Application Vulnerabilities in Risk Assessment and Management

The Haruspex suite is an integrated set of tools that adopts a scenario approach to automate ICT risk assessment and management. Each scenario includes an ICT infrastructure under attack by some intelligent attackers, each with predefined goals. An attacker can reach its goals only by sequentially composing attacks; this sequential composition is what lets it overcome the complexity of the infrastructure and its large number of nodes. The suite applies a Monte Carlo method, running multiple simulations of the attacker behavior, to discover the attack sequences of each attacker. The simulation exploits a formal model of the target infrastructure that describes the infrastructure nodes, the vulnerabilities of the components these nodes run, and the logical topology. The multiple simulations of the Monte Carlo method support the discovery of alternative sequences and return a statistical sample of these sequences, from which statistics to assess and manage the risk are computed. This paper extends the original model of the infrastructure to describe more accurately how the implementation hierarchy and the interactions affect the attacks. After describing this extension, we show how it supports the modeling of web applications. Finally, we adopt the new model to assess a critical infrastructure that supervises and manages gas distribution.
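The following is an added toy illustration of the approach the abstract describes (a formal model of nodes, component vulnerabilities and logical topology; an attacker that composes attacks sequentially; Monte Carlo sampling of its sequences and of the resulting statistics). It is not code from the Haruspex suite or the paper's authors: the data structures, the sample three-tier infrastructure, the vulnerability labels V1..V6 and their success probabilities are all constructed here, and the attacker strategy (uniform choice among the attacks currently enabled by its privileges) is a simplifying assumption, not the suite's attacker model.

```python
"""Toy scenario-based Monte Carlo assessment (added example, not Haruspex code)."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vid: str             # constructed label, not a real CVE identifier
    requires: str        # privilege the attacker must hold on the node it attacks from
    grants: str          # privilege gained on the attacked node when the attempt succeeds
    p_success: float     # probability that one attempt succeeds (constructed value)
    local: bool = False  # True: privilege escalation on the node itself, not remote


@dataclass
class Infrastructure:
    vulns: dict   # node name -> list of Vulnerability exposed by the node's components
    links: set    # (src, dst) pairs of the logical topology: src can reach dst


@dataclass(frozen=True)
class Attacker:
    entry: str        # node the attacker controls at the start
    entry_priv: str   # privilege it holds there
    goal: tuple       # (node, privilege) that ends the attack


def enabled_attacks(infra, state):
    """Attacks that compose with the privileges held so far: (src, dst, vuln) such
    that the attacker holds vuln.requires on src, src reaches dst (src == dst for a
    local vuln) and vuln.grants is not yet held on dst."""
    out = []
    for src, privs in state.items():
        for dst, vlist in infra.vulns.items():
            for v in vlist:
                reachable = (src == dst) if v.local else ((src, dst) in infra.links)
                if reachable and v.requires in privs and v.grants not in state.get(dst, set()):
                    out.append((src, dst, v))
    return out


def simulate_once(infra, attacker, rng, max_steps=12):
    """One run of the attacker; returns (goal_reached, ids of the successful attacks in order).
    Assumption: each step the attacker picks uniformly among the enabled attacks."""
    state = {attacker.entry: {attacker.entry_priv}}
    goal_node, goal_priv = attacker.goal
    sequence = []
    for _ in range(max_steps):
        if goal_priv in state.get(goal_node, set()):
            return True, sequence
        choices = enabled_attacks(infra, state)
        if not choices:
            return False, sequence   # stuck: nothing composes with the privileges held
        _, dst, v = rng.choice(choices)
        if rng.random() < v.p_success:
            state.setdefault(dst, set()).add(v.grants)
            sequence.append(v.vid)
    return goal_priv in state.get(goal_node, set()), sequence


def monte_carlo(infra, attacker, runs=2000, seed=1, max_steps=12):
    """Repeat the simulation and return the sample statistics an assessment uses:
    the estimated probability of reaching the goal and the distinct sequences seen."""
    rng = random.Random(seed)
    sequences, reached = Counter(), 0
    for _ in range(runs):
        ok, seq = simulate_once(infra, attacker, rng, max_steps)
        if ok:
            reached += 1
            sequences[tuple(seq)] += 1
    return {"p_goal": reached / runs, "sequences": sequences}


def patch(infra, vid):
    """Risk management step: remove one vulnerability (e.g. deploy its fix) and
    return the updated model so the same scenario can be re-assessed."""
    return Infrastructure(
        vulns={n: [v for v in vl if v.vid != vid] for n, vl in infra.vulns.items()},
        links=set(infra.links))


# Constructed sample: Internet-facing web front end, application server, supervisory host.
SAMPLE = Infrastructure(
    vulns={
        "internet": [],
        "web": [Vulnerability("V1", "network", "user", 0.8),        # remote entry via the web app
                Vulnerability("V2", "user", "root", 0.5, local=True)],
        "app": [Vulnerability("V3", "user", "user", 0.7),           # web user -> app-tier service
                Vulnerability("V4", "root", "root", 0.9),           # credentials readable by web root
                Vulnerability("V6", "user", "root", 0.3, local=True)],
        "scada": [Vulnerability("V5", "root", "root", 0.6)],        # app root -> supervisor root
    },
    links={("internet", "web"), ("web", "app"), ("app", "scada")},
)
INTRUDER = Attacker(entry="internet", entry_priv="network", goal=("scada", "root"))

if __name__ == "__main__":
    before = monte_carlo(SAMPLE, INTRUDER)
    after = monte_carlo(patch(SAMPLE, "V2"), INTRUDER)   # assess one countermeasure
    print("p_goal before:", before["p_goal"], "after patching V2:", after["p_goal"])
    for seq, n in before["sequences"].most_common(3):
        print(n, "->".join(seq))
```

Running the module prints the estimated probability that the attacker reaches root on the supervisory host before and after one countermeasure, and the most frequent attack sequences; because the sample records every successful run, the same sample also shows which alternative sequences (through V4 or through V6) the attacker found.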
