A framework and theory for cyber security assessments
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
2012 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Information technology (IT) is critical and valuable to our society. An important type of IT system is Supervisory Control And Data Acquisition (SCADA) systems. These systems are used to control and monitor physical industrial processes such as electrical power supply, water supply and railroad transport. Since our society is heavily dependent on these industrial processes, we are also dependent on the behavior of our SCADA systems. SCADA systems have become (and continue to be) integrated with other IT systems, and they are thereby becoming increasingly vulnerable to cyber threats. Decision makers need to assess the security that a SCADA system's architecture offers in order to make informed decisions concerning its appropriateness. However, data collection costs often restrict how much information can be collected about the SCADA system's architecture, and it is difficult for a decision maker to know how important different variables are or what their values mean for the SCADA system's security.

The contribution of this thesis is a modeling framework and a theory to support cyber security vulnerability assessments, with a particular focus on SCADA systems. The thesis is a composite of six papers. Paper A describes a template stating how probabilistic relational models can be used to connect architecture models with cyber security theory. Papers B through E contribute theory on operational security. More precisely, they contribute theory on: discovery of software vulnerabilities (paper B), remote arbitrary code exploits (paper C), intrusion detection (paper D) and denial-of-service attacks (paper E). Paper F describes how the contribution of paper A is combined with the contributions of papers B through E and other operationalized cyber security theory. The result is a decision support tool called the Cyber Security Modeling Language (CySeMoL). This tool produces a vulnerability assessment for a system based on an architecture model of it.

Abstract [sv] (English translation)

Information technology (IT) is critical and valuable to our society. An important type of IT system is the control systems commonly called SCADA systems (from the English "Supervisor Control And Data Acquisition"). These systems control and monitor physical industrial processes such as power supply, water supply and railway transport. Since our society depends on these industrial processes, we also depend on the behaviour of our SCADA systems. SCADA systems have become (and continue to become) integrated with other IT systems and are thereby becoming more vulnerable to cyber threats. Decision makers need to evaluate the security that a system architecture offers in order to make informed decisions about its suitability. But data collection costs often limit how much information can be collected about a SCADA system's architecture, and it is difficult for a decision maker to know how important different variables are or what their values mean for the SCADA system's security.

The contribution of this thesis is a modeling framework and a theory to support cyber security assessments. It has a particular focus on SCADA systems. The thesis is a compilation thesis consisting of six papers. Paper A describes a template for how probabilistic relational models can be used to connect cyber security theory with architecture models. Papers B through E contribute theory on operational security. More precisely, they contribute theory concerning: discovery of software vulnerabilities (paper B), remote execution of arbitrary code (paper C), intrusion detection (paper D) and attacks against availability (paper E). Paper F describes how the contribution of paper A is combined with the contributions of papers B through E and other operational cyber security theory. The result is a decision support tool called the Cyber Security Modeling Language (CySeMoL). The decision support tool produces a vulnerability assessment for a system based on an architecture model of it.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2012. , 42 p.
Series
TRITA-EE, ISSN 1653-5146 ; 2012:43
Keyword [en]
cyber security, security assessment, vulnerability assessment, architecture modeling, enterprise architecture
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:kth:diva-103690
ISBN: 978-91-7501-511-8 (print)
OAI: oai:DiVA.org:kth-103690
DiVA: diva2:561246
Public defence
2012-11-15, F3, Lindstedtvägen 26, KTH, Stockholm, 10:00 (English)
Note

QC 20121018

Available from: 2012-10-18. Created: 2012-10-17. Last updated: 2014-02-11. Bibliographically approved.
List of papers
1. A probabilistic relational model for security risk analysis
2010 (English). In: Computers & Security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 29, no. 6, pp. 659-679. Article in journal (Refereed). Published.
Abstract [en]

Information system security risk, defined as the product of the monetary losses associated with security incidents and the probability that they occur, is a suitable decision criterion when considering different information system architectures. This paper describes how probabilistic relational models can be used to specify architecture metamodels so that security risk can be inferred from metamodel instantiations. A probabilistic relational model contains classes, attributes, and class-relationships. It can be used to specify architectural metamodels similar to class diagrams in the Unified Modeling Language. In addition, a probabilistic relational model makes it possible to associate a probabilistic dependency model to the attributes of classes in the architectural metamodel. This paper proposes a set of abstract classes that can be used to create probabilistic relational models so that they enable inference of security risk from instantiated architecture models. If an architecture metamodel is created by specializing the abstract classes proposed in this paper, the instantiations of the metamodel will generate a probabilistic dependency model that can be used to calculate the security risk associated with these instantiations. The abstract classes make it possible to derive the dependency model and calculate security risk from an instance model that only specifies assets and their relationships to each other. Hence, the person instantiating the architecture metamodel is not required to assess complex security attributes to quantify security risk using the instance model.

Keyword
Security risk, Risk assessment, Architecture metamodel, Probabilistic relational model, Architecture analysis
National Category
Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-29429 (URN)
10.1016/j.cose.2010.02.002 (DOI)
000280625700003 ()
2-s2.0-77955417822 (Scopus ID)
Note
QC 20110215
Available from: 2011-02-15. Created: 2011-02-02. Last updated: 2017-12-11. Bibliographically approved.
2. Effort estimates for vulnerability discovery projects
2012 (English). In: Proceedings of the 45th Hawaii International Conference on System Sciences, 2012, pp. 5564-5573. Conference paper, Published paper (Refereed).
Abstract [en]

Security vulnerabilities continue to be an issue in the software field, and new severe vulnerabilities are discovered in software products each month. This paper analyzes estimates from domain experts on the amount of effort required for a penetration tester to find a zero-day vulnerability in a software product. Estimates are developed using Cooke's classical method for 16 types of vulnerability discovery projects, each corresponding to a configuration of four security measures. The estimates indicate that, regardless of project type, two weeks of testing are enough to discover a software vulnerability of high severity with a fifty percent chance. In some project types, an eight-to-five-week effort is enough to find a zero-day vulnerability with 95 percent probability. While all studied measures increase the effort required of the penetration tester, none of them has a striking impact on the effort required to find a vulnerability.

Series
Proceedings of the Annual Hawaii International Conference on System Sciences, ISSN 1530-1605
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-79614 (URN)
10.1109/HICSS.2012.238 (DOI)
2-s2.0-84857973207 (Scopus ID)
978-076954525-7 (ISBN)
Conference
45th Hawaii International Conference on System Sciences, January 4-7, 2012, Grand Wailea, Maui
Note

QC 20121018

Available from: 2013-03-26. Created: 2012-02-09. Last updated: 2014-09-08. Bibliographically approved.
3. Estimates of success rates of remote arbitrary code execution attacks
2012 (English). In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 20, no. 2, pp. 107-122. Article in journal (Refereed). Published.
Abstract [en]

Purpose: The purpose of this paper is to identify the importance of the factors that influence the success rate of remote arbitrary code execution attacks, in other words, attacks which use software vulnerabilities to execute the attacker's own code on targeted machines. Both attacks against servers and attacks against clients are studied.

Design/methodology/approach: The success rates of attacks are assessed for 24 scenarios: 16 scenarios for server-side attacks and eight for client-side attacks. The assessment is made through domain experts and is synthesized using Cooke's classical method, an established method for weighting experts' judgments. The variables included in the study were selected based on the literature, a pilot study, and interviews with domain experts.

Findings: Depending on the scenario in question, the expected success rate varies between 15 and 67 percent for server-side attacks and between 43 and 67 percent for client-side attacks. Based on these scenarios, the influence of different protective measures is identified.

Practical implications: The results of this study offer guidance to decision makers on how to best secure their assets against remote code execution attacks. These results also indicate the overall risk posed by this type of attack.

Originality/value: Attacks that use software vulnerabilities to execute code on targeted machines are common and pose a serious risk to most enterprises. However, there are no quantitative data on how difficult such attacks are to execute or on how effective security measures are against them. The paper provides such data using a structured technique to combine expert judgments.

Keyword
Buffer overflows, Computer security, Computer software, Data management, Data security, Expert judgment, Information management, Remote code exploits, Software vulnerabilities
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-79604 (URN)
10.1108/09685221211235625 (DOI)
2-s2.0-84861873854 (Scopus ID)
Note
QC 20120802
Available from: 2012-02-09. Created: 2012-02-09. Last updated: 2017-12-07. Bibliographically approved.
4. Quantifying the effectiveness of intrusion detection systems in operation through domain experts
(English). Article in journal (Other academic). Submitted.
Abstract [en]

An intrusion detection system is a security measure that can help system administrators in enterprise environments to detect attacks made against networks and their hosts. Evaluating the effectiveness of IDSs by experiments or observations is however difficult and costly. This paper describes the result of a study where 165 domain experts in the intrusion detection field estimated the effectiveness of 24 different scenarios pertaining to detection of remote arbitrary code exploits.

National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-103688 (URN)
Note

QS 2012

Available from: 2012-10-17. Created: 2012-10-17. Last updated: 2012-11-20. Bibliographically approved.
5. Estimates of Success Rates of Denial-of-Service Attacks
2011 (English). In: 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), IEEE conference proceedings, 2011, pp. 21-28. Conference paper, Published paper (Refereed).
Abstract [en]

Denial-of-service (DoS) attacks are an imminent and real threat to many enterprises. Decision makers in these enterprises need to be able to assess the risk associated with such attacks and to make decisions regarding measures to put in place to increase the security posture of their systems. Experiments, simulations and analytical research have produced data related to DoS attacks. However, these results have been produced for different environments and are difficult to interpret, compare, and aggregate for the purpose of decision making. This paper aims to summarize the knowledge available in the field by synthesizing the judgment of 23 domain experts using an established method for expert judgment analysis. The vulnerability of different system architectures to DoS attacks is assessed, together with the impact of a number of countermeasures against DoS attacks.

Place, publisher, year, edition, pages
IEEE conference proceedings, 2011
Keyword
denial of service, DoS, distributed denial of service, flooding attack, semantic attack, expert judgment, Cooke’s classical method
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:kth:diva-73608 (URN)
10.1109/TrustCom.2011.7 (DOI)
2-s2.0-84856180318 (Scopus ID)
978-1-4577-2135-9 (ISBN)
Conference
2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Changsha, China, 16-18 Nov 2011
Note

QC 20120203

Available from: 2013-03-13. Created: 2012-02-02. Last updated: 2013-03-13. Bibliographically approved.
6. The Cyber Security Modeling Language: A Tool for Assessing the Vulnerability of Enterprise System Architectures
2013 (English). In: IEEE Systems Journal, ISSN 1932-8184, E-ISSN 1937-9234, Vol. 7, no. 3, pp. 363-373. Article in journal (Refereed). Published.
Abstract [en]

The cyber security modeling language (CySeMoL) is a modeling language for enterprise-level system architectures coupled to a probabilistic inference engine. If the computer systems of an enterprise are modeled with CySeMoL, this inference engine can assess the probability that attacks on the systems will succeed. The theory used for the attack-probability calculations in CySeMoL is a compilation of research results on a number of security domains and covers a range of attacks and countermeasures. The theory has previously been validated on a component level. In this paper, the theory is also validated on a system level. A test indicates that the reasonableness and correctness of CySeMoL assessments compare with the reasonableness and correctness of the assessments of a security professional. CySeMoL's utility has been tested in case studies.

Place, publisher, year, edition, pages
IEEE Press, 2013
Keyword
Computer security, expert systems, risk analysis, supervisory control and data acquisition (SCADA) systems
National Category
Computer Systems
Identifiers
urn:nbn:se:kth:diva-103689 (URN)
10.1109/JSYST.2012.2221853 (DOI)
000321641800003 ()
2-s2.0-84880572592 (Scopus ID)
Note

QC 20130320

Available from: 2013-03-20. Created: 2012-10-17. Last updated: 2017-12-07. Bibliographically approved.

Open Access in DiVA

A Framework and Theory for Cyber Security Assessments (764 kB)
File information
File name: FULLTEXT02.pdf
File size: 764 kB
Checksum (SHA-512): cac75e47be107989c00d4c159eb625b9f750139b8258085c8027752f0811ca33779da50aabd0dcab3c2937d571f2aad1190a893e384153f493cd4f3493db7899
Type: fulltext
Mimetype: application/pdf

Author/editor
Sommestad, Teodor
Organisation
Industrial Information and Control Systems
Computer Systems