Comparing Two Techniques for Intrusion Visualization

  • Vikash Katta
  • Peter Karpati
  • Andreas L. Opdahl
  • Christian Raspotnig
  • Guttorm Sindre
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 68)


Various techniques have been proposed to model attacks on systems. In order to understand such attacks and thereby propose efficient mitigations, the sequence of steps in the attack should be analysed thoroughly. However, there is a lack of techniques to represent intrusion scenarios across a system architecture. This paper proposes a new technique called misuse sequence diagrams (MUSD). MUSD represents the sequence of attacker interactions with system components and how they were misused over time by exploiting their vulnerabilities. The paper investigates MUSD in a controlled experiment with 42 students, comparing it with a similar technique called misuse case maps (MUCM). The results suggest that the two mostly perform equally well and they are complementary regarding architectural issues and temporal sequences of actions though MUSD was perceived more favourably.


requirements engineering security experiment threat modeling 


  1. 1.
    Aagedal, J.Ø., et al.: Model-based Risk Assessment to Improve Enterprise Security. In: Proceedings of the Sixth International Enterprise Distributed Object Computing Conference (EDOC 2002). IEEE, Los Alamitos (2002)Google Scholar
  2. 2.
    Mitnick, K.D., Simon, W.L.: The Art of Intrusion. Wiley Publishing Inc., Chichester (2006)Google Scholar
  3. 3.
    Schneier, B.: Secrets and Lies: Digital Security in a Networked World. Wiley, Chichester (2000)Google Scholar
  4. 4.
    Sindre, G., Opdahl, A.L.: Eliciting Security Requirements with Misuse Cases. Requirements Engineering 10(1), 34–44 (2005)CrossRefGoogle Scholar
  5. 5.
    Karpati, P., Sindre, G., Opdahl, A.L.: Illustrating Cyber Attacks with Misuse Case Maps. Accepted to 16th International Working Conference on Requirements Engineering: Foundation for Software Quality, RefsQ 2010 (2010)Google Scholar
  6. 6.
    Karpati, P., Opdahl, A.L., Sindre, G.: Experimental evaluation of misuse case maps for eliciting security requirements. Submitted to 18th IEEE International Conference on Requirements Engineering, RE 2010 (2010)Google Scholar
  7. 7.
    Unified Modeling Language, (accessed 4.6.2010)
  8. 8.
    Internet Security Glossary, (accessed 22.6.2010)
  9. 9.
    Opdahl, A.L., Sindre, G.: Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology 51(5), 916–932 (2009)CrossRefGoogle Scholar
  10. 10.
    Buhr, R.J.A.: Use Case Maps: A New Model to Bridge the Gap Between Requirements and Detailed Design. In: 11th Annual ACM Conference on Object-Oriented Programming Systems, Languages and Applications (OOPSLA 1995), Real Time Workshop, p. 4 (1995)Google Scholar
  11. 11.
    Markose, S., Xiaoqing, L., McMillin, B.: A Systematic Framework for Structured Object-Oriented Security Requirements Analysis in Embedded Systems. In: IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, vol. 1, pp. 75–81 (2008)Google Scholar
  12. 12.
    Georg, G., Ray, I., Anastasakis, K., Bordbar, B., Toahchoodee, M., Houmb, S.H.: An aspect-oriented methodology for designing secure applications. Information and Software Technology 51, 846–864 (2009)CrossRefGoogle Scholar
  13. 13.
    Redmill, F., Chudleigh, M., Catmur, J.: Hazop and software Hazop. Wiley, Chichester (1999)Google Scholar
  14. 14.
    IEC 61025: Fault tree analysis (FTA), IEC Standard (2006)Google Scholar
  15. 15.
    Runde, R.K., Haugen, Ø., Stølen, K.: The Pragmatics of STAIRS, Research Report 349 (January 2007) Google Scholar
  16. 16.
    Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)Google Scholar
  17. 17.
  18. 18.
    Davis, F.D.: Perceived usefulness, perceived ease of use and user acceptance of information technology. MIS Quarterly 13, 319–340 (1989)CrossRefGoogle Scholar
  19. 19.
    Cohen, J.: Statistical power analysis for the behavioral sciences, 2nd edn. Lawrence Erlbaum, New Jersey (1988)Google Scholar
  20. 20.
    Hopkins, W.G.: A New View of Statistics. University of Queensland, Brisbane (2001)Google Scholar
  21. 21.
    Wohlin, C., Runeson, P., Höst, M., Ohlsson, M.C., Regnell, B., Wesslén, A.: Experimentation in Software Engineering: An Introduction. Kluwer Academic, Norwell (2000)Google Scholar
  22. 22.
    Arisholm, E., Sjøberg, D.I.K.: Evaluating the effect of a delegated versus centralized control style on the maintainability of object-oriented software. IEEE Transactions on Software Engineering 30, 521–534 (2004)CrossRefGoogle Scholar
  23. 23.
    Venkatesh, V., Morris, M.G., Davis, G.B., Davis, F.D.: User acceptance of information technology: Toward a unified view. MIS Quarterly 27(3), 425–478 (2003)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2010

Authors and Affiliations

  • Vikash Katta
    • 1
    • 3
  • Peter Karpati
    • 1
  • Andreas L. Opdahl
    • 2
  • Christian Raspotnig
    • 2
    • 3
  • Guttorm Sindre
    • 1
  1. 1.Norwegian University of Science and TechnologyTrondheimNorway
  2. 2.University of BergenBergenNorway
  3. 3.Institute for Energy TechnologyHaldenNorway

Personalised recommendations