DAG-based attack and defense modeling: don’t miss the forest for the attack trees. (English) Zbl 1300.68026
Summary: This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals.
The objective of this survey is to summarize the existing methodologies, compare their features, and propose a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.
The objective of this survey is to summarize the existing methodologies, compare their features, and propose a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.
MSC:
| 68P25 | Data encryption (aspects in computer science) |
| 94A60 | Cryptography |
| 68-02 | Research exposition (monographs, survey articles) pertaining to computer science |
Keywords:
graphical models for security; attack trees; Bayesian networks; attack and defense modeling; quantitative security assessment; qualitative security assessment; security measuresReferences:
| [10] | Byres, E. J.; Franz, M.; Miller, D., The use of attack trees in assessing vulnerabilities in SCADA systems, (International Infrastructure Survivability Workshop (IISW’04) (2004), Institute of Electrical and Electronics Engineers: Institute of Electrical and Electronics Engineers Lisbon), http://blogfranz.googlecode.com/files/SCADA-Attack-Trees-IISW.pdf |
| [20] | Bagnato, A.; Kordy, B.; Meland, P. H.; Schweitzer, P., Attribute decoration of attack-defense trees, Int. J. Secure Softw. Eng., 3, 2, 1-35 (2012), Special Issue on Security Modeling |
| [24] | Vesely, W. E.; Goldberg, F. F.; Roberts, N. H.; Haasl, D. F., Fault Tree Handbook Tech. Rep. NUREG-0492 (1981), U.S. Regulatory Commission, URL http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0492/sr0492.pdf |
| [26] | Schneier, B., Attack trees: modeling security threats, Dobb’s J. Softw. Tools, 24, 12, 21-29 (1999), URL http://www.ddj.com/security/184414879 |
| [27] | Poolsappasit, N.; Dewri, R.; Ray, I., Dynamic security risk management using Bayesian attack graphs, IEEE Trans. Dependable and Secure Computing, 9, 1, 61-74 (2012) |
| [28] | Mauw, S.; Oostdijk, M., Foundations of attack trees, (Won, D.; Kim, S., ICISC. ICISC, LNCS., vol. 3935 (2005), Springer), 186-198 · Zbl 1185.94058 |
| [29] | Yager, R. R., OWA trees and their role in security modeling using attack trees, Inf. Sci., 176, 20, 2933-2959 (2006) · Zbl 1102.68665 |
| [30] | Amoroso, E. G., Fundamentals of Computer Security Technology (1994), Prentice-Hall, Inc: Prentice-Hall, Inc Upper Saddle River, NJ, USA, URL http://portal.acm.org/citation.cfm?id=179237 · Zbl 0838.68011 |
| [31] | Swiderski, F.; Snyder, W., Threat Modeling (2004), Microsoft Press: Microsoft Press Redmond, URL http://books.google.lu/books?id=xawLAAAACAAJ |
| [32] | Howard, M.; LeBlanc, D., Writing Secure Code (2002), Microsoft Press |
| [37] | Schneier, B., Secrets & Lies: Digital Security in a Networked World (2004), Wiley, Indianapolis, Ind |
| [39] | Kienzle, D. M.; Wulf, W. A., A practical approach to security assessment, (Proceedings of the 1997 New Security Paradigms Workshop. NSPW’97 (1997), ACM: ACM New York, NY, USA), 5-16, URL http://doi.acm.org/10.1145/283699.283731 |
| [40] | Moore, A. P.; Ellison, R. J.; Linger, R. C., Attack modeling for information security and survivability. Technical Note CMU/SEI-2001-TN-001 (2001), Carnegie Mellon University |
| [42] | Vigo, R.; Nielson, F.; Nielson, H. R., Automated generation of attack trees, (CSF’14 (2014), IEEE), in press |
| [43] | Stéphane, Paul, Towards automating the construction & maintenance of attack trees: a feasibility study, (Kordy, B.; Mauw, S.; Pieters, W., GraMSec. GraMSec, EPTCS, vol. 148 (2014)), 31-46 |
| [44] | Whitley, J. N.; Phan, R. C.-W.; Wang, J.; Parish, D. J., Attribution of attack trees, Comput. Electr. Eng., 37, 4, 624-628 (2011) · Zbl 1263.68031 |
| [47] | Bistarelli, S.; Dall’Aglio, M.; Peretti, P., Strategic games on defense trees, (Dimitrakos, T.; Martinelli, F.; Ryan, P. Y.A.; Schneider, S. A., FAST. FAST, LNCS, vol. 4691 (2006), Springer), 1-15, URL http://www.springerlink.com/content/83115122h9007685/ |
| [48] | Edge, K. S.; Dalton, G. C.; Raines, R. A.; Mills, R. F., Using attack and protection trees to analyze threats and defenses to homeland security, (MILCOM (2006), IEEE), 1-7 |
| [49] | Saini, V.; Duan, Q.; Paruchuri, V., Threat Modeling Using Attack Trees, J. Comput. Small Coll., 23, 4, 124-131 (2008), URL http://portal.acm.org/citation.cfm?id=1352100 |
| [50] | Li, X.; Liu, R.; Feng, Z.; He, K., Threat modeling-oriented attack path evaluating algorithm, Trans. Tianjin Univ., 15, 3, 162-167 (2009), URL http://www.springerlink.com/content/v76g872558787214/ |
| [51] | Abdulla, P. A.; Cederberg, J.; Kaati, L., Analyzing the security in the GSM radio network using attack jungles, (Margaria, T.; Steffen, B., ISoLA (1). ISoLA (1), LNCS, vol. 6415 (2010), Springer), 60-74 |
| [52] | Baca, D.; Petersen, K., Prioritizing countermeasures through the countermeasure method for software security (CM-Sec), (Babar, M. A.; Vierimaa, M.; Oivo, M., PROFES. PROFES, LNIBP, vol. 6156 (2010), Springer), 176-190 |
| [53] | Buldas, A.; Laud, P.; Priisalu, J.; Saarepera, M.; Willemson, J., Rational choice of security measures via multi-parameter attack trees, (López, J., CRITIS. CRITIS, LNCS, vol. 4347 (2006), Springer), 235-248 |
| [54] | Jürgenson, A.; Willemson, J., Computing exact outcomes of multi-parameter attack trees, (Meersman, R.; Tari, Z., OTM Conferences (2). OTM Conferences (2), LNCS, vol. 5332 (2008), Springer), 1036-1051 |
| [57] | Buoni, A.; Fedrizzi, M.; Mezei, J., Combining attack trees and fuzzy numbers in a multi-agent approach to fraud detection, Int. J. Electron. Bus., 9, 3, 186-202 (2011) |
| [59] | Wang, J.; Whitley, J. N.; Phan, R. C.-W.; Parish, D. J., Unified parametrizable attack tree, Int. J. Inform. Secur. Res., 1, 1, 20-26 (2011) |
| [60] | Reinhardt, A.; Seither, D.; König, A.; Steinmetz, R.; Hollick, M., Protecting IEEE 802.11s wireless mesh networks against insider attacks, (LCN (2012), IEEE), 224-227 |
| [61] | Roy, A.; Kim, D. S.; Trivedi, K. S., Attack Countermeasure Trees (ACT): towards unifying the constructs of attack and defense trees, Secur. Commun. Netw., 5, 8, 929-943 (2012) |
| [62] | Zhao, C.; Yu, Z., Quantitative analysis of survivability based on intrusion scenarios, (Jin, D.; Lin, S., Advances in Electronic Engineering, Communication and Management vol. 2. Advances in Electronic Engineering, Communication and Management vol. 2, LNEE., vol. 140 (2012), Springer: Springer Berlin Heidelberg), 701-705 |
| [63] | Bortot, S.; Fedrizzi, M.; Giove, S., Modelling fraud detection by attack trees and Choquet integral, (DISA Working Papers 2011/09 (2011), Department of Computer and Management Sciences: Department of Computer and Management Sciences University of Trento, Italy), URL http://ideas.repec.org/p/trt/disawp/2011-09.html |
| [64] | Buoni, A.; Fedrizzi, M., Consensual dynamics and choquet integral in an attack tree-based fraud detection system, (Filipe, J.; Fred, A. L.N., ICAART (1) (2012), SciTePress), 283-288 |
| [68] | Mead, N. R.; Hough, E. D.; Stehney, T. R., Security quality requirements engineering (SQUARE) methodology. Tech. Rep. CMU/SEI-2005-TR-009 (2005), Carnegie Mellon University |
| [73] | Evans, S.; Heinbuch, D.; Kyule, E.; Piorkowski, J.; Wallner, J., Risk-based systems security engineering: stopping attacks with intention, IEEE Secur. Priv., 2, 6, 59-62 (2004) |
| [74] | Buckshaw, D. L.; Parnell, G. S.; Unkenholz, W. L.; Parks, D. L.; Wallner, J. M.; Saydjari, O. S., Mission oriented risk and design analysis of critical information systems, Milit. Oper. Res., 10, 2, 19-38 (2005) |
| [77] | Grunske, L.; Joyce, D., Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles, J. Syst. Softw., 81, 8, 1327-1345 (2008) |
| [79] | Ning, Z.; Xin-yuan, C.; Yong-fu, Z.; Si-yuan, X., Design and application of penetration attack tree model oriented to attack resistance test, (International Conference on Computer Science and Software Engineering, vol. 3 (2008)), 622-626 |
| [81] | Morais, A. N.P.; Martins, E.; Cavalli, A. R.; Jimenez, W., Security protocol testing using attack trees, (CSE (2) (2009), IEEE Computer Society), 690-697 |
| [82] | Cagalaban, G.; Kim, T.; Kim, S., Improving SCADA control systems security with software vulnerability analysis. in: Proceedings of the 12th WSEAS International Conference on Automatic Control, Modelling & Simulation. ACMOS’10, 409-414 (2010), World Scientific and Engineering Academy and Society (WSEAS): World Scientific and Engineering Academy and Society (WSEAS) Stevens Point, Wisconsin, USA, URL http://dl.acm.org/citation.cfm?id=1844174.1844250 |
| [84] | McLaughlin, S.; Podkuiko, D.; McDaniel, P., Energy theft in the advanced metering infrastructure, (Proceedings of the 4th International Conference on Critical Information Infrastructures Security. CRITIS’09 (2010), Springer-Verlag: Springer-Verlag Berlin, Heidelberg), 176-187, URL http://dl.acm.org/citation.cfm?id=1880551.1880566 |
| [86] | Ten, C.-W.; Manimaran, G.; Liu, C.-C., Cybersecurity for critical infrastructures: attack and defense modeling, IEEE Trans. Syst. Man Cybernet. A, 40, 4, 853-865 (2010) |
| [87] | Morais, A.; Cavalli, A.; Martins, E., A model-based attack injection approach for security validation, (Proceedings of the 4th International Conference on Security of Information and Networks. SIN’11 (2011), ACM: ACM New York, NY, USA), 103-110, URL http://doi.acm.org/10.1145/2070425.2070443 |
| [88] | Sanford, M.; Woodraska, D.; Xu, D., Security analysis of FileZilla server using threat models, (SEKE (2011), Knowledge Systems Institute Graduate School), 678-682 |
| [90] | Suleiman, H.; Svetinovic, D., Evaluating the effectiveness of the security quality requirements engineering (SQUARE) method: a case study using smart grid advanced metering infrastructure, Requirements Eng., 1-29 (2012) |
| [92] | Kienzle, D. M., Practical computer security analysis (1998), School of Engineering and Applied Science: School of Engineering and Applied Science University of Virginia, USA, (Ph.D. thesis) |
| [93] | Pumfrey, D., The principled design of computer system safety analyses (1999), Department of Computer Science, University of York: Department of Computer Science, University of York York, UK, URL http://www.cs.york.ac.uk/ djp/publications/Thesis16.pdf |
| [94] | Moberg, F., Security analysis of an information system using an attack tree-based methodology (2000), Chalmers University of Technology, (Master’s thesis) |
| [95] | Foster, N. L., The application of software and safety engineering techniques to security protocol development (2002), University of York, (Ph.D. thesis) |
| [96] | Schechter, S. E., Computer security strength and risk - a quantitative approach (2004), Harvard University: Harvard University Cambridge, Massachusetts, (Ph.D. thesis) |
| [97] | Opel, A., Design and implementation of a support tool for attack trees (2005), Technische Universiteit Eindhoven, Otto-von-Guericke University: Technische Universiteit Eindhoven, Otto-von-Guericke University Magdeburg, Germany, (Master’s thesis) |
| [98] | Karppinen, K., Security measurement based on attack trees in a mobile ad hoc network environment (2005), VTT and University of Oulu, available at http://www.vtt.fi/inf/pdf/publications/2005/P580.pdf |
| [99] | Edge, K. S., A Framework for analyzing and mitigating the vulnerabilities of complex systems via attack and protection trees (2007), Air Force Institute of Technology: Air Force Institute of Technology Wright Patterson AFB, OH, USA, (Ph.D. thesis) |
| [100] | Espedalen, J. H., Attack trees describing security in distributed internet-enabled metrology (2007), Gjøvik University, (Master’s thesis) |
| [101] | Hogganvik, I., A graphical approach to security risk analysis (2007), Faculty of Mathematics and Natural Sciences, University of Oslo, URL http://heim.ifi.uio.no/ ketils/kst/Theses/2007.Hogganvik.pdf |
| [102] | Mägi, T., Practical security analysis of e-voting systems (2007), Tallin University of Technology, Faculty of Information Technology, Department of Informatics: Tallin University of Technology, Faculty of Information Technology, Department of Informatics Estonia, available at http://triinu.net/e-voting/ |
| [103] | Harrington, P. D., Noncooperative potential games to improve network security (2010), Oklahoma State University: Oklahoma State University USA, (Ph.D. thesis) |
| [104] | Jürgenson, A., Efficient semantics of parallel and serial models of attack trees (2010), Tallinn University of Technology, Faculty of Information Technology, Department of Informatics, available at http://digi.lib.ttu.ee/i/?496 |
| [105] | Piètre-Cambacédès, L., Des relations entre sûreté et sécurité (2010), Télécom ParisTech, (Ph.D. thesis) |
| [106] | Roy, A., Attack countermeasure trees: a non-state-space approach towards analyzing security and finding optimal countermeasure sets (2010), Duke University, Department of Electrical and Computer Engineering: Duke University, Department of Electrical and Computer Engineering USA, (Master’s thesis) |
| [107] | Nielsen, J. R., Evaluating information assurance control effectiveness on an air force supervisory control and data acquisition (SCADA) system (2011), US Air Force Institute of Technology, available at http://oai.dtic.mil/oai/oai?verb=getRecord&metadataPrefix=html&identifier=ADA541615 |
| [108] | Ostler, R. T., Defensive cyber battle damage assessment through attack methodology modeling (2011), Air Force Institute of Technology, Department of Electrical and Computer Engineering: Air Force Institute of Technology, Department of Electrical and Computer Engineering USA, (Master’s thesis) |
| [109] | Sameer, K. C., Attack generation from system models (2011), Technical University of Denmark: Technical University of Denmark Denmark, (Master’s thesis) |
| [110] | Zonouz, S. A., Game-theoretic intrusion response and recovery (2011), University of Illinois at Urbana-Champaign: University of Illinois at Urbana-Champaign USA, available at https://www.ideals.illinois.edu/bitstream/handle/2142/29667/AliariZonouz_Saman.pdf?sequence=1 |
| [111] | Buoni, A., Fraud detection in the banking sector (2012), Åbo Akademi University: Åbo Akademi University Finland, (Ph.D. thesis) |
| [112] | Koot, L., Security of mobile TAN on smartphones (2012), Radboud University Nijmegen, Faculty of Science: Radboud University Nijmegen, Faculty of Science The Netherlands, (Ph.D. thesis) |
| [113] | Posea, S., Renewal periods for cryptographic keys (2012), Eindhoven University of Technology, Department of Mathematics and Computer Science: Eindhoven University of Technology, Department of Mathematics and Computer Science Eindhoven, The Netherlands, (Master’s thesis) |
| [114] | Patrick, Schweitzer, Attack-defense trees (2013), University of Luxembourg, (Ph.D. thesis) · Zbl 1379.68117 |
| [119] | Sommestad, T.; Ekstedt, M.; Nordström, L., Modeling security of power communication systems using defense graphs and influence diagrams, IEEE Trans. Power Deliv., 24, 4, 1801-1808 (2009) |
| [120] | Anderson, R. J., Security Engineering—A Guide to Building Dependable Distributed Systems (2001), Wiley |
| [121] | Ingoldsby, T. R., Understanding risk through attack tree analysis, Comput. Secur. J., 20, 2, 33-59 (2004), URL http://www.scopus.com/inward/record.url?eid=2-s2.0-2542453149&partnerID=40&md5=a06d3ff5d42229c9dd48cdecc74428db |
| [122] | Mirembe, D. P.; Muyeba, M., Threat modeling revisited: improving expressiveness of attack, (EMS’08: Proceedings of the 2008 Second UKSIM European Symposium on Computer Modeling and Simulation (2008), IEEE Computer Society: IEEE Computer Society Washington, DC, USA), 93-98 |
| [123] | Vidalis, S.; Jones, A., Using vulnerability trees for decision making in threat assessment. Tech. Rep. CS-03-02 (2003), School of Computing, University of Glamorgan: School of Computing, University of Glamorgan Pontypridd, Wales, UK |
| [124] | Patel, S. C.; Graham, J. H.; Ralston, P. A.S., Quantitatively assessing the vulnerability of critical information systems: a new method for evaluating security enhancements, Int. J. Inform. Manag., 28, 6, 483-491 (2008) |
| [125] | Ray, I.; Poolsapassit, N., Using attack trees to identify malicious attacks from authorized insiders, (di Vimercati, S.; Syverson, P.; Gollmann, D., ESORICS’2005. ESORICS’2005, LNCS, vol. 3679 (2005), Springer: Springer Berlin/Heidelberg), 231-246 |
| [126] | Poolsapassit, N.; Ray, I., Investigating computer attacks using attack trees, (Craiger, P.; Shenoi, S., Advances in Digital Forensics III. Advances in Digital Forensics III, IFIP International Federation for Information Processing, vol. 242 (2007), Springer: Springer Boston), 331-343 |
| [127] | Wang, H.; Liu, S.; Zhang, X., An improved model of attack probability prediction system, Wuhan Univ. J. Nat. Sci., 11, 1498-1502 (2006) · Zbl 1156.94385 |
| [131] | Dewri, R.; Poolsappasit, N.; Ray, I.; Whitley, D., Optimal security hardening using multi-objective optimization on attack tree models of networks, (Proceedings of the 14th ACM Conference on Computer and Communications Security. CCS’07 (2007), ACM: ACM New York, NY, USA), 204-213, URL http://doi.acm.org/10.1145/1315245.1315272 |
| [132] | Dewri, R.; Ray, I.; Poolsappasit, N.; Whitley, D., Optimal security hardening on attack tree models of networks: a cost-benefit analysis, Int. J. Inf. Secur., 11, 3, 167-188 (2012) |
| [134] | Willemson, J.; Jürgenson, A., Serial model for attack tree computations, (Lee, D.; Hong, S., ICISC. ICISC, LNCS, vol. 5984 (2010), Springer), 118-128, URL http://research.cyber.ee/ jan/publ/serialattack.pdf |
| [135] | Jürgenson, A.; Willemson, J., On fast and approximate attack tree computations, (Proceedings of the 6th International Conference on Information Security Practice and Experience. ISPEC’10 (2010), Springer-Verlag: Springer-Verlag Berlin, Heidelberg), 56-66 |
| [136] | Niitsoo, M., Optimal adversary behavior for the serial model of financial attack trees, (Proceedings of the 5th International Conference on Advances in Information and Computer Security. IWSEC’10 (2010), Springer-Verlag: Springer-Verlag Berlin, Heidelberg), 354-370, URL http://dl.acm.org/citation.cfm?id=1927197.1927228 |
| [137] | Buldas, A.; Lenin, A., New efficient utility upper bounds for the fully adaptive model of attack trees, (Das, S. K.; Nita-Rotaru, C.; Kantarcioglu, M., GameSec. GameSec, LNCS, vol. 8252 (2013), Springer), 192-205 · Zbl 1423.68085 |
| [139] | Andrusenko, A., Ründepuude Metoodika Ja Seda Toetav Tarkvaraline Raamistik (2010), Master’s thesis, Tallinn University, available at http://www.cyber.ee/publikatsioonid/20-magistri-ja-doktoritood/loputoeoede-failid/Andrusenko-MA.pdf (in Estonian) |
| [140] | Masera, M.; Fovino, I. N.; Cian, A. D., Risk, reliability and societal safety, (Aven, T.; Vinnem, J. E., Proceedings of the 16th European Safety and Reliability Conference ESREL’07 (2007), Taylor & Francis Group: Taylor & Francis Group London), 1-8 |
| [141] | Fovino, I. N.; Masera, M.; Cian, A. D., Integrating cyber attacks within fault trees, Reliab. Eng. Syst. Safety, 94, 9, 1394-1402 (2009) |
| [143] | Watson, H. A., Launch Control Safety Study. Vol.1 (1961), Bell Labs: Bell Labs Murray Hill, NJ |
| [147] | Leveson, N. G.; Harvey, P. R., Software fault tree analysis, J. Syst. Softw., 3, 2, 173-181 (1983), URL http://www.sciencedirect.com/science/article/pii/0164121283900304 |
| [148] | Leveson, N. G., Safeware: System Safety and Computers (1995), Addison-Wesley Professional, URL http://www.worldcat.org/isbn/0201119722 |
| [149] | Helmer, G.; Wong, J.; Slagell, M.; Honavar, V.; Miller, L.; Lutz, R., A software fault tree approach to requirements analysis of an intrusion detection system, J. Requir. Eng., 7, 4, 207-220 (2002) |
| [150] | Helmer, G.; Wong, J.; Slagell, M.; Honavar, V.; Miller, L.; Wang, Y.; Wang, X.; Stakhanova, N., Software fault tree and coloured Petri net-based specification, design and implementation of agent-based intrusion detection systems, Int. J. Inform. Comput. Secur., 1, 1/2, 109-142 (2007) |
| [151] | Brooke, P. J.; Paige, R. F., Fault trees for security system design and analysis, Computers & Security, 22, 3, 256-264 (2003), URL http://www.sciencedirect.com/science/article/pii/S0167404803003134 |
| [153] | Pearl, J., Fusion, propagation, and structuring in belief networks, Artif. Intell., 29, 3, 241-288 (1986), URL http://www.sciencedirect.com/science/article/pii/000437028690072X · Zbl 0624.68081 |
| [154] | Pearl, J., Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference (1988), Morgan Kaufmann |
| [155] | Neapolitan, R. E., Learning Bayesian Networks (2003), Prentice Hall |
| [156] | Jensen, F. V.; Nielsen, T. D., Bayesian Networks and Decision Graphs (2007), Springer Publishing Company, Incorporated · Zbl 1277.62007 |
| [158] | Dantu, R.; Kolan, P., Risk management using behavior based Bayesian networks, (Kantor, P. B.; Muresan, G.; Roberts, F.; Zeng, D. D.; Wang, F.-Y.; Chen, H.; Merkle, R. C., ISI. ISI, LNCS, vol. 3495 (2005), Springer), 115-126 |
| [159] | Dantu, R.; Kolan, P.; Akl, R.; Loper, K., Classification of attributes and behavior in risk management using bayesian networks, IEEE Intell. Secur. Inform., 71-74 (2007) |
| [160] | Dantu, R.; Kolan, P.; ao, W.; Cangussu, J., Network risk management using attacker profiling, Security Commun. Netw., 2, 1, 83-96 (2009) |
| [162] | Althebyan, Q.; Panda, B., A knowledge-based Bayesian model for analyzing a system after an insider attack, (Jajodia, S.; Samarati, P.; Cimato, S., Proceedings of The Ifip Tc 11 23rd International Information Security Conference. Proceedings of The Ifip Tc 11 23rd International Information Security Conference, IFIP International Federation for Information Processing, vol. 278 (2008), Springer: Springer Boston), 557-571 |
| [164] | Pouly, M.; Kohlas, J., Generic Inference: A Unifying Theory for Automated Reasoning (2011), John Wiley & Sons, Inc · Zbl 1252.68007 |
| [165] | Arnborg, S., Efficient algorithms for combinatorial problems on graphs with bounded decomposability—A survey, BIT, 25, 1-23 (1985) · Zbl 0573.68018 |
| [166] | Bodlaender, H. L., A linear time algorithm for finding tree-decompositions of small treewidth, (Proceedings of The Twenty-fifth Annual ACM Symposium on Theory of Computing. STOC’93 (1993), ACM: ACM New York, NY, USA), 226-234, URL http://doi.acm.org/10.1145/167088.167161 · Zbl 1310.05194 |
| [168] | Närman, P.; Johnson, P.; Lagerström, R.; Franke, U.; Ekstedt, M., Data collection prioritization for system quality analysis, Electron. Notes Theor. Comput. Sci., 233, 29-42 (2009), URL http://dx.doi.org/10.1016/j.entcs.2009.02.059 |
| [171] | Scutari, M., Learning Bayesian Networks with the bnlearn R Package, J. Stat. Softw., 35, 3, 1-22 (2010) |
| [172] | Houmb, S. H.; Franqueira, V. N.L.; Engum, E. A., Quantifying security risk level from CVSS estimates of frequency and impact, J. Syst. Softw., 83, 9, 1634-1662 (2009), URL http://www.sciencedirect.com/science/article/pii/S0164121209002155 |
| [173] | Feng, N.; Xie, J., A Bayesian networks-based security risk analysis model for information systems integrating the observed cases with expert experience, Sci. Res. Essays, 7, 10, 1103-1112 (2012) |
| [175] | Noel, S.; Jajodia, S.; Wang, L.; Singhal, A., Measuring security risk of networks using attack graphs, IJNGC, 1, 1, 135-147 (2010) |
| [176] | Frigault, M.; Wang, L., Measuring network security using Bayesian network-based attack graphs, (The Proceedings of the 32nd Annual IEEE International Conference on Computer Software and Applications (COMPSAC 08) (2008)), 698-703 |
| [180] | Jajodia, S.; Noel, S.; O’Berry, B., Topological analysis of network attack vulnerability, (Kumar, Vipin; Srivastava, Jaideep; Lazarevic, Aleksandar, Managing Cyber Threats: Issues, Approaches, and Challenges (2005), Springer: Springer US), 247-266 |
| [181] | Noel, S.; Elder, M.; Jajodia, S.; Kalapa, P.; O’Hare, S.; Prole, K., Advances in topological vulnerability analysis, (Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security. CATCH’09 (2009), IEEE Computer Society: IEEE Computer Society Washington, DC, USA), 124-129 |
| [186] | Nzoukou, W.; Wang, L.; Jajodia, S.; Singhal, A., A Unified framework for measuring a network’s mean time-to-compromise, (SRDS (2013), IEEE), 215-224 |
| [187] | Mell, P.; Scarfone, K.; Romanosky, S., Common vulnerability scoring system, IEEE Security & Privacy, 4, 6, 85-89 (2006) |
| [188] | Çamtepe, S. A.; Yener, B., A formal method for attack modeling and detection. Tech. Rep. TR-06-01 (2006), Rensselaer Polytechnic Institute: Rensselaer Polytechnic Institute Troy, NY, USA |
| [191] | Ardi, S.; Byers, D.; Shahmehri, N., Towards a structured unified process for software security, (Proceedings of the 2006 International Workshop on Software Engineering for Secure Systems. SESS’06 (2006), ACM: ACM New York, NY, USA), 3-10, URL http://doi.acm.org/10.1145/1137627.1137630 |
| [199] | Dugan, J. B.; Bavuso, S. J.; Boyd, M. A., Dynamic fault tree models for fault tolerant computer systems, IEEE Trans. Reliab., 41, 3, 363-377 (1992) · Zbl 0825.68162 |
| [201] | Dugan, J. B.; Sullivan, K. J.; Coppit, D., Developing a low-cost, high-quality software tool for dynamic fault tree analysis, IEEE Trans. Reliab., 49, 1, 49-59 (2000) |
| [203] | Buldas, A.; Stepanenko, R., Upper bounds for adversaries’ utility in attack trees, (Grossklags, J.; Walrand, J. C., GameSec. GameSec, LNCS, vol. 7638 (2012), Springer), 98-117 · Zbl 1284.91086 |
| [205] | Arnold, F.; Hermanns, H.; Pulungan, R.; Stoelinga, M., Time-dependent analysis of attacks, (Abadi, M.; Kremer, S., POST. POST, LNCS, vol. 8414 (2014), Springer), 285-305 |
| [208] | van Lamsweerde, A.; Letier, E., Handling obstacles in goal-oriented requirements engineering, IEEE Trans. Softw. Eng., 26, 978-1005 (2000), URL http://dl.acm.org/citation.cfm?id=357525.357521 |
| [209] | Bistarelli, S.; Fioravanti, F.; Peretti, P., Defense trees for economic evaluation of security investments, (ARES (2006), IEEE Computer Society), 416-423 |
| [210] | Bistarelli, S.; Peretti, P.; Trubitsyna, I., Analyzing security scenarios using defence trees and answer set programming, Electron. Notes Theor. Comput. Sci., 197, 2, 121-129 (2008) |
| [212] | Dalton, G. C.; Edge, K. S.; Mills, R. F.; Raines, R. A., Analysing security risks in computer and Radio Frequency Identification (RFID) networks using attack and protection trees, Int. J. Security Netw., 5, 2, 87-95 (2010) |
| [215] | Byers, D.; Shahmehri, N., (A cause-based approach to preventing software vulnerabilities. A cause-based approach to preventing software vulnerabilities, Proceedings of the Third International Conference on Availability, Reliability and Security (ARES’08) (2008), IEEE Computer Society: IEEE Computer Society Washington, DC, USA), 276-283 |
| [218] | Roy, A.; Kim, D. S.; Trivedi, K. S., Cyber security analysis using attack countermeasure trees, (Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research. CSIIRW’10 (2010), ACM: ACM New York, NY, USA), 28:1-28:4, URL http://doi.acm.org.proxy.bnl.lu/10.1145/1852666.1852698 |
| [219] | Roy, A.; Kim, D. S.; Trivedi, K. S., Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees, (Swarz, R. S.; Koopman, P.; Cukier, M., DSN (2012), IEEE Computer Society), 1-12 |
| [220] | Trivedi, K. S.; Sahner, R., SHARPE at the age of twenty two, SIGMETRICS Perform. Eval. Rev., 36, 4, 52-57 (2009), URL http://doi.acm.org/10.1145/1530873.1530884 |
| [221] | Kordy, B.; Mauw, S.; Radomirović, S.; Schweitzer, P., (Degano, P.; Etalle, S.; Guttman, J. D., FAST. FAST, LNCS, vol. 6561 (2010), Springer), 80-95 |
| [222] | Kordy, B.; Mauw, S.; Radomirović, S.; Schweitzer, P., Attack-defense trees, J. Logic Comput., 24, 1, 55-87 (2014), URL http://logcom.oxfordjournals.org/content/24/1/55 · Zbl 1311.68062 |
| [223] | Kordy, B.; Pouly, M.; Schweitzer, P., Computational aspects of attack-defense trees, (Security & Intelligent Information Systems. Security & Intelligent Information Systems, LNCS, vol. 7053 (2011), Springer), 103-116 |
| [224] | Kordy, B.; Mauw, S.; Melissen, M.; Schweitzer, P., Attack-defense trees and two-player binary zero-sum extensive form games are equivalent, (Alpcan, T.; Buttyán, L.; Baras, J. S., GameSec. GameSec, LNCS, vol. 6442 (2010), Springer), 245-256 · Zbl 1298.91066 |
| [225] | Kordy, B.; Mauw, S.; Schweitzer, P., Quantitative questions on attack-defense trees, (ICISC. ICISC, LNCS, vol. 7839 (2012), Springer), 49-64 · Zbl 1379.68117 |
| [226] | Kordy, B.; Pouly, M.; Schweitzer, P., A probabilistic framework for security scenarios with dependent actions, (Albert, E.; Sekerinski, E., iFM. iFM, LNCS, vol. 8739 (2014), Springer International Publishing Switzerland 2014), 256-271 |
| [229] | Kordy, B.; Kordy, P.; Mauw, S.; Schweitzer, P., ADTool: security analysis with attack-defense trees, (Joshi, K. R.; Siegle, M.; Stoelinga, M.; D’Argenio, P. R., QEST. QEST, LNCS, vol. 8054 (2013), Springer), 173-176 |
| [231] | Berander, P.; Svahnberg, M., Evaluating two ways of calculating priorities in requirements hierarchies—an experiment on hierarchical cumulative voting, J. Syst. Softw., 82, 5, 836-850 (2009) |
| [234] | Wu, Y.-S.; Foo, B.; Matheny, B.; Olsen, T.; Bagchi, S., ADEPTS: adaptive intrusion containment and response using attack graphs in an e-commerce environment. Tech. rep (2003), Purdue University, School of Electrical and Computer Engineering, URL http://www.ece.purdue.edu/ sbagchi/Research/Papers/adepts_dsn04_submit.pdf |
| [235] | Wu, Y.-S.; Foo, B.; Mei, Y.; Bagchi, S., Collaborative intrusion detection system (cids): a framework for accurate and efficient IDS, (ACSAC (2003), IEEE Computer Society), 234-244 |
| [237] | Wu, Y.-S.; Foo, B.; Mao, Y.-C.; Bagchi, S.; Spafford, E., Automated aaptive intrusion containment in systems of interacting services. Tech. Rep. Paper 68 (2005), Purdue University, School of Electrical and Computer Engineering: Purdue University, School of Electrical and Computer Engineering West Lafayette, IN 47907-2035 |
| [241] | Johnson, P.; Johansson, E.; Sommestad, T.; Ullberg, J., A tool for enterprise architecture analysis, (EDOC (2007), IEEE Computer Society), 142-156 |
| [243] | Peine, H.; Jawurek, M.; Mandel, S., Security goal indicator trees: a model of software features that supports efficient security inspection, (HASE’08: Proceedings of the 2008 11th IEEE High Assurance Systems Engineering Symposium (2008), IEEE Computer Society: IEEE Computer Society Washington, DC, USA), 9-18 |
| [244] | Kloos, J.; Elberzhager, F.; Eschbach, R., Systematic construction of goal indicator trees for indicator-based dependability inspections, (36th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA’10) (2010)), 279-282 |
| [247] | Bouissou, M.; Bon, J.-L., A new formalism that combines advantages of fault-trees and Markov models: Boolean logic driven Markov processes, Reliab. Eng. Syst. Safety, 82, 2, 149-163 (2003) |
| [249] | Piètre-Cambacédès, L.; Bouissou, M., Attack and Defense Modeling with BDMP, (Kotenko, I.; Skormin, V., Computer Network Security. Computer Network Security, LNCS, vol. 6258 (2010), Springer), 86-101, URLhttp://www.springerlink.com/content/47gl0v2158m85340/ · Zbl 1193.68010 |
| [254] | Johnson, C. W., Using assurance cases and boolean logic driven markov processes to formalise cyber security concerns for safety-critical interaction with global navigation satellite systems, (ECEASST 45 (2011)), 1-18 |
| [255] | Kriaa, S.; Bouissou, M.; Colin, F.; Halgand, Y.; Piètre-Cambacédès, L., Safety and security interactions modeling using the BDMP formalism: case study of a pipeline, (Bondavalli, A.; Di Giandomenico, F., SAFECOMP 2014. SAFECOMP 2014, LNCS, vol. 8666 (2014), Springer International Publishing Switzerland 2014), 326-341 |
| [257] | Sommestad, T.; Ekstedt, M.; Johnson, P., A probabilistic relational model for security risk analysis, Comput. Secur., 29, 6, 659-679 (2010) |
| [258] | Sommestad, T.; Ekstedt, M.; Holm, H., The cyber security modeling language: a tool for assessing the vulnerability of enterprise system architectures, IEEE Syst. J., 7, 3, 363-373 (2013) |
| [259] | Sommestad, T., A framework and theory for cyber security assessments (2012), Industrial Information and Control Systems, QC 20121018, (Ph.D. thesis) |
| [260] | Friedman, N.; Getoor, L.; Koller, D.; Pfeffer, A., Learning probabilistic relational models, (IJCAI (1999), Springer-Verlag), 1300-1309 |
| [261] | Holm, H., A framework and calculation engine for modeling and predicting the cyber security of enterprise architectures (2014), Industrial Information and Control Systems, (Ph.D. thesis) |
| [262] | Johnson, F.; Ullberg, J.; Buschle, M.; Franke, U.; Shahzad, K., \(P^2 AMF\): predictive, probabilistic architecture modeling framework, (van Sinderen, M.; Luttighuis, P. O.; Folmer, E.; Bosems, S., IWEI. IWEI, LNBIP, vol. 144 (2013), Springer), 104-117 |
| [263] | Buschle, M.; Ullberg, J.; Franke, U.; Lagerström, R.; Sommestad, T., A tool for enterprise architecture analysis using the PRM formalism, (Soffer, P.; Proper, E., CAiSE Forum. CAiSE Forum, LNBIP, vol. 72 (2011), Springer), 108-121 |
| [264] | Buschle, M.; Johnson, P.; Shahzad, K., The enterprise architecture analysis tool—support for the predictive, probabilistic architecture modeling framework, (AMCIS (2013), Association for Information Systems) |
| [265] | Byers, D.; Shahmehri, N., Unified modeling of attacks, vulnerabilities and security activities, (SESS’10: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems (2010), ACM: ACM New York, NY, USA), 36-42 |
| [266] | Shahmehri, N.; Mammar, A.; de Oca, E. M.; Byers, D.; Cavalli, A.; Ardi, S.; Jimenez, W., An advanced approach for modeling and detecting software vulnerabilities, Inf. Softw. Technol., 54, 9, 997-1013 (2012), URL http://www.sciencedirect.com/science/article/pii/S0950584912000535 |
| [269] | Dacier, M., Vers une évaluation quantitative de la sécurité informatique (1994), Laboratoire d’Analyse et d’Architecture des Systèmes du CNRS (LAAS), (Ph.D. thesis) |
| [271] | Horvath, V.; Dörges, T., From security patterns to implementation using petri nets, (Proceedings of The Fourth International Workshop on Software Engineering for Secure Systems. SESS’08 (2008), ACM: ACM New York, NY, USA), 17-24, URL http://doi.acm.org/10.1145/1370905.1370908 |
| [272] | Dalton, G. C.; Mills, R. F.; Colombi, J. M.; Raines, R. A., Analyzing attack trees using generalized stochastic petri nets, (Information Assurance Workshop, 2006 (2006), IEEE: IEEE West Point, NY), 116-123 |
| [273] | Pudar, S.; Manimaran, G.; Liu, C.-C., PENET: a practical method and tool for integrated modeling of security attacks and countermeasures, Comput. Secur., 28, 8, 754-771 (2010) |
| [274] | Xu, D.; Nygard, K. E., Threat-driven modeling and verification of secure software using aspect-oriented Petri nets, IEEE Trans. Softw. Eng., 32, 4, 265-278 (2006) |
| [275] | Dacier, M.; Deswarte, Y., Privilege graph: an extension to the typed access matrix model, (Gollmann, D., ESORICS’1994. ESORICS’1994, LNCS, vol. 875 (1994), Springer), 319-334, URL http://dx.doi.org/10.1007/3-540-58618-0_72 |
| [276] | Dacier, M.; Deswarte, Y.; Kaâniche, M., Models and tools for quantitative assessment of operational security, (Katsikas, S. K.; Gritzalis, D., SEC. SEC, IFIP Conference Proceedings, vol. 54 (1996), Chapman & Hall), 177-186 |
| [281] | Sheyner, O., Scenario graphs and attack graphs (2004), Carnegie Mellon University (CMU): Carnegie Mellon University (CMU) Pittsburgh, PA, (Ph.D. thesis) |
| [284] | Wang, L.; Yao, C.; Singhal, A.; Jajodia, S., Interactive analysis of attack graphs using relational queries, (Damiani, E.; Liu, P., Data and Applications Security XX. Data and Applications Security XX, LNCS, vol. 4127 (2006), Springer: Springer Berlin Heidelberg), 119-132, URL http://dx.doi.org/10.1007/11805588_9 |
| [289] | Manadhata, P. K., An attack surface metric (2008), Carnegie Mellon University, (Ph.D. thesis) |
| [290] | Noel, S.; Jajodia, S., Managing attack graph complexity through visual hierarchical aggregation, (Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security (VizSEC’04) (2004), George Mason University: George Mason University Fairfax, VA, USA), 109-118 |
| [294] | Kotenko, I.; Stepashkin, M., Analyzing network security using malefactor action graphs, Int. J. Comput. Sci. Netw. Secur., 6, 6, 226-235 (2006) |
| [296] | Wang, L.; Noel, S.; Jajodia, S., Minimum-cost network hardening using attack graphs, Comput. Commun., 29, 18, 3812-3824 (2006), URL http://dx.doi.org/10.1016/j.comcom.2006.06.018 |
| [297] | Wang, L.; Singhal, A.; Jajodia, S., Measuring the overall security of network configurations using attack graphs, (Barker, S.; Ahn, G.-J., Data and Applications Security XXI. Data and Applications Security XXI, LNCS., vol. 4602 (2007), Springer: Springer Berlin/Heidelberg), 98-112 |
| [298] | Wang, L.; Singhal, A.; Jajodia, S., Toward measuring network security using attack graphs, (Proceedings of the 2007 ACM workshop on Quality of Protection. QoP ’07 (2007), ACM: ACM New York, NY, USA), 49-54, URL http://doi.acm.org/10.1145/1314257.1314273 |
| [299] | Louthan, G. R., Hybrid attack graphs for modeling cyber-physical systems (2011), University of Tulsa: University of Tulsa USA, (Master’s thesis) |
| [302] | Samarji, L.; Cuppens, F.; Cuppens-Boulahia, N.; Kanoun, W.; Dubus, S., (Wang, G.; Ray, I.; Feng, D.; Rajarajan, M., CSS. CSS, LNCS, vol. 8300 (2013), Springer), 132-150 |
| [303] | Pinto, J. A., Temporal reasoning in the situation calculus (1994), University of Toronto: University of Toronto Ontario, Canada, AAINN92616 |
| [308] | Alexander, I., Misuse cases: use cases with hostile intent, IEEE softw., 20, 1, 58-66 (2003) |
| [309] | Sindre, G.; Opdahl, A. L., Eliciting security requirements with misuse cases, J. Requirements Engineering, 10, 34-44 (2005) |
| [311] | Firesmith, D. J., Security Use Cases, J. Object Technol., 2, 3, 53-64 (2003), URL http://www.jot.fm/issues/issue_2003_05/column6 |
| [314] | Opdahl, A. L.; Sindre, G., Experimental comparison of attack trees and misuse cases for security threat identification, Inform. Softw. Technol., 51, 5, 916-932 (2009) |
| [318] | Katta, V.; Kárpáti, P.; Opdahl, A. L.; Raspotnig, C.; Sindre, G., Comparing two techniques for intrusion visualization, (van Bommel, P.; Hoppenbrouwers, S.; Overbeek, S.; Proper, E.; Barjis, J., PoEM. PoEM, Lecture Notes in Business Information Processing, vol. 68 (2010), Springer), 1-15 |
| [319] | Péter, Kárpáti; Guttorm, Sindre; Opdahl, Andreas L., Towards a hacker attack representation method, (Proceedings of the 5th ICSOFT Conference (2010)), 92-101 |
| [321] | Kárpáti, P.; Sindre, G.; Matulevicius, R., Comparing misuse case and mal-activity diagrams for modelling social engineering attacks, IJSSE, 3, 2, 54-73 (2012) |
| [323] | Johnson, P.; Lagerström, R.; Närman, P.; Simonsson, M., Enterprise architecture analysis with extended influence diagrams, Inform. Syst. Front., 9, 2-3, 163-180 (2007) |
| [324] | Matheson, J. E.; Howard, R. A., An Introduction to Decision Analysis (1968), Strategic Decisions Group: Strategic Decisions Group Menlo Park, CA |
| [325] | Ezell, B. C.; Bennett, S. P.; von Winterfeldt, D.; Sokolowski, J.; Collins, A. J., Probabilistic risk analysis and terrorism risk, Risk analysis an official publication of the Society for Risk Analysis, 30, 4, 575-589 (2010) |
| [326] | Lagerström, R.; Johnson, P.; Närman, P., Extended Influence Diagram Generation, (Jardim-Gonçalves, R.; Müller, J. P.; Mertins, K.; Zelm, M., IESA (2007), Springer), 599-602 |
| [329] | (Miyaji, A.; Kikuchi, H.; Rannenberg, K., Advances in Information and Computer Security, Second International Workshop on Security, IWSEC 2007, Nara, Japan, October 29-31, 2007, Proceedings. Advances in Information and Computer Security, Second International Workshop on Security, IWSEC 2007, Nara, Japan, October 29-31, 2007, Proceedings, LNCS, vol. 4752 (2007), Springer) · Zbl 1151.68310 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
