Cyberpatterns

A pattern represents a discernible regularity in the world or in manmade designs. In the prescriptive point of view, a pattern is a template from which instances can be created; while in the descriptive point of view, the elements of a pattern that repeat in a predictable manner can be observed and recognised. Similar to theories in sciences, patterns explain and predict regularities in a subject domain. In a complicated subject domain like cyberspace, there are usually a large number of patterns that each describes and predicts a subset of recurring phenomena, yet these patterns can interact with each other and be interrelated and composed with each other. The pattern-oriented research method studies a subject domain by identifying the patterns, classifying and categorising them, organising them into pattern languages, investigating the interactions between them, devising mechanisms and operations for detecting and predicting their occurrences, and facilitating their instantiations. This chapter illustrates this research methodology through a review of the research on software design patterns as an example of successful application of the methodology. It then discusses its possible applications to the research on cyberpatterns, i.e. patterns in cyberspace. It defines the scope of research, reviews the current state of art and identifies the key research questions.

We introduce security patterns as the most mature domain within cyberpatterns, and outline a conceptual framework to help understand and develop good security patterns. Security patterns help us move from an improvised craft to engineering discipline because they transfer knowledge about proven solutions in an understandable and reusable format to experienced users and novices alike. Although security patterns are widely known, many questions remain unanswered regarding their conceptual foundation and practical use. We characterise the current pattern schemes using the Zachman Framework for enterprise architecture modelling, which allows us to structure and pose questions about both the problem domain and corresponding solutions provided by security patterns. We propose a parallel security plane overlaying the entire Zachman grid allowing the separate consideration of security within the security plane using the interrogative questions (who, what, where, when, why and how) to evaluate the six aspects. The integration between security and functional concerns is similarly aided by using the correspondence between aspects in the security and functional planes to decompose and examine the relationship between security patterns and problem context. We also briefly discuss security patterns as transformations, and related concepts such as tactics that may usefully be applied to security. We conclude with a set of unsolved challenges for security patterns. This discussion is relevant to other types of cyberpattern such as attack patterns, and may aid the eventual development of a comprehensive framework for cyberpatterns.

The field of software design patterns has grown extensively since the first work on patterns in the 1990s. Design patterns have proved useful as encodings of good design practice and expert knowledge in a wide variety of domains, from enterprise information systems to software security. We look at some recent developments in the application of patterns, and identify some remaining theoretical and practical issues with the use of patterns.

To arrive at such a common framework we propose to leverage the existing work on design patterns, which are specified as predicates on the static and dynamic models of software systems. By reviewing the techniques for reasoning about design patterns, and what these techniques can achieve, we can propose a suitable way of structuring all patterns. This method of structuring is also informed by a detailed comparison between the headings used to structure each of design, attack and security patterns. The difficulties in producing a common framework for all types of pattern are also briefly considered, before a suitable method of structuring patterns is described in detail as a conclusion.

As knowledge of solutions to recurring design problems, a large number of software design patterns (DP) has been identified, catalogued and formalized in the past decades. Tools have been developed to support the application and recognition of patterns. However, although the notions of pattern in different subject domains carry a great deal of similarity, we are in lack of a general theory that applies to all types of design patterns. This paper is based on our previous work on formalization of OO DPs and an algebra of pattern compositions. We propose a generalization of the approach so that it can be applied to other types of DPs. In particular, a pattern is defined as a set of points in a design space that satisfy certain conditions. Each condition specifies a property of the instances of the pattern in a certain view of the design space. The patterns can then be composed and instantiated through applications of operators defined on patterns. The paper demonstrates the feasibility of the proposed approach by examples of patterns of enterprise security architecture.

Aspect Oriented Programming is increasingly being used for the practical coding of cross-cutting concerns woven throughout an application. However, most existing AOP point-cut definition languages don’t distinguish in their application between different systems across a network. For network security there is a need to apply different aspects depending on the role a piece of code has within the larger networked system, and a new approach for this is therefore required. In this chapter we present a formalism for how this might be approached, proposing a way to capture distributed point-cuts for applying different aspects in different parts of the network. The method is based on templates that match properties within the code, and a set of flexible relationships that can be defined between them.

Computer and communication networks are becoming increasingly critical in supporting business, leisure and daily life in general. Thus, there is a compelling need for resilience to be a key property of networks. The approach we present in this paper is intended to enable the specification of management patterns that describe the dynamic intrusion tolerant behaviour of resilient networks. A management pattern describes a policy-based collaboration between a set of resilience mechanisms used to address a specific type of challenge. Much of the existing work on security patterns has focused only on the static defence aspect of a network. However, dynamic behaviour adds a great deal of complexity to network management, thus making the specification of patterns for this activity very desirable.

Secure adaptation of service composition is crucial for service-oriented applications. An effective adaptation method must improve a composition’s adherence to specified behaviour, performance and security guarantees at reasonable cost in terms of computing complexity and time consumption. This chapter discusses current techniques that have been developed to help achieve secure service composition. Based on security verification results, which have been categorised into four patterns in this chapter, a simple heuristics-based adaptation strategy is proposed. This proposal aims at more accurate yet relatively fast secure service adaptation strategy. In order to make direct comparisons of different services, a simple quantification method is also introduced.

We have created a framework for modelling security that divides computer incidents into their stages of access, use and effect. In addition, we have developed a three-layer architectural model to examine incidents with the social, logical and physical levels. Our ontology that combines the architectural and incident models provides the basis for a suitable semantics for attack patterns, where the entities and relationships between them can be precisely defined. The current informality of these patterns means that their utility is limited to manual use, so we plan to adapt existing work on formalising design patterns to attack patterns, to aid the detection of attack patterns leading to the possible creation of effective defensive controls. A specification in logic, which is progressively refined into code, is a common method of developing high integrity and secure software, but there are additional issues in system protection, as the system is a diverse set of components housing different and unrelated functionality rather than a single program. The attack patterns form a logical specification, which can be intersected with the model of the defence to determine the corresponding defensive observations and actions to counter the attacks. This would allow convincing reasoning about possible defensive response measures, and holds out the possibility of proving security against certain types of attacks. We outline a roadmap for formulating attack patterns in our ontology and then translating them in logic.

There is no denying that communication networks, in particular the Internet, have changed our lives in many ways. Many organizations and businesses in general benefit, but at the same time their communication networks face many challenges such as cyber-attacks, which can result in disruptions of services and huge financial losses. Therefore, resilience of these networks against cyber-attacks is a growing interest in the cyber security community. In this paper, we propose a framework for attack pattern recognition by collecting and correlating cyber situational information vertically across protocol-levels, and horizontally along the end-to-end network path. This will help to analyze cyber challenges from different viewpoints and to develop effective countermeasures.

The problems of system security are well known, but no satisfactory methods to resolve them have ever been discovered. One heuristic method is to use a penetration test with the rationale of finding system flaws before malicious attackers. However, this is a craft-based discipline without an adequate theoretical or empirical basis for justifying its activities and results. We show that both the automated tool and skill-based methods of pen testing are unsatisfactory, because we need to provide understandable evidence to clients about their weaknesses and offer actionable plans to fix the critical ones. We use attack patterns to help develop a pen-testing framework to help avoid the limitations of current approaches.

Most software development companies conduct in-house testing of their code prior to releasing their product, yet software vulnerabilities are still found every single day in the most prevalent of applications. Memory corruption vulnerabilities are amongst the most difficult to detect, but can be the most dangerous. This research presents both an effective taxonomy of these vulnerabilities, which can be used to identify software threats and a methodology to maximize the number of memory corruption vulnerabilities that are identified during software testing. A means of cataloguing such vulnerabilities was required: As design patterns were already familiar to software engineers the use of a pattern language seemed appropriate, particularly as the solution to the vulnerabilities lay in the software engineering domain.

In this chapter we propose the fundaments of a design of an exploratory simulation of security management in a corporate environment. The model brings together theory and research findings on causes of information security risks in order to analyse diverse roles interacting through scripts. The framework is an adaptation of theoretical and empirical research in general crime prevention for the purposes of cybercrime. Its aim is to provide insights into the prerequisites for a more functional model (Information security; Conjunction of criminal opportunity; Crime scripts; Simulation).

We describe the pattern-related aspects of the prototype Protection and Assessment (P&A) Workbench that was developed as part of the MASTER EU 7th Framework collaborative research project. The Workbench supports a model-driven design process within the overall MASTER methodology. It includes a Protection and Regulatory Model (PRM) tool that is a step towards turning the Workbench into an ‘organisational memory’ for design practices that accumulates and improves over time. PRMs are essentially control process design patterns that incorporate proven strategies in a re-usable form, saving time and improving quality and consistency.

Security patterns are a useful way of describing, packaging and applying security knowledge which might otherwise be unavailable. However, because patterns represent partial knowledge of a problem and solution space, there is little certainty that addressing the consequences of one problem won’t introduce or exacerbate another. Rather than using patterns exclusively to explore possible solutions to security problems, we can use them to better understand the security problem space. To this end, we present a framework for evaluating the implications of security and attack patterns using premortems: scenarios describing a failed system that invites reasons for its failure. We illustrate our approach using an example from the EU FP 7 webinos project.

Many real world security and digital forensics tasks involve the analysis of large amounts of data and the need to be able to classify parts of that data into sets that are not well or even easily defined. Rule based systems can work well and efficiently for simple scenarios where the security or forensics incident can be well specified. However, such systems do not cope as well where there is uncertainty, where the IT system under consideration is complex or where there is significant and rapid change in the methods of attack or compromise. Artificial Intelligence (AI) is an area of computer science that has concentrated on pattern recognition and in this extended abstract we highlighted some of the main themes in AI and their appropriateness for use in a security and digital forensics context.

This paper describes a novel method aiming to cluster datasets containing malware behavioural data. Our method transform the data into an standardised data matrix that can be used in any clustering algorithm, finds the number of clusters in the data set and includes an optional visualization step for high-dimensional data using principal component analysis. Our clustering method deals well with categorical data, and it is able to cluster the behavioural data of 17,000 websites, acquired with Capture-HPC, in less than 2 min.

Service-Oriented Architectures (SOAs) are becoming a dominant paradigm for the integration of heterogeneous systems. However, SOA-based applications are highly dynamic and liable to change significantly at runtime. This justifies the need for monitoring composed services throughout the lifetime of the service execution. In this chapter we present a novel approach to monitor services at runtime and to ensure that services behave as they have promised. Services are defined as BPMN (Business Process Modelling Notation) processes which can then be monitored during execution.

Digital storage systems (DSS) contain an abundance of geospatial data which can be extracted and analysed to provide useful and complex intelligence insights. This data takes a number of forms such as data within text files, configuration databases and in operating system generated files—each of which require particular forms of processing. This paper investigates the breadth of geospatial data available on DSS, the issues and problems involved in extracting and analysing them and the intelligence insights that the visualisation of the data can provide. We describe a framework to extract a wide range of geospatial data from a DSS and resolve this data into geographic coordinates.

As patterns in cyberspace, cyberpatterns shed light on research on the development of cyber systems from a new angle. They can help us move from an improvised craft to an engineering discipline because they help to transfer knowledge about proven solutions in an understandable and reusable format. They allow innovative applications in cloud, cyber-physical and mobile systems, and novel methods of use with data patterns for observation and analysis of ‘big data’ problems. The ultimate aim of research on cyberpatterns is an overall framework for cyberpatterns integrating all the cyber domains to help develop a better-understood and effective cyberspace. However, there are many research questions in cyberpatterns that remain unanswered regarding both their conceptual foundation and practical use. This chapter concludes the book by exploring some of the most critical and important problems needing to be addressed.