Home List of Titles Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles
Please use this identifier to cite or link to this item: http://hdl.handle.net/1959.3/62498
- Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles
- Grunske, Lars; Joyce, David
- Systems and software architects require quantitative dependability evaluations, which allow them to compare the effect of their design decisions on dependability properties. For security, however, quantitative evaluations have proven difficult, especially for component-based systems. In this paper, we present a risk-based approach that creates modular attack trees for each component in the system. These modular attack trees are specified as parametric constraints, which allow quantifying the probability of security breaches that occur due to internal component vulnerabilities as well as vulnerabilities in the component's deployment environment. In the second case, attack probabilities are passed between system components as appropriate to model attacks that exploit vulnerabilities in multiple system components. The probability of a successful attack is determined with respect to a set of attack profiles that are chosen to represent potential attackers and corresponding environmental conditions. Based on these attack probabilities and the structure of the modular attack trees, risk measures can be estimated for the complete system and compared with the tolerable risk demanded by stakeholders. The practicability of this approach is demonstrated with an example that evaluates the confidentiality of a distributed document management system.
- Publication type
- Journal article
- Journal of Systems and Software, Vol. 81, no. 8 (Aug 2008), pp. 1327-1345
- Publication year
- Complete systems; Component-based systems; Composability; Confidentiality; Design decisions; Distributed document management; Engineering; Environmental conditioning; Information retrieval systems; Information services; Model-driven security evaluation; Parametric constraints; Privacy; Probability; Quantitative evaluation; Quantitative risk; Random processes; Risk; Risk assessment; Risk based approaches; Risk measures; Risk perception; Secrecy; Security breaches; Software design; SysML; System components; Systems-and-software
- Publisher URL
- Copyright © 2007 Elsevier. All rights reserved.
- Peer reviewed