Visualizing Cyber Attacks with Misuse Case Maps

  • Peter Karpati
  • Guttorm Sindre
  • Andreas L. Opdahl
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6182)


[Context and motivation] In the development of secure software, work on requirements and on architecture need to be closely intertwined, because possible threats and the chosen architecture depend on each other mutually. [Question/problem] Nevertheless, most security requirement techniques do not take architecture into account. The transition from security requirements to secure architectures is left to security experts and software developers, excluding domain experts and other groups of stakeholders from discussions of threats, vulnerabilities and mitigations in an architectural context. [Principal idea/results] The paper introduces misuse case maps, a new modelling technique that is the anti-behavioural complement to use case maps. The purpose of the new technique is to visualize how cyber attacks are performed in an architectural context. [Contribution] The paper investigates what a misuse case map notation might look like. A preliminary evaluation suggests that misuse case maps may indeed make it easier for less experienced stakeholders to gain an understanding of multi-stage intrusion scenarios.


security requirements elicitation misuse case use case map misuse case map 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Barnum, S., Sethi, A.: Attack Patterns as a Knowledge Resource for Building Secure Software. In: OMG Software Assurance Workshop (2007)Google Scholar
  2. 2.
    Koziol, J., et al.: The shellcoder’s handbook: discovering and exploiting security holes. John Wiley & Sons, Chichester (2004)Google Scholar
  3. 3.
    Hoglund, G., McGraw, G.: Exploiting Software: How to Break Code. Addison-Wesley, Boston (2004)Google Scholar
  4. 4.
    Amyot, D.: Use Case Maps Quick Tutorial (1999),
  5. 5.
    Buhr, R., Casselman, R.: Use case maps for object-oriented systems. Prentice-Hall, Inc., Upper Saddle River (1995)Google Scholar
  6. 6.
    Mitnick, K.D., Simon, W.L.: The art of intrusion: the real stories behind the exploits of hackers, intruders & deceivers. Wiley, Chichester (2005)Google Scholar
  7. 7.
    Schneier, B.: Secrets & lies: digital security in a networked world. John Wiley & Sons, Chichester (2000)Google Scholar
  8. 8.
    Amoroso, E.G.: Fundamentals of computer security technology. Prentice-Hall, Inc., Upper Saddle River (1994)zbMATHGoogle Scholar
  9. 9.
    Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: Proc. RE 2003, vol. 3, pp. 151–161 (2003)Google Scholar
  10. 10.
    Lin, L., et al.: Using abuse frames to bound the scope of security problems (2004)Google Scholar
  11. 11.
    McDermott, J., Fox, C.: Using abuse case models for security requirements analysis (1999)Google Scholar
  12. 12.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Engineering 10(1), 34–44 (2005)CrossRefGoogle Scholar
  13. 13.
    Firesmith, D.J.: Security use cases. Technology 2(3) (2003)Google Scholar
  14. 14.
    Giorgini, P., et al.: Modeling security requirements through ownership, permission and delegation. In: Proc. of RE, vol. 5, pp. 167–176 (2005)Google Scholar
  15. 15.
    Van Lamsweerde, A., et al.: From system goals to intruder anti-goals: attack generation and resolution for security requirements engineering. In: Requirements Engineering for High Assurance Systems (RHAS 2003), vol. 2003, p. 49 (2003)Google Scholar
  16. 16.
    Dimitrakos, T., et al.: Integrating model-based security risk management into eBusiness systems development: The CORAS approach. In: Monteiro, J.L., Swatman, P.M.C., Tavares, L.V. (eds.) Proc. 2nd Conference on E-Commerce, E-Business, E-Government (I3E 2002), pp. 159–175. Kluwer, Lisbon (2002)Google Scholar
  17. 17.
    Jurjens, J.: UMLsec: Extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002)Google Scholar
  18. 18.
    Lodderstedt, T., et al.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S., et al. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)Google Scholar
  19. 19.
    Rodriguez, A., Fernandez-Medina, E., Piattini, M.: Towards an integration of security requirements into business process modeling. In: Proc. of WOSIS, vol. 5, pp. 287–297 (2005)Google Scholar
  20. 20.
    Rodriguez, A., Fernandez-Medina, E., Piattini, M.: Capturing Security Requirements in Business Processes Through a UML 2.0 Activity Diagrams Profile. In: Roddick, J., Benjamins, V.R., Si-said Cherfi, S., Chiang, R., Claramunt, C., Elmasri, R.A., Grandi, F., Han, H., Hepp, M., Lytras, M.D., Mišić, V.B., Poels, G., Song, I.-Y., Trujillo, J., Vangenot, C. (eds.) ER Workshops 2006. LNCS, vol. 4231, pp. 32–42. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  21. 21.
    Schumacher, M., et al.: Security Patterns: Integrating Security and Systems Engineering. Wiley, Chichester (2005)Google Scholar
  22. 22.
    Boswell, A.: Specification and validation of a security policy model. IEEE Transactions on Software Engineering 21(2), 63–68 (1995)CrossRefGoogle Scholar
  23. 23.
    Hall, A., Chapman, R.: Correctness by construction: Developing a commercial secure system. IEEE Software, 18–25 (2002)Google Scholar
  24. 24.
    Buhr, R.J.A.: Use case maps for attributing behaviour to system architecture. In: 4th International Workshop of Parallel and Distributed Real-Time Systems (1996)Google Scholar
  25. 25.
    Buhr, R.J.A.: Use case maps as architectural entities for complex systems. IEEE Transactions on Software Engineering 24(12), 1131–1155 (1998)CrossRefGoogle Scholar
  26. 26.
    Woodside, M., Petriu, D., Siddiqui, K.: Performance-related completions for software specifications. In: 24th International Conference on Software Engineering (2002)Google Scholar
  27. 27.
    Liu, X., Peyton, L., Kuziemsky, C.: A Requirement Engineering Framework for Electronic Data Sharing of Health Care Data Between Organizations. In: MCETECH (2009)Google Scholar
  28. 28.
    Mussbacher, G., Amyot, D., Weiss, M.: Visualizing Early Aspects with Use Case Maps. In: Rashid, A., Aksit, M. (eds.) Transactions on AOSD III. LNCS, vol. 4620, pp. 105–143. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  29. 29.
    Wu, W., Kelly, T.P.: Deriving safety requirements as part of system architecture definition. In: Proceedings of the 24th International System Safety Conference, Albuquerque (2006)Google Scholar
  30. 30.
    Wu, W., Kelly, T.: Managing Architectural Design Decisions for Safety-Critical Software Systems. In: Hofmeister, C., Crnković, I., Reussner, R. (eds.) QoSA 2006. LNCS, vol. 4214, pp. 59–77. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  31. 31.
    Alexander, I.: Misuse cases: Use cases with hostile intent. IEEE Software 20(1), 58–66 (2003)CrossRefGoogle Scholar
  32. 32.
    Sindre, G.: A look at misuse cases for safety concerns. International Federation for Information Processing Publications - IFIP, vol. 244, p. 252 (2007)Google Scholar
  33. 33.
    Stålhane, T., Sindre, G.: A comparison of two approaches to safety analysis based on use cases. In: Parent, C., Schewe, K.-D., Storey, V.C., Thalheim, B. (eds.) ER 2007. LNCS, vol. 4801, pp. 423–437. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  34. 34.
    Stålhane, T., Sindre, G.: Safety Hazard Identification by Misuse Cases: Experimental Comparison of Text and Diagrams. In: Czarnecki, K., Ober, I., Bruel, J.-M., Uhl, A., Völter, M. (eds.) MODELS 2008. LNCS, vol. 5301, pp. 721–735. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  35. 35.
    Sindre, G., Opdahl, A.L.: Misuse Cases for Identifying System Dependability Threats. Journal of Information Privacy and Security 4(2), 3–22 (2008)Google Scholar
  36. 36.
    Diallo, M.H., et al.: A comparative evaluation of three approaches to specifying security requirements. In: Proc. REFSQ 2006, Luxembourg (2006)Google Scholar
  37. 37.
    Opdahl, A.L., Sindre, G.: Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology 51(5), 916–932 (2009)CrossRefGoogle Scholar
  38. 38.
    Davis, F.D.: Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS quarterly 13(3), 319–340 (1989)CrossRefGoogle Scholar
  39. 39.
    Lindqvist, U., Cheung, S., Valdez, R.: Correlated Attack Modeling, CAM (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Peter Karpati
    • 1
  • Guttorm Sindre
    • 1
  • Andreas L. Opdahl
    • 2
  1. 1.Department of Computer and Information ScienceNorwegian University of Science and TechnologyTrondheimNorway
  2. 2.Department of Information Science and Media StudiesUniversity of BergenBergenNorway

Personalised recommendations