Constrained Automata: A Formal Tool for Risk Assessment and Mitigation

Baiardi, Fabrizio; Ricci, Laura
2008

Abstract

Conditional security assesses the security of an information and communication system in a specific context. A fundamental step of the assessment determines the threats to a system and the attacks they can implement. Constrained attack automata are finite state automata that formally describe this step by decomposing complex attacks into sequences of elementary attacks. Each state of the automaton corresponds to a set of system components controlled by the attacker, while a final state models the success of a sequence of attacks that has enabled a threat to reach one of its goals. Each transition of the automaton can occur provided that some constraints on the amount of computational resources, the skills and the knowledge required to implement the corresponding elementary attack are satisfied. To exploit these automata, each threat is modeled in terms of the amount of computational resources, skills and knowledge it can access. In turn, this amount is modeled as a tuple of elements where each element belongs to a partially ordered set. By comparing the amount of resources a threat can access against the amount an attack requires, we determine whether the threat can implement the attack. The attacks that can occur are an input to a risk mitigation step that defines the static and dynamic countermeasures to be applied. A static countermeasure prevents the successful execution of an attack by removing a vulnerability, and it is modeled by pruning some transitions of the automaton. Dynamic countermeasures, instead, are modeled as actions executed while the attack goes on in order to stop it. Lastly, we discuss redundancy to take into account errors or faults in countermeasure implementation.
Baiardi, Fabrizio; Martinelli, Fabio; Ricci, Laura; Telmon, Claudio
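As an added illustration of the scheme the abstract describes (this is not code from the paper or its authors), the following Python sketch models a constrained attack automaton: states are sets of controlled components, each elementary attack is a transition guarded by a required resource tuple, threats are resource tuples compared component-wise (a partial order), a breadth-first search decides whether a threat can reach a goal state, pruning transitions models a static countermeasure, and a set of monitored components models a dynamic one that halts the sequence. The level scale 0..3, the component names, attack names, costs and threat profiles are all constructed for the example.

```python
"""Added illustration of a constrained attack automaton; the component names,
attack names, goal and resource levels below are constructed for the example
and are not taken from the paper."""
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Optional, Tuple

# Amount of resources a threat has, or an attack needs, as
# (computation, skill, knowledge).  Each coordinate is an assumed level 0..3;
# tuples are compared component-wise, which is a partial order (product order):
# (1, 3, 1) and (3, 1, 1) are incomparable, so neither covers the other.
Amount = Tuple[int, int, int]
State = FrozenSet[str]  # the set of components the attacker controls


def dominates(have: Amount, need: Amount) -> bool:
    """True iff `have` >= `need` in every coordinate."""
    return all(h >= n for h, n in zip(have, need))


@dataclass(frozen=True)
class Elementary:
    """One elementary attack: a transition that adds `gains` to the controlled set."""
    name: str
    gains: str               # component controlled once the attack succeeds
    needs: FrozenSet[str]    # components that must already be controlled
    cost: Amount             # resources required to implement it


@dataclass
class Automaton:
    attacks: List[Elementary]
    goals: List[FrozenSet[str]]  # final states: controlling any of these sets is a goal

    def transitions(self, state: State, threat: Amount) -> Iterator[Tuple[Elementary, State]]:
        """Transitions enabled from `state` for a threat with resources `threat`."""
        for a in self.attacks:
            if a.gains not in state and a.needs <= state and dominates(threat, a.cost):
                yield a, state | {a.gains}

    def reachable_goal(self, threat: Amount, start: State = frozenset(),
                       monitored: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
        """Breadth-first search over controlled-component sets.

        Returns the shortest sequence of elementary attacks that lets the threat
        reach a goal, or None.  `monitored` models dynamic countermeasures: once
        the attacker controls a monitored component the response action fires
        and the sequence cannot continue from that state.
        """
        seen = {start}
        queue = deque([(start, [])])
        while queue:
            state, path = queue.popleft()
            if any(g <= state for g in self.goals):
                return path
            if state & monitored:
                continue
            for a, nxt in self.transitions(state, threat):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [a.name]))
        return None

    def prune(self, removed: FrozenSet[str]) -> "Automaton":
        """Static countermeasure: removing a vulnerability deletes the transitions that exploit it."""
        return Automaton([a for a in self.attacks if a.name not in removed], self.goals)


# Constructed sample system: three components and four elementary attacks.
TOY = Automaton(
    attacks=[
        Elementary("exploit_web_app", "web", frozenset(), (1, 1, 1)),
        Elementary("pivot_to_db", "db", frozenset({"web"}), (1, 2, 1)),
        Elementary("reuse_db_credentials", "admin", frozenset({"db"}), (1, 1, 2)),
        Elementary("guess_admin_password", "admin", frozenset(), (3, 1, 1)),
    ],
    goals=[frozenset({"admin"})],
)

# Constructed threat profiles as (computation, skill, knowledge).
THREATS = {"opportunist": (1, 1, 1), "insider": (1, 2, 2), "botnet": (3, 1, 1)}


def assess(automaton: Automaton, monitored: FrozenSet[str] = frozenset()) -> dict:
    """Which threats can reach a goal, and by which attack sequence."""
    return {n: automaton.reachable_goal(r, monitored=monitored) for n, r in THREATS.items()}


if __name__ == "__main__":
    print("no countermeasures:", assess(TOY))
    print("pivot_to_db removed:", assess(TOY.prune(frozenset({"pivot_to_db"}))))
    print("db monitored:", assess(TOY, monitored=frozenset({"db"})))
```

Running it shows the three outcomes the abstract contrasts: the low-resource threat reaches no goal, the "insider" profile needs the three-step sequence, and the high-computation profile reaches the goal in one step. Pruning `pivot_to_db` (the static countermeasure) stops the insider but not the botnet, and monitoring `db` (the dynamic countermeasure) likewise stops only the sequence that passes through that component, which is exactly the kind of residual-risk comparison the mitigation step is meant to support.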
Files for this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: http://hdl.handle.net/11568/121608