Software Threat Modeling: Types and Techniques

Security plays a major role in the development of secure software systems and should be integrated into all stages of the Software Development Life Cycle (SDLC). Attacks on vulnerable software are increasing day by day, and most of them are the result of insecure configuration of software. Software developers should therefore design software with security in mind and reduce security flaws in the early stages of the SDLC so that secure software is developed. In this paper, we present a review of some approaches used to introduce and fix threats, along with their advantages and disadvantages. Statistical techniques, neural networks, fuzzy logic, genetic algorithms and neuro-fuzzy systems are some of the techniques used for software threat modeling.
