Hierarchy-Driven Approach for Attack Patterns in Software Security Education

Pauli, Joshua J.; Engebretson, Patrick

doi:10.1109/itng.2008.15

Cited by 4 publications

(5 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At least an annual evaluation of the attack trees is therefore recommended with the aim of implementing new information. Pauli and Engebretson (2008) suggest a hierarchical approach in order to encourage students to learn and better understand the attack patterns. In doing so, vulnerabilities present the highest level of abstraction.…”

Section: Workflows For Attack Modellingmentioning

confidence: 99%

Digital Business Model and Challenges for Travel Services

Marinković¹,

Marinkovic²

2019

38. Mednarodna Konferenca O Razvoju Organizacijskih Znanosti: Ekosistem Organizacij v Dobi Digitalizacije: Konferenčni Zbornik

View full text Add to dashboard Cite

show abstract

Section: Workflows For Attack Modellingmentioning

confidence: 99%

Digital Business Model and Challenges for Travel Services

Marinković¹,

Marinkovic²

2019

38. Mednarodna Konferenca O Razvoju Organizacijskih Znanosti: Ekosistem Organizacij v Dobi Digitalizacije: Konferenčni Zbornik

View full text Add to dashboard Cite

show abstract

“…Similarly, Hazeyama et al, proposed a learning environment for software security education [10]. Others have sought to develop lab environments [7], simulations [17], analysis frameworks [ 18], [19], and reconfigurable course modules [2], [27] to facilitate technical learning of specific and hands-on cyber security topics. More novel approaches include the use of Second Life [24], hacking competitions [4] and capstone design courses [9].…”

Section: Tier One: Course-based Learningmentioning

confidence: 99%

Security across the curriculum and beyond

Idziorek

Rursch

Jacobson

2012

2012 Frontiers in Education Conference Proceedings

View full text Add to dashboard Cite

Society's dependency on informationtecbnology has drasticaUy outpaced educational curricula and the opportunities that universities and higher education institutes provide to students from both technical (e.g., computer engineering, computer science) and non-technical majors. To increase the opportunities for all students to learn how protect themselves as individuals and others as professionals from numerous cyber threats the focus of this work is to identify gaps in engineering curricula and present novel approaches to fulfill the growing and diverse needs of cyber security education.The overall objective of this paper is to make security education accessible, relevant, and tangible across educational curricula, as well as to provide tbeframework to extend these efforts beyond university classrooms and into community coUeges and high schools. While the predominant focus,research, and innovative practices in the area of cyber security have focused on technical students at the university level, this work instead concentrates on the demographic of students that desire to learn about cyber security without having to major in computer engineering, for example. In this paper we present a threetiered framework that provides breadth and depth to security education across multiple education levels. This all-encempassing framework for security education includes providing (I) formal literacy-based training for students of all backgrounds, (2) inquiry-based learning through security-and technically-focused student groups and activities, and (3) classical technical-based initiatives. For each of these respective areas, previous research and efforts are discussed as well as the innovative practices that we have developed to address identified educational gaps.

show abstract

“…Given the sheer volume of information included in the Release 1 Dictionary, which includes not only the defined 101 attack patterns but their descriptive elements as well, there tends to be considerable confusion and information overload when individuals are first introduced to the concept of attack patterns [3].…”

Section: Related Workmentioning

confidence: 99%

“…Previous research focused on the benefits of building and creating a hierarchy structure from the CAPEC elements [3]. We propose the further refinement of this concept to include both the Parent Threat and Parent Mitigations.…”

Section: Building Graphical Hierarchy Treesmentioning

confidence: 99%

“…CAPEC was created to make up for the shortcoming in attack-specific security research which lacked a standard that provided a consistent documentation of attacks [2]. One drawback to the current standard is that the current CAPEC dictionary is so large, it is wrought with the possibility of user error [3]. While CAPEC's Release 1 Dictionary provides a solid framework, the current format and sheer volume of information renders the new standard nearly useless to anyone outside of the academic field [4].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Leveraging Parent Mitigations and Threats for CAPEC-Driven Hierarchies

Engebretson

Pauli

2009

2009 Sixth International Conference on Information Technology: New Generations

View full text Add to dashboard Cite

We propose a new attack pattern model which focuses on the re-inclusion of the "Parent Threat" and "Parent Mitigation" elements to logically group the background of each of the 101 attack patterns in the Common Attack Pattern Enumeration Classification's (CAPEC) Release 1 dictionary. Our approach creates a graphical hierarchy for each of the attack patterns and groups them not only by Parent Threats (such as "Spoofing" and "Injection"), but also by Parent Mitigations (such as "Access Control" and "Configuration Management"). This allows individual attack patterns to be traced upward to its Parent Threat and downward to its Parent Mitigation. The Parent Threat and Parent Mitigation elements are created from the inherit findings in the CAPEC and NIST standards; we are integrating this information into our hierarchy-based attack pattern approach.The traceability from the top of the tree (Parent Threat), through the detailed elements of the attack patterns, to the roots of the tree (Parent Mitigation) introduces the CAPEC standard to audiences who are not familiar with attack patterns and allows experienced users to leverage the attacks from organized groupings that are widely accepted. There is a great amount of information in the CAPEC dictionary that we are capturing and documenting with this fan-in/fan-out approach.

show abstract

Hierarchy-Driven Approach for Attack Patterns in Software Security Education

Cited by 4 publications

References 7 publications

Digital Business Model and Challenges for Travel Services

Digital Business Model and Challenges for Travel Services

Security across the curriculum and beyond

Leveraging Parent Mitigations and Threats for CAPEC-Driven Hierarchies

Contact Info

Product

Resources

About