We present a framework for quantitative security modeling and analysis of highly customizable attack scenarios, which resulted as a spin-off from our research in software product line engineering. The graphical security models are based on attributed attack-defense diagrams to capture the structure and properties of vulnerabilities, defenses and countermeasures--with notable similarities to feature diagrams--and on probabilistic models of attack behavior, capable of capturing resource constraints and attack effectiveness. In this paper, we provide an overview of the framework that is described in full technical detail in twin papers, which present the formal syntax and semantics of the domain-specific language and showcase the associated tool with advanced IDE support for performing analyses based on statistical model checking. The properties of interest range from average cost and success probability of attacks to the effectiveness of defenses and countermeasures. Here we illustrate the capabilities of the DSL and the tool by applying them to an example scenario from the security domain. This shows how techniques from variability modeling can be applied to security. We conclude with a vision and roadmap for future research.
Variability meets security: quantitative security modeling and analysis of highly customizable attack scenarios
ter Beek M. H.;
2020
Abstract
We present a framework for quantitative security modeling and analysis of highly customizable attack scenarios, which resulted as a spin-off from our research in software product line engineering. The graphical security models are based on attributed attack-defense diagrams to capture the structure and properties of vulnerabilities, defenses and countermeasures--with notable similarities to feature diagrams--and on probabilistic models of attack behavior, capable of capturing resource constraints and attack effectiveness. In this paper, we provide an overview of the framework that is described in full technical detail in twin papers, which present the formal syntax and semantics of the domain-specific language and showcase the associated tool with advanced IDE support for performing analyses based on statistical model checking. The properties of interest range from average cost and success probability of attacks to the effectiveness of defenses and countermeasures. Here we illustrate the capabilities of the DSL and the tool by applying them to an example scenario from the security domain. This shows how techniques from variability modeling can be applied to security. We conclude with a vision and roadmap for future research.| File | Dimensione | Formato | |
|---|---|---|---|
|
prod_416789-doc_146913.pdf
non disponibili
Descrizione: Variability meets Security: Quantitative Security Modeling and Analysis of Highly Customizable Attack Scenarios
Tipologia:
Versione Editoriale (PDF)
Dimensione
854.67 kB
Formato
Adobe PDF
|
854.67 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
|
prod_416789-doc_146914.pdf
accesso aperto
Descrizione: Variability meets Security: Quantitative Security Modeling and Analysis of Highly Customizable Attack Scenarios
Tipologia:
Versione Editoriale (PDF)
Dimensione
1.59 MB
Formato
Adobe PDF
|
1.59 MB | Adobe PDF | Visualizza/Apri |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
