Threat Assessment of Enterprise Applications via Graphical Modelling

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11928)

Abstract

Cyber resiliency has been a very challenging area of engineering research. Several case studies have assessed the cyber resiliency of enterprise business applications through the application of attack graphs. The challenge of automation lies in extracting, from a general business enterprise system, the distinct layers such as the asset layer, service layer and business process task layer, so that the task dependencies together with a formal vulnerability specification can be integrated to arrive at attack graphs. In this paper, we develop a model for threat analysis of an enterprise from a set of given vulnerabilities in various layers of the business process. Starting from the business process model (BPMN) of the given enterprise, we first obtain its task dependency graph and then the hierarchical dependency graph consisting of the asset, service and business process layers. From the dependency graph and the vulnerability specifications we obtain a logical specification of vulnerability/threat propagation for deriving multi-step, multi-stage attacks using MulVAL (MulVAL: http://people.cs.ksu.edu/xou/argus/software/mulval).

The attack graph generated by MulVAL is imported into the graph database Neo4J so that an online/real-time, flexible analysis of vulnerability/threat propagation can be done. We further demonstrate how, with additional inputs, it is possible to realize risk analysis of the system. Thus, our integrated model makes threat analysis both re-configurable and scalable. We illustrate the application of our approach to enterprise systems and the power of graphical modeling for the threat assessment of business enterprise applications. This in turn allows the use of various mitigation techniques for controlling the propagation of threats/vulnerabilities.
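
A simplified sketch of the layered propagation the abstract describes, added here as an illustration and not taken from the paper: where the paper uses MulVAL and Neo4J, this stand-in uses a plain fixed-point computation in Python. All host, service, task and vulnerability names, and the "all"/"any" dependency semantics, are assumptions made for the example.

```python
# Constructed three-layer model (every name here is hypothetical).
# Each node lists its dependencies and how they combine:
# "all" = every dependency is required, "any" = redundant dependencies.
DEPENDS = {
    # service layer -> asset layer
    "svc_web":     ("all", ["host_web"]),
    "svc_db":      ("any", ["host_db1", "host_db2"]),  # replicated database
    "svc_mail":    ("all", ["host_mail"]),
    # business-process layer -> service layer
    "task_order":  ("all", ["svc_web", "svc_db"]),
    "task_notify": ("all", ["svc_mail"]),
    "task_report": ("all", ["svc_db"]),
}
# Asset-layer facts: placeholder vulnerability ids per host.
VULNS = {"host_web": ["VULN-A"], "host_db1": ["VULN-B"], "host_mail": ["VULN-C"]}


def impacted(vulns, depends=DEPENDS):
    """Return every node that threat propagation reaches (fixed point)."""
    hit = {asset for asset, ids in vulns.items() if ids}
    changed = True
    while changed:
        changed = False
        for node, (mode, deps) in depends.items():
            if node in hit:
                continue
            down = [d in hit for d in deps]
            # "all" breaks if any dependency is hit; "any" only if all are hit.
            if (mode == "all" and any(down)) or (mode == "any" and all(down)):
                hit.add(node)
                changed = True
    return hit


def rank_mitigations(vulns, depends=DEPENDS):
    """For each vulnerability, list the business tasks saved by removing it alone."""
    def tasks(v):
        return {n for n in impacted(v, depends) if n.startswith("task_")}
    baseline = tasks(vulns)
    gains = {}
    for ids in vulns.values():
        for vid in ids:
            patched = {a: [i for i in rest if i != vid] for a, rest in vulns.items()}
            gains[vid] = sorted(baseline - tasks(patched))
    # Most tasks saved first; ties broken by vulnerability id.
    return sorted(gains.items(), key=lambda kv: (-len(kv[1]), kv[0]))
```

The replicated database shows why the layering matters: a vulnerability on one replica does not reach any business task, so fixing it ranks last even though the host itself is exposed.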

Author information

Corresponding author

Correspondence to R. K. Shyamasundar.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Bilur, M., Gari, A., Shyamasundar, R.K. (2019). Threat Assessment of Enterprise Applications via Graphical Modelling. In: Liu, J., Huang, X. (eds) Network and System Security. NSS 2019. Lecture Notes in Computer Science, vol 11928. Springer, Cham. https://doi.org/10.1007/978-3-030-36938-5_9

  • DOI: https://doi.org/10.1007/978-3-030-36938-5_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-36937-8

  • Online ISBN: 978-3-030-36938-5

  • eBook Packages: Computer Science (R0)