We propose a hierarchy-driven approach to facilitate student learning and foster a deeper understanding of the importance of attack patterns in computer, network, and software security. This is a fundamental point in computer and software security education because the "patch and pray" mentality of software security is insufficient. We justify the significance of our approach by highlighting the deficiencies of previous ad hoc approaches to teaching attack patterns. Because of the vast amount of information in attack pattern repositories, it is unrealistic to expect students to fully comprehend attack pattern fundamentals and their place in computer, network, and software security.
We propose a new attack pattern model that focuses on the re-inclusion of the "Parent Threat" and "Parent Mitigation" elements to logically group the background of each of the 101 attack patterns in the Common Attack Pattern Enumeration and Classification (CAPEC) Release 1 dictionary. Our approach creates a graphical hierarchy for each of the attack patterns and groups them not only by Parent Threats (such as "Spoofing" and "Injection"), but also by Parent Mitigations (such as "Access Control" and "Configuration Management"). This allows each individual attack pattern to be traced upward to its Parent Threat and downward to its Parent Mitigation. The Parent Threat and Parent Mitigation elements are created from the inherent findings in the CAPEC and NIST standards; we are integrating this information into our hierarchy-based attack pattern approach. The traceability from the top of the tree (Parent Threat), through the detailed elements of the attack patterns, to the roots of the tree (Parent Mitigation) introduces the CAPEC standard to audiences who are not familiar with attack patterns and allows experienced users to leverage the attacks from organized groupings that are widely accepted. There is a great amount of information in the CAPEC dictionary that we are capturing and documenting with this fan-in/fan-out approach.