nach oben

Erschienen in:

01.01.2023

CyberSAGE: The cyber security argument graph evaluation tool

verfasst von: William G. Temple, Yue Wu, Carmen Cheh, Yuan Li, Binbin Chen, Zbigniew T. Kalbarczyk, William H. Sanders, David Nicol

Erschienen in: Empirical Software Engineering | Ausgabe 1/2023

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Cyber risk assessment is a critical step in securing the digital systems that support modern society. Typically this is a manual process carried out by consultants or working groups with little or no software support outside of spreadsheet tools. As cybersecurity threats and digital systems themselves become more complex and dynamic, there is a need for greater tool support in the risk assessment process to document and trace assumptions and facilitate the revision or extension of a threat and risk assessment throughout a system’s lifecycle. The Cyber Security Argument Graph Evaluation (CyberSAGE) tool provides a platform for model-based cybersecurity analysis of cyber failure and attack scenarios. It combines models of high-level workflow, system architecture, device properties, attacker capability and skill, to compute holistic, quantitative security metrics. In this paper we describe the models, algorithms, and software architecture of the CyberSAGE tool. To illustrate its application, we describe an assessment carried out on communication systems in two railway lines with the support of an industry partner. Finally, we summarize feedback on the CyberSAGE tool from the railway case study partner, as well as over 40 interviews with practitioners and domain experts and a multinational electronics company who carried out a one year independent evaluation.

Vorheriger Artikel Analyzing Techniques for Duplicate Question Detection on Q&A Websites for Game Developers

Nächster Artikel Towards understanding bugs in Python interpreters

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

https://www.rsa.com/en-us/products/integrated-risk-management

https://www.ibm.com/sg-en/marketplace/governance-risk-and-compliance

https://www.mobius.illinois.edu/

https://www.foreseeti.com/

Cybersage uses the following versions of the aforementioned libraries: Libdai-Server 0.3.0, Drool rule engine 5.3.0, DoT-Server 2.38.0

https://www.drools.org

https://www.illinois.adsc.com.sg/cybersage/download.html

CyberSAGE property linkage feature is added in the version 1.1, for linking related device property values into one property group to manage them easily. For more details, please refer to Section 3.2.4 of CyberSAGE Quick Start Guide, available at http://www.illinois.adsc.com.sg/docs/CyberSAGEQuickStartGuide.pdf.

Alberts C, Dorofee A (2003) Managing information security risks: The OCTAVE approach. SEI series in software engineering. Addison-Wesley. https://books.google.com.sg/books?id=EGInzsKcG_8C

Blank R, Gallagher P, Group JTFTIIW et al (2013) Nist special publication 800-53, security and privacy controls for federal information systems and organizations, revision 4. National Institute of Standards and Technology (NIST), Washington

CAIRIS (2020) Cairis. https://cairis.org/index.html

Cau D (2014) Governance risk and compliance (grc) software business needs and market trends. Deloitte

Charis R (2012) Tetra for rail. In: TETRA & Critical Communications Association (TCCA) Seminars

Cheh C, Keefe K, Feddersen B, Chen B, Temple WG, Sanders WH (2017) Developing models for physical attacks in cyber-physical systems. In: Proceedings of the 2017 workshop on cyber-physical systems security and privacy, CPS ’17. Association for Computing Machinery, New York, pp 49–55

Chen B, Kalbarczyk Z, Nicol DM, Sanders WH, Tan R, Temple WG, Tippenhauer NO, Vu AH, Yau DK (2013) Go with the flow: Toward workflow-oriented security assessment. In: Proc. of the new security paradigms workshop (NSPW)

Davis R (2008) The tetra rail forum. In: TETRA Seminars-India

Ekstedt M, Johnson P, Lagerström R, Gorton D, Nydrén J, Shahzad K (2015) Securi cad by foreseeti: A cad tool for enterprise cyber security management. In: 2015 IEEE 19th international enterprise distributed object computing workshop, pp 152–155. https://doi.org/10.1109/EDOCW.2015.40

Ekstedt M, Johnson P, Lagerstrom R, Gorton D, Nydrén J, Shahzad K (2015) Securi cad by foreseeti: A cad tool for enterprise cyber security management. In: 2015 IEEE 19Th international enterprise distributed object computing workshop (EDOCW). IEEE, pp 152–155

Fila B, Wideł W (2019) Attack–defense trees for abusing optical power meters: A case study and the osead tool experience report. In: Albanese M, Horne R, Probst C W (eds) Graphical models for security. Springer International Publishing, Cham, pp 95–125

Gadyatskaya O, Jhawar R, Kordy P, Lounis K, Mauw S, Trujillo-Rasua R (2016) Attack trees for practical security assessment:, Ranking of attack scenarios with adtool 2.0., vol 9826, pp 159–162. https://doi.org/10.1007/978-3-319-43425-4_10

Harvey M, Long D, Reinhard K (2014) Visualizing nistir 7628, guidelines for smart grid cyber security. In: Power and energy conference at Illinois (PECI), 2014. IEEE, pp 1–8

Holm H (2014) A framework and calculation engine for modeling and predicting the cyber security of enterprise architectures. PhD thesis, KTH, Industrial Information and Control Systems, qC 20140203

Holm H, Shahzad K, Buschle M, Ekstedt M (2015) P² cysemol: Predictive, probabilistic cyber security modeling language. IEEE Trans Depend Sec Comput 12 (6):626–639. https://doi.org/10.1109/TDSC.2014.2382574CrossRef

Holm H, Shahzad K, Buschle M, Ekstedt M (2015) P2cysemol: Predictive, probabilistic cyber security modeling language. IEEE Trans Depend Sec Comput 12(6):626–639CrossRef

HSSEDI: The Homeland Security Systems Engineering and Development Institute (2018) Cyber threat modeling: Survey, assessment, and representative framework. https://www.mitre.org/sites/default/files/publications/pr_18-1174-ngci-cyber-threat-modeling.pdf

ICS-CERT (2018) Cset: The cyber security evaluation tool

IriusRisk (2020) Iriusrisk - threat modeling platform. https://iriusrisk.com/

Ivanova MG, Probst CW, Hansen RR, Kammüller F (2016) Transforming graphical system models to graphical attack models. In: Mauw S, Kordy B, Jajodia S (eds) Graphical models for security. Springer International Publishing, Cham, pp 82–96

Jauhar S, Chen B, Temple WG, Dong X, Kalbarczyk Z, Sanders WH, Nicol DM (2015) Model-based cybersecurity assessment with nescor smart grid failure scenarios. In: 2015 IEEE 21st Pacific Rim international symposium on dependable computing (PRDC). IEEE, pp 319–324

Johnson P, Vernotte A, Ekstedt M, Lagerström R (2016) pwnpr3d: An attack-graph-driven probabilistic threat-modeling approach. In: 2016 11th international conference on availability, reliability and security (ARES), pp 278–283. https://doi.org/10.1109/ARES.2016.77

Johnson P, Lagerström R, Ekstedt M (2018) A meta language for threat modeling and attack simulations. In: Proceedings of the 13th international conference on availability, reliability and security. Association for Computing Machinery, New York

Keefe K, Feddersen B, Rausch M, Wright R, Sanders WH (2018) An ontology framework for generating discrete-event stochastic models. In: Bakhshi R, Ballarini P, Barbot B, Castel-Taleb H, Remke A (eds) Computer performance engineering. Springer International Publishing, Cham, pp 173–189

Kohnfelder L, Garg P (1999) The threats to our products. https://adam.shostack.org/microsoft/The-Threats-To-Our-Products.docx

Kordy B, Piètre-Cambacédès L, Schweitzer P (2014) Dag-based attack and defense modeling: Don’t miss the forest for the attack trees. Comput Sci Rev 13:1–38CrossRefMATH

Lund M, Solhaug B, StÃ.̧len K (2011) Model-driven risk analysis. https://doi.org/10.1007/978-3-642-12323-8CrossRef

Meland PH, Gjære EA (2012) Representing threats in bpmn 2.0, pp 542–550

Microsoft (2017) Microsoft threat modeling tool. https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

Muehrcke C (2013) Implementing the advise security modeling formalism in möbius. In: 2013 43rd annual IEEE/IFIP international conference on dependable systems and networks (DSN). IEEE, pp 1–8

National Electric Sector Cybersecurity Organization Resource (2014) Electric sector failure scenarios common vulnerabilities and mitigations mapping. Tech. rep., Electric Power Research Institute

NERC (2012) Security guidelines for the electricity sector:, Vulnerability and risk assessment version 1.0

NIST (2012) Nist special publication 800-30, guide for conducting risk assessments, revision 1. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Noel S, Elder M, Jajodia S, Kalapa P, O’Hare S, Prole K (2009) Advances in topological vulnerability analysis. In: 2009 cybersecurity applications technology conference for homeland security. https://doi.org/10.1109/CATCH.2009.19, pp 124–129

O’Hare S, Noel S, Prole K (2008) A graph-theoretic visualization approach to network risk analysis. In: Goodall JR, Conti G, Ma KL (eds) Visualization for computer security. Springer, Berlin Heidelberg, pp 60–67

Ou X, Govindavajhala S, Appel AW (2005) Mulval: a logic-based network security analyzer. In: USENIX security symposium

OWASP (2020a) Owasp pytm tool. https://owasp.org/www-project-pytm/

OWASP (2020b) Owasp threat dragon. https://owasp.org/www-project-threat-dragon/

Rausch M, Keefe K, Feddersen B, Sanders WH (2018) Automatically generating security models from system models to aid in the evaluation of ami deployment options. In: D’Agostino G, Scala A (eds) Critical information infrastructures security. Springer International Publishing, Cham

Recker J (2010) Opportunities and constraints: the current struggle with BPMN. Bus Process Manag J 16(1):181–201MathSciNetCrossRef

Sindre G (2007) Mal-activity diagrams for capturing attacks on business processes. In: Proc. of international working conference on requirements engineering: foundation for software quality (REFSQ)

Temple WG, Li Y, Tran BAN, Liu Y, Chen B (2016) Railway system failure scenario analysis. In: International conference on critical information infrastructures security. Springer, pp 213–225

TETRA SEKEX Communications (2018) Tetra network radio solution & application. https://www.wwsinternational.com.au/Tetra_2011/index.htm

ThreatModeler (2020) Threatmodeler software inc. https://threatmodeler.com

Tippenhauer NO, Temple WG, Vu AH, Chen B, Nicol DM, Kalbarczyk Z, Sanders W (2014) Automatic generation of security argument graphs. In: Proc. of the IEEE Pacific Rim international symposium on dependable computing (PRDC)

Ucedavélez T, Morana MM (2015) Risk centric threat modeling: process for attack simulation and threat analysis. Wiley. http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470500964.htmlCrossRef

securiCAD User Community (2020) securilang reference manual. https://community.securicad.com/securilang-reference-manual/

VERSPRITE (2020) Waypoint enterprise threat modeling tool. https://versprite.com/security-products/waypoint/

Vu AH, Tippenhauer NO, Chen B, Nicol DM, Kalbarczyk Z (2014) Cybersage: a tool for automatic security assessment of cyber-physical systems. In: International conference on quantitative evaluation of systems. Springer, pp 384–387

Wang L, Jajodia S, Singhal A, Cheng P, Noel S (2014) k-zero day safety: A network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans Depend Sec Comput 11(1):30–44CrossRef

Xiong W, Krantz F, Lagerström R (2020) Threat modeling and attack simulations of connected vehicles: Proof of concept. In: Mori P, Furnell S, Camp O (eds) Information systems security and privacy. Springer International Publishing, Cham, pp 272–287

Titel: CyberSAGE: The cyber security argument graph evaluation tool
verfasst von: William G. Temple
Yue Wu
Carmen Cheh
Yuan Li
Binbin Chen
Zbigniew T. Kalbarczyk
William H. Sanders
David Nicol
Publikationsdatum: 01.01.2023
Verlag: Springer US
Erschienen in: Empirical Software Engineering / Ausgabe 1/2023
Print ISSN: 1382-3256
Elektronische ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-021-10056-8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Weitere Artikel der Ausgabe 1/2023

Variational satisfiability solving: efficiently solving lots of related SAT problems

Towards effective assessment of steady state performance in Java software: are we there yet?

Automatic prediction of rejected edits in Stack Overflow

Analyzing Techniques for Duplicate Question Detection on Q&A Websites for Game Developers

Can static analysis tools find more defects?

Smells in system user interactive tests

Premium Partner