
    Towards Automating the Construction & Maintenance of Attack Trees: a Feasibility Study

    Security risk management can be applied to well-defined or existing systems; in this case, the objective is to identify existing vulnerabilities, assess the risks and provide adequate countermeasures. Security risk management can also be applied very early in the system's development life-cycle, when its architecture is still poorly defined; in this case, the objective is to positively influence the design work so as to produce a secure architecture from the start. The latter work is made difficult by the uncertainties in the architecture and the multiple round-trips required to keep the risk assessment study and the system architecture aligned. This is particularly true for very large projects running over many years. This paper addresses the issues raised by those risk assessment studies performed early in the system's development life-cycle. Based on industrial experience, it asserts that attack trees can help solve the human cognitive scalability issue related to securing those large, continuously-changing system designs. However, big attack trees are difficult to build, and even more difficult to maintain. This paper therefore proposes a systematic approach to automate the construction and maintenance of such big attack trees, based on the system's operational and logical architectures, the system's traditional risk assessment study and a security knowledge database. Comment: In Proceedings GraMSec 2014, arXiv:1404.163

    Model the System from Adversary Viewpoint: Threats Identification and Modeling

    Security attacks are hard to understand and are often described with unfriendly and limited details, which makes it difficult for security experts and security analysts to create intelligible security specifications that explain, for instance, Why (attack objective), What (system assets, goals, etc.) and How (attack method) the adversary achieved its attack goals. We introduce in this paper a security attack meta-model for our SysML-Sec framework, developed to improve threat identification and modeling through the explicit representation of security concerns with knowledge representation techniques. Our proposed meta-model enables the specification of these concerns through ontological concepts which define the semantics of the security artifacts introduced through SysML-Sec diagrams. This meta-model also enables representing the relationships that tie several such concepts together. This representation is then used for reasoning about the knowledge introduced by system designers as well as security experts through the graphical environment of the SysML-Sec framework. Comment: In Proceedings AIDP 2014, arXiv:1410.322

    Adversarial behaviours knowledge area

    The technological advancements witnessed by our society in recent decades have brought improvements in our quality of life, but they have also created a number of opportunities for attackers to cause harm. Before the Internet revolution, most crime and malicious activity generally required a victim and a perpetrator to come into physical contact, and this limited the reach that malicious parties had. Technology has removed the need for physical contact to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.

    Tree defence and bark beetles in a drying world: carbon partitioning, functioning and modelling.

    Drought has promoted large-scale, insect-induced tree mortality in recent years, with severe consequences for ecosystem function, atmospheric processes, sustainable resources and global biogeochemical cycles. However, the physiological linkages among drought, tree defences, and insect outbreaks are still uncertain, hindering our ability to accurately predict tree mortality under on-going climate change. Here we propose an interdisciplinary research agenda for addressing these crucial knowledge gaps. Our framework includes field manipulations, laboratory experiments, and modelling of insect and vegetation dynamics, and focuses on how drought affects interactions between conifer trees and bark beetles. We build upon existing theory and examine several key assumptions: (1) there is a trade-off in tree carbon investment between primary and secondary metabolites (e.g. growth vs defence); (2) secondary metabolites are one of the main components of tree defence against bark beetles and associated microbes; and (3) implementing conifer-bark beetle interactions in current models improves predictions of forest disturbance in a changing climate. Our framework provides guidance for addressing a major shortcoming in current implementations of large-scale vegetation models, the under-representation of insect-induced tree mortality.

    Appetite for self-destruction: suicidal biting as a nest defense strategy in Trigona stingless bees

    Self-sacrificial behavior represents an extreme and relatively uncommon form of altruism in worker insects. It can occur, however, when inclusive fitness benefits are high, such as when defending the nest. We studied nest defense behaviors in stingless bees, which live in eusocial colonies subject to predation. We introduced a target flag to nest entrances to elicit defensive responses and quantified four measures of defensivity in 12 stingless bee species in São Paulo State, Brazil. These included three Trigona species, which are locally known for their aggression. Species varied significantly in their attack probability (cross-species range = 0–1, P < 0.001), attack latency (7.0–23.5 s, P = 0.002), biting duration of individual bees (3.5–508.7 s, P < 0.001), and number of attackers (1.0–10.8, P < 0.001). A “suicide” bioassay on the six most aggressive species determined the proportion of workers willing to suffer fatal damage rather than disengage from an intruder. All six species had at least some suicidal individuals (7–83 %, P < 0.001), reaching 83 % in Trigona hyalinata. Biting pain was positively correlated with an index of overall aggression (P = 0.002). Microscopic examination revealed that all three Trigona species had five sharp teeth per mandible, a possible defensive adaptation and cause of increased pain. Suicidal defense via biting is a new example of self-sacrificial altruism and has both parallels and differences with other self-sacrificial worker insects, such as the honey bee. Our results indicate that suicidal biting may be a widespread defense strategy in stingless bees, but it is not universal.

    Modelling escalation of attacks in federated identity management

    PhD thesis. Federated Identity Management (FIM) is an increasingly prevalent method for authenticating users online. FIM offloads the authentication burden from a Service Provider (SP) to an Identity Provider (IdP) that the SP trusts. The different entities involved in the FIM process are referred to as stakeholders. The benefits of FIM to stakeholders are clear, such as the ability for users to use Single Sign-On. However, the security of FIM also has to be evaluated. Attacks on one point in a FIM system can lead to other attacks being possible, and detecting those attacks can be hard just from modelling the functionality of the FIM system. Attacks in which the effect of one attack can become the cause of another attack are referred to in this thesis as escalating attacks. The overall research question this thesis revolves around is: how can we model escalating attacks to detect attacks which are possible only through an adversary first launching another attack, and present the causality of attacks to the FIM stakeholders involved? This thesis performs a survey of existing attacks in FIM. We categorise attacks on FIM using a taxonomy of our own design. This survey is the first attempt at categorising attacks that target FIM using a taxonomy. Some attacks can have an effect that causes another attack to be possible in ways that are difficult to predict. We consider a case study involving OAuth 2.0 (provided by existing literature) as a basis for modelling attack escalation. We then present a language for modelling FIM systems and attacker manipulations on those systems. We find that FIM systems can be generalised for the purpose of a programmatic logical analysis. In addition, attacker manipulations on a system can be broken down using an existing conceptual framework called Malicious and Accidental Fault Tolerance (MAFTIA). Using a generalised FIM system model and MAFTIA, we can express a complex interlinking of attacks informed by case studies in FIM security analysis. This is the first attempt to model FIM systems generally and apply logical analysis to that model. Finally, we show how the causality of attacks can be analysed using attack trees. We find that any solution to an escalating attack can be expressed using a tree model which conforms to existing research on attack trees. Our approach is the first attempt at modelling attacks on FIM systems through the use of attack trees. We consider stakeholder attribution and cost analysis as concrete methods for analysing attack trees.
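    The following block is an added illustration and is not code from either the GraMSec paper above or this thesis. It ties together the two attack-tree ideas on this page: the automated construction of a tree from an architecture description plus a security knowledge database (first abstract), and the analysis of escalating attacks, attacker cost and stakeholder attribution over the resulting tree (this thesis). The FIM architecture, the attack patterns, their costs and the "precondition" links that model escalation are all constructed for the example; the cost model (sum for AND, minimum for OR) is the usual one in attack-tree literature, not a claim about the thesis's own method.

```python
"""Attack tree generated from an architecture and a knowledge database, with
escalation modelled as a precondition: a pattern that requires another
component to be compromised first becomes an AND of that component's own
subtree and the final step. All data below is constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    gate: str = "LEAF"            # "LEAF", "AND" or "OR"
    cost: float = 0.0             # attacker cost, meaningful on leaves only
    owner: str = ""               # stakeholder who controls this point
    children: list = field(default_factory=list)

# Constructed FIM architecture: component id -> (stakeholder, component type)
ARCHITECTURE = {
    "idp":     ("IdP",  "identity_provider"),
    "sp":      ("SP",   "service_provider"),
    "browser": ("User", "user_agent"),
}

# Constructed knowledge database: component type -> (step, cost, precondition)
# A precondition names another component that must already be compromised.
KNOWLEDGE_DB = {
    "identity_provider": [
        ("Phish user's IdP password", 30, None),
        ("Replay stolen IdP session cookie", 10, "browser"),
    ],
    "service_provider": [
        ("Guess SP-local fallback password", 60, None),
        ("Present assertion issued for the victim", 5, "idp"),
    ],
    "user_agent": [
        ("Install cookie-stealing malware on user device", 45, None),
    ],
}

def build_subtree(component, architecture, knowledge_db, visited=()):
    """OR over every applicable pattern; escalating patterns recurse into the
    precondition's subtree. `visited` stops cycles between components."""
    owner, ctype = architecture[component]
    branches = []
    for step, cost, precondition in knowledge_db.get(ctype, []):
        leaf = Node(step, cost=cost, owner=owner)
        if precondition is None:
            branches.append(leaf)
        elif precondition not in visited and precondition != component:
            pre = build_subtree(precondition, architecture, knowledge_db,
                                visited + (component,))
            branches.append(Node(f"{step} after compromising {precondition}",
                                 "AND", children=[pre, leaf]))
    return Node(f"Compromise {component}", "OR", children=branches)

def fim_goal_tree():
    """Root goal: act as the victim at the service provider."""
    return build_subtree("sp", ARCHITECTURE, KNOWLEDGE_DB)

def cheapest(node):
    """(minimum attacker cost, leaf nodes on that cheapest path)."""
    if node.gate == "LEAF":
        return node.cost, [node]
    results = [cheapest(c) for c in node.children]
    if not results:
        return float("inf"), []
    if node.gate == "AND":
        return sum(c for c, _ in results), [l for _, ls in results for l in ls]
    return min(results, key=lambda r: r[0])

def paths(node):
    """Every distinct set of leaf steps that achieves the goal, for review."""
    if node.gate == "LEAF":
        return [[node.name]]
    if node.gate == "OR":
        return [p for c in node.children for p in paths(c)]
    combos = [[]]
    for c in node.children:
        combos = [a + b for a in combos for b in paths(c)]
    return combos

def attribution(node):
    """Stakeholder attribution: share of the cheapest path's cost that sits on
    each stakeholder's components, i.e. who can raise the attacker's bill."""
    _, leaves = cheapest(node)
    share = {}
    for leaf in leaves:
        share[leaf.owner] = share.get(leaf.owner, 0) + leaf.cost
    return share

if __name__ == "__main__":
    tree = fim_goal_tree()
    cost, leaves = cheapest(tree)
    print("cheapest attack costs", cost, "via", [l.name for l in leaves])
    for p in paths(tree):
        print("path:", " -> ".join(p))
    print("attribution:", attribution(tree))
```

    Run as a script it lists three attack paths for the constructed data: the direct guess at the SP, the escalation through a phished IdP password, and the two-hop escalation from a compromised user agent into an IdP session and then the SP. The cheapest path is the phish-then-present chain, and attribution shows that the SP's own step contributes only 5 of its 35 units of cost, so the IdP-side control (credential hardening) is where the attacker's cost is most easily raised. Changing a cost in KNOWLEDGE_DB and rebuilding is the maintenance step the first abstract argues should be automatic.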

    Classification hardness for supervised learners on 20 years of intrusion detection data

    This article consolidates analysis of established (NSL-KDD) and new intrusion detection datasets (ISCXIDS2012, CICIDS2017, CICIDS2018) through the use of supervised machine learning (ML) algorithms. The uniformity in analysis procedure opens up the option to compare the obtained results. It also provides a stronger foundation for the conclusions about the efficacy of supervised learners on the main classification task in network security. This research is motivated in part by the lack of adoption of these modern datasets. It starts with a broad scope, classification by algorithms from different families on both established and new datasets, to expand the existing foundation and reveal the most opportune avenues for further inquiry. After obtaining baseline results, the classification task was increased in difficulty by reducing the available data to learn from, both horizontally and vertically. The data reduction has been included as a stress test to verify whether the very high baseline results hold up under increasingly harsh constraints. Ultimately, this work contains the most comprehensive set of results on the topic of intrusion detection through supervised machine learning. Researchers working on algorithmic improvements can compare their results to this collection, knowing that all results reported here were gathered through a uniform framework. This work's main contributions are the outstanding classification results on the current state-of-the-art datasets for intrusion detection and the conclusion that these methods show remarkable resilience in classification performance even when aggressively reducing the amount of data to learn from.
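    The following block is an added illustration of the stress-test procedure the abstract describes, not code from the article. It fixes a test set once and then shrinks only the training data, horizontally (keeping a fraction of the flows) and vertically (keeping a subset of the features), reporting accuracy for each combination. The flow records are constructed in the script, not drawn from NSL-KDD or the CIC datasets; the classifier is a standard-library nearest-centroid model chosen so the block runs without scikit-learn, and the feature names are assumptions.

```python
"""Stress test for a supervised intrusion classifier: shrink the training set
horizontally (fewer flows) and vertically (fewer features) while the test set
stays fixed, so the accuracy numbers are comparable across the grid."""
import random
from statistics import mean, pstdev

FEATURES = ["duration_s", "bytes", "packets", "syn_ratio"]   # assumed names

def make_flows(n_per_class=300, seed=7):
    """Constructed flow records, not from any real dataset: long benign
    sessions versus short, SYN-heavy attack flows."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_per_class):
        rows.append(([rng.uniform(10, 30), rng.uniform(1e4, 2e5),
                      rng.uniform(200, 400), rng.uniform(0.0, 0.05)], "benign"))
        rows.append(([rng.uniform(0.0, 0.05), rng.uniform(40, 120),
                      rng.uniform(1, 3), rng.uniform(0.95, 1.0)], "attack"))
    rng.shuffle(rows)
    return rows

def fit_nearest_centroid(train, cols):
    """Standardise the chosen columns with training statistics only (no test
    leakage), keep one centroid per class, return a predict(x) closure."""
    mu = [mean(x[c] for x, _ in train) for c in cols]
    sd = [pstdev(x[c] for x, _ in train) or 1.0 for c in cols]

    def z(x):
        return [(x[c] - m) / s for c, m, s in zip(cols, mu, sd)]

    centroids = {}
    for label in sorted({lab for _, lab in train}):
        pts = [z(x) for x, lab in train if lab == label]
        centroids[label] = [mean(col) for col in zip(*pts)]

    def predict(x):
        zx = z(x)
        return min(centroids, key=lambda lab: sum(
            (a - b) ** 2 for a, b in zip(zx, centroids[lab])))
    return predict

def accuracy(predict, test):
    return sum(predict(x) == lab for x, lab in test) / len(test)

def stress_test(rows, row_fractions=(1.0, 0.25, 0.05),
                feature_sets=((0, 1, 2, 3), (3,), (1,))):
    """Fixed 70/30 split; only the training side is reduced. Returns
    {(row_fraction, feature_names): accuracy} for the whole grid."""
    split = int(len(rows) * 0.7)
    train, test = rows[:split], rows[split:]
    results = {}
    for frac in row_fractions:                       # horizontal reduction
        sub = train[:max(2, int(len(train) * frac))]
        for cols in feature_sets:                    # vertical reduction
            key = (frac, tuple(FEATURES[c] for c in cols))
            results[key] = accuracy(fit_nearest_centroid(sub, cols), test)
    return results

if __name__ == "__main__":
    for (frac, feats), acc in stress_test(make_flows()).items():
        print(f"rows={frac:<5} features={','.join(feats):<40} acc={acc:.3f}")
```

    On the constructed data the full feature set and the syn_ratio column alone both separate the classes perfectly, while bytes alone degrades because the benign byte-count range runs down to values close to the attack centroid. That is the kind of per-feature result the vertical reduction is meant to expose: a headline accuracy can rest on one or two features, and a dataset where those features are unreliable will not reproduce it.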