Computer Aided Threat Identification

Asnar, Yudis; Li, Tong; Massacci, Fabio; Paci, Federica

doi:10.1109/cec.2011.13

Cited by 10 publications

(7 citation statements)

References 13 publications

(22 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…During the security requirements analysis in each layer, related threat information is required to in order to identify critical security requirements. Such threat analysis was not accommodated by the framework, instead we proposed to incorporate external threat analysis approaches for this purpose (e.g., [12]) or to import corresponding threat information from related studies that have been performed in the same domain (e.g., [18]). However, existing threat analysis approaches cannot holistically analyze multistage attacks on STSs.…”

Section: A a Three-layer Security Requirements Analysis Frameworkmentioning

confidence: 99%

Security attack analysis using attack patterns

Paja

Mylopoulos

et al. 2016

2016 IEEE Tenth International Conference on Research Challenges in Information Science (RCIS)

Self Cite

View full text Add to dashboard Cite

Abstract-Discovering potential attacks on a system is an essential step in engineering secure systems, as the identified attacks will determine essential security requirements. The prevalence of Socio-Technical Systems (STSs) makes attack analysis particularly challenging. These systems are composed of people and organizations, their software systems, as well as physical infrastructures. As such, a thorough attack analysis needs to consider strategic (social and organizational) aspects of the involved people and organizations, as well as technical aspects affecting software systems and the physical infrastructure, requiring a large amount of security knowledge which is difficult to acquire. In this paper, we propose a systematic approach to efficiently leverage a comprehensive attack knowledge repository (CAPEC) in order to identify realistic and detailed attack behaviors, avoiding severe repercussions of security breaches. In particular, we propose a systematic method to model CAPEC attack patterns, which has been applied to 102 patterns, in order to semi-automatically select and apply such patterns. Using the CAPEC patterns as part of a systematic and tool-supported process, we can efficiently operationalize attack strategies and identify realistic alternative attacks on an STS. We validate our proposal by performing a case study on a smart grid scenario.

show abstract

Section: A a Three-layer Security Requirements Analysis Frameworkmentioning

confidence: 99%

Security attack analysis using attack patterns

Paja

Mylopoulos

et al. 2016

2016 IEEE Tenth International Conference on Research Challenges in Information Science (RCIS)

Self Cite

View full text Add to dashboard Cite

show abstract

“…As in [3], we distinguish three types of permission: access, modify, and manage. Each type of permission determines the set of actions that an actor can perform.…”

Section: Requirements Modelingmentioning

confidence: 99%

“…In particular, resources linked to a subgoal are needed for the achievement of the upper level goals. 3 If a (sub)goal is delegated to another actors, the corresponding goal model rooted in the rationale of the delegator is analyzed as described above. Thus, the set of resources needed to achieve a goal includes all resources needed for the achievement of its subgoals possibly via delegation.…”

Section: Mapping Between Access Control Policy and Dependence Networkmentioning

confidence: 99%

Conviviality-driven access control policy

et al. 2014

View full text Add to dashboard Cite

Nowadays many organizations experience security incidents due to unauthorized access to information. To reduce the risk of such incidents, security policies are often employed to regulate access to information. Such policies, however, are often too restrictive, and users do not have the rights necessary to perform assigned duties. As a consequence, access control mechanisms are perceived by users as a barrier and thus bypassed, making the system insecure. In this paper we draw a bridge between the social concept of conviviality and access control. Conviviality has been introduced as a social science concept for ambient intelligence and multi-agent systems to highlight soft qualitative requirements like user-friendliness of systems. To bridge the gap between conviviality and security, we propose a methodological framework for updating and adapting access control policies based on conviviality recommendations. Our methodology integrates and extends existing techniques to assist system designers in the derivation of access control policies from socio-technical requirements of the system, while taking into account the conviviality of the system. We illustrate our framework using the Ambient Assisted Living (AAL) use case from the HotCity of Luxembourg.

show abstract

“…The final considered approach is the security threats identification as done in [2]. This approach is focused on resources and goals as assets of an organization.…”

Section: Amentioning

confidence: 99%

“…New security challenges imposed by these technological advancement can be identified through a number of existing alternatives basing on different parameters. Application security challenges can be identified by either focusing on resources and goals as assets of an organization [2], use of graphical approach such as Unified Modeling Language [3], or use of models such as STRIDE [4]. For the purposes of this paper STRIDE threats model has been selected to identify possible security threats for the anticipated Livestock Data Center system.…”

Section: Introductionmentioning

confidence: 99%

An Approach for Systematically Analyzing and Specifying Security Requirements for the Converged Web-Mobile Applications

al¹

2014

IJCDS

View full text Add to dashboard Cite

As the use of web and mobile applications is becoming pervasive for service delivery and user mobility support, enterprises are now increasingly fighting against a huge number of emerging security threats which interfere with the process of service delivery. As an attempt to help the enterprises in dealing with the emerging security threats in the converged service delivery architecture, this paper presents a methodology for security threat analysis and security requirements specification in web/mobile applications development. The presented methodology is based on a case study Livestock Data Center (LDC) system, which is being developed and it allows both web and mobile interfaces as service delivery channels. Hence the system serves as a representative of other similar setups of service delivery.In addition to the processes of analysis and security specification, the methodology involves threat modeling as well. There are several threat models in the literature. The STRIDE threats model is one among the existing threats models that is used to identify security threats that needs to be addressed in systems such as the LDC system. The STRIDE threats model has been used to identify the likely security threats to our case study. On applying the STRIDE threats model the following threats were identified as prominent: sensitive data exposure, weak server side controls, client side injection, and weak authentication and authorization.The identified security threats were compared to existing threats in traditional web and mobile applications separately in order to figure out the changes when the two computing platforms come together. The findings from our case study have shown that the proposed methodology for security threat analysis and security design can be useful in security requirements specifications in the converged web-mobile applications during development, and can be generally used to assist developers of other similar systems.

show abstract

Computer Aided Threat Identification

Cited by 10 publications

References 13 publications

Security attack analysis using attack patterns

Security attack analysis using attack patterns

Conviviality-driven access control policy

An Approach for Systematically Analyzing and Specifying Security Requirements for the Converged Web-Mobile Applications

Contact Info

Product

Resources

About