Mitigating multi-threats optimally in proactive threat management

In turbulent economic times, the cost effectiveness of security measures is of the utmost importance when designing safeguards or countermeasures. This paper presents an optimal approach, MMT-O (Mitigating Multi-Threats Optimally), to meet this challenge. The proposed approach is based on an optimum mitigation path set generation algorithm that provides optimal plans for threat/vulnerability management, which can be adopted at the design level of the software life cycle. In MMT-O, a multi-threat attack graph is generated by combining all of the individual threats responsible for security compromise of the system. Because an attack can be part of multiple threats, the approach removes redundant nodes to identify a unique set of attacks needing mitigation. The proposed algorithm, implemented in Java, provides the minimum mitigation paths that must be blocked to avert the threat. Countermeasures using a multi-agent system are inducted into these identified mitigation paths to avert the threat optimally. The proposed approach has been applied to different test cases, and the results validate its economic justification over traditional security solutions as a part of proactive threat management.
