36 research outputs found
Integrated Attack Tree in Residual Risk Management Framework
Safety-critical cyber-physical systems (CPSs), such as modern cars with cyber capabilities, are highly interconnected. Automotive manufacturers are concerned about cyber attacks on vehicles that can lead to catastrophic consequences, so a new risk management approach is needed to address and investigate cybersecurity risks. Risk management in the automotive domain is challenging because of the technological improvements and advances made every year. The current standard for automotive security is ISO/SAE 21434, which describes a framework covering threats, their associated risks, and risk treatment options such as risk reduction by applying appropriate defences. This paper presents a residual cybersecurity risk management framework aligned with the framework presented in ISO/SAE 21434. A methodology is proposed to develop an integrated attack tree that considers multiple sub-systems within the CPS; integrating attack trees in this way helps the analyst take a broad perspective of system security. Our previous approach uses a flow graph to calculate the residual risk to a system before and after applying defences. This paper extends that initial work: it defines the steps for applying the proposed framework and uses adaptive cruise control (ACC) and adaptive light control (ALC) to illustrate its applicability. The work is evaluated by comparing it with the requirements of the risk management frameworks discussed in the literature; currently, our methodology satisfies more than 75% of those requirements.
Optimal Adversary Behavior for the Serial Model of Financial Attack Trees
Attack tree analysis is used to estimate different parameters of general security threats based on information available for atomic subthreats.
We focus on estimating the expected gains of an adversary based on both the cost and likelihood of the subthreats. Such a multi-parameter analysis is considerably more complicated than separate probability or skill level estimation, requiring exponential time in general. However, this paper shows that under reasonable assumptions a completely different type of optimal substructure exists which can be harnessed into a linear-time algorithm for optimal gains estimation.
More concretely, we use a decision-theoretic framework in which a rational adversary sequentially considers and performs the available attacks. The assumption of rationality serves as an upper bound as any irrational behavior will just hurt the end result of the adversary himself. We show that if the attacker considers the attacks in a goal-oriented way, his optimal expected gains can be computed in linear time.
Our model places the fewest restrictions on adversarial behaviour of all known attack tree models that analyse the economic viability of an attack and, as such, provides the best efficiently computable estimate of the potential reward.
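To make the cost/probability multi-parameter analysis concrete, here is an added worked example (written for this page, not code from the paper above). It evaluates an attack tree in which each leaf carries the attacker's cost and success probability, and finds the subset of leaves with the best expected gain by exhaustive search over all 2^n subsets, which is exactly the exponential baseline the abstract refers to. It uses the simpler "attempt everything at once" cost model, not the paper's serial model or its linear-time algorithm; the tree, the prize and the leaf parameters are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Leaf:
    """Atomic sub-threat: the attacker's cost to attempt it and its success probability."""
    name: str
    cost: float
    p: float


# Internal nodes are ("AND", [children]) or ("OR", [children]).
def leaves(node):
    if isinstance(node, Leaf):
        return [node]
    _, kids = node
    out = []
    for kid in kids:
        out.extend(leaves(kid))
    return out


def success_prob(node, attempted):
    """Probability that the node's goal is reached when only the leaves named in
    `attempted` are tried; leaf outcomes are assumed independent."""
    if isinstance(node, Leaf):
        return node.p if node.name in attempted else 0.0
    op, kids = node
    probs = [success_prob(kid, attempted) for kid in kids]
    if op == "AND":
        result = 1.0
        for q in probs:
            result *= q
        return result
    if op == "OR":
        fail = 1.0
        for q in probs:
            fail *= 1.0 - q
        return 1.0 - fail
    raise ValueError(f"unknown operator {op!r}")


def expected_gain(tree, attempted, prize):
    """Adversary's expected outcome: chance of reaching the root goal times the prize,
    minus the cost of every attempted leaf (costs are paid whether or not it succeeds)."""
    cost = sum(leaf.cost for leaf in leaves(tree) if leaf.name in attempted)
    return success_prob(tree, attempted) * prize - cost


def best_expected_gain(tree, prize):
    """Exhaustive search over every subset of leaves: 2^n evaluations, the exponential
    baseline. Attempting nothing is always available and yields 0."""
    all_leaves = leaves(tree)
    best_gain, best_set = 0.0, frozenset()
    for k in range(1, len(all_leaves) + 1):
        for subset in combinations(all_leaves, k):
            names = frozenset(leaf.name for leaf in subset)
            gain = expected_gain(tree, names, prize)
            if gain > best_gain:
                best_gain, best_set = gain, names
    return best_gain, best_set


# Constructed example: get credentials (phish an employee OR bribe an insider) AND exploit the server.
EXAMPLE_TREE = (
    "AND",
    [
        ("OR", [Leaf("phish_employee", cost=500, p=0.4), Leaf("bribe_insider", cost=30000, p=0.8)]),
        Leaf("exploit_server", cost=5000, p=0.6),
    ],
)
EXAMPLE_PRIZE = 100_000  # constructed value of the root goal to the attacker

if __name__ == "__main__":
    gain, chosen = best_expected_gain(EXAMPLE_TREE, EXAMPLE_PRIZE)
    print(f"best expected gain {gain:.2f} by attempting {sorted(chosen)}")
```

On this tree the rational choice is to attempt only the cheap phishing leaf together with the exploit: adding the expensive bribe raises the success probability of the OR node but lowers the expected gain, which is the kind of trade-off a probability-only or cost-only analysis cannot see.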
Advanced attack tree based intrusion detection
Computer network systems are constantly under attack or have to deal with attack attempts. The first step in any network's ability to fight against intrusive attacks is to be able to detect intrusions while they are occurring. Intrusion Detection Systems (IDS) are therefore vital in any kind of network, just as antivirus is a vital part of a computer system. With the increasing sophistication and complexity of computer network intrusions, most victim systems are compromised by multi-step attacks. In order to provide advanced intrusion detection capability against multi-step attacks, it makes sense to adopt a rigorous and generalising view of tackling intrusions. One direction towards achieving this goal is modelling and, consequently, modelling-based detection.

An IDS is required that has good detection capability: not only to detect higher-level attacks and describe the state of ongoing multi-step attacks, but also to determine whether a high-level attack has been achieved even if some of the modelled low-level attacks are missed by the detector, because the absence of an alert may mean either that the corresponding low-level attack is not being conducted by the adversary, or that it is being conducted but evades detection.

This thesis presents an attack tree based intrusion detection approach for multi-step attacks. An advanced attack tree modelling technique, the Attack Detection Tree, is proposed to model multi-step attacks and facilitate intrusion detection. In addition, the notion of Quality of Detectability is proposed to describe the ongoing states of both the intrusion and its detection. Moreover, a detection uncertainty assessment mechanism is proposed that applies the measured evidence to deal with uncertainty during the assessment process, so that the achievement of high-level attacks can be determined even if some modelled low-level incidents are missing.
Extending the Exposure Score of Web Browsers by Incorporating CVSS
When browsing the Internet, HTTP headers let both clients and servers send extra data in their requests or responses, such as the User-Agent string. This string contains information about the sender's device, browser, and operating system, and its content differs from one browser to another. Despite the privacy and security risks of User-Agent strings, very few works have tackled this problem. Our previous work proposed giving Internet browsers relative exposure scores to help users choose less intrusive ones. The objective of this work is to extend that previous work by: first, conducting a user study to identify its limitations; second, extending the exposure score by incorporating data from the NVD; and third, providing a full implementation instead of a limited prototype. The proposed system assigns scores to users' browsers when they visit our website, suggests alternative safer browsers, and allows the back-end database to be updated with a click of a button. We applied our method to a data set of more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available [4].
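The abstract above combines two ingredients, what a User-Agent string discloses and which known vulnerabilities apply to the browser version it names. The following Python is an added illustration written for this page, not the authors' system or scoring formula. It parses the browser family and version out of a User-Agent string, counts the identifying details the string discloses, looks the version up in a small table of vulnerability records, and averages the two components into a 0-10 score. The vulnerability records, the two-points-per-field disclosure weighting and the averaging are constructed assumptions; the records stand in for NVD data and are not real entries.

```python
import re

# Constructed records standing in for NVD data: (product, first affected version
# inclusive, fixed-in version exclusive, CVSS v3 base score). Not real vulnerabilities.
SAMPLE_VULNS = [
    ("Chrome", (110, 0), (120, 0), 9.6),
    ("Firefox", (100, 0), (115, 0), 8.8),
    ("Edge", (110, 0), (119, 0), 7.5),
]

# Order matters: an Edge User-Agent also contains "Chrome/", so Edge is tested before Chrome.
UA_FAMILIES = [
    ("Firefox", re.compile(r"Firefox/(\d+)\.(\d+)")),
    ("Edge", re.compile(r"Edg/(\d+)\.(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)\.(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)\.(\d+).*Safari/")),
]

# Each identifying detail present in the string adds two points to the disclosure component (max 10).
DISCLOSURE_PATTERNS = {
    "os_family": re.compile(r"Windows|Macintosh|Linux|Android|iPhone|iPad"),
    "os_version": re.compile(r"(?:Windows NT|Mac OS X|Android|OS) \d+(?:[._]\d+)*"),
    "cpu_arch": re.compile(r"x86_64|Win64|x64|WOW64|aarch64|\barm", re.IGNORECASE),
    "device_model": re.compile(r"Android [\d.]+; [^;)]+ Build/"),
    "full_version": re.compile(r"(?:Chrome|Edg|Firefox|Version)/\d+\.\d+\.\d+\.\d+"),
}


def parse_ua(ua):
    """Return (family, (major, minor)) for the first matching browser family, else ("unknown", (0, 0))."""
    for family, pattern in UA_FAMILIES:
        m = pattern.search(ua)
        if m:
            return family, (int(m.group(1)), int(m.group(2)))
    return "unknown", (0, 0)


def disclosed_fields(ua):
    """Names of the identifying details the User-Agent string reveals."""
    return [name for name, pattern in DISCLOSURE_PATTERNS.items() if pattern.search(ua)]


def max_cvss(family, version, vulns):
    """Highest base score among records whose version range covers this browser version."""
    scores = [score for product, lo, hi, score in vulns if product == family and lo <= version < hi]
    return max(scores, default=0.0)


def exposure_score(ua, vulns=SAMPLE_VULNS):
    """Combine the disclosure component (0-10) and the worst applicable CVSS score (0-10)
    into one exposure score by averaging them (an assumed combination rule)."""
    family, version = parse_ua(ua)
    fields = disclosed_fields(ua)
    disclosure = 2.0 * len(fields)
    cvss = max_cvss(family, version, vulns)
    return {
        "family": family,
        "version": version,
        "disclosed": fields,
        "disclosure": disclosure,
        "max_cvss": cvss,
        "score": (disclosure + cvss) / 2.0,
    }


# Constructed User-Agent strings for the walk-through.
UA_CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/118.0.5993.88 Safari/537.36")
UA_EDGE_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.46")
UA_FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"

if __name__ == "__main__":
    for ua in (UA_CHROME_WIN, UA_EDGE_WIN, UA_FIREFOX_LINUX):
        print(exposure_score(ua))
```

Two caveats a practitioner should keep in mind: the string is whatever the client chooses to send, so a spoofed or frozen User-Agent (several browsers now deliberately reduce it) makes the version component unreliable, and a version-range match only says a fix exists for a later version, not that the specific build is exploitable.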
DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees
This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However, there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.
Explaining mountain pine beetle dynamics: From life history traits to large, episodic outbreaks
The mountain pine beetle (MPB) is a destructive forest pest that undergoes boom-bust cycles every 20-40 years. It also has unusual life-history traits, including a chemosensory affinity for large pine trees, coordinated attacks facilitated by aggregation and anti-aggregation pheromones, and variable dispersal that increases in the absence of trees. Using an empirically calibrated model, we show that MPB's distinctive life-history characteristics are responsible for its distinctive population dynamics. Specifically, three life-history traits are necessary for episodic boom-bust dynamics: density-dependent dispersal, where beetles disperse once most of the large trees have been killed; an Allee effect, which requires a threshold number of beetles to overcome tree defenses; and a short generation time, notably in comparison with their pine tree hosts. In addition to explaining the qualitative behavior of MPB dynamics, these three ingredients explain residual tree density, the duration of outbreaks, and the average waiting time between outbreaks. The peak number of beetles, believed to be the primary factor driving range expansion, is mostly a consequence of MPB's constitutive high fecundity. However, two life history traits, MPB's size-dependent fecundity and preference for large trees, are responsible for 25% of the peak number of beetles. By identifying patterns across the extensive MPB literature, and by integrating data across multiple sources, we develop a highly accurate description of MPB's density-dependent interactions with lodgepole pine. We conclude with a simplified mechanistic model, distilled to two difference equations, effectively capturing the essence of MPB outbreak dynamics.
Digital certificates and threshold cryptography
This dissertation discusses the use of secret sharing cryptographic protocols for distributing and sharing of secret documents, in our case PDF documents.
We discuss the advantages and uses of such a system in the context of collaborative environments.
A description of the cryptographic protocol involved and of the necessary Public Key Infrastructure (PKI) is presented. We also provide an implementation of this framework as a proof of concept and justify the use of a certificate extension as the basis for threshold cryptography.
Details of the shared secret distribution protocol and shared secret recovery protocol shall be given as well as the associated technical implementation details.
The actual secret sharing algorithm implemented at this stage is based on an existing well known secret sharing scheme that uses polynomial interpolation over a finite field.
Finally, we conclude with a practical assessment of our prototype.
Conception Assistée des Logiciels Sécurisés pour les Systèmes Embarqués (Computer-Aided Design of Secure Software for Embedded Systems)
A vast majority of distributed embedded systems are concerned by security risks. The fact that applications may end up poorly protected is partially due to methodological gaps in the engineering development process. More specifically, methodologies targeting formal verification may lack support for certain phases of the development process. In particular, system modeling frameworks may be complex to use or not address security at all. Along with that, testing is not usually addressed by verification methodologies, since formal verification and testing are considered as exclusive stages. Nevertheless, we believe that platform testing can be applied to ensure that properties formally verified in a model truly hold for the real system. Our contribution is made in the scope of a model-driven methodology that, in particular, targets secure-by-design embedded systems. The methodology is an iterative process that pursues coverage of several engineering development phases and relies upon existing security analysis techniques. Still in evolution, the methodology is mainly defined via a high-level SysML profile named Avatar. The contribution specifically consists of extending Avatar so as to model security concerns and of formally defining a model transformation towards a verification framework. This contribution allows proofs of authenticity and confidentiality to be conducted. We illustrate how a cryptographic protocol is partially secured by applying several methodology stages. In addition, it is described how security testing was conducted on an embedded prototype platform within the scope of an automotive project.

Résumé (translated from French): A vast majority of distributed embedded systems are concerned by security risks. The fact that applications may be poorly protected is partly due to methodological gaps in the engineering development process. In particular, methodologies that target formal verification may lack support for certain stages of the software development process. Notably, modelling frameworks may be complex to use or not address security at all. In addition, the testing stage is not normally addressed by formal verification methodologies. Nevertheless, we believe that testing on the platform can help ensure that the properties verified in the model are truly preserved by the embedded system. Our contribution is made within a model-based methodology named Avatar that targets security from the design of the system. The methodology is an iterative process that pursues coverage of several stages of software development and relies on several security analysis techniques. The methodology comes with a SysML modelling framework. Our contribution consists notably in extending the Avatar modelling framework to address security aspects and in defining a transformation from the Avatar model to a formal verification framework. This contribution allows proofs of authenticity and confidentiality to be carried out. We show how a cryptographic protocol is partially secured. It is also described how security tests were conducted on a prototype within a vehicular project.