Modeling, analyzing and predicting security cascading attacks in smart buildings systems-of-systems

Abstract: The intelligence and complexity of software systems have been continuously increasing to deliver more features in support of business-critical and mission-critical processes in numerous domains such as defense, health care, and smart cities. Contemporary software-based solutions are composed of several software systems that together form a System-of-Systems (SoS). The differentiating characteristics of SoS, such as emergent behavior, introduce specific issues that make their security modeling, simulation and analysis a critical challenge. The aim of this work is to investigate how Software Engineering (SE) approaches can be leveraged to model and analyze secure SoS solutions in order to predict high-impact (cascading) attacks at the architecture stage. To achieve this objective, we propose a Model Driven Engineering method, Systems-of-Systems Security (SoSSec), that comprises: (1) a modeling language (SoSSecML) for secure SoS modeling and (2) Multi-Agent Systems (MAS) for security analysis of SoS architectures. To illustrate the proposed approach in terms of modeling, simulating, and discovering attacks, we conducted a case study on a real-life smart building SoS, the Adelaide University Health and Medical School (AHMS). The results of this case study demonstrate that the proposed method discovers cascading attacks composed of a number of individual attacks, such as a Denial of Service, that arise from a succession of exploited vulnerabilities through interactions among the constituent systems of the SoS. In future work, we intend to extend SoSSec to address diverse unknown emergent behaviors and non-functional properties such as safety and trust.
