P2CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language

This paper presents the Predictive, Probabilistic Cyber Security Modeling Language (P$^{2}$CySeMoL), an attack graph tool that can be used to estimate the cyber security of enterprise architectures. P$^{2}$CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users must only model their assets and how these are connected in order to enable calculations. The performance of P$^{2}$CySeMoL enables quick calculations of large object models. It has been validated on both a component level and a system level using literature, domain experts, surveys, observations, experiments and case studies.
