and the uncertainty sensitive environment in which the problem is presented, a practically oriented soft computing approach is necessary. Therefore, a key focus of this work is to investigate practical questions surrounding the reliability of predicted links towards the construction of such models, to which end conceptual and practical challenges and solutions associated with the proposed approach are outlined, such as dataset complexity and stability of predictions. Accordingly, the contributions of this paper focus on producing neural networks using a pre-trained language model for predicting sibling relationships between cybersecurity vulnerabilities, then outlining how to apply this capability towards the generation of hierarchical attack models. In addition, two data sampling mechanisms for tackling data complexity, and a 1 Manuscript Click here to view linked References consensus mechanism for reducing the amount of false positive predictions are outlined. Each of these approaches is compared and contrasted using empirical results from three sets of cybersecurity data to determine their effectiveness.
... The literature also outlines approaches that may help with the explainability of cybersecurity assessments. According to Kordy et al. [13], "the great advantage of graph-based approaches lies in combining user friendly, intuitive, visual features with formal semantics and algorithms that allow for qualitative and quantitative analysis". The intuitive nature of these approaches shows promise for facilitating collaboration with stakeholders who may not have a deep cybersecurity background. ...
... The intuitive nature of these approaches shows promise for facilitating collaboration with stakeholders who may not have a deep cybersecurity background. Kordy et al. [13] categorised graph-based security Systems 2024, 12, 238 4 of 28 analyses into two broad categories: statically modelled graphs and sequentially modelled graphs. Both categories can deal with either just attacks or both attack and defence. ...
... The first example of this is the development of the attack trees and bow-tie diagrams in the Risk Assessment phase. While attack trees are not particularly novel and have been used in security analysis since at least 1994 [54], one of their limitations is that they are primarily static [13] and are difficult to update once a significant level of complexity or interconnectedness is reached. The CEMT deliberately uses mal-activity diagrams to allow the modeler to express the threat vectors in a manner that maximises the efficiency of inputting the data, but then automatically generates an attack tree using queries of the structured information within those mal-activity diagrams, which provides the same information in a format that is significantly easier to review. ...
The Cyber Evaluation and Management Toolkit (CEMT) is an open-source university research-based plugin for commercial digital model-based systems engineering tools that streamlines conducting cybersecurity risk evaluations for complex cyber-physical systems. The authors developed this research tool to assist the Australian Defence Force (ADF) with the cybersecurity evaluation of complicated systems operating in an increasingly contested and complex cyber environment. This paper briefly outlines the functionality of the CEMT including the inputs, methodology, and outputs required to apply the toolkit using a sample model of the process applied to a generic insider threat attack. A face validity trial was conducted on the CEMT, surveying subject-matter experts in the field of complex cybersecurity analysis and risk assessment to present the generic case study and gather data on the expected benefits of a real-world implementation of the process. The results of the face validity broadly supports the effectiveness and usability of the CEMT, providing justification for industry research trials of the CEMT.
... An important extension of attack trees was introduced by Kordy et al. [12] to also include defenses to analyze the effectiveness of various countermeasure strategies. Overall, a large body of work in the area up until 2014 is neatly summarized in [13]. A fairly large sub-group in the field works with probabilistic attack graphs, oftentimes using Bayesian networks as the underlying formalism for analysis [14,15,16,17,18,19]. ...
... Examples include STRIDE [24], which helps discover threats during product or system design, while approaches such as UMLsec [25,26], Se-cureUML [27,28], SECTET [29,30], or STS-ml [31] enable a more model-based security analysis. Other model-driven approaches rely on attack trees and/or graphs [2,10,11,12,13] as discussed earlier. ...
... Container Administration Command and Software Deployment Tools define specific security contexts that can easily be modeled in the fashion just described. 13 Either by reaching the NetworkConnectUninspected as described when discussing the Exploit Public-Facing Application in Section 4.1.1 or LocalConnect attack steps. ...
... Fig. 1 shows the attack graph on the Multi-cloud Enterprise Network that consists of directed links representing the exploits and nodes the states. These kinds of networks are directed acyclic graphs (DAGs), i.e. without cycles [9]. ...
... 8) Zuul (20,21) Eureka (3,4) ServiceA (10,11) Service (12,13) ServiceC (14,15) SpringCloud (16,17) Turbine (18,19) HystrixDashboard ( In-centrality Decrease (w=0. 8) Zuul (20,21) Eureka (3,4) ServiceA (10,11) Service (12,13) ServiceC (14,15) SpringCloud (16,17) Turbine (18,19) HystrixDashboard (5,6) ConfigService (1,2) Rabbitmq (8,9) Figure 7: Out-centrality and in-centrality differences (i.e. decrease) for nodes 1 to 21 in Fig. 4 after protecting vulnerabilities in services indicated in the legend (link weight w = 0.8) and the start node of attack being 7. Fig. 11, the lower density causes the curves to be lower compared to those of Fig. 6, and the interrelationship between the curves turn out to be different. ...
In order to improve the resilience of computer infrastructure against cyber attacks and finding ways to mitigate their impact we need to understand their structure and dynamics. Here we propose a novel network-based influence spreading model to investigate event trajectories or paths in various types of attack and causal graphs, which can be directed, weighted, and / or cyclic. In case of attack graphs with acyclic paths, only self-avoiding attack chains are allowed. In the framework of our model a detailed probabilistic analysis beyond the traditional visualisation of attack graphs, based on vulnerabilities, services, and exploitabilities, can be performed. In order to demonstrate the capabilities of the model, we present three use cases with cyber-related graphs, namely two attack graphs and a causal graph. The model can be of benefit to cyber analysts in generating quantitative metrics for prioritisation, summaries, or analysis of larger graphs.
... Attack trees, e.g., [28,51], and their extensions are a widespread formalism for threat modeling and risk assessment. Their applications range from analyzing attacks on smart grids [4], ATMs [18], optical power meters [17], SCADA control systems [10,39,50,35,14] or software supply chains [42] to intelligent autonomous vehicles and vehicular networks [23,27,45], secure deployment of HTTPS [49] or cybersecurity awareness trainings for election officials [48]. ...
... By uploading a model and registering with a name and email address, users receive a token to access all uploaded models in the database. In more details, our benchmark set consists of 42 models from 24 previously published papers, [37,50,30,28,4,32,3,43,18,19,22,33,47,29,1,17,31,46,8,23,26,42,48,45], which we constructed using QuADTool. Additionally, we generated 626 models of various sizes for performance testing. ...
Ranking risks and countermeasures is one of the foremost goals of quantitative security analysis. One of the popular frameworks, used also in industrial practice, for this task are attack-defense trees. Standard quantitative analyses available for attack-defense trees can distinguish likely from unlikely vulnerabilities. We provide a tool that allows for easy synthesis and analysis of those models, also featuring probabilities, costs and time. Furthermore, it provides a variety of interfaces to existing model checkers and analysis tools. Unfortunately, currently available tools rely on precise quantitative inputs (probabilities, timing, or costs of attacks), which are rarely available. Instead, only statistical, imprecise information is typically available, leaving us with probably approximately correct (PAC) estimates of the real quantities. As a part of our tool, we extend the standard analysis techniques so they can handle the PAC input and yield rigorous bounds on the imprecision and uncertainty of the final result of the analysis.
... One of the primary goals of security and privacy TMA methods is to describe threats in a manner that is understandable and comprehensible, as well as to give formal semantics that enables qualitative and quantitative analysis [44]. The type of modeling determines the mode of threat modeling that can be divided into graphical and formal modeling. ...
... These techniques supported semantics, verification, automatic generation, and quantitative support. Furthermore, as the system evolves and new features are introduced, formal techniques enable updates and assessments to be performed in the future [44]. As depicted in Table 3, only four methods provide in detail formal modeling support in representing, verification, and quantitative support for threat analysis. ...
In recent years, the healthcare-IT systems have undergone numerous technological advancements. With the advent of implanted medical devices, the ubiquitous health is possible and quite simple. As a result, locating, monitoring, and treating patients, no matter where they are, have become an easy task. Additionally, the electronic health record system digitalized medical information and provides collaboration, real-time decision support, and permanent patient health records. Despite the fact that these capabilities significantly improve the quality of healthcare, their vulnerability to viruses/malicious attacks has become a major challenge and one of the serious concerns. Literature review shows that number of such attacks is increasing rapidly in healthcare organizations. Therefore, an immediate attention is required as personal health information may be exposed, making healthcare infrastructures less dependable or even cease to function. TMA is a technique/method that thoroughly examines the system, its corresponding flaws, and possible potential attackers. It may be instrumental for making well-informed decisions for security measure. The paper presents a critical review and systematic evaluation of pertinent TMA methods. Each method has been evaluated on the key features of modeling and assessment. Additionally, it includes the relevance and applicability of each method to the healthcare domain based on key factors. This work may be a useful guide for researchers and practitioners working in this area. It may significantly facilitate them for addressing security-related issues and concerns in healthcare domain.
... Kordy et al. [4] categorize thirty-three frameworks for graphical analysis of attack and defense scenarios into (1) attack and/or defense modeling, which focus on the formal aspects of attacks or defenses, and (2) static or sequential modeling, which focus on the temporal aspects or dependencies between actions. Using the same categorization, this section provides an overview of all the frameworks, and it describes these frameworks that fulfill the majority of properties incorporated in the framework of this article. ...
... 3 Moderate Impact cannot be readily absorbed, requiring a modest level of resources and management effort. 4 Major Impact requires a high level of resources and management effort to rectify. 5 ...
Risk assessment plays a crucial role in ensuring the security and resilience of modern computer systems. Existing methods for conducting risk assessments often suffer from tedious and time-consuming processes, making it challenging to maintain a comprehensive overview of potential security issues. In this paper, we propose a novel approach that leverages attack graphs to enhance the efficiency and effectiveness of risk assessment. Attack graphs visually represent the various attack paths that adversaries can exploit within a system, enabling a systematic exploration of potential vulnerabilities. By extending attack graphs with capabilities to include countermeasures and consequences, they can be leveraged to constitute the complete risk assessment process. Our method offers a more streamlined and comprehensive analysis of system vulnerabilities, where system changes, or environment changes can easily be adapted and the issues exposing the highest risk can easily be identified. We demonstrate the effectiveness of our approach through a case study, as well as the applicability by combining existing risk assessment standards with our method. Our work aims to bridge the gap between risk assessment practices and evolving threat landscapes, offering an improved methodology for managing and mitigating risks in modern computer systems.
... Thus, attack trees are a particular case of ADTs that do not have any defense nodes. The ADT model allows representing complex attack-defense scenarios where defenders can deploy countermeasures against attacks, and attackers can try to circumvent these countermeasures [40,41]. Moreover, considering countermeasures explicitly and collecting a library of best practices for mitigation are recommended in the TM literature [19,31,82], and ADTs can help with these objectives. ...
Attack-defense trees (ADTs) are a prominent graphical threat modeling method that is highly recommended for analyzing and communicating security-related information. Despite this, existing empirical studies of attack trees have established their acceptability only for users with highly technical (computer science) backgrounds while raising questions about their suitability for threat modeling stakeholders with a limited technical background. Our research addresses this gap by investigating the impact of the users' technical background on ADT acceptability in an empirical study. Our Method Evaluation Model-based study consisted of n = 102 participants (53 with a strong computer science background and 49 with a limited computer science background) who were asked to complete a series of ADT-related tasks. By analyzing their responses and comparing the results, we reveal that a very limited technical background is sufficient for ADT acceptability. This finding underscores attack trees' viability as a threat modeling method.
... The leafs of the attack tree represent attacks that can no longer be cultivated [48]. Notable application of graphbased attack models include security analysis of supervisory control and data acquisition (SCADA) systems, voting systems, vehicular communication systems, Internet related attacks, and secure software engineering [9]. ...
The continued integration of technology into all aspects of society stresses the need to identify and understand the risk associated with assimilating new technologies. This necessity is heightened when technology is used for medical purposes like ambulatory devices that monitor a patient's vital signs. This integration creates environments that are conducive to malicious activities. The potential impact presents new challenges for the medical community. Hence, this research presents attack graph modeling as a viable solution to identifying vulnerabilities, assessing risk, and forming mitigation strategies to defend ambulatory medical devices from attackers. Common and frequent vulnerabilities and attack strategies related to the various aspects of ambulatory devices, including Bluetooth enabled sensors and Android applications are identified in the literature. Based on this analysis, this research presents an attack graph modeling example on a theoretical device that highlights vulnerabilities and mitigation strategies to consider when designing ambulatory devices with similar components.
... An important extension of attack trees was introduced by Kordy et al. [29] to also include defences as a means to enable the analysis of the effectiveness of various countermeasure strategies. Overall, a large body of work in the area up until 2014 is neatly summarised in [30]. A fairly large subgroup in the field works with probabilistic attacks graphs, often times using Bayesian networks as the underlying formalism for analysis [31][32][33][34]. ...
Flexibility markets are crucial for balancing the decentralised and renewable-driven energy landscape. This paper presents a security evaluation of a flexibility market system using a threat modelling approach. A reference architecture for a typical flexibility market system is proposed, and attack graph-driven simulations are performed to analyse potential attack pathways where malicious actors might infiltrate the system and the vulnerabilities they might exploit. Key findings include the identification of high-risk areas, such as the Internet links between market actors. To mitigate these risks, the paper proposes and evaluates multiple protection scenarios in reducing the identified attack vectors. The findings underline the importance of multi-layered security strategies to safeguard flexibility markets from increasingly sophisticated cyber threats.
... In [33], a strategy that utilizes integrated fault and attack trees was presented. Later, that proposal was extended to include action against some attack vectors [34]. Recently, in [35] an integrated system is proposed to diagnose faults and cyber-attacks in industrial control systems. ...
An essential requirement for modern industrial plants in the Industry 4.0 vision is to guarantee cybersecurity and safety related to the presence of faults. Additionally, the increasing complexity of the control systems and the digital transformation in industries demand a more integrative vision in supervision services improving interoperability. Regularly, research in fault diagnosis and cybersecurity has been developed separately despite having many elements in common. This paper presents a novel fuzzy-based strategy that integrates the early detection and location of cyber-attacks and faults. This holistic approach promotes the necessary and important interrelation between the technical groups of Operational Technology (OT) and Information Technology (IT) in industrial plants allowing for the simplification of the computational solution of the condition monitoring system. The proposal was assessed with two known benchmarks showing robust behavior in the presence of noise and disturbances in the measurements and outstanding performance.
... Intermediate nodes are labeled with gates that determine how their lower-connected nodes activate them: standard ats have or and and gates only, but many extensions exist to model more elaborate attacks [32]. ...
Software security mainly studies vulnerability detection: is my code vulnerable today? This hinders risk estimation, so new approaches are emerging to forecast the occurrence of future vulnerabilities. While useful, these approaches are coarse-grained and hard to employ for project-specific technical decisions. We introduce a model capable of vulnerability forecasting at library level. Formalising source-code evolution in time together with library dependency, our model can estimate the probability that a software project faces a CVE disclosure in a future time window. Our approach is white-box and lightweight, which we demonstrate via experiments involving 1255 CVEs and 768 Java libraries, made public as an open-source artifact. Besides probabilities estimation, e.g. to plan software updates, this formal model can be used to detect security-sensitive points in a project, or measure the health of a development ecosystem.
... Research has long shown service and system identification is possible without verbatim reidentification (Coull et al., 2007;Khan, S. & Parkinson, 2019;Murakami, 2019). While identification of topology or vulnerable hosts is less than ideal, the adversary must gain access to the environment then bypass other security controls before gaining full access (Kordy et al., 2014). When control measures, potential impacts and benefits are considered, certain cyber event log sharing scenarios may be within an organization's risk tolerance allowing consideration of this projects deidentification program. ...
This thesis explores a programatic method for deidentifying organizational cyber event data into functional training sets suitable for cyber security research and skills development. A 4-phase methodology was developed to support repeatable extraction, deidentification and replacement of sensitive values such as IP addresses, computer, domain, and account names. A proof-of concept was implemented via software modules integrated into a customized Logstash pipeline deidentifying data inline to create replica logfiles. Record formats and content variance necessitated multiple parsing approaches enforced by conditional software logic because ad-hoc search and replace proved inadequate for privacy preservation or reliably formatted output. The second finding reaffirmed the privacy-utility continuum, I.E., reidentification risk should be weighed against the opportunity costs of not supporting cyber security and observability research data needs. Testing in a corporate network lab replica generating more than 100,000 events per day confirmed Windows, Linux, and firewall event data deidentification at 130 to 200+ events per second with cyber intrusion data successfully identified in an Elasticsearch analytics platform. Next steps are cyber specialist field testing to determine the viability of threat hunting and detection engineering using deidentified data. pg. 2
... There are many methodological approaches for modeling threats targeting devices such as Spoofing identity, Tampering with data, Repudiation, Information disclosure, DoS, Elevation of privilege (STRIDE) (Hussain et al., 2014), Attack Trees (Kordy, Piètre-Cambacédès and Schweitzer, 2014), The Process for Attack Simulation and Threat Analysis (PASTA) (Shevchenko et al., 2018), Abuser Stories (Singhal and Banati, 2011), CORAS (Lund, Solhaug and Stolen, 2011), and Common Vulnerability Scoring System (CVSS) (Johnson et al., 2018). ...
The Unmanned Aerial Vehicles (UAVs) are being actively used in various fields including agriculture, surveillance, scientific research, and delivery. Despite their widespread use, UAVs face significant cybersecurity challenges due to their vulnerabilities as cyber-physical systems. UAVs are vulnerable to cyberattacks, which target cyber or physical elements, the interface between them, wireless connections, or a combination of several components. Given the complexity of securing these systems, this paper provides a comprehensive survey of the current state of UAV cybersecurity. Moreover, different cybersecurity issues of UAVs are analyzed, various features, and functions of UAVs are considered. UAV attack classification scheme is constructed and attacks on various components are accounted for. Also, countermeasures against cyberattacks that target UAVs are discussed. Finally, UAV cyber security datasets for research purposes are indicated, and the remaining open issues in this field are identified.
... The latter serves as a structured framework, to represent potential attack scenarios. Expanding on this foundation, variations such as the attack and protection tree, defense tree, and attack-defense tree, contribute to enriching the modeling process [39]. ...
Recently, the DevSecOps practice has improved companies’ agile production of secure software, reducing problems and improving return on investment. However, overreliance on security tools and traditional security techniques can facilitate the implementation of vulnerabilities in different stages of the software lifecycle.. Thus, this paper proposes the integration of a Large Language Model to help automate threat discovery at the design stage and Security Chaos Engineering to support the identification of security flaws that may be undetected by security tools. A specific use case is described to demonstrate how our proposal can be applied to a retail company that has the business need to produce rapidly secure software.
... Kordy et al. [4] categorize 33 frameworks for graphical analysis of attack and defense scenarios into (1) attack and/or defense modeling, which focus on the formal aspects of attacks or defenses, and (2) static or sequential modeling, which focus on the temporal aspects or dependencies between actions. Using the same categorization, this section provides an overview of all existing frameworks, and it describes these frameworks that fulfill the majority of properties incorporated in the framework of this article. ...
Risk assessment plays a crucial role in ensuring the security and resilience of modern computer systems. Existing frameworks for conducting risk assessments often suffer from tedious and time-consuming processes, making it challenging to maintain a comprehensive overview of potential security issues. In this article, we propose a novel approach that leverages Attack Graphs to enhance the efficiency and effectiveness of risk assessment. Attack Graphs visually represent the various attack paths that adversaries can exploit within a system, enabling a systematic exploration of potential vulnerabilities. By extending Attack Graphs with capabilities to include countermeasures and consequences, they can be leveraged to constitute the complete risk assessment process. Our framework offers a more streamlined and comprehensive analysis of system vulnerabilities, where system changes, or environment changes can easily be adapted, and the issues exposing the highest risk can easily be identified. We demonstrate the effectiveness of our approach through a case study, as well as the applicability by combining existing risk assessment standards with our framework. Our work aims to bridge the gap between risk assessment practices and evolving threat landscapes, offering an improved framework for mitigating risks in modern computer systems.
... The STRIDE model [134] classifies attacks into Spoofing [143], [70], Tampering [110], Repudiation [106], Information disclosure [105], DoS [137], and Elevation of privilege [69], [110] attacks, as summarized in Table VI. The STRIDE model can be seamlessly integrated with other methodologies, such as the Damage, Reproducibility, Exploitability, Affected users, Discoverability (DREAD) model [132], [135] and Attack Trees [144], to enhance the scope of the threat analysis [110]. ...
Satellite communications (Satcoms) systems have become an integral part of modern society, providing critical infrastructure for a wide range of applications. However, as the reliance on Satcoms has increased, cyberattacks on Satcoms systems have emerged as a severe concern, with the potential to cause significant disruption, economic losses, and even loss of life. We first give a tutorial-style overview of the architecture of a Satcoms system, which typically consists of a space segment, a ground segment (encompassing the terrestrial ground stations and users), and the links segment. Following the taxonomy provided by this segment structure, we provide—to the best of our knowledge—the first comprehensive survey of the state-of-the-art cyberattacks (cyberthreats) on all three segments of Satcoms systems. For each Satcoms system segment, we organize the cyberattacks according to categories of Satcoms-specific cyberattacks, which we relate to the threat classifications in the general STRIDE cyberthreat model. Also, for all three segments of Satcoms systems, we comprehensively survey the general cybersecurity strategies and the specific cybersecurity mechanisms (techniques) that defend Satcoms systems against cyberattacks. We distill the critical learned lessons associated with Satcoms cybersecurity strategies, such as the need to balance security with cost-effectiveness. Finally, we outline the open challenges and future research directions in Satcoms systems cybersecurity.
... Bayesian attack graphs (BAGs) are a well-known class of models that represent the propagation of attacks and compromises in networks (Kordy et al., 2014). They can be seen as a Markov process with binary state variables. ...
Advances in technology have enabled the use of sensors with varied modalities to monitor different parts of systems, each providing diverse levels of information about the underlying system. However, resource limitations and computational power restrict the number of sensors/data that can be processed in real-time in most complex systems. These challenges necessitate the need for selecting/scheduling a subset of sensors to obtain measurements that guarantee the best monitoring objectives. This paper focuses on sensor scheduling for systems modeled by hidden Markov models. Despite the development of several sensor selection and scheduling methods, existing methods tend to be greedy and do not take into account the long-term impact of selected sensors on monitoring objectives. This paper formulates optimal sensor scheduling as a reinforcement learning problem defined over the posterior distribution of system states. Further, the paper derives a deep reinforcement learning policy for offline learning of the sensor scheduling policy, which can then be executed in real-time as new information unfolds. The proposed method applies to any monitoring objective that can be expressed in terms of the posterior distribution of the states (e.g. state estimation, information gain, etc.). The performance of the proposed method in terms of accuracy and robustness is investigated for monitoring the security of networked systems and the health monitoring of gene regulatory networks.
... The high-level scenario we have chosen to defend is two platooning vehicles moving from a rear base to a forward operating base (see Section3.2). We use attack-defence tree methodology [11] (see Figure 1) to map out possible attacks and defences. Each of the defences seen in Figure 1 can be considered an action that Co-Decyber could take. ...
Autonomous decision making for cyber-defence in operational situations is desirable but challenging. This is due to the nature of operational technology (because of its cyber-physical nature) as well as the need to account for multiple contexts. Our contribution is the creation of a co-operative decision-making framework to enable autonomous cyber-defence (which we call Co-Decyber). This framework allows us to break up a big multi-contextual action space into smaller decisions that multiple agents can optimize between. We apply this framework to an autonomous vehicle platooning scenario. Results show that Co-Decyber agents are outperforming random reference agents in the cyber-attack scenarios we have tested. We aim to extend this work with more complex attack scenarios, along with training more agents to defend more of the attack surface. We conclude that this framework when mature will contribute to the goal of providing autonomous cyber-defence for operational technology.
... Analysis. FT and AT enable different kinds of analyses [47]: qualitative analyses include Minimal Cut Sets (MCSs), indicating which combinations of BEs or BASs lead to the TLE. The set {Fire, Door locked} is a cut set in Figure 3. Quantitative analyses compute dependability metrics, such as the system reliability, attack probabilities and costs. ...
... At a given level a single task out of several may need completing (OR tasks), or all tasks at a level may need completing (AND tasks). There are many variations [58] on this AT concept that adds additional features and rules. Figure 11 shows an example of a simple attack tree model for a key relay attack (where a signal from a wireless car key is amplified to compromise a vehicle [59]). ...
The major vehicle manufacturers deploy Over-the-Air (OTA) software update technology for their vehicle systems. In this research, we review the literature on the cybersecurity of the OTA software update mechanism. This allowed the derivation of a high-level reference architecture for the OTA system. The architecture and review guided the analysis of the OTA system attack surface. A novel asset-centric threat modelling method is derived from the analysis and applied to the OTA software upgrade use case. System assets identification, system decomposition and labelling are three steps of a four-step threat modelling methodology. The final step enables attack vector threat analysis and mitigation. The final contribution comes from actionable cybersecurity recommendations for software upgrade systems, providing threat mitigation recommendations for their secure implementation. Knowledge of potential long-range wireless attacks and other OTA system threats provides a foundation for stakeholders' strategic investment in cybersecurity risk reduction. This investment is needed to address a dilemma. On the one hand, OTA systems are a useful technology for updating the software in cyber-physical systems, however, they do provide a potential conduit for cyber attacks. Whilst this work researched vehicular OTA systems, it could be applied to other cyber-physical systems that require secure software updates over a lifecycle. INDEX TERMS Communication system security, embedded software, land vehicles, security management, cyber-physical systems.
... The high-level scenario we have chosen to defend is two platooning vehicles moving from a rear base to a forward operating base (see Section3.2). We use attack-defence tree methodology [11] (see Figure 1) to map out possible attacks and defences. Each of the defences seen in Figure 1 can be considered an action that Co-Decyber could take. ...
Autonomous decision making for cyber-defence in operational situations is desirable but challenging. This is due to the nature of operational technology (because of its cyber-physical nature) as well as the need to account for multiple contexts. Our contribution is the creation of a cooperative decision-making framework to enable autonomous cyber-defence (which we call Co-Decyber). This framework allows us to break up a big multi-contextual action space into smaller decisions that multiple agents can optimize between. We apply this framework to an autonomous vehicle platooning scenario. Results show that Co-Decyber agents are outperforming random reference agents in the cyber-attack scenarios we have tested. We aim to extend this work with more complex attack scenarios, along with training more agents to defend more of the attack surface. We conclude that this framework when mature will contribute to the goal of providing autonomous cyber-defence for operational technology.
... Attack trees (AT) and their derivatives have been widely used for handling threat modelling and security risk assessment, as they can succinctly describe complex threat scenarios and help their readers (e.g., analysts) to better observe and reason about the impact of risks on the system. However, manual construction of AT is heavily dependent on one's expertise and experience (ATs constructed by individual analysts for the same system can differ structurally [3,16]). Experts often use libraries of common attack patterns or reuse parts of models. ...
Systems that integrate cyber and physical aspects to create cyber-physical systems (CPS) are becoming increasingly complex, but demonstrating the security of CPS is hard and security is frequently compromised. These compromises can lead to safety failures, putting lives at risk. Attack Defense Trees with sequential conjunction (ADS) are an approach to identifying attacks on a system and identifying the interaction between attacks and the defenses that are present within the CPS. We present a semantic model for ADS and propose a methodology for generating ADS automatically. The methodology takes as input a CPS system model and a library of templates of attacks and defenses. We demonstrate and validate the effectiveness of the ADS generation methodology using an example from the automotive domain.
... The survey in [12] proposes an extensive overview on attack and defense modeling techniques based on Directed Acyclic Graphs (DAGs). The authors analyze more than 30 formalisms and group them according to two main dimensions, which are (i) attack and/or defense modeling, where attack modeling focuses on attackers' actions while defense modeling focuses on defensive aspects, and (ii) static or sequential approaches, where sequential formalisms can model temporal aspects, while static approaches cannot. ...
Early-stage security analysis can be used for a preliminary assessment of the security level of a system, thus providing useful insights to guide the whole system’s development. In this paper, we focus on a specific meta-level modeling framework for security analysis, ADVISE Meta, which allows representing a system using generic built-in blocks and relationships constituting the ontology of the framework, and to automatically derive complex low-level stochastic models representing attack steps and adversaries. In this paper, we extend the ADVISE Meta ontology to enlarge the variety of the possible attack paths and adversaries that can be represented in the framework, by modeling (i) attack patterns available in the CAPEC database, a comprehensive dictionary of known patterns of attack, and (ii) the adversaries’ profiles defined in the Threat Agent Library (TAL), a reference library which describes the characteristics of threat agents. The paper provides a detailed description of the whole process for extending the ADVISE Meta ontology, and the application of the extended modeling framework for an early-stage security analysis of a public transport supervision system. The framework enables a variety of security-oriented analyses, in particular to assess the probability that a given adversary can successfully reach a specific goal, to analyze the most probable attack path that adversaries can follow to reach a goal, to perform sensitivity analysis at varying of attack patterns and adversaries’ profiles, to compare different architectural solutions, and to identify the system’s components that can be more probably attacked by adversaries.
In this paper, we study the security threats and challenges of self-adaptive systems realized using digital twins. We use the MITRE ATT&CK framework to perform threat analysis and identify unique attack vectors specific to these systems. Our results show that the attack surface is broadened in these systems. We further provide an overview of our research findings for reducing the attack surface and present the open security challenges that are specific to such systems.
The increasing use of Industrial IOT (IIOT) solutions has led to an equal increase in the security risks associated with the connected devices. Security requirements engineering (SRE) aims at reducing these risks by implementing security-by-design principles. To mitigate the security risks in the industrial communication networks, the standard ISA/IEC 62443-1-1 recommends the defense-in-depth design strategy for a secure segmentation of industrial assets into security zones and conduits. Security zones associated with different trust levels signal the criticality of the assets within. However, the current SRE methodologies lack any support to security zoning; thus, they are incapable to reduce the security risks, especially in relation to IIOT.
To fill this gap, we develop a layered SRE methodology in line with the SABSA framework. Starting with the business view, each successive layer brings a new level of abstraction to the design and implementation of a secure network. We use STS (Socio-Technical Systems) SRE methodology for the first two layers: the business view and the architect’s view. As STS is less suitable for risk analysis, we propose Anti-STS, a new multi antiagent threat model, which characterizes the social dependency between the attacking agents in a network environment. For the third layer of the designer’s view, we propose an Answer Set Programming (ASP) tool to obtain zoning solutions underpinned by dataflow and media integrity.
Our use case scenario includes an aircraft domain comprising of the system agents (applications) and an airport domain comprising of the environment agents (staff). Our layered methodology aims to group agents in security zones controlled within domains and to derive the relevant network security requirements. It also brings in the perspectives of different stakeholders, who are vital in driving business objectives forward.
Sophisticated cyberattackers (commonly known as advanced persistent threats (APTs)) pose enormous risks to organizations such as financial institutions, industrial and commercial firms, government institutions, and power grids. This study presents a method and an index to measure the vulnerability of organizations to APT risk and shows why a one-size-fits-all solution to mitigate APT risk does not exist. Our vulnerability index is based on a model that describes the optimal behavior of a cyberattacker (APT) with research and development capabilities aspiring to attack a network that manages the organization and a network operator that deploys blocking and detection measures to protect its organization from the attack. We demonstrate how our vulnerability index, which accounts for the network’s structure and the APTs’ resources and strategy, can be used in realistic risk assessments and optimal resource allocation procedures and serve as a benchmark for organizations’ preparedness against APTs’ cyberattacks. We also propose that regulatory agencies of financial (and other) institutions provide the parameters that define an APT’s profile and request, as part of their periodic assessments of the organizations that they regulate, that our (or similar) vulnerability index will be reported to them by the regulated institutions. Finally, the viability of our index in modeling modern cybersecurity defense procedures shows that not only there is no silver bullet defense against all types of APTs, it is also imperative to account for APTs’ heterogeneity because detection and blocking measures can be complements, substitutes, or even degrade each other. For example, when the attacker’s (defender’s) budget is extremely large (small), the defender should deploy only detection measures, strongly advocating Zero Trust practices.
Supplemental Material: The online appendix is available at https://doi.org/10.1287/deca.2023.0072 .
Most Threat Analysis (TA) techniques analyze threats to targeted assets (e.g., components, services) by considering static interconnections among them. However, in dynamic environments, e.g., the Cloud, resources can instantiate, migrate across physical hosts, or decommission to provide rapid resource elasticity to its users. Existing TA techniques are not capable of addressing such requirements. Moreover, complex multi-layer/multi-asset attacks on Cloud systems are increasing, e.g., the Equifax data breach; thus, TA approaches must be able to analyze them. This paper proposes ThreatPro, which supports dynamic interconnections and analysis of multi-layer attacks in the Cloud. ThreatPro facilitates threat analysis by developing a technology-agnostic information flow model, representing the Cloud's functionality through conditional transitions. The model establishes the basis to capture the multi-layer and dynamic interconnections during the life cycle of a Virtual Machine. ThreatPro contributes to (1) enabling the exploration of a threat's behavior and its propagation across the Cloud, and (2) assessing the security of the Cloud by analyzing the impact of multiple threats across various operational layers/assets. Using public information on threats from the National Vulnerability Database, we validate ThreatPro's capabilities, i.e., identify and trace actual Cloud attacks and speculatively postulate alternate potential attack paths.
Expressing attack-defence trees in a multiagent setting allows for studying a new aspect of security scenarios, namely, how the number of agents and their task assignment impact the performance,
e.g.
,
attack time, of strategies executed by opposing coalitions. Optimal scheduling of agents' actions, a nontrivial problem, is thus vital. We discuss associated caveats and propose an algorithm that synthesizes such an assignment, targeting minimal attack time and using the minimal number of agents for a given attack-defence tree. We also investigate an alternative approach for the same problem using rewriting logic, starting with a simple and elegant declarative model, whose correctness (in terms of schedule's optimality) is self-evident. We then refine this specification, inspired by the design of our specialized algorithm, to obtain an efficient system that can be used as a playground to explore various aspects of attack-defence trees. We compare the two approaches on different benchmarks.
Attack trees are a graphical formalism for security assessment. They are particularly valued for their explainability and high accessibility without security or formal methods expertise. They can be used, for instance, to quantify the global insecurity of a system arising from the unreliability of its parts, graphically explain security bottlenecks, or identify additional vulnerabilities through their systematic decomposition. However, in most cases, the main hindrance in the practical deployment is the need for a domain expert to construct the tree manually or using further models. This paper demonstrates how to learn attack trees from logs, i.e., sets of traces, typically stored abundantly in many application domains. To this end, we design a genetic algorithm and apply it to classes of trees with different expressive power. Our experiments on real data show that comparably simple yet highly accurate trees can be learned efficiently, even from small data sets.
Attack trees (ATs) are an important tool in security analysis, and an important part of AT analysis is computing metrics. However, metric computation is NP-complete in general. In this paper, we showcase the use of mixed integer linear programming (MILP) as a tool for quantitative analysis. Specifically, we use MILP to solve the open problem of calculating the min time metric of dynamic ATs, i.e., the minimal time to attack a system. We also present two other tools to further improve our MILP method: First, we show how the computation can be sped up by identifying the modules of an AT, i.e. subtrees connected to the rest of the AT via only one node. Second, we define a general semantics for dynamic ATs that significantly relaxes the restrictions on attack trees compared to earlier work, allowing us to apply our methods to a wide variety of ATs. Experiments on a synthetic testing set of large ATs verify that both the integer linear programming approach and modular analysis considerably decrease the computation time of attack time analysis.
Context
With the rapid advancement of unmanned aerial vehicle (UAV) technology, ensuring these autonomous systems’ security and integrity is paramount. UAVs are susceptible to cyberattacks, including unauthorized access, control, or manipulation of their systems, leading to potential safety risks or unauthorized data retrieval. Moreover, UAVs encounter limited computing resources, wireless communication and physical vulnerabilities, evolving threats and techniques, necessity for compliance with regulations, and human factors.
Methods
This review explores the potential cyberthreats faced by UAVs, including hacking, spoofing, and data breaches, and highlights the critical need for robust security measures. It examines various strategies and techniques used to protect UAVs from cyberattacks, e.g., encryption, authentication, and intrusion detection systems using cyberthreat analysis and assessment algorithms. The approach to assess the UAVs’ cybersecurity hazards included STRIDE (a model for identifying computer security-related threats) connected with the threats considered.
Findings
Emphasis was laid on the evaluation highly depending on the accuracy of UAV mission definition, potential intruders, and social and other human-related situations. The review discovered that most studies focused on possible intruders’ portraits, which can be crucial when conducting a cybersecurity assessment. Based on a review, future research directions to mitigate cybersecurity risks are presented.
Significance
Protecting UAVs from cyberthreats ensures safe operations and data integrity and preserves public trust in autonomous systems.
Blockchain technology builds an immutable and append-only ledger in peer-to-peer networks, which attracts attention from various fields. However, traditional chain-based blockchain systems typically have the problem of low throughput, leading to unsatisfactory performance. Among the proposed solutions, introducing a structure of the Directed Acyclic Graph (DAG) into the blockchain reaches a high transaction throughput. Such an approach enables blocks to refer to more than one previous block, thus processing blocks in parallel with better performance. However, existing DAG-based blockchain schemes do not establish a deterministic rule for block reference priority. Adversaries can initiate a splitting attack to select block references to affect DAG topology, making the consensus unstable. In this paper, we propose a more stable consensus protocol named Phantasm, aiming to stabilize the ordering result in the consensus protocol. The referred blocks can be decided after computing a solution to the block puzzle and the difficulty of this solution affects the number of block references. We design two strategies to guide the honest nodes to select references so that they can resist the splitting attacks to stabilize the ordering. Theoretical analysis and simulation experiments show that Phantasm is more stable than the classic DAG-based blockchain consensus protocol Phantom regarding the ordering results.
We discuss an approach to modifying a safety assurance case to take into account malicious intent. We show how to analyze an existing assurance case to reveal additions and modifications that need to be made in order to deal with the effects of malicious intent aimed at safety critical applications, and where to make them.
Analyzing attacks and potential attack paths can help to identify and avoid potential security incidents. Manually estimating an attack path to a targeted software element can be complex since a software system consists of multiple vulnerable elements, such as components, hardware resources, or network elements. In addition, the elements are protected by access control. Software architecture describes the structural elements of the system, which may form elements of the attack path. However, estimating attack paths is complex since different attack paths can lead to a targeted element. Additionally, not all attack paths might be relevant since attack paths can have different properties based on the attacker’s capabilities and knowledge. We developed an approach that enables architects to identify relevant attack paths based on the software architecture. We created a metamodel for filtering options and added support for describing attack paths in an architectural description language. Based on this metamodel, we developed an analysis that automatically estimates attack paths using the software architecture. This can help architects to identify relevant attack paths to a targeted component and increase the system’s overall security. We evaluated our approach on five different scenarios. Our evaluation goals are to investigate our analysis’s accuracy and scalability. The results suggest a high accuracy and good runtime behavior for smaller architectures.KeywordsAttack PropagationSoftware ArchitectureAttack Path
A comprehensive cybersecurity evaluation of automotive on-board networks has become a crucial antecedent to the commercial distribution of vehicles. However, the means to perform the required testing and risk assessment are limited due to the complex and increasingly obscure nature of automotive systems. To rectify this, several approaches have been put forward to systematise and automate the process of evaluating cybersecurity in vehicular systems, but these still require a significant amount of expert input. Accordingly, this work evaluates the existing state of the art in attack tree generation as a means towards automation and systematisation of automotive cybersecurity assurance in addition to considering the potential of novel machine learning methods in pursuing further automation.KeywordsAttack treesAutomotive cybersecurityAttack tree generationThreat modellingArtificial intelligence
bnlearn is an R package which includes several algorithms for learning the structure of Bayesian networks with either discrete or continuous variables. Both constraint-based and score-based algorithms are implemented, and can use the functionality provided by the snow package to improve their performance via parallel computing. Several network scores and conditional independence algorithms are available for both the learning algorithms and independent use. Advanced plotting options are provided by the Rgraphviz package.
The business of contemporary organizations is heavily dependent on information systems. Business processes and IT are interwoven and numerous technologies are in use. How the involved systems affect each other or impact the organizations' business domain is often uncertain, thus decision-making regarding information technology is challenging. Enterprise architecture (EA) is a holistic, model-based management approach. Many of the available EA software tools focus on documenting and have limited analysis capabilities. In this article, a tool for EA analysis is presented, supporting the analysis of properties such as business fit, security, and interoperability. The tool is implemented to support the Predictive, Probabilistic Architecture Modeling Framework to specify and apply assessment frameworks for performing property analysis on EA models. © (2013) by the AIS/ICIS Administrative Office All rights reserved.
This work addresses the growing need of performing meaningful probabilistic analysis of security. We propose a framework that integrates the graphical security modeling technique of attack–defense trees with probabilistic information expressed in terms of Bayesian networks. This allows us to perform probabilistic evaluation of attack–defense scenarios involving dependent actions. To improve the efficiency of our computations, we make use of inference algorithms from Bayesian networks and encoding techniques from constraint reasoning. We discuss the algebraic theory underlying our framework and point out several generalizations which are possible thanks to the use of semiring theory.
In the design phase of business and software system development, it is desirable to predict the properties of the system-to-be. Existing prediction systems do, however, not allow the modeler to express uncertainty with respect to the design of the considered system. In this paper, we propose a formalism, the Predictive, Probabilistic Architecture Modeling Framework (P2AMF), capable of advanced and probabilistically sound reasoning about architecture models given in the form of UML class and object diagrams. The proposed formalism is based on the Object Constraint Language (OCL). To OCL, P2AMF adds a probabilistic inference mechanism. The paper introduces P2AMF, describes its use for system property prediction and assessment, and proposes an algorithm for probabilistic inference.
In the design phase of business and IT system development, it is desirable to predict the properties of the system-to-be. A number of formalisms to assess qualities such as performance, reliability and security have therefore previously been proposed. However, existing prediction systems do not allow the modeler to express uncertainty with respect to the design of the considered system. Yet, in contemporary business, the high rate of change in the environment leads to uncertainties about present and future characteristics of the system, so significant that ignoring them becomes problematic. In this paper, we propose a formalism, the Predictive, Probabilistic Architecture Modeling Framework (P(2)AMF), capable of advanced and probabilistically sound reasoning about business and IT architecture models, given in the form of Unified Modeling Language class and object diagrams. The proposed formalism is based on the Object Constraint Language (OCL). To OCL, P(2)AMF adds a probabilistic inference mechanism. The paper introduces P(2)AMF, describes its use for system property prediction and assessment and proposes an algorithm for probabilistic inference.
Cross-Site Request Forgery (CSRF) vulnerability is extremely widespread and one of the top ten Web application vulnerabilities of the Open Web Application Security Project (OWASP). In this paper, we explore the CSRF vulnerabilities, illustrate the real-world CSRF attack, and present novel CSRF attack tree models. The threat models provide for exploring, understanding, and validating security protection features in realistic web application scenarios.
Attack–defense trees are a novel methodology for graphical security modelling and assessment. They extend the well- known
formalism of attack trees by allowing nodes that represent defensive measures to appear at any level of the tree. This enlarges
the modelling capabilities of attack trees and makes the new formalism suitable for representing interactions between an attacker
and a defender. Our formalization supports different semantical approaches for which we provide usage scenarios. We also formalize
how to quantitatively analyse attack and defense scenarios using attributes.
Information technology (IT) is critical and valuable to our society. An important type of IT system is Supervisor Control And Data Acquisition (SCADA) systems. These systems are used to control and monitor physical industrial processes like electrical power supply, water supply and railroad transport. Since our society is heavily dependent on these industrial processes we are also dependent on the behavior of our SCADA systems. SCADA systems have become (and continue to be) integrated with other IT systems they are thereby becoming increasingly vulnerable to cyber threats. Decision makers need to assess the security that a SCADA system’s architecture offers in order to make informed decisions concerning its appropriateness. However, data collection costs often restrict how much information that can be collected about the SCADA system’s architecture and it is difficult for a decision maker to know how important different variables are or what their value mean for the SCADA system’s security. The contribution of this thesis is a modeling framework and a theory to support cyber security vulnerability assessments. It has a particular focus on SCADA systems. The thesis is a composite of six papers. Paper A describes a template stating how probabilistic relational models can be used to connect architecture models with cyber security theory. Papers B through E contribute with theory on operational security. More precisely, they contribute with theory on: discovery of software vulnerabilities (paper B), remote arbitrary code exploits (paper C), intrusion detection (paper D) and denial-of-service attacks (paper E). Paper F describes how the contribution of paper A is combined with the contributions of papers B through E and other operationalized cyber security theory. The result is a decision support tool called the Cyber Security Modeling Language (CySeMoL). This tool produces a vulnerability assessment for a system based on an architecture model of it.
The digitalization of industrial control systems (ICS) raises
several security threats that can endanger the safety of the critical infrastructures supervised by such systems. This paper presents an analysis
method that enables the identification and ranking of risks leading to a
safety issue, regardless of the origin of those risks: accidental or due to
malevolence. This method relies on a modeling formalism called BDMP
(Boolean logic Driven Markov Processes) that was initially created for
safety studies, and then adapted to security. The use of the method is
first illustrated on a simple case to show how it can be used to make
decisions in a situation where security requirements are in conflict with
safety requirements. Then it is applied to a realistic industrial system: a
pipeline and its instrumentation and control system in order to highlight
possible interactions between safety and security.
Attack-defense trees are used to describe security weaknesses of a system and possible countermeasures. In this paper, the connection between attack-defense trees and game theory is made explicit. We show that attack-defense trees and binary zero-sum two-player extensive form games have equivalent expressive power when considering satisfiability, in the sense that they can be converted into each other while preserving their outcome and their internal structure.
Modern society relies on and profits from well-balanced computerized systems. Each of these systems has a core mission such as the correct and safe operation of safety critical systems or innovative and effective operation of e-commerce systems. It might be said that the success of these systems depends on their mission. Although the concept of “well-balanced” has a slightly different meaning for each of these two categories of systems, both have to meet customer needs, deliver capabilities and functions according to expectations and generate revenue to sustain today’s highly competitive market. Tighter financial constraints are forcing safety critical systems away from dedicated and expensive communication regimes, such as the ownership and operation of dedicated communication links, towards reliance on third parties and standardized means of communication. As a consequence, knowledge about their internal structures and operations is more widely and publicly available and this can make them more prone to security attacks. These systems are, therefore, moving towards a remotely exploitable environment and the risks associated with this must be controlled.
We describe the first systematic, quantitative threat evaluation in a local election jurisdiction in the U.S., Marin County, California, in the November 2010 general election. We made use of a reusable threat model that we have developed over several years. The threat model is based on attack trees with several novel enhancements to promote model reuse and flexible metrics, implemented in a software tool, AttackDog. We assess the practicality of reusable threat models for local elections offices and analyze specific vulnerabilities in Marin County, using as our metric "attack team size" (ATS) - the number of individuals who are knowingly involved in election fraud.
The integration of Software Fault Tree (SFT), which describes intrusions and Coloured Petri Nets (CPNs) that specifies design, is examined for an Intrusion Detection System (IDS). The IDS under development is a collection of mobile agents that detect, classify, and correlate the system and network activities. SFTs, augmented with nodes that describe trust, temporal and contextual relationships, are used to describe intrusions. CPNs for intrusion detection are built using CPN templates created from the augmented SFTs. Hierarchical CPNs are created to detect critical stages of intrusions. The agentbased implementation of the IDS is then constructed from the CPNs. Examples of intrusions and descriptions of the prototype implementation are used to demonstrate how the CPN approach has been used in the development of the IDS. The main contribution of this paper is an approach to systematic specification, design and implementation of an IDS; Innovations include (1) using stages of intrusions to structure the specification and design of the IDS; (2) augmentation of SFT with trust, temporal and contextual nodes to model intrusions; (3) algorithmic construction of CPNs from augmented SFT; and (4) generation of mobile agents from CPNs.
ADTool is free, open source software assisting graphical modeling and quantitative analysis of security, using attack---defense trees. The main features of ADTool are easy creation, efficient editing, and automated bottom-up evaluation of security-relevant measures. The tool also supports the usage of attack trees, protection trees and defense trees, which are all particular instances of attack---defense trees.
Attack modeling has recently been adopted by security analysts as a useful tool in risk assessment of cyber-physical systems. We propose in this paper to model the Stuxnet attack with BDMP (Boolean logic Driven Markov Processes) formalism and to show the advantages of such modeling. After a description of the architecture targeted by Stuxnet, we explain the steps of the attack and model them formally with a BDMP. Based on estimated values of the success probabilities and rates of the elementary attack steps, we give a quantification of the main possible sequences leading to the physical destruction of the targeted industrial facility. This example completes a series of papers on BDMP applied to security by modeling a real case study. It highlights the advantages of BDMP compared to attack trees often used in security assessment.
Security risk management can be applied on well-defined or existing systems; in this case, the objective is to identify existing vulnerabilities, assess the risks and provide for the adequate countermeasures. Security risk management can also be applied very early in the system's development life-cycle, when its architecture is still poorly defined; in this case, the objective is to positively influence the design work so as to produce a secure architecture from the start. The latter work is made difficult by the uncertainties on the architecture and the multiple round-trips required to keep the risk assessment study and the system architecture aligned. This is particularly true for very large projects running over many years. This paper addresses the issues raised by those risk assessment studies performed early in the system's development life-cycle. Based on industrial experience, it asserts that attack trees can help solve the human cognitive scalability issue related to securing those large, continuously-changing system-designs. However, big attack trees are difficult to build, and even more difficult to maintain. This paper therefore proposes a systematic approach to automate the construction and maintenance of such big attack trees, based on the system's operational and logical
architectures, the system's traditional risk assessment study and a security knowledge database.
Business metrics play a critical role in determining the best system-level configuration to achieve an organizational business-level goal. We present a framework for reasoning about business-level implications of malicious attacks affecting information technology (IT) systems that underlie various business processes. Through an exemplar web-based retail company scenario, we demonstrate how to quantify both the relative value of the individual business processes, and the relative cost to the business caused by breach of key security properties. The framework allows for mapping business-level metrics to IT system-level metrics, and uses a combination of those metrics to recommend optimal response actions and to guide recovery from security attacks. We validate the framework against three high-impact attack classes common in such web-based retail company situations.
The cyber security modeling language (CySeMoL) is a modeling language for enterprise-level system architectures coupled to a probabilistic inference engine. If the computer systems of an enterprise are modeled with CySeMoL, this inference engine can assess the probability that attacks on the systems will succeed. The theory used for the attack-probability calculations in CySeMoL is a compilation of research results on a number of security domains and covers a range of attacks and countermeasures. The theory has previously been validated on a component level. In this paper, the theory is also validated on a system level. A test indicates that the reasonableness and correctness of CySeMoL assessments compare with the reasonableness and correctness of the assessments of a security professional. CySeMoL's utility has been tested in case studies.
Measurement of software security is a long-standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence, the need for metrics is more pressing now due to a growing demand for secure software. In this paper, we propose using a software system's attack surface measurement as an indicator of the system's security. We formalize the notion of a system's attack surface and introduce an attack surface metric to measure the attack surface in a systematic manner. Our measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes; we demonstrate our method by measuring the attack surfaces of small desktop applications and large enterprise systems implemented in C and Java. We conducted three exploratory empirical studies to validate our method. Software developers can mitigate their software's security risk by measuring and reducing their software's attack surfaces. Our attack surface reduction approach complements the software industry's traditional code quality improvement approach for security risk mitigation and is useful in multiple phases of the software development lifecycle. Our collaboration with SAP demonstrates the use of our metric in the software development process.
This chapter addresses the problem of learning the parameters from data. It also discusses score-based structure learning and constraint-based structure learning. The method for learning all parameters in a Bayesian network follows readily from the method for learning a single parameter. The chapter presents a method for learning the probability of a binomial variable and extends this method to multinomial variables. It also provides guidelines for articulating the prior beliefs concerning probabilities. The chapter illustrates the constraint-based approach by showing how to learn a directed acyclic graph (DAG) faithful to a probability distribution. Structure learning consists of learning the DAG in a Bayesian network from data. It is necessary to know which DAG satisfies the Markov condition with the probability distribution P that is generating the data. The process of learning such a DAG is called “model selection.” A DAG includes a probability distribution P if the DAG does not entail any conditional independencies that are not in P. In score-based structure learning, a score is assigned to each DAG based on the data such that in the limit. After scoring the DAGs, the score are used, possibly along with prior probabilities, to learn a DAG. The most straightforward score, the Bayesian score, is the probability of the data D given the DAG. Once a DAG is learnt from data, the parameters can be known. The result will be a Bayesian network that can be used to do inference. In the constraint-based approach, a DAG is found for which the Markov condition entails all and only those conditional independencies that are in the probability distribution P of the variables of interest. The chapter applies structure learning to inferring causal influences from data and presents learning packages. It presents examples of learning Bayesian networks and of causal learning.
The basic concepts of capabilities-based attack tree analysis are discussed. A sample methodology suitable for use in an information technology environment is demonstrated. Changes must be made in the system to reduce the probability of an attack or its impact. Attack tree analysis is ideal for investigating solutions like, changes to policy, procedure and technologies, to security problems.
Practical evidence of the actual security performance of network systems is needed in order to be able to manage them in an adequate way. This study investigates whether the attack tree approach can be used for identification of the appropriate data to be measured in a mobile ad hoc network environment, and whether divergent results of attack tree analysis are obtained with different types of network protocols. The study focuses on the data transmitted in the network in connection with attacks against the Ad hoc On demand Distance Vector protocol (AODV) and Mobile Internet Protocol version 6 (MIPv6). The network type and the protocols used in this study were chosen because of their novelty and their potential importance in future communication scenarios. Based on the results of the study, the attack tree approach is a helpful systematic method for exploring vulnerabilities. However, it is not suitable for a very detailed analysis of the attacks in the area of network protocols when applied manually. This is due to the complexity and diversity of information networks, which causes attack trees to inevitably grow uncontrollably large. Furthermore, this study shows that the results obtained by applying attack tree analyses differ depending on the protocol.
Quantitative analysis of survivability is to use mathematical methods to evaluate the survival situation of the existing network quantificationally. It contributes to detect damage to the system in time and give the appropriate recommendations for improvement, so that the system can provide sustained and stable services. This paper presents a quantitative model based on intrusion scenarios to analysis the survivability of the information system. After constructing the attack trees, the intrusion scenarios are produced. Through calculating the degree of risk of the intrusion scenarios, the survivability of each critical service is determined. Furthermore, the survivability of the information system is measured effectively.
In this paper we extend two modules of the multi-agent system FIDES (Fraud Interactive Detection Expert System) previously introduced in Buoni et al. (2011), and involving the attack tree representation of fraudulent attacks. First, assuming that the opinions of experts involved in the design of the attack tree are represented by fuzzy preference relations, we introduce a dynamical consensus model aiming at finding a shared representation of the attack tree. Second, assuming that the leaf nodes of the attack tree are attribute fuzzy numbers valued and that the attributes are interdependent, we show how to propagate the values up the tree through an aggregation process based on Choquet integral.
Attack trees are widely used to represent threat scenarios in a succinct and intuitive manner, suitable for conveying security information to non-experts. The manual construction of such objects relies on the creativity and experience of specialists, and therefore it is error-prone and impracticable for large systems. Nonetheless, the automated generation of attack trees has only been explored in connection to computer networks and levering rich models, whose analysis typically leads to an exponential blow-up of the state space. We propose a static analysis approach where attack trees are automatically inferred from a process algebraic specification in a syntax-directed fashion, encompassing a great many application domains and avoiding incurring systematically an exponential explosion. Moreover, we show how the standard propositional denotation of an attack tree can be used to phrase interesting quantitative problems, that can be solved through an encoding into Satisfiability Modulo Theories. The flexibility and effectiveness of the approach is demonstrated on the study of a national-scale authentication system, whose attack tree is computed thanks to a Java implementation of the framework.
Stuxnet attack on critical infrastructures is considered as paradigm shift in malware attack approach. The complexity and sophistication involved in this attack make it unique. Attacking approach of the malware, on control infrastructures, is a motivation for academic research. This paper describes the application of the Attack Tree methodology to analyze Stuxnet attack on SCADA system. Root node of the Attack Tree represents the major goal of an attacker and branches represent sub goals. The authors have identified six major goals to penetrate SCADA system, and then have built Attack Trees which demonstrate step by step activity to achieve these goals and sub goals. For each such sub goal, we have found several common categories of attacks which make Stuxnet attack successful and are used to analyze those components of control infrastructure which are susceptible to attacks.
Recent attacks are better coordinated, difficult to discover, and inflict severe damages to networks. However, existing response systems handle the case of a single ongoing attack. This limitation is due to the lack of an appropriate model that describes coordinated attacks. In this paper, we address this limitation by presenting a new formal description of individual, coordinated, and concurrent attacks. Afterwards, we combine Graph Theory and our attack description in order to model attack graphs that cover the three attacks types. Finally, we show how to automatically generate these attack graphs using a logical approach based on Situation Calculus.
In this paper, we give, for constant k, a linear time algorithm, that given a graph G = (V, E), determines whether the treewidth of G is at most k, and if so, finds a tree-decomposition of G with treewidth at most k. A consequence is that every minor-closed class of graphs that does not contain all planar graphs has a linear time recognition algorithm.
reproduced or transmitted, in any form or by any means, without permission.
Recently, there have been attacks against several privacy data warehouses, databases which hold the personal information of thousands of people. This data has been released into the public, and many identity theft claims have been made as a result. This leads to confusion, distrust, and frustration on the part of those attacked. The question which naturally results is, "Why wasn't my data protected against this attack?" Often, flaws in security are overlooked in networks, either through ignorance of the types of threats, simple neglect, a lack of resources, or a combination of all three. Usually, it is the lack of resources which leads to the infiltration of a computer network, and this led to disastrous results in the past, such as the identity theft situation described above. Lack of resources can play a large role in the insufficient security of a computer resource, such as a network. There are various ways of tackling this problem, but it all starts with knowing what the potential attack is, and then trying to develop a countermeasure to that attack. Knowing where to place the effort in protecting against a potential threat is of critical importance when one's defense resources are limited. Enumeration of the different types of attacks and the probabilities of those attacks can therefore be used to predict where and how often a type of attack will occur. One method of listing out these attacks is what is known as 'attack trees'. This paper describes and defines attack trees, what they are, how they are used, and why they have been instrumental in developing plans for protecting against attacks in two types of protocols, the Border Gateway Protocol and the Simple Mail Transfer Protocol.
We present a new fully adaptive computational model for attack trees that allows attackers to repeat atomic attacks if they fail and to play on if they are caught and have to pay penalties. The new model allows safer conclusions about the security of real-life systems and is somewhat (computationally) easier to analyze. We show that in the new model optimal strategies always exist and finding the optimal strategy is (just) an np-complete problem. We also present methods to compute adversarial utility estimation and utility upper bound approximated estimation using a bottom-up approach.
Attack trees model the decision making process of an adversary who plans to attack a certain system. Attack-trees help to visualize possible attacks as Boolean combinations of atomic attacks and to compute attack-related parameters such as cost, success probability and likelihood. The known methods of estimating adversarie’s utility are of high complexity and set many unnatural restrictions on adversaries’ behavior. Hence, their estimations are incorrect-even if the computed utility is negative, there may still exist beneficial ways of attacking the system. For avoiding unnatural restrictions, we study fully adaptive adversaries that are allowed to try atomic attacks in arbitrary order, depending on the results of the previous trials. At the same time, we want the algorithms to be efficient. To achieve both goals, we do not try to measure the exact utility of adversaries but only upper bounds. If adversaries’ utility has a negative upper bound, it is safe to conclude that there are no beneficial ways of attacking the system, assuming that all reasonable atomic attacks are captured by the attack tree.
During a single run of the collect algorithm on a covering join tree (V, E, A, D), exactly |E| messages are computed and transmitted. This chapter presents the arising algorithm called the Shenoy-Shafer architecture. It reduces the number of computed messages to 2|E| for an arbitrary number of queries. The chapter introduces the Lauritzen-Spiegelhalter architecture, HUGIN architecture and idempotent Architecture. More concretely, they presuppose some concept of division that will be defined. Essentially, there are three requirements for introducing a division operator, namely either separativity, regularity or idempotency. Based on the division operator, scaling or normalization can be introduced on a generic, algebraic level as explored in the chapter. Moreover, it is then also required that the solution of inference problems gives scaled results. Therefore the chapter focuses on how the local computation architectures can be adapted to deliver scaled results directly. evolutionary computation; fifth generation systems; query formulation
Attack tree (AT) is one of the widely used non‐state‐space models for security analysis. The basic formalism of AT does not take into account defense mechanisms. Defense trees (DTs) have been developed to investigate the effect of defense mechanisms using measures such as attack cost, security investment cost, return on attack (ROA), and return on investment (ROI). DT, however, places defense mechanisms only at the leaf nodes and the corresponding ROI/ROA analysis does not incorporate the probabilities of attack. In attack response tree (ART), attack and response are both captured but ART suffers from the problem of state‐space explosion, since solution of ART is obtained by means of a state‐space model. In this paper, we present a novel attack tree paradigm called attack countermeasure tree (ACT) which avoids the generation and solution of a state‐space model and takes into account attacks as well as countermeasures (in the form of detection and mitigation events). In ACT, detection and mitigation are allowed not just at the leaf node but also at the intermediate nodes while at the same time the state‐space explosion problem is avoided in its analysis. We study the consequences of incorporating countermeasures in the ACT using three case studies (ACT for BGP attack, ACT for a SCADA attack and ACT for malicious insider attacks). Copyright © 2011 John Wiley & Sons, Ltd.
An attack tree is a useful analytical technique to model security threats and/or risks, and hence model attacks as actual realizations of the former. Research on attack trees have focused either on applying such trees to model various ranges of security systems, or on advancements to this technique in itself. In this paper, we revisit the notion of attack tree attribution, i.e. how explicit attribute values of child nodes are aggregated to form the attribute of the parent node, and propose a novel attribution approach. We then show using this approach within the context of analyzing the weakest links of security systems, how the weakest link may not necessarily always be so, but instead it depends on the existence of other stronger links within the system.
Understanding the social engineering threat is important in requirements engineering for security-critical information systems. Mal-activity diagrams have been proposed as being better than misuse cases for this purpose, but without any empirical testing. The research question in this study is whether mal-activity diagrams would be more efficient than misuse cases for understanding social engineering attacks and finding prevention measures. After a conceptual comparison of the modelling techniques, a controlled experiment is presented, comparing the efficiency of using the two techniques together with textual descriptions of social engineering attacks. The results were fairly equal, the only significant difference being a slight advantage for mal-activity diagrams concerning perceived ease of use. The study gives new insights into the relative merits of the two techniques, and suggests that the advantage of mal-activity diagrams is smaller than previously assumed. However, more empirical investigations are needed to make detailed conclusions.
The success of a security attack crucially depends on time: the more time available to the attacker, the higher the probability of a successful attack; when given enough time, any system can be compromised. Insight in time-dependent behaviors of attacks and the evolution of the attacker’s success as time progresses is therefore a key for effective countermeasures in securing systems.
This paper presents an efficient technique to analyze attack times for an extension of the prominent formalism of attack trees. If each basic attack step, i.e., each leaf in an attack tree, is annotated with a probability distribution of the time needed for this step to be successful, we show how this information can be propagated to an analysis of the entire tree. In this way, we obtain the probability distribution for the entire system to be attacked successfully as time progresses. For our approach to be effective, we take great care to always work with the best possible compression of the representations of the probability distributions arising. This is achieved by an elegant calculus of acyclic phase type distributions, together with an effective compositional compression technique. We demonstrate the effectiveness of this approach on three case studies, exhibiting orders of magnitude of compression.
IEEE 802.11s is an emerging standard for wireless mesh networks. Networks based on IEEE 802.11s directly benefit from existing security mechanisms in IEEE 802.11. This limits the attack surface of IEEE 802.11s significantly for adversaries that cannot authenticate with the network. Mesh networks are, however, often conceived for community network scenarios, which are inherently more open than managed infrastructure networks. This openness entails an increased risk of insider attacks, i.e., attacks by compromised stations that can authenticate with the network. Currently, IEEE 802.11s is lacking adequate protection against such insider attacks. In this paper, we hence derive an attack model for insider attacks and present two insider attack strategies to which IEEE 802.11s networks are prone, namely impairing the network performance and preventing communication between a pair of nodes. We design countermeasures that allow to defend the wireless network against both types of attacks. Our implementations only incur marginal computational and memory overheads, while the network security is measurably strengthened.
Constraints such as limited security investment cost precludes a security decision maker from implementing all possible countermeasures in a system. Existing analytical model-based security optimization strategies do not prevail for the following reasons: (i) none of these model-based methods offer a way to find optimal security solution in the absence of probability assignments to the model, (ii) methods scale badly as size of the system to model increases and (iii) some methods suffer as they use attack trees (AT) whose structure does not allow for the inclusion of countermeasures while others translate the non-state-space model (e.g., attack response tree) into a state-space model hence causing state-space explosion. In this paper, we use a novel AT paradigm called attack countermeasure tree (ACT) whose structure takes into account attacks as well as countermeasures (in the form of detection and mitigation events). We use greedy and branch and bound techniques to study several objective functions with goals such as minimizing the number of countermeasures, security investment cost in the ACT and maximizing the benefit from implementing a certain countermeasure set in the ACT under different constraints. We cast each optimization problem into an integer programming problem which also allows us to find optimal solution even in the absence of probability assignments to the model. Our method scales well for large ACTs and we compare its efficiency with other approaches.
Measuring the mean time-to-compromise provides important insights for understanding a network's weaknesses and for guiding corresponding defense approaches. Most existing network security metrics only deal with the threats of known vulnerabilities and cannot handle zero day attacks with consistent semantics. In this paper, we propose a unified framework for measuring a network's mean time-to-compromise by considering both known, and zero day attacks. Specifically, we first devise models of the mean time for discovering and exploiting individual vulnerabilities. Unlike existing approaches, we replace the generic state transition model with a more vulnerability-specific graphical model. We then employ Bayesian networks to derive the overall mean time-to-compromise by aggregating the results of individual vulnerabilities. Finally, we demonstrate the framework's practical application to network hardening through case studies.