26 research outputs found

    Security and privacy requirements engineering for human centric IoT systems using eFRIEND and Isabelle

    In this paper, we combine a framework for ethical requirement elicitation eFRIEND with automated reasoning. To provide trustworthy and secure IoT for vulnerable users in healthcare scenarios, we need to apply ethics to arrive at suitable system requirements. In order to map those to technical system requirements, we employ high level logical modeling using dedicated Isabelle frameworks for (1) infrastructures with human actors and security policies, (2) attack tree analysis, and (3) security protocol analysis. Following this outline, we apply these frameworks to a case study for supporting Security and Privacy when diagnosing Alzheimer's patients with smartphone and sensor technolog

    Human centric security and privacy for the IoT using formal techniques

    In this paper, we summarize a new approach to make security and privacy issues in the Internet of Things (IoT) more transparent for vulnerable users. As a pilot project, we investigate monitoring of Alzheimer's patients for a low-cost early warning system based on bio-markers supported with smart technologies. To provide trustworthy and secure IoT infrastructures, we employ formal methods and techniques that allow specification of IoT scenarios with human actors, refinement and analysis of attacks and generation of certified code for IoT component architectures

    Attack time analysis in dynamic attack trees via integer linear programming

    Attack trees are an important tool in security analysis, and an important part of attack tree analysis is computing metrics. This paper focuses on dynamic attack trees and their min time metric, i.e. the minimal time to attack a system. For general attack trees, calculating min time efficiently is an open problem, with the fastest current method being enumerating all minimal attacks, which is NP-hard. This paper presents three tools for calculating min time. First, we introduce a novel method for general dynamic attack trees based on mixed integer linear programming. Second, we show how the computation can be sped up by identifying the modules of an attack tree, i.e. subtrees connected to the rest of the attack tree via only one node. Finally, we define a general semantics for dynamic attack trees that significantly relaxes the restrictions on attack trees compared to earlier work, allowing us to apply our methods to a wide variety of attack trees. Experiments on both a case study of a server cluster and a synthetic testing set of large attack trees verify that both the integer linear programming approach and modular analysis considerably decrease the computation time of attack time analysis
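    The min time metric described in this abstract is easy to compute when the dynamic attack tree is actually a tree: OR takes the fastest child, AND (parallel) the slowest child, and SAND (sequential) the sum of its children. The following is an added illustration, not code from the paper and not the paper's integer linear programming method: it evaluates min time bottom-up for tree-shaped dynamic attack trees and refuses structures where a basic attack step is shared between branches, which is exactly the DAG case where the bottom-up recursion stops being exact and the paper's ILP approach is needed. The gate names, the `BAS`/`Gate` classes and the server-compromise sample with its step times are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Union

# Added example, not code from the paper: a bottom-up min-time evaluator for
# tree-shaped dynamic attack trees with OR, AND (parallel) and SAND (sequential)
# gates. Step times below are constructed sample values.


@dataclass(frozen=True)
class BAS:
    """Basic attack step and the time an attacker needs to execute it."""
    name: str
    time: float


@dataclass(frozen=True)
class Gate:
    kind: str        # "OR", "AND" or "SAND"
    children: tuple  # child nodes, each a BAS or a Gate


Node = Union[BAS, Gate]


def shared_steps(root: Node) -> set:
    """Names of basic attack steps reached by more than one path from the root.

    A shared step means the structure is a DAG rather than a tree. The bottom-up
    recursion in _min_time is not exact there: a SAND gate above a shared step
    would add that step's time once per occurrence although the attacker
    performs it once.
    """
    counts: Counter = Counter()

    def walk(n: Node) -> None:
        if isinstance(n, BAS):
            counts[n.name] += 1
            return
        for child in n.children:
            walk(child)

    walk(root)
    return {name for name, k in counts.items() if k > 1}


def _min_time(n: Node) -> float:
    if isinstance(n, BAS):
        return n.time
    times = [_min_time(c) for c in n.children]
    if n.kind == "OR":
        return min(times)   # attacker picks the fastest disjunct
    if n.kind == "AND":
        return max(times)   # children may run in parallel
    if n.kind == "SAND":
        return sum(times)   # children must run one after another
    raise ValueError(f"unknown gate kind {n.kind!r}")


def min_time(root: Node) -> float:
    """Minimal attack time of a tree-shaped dynamic attack tree.

    Raises ValueError on DAG-shaped input instead of returning an inexact value.
    """
    shared = shared_steps(root)
    if shared:
        raise ValueError(
            f"bottom-up min time is not exact on DAGs; shared steps: {sorted(shared)}"
        )
    return _min_time(root)


# Constructed sample: compromise a server either by phishing an admin and then
# escalating privileges, or by scanning and exploiting a service in parallel.
SERVER_TREE = Gate("OR", (
    Gate("SAND", (BAS("phish_admin", 2.0), BAS("escalate_privileges", 3.0))),
    Gate("AND", (BAS("scan_services", 1.0), BAS("exploit_service", 4.0))),
))

# Constructed DAG: the same scan step precedes both sequential branches, so the
# naive recursion would count its 1.0 twice (giving 8.0 for this root).
SERVER_DAG = Gate("SAND", (
    Gate("SAND", (BAS("scan_services", 1.0), BAS("exploit_service", 4.0))),
    Gate("SAND", (BAS("scan_services", 1.0), BAS("phish_admin", 2.0))),
))


if __name__ == "__main__":
    print(min_time(SERVER_TREE))   # 4.0: scan+exploit in parallel beats phish then escalate (5.0)
    try:
        min_time(SERVER_DAG)
    except ValueError as err:
        print(err)
```

    Modules in the paper's sense (subtrees attached to the rest of the structure through a single node) can be evaluated independently with the same recursion and substituted as a single step, which is the speed-up the abstract refers to; the shared-step check above is what tells you whether such a subtree is safe to collapse this way.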

    Quantitative Verification and Synthesis of Attack-Defence Scenarios

    Attack-defence trees are a powerful technique for formally evaluating attack-defence scenarios. They represent in an intuitive, graphical way the interaction between an attacker and a defender who compete in order to achieve conflicting objectives. We propose a novel framework for the formal analysis of quantitative properties of complex attack-defence scenarios, using an extension of attack-defence trees which models temporal ordering of actions and allows explicit dependencies in the strategies adopted by attackers and defenders. We adopt a game-theoretic approach, translating attack-defence trees to two-player stochastic games, and then employ probabilistic model checking techniques to formally analyse these models. This provides a means to both verify formally specified security properties of the attack-defence scenarios and, dually, to synthesise strategies for attackers or defenders which guarantee or optimise some quantitative property, such as the probability of a successful attack, the expected cost incurred, or some multi-objective trade-off between the two. We implement our approach, building upon the PRISM-games model checker, and apply it to a case study of an RFID goods management system

    Formal Template-Based Generation of Attack-Defence Trees for Automated Security Analysis

    Systems that integrate cyber and physical aspects to create cyber-physical systems (CPS) are becoming increasingly complex, but demonstrating the security of CPS is hard and security is frequently compromised. These compromises can lead to safety failures, putting lives at risk. Attack Defense Trees with sequential conjunction (ADS) are an approach to identifying attacks on a system and identifying the interaction between attacks and the defenses that are present within the CPS. We present a semantic model for ADS and propose a methodology for generating ADS automatically. The methodology takes as input a CPS system model and a library of templates of attacks and defenses. We demonstrate and validate the effectiveness of the ADS generation methodology using an example from the automotive domain