A practical approach to security assessment
NSPW '97 Proceedings of the 1997 workshop on New security paradigms
A graph-based system for network-vulnerability analysis
Proceedings of the 1998 workshop on New security paradigms
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Model-Based Evaluation: From Dependability to Security
IEEE Transactions on Dependable and Secure Computing
Ariadne: a secure on-demand routing protocol for ad hoc networks
Wireless Networks
A scalable approach to attack graph generation
Proceedings of the 13th ACM conference on Computer and communications security
Practical Attack Graph Generation for Network Defense
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Measuring the overall security of network configurations using attack graphs
Proceedings of the 21st annual IFIP WG 11.3 working conference on Data and applications security
Layering in provenance systems
USENIX'09 Proceedings of the 2009 conference on USENIX Annual technical conference
Energy theft in the advanced metering infrastructure
CRITIS'09 Proceedings of the 4th international conference on Critical information infrastructures security
Business Process-Based Information Security Risk Assessment
NSS '10 Proceedings of the 2010 Fourth International Conference on Network and System Security
Modeling and analyzing faults to improve election process robustness
EVT/WOTE'10 Proceedings of the 2010 international conference on Electronic voting technology/workshop on trustworthy elections
Automatic Generation of Service Availability Models
IEEE Transactions on Services Computing
Foundations of attack-defense trees
FAST'10 Proceedings of the 7th International conference on Formal aspects of security and trust
IEEE Transactions on Software Engineering
Applying a reusable election threat model at the county level
EVT/WOTE'11 Proceedings of the 2011 conference on Electronic voting technology/workshop on trustworthy elections
Model-based Security Metrics Using ADversary VIew Security Evaluation (ADVISE)
QEST '11 Proceedings of the 2011 Eighth International Conference on Quantitative Evaluation of SysTems
ICISC'05 Proceedings of the 8th international conference on Information Security and Cryptology
A systematic process-model-based approach for synthesizing attacks and evaluating them
EVT/WOTE'12 Proceedings of the 2012 international conference on Electronic Voting Technology/Workshop on Trustworthy Elections
Quantitative questions on attack: defense trees
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Hi-index | 0.00 |
In this paper we advocate the use of workflow---describing how a system provides its intended functionality---as a pillar of cybersecurity analysis and propose a holistic workflow-oriented assessment framework. While workflow models are currently used in the area of performance and reliability assessment, these approaches are designed neither to assess a system in the presence of an active attacker, nor to assess security aspects such as confidentiality. On the other hand, existing security assessment methods typically focus on modeling the active attacker (e.g., attack graphs), but many rely on restrictive models that are not readily applicable to complex (e.g., cyber-physical or cyber-human) systems. By "going with the flow," our assessment framework can naturally adopt a holistic view of such systems, unifying information about system components, their properties, and possible attacks to argue about a security goal. The argument is expressed in a graph structure, based on inputs from several distinct classes that are integrated in a systematic manner. That rigorous structure allows our approach to provide quantitative assessment in an automated fashion (like reliability assessment tools and attack graphs), while maintaining a broad assessment scope. We demonstrate our security assessment process using the case of Advanced Metering Infrastructure in a smart power grid and obtain quantitative results for system availability and confidentiality.