Comparing Two Techniques for Intrusion Visualization

Various techniques have been proposed to model attacks on systems. To understand such attacks, and thereby propose effective mitigations, the sequence of steps in an attack should be analysed thoroughly. However, there is a lack of techniques for representing intrusion scenarios across a system architecture. This paper proposes a new technique called misuse sequence diagrams (MUSD). A MUSD represents the sequence of an attacker's interactions with system components and shows how those components were misused over time through the exploitation of their vulnerabilities. The paper investigates MUSD in a controlled experiment with 42 students, comparing it with a similar technique called misuse case maps (MUCM). The results suggest that the two techniques mostly perform equally well and that they are complementary with respect to architectural issues and temporal sequences of actions, though MUSD was perceived more favourably.