Application of HAZOP to the Design of Cyber Security Experiments

Hazard and Operability (HAZOP) studies have been used extensively in chemical engineering and in the design of safety-critical systems. Their rigorous analysis, based on discovering deviations and hazards, makes them ideal for the study of designs and experiments with confounding variables. In this paper, the HAZOP methodology is applied to a case study of a network security experiment to reliably measure the IP tracking behavior of malicious websites using a low-interaction client honeypot. The experiment's design involves a large number of factors and components that could potentially introduce bias into the study and result in invalid analysis. We demonstrate that HAZOP can be applied to security experiments to create a proper experimental design and properly control potential bias of confounding variables.
