Abstract
Security analysis of complex systems has become a major concern, and much work has been done to reduce vulnerabilities in such systems. However, existing methods for holistic security assessment are still poorly instrumented and limited in scope. In this work, we propose a methodology and an associated framework for security analysis. The methodology relies on a model-driven engineering approach and combines two types of methods: a qualitative method, EBIOS, which is usually simple and helps to identify critical parts of the system; and a quantitative method, Attack Trees, which is more complex but gives more accurate results. We present the automatic generation of Attack Trees from the EBIOS analysis phase and show, on a SCADA system case study, how our process can be applied.
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Abdallah, R., Motii, A., Yakymets, N., Lanusse, A. (2015). Using Model Driven Engineering to Support Multi-paradigms Security Analysis. In: Desfray, P., Filipe, J., Hammoudi, S., Pires, L. (eds) Model-Driven Engineering and Software Development. MODELSWARD 2015. Communications in Computer and Information Science, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-319-27869-8_16
DOI: https://doi.org/10.1007/978-3-319-27869-8_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27868-1
Online ISBN: 978-3-319-27869-8
eBook Packages: Computer Science (R0)