
On Security Countermeasures Ranking through Threat Analysis

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2014)

Abstract

Security analysis and design are key activities for the protection of critical systems and infrastructures. Traditional approaches first apply a qualitative threat assessment that identifies the attack points; the results are then used as input for the security design, so that appropriate countermeasures are selected. In this paper we propose a novel approach for the selection and ranking of security controlling strategies, driven by quantitative threat analysis based on attack graphs. It consists of two main steps: i) a threat analysis, performed to evaluate attack points and paths, identifying those that are feasible, and to rank attack costs from the perspective of an attacker; ii) an evaluation of controlling strategies, to derive the appropriate monitoring rules and select countermeasures, based upon the provided values and ranks. Exploiting such threat analysis makes it possible to compare different controlling strategies and to select the one that best fits the given set of functional and security requirements. To exemplify our approach, we adopt part of an electrical power system, the Customer Energy Management System (CEMS), as a reference scenario to which the steps of threat analysis and security strategies are applied.

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Nostro, N., Matteucci, I., Ceccarelli, A., Di Giandomenico, F., Martinelli, F., Bondavalli, A. (2014). On Security Countermeasures Ranking through Threat Analysis. In: Bondavalli, A., Ceccarelli, A., Ortmeier, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2014. Lecture Notes in Computer Science, vol 8696. Springer, Cham. https://doi.org/10.1007/978-3-319-10557-4_27

  • DOI: https://doi.org/10.1007/978-3-319-10557-4_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-10556-7

  • Online ISBN: 978-3-319-10557-4

  • eBook Packages: Computer Science, Computer Science (R0)
