Threat Assessment of Enterprise Applications via Graphical Modelling

Cyber resiliency has been a very challenging area of engineering research. Several case studies have assessed the cyber resiliency of enterprise business applications by applying attack graphs. The challenge of automation lies in extracting, from a general business enterprise system, the distinct layers (asset layer, service layer, business-process task layer, etc.) so that the task dependencies can be integrated with a formal vulnerability specification to arrive at attack graphs. In this paper, we develop a model for threat analysis of an enterprise from a given set of vulnerabilities in the various layers of its business process. Starting from the business process model (BPMN) of the given enterprise, we first obtain its task dependency graph, and from that the hierarchical dependency graph consisting of the asset, service and business-process layers. From this dependency graph and the vulnerability specifications we obtain a logical specification of vulnerability/threat propagation, from which multi-step, multi-stage attacks are derived using MulVAL (http://people.cs.ksu.edu/xou/argus/software/mulval).
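The following is an added illustration, not the paper's own model or MulVAL code: a small least-fixed-point engine over the three layers the abstract names (asset, service, business-process task), with constructed propagation rules and a hypothetical toy enterprise. It shows how a host-level vulnerability set is carried up through service hosting, service dependencies and BPMN task ordering to the set of impacted business tasks, and it records each derivation so the result doubles as the attack graph's edge set.

```python
"""Multi-layer threat propagation in the style of the MulVAL-based derivation the
abstract describes. Added example: rules and the toy enterprise are constructed."""
# Constructed facts for a toy enterprise: asset, service and business-process layers.
HOSTED_ON = {"web": "dmz-host", "erp": "app-host", "hr": "app-host", "db": "db-host"}
SERVICE_DEPS = {"erp": ["db"], "web": ["erp"]}          # service -> services it calls
TASK_USES = {"order-entry": ["web"], "invoice": ["erp"],  # BPMN task -> services used
             "ship": [], "payroll": ["hr"]}
TASK_DEPS = {"invoice": ["order-entry"], "ship": ["invoice"]}  # BPMN task -> predecessors
REACHABLE = {("internet", "dmz-host"), ("dmz-host", "app-host"), ("app-host", "db-host")}
VULNS = {"dmz-host": "VULN-PLACEHOLDER-A", "app-host": "VULN-PLACEHOLDER-B"}  # remotely exploitable
INITIAL = {"internet"}  # attacker's starting position (hypothetical)

def propagate(vulns=VULNS, initial=INITIAL):
    """Least fixed point over the layered rules. Returns derived fact -> (rule, premises),
    which is exactly the edge set of the resulting attack graph."""
    derived = {("compromised", a): ("initial", ()) for a in initial}
    changed = True

    def add(fact, rule, *premises):
        nonlocal changed
        if fact not in derived:          # keep the first derivation found
            derived[fact] = (rule, premises)
            changed = True

    while changed:
        changed = False
        # Asset layer: a vulnerable host reachable from a compromised host is compromised.
        for src, dst in REACHABLE:
            if ("compromised", src) in derived and dst in vulns:
                add(("compromised", dst), "exploit", ("compromised", src), ("vuln", dst, vulns[dst]))
        # Service layer: services on compromised hosts, then services that depend on them.
        for svc, host in HOSTED_ON.items():
            if ("compromised", host) in derived:
                add(("service_impacted", svc), "hosted_on", ("compromised", host))
        for svc, deps in SERVICE_DEPS.items():
            for dep in deps:
                if ("service_impacted", dep) in derived:
                    add(("service_impacted", svc), "service_dep", ("service_impacted", dep))
        # Business-process layer: tasks using impacted services, then downstream tasks.
        for task, svcs in TASK_USES.items():
            for svc in svcs:
                if ("service_impacted", svc) in derived:
                    add(("task_impacted", task), "task_uses", ("service_impacted", svc))
        for task, preds in TASK_DEPS.items():
            for pred in preds:
                if ("task_impacted", pred) in derived:
                    add(("task_impacted", task), "task_dep", ("task_impacted", pred))
    return derived

def impacted_tasks(vulns=VULNS, initial=INITIAL):
    """Business-process tasks reachable by a multi-step attack under the given vulnerabilities."""
    return sorted(name for kind, name in propagate(vulns, initial) if kind == "task_impacted")
```

Re-running with only the DMZ host vulnerable shows the point of the task layer: the ERP host is no longer compromised, yet `invoice` and `ship` remain impacted because the BPMN dependency chain carries the impact downstream from `order-entry`, while the independent `payroll` task is cleared.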
