Threat modeling-oriented attack path evaluating algorithm

Xiaohong Li, Ran Liu, Zhiyong Feng, Ke He

Transactions of Tianjin University, 2009, Vol. 15, Issue 3: 162-167. DOI: 10.1007/s12209-009-0029-y


Abstract

In order to evaluate all attack paths in a threat tree, a weight distribution algorithm for the root node of the threat tree is designed on the basis of threat modeling theory; it computes the threat coefficients of the leaf nodes from two factors, the possibility that the threat occurs and the degree of damage. In addition, an algorithm for searching attack paths is derived from the definition of an attack path. Finally, an attack path evaluation system was implemented which outputs the threat coefficients of the leaf nodes in a target threat tree, the weight distribution information, and the attack paths. An example threat tree is given to verify the effectiveness of the algorithms.
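The following is an added illustration of the two ideas the abstract names, enumerating every attack path of an AND/OR threat tree and scoring each path from leaf occurrence possibility and degree of damage; it is not the paper's own algorithm or data. The sample tree, the leaf values, and the way the two factors are combined (product for the leaf coefficient; possibilities multiplied and worst damage taken along a path) are assumptions made here, and the paper's root-node weight distribution is not reproduced.

```python
from itertools import product

# Constructed AND/OR threat tree (not from the paper). Leaves carry the two
# factors the abstract mentions: occurrence possibility and degree of damage,
# both scaled to 0..1.
THREAT_TREE = {
    "steal_session": ("OR", ["xss_cookie_theft", "sniff_cleartext"]),
    "xss_cookie_theft": ("AND", ["find_xss", "lure_victim"]),
    "sniff_cleartext": ("AND", ["join_network", "no_tls"]),
    "find_xss": ("LEAF", (0.6, 0.7)),
    "lure_victim": ("LEAF", (0.4, 0.7)),
    "join_network": ("LEAF", (0.3, 0.9)),
    "no_tls": ("LEAF", (0.2, 0.9)),
}

def leaf_threat_coefficient(possibility, damage):
    """Assumed leaf coefficient: occurrence possibility times degree of damage."""
    return round(possibility * damage, 4)

def attack_paths(tree, node):
    """Return every attack path below `node` as a sorted tuple of leaf names.
    OR: any one child's path suffices; AND: one path from each child is combined."""
    kind, body = tree[node]
    if kind == "LEAF":
        return [(node,)]
    if kind == "OR":
        return [p for child in body for p in attack_paths(tree, child)]
    if kind == "AND":
        combos = product(*(attack_paths(tree, child) for child in body))
        return [tuple(sorted(set(sum(combo, ())))) for combo in combos]
    raise ValueError(f"unknown node kind {kind!r} at {node}")

def path_threat_coefficient(tree, path):
    """Assumed path score: every leaf on the path must occur, so their
    possibilities multiply; the path's damage is its worst leaf damage."""
    possibility, damage = 1.0, 0.0
    for leaf in path:
        p, d = tree[leaf][1]
        possibility *= p
        damage = max(damage, d)
    return round(possibility * damage, 4)

def evaluate(tree, root):
    """Rank all attack paths from `root`, highest threat coefficient first."""
    paths = attack_paths(tree, root)
    return sorted(((path_threat_coefficient(tree, p), p) for p in paths), reverse=True)

if __name__ == "__main__":
    for score, path in evaluate(THREAT_TREE, "steal_session"):
        print(score, " + ".join(path))
```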

Keywords

attack tree / attack path / threat modeling / threat coefficient / attack path evaluation

Cite this article

Xiaohong Li, Ran Liu, Zhiyong Feng, Ke He. Threat modeling-oriented attack path evaluating algorithm. Transactions of Tianjin University, 2009, 15(3): 162-167 DOI:10.1007/s12209-009-0029-y


