Run-Time Risk Management in Adaptive ICT Systems

We will present results of the SERSCIS project related to risk management and mitigation strategies in adaptive multi-stakeholder ICT systems. The SERSCIS approach involves using semantic threat models to support automated design-time threat identification and mitigation analysis. The focus of this paper is the use of these models at run-time for automated threat detection and diagnosis. This is based on a combination of semantic reasoning and Bayesian inference applied to run-time system monitoring data. The resulting dynamic risk management approach is compared to a conventional ISO 27000 type approach, and validation test results presented from an Airport Collaborative Decision Making (A-CDM) scenario involving data exchange between multiple airport service providers.

[1]  Christopher J. Alberts,et al.  Managing Information Security Risks: The OCTAVE Approach , 2002 .

[2]  Ketil Stølen,et al.  A graphical approach to risk identification, motivated by empirical investigations , 2006, MoDELS'06.

[3]  James Stevens,et al.  Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process , 2007 .

[4]  Myong H. Kang,et al.  Security Ontology to Facilitate Web Service Description and Discovery , 2007, J. Data Semant..

[5]  Grenville J. Armitage,et al.  A survey of techniques for internet traffic classification using machine learning , 2008, IEEE Communications Surveys & Tutorials.

[6]  David Welch,et al.  Approximate Bayesian computation scheme for parameter inference and model selection in dynamical systems , 2009, Journal of The Royal Society Interface.

[7]  Haralambos Mouratidis,et al.  Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development , 2008, CAiSE.

[8]  Stefan Fenz,et al.  Formalizing information security knowledge , 2009, ASIACCS '09.

[9]  Nargiza Bekmamedova,et al.  An Ontology-Driven Approach Applied to Information Security , 2010, J. Res. Pract. Inf. Technol..

[10]  Rafael Valencia-García,et al.  Basis for an integrated security ontology according to a systematic review of existing proposals , 2011, Comput. Stand. Interfaces.

[11]  Stefan Fenz,et al.  An ontology- and Bayesian-based approach for determining threat probabilities , 2011, ASIACCS '11.

[12]  Nikitas Nikitakos,et al.  An Intelligent Fault Monitoring and Risk Management Tool for Complex Critical Infrastructures: The SERSCIS Approach in Air-Traffic Surface Control , 2012, 2012 UKSim 14th International Conference on Computer Modelling and Simulation.

[13]  Indrajit Ray,et al.  Dynamic Security Risk Management Using Bayesian Attack Graphs , 2012, IEEE Transactions on Dependable and Secure Computing.

[14]  Bassem Nasser,et al.  SERSCIS: Semantic Modelling of Dynamic, Multi-Stakeholder Systems , 2012 .

[15]  Imed El Fray,et al.  A Comparative Study of Risk Assessment Methods, MEHARI & CRAMM with a New Formal Model of Risk Assessment (FoMRA) in Information Systems , 2012, CISIM.