QSec: Supporting Security Decisions on an IT Infrastructure

Baiardi, Fabrizio; Tonelli, Federico; Corò, Fabio; Guidi, Luca

doi:10.1007/978-3-319-03964-0_10

Cited by 5 publications

(3 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The builder deduces from the CVE description of v and from its common vulnerability scoring system score other attributes of the attacks that v enables such as the pre‐condition and post‐condition, the success probabilities and the execution time. We refer to for a detailed discussion of the current implementation of the builder and the accuracy of the classification.…”

Section: Haruspex Suite: Risk Assessmentmentioning

confidence: 99%

Iterative selection of countermeasures for intelligent threat agents

2015

Self Cite

View full text Add to dashboard Cite

We describe a model-based approach to select cost-effective countermeasures for an information and communication technology infrastructure under attack by intelligent agents. Each agent tries to reach some predefined goals through a sequence of attacks. The proposed approach builds the models of the infrastructure and of the agents, and then it applies a Monte Carlo method that runs multiple, independent simulations of the agent attacks. These simulations produce a statistical sample that is used to assess the risk. The selection of countermeasures works in an iterative way where each iteration selects some countermeasures and applies the Monte Carlo method to evaluate any residual risk. In this way, it takes into account that an intelligent agent may select distinct attacks to replace those affected by the countermeasures. To improve cost effectiveness, the selection focuses on useful attacks to reach a goal. The Haruspex suite is an integrated set of tool to support this approach. Some of its tools build the models of the agents and the one of the system. Another tool uses these models to apply the Monte Carlo method and simulate the agent attacks. This tool is iteratively invoked by the one that select countermeasures. We describe the adoption of the suite to assess and manage the risk of three industrial control system

show abstract

Section: Haruspex Suite: Risk Assessmentmentioning

confidence: 99%

Iterative selection of countermeasures for intelligent threat agents

2015

Self Cite

View full text Add to dashboard Cite

show abstract

“…(Gordon and Loeb 2002) discusses the optimal security investment. With respect to our previous papers that have presented our two tools (Baiardi et al 2013b;Baiardi and Sgandurra 2013) the original contribution of this paper is their integration to automatically assess an infrastructure and a case study.…”

Section: Related Workmentioning

confidence: 99%

“…This classification also determines the pre and post conditions of each attack and its success probability. We refer to (Baiardi et al 2013b) for a detailed discussion of the classification and of the current implementation.…”

Section: Building the Scenario Descriptionmentioning

confidence: 99%

Simulating Attack Plans Against ICT Infrastructures

Baiardi

Corò

Tonelli

et al. 2014

Vulnerability, Uncertainty, and Risk

Self Cite

View full text Add to dashboard Cite

Goal-oriented, rational threat agents attack a complex ICT infrastructure by composing elementary attacks against distinct components into an attack chain or attack plan. To compute statistics on the success probabilities of these plans, we have designed and implemented Haruspex, a tool that implements a Monte Carlo method by simulating the agent plans. A proper set of Haruspex experiments returns a set of data to compute statistics on the agent plans and their success probabilities even before deploying a system. In this way, we can assess with high confidence the robustness of a system and the risk it poses by considering scenarios where it is attacked by a set of agent. To fully automate the assessment, we have developed GVScan, a tool that maps the output of a vulnerability scanning into the inputs of Haruspex. This paper describes both Haruspex and GVScan and their adoption to assess the control plant of a power generation system.

show abstract