CN101655787A - Threat modeling method added with attack path formalization analysis - Google Patents

Threat modeling method added with attack path formalization analysis

Info

Publication number
CN101655787A
Authority
CN
China
Prior art keywords
node
attack
threat
attack path
tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN200910067931A
Other languages
Chinese (zh)
Inventor
李晓红
邢金亮
许光全
刘然
丁刚刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin University
Original Assignee
Tianjin University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin University
Priority to CN200910067931A
Publication of CN101655787A

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a threat modeling method augmented with formal attack-path analysis. At the software design stage, the application or system is decomposed with UML activity diagrams, software defect information is extracted, and threat modeling is performed. The method comprises the following steps: creating a use-case model; creating an overview of the application or system; decomposing the application or system with activity diagrams; taking the key asset information obtained as the threat object, creating a threat tree with the threat object as its root node, and assigning values to every node in the threat tree, including the root node and the leaf nodes; classifying and evaluating the threat object; and computing the attack paths of the threat tree. Compared with the prior art, the invention reduces security defects in software products and improves software quality, broadens the range of application of threat modeling, yields a more comprehensive and accurate threat mitigation scheme, automates threat modeling, and greatly lowers the technical threshold, cost and development cycle of trusted software development.

Description

Threat modeling method augmented with formal attack-path analysis
Technical field
The present invention relates to the field of software development and design, and in particular to a trusted-software construction technique that takes the software development process as its object of study, finding and analyzing software defects at the software design stage in order to develop trusted software.
Background technology
With the spread of computers and the Internet, software has become the principal carrier through which resources are obtained and used in the information age. Yet the large number of software defects means that the state of software production is far from satisfactory, and under these circumstances software security has become an important guarantee that every activity runs correctly and efficiently. At present, research on software trustworthiness and security proceeds from three angles: 1) from the software developer's angle, studying security engineering methodology; 2) from the attacker's angle, discovering new attack methods and studying how these methods are used and defended against; 3) from the angle of the software itself, studying the discovery, management and use of the software's own defects.
Software defects arise in, and run through, the entire software project development life cycle. Therefore, to fundamentally reduce the development cost of secure and trusted software and improve its reliability, one must start from a software engineering perspective and add threat modeling in the design phase of the software development life cycle, helping the application designer obtain software defect information so that defects can be corrected or avoided and potential security hazards in the design resolved. Threat modeling is an engineering activity used to determine the threats, attacks, vulnerabilities and countermeasures in the context of an application scheme. Its modeling process comprises six stages: 1) creating an overview of the application or system; 2) decomposing the application or system; 3) determining the assets and determining the threats; 4) evaluating attack paths and threats; 5) using the threat-tree model to visualize software defects; 6) using the STRIDE model and the DREAD model to classify and evaluate, respectively, the root node of the threat tree. A threat tree represents well the possible attack paths toward a given threat object, and this information provides important evidence for analyzing and mitigating threats to the system. However, Microsoft's threat modeling does not make good use of or process this information; it presents it directly to the system designer, which requires the designer to have a strong software security background in order to analyze it further and propose a corresponding mitigation scheme. This not only limits the application of threat modeling but also raises software development cost and lengthens the development cycle.
The Unified Modeling Language (UML) is an open method for specifying, visualizing, constructing and documenting the artifacts of an object-oriented software-intensive system during development, and it is widely adopted by industry. It can be used to decompose an application in the early stages of the software design phase; it carries more detailed software information, in which potential software defect information is embedded. However, current related techniques fail to apply UML effectively to the analysis of potential software defect information.
Summary of the invention
In view of the above defects of the prior art, the present invention proposes a threat modeling method augmented with formal attack-path analysis: at the software design stage the application or system is decomposed with UML activity diagrams, software defect information is extracted, threat modeling is performed, the threat paths are analyzed and evaluated, and the analysis results are applied to the mitigation scheme for the software defects.
The present invention proposes a threat modeling method augmented with formal attack-path analysis, which decomposes the application or system with UML activity diagrams at the software design stage, extracts software defect information and performs threat modeling; the method comprises the following steps:
Step 1: create the use-case model. This step comprises: identifying the boundary, the actors and the use cases of the candidate application or system, and iterating this process for the application or system until the system boundary, actors and use cases stabilize; then output the use-case model;
Step 2: create the overview of the application or system; the overview is drawn as an illustration described using the use-case model output by step 1;
Step 3: decompose the application or system with activity diagrams, iteratively decomposing an application or system into a number of functionally smaller subsystems. In the activity diagram, a new modeling element, the boundary, is introduced through the UML stereotype extension mechanism; it represents a machine, physical, address-space or trust boundary, and on this basis an asset-information output function is added. The key asset information so obtained serves as the threat object;
Step 4: take the key asset information obtained as the threat object, create a threat tree with the threat object as its root node, and assign values to every node in the threat tree, including the root node and the leaf nodes;
Step 5: classify and evaluate the threat object with the STRIDE and DREAD models;
Step 6: compute the attack paths of the threat tree. An attack path of a threat tree is the set of paths traversed from the root node to all the leaf nodes of one minimal cut set of the tree. The input of this algorithm is the level-order traversal result N of the nodes in the threat tree, and the output is the attack path P_i of each node in the tree. The algorithm proceeds as follows:
Scan backward starting from the last node of the level-order traversal result N, determining each node's type;
If the node is a leaf node N_L, its attack path is N_L itself;
If the node is an AND node N_A:
Compute the number of attack paths of this AND node, $n = \prod_{i=1}^{k} n_i$ (the AND node has k child nodes, and n_i is the number of attack paths of the i-th child node);
Compute M(l, i) for i = 0, …, k-1, and for i = k (the defining expressions appear only as Figure A20091006793100072 and Figure A20091006793100073, which are not reproduced here);
Compute the (l+1)-th attack path of this AND node, $P[l] = N_A + \sum_{i=1}^{k} P_i[M(l, i)]$ (i = 0, …, k; l = 0, …, n-1; P_i[M(l, i)] is the M(l, i)-th attack path of the i-th child node of this AND node);
The attack paths of this AND node are {P[0], …, P[n-1]};
If the node is an OR node N_O:
Compute the number of attack paths of this OR node, $n = \sum_{i=1}^{k} n_i$ (the OR node has k child nodes, and n_i is the number of attack paths of the i-th child node); the attack paths of each child node are P_i[1], …, P_i[n_i];
Compute the attack path set of this OR node:
{N_O + P_1[1], …, N_O + P_1[n_1], N_O + P_2[1], …, N_O + P_2[n_2], …, N_O + P_k[1], …, N_O + P_k[n_k]};
After the first node of N (that is, the root node of the threat tree) has been scanned, stop scanning and output the attack paths.
Step 7: evaluate the attack paths of the threat tree in four respects: whether the attack requires special equipment, attack cost, probability of attack success, and the degree of harm of the attack.
The use-case model output by step 2 comprises: the application or system boundary, the actors, the use cases, and the relationships.
The parameter "whether the attack requires special equipment" is computed as follows:
When computing this parameter for the root node of an attack path of the threat tree, a bottom-up method is used, starting from the leaf nodes and propagating upward level by level. For a leaf node, the value of the parameter is its own assigned value of whether special equipment is required; for an AND node, the value is the logical OR of the values of this parameter over all of its child nodes; for an OR node, the value is the logical AND of the values of this parameter over all of its child nodes. The values are then propagated upward level by level until the value of the parameter for the root node of the attack path is computed.
The attack cost parameter is computed as follows:
When computing the attack cost of the root node of an attack path of the threat tree, the same bottom-up method is used, starting from the leaf nodes and propagating upward level by level. For a leaf node, the attack cost is its own assigned attack cost; for an AND node, the attack cost is the sum of the attack costs of all of its child nodes; for an OR node, the attack cost is the attack cost of one of its child nodes. The values are then propagated upward level by level until the attack cost of the root node of the attack path is computed.
The probability-of-success parameter is computed as follows:
When computing the probability of success of an attack directly on the root node of the threat tree, the same bottom-up method is used, starting from the leaf nodes and propagating upward level by level. First, the concrete attack modes identified by the leaf nodes of an attack path are assumed to be pairwise independent and uncorrelated. For a leaf node, the probability of success is its own assigned value; for an AND node, it is the product of the probabilities of success of all of its child nodes; for an OR node, it is the probability of success of one of its child nodes. The values are then propagated upward level by level until the probability of success of the root node of the attack path is computed.
The degree of harm of the attack is expressed as the ratio of the probability of success to the attack cost.
Compared with the prior art, the present invention reduces security defects in software products and improves software quality by proposing object-oriented threat modeling oriented to the secure software development cycle and adding a formal attack-path evaluation method; the concrete effects include:
1. The proposed threat modeling method based on UML activity diagrams broadens the range of application of threat modeling.
2. The attack-path evaluation added to the threat modeling process makes full use of the information contained in the threat-tree model, yielding a more comprehensive and accurate threat mitigation scheme.
3. Related tool software has been developed, automating threat modeling and greatly lowering the technical threshold, cost and development cycle of trusted software development.
Description of drawings
Fig. 1 is the flow chart of the threat modeling of the present invention;
Fig. 2 is the overall architecture diagram of the threat modeling tool of the present invention;
Fig. 3 is the overview of the online banking application;
Fig. 4 is the one-level decomposition diagram of the "user accesses online banking" use case;
Fig. 5 is the threat tree for "a malicious user browses confidential account information over the network".
Embodiment
The present invention is divided into the following two main processes:
(1) Threat acquisition
First, the overview of the application or system is created and described with an illustration. The key to drawing the illustration is use-case modeling. A typical use-case modeling process is: identify the boundary, the actors and the use cases of the candidate application or system, and iterate this process until the system boundary, actors and use cases stabilize. In this process the main purpose of use-case modeling is to determine the assets of the application or system, and the number of iterations is chosen accordingly. In the initial stage of use-case modeling, the application or system boundary is estimated to help define the modeling activities; the activities are then iterated, and their output is the use-case model, which comprises:
1) Application or system boundary: indicates the boundary of the application or system being modeled, helping the designer determine the scope of the problem to be analyzed.
2) Actors: the roles played by the people or objects that use the application or system.
3) Use cases: the objects of interaction between the actors and the application or system.
4) Relationships: meaningful connections between the actors and the use cases.
Next, the application or system is decomposed with activity diagrams. An application or system can be decomposed into a number of functionally smaller subsystems, and this is an iterative process. To decompose an application with activity diagrams, one or more activity diagrams are created for each use case; a call-action node in an activity diagram can call another activity, and deeper activity diagrams can in turn be created for the called activities, so that by iterating in this way the application or system is decomposed level by level. The number of levels of formal decomposition is determined by the needs of threat modeling: the main aim of decomposition in threat modeling is to study the components or resources of the application or system, the boundary information and how data flows between the parts, and thereby obtain asset information. In the activity diagram, a new modeling element, the boundary, is introduced through the UML stereotype extension mechanism to represent a machine, physical, address-space or trust boundary, and on this basis an asset-information output function is added.
(2) Threat analysis
First, the key asset information obtained is taken as the threat object, a threat tree is created with the threat object as its root node, and values are assigned to every node in the threat tree, including the root node and the leaf nodes.
The assignment of the threat tree root node is based on the DREAD evaluation model, which gives five metrics of a software threat: damage potential, reproducibility, exploitability, affected users and discoverability, each ranging over the integers in [1, 10].
The assignment of the threat tree leaf nodes comprises two classes. 1) Boolean: the node value is a Boolean. The Boolean leaf assignment chosen by the present invention is the parameter "whether the attack requires special equipment", with true meaning that special equipment is required and false meaning that it is not. This parameter is an important reference condition for whether an attack launched by the attacker can succeed. 2) Continuous: the node value is a continuous value in some interval, for example the attacker's cost of launching the attack, the attacker's probability of success, or the level of professional knowledge and skill the attacker needs. The continuous leaf assignments chosen by the present invention are two parameters, attack cost and probability of success; attack cost ranges over the integers in (0, +∞), and probability of success over the real numbers in (0, 1). These two parameters are the attacker's primary concern when launching an attack.
Next, the threat object is classified and evaluated with the STRIDE and DREAD models.
Then the attack paths are computed and evaluated. From the root node of the threat tree down to the leaf nodes, the attack modes are progressively refined, and the threat object represented by the root node is ultimately accomplished by the leaf nodes, which represent concrete attack modes. The threat tree contains AND nodes and OR nodes, so different attack modes can be formed, and different leaf nodes necessarily form different attack paths. To determine the attack paths, the notions of cut set and minimal cut set are introduced. A cut set is a set of leaf nodes of the threat tree such that, when the attacks identified by the leaf nodes in the set occur simultaneously, the threat object represented by the root node is successfully reached. If removing any one leaf node from a cut set means that it is no longer a cut set, that cut set is a minimal cut set. An attack path of a threat tree is the set of paths traversed from the root node to all the leaf nodes of one minimal cut set.
The core of the algorithm for computing the attack paths of a threat tree is to find all minimal cut sets of the tree. Starting from the leaf nodes and computing bottom-up level by level: for a leaf node, the minimal cut set corresponding to its attack path is the node itself. In computing the minimal cut sets of the attack paths, starting from the lowest leaf nodes, each node is added to the minimal cut sets corresponding to its attack paths, which gives the node's attack paths. Computing upward until the root node of the threat tree is reached yields all attack paths of the threat tree.
Algorithm for computing the attack paths of a threat tree
Input: the level-order traversal result N of the nodes in the threat tree
Output: the attack path P_i of each node in the threat tree
Algorithm description:
Scan backward starting from the last node of the level-order traversal result N, determining each node's type.
If the node is a leaf node N_L, its attack path is N_L itself;
If the node is an AND node N_A:
Compute the number of attack paths of this AND node, $n = \prod_{i=1}^{k} n_i$ (the AND node has k child nodes, and n_i is the number of attack paths of the i-th child node);
Compute M(l, i) for i = 0, …, k-1, and for i = k (the defining expressions appear only as Figure A20091006793100112 and Figure A20091006793100113, which are not reproduced here);
Compute the (l+1)-th attack path of this AND node, $P[l] = N_A + \sum_{i=1}^{k} P_i[M(l, i)]$ (i = 0, …, k; l = 0, …, n-1; P_i[M(l, i)] is the M(l, i)-th attack path of the i-th child node of this AND node);
The attack paths of this AND node are {P[0], …, P[n-1]};
If the node is an OR node N_O:
Compute the number of attack paths of this OR node, $n = \sum_{i=1}^{k} n_i$ (the OR node has k child nodes, and n_i is the number of attack paths of the i-th child node); the attack paths of each child node are P_i[1], …, P_i[n_i];
Compute the attack path set of this OR node:
{N_O + P_1[1], …, N_O + P_1[n_1], N_O + P_2[1], …, N_O + P_2[n_2], …, N_O + P_k[1], …, N_O + P_k[n_k]};
After the first node of N (that is, the root node of the threat tree) has been scanned, stop scanning and output the attack paths.
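The backward scan over the level-order traversal can be made concrete in a few lines. The following Python is an added example, not code from the patent or from Tianjin University's tool: it builds a small constructed AND/OR threat tree (the patent's Fig. 5 is not reproduced, so the tree and its node names R, A, B, L1 to L4 are hypothetical), scans the traversal result N from its last node back to the root, and applies the leaf/AND/OR rules above. The patent indexes the AND combinations through M(l, i), whose definition survives only as a figure; the example enumerates the same combinations with itertools.product instead, which is an assumption about the ordering only, not about the set of paths produced.

```python
from itertools import product
from math import prod
from typing import Dict, List, Tuple

# Constructed AND/OR threat tree (hypothetical; the patent's Fig. 5 is not reproduced).
# node -> (type, children). The root "R" is reached either through the AND branch "A"
# (which needs the OR sub-goal "B" and the leaf "L3") or directly through the leaf "L4".
Tree = Dict[str, Tuple[str, List[str]]]
TREE: Tree = {
    "R":  ("OR",   ["A", "L4"]),
    "A":  ("AND",  ["B", "L3"]),
    "B":  ("OR",   ["L1", "L2"]),
    "L1": ("LEAF", []),
    "L2": ("LEAF", []),
    "L3": ("LEAF", []),
    "L4": ("LEAF", []),
}

Path = Tuple[str, ...]


def level_order(tree: Tree, root: str) -> List[str]:
    """Level-order traversal result N, the algorithm's input."""
    order, queue = [], [root]
    while queue:
        node = queue.pop(0)
        order.append(node)
        queue.extend(tree[node][1])
    return order


def attack_paths(tree: Tree, root: str) -> Dict[str, List[Path]]:
    """Scan N backward and return P[node]: the attack paths of every node.

    Each path is the tuple of nodes passed from that node down to the leaves of one
    minimal cut set, i.e. the '+' (concatenation) of the algorithm description.
    """
    N = level_order(tree, root)
    P: Dict[str, List[Path]] = {}
    for node in reversed(N):          # last node of N first, finishing at the root
        kind, children = tree[node]
        if kind == "LEAF":
            P[node] = [(node,)]       # a leaf's attack path is the leaf itself
        elif kind == "AND":
            # n = n_1 * ... * n_k: one path per combination of one path from each child.
            # The patent indexes the combinations with M(l, i) (figure not reproduced);
            # itertools.product ordering is used here instead (assumption).
            combos = product(*(P[c] for c in children))
            P[node] = [(node,) + sum(combo, ()) for combo in combos]
        elif kind == "OR":
            # n = n_1 + ... + n_k: N_O prefixed to every path of every child.
            P[node] = [(node,) + p for c in children for p in P[c]]
        else:
            raise ValueError(f"unknown node type {kind!r} at {node}")
    return P


def path_count(tree: Tree, node: str) -> int:
    """n for a node from the product/sum rules alone; a cross-check for attack_paths."""
    kind, children = tree[node]
    if kind == "LEAF":
        return 1
    counts = [path_count(tree, c) for c in children]
    return prod(counts) if kind == "AND" else sum(counts)


def minimal_cut_sets(tree: Tree, root: str) -> List[frozenset]:
    """The leaf nodes of each attack path of the root form one minimal cut set."""
    return [frozenset(n for n in path if tree[n][0] == "LEAF")
            for path in attack_paths(tree, root)[root]]


if __name__ == "__main__":
    for path in attack_paths(TREE, "R")["R"]:
        print(" + ".join(path))
    print("minimal cut sets:", [sorted(s) for s in minimal_cut_sets(TREE, "R")])
```

For the constructed tree the root has 2 × 1 + 1 = 3 attack paths, whose leaf sets {L1, L3}, {L2, L3} and {L4} are exactly the minimal cut sets; `path_count` reproduces the same n without enumerating, which is a cheap sanity check when the tree is large.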
The attack paths of the threat tree are evaluated in four respects: whether the attack requires special equipment, attack cost, probability of attack success, and the degree of harm of the attack. Once the leaf nodes of the threat tree have been assigned values, it follows from the definitions of the AND and OR nodes of a threat tree that: for an AND node, achieving its goal requires achieving the goals of all of its child nodes, after which the task is propagated upward; for an OR node, achieving its goal requires achieving the goal of any one of its child nodes, after which the task is propagated upward. The three parameters of an attack path of the threat tree are therefore computed as follows:
1) Whether the attack requires special equipment. When computing this parameter for the root node of an attack path of the threat tree, a bottom-up method is used, starting from the leaf nodes and propagating upward level by level. For a leaf node, the value of the parameter is its own assigned value of whether special equipment is required; for an AND node, the value is the logical OR of the values of this parameter over all of its child nodes; for an OR node, the value is the logical AND of the values of this parameter over all of its child nodes. The values are then propagated upward level by level until the value of the parameter for the root node of the attack path is computed.
2) Attack cost. When computing the attack cost of the root node of an attack path of the threat tree, the same bottom-up method is used, starting from the leaf nodes and propagating upward level by level. For a leaf node, the attack cost is its own assigned attack cost; for an AND node, the attack cost is the sum of the attack costs of all of its child nodes; for an OR node, the attack cost is the attack cost of one of its child nodes. The values are then propagated upward level by level until the attack cost of the root node of the attack path is computed.
3) Probability of success. When computing the probability of success of an attack directly on the root node of the threat tree, the same bottom-up method is used, starting from the leaf nodes and propagating upward level by level. First, the concrete attack modes identified by the leaf nodes of an attack path are assumed to be pairwise independent and uncorrelated. For a leaf node, the probability of success is its own assigned value; for an AND node, it is the product of the probabilities of success of all of its child nodes; for an OR node, it is the probability of success of one of its child nodes. The values are then propagated upward level by level until the probability of success of the root node of the attack path is computed.
All the leaf nodes of an attack path of the threat tree form a minimal cut set of the tree. By the definition of a minimal cut set, only when the attacks represented by all the leaf nodes in the minimal cut set occur simultaneously can the threat object represented by the root node be attacked successfully. Hence, with respect to the root node, the logical relation among these leaf nodes is AND. Computing the special-equipment value of the root node of an attack path can therefore be simplified to $E(R) = E(L_1) \vee E(L_2) \vee \cdots \vee E(L_i) \vee \cdots \vee E(L_n)$, where E(R) is the special-equipment value of the root node of the attack path, E(L_i) is the special-equipment value of a leaf node, and n is the number of leaf nodes. Computing the attack cost of the root node of an attack path can be simplified to $C(R) = \sum_{i=1}^{n} C(L_i) = C(L_1) + C(L_2) + \cdots + C(L_i) + \cdots + C(L_n)$, where C(R) is the attack cost of the root node of the attack path, C(L_i) is the attack cost of a leaf node, and n is the number of leaf nodes. Likewise, computing the probability of success of the root node of an attack path can be simplified to $P(R) = P\left(\prod_{i=1}^{n} L_i\right) = P(L_1) \times P(L_2) \times \cdots \times P(L_i) \times \cdots \times P(L_n)$, where P(R) is the probability of success of the root node of the attack path, P(L_i) is the probability of success of a leaf node of the attack path, and n is the number of leaf nodes.
Once the three parameters (whether special equipment is required, attack cost, and probability of success) have been computed for the root nodes of all attack paths of the threat tree, their values must be analyzed in order to evaluate the attack paths. The first parameter mainly reflects special circumstances the attacker has to consider when launching an attack and is a secondary factor in the attacker's choice of attack path; the latter two parameters are the attacker's primary concern, and in choosing an attack path the attacker will prefer the one with the highest possible probability of success and the lowest possible attack cost. To capture this property of attack paths, the notion of the degree of harm of an attack is introduced, expressed as the ratio of the probability of success to the attack cost. Attack paths are graded by degree of harm and sorted from high to low. When the system is analyzed and designed, defensive measures should be considered with emphasis on the attack paths with a high degree of harm: their attack process should be analyzed in detail, and targeted measures taken at each attack stage passed through in that process.
The technical scheme of the present invention is further explained below through a specific embodiment:
The application of the invention is illustrated by threat modeling an online banking application.
1. Create the overview of the application or system. Use-case modeling is performed on the online banking application, and an illustration is drawn as the overview describing the whole application. The resulting overview of the online banking application is shown in Fig. 3.
2. Activity diagrams are attached to each use case of the online banking application for dynamic modeling, thereby completing the decomposition of the application. Because the structure and function of the example online banking application are not complicated, in accordance with the needs of threat modeling and evaluation we decompose it by only one level. Fig. 4 is the one-level decomposition diagram of the "user accesses online banking" use case.
3. Analyze the asset information to determine the threat objects. The main threat objects in Fig. 4 are the "return account information" activity and the "serve user request" activity. From these the main threats can be obtained; for the "return account information" activity, the threat "a malicious user browses confidential account information over the network" is obtained.
4. A threat tree is built for the threat "a malicious user browses confidential account information over the network", shown in Fig. 5. Values are assigned to the root node and the leaf nodes of the threat tree; see Table 1. The attack paths are then computed, the attack paths and the threat are evaluated, and a mitigation scheme is selected; the detailed documentation is given in Table 2.
Table 1: leaf node assignments of the threat tree "a malicious user browses confidential account information over the network"

| Leaf node of the threat tree | Attack cost | Probability of success | Special equipment required |
|---|---|---|---|
| HTTP communication is not protected | 5 | 1 | false |
| Router is not protected | 5 | 1 | false |
| Destroy the router | 30 | 0.8 | true |
| Guess the router password | 25 | 0.6 | true |
| Sniff the network service | 20 | 0.8 | true |
| Attacks on various switches | 40 | 0.7 | true |
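The per-path simplification of the threat-analysis section (E(R) as an OR over the leaves, C(R) as a sum, P(R) as a product under pairwise independence, degree of harm as P(R)/C(R), then ranking from high to low) can be run directly on the leaf values of Table 1. The Python below is an added example, not code from the patent or its tool. The leaf values are copied from Table 1; the minimal cut sets are constructed for illustration only, because Fig. 5 is not reproduced and the patent's actual grouping of these leaves into attack paths is unknown.

```python
from dataclasses import dataclass
from math import prod
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class LeafValue:
    cost: int          # attack cost C(L): integer in (0, +inf)
    success: float     # probability of success P(L): real in (0, 1)
    equipment: bool    # E(L): whether special equipment is required


# Leaf assignments copied from Table 1 of the patent.
LEAVES: Dict[str, LeafValue] = {
    "HTTP communication is not protected": LeafValue(5, 1.0, False),
    "Router is not protected":             LeafValue(5, 1.0, False),
    "Destroy the router":                  LeafValue(30, 0.8, True),
    "Guess the router password":           LeafValue(25, 0.6, True),
    "Sniff the network service":           LeafValue(20, 0.8, True),
    "Attacks on various switches":         LeafValue(40, 0.7, True),
}

# CONSTRUCTED minimal cut sets for illustration. Fig. 5 of the patent is not
# reproduced, so this grouping is an assumption and not the patent's threat tree.
CUT_SETS: List[FrozenSet[str]] = [
    frozenset({"HTTP communication is not protected", "Sniff the network service"}),
    frozenset({"Router is not protected", "Guess the router password"}),
    frozenset({"Destroy the router"}),
    frozenset({"Attacks on various switches"}),
]


@dataclass(frozen=True)
class PathEvaluation:
    leaves: FrozenSet[str]
    equipment: bool    # E(R) = E(L_1) v ... v E(L_n)
    cost: int          # C(R) = C(L_1) + ... + C(L_n)
    success: float     # P(R) = P(L_1) x ... x P(L_n), leaves assumed pairwise independent
    harm: float        # degree of harm = P(R) / C(R)


def evaluate_path(cut_set: FrozenSet[str], leaves: Dict[str, LeafValue]) -> PathEvaluation:
    """Root-node values of one attack path; the leaves of a minimal cut set are in AND relation."""
    vals = [leaves[name] for name in cut_set]
    equipment = any(v.equipment for v in vals)
    cost = sum(v.cost for v in vals)
    success = prod(v.success for v in vals)
    return PathEvaluation(cut_set, equipment, cost, success, success / cost)


def rank_paths(cut_sets: List[FrozenSet[str]], leaves: Dict[str, LeafValue]) -> List[PathEvaluation]:
    """Every attack path evaluated and sorted by degree of harm, highest first."""
    return sorted((evaluate_path(cs, leaves) for cs in cut_sets),
                  key=lambda e: e.harm, reverse=True)


if __name__ == "__main__":
    for rank, ev in enumerate(rank_paths(CUT_SETS, LEAVES), start=1):
        print(f"{rank}. harm={ev.harm:.4f} P={ev.success:.2f} C={ev.cost} "
              f"E={ev.equipment} leaves={sorted(ev.leaves)}")
```

With these constructed cut sets the two-leaf path through the unprotected HTTP channel ranks first (P = 0.8, C = 25, harm = 0.032) even though a single-leaf path has the same probability, because the degree of harm divides by cost; this is the ordering the designer is told to use when deciding where to concentrate defensive measures.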
Table 2: analysis document of the threat tree "a malicious user browses confidential account information over the network"
(Table 2 appears in the original only as the images Figure A20091006793100141, Figure A20091006793100151 and Figure A20091006793100161, which are not reproduced here.)

Claims (6)

1. A threat modeling method augmented with formal attack-path analysis, which decomposes the application or system with UML activity diagrams at the software design stage, extracts software defect information and performs threat modeling, the method comprising the following steps:
Step 1: create the use-case model. This step comprises: identifying the boundary, the actors and the use cases of the candidate application or system, and iterating this process for the application or system until the system boundary, actors and use cases stabilize; then output the use-case model;
Step 2: create the overview of the application or system; the overview is drawn as an illustration described using the use-case model output by step 1;
Step 3: decompose the application or system with activity diagrams, iteratively decomposing an application or system into a number of functionally smaller subsystems. In the activity diagram, a new modeling element, the boundary, is introduced through the UML stereotype extension mechanism; it represents a machine, physical, address-space or trust boundary, and on this basis an asset-information output function is added. The key asset information so obtained serves as the threat object;
Step 4: take the key asset information obtained as the threat object, create a threat tree with the threat object as its root node, and assign values to every node in the threat tree, including the root node and the leaf nodes;
Step 5: classify and evaluate the threat object with the STRIDE and DREAD models;
Step 6: calculate to threaten the attack path of tree, an attack path that threatens tree be exactly from root node to a minimal cut set that threatens tree all leaf nodes the path of process.。The input of this algorithm is expressed as the level traversing result N that threatens node in the tree, and output is expressed as the attack path P that threatens each node in the tree i, this algorithm comprises following flow process:
Last node begins from level traversing result N, backward scanning, decision node type;
If node is leaf node N L, its attack path is exactly N LItself;
If node is AND type node N A:
Try to achieve the attack path bar number of this AND node n = Π i = 1 k n i (this AND node has k child node, n iBe the attack path bar number of i child node);
Try to achieve
Figure A2009100679310002C2
(i=0 ..., k-1, when i=k,
Figure A2009100679310002C3
);
Try to achieve the l+1 bar attack path of this AND node P [ l ] = N A + Σ i = 1 k P i [ M ( l , i ) ] (i=0 ..., k, l=0 ..., n-1, P i[M (l, i)] be the M (l, i) bar attack path) of i child node of this AND node;
The attack path of this AND node be P[0] ..., P[n-1] };
If node is OR type node N O:
Try to achieve this OR node attack path bar number n = Σ i = 1 k n i (this OR node has k child node, n iBe the attack path bar number of i child node), the attack path of each child nodes is respectively P i[1] ..., P i[n i];
Try to achieve this OR node attack path set be
N O+P 1[1],…,N O+P 1[n 1],N O+P 2[1],…,N O+P 2[n 2],…,N O+P k[1],…,N O+P k[n k];
After having scanned first node among the N (promptly threatening the root node of tree), finish scanning, the output attack path.
Whether step 7: attacking needs specific installation, attack cost, possibility of success attack and attacks the assessment that threat tree attack path is assessed in four aspects of the extent of injury.
2. the threat modeling method of adding attack path formalization analysis as claimed in claim 1 is characterized in that, the use-case model that described step 2 is exported comprises: application program or system boundary, participant, use-case, relation.
3. the threat modeling method of adding attack path formalization analysis as claimed in claim 1 is characterized in that, whether described attack needs specific installation CALCULATION OF PARAMETERS method as follows:
When calculating this parameter of the root node that threatens an attack path of setting, adopt from leaf node, successively the computing method of upwards transmitting.For leaf node, the value of this parameter is exactly the assignment whether itself needs specific installation; For the AND node, the value of this parameter is the result who the value that whether needs this parameter of specific installation of its all child node is carried out exclusive disjunction; For the OR node, the value of this parameter is that the value that whether needs this parameter of specific installation of its all child node is carried out the result with computing.Successively upwards transmit then, up to the parameter value that whether needs specific installation of the root node that calculates this attack path.
4. the threat modeling method of adding attack path formalization analysis as claimed in claim 1 is characterized in that, the computing method of described attack cost parameter are as follows:
When calculating the attack cost of the root node that threatens an attack path of setting, adopt from leaf node, successively the computing method of upwards transmitting.For leaf node, attacking cost is exactly the attack cost assignment of itself; For the AND node, attack cost and be its all child node the attack cost and; For the OR node, attacking cost is the attack cost of its some child nodes; Upwards transmit layer by layer then, to the last calculate the attack cost of the root node of this attack path.
5. the threat modeling method of adding attack path formalization analysis as claimed in claim 1 is characterized in that, described possibility of success attack CALCULATION OF PARAMETERS method is as follows:
When calculating possibility of success attack of attacking root node directly that threatens tree, still adopt from leaf node, successively the computing method of upwards transmitting.At first, suppose between the concrete attack pattern that leaf node identified of an attack path it is independent, incoherent mutually mutually in twos.For leaf node, possibility of success attack is exactly the assignment of the possibility of success attack of itself; For the AND node, possibility of success attack is the product of possibility of success attack value of its all child nodes; For the OR node, possibility of success attack is the possibility of success attack of its some child nodes.Upwards transmit layer by layer then, up to the possibility of success attack of the root node that finally calculates attack path.
6. the threat modeling method of adding attack path formalization analysis as claimed in claim 1 is characterized in that, the extent of injury of described attack is used possibility of success attack and attacked the ratio value representation of cost.
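The attack path enumeration of claim 1, step 6, and the per-path assessment rules of claims 3 to 6 are short enough to show in working code. The block below is an added example written for this page; it is not code from the patent or its applicant. Two things are assumed: the child-path index $M(l, i)$ is given only in figures not reproduced here, so `itertools.product` is used to enumerate the same $\prod n_i$ combinations of an AND node, and the AND/OR structure of the sample tree is constructed for illustration (only its five leaf values come from the table above).

```python
"""Attack-path enumeration and per-path assessment for an AND/OR threat tree.

Added example following CN101655787A claim 1 (step 6) and claims 3 to 6.
The sample tree is constructed for illustration; only the leaf values are
taken from the attribute table on the page, the AND/OR structure is assumed.
"""
from dataclasses import dataclass, field
from itertools import product
from math import prod
from typing import Dict, List


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0                  # leaf: attack cost assignment
    p_success: float = 0.0             # leaf: probability that the attack succeeds
    equipment: bool = False            # leaf: special equipment required?


def attack_paths(node: Node) -> List[List[Node]]:
    """Return every attack path below `node`, root first.

    Children are resolved before their parent (post-order), which is what the
    patent's backward scan of the level-order traversal N achieves.  A LEAF is
    its own path; an AND node yields prod(n_i) paths, one per combination of
    its children's paths; an OR node yields sum(n_i) paths.
    """
    if node.kind == "LEAF":
        return [[node]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.kind == "AND":
        # product() enumerates the same prod(n_i) combinations that the patent
        # indexes with M(l, i); the exact index formula is not reproduced here.
        return [[node] + [n for sub in combo for n in sub]
                for combo in product(*child_paths)]
    if node.kind == "OR":
        return [[node] + p for paths in child_paths for p in paths]
    raise ValueError(f"unknown node kind {node.kind!r}")


def path_metrics(path: List[Node]) -> Dict[str, object]:
    """Evaluate one attack path with the rules of claims 3 to 6.

    Along a single path every OR node contributes exactly one child, so the
    bottom-up recursion collapses to: cost = sum of leaf costs (AND: sum),
    p_success = product of leaf probabilities (AND: product, leaves assumed
    independent), equipment = any leaf needs it (AND: disjunction), and
    harm = p_success / cost (claim 6).
    """
    leaves = [n for n in path if n.kind == "LEAF"]
    cost = sum(n.cost for n in leaves)
    p = prod(n.p_success for n in leaves)
    return {
        "path": " -> ".join(n.name for n in path),
        "cost": cost,
        "p_success": p,
        "equipment": any(n.equipment for n in leaves),
        "harm": p / cost if cost > 0 else float("inf"),
    }


def tree_needs_equipment(node: Node) -> bool:
    """Claim 3 evaluated over the whole tree rather than one path:
    AND node = OR of its children, OR node = AND of its children
    (an OR threat needs equipment only if every alternative does)."""
    if node.kind == "LEAF":
        return node.equipment
    vals = [tree_needs_equipment(c) for c in node.children]
    return any(vals) if node.kind == "AND" else all(vals)


def build_sample_tree() -> Node:
    """Constructed sample: leaf values are the five rows of the table above;
    the AND/OR structure joining them is assumed for illustration."""
    unprotected = Node("Router is not protected", cost=5, p_success=1.0, equipment=False)
    damage = Node("Damage router", cost=30, p_success=0.8, equipment=True)
    guess = Node("Guess router password", cost=25, p_success=0.6, equipment=True)
    sniff = Node("Sniff network services", cost=20, p_success=0.8, equipment=True)
    switches = Node("Attack the switches", cost=40, p_success=0.7, equipment=True)
    control = Node("Gain control of router", "OR", [guess, damage])
    via_router = Node("Compromise router", "AND", [unprotected, control])
    return Node("Malicious user obtains confidential account information", "OR",
                [via_router, sniff, switches])


def ranked_paths(root: Node) -> List[Dict[str, object]]:
    """All attack paths of `root`, most harmful (highest p_success/cost) first."""
    return sorted((path_metrics(p) for p in attack_paths(root)),
                  key=lambda m: m["harm"], reverse=True)


if __name__ == "__main__":
    for m in ranked_paths(build_sample_tree()):
        print(f"harm={m['harm']:.4f} cost={m['cost']:<4} p={m['p_success']:.2f} "
              f"equipment={m['equipment']}  {m['path']}")
```

With the constructed tree the AND node contributes 1 × 2 = 2 paths and the root OR node 2 + 1 + 1 = 4, and ranking by the claim 6 ratio puts "Sniff network services" (0.8 / 20 = 0.04) ahead of the router paths even though one of them has a higher raw success probability. Note that `tree_needs_equipment` and the per-path `equipment` flag can disagree: claim 3's conjunction over an OR node's children is a whole-tree statement, while on a single path the OR node has one child.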
CN200910067931A 2009-02-24 2009-02-24 Threat modeling method added with attack path formalization analysis Pending CN101655787A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910067931A CN101655787A (en) 2009-02-24 2009-02-24 Threat modeling method added with attack path formalization analysis

Publications (1)

Publication Number Publication Date
CN101655787A true CN101655787A (en) 2010-02-24

Family

ID=41710085

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102103514A (en) * 2011-03-02 2011-06-22 天津大学 Method for analyzing security demand based on activity graph expansion under CC (Common Criteria)
CN104303152A (en) * 2012-03-22 2015-01-21 洛斯阿拉莫斯国家安全股份有限公司 Anomaly detection to identify coordinated group attacks in computer networks
CN104303152B (en) * 2012-03-22 2017-06-13 洛斯阿拉莫斯国家安全股份有限公司 Method, device and system for detecting anomalies to identify coordinated group attacks in an internal network
US10574675B2 (en) 2014-12-05 2020-02-25 T-Mobile Usa, Inc. Similarity search for discovering multiple vector attacks
CN107251038A (en) * 2014-12-05 2017-10-13 T移动美国公司 Recombinant threat modeling
CN106709613A (en) * 2015-07-16 2017-05-24 中国科学院信息工程研究所 Risk assessment method suitable for industrial control system
CN106709613B (en) * 2015-07-16 2020-11-27 中国科学院信息工程研究所 Risk assessment method applicable to industrial control system
CN105978898A (en) * 2016-06-28 2016-09-28 南京南瑞继保电气有限公司 Network security threat evaluation method and system for substation monitoring system
CN105978898B (en) * 2016-06-28 2019-09-27 南京南瑞继保电气有限公司 Network security threat assessment method and system for a substation monitoring system
US10601854B2 (en) 2016-08-12 2020-03-24 Tata Consultancy Services Limited Comprehensive risk assessment in a heterogeneous dynamic network
CN109145579A (en) * 2018-08-18 2019-01-04 北京航空航天大学 Information security certification testing method and system for intelligent connected vehicles
CN109446805A (en) * 2018-10-19 2019-03-08 西安电子科技大学 Information flow integrity attack measurement method, computer device and readable storage medium
CN109446805B (en) * 2018-10-19 2021-10-29 西安电子科技大学 Information flow integrity attack measuring method, computer device and readable storage medium thereof
CN110378121A (en) * 2019-06-19 2019-10-25 全球能源互联网研究院有限公司 Edge computing terminal security assessment method, device, equipment and storage medium
CN110378121B (en) * 2019-06-19 2021-03-16 全球能源互联网研究院有限公司 Edge computing terminal security assessment method, device, equipment and storage medium
US11336679B2 (en) 2020-01-28 2022-05-17 International Business Machines Corporation Combinatorial test design for optimizing parameter list testing
WO2021152423A1 (en) * 2020-01-28 2021-08-05 International Business Machines Corporation Combinatorial test design for optimizing parameter list testing
CN111368302A (en) * 2020-03-08 2020-07-03 北京工业大学 Automatic threat detection method based on attacker attack strategy generation
CN111368302B (en) * 2020-03-08 2024-02-02 北京工业大学 Automatic threat detection method based on attacker attack strategy generation
CN112558927A (en) * 2020-12-09 2021-03-26 中国电子科技集团公司第十五研究所 Software reliability index distribution method and device based on layer-by-layer decomposition method
CN112558927B (en) * 2020-12-09 2024-02-20 中国电子科技集团公司第十五研究所 Software reliability index distribution method and device based on layer-by-layer decomposition method
CN114896600A (en) * 2022-04-29 2022-08-12 苏州浪潮智能科技有限公司 Server threat assessment method and device, electronic equipment and storage medium
CN114896600B (en) * 2022-04-29 2024-06-25 苏州浪潮智能科技有限公司 Server threat assessment method and device, electronic equipment and storage medium
CN115484105A (en) * 2022-09-19 2022-12-16 北京犬安科技有限公司 Attack tree modeling method and device, electronic equipment and readable storage medium
CN115484105B (en) * 2022-09-19 2024-02-02 北京犬安科技有限公司 Attack tree modeling method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100224