pwnPr3d: An Attack-Graph-Driven Probabilistic Threat-Modeling Approach

In this paper we introduce pwnPr3d, a probabilistic threat modeling approach for automatic attack graph generation based on network modeling. The aim is to provide stakeholders in organizations with a holistic approach that offers both a high-level overview and technical details. Unlike many other threat modeling and attack graph approaches that rely heavily on manual work and security expertise, our language comes with built-in security analysis capabilities. pwnPr3d generates probability distributions over the time to compromise assets.
