Model-driven architectural risk analysis using architectural and contextualised attack patterns

Authors:
Shamal Faily;John Lyle;Cornelius Namiluko;Andrea Atzeni;Cesare Cameroni
Affiliations:
University of Oxford, Oxford, UK;University of Oxford, Oxford, UK;University of Oxford, Oxford, UK;Politecnico di Torino, Torino, Italy;Politecnico di Torino, Torino, Italy
Venue:
Proceedings of the Workshop on Model-Driven Security
Year:
2012

Citing 14
Cited 1

Design patterns: elements of reusable object-oriented software

Design patterns: elements of reusable object-oriented software
Pattern-oriented software architecture: a system of patterns

Pattern-oriented software architecture: a system of patterns
Integrating obstacles in goal-driven requirements engineering

Proceedings of the 20th international conference on Software engineering
The Persona Lifecycle: Keeping People in Mind Throughout Product Design

The Persona Lifecycle: Keeping People in Mind Throughout Product Design
Software Security: Building Security In

Software Security: Building Security In
Software Abstractions: Logic, Language, and Analysis

Software Abstractions: Logic, Language, and Analysis
Requirements Engineering

Requirements Engineering
A meta-model for usable secure requirements engineering

Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems
Security in Context: Analysis and Refinement of Software Architectures

COMPSAC '10 Proceedings of the 2010 IEEE 34th Annual Computer Software and Applications Conference
Model-Driven Risk Analysis: The CORAS Approach

Model-Driven Risk Analysis: The CORAS Approach
User-Centered Information Security Policy Development in a Post-Stuxnet World

ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security
Here's Johnny: A Methodology for Developing Attacker Personas

ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security
Combining Goal Models, Expert Elicitation, and Probabilistic Simulation for Qualification of New Technology

HASE '11 Proceedings of the 2011 IEEE 13th International Symposium on High-Assurance Systems Engineering
Cross-Platform Access Control for Mobile Web Applications

POLICY '12 Proceedings of the 2012 IEEE International Symposium on Policies for Distributed Systems and Networks

Guidelines for integrating personas into software engineering tools

Proceedings of the 5th ACM SIGCHI symposium on Engineering interactive computing systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

A secure system architecture is often based on a variety of design and security model elements. Without some way of evaluating the impact of these individual design elements in the face of possible attacks, design flaws may weaken a software architecture. This paper illustrates how architectural and contextualised attack patterns can be used to formalise the elements of architectural attacks and possible defences. We illustrate how these patterns, and tool-support building upon them, can be used to automate an architectural risk analysis process. We demonstrate this approach using an example from the EU FP7 webinos project.