How to Generate Security Cameras: Towards Defence Generation for Socio-Technical Systems

详细信息    查看全文

• 关键词：Attack ; defence trees ; Socio ; technical models ; Generation of attack models ; Generation of defences
• 刊名：Lecture Notes in Computer Science
• 出版年：2016
• 出版时间：2016
• 年：2016
• 卷：9390
• 期：1
• 页码：50-65
• 全文大小：264 KB
• 参考文献：1.NIST Special Publication 800–30 Guide for conducting risk assessments. revision 1 (2012). http://​csrc.​nist.​gov/​publications/​nistpubs/​800-30-rev1/​sp800_​30_​r1.​pdf
  2.NIST Special Publication 800–53 Revision 4. Security and privacy controls for federal information systems and organizations (2013). http://​nvlpubs.​nist.​gov/​nistpubs/​SpecialPublicati​ons/​NIST.​SP.​800-53r4.​pdf
  3.Aslanyan, Z., Nielson, F.: Pareto efficient solutions of attack-defence trees. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 95–114. Springer, Heidelberg (2015)
  4.Bagnato, A., Kordy, B., Meland, P.H., Sweitzer, P.: Attribute decoration of attack-defence trees. IJSSE 3(2), 1–35 (2012)
  5.Dimkov, T., Pieters, W., Hartel, P.: Portunes: representing attack scenarios spanning through the physical, digital and social domain. In: Armando, A., Lowe, G. (eds.) ARSPA-WITS 2010. LNCS, vol. 6186, pp. 112–129. Springer, Heidelberg (2010)CrossRef
  6.Ferreira, A., Huynen, J.-L., Koenig, V., Lenzini, G.: A conceptual framework to study socio-technical security. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 318–329. Springer, Heidelberg (2014)
  7.Ford, M., Rensink, A., Willemson, J., Lenin, A., Probst, C.W., Gadyatskaya, O., Trujillo-Rasua, R., Hansen, R.R., Othman, B.: TREsPASS D3.4.1 Attack generation from socio-technical models (2014)
  8.Ivanova, M.G., Probst, C.W., Hansen, R.R., Kammuller, F.: Transforming graphical system models to graphical attack models. In: Mauw, S., et al. (eds.) GraMSec 2015. LNCS, vol. 9390, pp. 82–96. Springer, Heidelberg (2016)
  9.Kammuller, F., Probst, C.W.: Invalidating policies using structural information. In: Proceedings of IEEE S & P Workshops, pp. 229–235. IEEE (2013)
  10.Kordy, B., Ivanova, M.G., Hansen, R.R., Probst, C.: TREsPASS D1.3.1 Initial prototype of socio-technical security model (2013)
  11.Kordy, B., Mauw, S., Radomirovic, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2014). Oxford University PressCrossRef MathSciNet MATH
  12.Lenzini, G., Mauw, S., Ouchani, S.: Security analysis of socio-technical physical systems. Elsevier Comput. Electr. Eng. (2015)
  13.Othmane, L., Ranchal, R., Fernando, R., Bhargava, B.K., Bodden, E.: Incorporating attacker capabilities in risk estimation and mitigation. Elsevier Comput. Secur. 51, 41–61 (2015)CrossRef
  14.Ou, X., Boyer, W., McQueen, M.: A scalable approach to attack graph generation. In: Proceedings of CCS, pp. 336–345. ACM (2006)
  15.Paul, S.: Technique for automating the construction and maintenance of attack trees. In: Proceedings of GraMSec, vol. 148, pp. 31–46. EPTCS (2014)
  16.Pieters, W.: Representing humans in system security models: an actor-network approach. J. Wirel. Mob. Netw. Ubiquit. Comput. Dependable Appl. 2(1), 75–92 (2012)
  17.Pinchinat, S., Acher, M., Vojtisek, D.: Towards synthesis of attack trees for supporting computer-aided risk analysis. In: Canal, C., Idani, A. (eds.) SEFM 2014 Workshops. LNCS, vol. 8938, pp. 363–375. Springer, Heidelberg (2015)
  18.Probst, C.W., Hansen, R.R.: An extensible analysable system model. Inf. Secur. Tech. Rep. 13(4), 235–246 (2008)CrossRef
  19.Radomirovic, S., Basin, D., Schlapfer, M.: A complete characterization of secure human-server communication. In: Proceedings of CSF. IEEE (2015)
  20.Roy, A., Kim, D., Trivedi, K.: ACT: towards unifying the constructs of attack and defense trees. Secur. Commun. Netw. 3, 1–15 (2011)CrossRef
  21.Roy, A., Kim, D., Trivedi, K.: Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees, pp. 1–12 (2012)
  22.Vigo, R., Nielsen, F., Nielson, H.R.: Automated generation of attack trees. In: Proceedings of CSF, pp. 337–350. IEEE (2014)
  
• 作者单位：Olga Gadyatskaya (16)
  
  16. SnT, University of Luxembourg, Luxembourg City, Luxembourg
  
• 丛书名：Graphical Models for Security
• ISBN：978-3-319-29968-6
• 刊物类别：Computer Science
• 刊物主题：Artificial Intelligence and Robotics
  Computer Communication Networks
  Software Engineering
  Data Encryption
  Database Management
  Computation by Abstract Devices
  Algorithm Analysis and Problem Complexity
  
• 出版者：Springer Berlin / Heidelberg
• ISSN：1611-3349

文摘

Recently security researchers have started to look into automated generation of attack trees from socio-technical system models. The obvious next step in this trend of automated risk analysis is automating the selection of security controls to treat the detected threats. However, the existing socio-technical models are too abstract to represent all security controls recommended by practitioners and standards. In this paper we propose an attack-defence model, consisting of a set of attack-defence bundles, to be generated and maintained with the socio-technical model. The attack-defence bundles can be used to synthesise attack-defence trees directly from the model to offer basic attack-defence analysis, but also they can be used to select and maintain the security controls that cannot be handled by the model itself.