Portunes: Representing Attack Scenarios Spanning through the Physical, Digital and Social Domain

The security goals of an organization are realized through security policies, which concern physical security, digital security and security awareness. An insider is aware of these security policies, and might be able to thwart the security goals by combining physical, digital and social means. A systematic analysis of such attacks requires the whole environment where the insider operates to be formally represented. This paper presents Portunes, a framework which integrates all three security domains in a single environment. Portunes consists of a high-level abstraction model focusing on the relations between the three security domains and a lower abstraction level language able to represent the model and describe attacks which span the three security domains. Using the Portunes framework, we are able to represent a whole new family of attacks where the insider is not assumed to use purely digital actions to achieve a malicious goal.
