ABSTRACT
Attack simulations may be used to assess the cyber security of systems. In such simulations, the steps taken by an attacker in order to compromise sensitive system assets are traced, and a time estimate may be computed from the initial step to the compromise of assets of interest. Attack graphs constitute a suitable formalism for the modeling of attack steps and their dependencies, allowing the subsequent simulation.
To avoid the costly proposition of building new attack graphs for each system of a given type, domain-specific attack languages may be used. These languages codify the generic attack logic of the considered domain, thus facilitating the modeling, or instantiation, of a specific system in the domain. Examples of possible cyber security domains suitable for domain-specific attack languages are generic types such as cloud systems or embedded systems but may also be highly specialized kinds, e.g. Ubuntu installations; the objects of interest as well as the attack logic will differ significantly between such domains.
In this paper, we present the Meta Attack Language (MAL), which may be used to design domain-specific attack languages such as the aforementioned. The MAL provides a formalism that allows the semi-automated generation as well as the efficient computation of very large attack graphs. We declare the formal background to MAL, define its syntax and semantics, exemplify its use with a small domain-specific language and instance model, and report on the computational performance.
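The kind of computation the abstract describes, tracing attack steps through a graph and estimating the time until an asset is compromised, is shown here as an added example; it is not code from the paper or from MAL. It assumes the common attack-graph convention of OR steps (any parent suffices) and AND steps (all parents required) and fixed per-step times in days; the graph, step names and numbers are constructed.

```python
import heapq

# Constructed attack graph: step -> (kind, local time in days, parent steps).
# "OR" steps need any one parent compromised, "AND" steps need all of them.
GRAPH = {
    "network.access":    ("OR",  0.0,  []),
    "host.connect":      ("OR",  1.0,  ["network.access"]),
    "password.phish":    ("OR",  5.0,  ["network.access"]),
    "host.exploit":      ("OR",  12.0, ["host.connect"]),
    "host.authenticate": ("AND", 0.5,  ["host.connect", "password.phish"]),
    "host.compromise":   ("OR",  0.0,  ["host.exploit", "host.authenticate"]),
    "key.obtain":        ("OR",  3.0,  ["host.compromise"]),
    "data.read":         ("AND", 2.0,  ["host.compromise", "key.obtain"]),
    "vault.access":      ("OR",  1.0,  []),  # no parent, not an entry point
    "backup.read":       ("AND", 1.0,  ["host.compromise", "vault.access"]),
}

def time_to_compromise(graph, entry_points):
    """Earliest time each step can be reached (Dijkstra adapted to AND/OR steps)."""
    children = {step: [] for step in graph}
    for step, (_, _, parents) in graph.items():
        for parent in parents:
            children[parent].append(step)
    # An AND step becomes reachable only when its last parent is finalized.
    pending = {s: len(p) for s, (kind, _, p) in graph.items() if kind == "AND"}
    ttc, came_from = {}, {}
    queue = [(graph[s][1], s, "") for s in entry_points]
    heapq.heapify(queue)
    while queue:
        t, step, parent = heapq.heappop(queue)
        if step in ttc:
            continue  # already finalized with an earlier time
        ttc[step], came_from[step] = t, parent
        for child in children[step]:
            kind, cost, _ = graph[child]
            if child in ttc:
                continue
            if kind == "AND":
                pending[child] -= 1
                if pending[child] > 0:
                    continue  # still waiting for a slower parent
            heapq.heappush(queue, (t + cost, child, step))
    return ttc, came_from

def critical_path(came_from, target):
    """Chain of steps that determines the target's time to compromise."""
    path = []
    while target:
        path.append(target)
        target = came_from[target]
    return path[::-1]
```

Steps missing from the returned `ttc` mapping are unreachable in the model, which is the result a defender looks for after adding a control that removes an edge.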