Efficient and Generic Algorithms for Quantitative Attack Tree Analysis
Numerous analysis methods for quantitative attack tree analysis have been
proposed. These algorithms compute relevant security metrics, i.e. performance
indicators that quantify how good the security of a system is; typical metrics
being the most likely attack, the cheapest, or the most damaging one. However,
existing methods are only geared towards specific metrics or do not work on
general attack trees. This paper classifies attack trees in two dimensions:
proper trees vs. directed acyclic graphs (i.e. with shared subtrees); and
static vs. dynamic gates. For three out of these four classes, we propose novel
algorithms that work over a generic attribute domain, encompassing a large
number of concrete security metrics defined on the attack tree semantics;
dynamic attack trees with directed acyclic graph structure are left as an open
problem. We also analyse the computational complexity of our methods.
Comment: Funding: ERC Consolidator (Grant Number: 864075), and European Union
(Grant Number: 101067199-ProSVED), in IEEE Transactions on Dependable and
Secure Computing, 2022. arXiv admin note: substantial text overlap with
arXiv:2105.0751
How to Generate Security Cameras: Towards Defence Generation for Socio-Technical Systems
Recently security researchers have started to look into automated generation
of attack trees from socio-technical system models. The obvious next step in
this trend of automated risk analysis is automating the selection of security
controls to treat the detected threats. However, the existing socio-technical
models are too abstract to represent all security controls recommended by
practitioners and standards. In this paper we propose an attack-defence model,
consisting of a set of attack-defence bundles, to be generated and maintained
with the socio-technical model. The attack-defence bundles can be used to
synthesise attack-defence trees directly from the model to offer basic
attack-defence analysis, but also they can be used to select and maintain the
security controls that cannot be handled by the model itself.
Comment: GraMSec 2015, 16 pages
Quantitative Security Risk Modeling and Analysis with RisQFLan
Domain-specific quantitative modeling and analysis approaches are fundamental
in scenarios in which qualitative approaches are inappropriate or unfeasible.
In this paper, we present a tool-supported approach to quantitative graph-based
security risk modeling and analysis based on attack-defense trees. Our approach
is based on QFLan, a successful domain-specific approach to support
quantitative modeling and analysis of highly configurable systems, whose
domain-specific components have been decoupled to facilitate the instantiation
of the QFLan approach in the domain of graph-based security risk modeling and
analysis. Our approach incorporates distinctive features from three popular
kinds of attack trees, namely enhanced attack trees, capabilities-based attack
trees and attack countermeasure trees, into the domain-specific modeling
language. The result is a new framework, called RisQFLan, to support
quantitative security risk modeling and analysis based on attack-defense
diagrams. By offering either exact or statistical verification of probabilistic
attack scenarios, RisQFLan constitutes a significant novel contribution to the
existing toolsets in that domain. We validate our approach by highlighting the
additional features offered by RisQFLan in three illustrative case studies from
seminal approaches to graph-based security risk modeling analysis based on
attack trees.
ATM: a Logic for Quantitative Security Properties on Attack Trees
Critical infrastructure systems - for which high reliability and availability
are paramount - must operate securely. Attack trees (ATs) are hierarchical
diagrams that offer a flexible modelling language used to assess how systems
can be attacked. ATs are widely employed both in industry and academia but - in
spite of their popularity - little work has been done to give practitioners
instruments to formulate queries on ATs in an understandable yet powerful way.
In this paper we fill this gap by presenting ATM, a logic to express
quantitative security properties on ATs. ATM allows for the specification of
properties involved with security metrics that include "cost", "probability"
and "skill" and permits the formulation of insightful what-if scenarios. To
showcase its potential, we apply ATM to the case study of a CubeSAT, presenting
three different ways in which an attacker can compromise its availability. We
showcase property specification on the corresponding attack tree and we present
theory and algorithms - based on binary decision diagrams - to check properties
and compute metrics of ATM-formulae.
Security risk assessment in cloud computing domains
Cyber security is one of the primary concerns persistent across any computing platform. While addressing the apprehensions about security risks, an infinite amount of resources cannot be invested in mitigation measures, since organizations operate under budgetary constraints. Therefore, the task of performing security risk assessment is imperative to designing optimal mitigation measures, as it provides insight into the strengths and weaknesses of the different assets affiliated with a computing platform.
The objective of the research presented in this dissertation is to improve upon existing risk assessment frameworks and guidelines associated with different key assets of Cloud computing domains - infrastructure, applications, and users. The dissertation presents various informal approaches to performing security risk assessment which help to identify the security risks confronted by the aforementioned assets, and utilize the results to carry out the required cost-benefit trade-off analyses. This will be beneficial to organizations by aiding them in better comprehending the security risks their assets are exposed to and thereafter securing them by designing cost-optimal mitigation measures. --Abstract, page iv
Towards an efficient vulnerability analysis methodology for better security risk management
2010 Summer.
Includes bibliographical references.
Risk management is a process that allows IT managers to balance the cost of protective measures against gains in mission capability. A system administrator has to make a decision and choose an appropriate security plan that maximizes resource utilization. However, making the decision is not a trivial task. Most organizations have tight budgets for IT security; therefore, the chosen plan must be reviewed as thoroughly as other management decisions. Unfortunately, even the best-practice security risk management frameworks do not provide adequate information for effective risk management. Vulnerability scanning and penetration testing, which form the core of traditional risk management, identify only the set of system vulnerabilities. Given the complexity of today's network infrastructure, it is not enough to consider the presence or absence of vulnerabilities in isolation. Materializing a threat typically requires the combination of multiple attacks using different vulnerabilities. Such a requirement is far beyond the capabilities of current-day vulnerability scanners. Consequently, assessing the cost of an attack or the cost of implementing appropriate security controls is possible only in a piecemeal manner. In this work, we develop and formalize a new network vulnerability analysis model. The model encodes in a concise manner the contributions of different security conditions that lead to system compromise. We extend the model with a systematic risk assessment methodology to support reasoning under uncertainty in an attempt to evaluate the vulnerability exploitation probability. We develop a cost model to quantify the potential loss and gain that can occur in a system if certain conditions are met (or protected). We also quantify the security control cost incurred to implement a set of security hardening measures.
We propose solutions for the system administrator's decision problems covering the areas of risk analysis and risk mitigation analysis. Finally, we extend the vulnerability assessment model to the areas of intrusion detection and forensic investigation.