Formal approach to security metrics.

Krautsevich, Leanid; Martinelli, Fabio; Yautsiukhin, Artsiom

doi:10.1145/1842752.1842787

Cited by 25 publications

(15 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A first theoretical work for the measurement of security is conducted in [58]. The authors document a formal model for the representation and evaluation of security metrics and define a set of relevant metrics.…”

Section: Quantifying Securitymentioning

confidence: 99%

“…For most composition techniques (e.g., [28,30,52]), the composition verification is modelled as interfaces, inputs/outputs, or plug-ins of the composing components. Then, validation methodologies can verify security properties based on theorems, polices, or contracts (e.g., [44][45][46][47][48][49][50][51][52][53][54][55][56][57][58]). Thereupon, methods that quantify security can evaluate the finally composed system (e.g., [45,52]).…”

Section: Comparisonmentioning

confidence: 99%

“…In this section, we frame the systematic representation of the system's security aspects and composition. The methodology is based on EC and the theoretical research in [58].…”

Section: Compositions Of Spd Metricsmentioning

confidence: 99%

See 2 more Smart Citations

Artificial Intelligence-Driven Composition and Security Validation of an Internet of Things Ecosystem

et al. 2020

View full text Add to dashboard Cite

Key challenges in Internet-of-Things (IoT) system design and management include the secure system composition and the calculation of the security and dependability level of the final system. This paper presents an event-based model-checking framework for IoT systems’ design and management, called CompoSecReasoner. It invokes two main functionalities: (i) system composition verification, and (ii) derivation and validation of security, privacy, and dependability (SPD) metrics. To measure the SPD values of a system, we disassemble two well-known types of security metrics—the attack surface methodologies and the medieval castle approach. The first method determines the attackable points of the system, while the second one defines the protection level that is provided by the currently composed system-of-systems. We extend these techniques and apply the Event Calculus method for modelling the dynamic behavior of a system with progress in time. At first, the protection level of the currently composed system is calculated. When composition events occur, the current system status is derived. Thereafter, we can deploy reactive strategies and administrate the system automatically at runtime, implementing a novel setting for Moving Target Defenses. We demonstrate the overall solution on a real ambient intelligence application for managing the embedded devices of two emulated smart buildings.

show abstract

Section: Quantifying Securitymentioning

confidence: 99%

Section: Comparisonmentioning

confidence: 99%

See 1 more Smart Citation

Artificial Intelligence-Driven Composition and Security Validation of an Internet of Things Ecosystem

et al. 2020

View full text Add to dashboard Cite

show abstract

“…An application's attack surface measurement does not reflect the quality of the code of an application, and as such an application with a bigger attack surface does not necessarily mean it has many vulnerabilities and vice versa, but instead, a larger attack surface measurement reflects that an application is likely to be exploited with little effort and cause more damage to it. 11 So, does the quantity of attack surface parameters increase the attack surface of an application, or only a few have a significant influence towards the size of the attack surface of an application? Which attack surface parameters have a greater contribution to the size of the attack surface of an application?…”

Section: Approachmentioning

confidence: 99%

Self-Advertising Attack Surfaces for Web Application Honeypots: New Technology to Managing Cyber Disasters

Mphago¹,

Mpoeleng²,

Masupe

et al. 2018

ISIJ

View full text Add to dashboard Cite

Honeypots are security tools often used to attract and learn attackers' methods or divert their attention to unimportant resources. In order to achieve their goal, honeypots need to be identified by the attackers, and this is often the challenge with most deployments of honeypots. This paper therefore explores the use of attack surface sizes in web application honeypots to self-advertise their honeypots to the attackers. PageRank, which is a system that ranks pages on the web through outward link analysis, ranks important pages as seen by their users at the top of the search results. Therefore, the paper argues that vulnerable pages on the web, thus applications with large attack surface, are also important to attackers. Therefore, if pages are ranked based on their importance as seen by their users, pages with large attack surface should rank high when attackers search for them. To design a large attack surface, attack surface parameters can be strategically placed in a template as different parameters affect the attack surface differently when placed in a particular way.

show abstract

“…Surveys of risk analysis methods and corresponding metrics are presented by Verendel [241], Sulaman et al [242], Rudolph and Schwarz [243], Krautsevich et al [244], and Jansen [245] among others. For example, Verendel [241] analyses more than 100 approaches and metrics to quantify security.…”

Section: Risk Analysismentioning

confidence: 99%

Security in Embedded Systems: A Model-Based Approach with Risk Metrics

Vasilevskaya¹

2015

View full text Add to dashboard Cite

Formal approach to security metrics.

Cited by 25 publications

References 20 publications

Artificial Intelligence-Driven Composition and Security Validation of an Internet of Things Ecosystem

Artificial Intelligence-Driven Composition and Security Validation of an Internet of Things Ecosystem

Self-Advertising Attack Surfaces for Web Application Honeypots: New Technology to Managing Cyber Disasters

Security in Embedded Systems: A Model-Based Approach with Risk Metrics

Contact Info

Product

Resources

About