
Future Work

Improve diagnosis of a modeled system’s weaknesses

Save and load profiles of potential intruders to the system, such as the average script kiddie, a professional cracker, or a common burglar

Model and diagnose a real life system, most likely a local computer network

Abstract

This project aims to model network security systems and develop network security analysis tools. Systems are modeled under the concept of an “attack tree”, an approach to security modeling developed by Bruce Schneier, a professional in the fields of cryptography and security [1]. Security analysis benefits from an attack tree modeling approach; given the right tools, a modeling environment can help a user find the biggest holes in a system’s security or best methods of fortification. An attack tree modeling language and model interpreters have been developed using Vanderbilt's Generic Modeling Environment (GME).

The Attack Tree Toolbox

Security Analysis of Systems Using Model-Integrated-Computing

Allows user to input search conditions for filtering paths, such as Cost to attack < 5000

Populates a list box with all applicable paths

Lets user view and sort paths based on various statistics

Allows user to highlight paths in the model and/or create a separate model for the path

Allows the user to import or export a model in XML or export the model into Graphviz, a separate program for displaying graphs.

Figure 1: The AttackTree MetaModel

Figure 2: Use of the Analysis interpreter

Figure 3: Viewing of a model exported to Graphviz


Citations

1. Schneier, Bruce. “Attack Trees.” Dec. 1999. 1 August 2006. <http://www.schneier.com/paper-attacktrees-ddj-ft.html>.

(Attack tree acquired from first source.)

Analysis Interpreter (Main Interpreter)

Collapse Interpreter

Based on the object selected by the user, either collapses the branch starting at that node into a model or expands the model into the original branch.

Dispatch Interpreter

Modeling Specifications

Objects and Relations

“Node”: an event in an attack path

“Attack tree”: a container that can hold nodes and their connections

“Node to node connection”: a directed relationship between nodes; the source node is essentially a requirement for the destination node

“Attack tree to node connection”: a relationship similar to that of nodes; used when branches of a tree have been collapsed to a container

Attributes of Objects

Attributes for only nodes:

“Type”: either AND or OR

AND -> all attached nodes are required

OR -> only one attached node is required

“Goal”: does node represent the goal of the attack?

Attributes for both nodes and trees:

“Cost to attack”: how much an attack on the object would cost the attacker

“Damage cost”: how much an attack on the object would cost the owner(s) of a system

“Technical ability”: a rating from 1-100 of the skill required to achieve the attack

“Probability of apprehension”: the risk a potential attacker would run of being caught
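The AND/OR node semantics and the path filter described above can be sketched as follows. This is an added example, not the project's GME interpreter code: the `Node` class, the function names, the sample tree and its values are hypothetical. It assumes attributes are set on leaf events only and that a path's statistics roll up as summed cost, maximum technical ability, and independent apprehension probabilities.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    name: str
    type: str = "OR"        # "AND": all attached nodes required; "OR": only one
    cost: float = 0         # "Cost to attack"
    ability: int = 1        # "Technical ability", 1-100
    p_caught: float = 0.0   # "Probability of apprehension"
    requires: list = field(default_factory=list)  # source nodes of incoming connections

def paths(node):
    """Every minimal set of leaf events that satisfies `node`."""
    if not node.requires:
        return [[node]]
    per_child = [paths(child) for child in node.requires]
    if node.type == "OR":                      # any single child path suffices
        return [p for child in per_child for p in child]
    # AND: one path from each child, concatenated
    return [[n for part in combo for n in part] for combo in product(*per_child)]

def stats(path):
    # Assumed roll-up rules: costs add, the hardest step sets the skill needed,
    # and apprehension risks are treated as independent.
    escape = 1.0
    for n in path:
        escape *= 1 - n.p_caught
    return {"steps": [n.name for n in path],
            "cost": sum(n.cost for n in path),
            "ability": max(n.ability for n in path),
            "p_caught": round(1 - escape, 4)}

def analyse(goal, condition=lambda s: True, sort_key="cost"):
    """Filter paths by a user condition and sort them by one statistic."""
    rows = [s for s in map(stats, paths(goal)) if condition(s)]
    return sorted(rows, key=lambda s: s[sort_key])

# Constructed sample tree; every attribute value is made up for illustration.
pick = Node("Pick lock", cost=3000, ability=80, p_caught=0.30)
find = Node("Find written combination", cost=7500, ability=20, p_caught=0.10)
listen = Node("Listen to conversation", cost=2000, ability=40, p_caught=0.20)
state = Node("Get target to state combination", cost=2500, ability=50, p_caught=0.25)
eavesdrop = Node("Eavesdrop", type="AND", requires=[listen, state])
learn = Node("Learn combination", type="OR", requires=[find, eavesdrop])
goal = Node("Open safe", type="OR", requires=[pick, learn])

for row in analyse(goal, condition=lambda s: s["cost"] < 5000):
    print(row)
```

The paths that survive a low cost filter are the ones a defender would look at first when deciding where fortification raises the attacker's cost the most.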

SIPHER Students: Marty Henderson, Blake Sheridan

Graduate Student Mentor: Jan Werner