Modelling Social-Technical Attacks with Timed Automata

Attacks on a system often exploit vulnerabilities that arise from human behaviour or other human activity. Attacks of this type, so-called socio-technical attacks, cover everything from social engineering to insider attacks, and they can have a devastating impact on an unprepared organisation. In this paper we develop an approach towards modelling socio-technical systems in general and socio-technical attacks in particular, using timed automata and illustrate its application by a complex case study. Thanks to automated model checking and automata theory, we can automatically generate possible attacks in our model and perform analysis and simulation of both model and attack, revealing details about the specific interaction between attacker and victim. Using timed automata also allows for intuitive modelling of systems, in which quantities like time and cost can be easily added and analysed.

[1]  Flemming Nielson,et al.  Automated Generation of Attack Trees , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[2]  Bruce Schneier,et al.  Toward a secure system engineering methodolgy , 1998, NSPW '98.

[3]  Sjouke Mauw,et al.  Foundations of Attack Trees , 2005, ICISC.

[4]  Christian W. Probst,et al.  An extensible analysable system model , 2008, Inf. Secur. Tech. Rep..

[5]  Kim G. Larsen,et al.  A Tutorial on Uppaal , 2004, SFM.

[6]  Wenke Lee,et al.  Attack plan recognition and prediction using causal networks , 2004, 20th Annual Computer Security Applications Conference.

[7]  Florian Kammüller,et al.  Attack Tree Generation by Policy Invalidation , 2015, WISTP.

[8]  Barbara Kordy,et al.  DAG-based attack and defense modeling: Don't miss the forest for the attack trees , 2013, Comput. Sci. Rev..

[9]  Wolter Pieters,et al.  Representing Humans in System Security Models: An Actor-Network Approach , 2011, J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl..

[10]  Florian Kammüller,et al.  Invalidating Policies using Structural Information , 2013, 2013 IEEE Security and Privacy Workshops.

[11]  Pieter H. Hartel,et al.  Portunes: Representing Attack Scenarios Spanning through the Physical, Digital and Social Domain , 2010, ARSPA-WITS.

[12]  Lorena Montoya The TREsPASS project , 2013 .

[13]  Florian Kammüller,et al.  Combining Generated Data Models with Formal Invalidation for Insider Threat Analysis , 2014, 2014 IEEE Security and Privacy Workshops.