KR100990688B1 - Method and Apparatus for Analyzing Security of Software - Google Patents

Abstract

A method and apparatus for analyzing software security are disclosed. Software security analysis method using a first software model in the form of HCPN (Hierarchically Combined Petri Net) according to an embodiment of the present invention, the first software model in the form of HCPN MRM (Markov Reward, Markov Reward) The method may include converting into a second software model in the form of Model) and extracting quantitative security performance using the second software model. According to an embodiment of the present invention, a method and apparatus for quantitatively analyzing and verifying software security at the design stage may be provided.

Security, Attack Tree, Markov Reward Model, HCPN, HQPN, Attack Scenario

Description

Method and Apparatus for Software Security Analysis {Method and Apparatus for Analyzing Security of Software}

The present invention relates to a method and apparatus for analyzing software security, and more particularly, to a method and apparatus for quantitatively analyzing security of software.

With the recent development of the computer-related industry, the software industry is growing quantitatively and qualitatively.

As the software industry develops qualitatively, the complexity of the software has increased greatly. Accordingly, satisfying not only the functional requirements of the software (for example, document editing in the case of MS Word) but also the non-functional requirements has become an important problem.

Software must meet both functional requirements as well as non-functional requirements. Among the non-functional elements of software are security issues.

Software security requirements are established early in the system development life cycle. However, in conventional software engineering, non-functional requirements such as security requirements could only be verified at the time of system application.

However, if the software finds that it does not meet the security requirements at the time of system application, it may not be able to meet the development period by consuming additional development period of the software to satisfy the security requirements. This causes an exponential increase in software development costs.

To escape the pitfalls of false security, it must be possible to ensure that security requirements have been met early in the software development life cycle.

The present invention has been proposed to solve the above problems, and an object thereof is to provide a method and apparatus for quantitatively analyzing and verifying software security at the design stage.

According to one aspect of the invention, a software security analysis method is provided.

Software security analysis method using a first software model in the form of HCPN (Hierarchically Combined Petri Net) according to an embodiment of the present invention, the first software model in the form of HCPN MRM (Markov Reward, Markov Reward) The method may include converting into a second software model in the form of Model) and extracting quantitative security performance using the second software model.

Software security analysis method using an attack tree according to another embodiment of the present invention (a) when any one of the first node and the second node which is an operand node of the AND operator on the attack tree is a leaf node Merging the first node and the second node; (b) when both the first node and the second node, which are operand nodes of the AND operator on the attack tree, are OR nodes, merge the first node and the second node to generate a third node, which is an OR node; Creating as a child node of the third node the number of nodes multiplied by the number of child nodes of one node and the number of child nodes of the second node; Repeating steps (a) and (b) until there are no AND nodes on the attack tree; And extracting the number of leaf nodes of the attack tree as the number of attack scenarios when there is no AND node on the attack tree.

In addition, according to another aspect of the present invention, a software security analysis apparatus is provided.

Software security analysis apparatus using a first software model in the form of HCPN (Hierarchically Combined Petri Net) according to an embodiment of the present invention, the first software model in the form of HCPN (Markov Reward, Markov Reward) HCPN / MRM conversion unit for converting into a second software model in the form of a model) and MRM-based security analysis unit for extracting quantitative security performance using the second software model.

Software security analysis apparatus using an attack tree according to another embodiment of the present invention (a) when any one of the first node and the second node which is an operand node of the AND operator on the attack tree is a leaf node; Perform a merging of the first node and the second node; (b) when both the first node and the second node, which are operand nodes of the AND operator on the attack tree, are OR nodes, merge the first node and the second node to generate a third node, which is an OR node; Generating as a child node of the third node the number of nodes multiplied by the number of child nodes of one node and the number of child nodes of the second node; An attack tree improvement unit which repeats the operation (a) and the operation (b) until there is no AND node on the attack tree; And a leaf node number extracting unit extracting the number of leaf nodes of the attack tree as the number of attack scenarios when there is no AND node on the attack tree.

Other aspects, features, and advantages other than those described above will become apparent from the following drawings, claims, and detailed description of the invention.

According to an embodiment of the present disclosure, a method and apparatus for quantitatively analyzing and verifying software security at the design stage may be provided.

Hereinafter, an embodiment of a software security analysis method and apparatus according to the present invention will be described in detail with reference to the accompanying drawings. However, this is not intended to limit the present invention to specific embodiments, it should be understood to include all transformations, equivalents, and substitutes included in the spirit and scope of the present invention. In the following description of the present invention, if it is determined that the detailed description of the related known technology may obscure the gist of the present invention, the detailed description thereof will be omitted. In addition, in the description with reference to the accompanying drawings, the same or corresponding components will be given the same reference numerals and duplicate description thereof will be omitted.

First, the Attack Tree, Markov Reward Model (MRM) and Hierarchically Combined Queued Petri Net (HQPN) will be described.

Representative attack scenario modeling methods are based on attack trees and attack graphs. The attack tree provides formal and organizational techniques for describing the security of the system based on the attacker's goals. The attack tree consists of a target located at the root node and a sub-goal located at the leaf node. It is possible to pass node values up to the root of the tree. The value of an AND node is the Boolean AND operation value of all child nodes of the AND node, and the value of the OR node is the Boolean OR operation value of all child nodes of the OR node. If a cost value is taken into account, the value of the AND node is the sum of the values of all child nodes of that AND node, and the value of the OR node is the minimum of all child nodes of that OR node.

The Markov compensation model is a general stochastic model. This is used to evaluate the performance of the system. Performance is a measure of the reliability and performance of a system.

{X (t), t≥0} is called a homogeneous finite state continuous time Markov chain (CTMC) with state space S and constructor matrix Q = {q _ij } . P _i (t) = P {X (t) = i} represents the unconditional probability that the CTMC belongs to state i at time t. And the column vector P (t) = [P ₁ (t), P ₂ (t), ..., P _n (t)] is a transient state probability vector at the time point t of the CTMC. do.

The instantaneous property of the CTMC can be described as in Equation 1 below.

주어진 P(0)에 대해,

For a given P (0),

는 수학식 2를 만족한다.Where P (0) is the initial probability vector (time t = 0). Steady-state probability vector

Satisfies Equation 2.

In addition to instant state probabilities, cumulative probabilities are often of interest.

로 정의한다. 그러면 L_i(t)는 기대 구간[0,t)에서 CTMC가 스테이트 i에 속하는 총 기대시간을 나타낸다. L(t)는 다음 수학식 3을 만족한다.L (t)

. L _i (t) then represents the total expected time that the CTMC belongs to state i in the expected interval [0, t). L (t) satisfies Equation 3 below.

The measurement of the time to reach the absorption state is problematic.

이 된다. 평균 흡수 시간(MTTA: mean time to absorption)은 수학식 4와 같다.Q _T is called the submatrix of Q corresponding to the transition between non-absorbing states. The time before reaching the absorbing state is then limited to states belonging to the set T of the nonabsorbing state.

Becomes Mean time to absorption (MTTA) is shown in Equation 4.

The reward rate assignment depends on the attributes of interest related to security.

The hierarchical queuing petri net (HQPN) is a combination of CGSPNs (Coloured Generalized Stochastic Petri Nets) and a queuing network (QN), which hides stations in the CGSPN's queuing place.

The strict definition of HQPN is shown in Table 1 below.

이다.

는 t_i∈W₁인 경우 컬러 c에 따르는 파이어링 딜레이(firing delay)를 특정하는 음의 방향 지수 분포(negative exponential distribution)의 빈도(rate)이고, t_i∈W₂인 경우 컬러 c에 따르는 상대적 파이어링 주기(firing frequency)를 특정하는 파이어링 웨이트(firing weight)이다.HQPN is 9 tuples.
= HQPN (S, P, T, C, I ^+, I ^-, ₀ M, Q, W), where
i. CPN = (P, T, C , I +, I -, M 0) is the model component of Colored Petri net (Colored PN) based
ii. S = (S ₁ , S ₂ , ..., S _n ) is a set of subnet places that can contain other HQPNs
iii. Q = (Q ₁ , Q ₂ , (q ₁ , ..., q _{| p |} )) where
Q ₁ is a set of timed queueing places
Q ₂ is a set of immediate queueing places, where Q ₁ ∩ Q ₂ = φ. And q ₁ represents the description of the queue taking into account all the colors of C (p _i ). Where p _i corresponds to "null" if the keyword is a queuing place or an ordinary place.
iv. W = (W ₁ , W ₂ , (w ₁ , ..., w _{| T |} )) where
W ₁ ⊆T is a set of timed transitions
W ₂ ⊆T is a set of immediate transitions and W ₁ ∩W ₂ = φ.
For W ₁ ∪ W ₂ = T and ∀c ∈ C (t _i )

to be.

Is the frequency of the negative exponential distribution that specifies the firing delay according to color c for t _i ∈W ₁ , and for color c for t _i ∈W ₂ It is a firing weight that specifies a relative firing frequency.

HQPN hierarchically models a conventional queuing petri net (QPN). Subnet places in HQPN include QPN models or other subnet places. The queuing place fuses the queuing system and the repository. The model represented by the queuing place must have queuing model characteristics (eg G / M / ∞ / IS, G / M / 1 / FCFS). The token color of the HQPN identifies the task and the process.

1A is a schematic diagram of an open class model HQPN.

1B is a schematic diagram of a closed class model HQPN.

The model of FIG. 1A includes a timed transition t ₁ 110 and an intermediate transition t ₂ 120. If the transition t ₁ 110 is fired, the transition t ₁ 110 generates a new token x and stores it in the system S 100. System S is represented in FIG. 1A using a subnet place. The subnet place may be a regular QPN, and the subnet place allows for multiple levels of nesting. The firing delay is selected according to the desired transaction inflow frequency. Transaction t ₂ 120 is used to destroy the token of the completed transaction.

The model of FIG. 1B includes a subnet place 150 and an intermediate transition t ₁ 160.

The examples of the two figures of FIGS. 1A and 1B are distinguished based on whether the intensity of the task is specified by the number of transactions being processed simultaneously or by the number of active clients / terminals that initiate the transaction.

2 is a block diagram of a software security analysis apparatus 200 according to an embodiment of the present invention.

Referring to FIG. 2, the software security analysis apparatus 200 according to an embodiment of the present invention may include an HCPN generation unit 210, an HCPN / MRM conversion unit 220, an MRM-based security analysis unit 230, and an attack tree generation. The unit 240 may include an attack scenario identification unit 250, an attack tree-based security analyzer 260, and a result output unit 270.

The HCPN generation unit 210 generates a first software model in the form of HCPN (Herarchically Combined Petri Net).

The HCPN generator 210 generates a first software model of HCPN type corresponding to the software design.

HCPN improves the syntax by removing the queuing place from the HQPN and adding attributes to the token.

The strict definition of HCPN according to an embodiment of the present invention is shown in Table 2.

HCPN is 8 tuples.
HCPN = (S, P, T , C, I +, I -, M 0, W) , where
i. CPN = (P, T, C , I +, I -, M 0) is the model component of Colored Petri net (Colored PN) based
C = (C ₁ , C ₂ , ..., C _n ) is the set of colors
C _k = {attr ₁ , attr ₂ , ... attr _i } is a set of attributes of the color
ii. S = (S ₁ , S ₂ , ..., S _n ) is a set of subnet places that can contain other HCPNs
iii. W = (W ₁ , W ₂ , (w ₁ , ..., w _{| T |} )) is an HQPN-based model component

Add extended modeling methods for modeling software systems. Table 3 is a definition of a model of a distributed component based system for modeling an integrated software system using HCPN according to an embodiment of the present invention.

여기서,
i.

는 클라이언트의 집합
ii.

는 서버의 집합
iii.

는 배치되는 하드웨어 노드의 집합(예를 들면, 워크스테이션, 네트워크 장비 등)
iv.

는 애플리케이션과 실행 환경으로 구성되는 소프트웨어 컴포넌트의 집합(예를 들면, 소프트웨어 플랫폼, 미들웨어 등)
v.

인

는

인

에서 실행되는 애플리케이션 소프트웨어의 집합
vi.

인

는

인

에서 실행되는 소프트웨어 환경의 집합(예를 들면, 소프트웨어 플랫폼, 미들웨어 등)
vii.

는 다음을 만족하는 원소의 집합.

,

,

그리고

viii.

는 다음을 만족하는 원소의 집합.

,

,

ix.

와

는 서브넷 플레이스

로 표현됨
x.

는 서브넷 플레이스

로 표현되지 않음.
- HCPN이 닫힌 네트워크 모델(closed network model)이라면

는 플레이스로 표현됨
- HCPN이 열린 네트워크 모델(open network model)이라면

는 타임드 트랜지션으로 특정됨Distributed component-based system members consist of four tuples:

here,
i.

Set of clients
ii.

Set of servers
iii.

Is a set of hardware nodes that are deployed (for example, workstations, network equipment, etc.)
iv.

Is a set of software components (eg, software platform, middleware, etc.) consisting of an application and an execution environment.
v.

sign

Is

sign

Set of application software running on
vi.

sign

Is

sign

Set of software environments (eg, software platform, middleware, etc.) running on
vii.

Is a set of elements that satisfy

,

,

And

viii.

Is a set of elements that satisfy

,

,

ix.

Wow

Subnet place

Expressed as
x.

Subnet place

Not expressed as
If HCPN is a closed network model

Is expressed in place
If HCPN is an open network model

Is specified as a timed transition

A distributed component-based system is represented by an application layer and an operation environment layer, which consists of a software environment and a hardware environment, and a layer of the model is represented by a subnet place in HCPN. Represents an application, software environment, or hardware environment This mapping provides a recyclable sub-model, which can be changed by changing the input and output tokens.

Vulnerability analysis of a software system is based on the security requirements of that system. Vulnerability identification is the identification of security requirements from the HCPN model. Confirmation is based on a change to contradiction. For example, if the requirement is "A", then track "NOT A" in the HCPN model. If the potential of "NOT A" is found, the HCPN model does not meet the security requirements.

The identified vulnerability is identified by the token of the HCPN. Requirements verified through the HCPN model are identified as authorized tokens and requirements not verified as non-authorized tokens.

The user can create, modify, and edit the first software model in the form of HCPN through the GUI or the text interface.

The HCPN / MRM conversion unit 220 converts the first software model of the HCPN type into the second software model of the MRM type.

3 is a block diagram of an HQPN / MRM conversion unit 220 according to an embodiment of the present invention.

Referring to FIG. 3, the HQPN / MRM converter 220 according to an embodiment of the present invention includes an HQPN / MC converter 310 and an MC / MRM converter 350.

The HQPN / MC converter 310 converts the first software model of the HCPN type into the third software model of the Markov Chain (MC) type.

The MC / MRM converter 350 converts the MC-type third software model generated by the HQPN / MC converter 310 to MRM-type second software model.

The HQPN / MC converter 310 may include a state generator 320, an edge generator 330, and a change probability extractor 340.

The state generator 320 generates a state identified according to marking of a token included in the first software model of the HCPN type.

The state space S for generating the third software model of the MC type may be generated by the marking M of the first software model of the HCPN type as follows.

가 MC형태의 제3 소프트웨어 모델의 스테이트 공간이고,

가 HCPN 형태의 제1 소프트웨어 모델의 마킹(marking)이라고 한다.

Is the state space of the third software model of the MC type,

Is the marking of the first software model in HCPN form.

Marking here means that the token is distributed in the place of the HCPN.

와 같이 표현할 수 있다.The mapping between the state space of the third software model of the MC type and the marking of the first software model of the HCPN type

It can be expressed as

4 is a schematic diagram of a process of converting an HCPN type model into an MC type according to an embodiment of the present invention.

The state generator 320 generates a state identified according to marking of a token included in the HCPN type first software model.

Referring to FIG. 4, the first software model 400 in the HCPN form before conversion is converted to the third software model 440 in the MC form.

Referring to FIG. 4, the first software model 400 includes a first general place 410, a first transition 420, and a first subnet place 430.

As described above, the first subnet place 430 may include the HCPN in the first subnet place 430.

The first general place 410 holds two tokens A and B, and when the first transition is fired, one token of the two tokens A and B is consumed to consume the first subnet place. May be passed to 430.

The marking of a token refers to the state in which the token is placed / distributed in the place.

Table 4 shows the number of cases of marking in the first software model 400 of FIG. 4.

First General Place (410) First Subnet Place (430) First state (M0, 450) A, B - Second state (M1, 451) B A Third state (M2, 452) A B 4th state (M3, 453) - A, B

First, when both tokens A and B are located in the first general place 410 in the initial state, the first general place 410 holds both A and B tokens, and the first subnet place 430 does not have any tokens. Cannot hold The state generator 320 may generate a first state M0, 450 corresponding to the marking.

The state generator 320 may similarly generate the second states M1 and 451, the third states M2 and 452, and the fourth states M3 and 453 according to the positions of the tokens A and B. FIG.

The edge generator 330 generates an edge corresponding to a state change according to a fire of a transition included in the first software model.

Referring to FIG. 4, when the first transition 420 is fired, either token A or token B is consumed and delivered to the first subnet place 430.

Assume that the first transition 420 is fired and the token A is consumed and transferred to the first subnet place in the situation where the tokens A and B are both located in the first general place 410. In this case, the state changes from the first states M0 and 450 to the second states M1 and 451.

The edge generator 330 generates an edge corresponding to the state change as described above. That is, the edge generator 330 may generate a first edge 461 corresponding to the consumption of the token A by the first transition 420. Similarly, second edge 462, third edge 463, and fourth edge 464 may be created.

When the consumption of token A, which is a condition of the first edge 461 in the first state M0 and 450, is performed, the state of the software model is changed to the second state M1 and 451.

When the consumption of token B, the condition of the second edge 462, is performed in the first state M0, 450, the state of the software model is changed to the third state M2, 452.

When the consumption of token B, the condition of the fourth edge 464, is performed in the second state M1, 451, the state of the software model is changed to the fourth state M3, 453.

When the consumption of token A, which is a condition of the third edge 463 in the third state M2 and 452, is performed, the state of the software model is changed to the fourth state M ₃ and 453.

The change probability extractor 340 extracts the state change probability in accordance with the fire probability of the transition.

라면, 제1 스테이트(M0, 450)로부터 제2 스테이트(M1, 451)로 향하는 제1 에지(461)에 상응하는 확률도

가 된다. 이와 같은 방식으로 모든 에지에 확률을 부여할 수 있다.For example, in the first software model 400 of FIG. 4, when both token A and token B are located in the first general place, the first transition is fired, so that token A is consumed from the first general place and the first subnet is consumed. Chance to move to Place 430

If it is, the probability diagram corresponding to the first edge 461 from the first state (M0, 450) to the second state (M1, 451)

Becomes In this way, probabilities can be assigned to all edges.

When the operation of generating a state, generating an edge, and assigning a probability to the edge is completed, the first software model in the form of HCPN is converted into the third software model in the form of MC.

Referring to FIG. 3, the MC / MRM converter 350 may include a compensation rate allocator 360.

The reward rate allocator 360 assigns a reward rate 0 when at least one of the HCPN's places corresponding to the state holds one or more unauthorized tokens. Otherwise, the software does not have a potential risk of a security problem. Allocate

의 부분집합

은 컬러(

)의 조합의 스테이트이다.In order to assign a compensation rate (0 or 1) to the second software model of the MC type for security analysis, the state is classified into two types, an upper state and a down state. A first compensation rate can be assigned to the down state, and a second compensation rate can be assigned to the upper state. For example, a compensation rate of 0 can be assigned to the down state and a compensation rate of 1 can be assigned to the upper state. Hereinafter, for convenience, it is assumed that a compensation rate 0 is assigned to the down state and a compensation rate 1 is assigned to the upper state. marking

Subset of

Silver color (

) Is a combination state.

는 아래 표 5와 같이 표현할 수 있다.In HCPN for security analysis, the types of tokens include authorized tokens and non-authorized tokens. As described above, unauthorized tokens can be identified based on the vulnerability. therefore,

Can be expressed as shown in Table 5 below.

여기서,

here,

는 승인된 토큰의 집합이고,

는 승인되지 않은 토큰의 집합이다.

Is a set of approved tokens,

Is a set of unauthorized tokens.

Compensation rate allocation for software security according to an embodiment of the present invention is shown in Table 6.

가

이라고 한다. ,

는 승인되지 않은 토큰의 집합이다.

이고,

는 HCPN 형태의 제1 소프트웨어 모델의 마킹(marking)이다.

는 스테이트 j의 플레이스 i에서의 마킹이고,

이다.

이다.

는 MC형태의 제3 소프트웨어 모델의 스테이트 공간이다.
만약

이면,

는 다운 스테이트이다(보상율은 0이다.).
그 외의 경우

는 어퍼 스테이트이다(보상율은 1이다.).

end

It is called. ,

Is a set of unauthorized tokens.

ego,

Is the marking of the first software model in HCPN form.

Is the marking at place i of state j,

to be.

to be.

Is the state space of the third software model of the MC type.
if

If so,

Is the down state (compensation rate is 0).
Otherwise

Is the upper state (compensation rate is 1).

는 플레이스 i가

에 포함된 플레이스가 아니라는 의미이다. 따라서 플레이스 i는 클라이언트이다(표 3 참조). 승인되지 않은 토큰은 보안 요구사항을 만족시킬 수 없게 한다. 따라서, 클라이언트의 플레이스를 제외한 HCPN의 어느 하나의 플레이스에라도 적어도 하나의 승인되지 않은 토큰을 보유한 경우 소프트웨어는 보안 문제의 잠재위험을 가진다.

Place i

It does not mean it is a place. Place i is thus a client (see Table 3). Unauthorized tokens may not meet security requirements. Thus, if there is at least one unauthorized token in any one place of the HCPN except the place of the client, the software has the potential risk of security issues.

In short, if any one or more of the places in the HCPN corresponding to the state holds one or more unauthorized tokens, i.e. if an unauthorized token exists in the marking corresponding to the state, then the software is at risk of a security problem. As a result, the compensation rate of the state is assigned to 0. Otherwise, the software assigns the compensation rate of the state to 1 because there is no potential risk of security problems.

The MRM-based security analysis unit 230 extracts quantitative security performance using a software model in the form of MRM.

5A is a block diagram of an MRM-based security analyzer 230 according to an embodiment of the present invention.

Referring to FIG. 5A, the MRM-based security analyzer 230 may include an MTTI extractor 510 and an MTTB extractor 520.

The MTTI extractor 510 extracts a mean time to intrusion (MTTI) to the first attack.

The MTTB extractor 520 extracts an average time to breach (MTTB) from the first attack time to the successful attack.

5B is a diagram illustrating MTTI and MTTB.

The execution of the software begins at time 0 600, the first attack at time t1 610, and the first attack succeeds at time t2 620.

The average time between time point 0 600 and time point t1 610 is MTTI 650, and the average time between time point t1 610 and time point t2 620 is MTTB 660.

When L _i (t) is the total expected time that CTMC belongs to state i in the interval [0, t), and U _j is a set of upper states with a compensation factor of 1, that is, a set of states that satisfy the security requirements, MTTI It can be obtained as shown in Equation 5.

MTTI is the average time to first attack. The upper state in MRM refers to the normal operation of the system. The MTTI is therefore the sum of the times belonging to the upper state before the system reaches the down state.

L _i (t) is the total expected time that the CTMC belongs to state i in the interval [0, t), and D _j is the set of down states with zero compensation, that is, the set of non-absorbing states that do not meet security requirements. MTTB can be obtained as shown in Equation 6.

The MTTB is the average time from the first attack time to the successful attack, and the down state indicates the system under attack. MTTB is therefore the sum of the times that the system belongs to the down state before reaching the absorption state.

The attack tree generator 240 generates an attack tree.

이 n번째 보안 취약점일 때,

와 같이 표현할 수 있다. 공격 트리의 생성 방법은 아래 표 7과 같다.The identified vulnerability corresponds to the attack target of the attack tree. Therefore, the root target (G ₀ ) of the attack tree is

Is the nth security vulnerability,

It can be expressed as How to create an attack tree is shown in Table 7 below.

를 정의한다.
ii. 상위 레이어를 하나 또는 여러 노드로 분해한다.
iii. 분해된 노드를 OR/AND 논리 관계로 연관시킨다.
iv. 리프 노드에 위치한 공격이 독립적으로 시작될 수 있을 때까지 모든 브랜치(branch)에 대해 ii, iii 단계를 반복한다.
v. 리프 노드에 값을 할당한다. 할당되는 값은 명사적 값(nominal)이 될 수도 있고(예를 들면, 가능/불가능, 특별한 장비 요함/요하지 않음), 숫자적 값(ordinal)이 될 수도 있다(예를 들면, 공격 시간, 공격 가능성, 금전적 비용). 복수의 값이 하나의 노드에 할당될 수 있다.i. Root node corresponding to vulnerability in security requirements

Define.
ii. Break up the upper layer into one or more nodes.
iii. Associate resolved nodes in OR / AND logical relationships.
iv. Repeat steps ii and iii for all branches until the attack located on the leaf node can be started independently.
v. Assign a value to the leaf node. The value assigned can be a nominal value (e.g. possible / disabled, no special equipment required / needed) or a numeric value (e.g. attack time, attack Possibility, monetary costs). Multiple values can be assigned to one node.

는 요구사항 검증에 의하여 식별된 공격자의 목표를 의미한다. 두 번째 및 세 번째 단계에서 보조 목표를 이끌어내기 위해서 공격자의 패턴이 사용된다. 공격 패턴은 소프트웨어 취약점을 이용하기 위한 청사진이다. 공격 패턴은 몇몇 치명적 취약점의 특징을 설명하고, 목적 시스템을 이용하기 위해 필요한 지식으로 공격자를 무장시킨다. 공격 패턴은 공격자의 악의의 공격의 전체 또는 일부의 프로세스를 설명하는 참조 자료를 제공한다.In the first step, the root node

Means the attacker's target identified by the requirements verification. The attacker's pattern is used to derive secondary targets in the second and third stages. Attack patterns are a blueprint for exploiting software vulnerabilities. Attack patterns describe the characteristics of some critical vulnerabilities and equip the attacker with the knowledge necessary to exploit the target system. Attack patterns provide reference material that describes the process, in whole or in part, of an attacker's malicious attack.

6 is a block diagram of an attack scenario identification unit 530 according to an embodiment of the present invention.

Referring to FIG. 6, the attack scenario identification unit 250 according to an embodiment of the present invention may include an attack tree improvement unit 531 and a leaf node number extractor 532.

The attack tree improvement unit 531 improves the attack tree so as to increase the number of attack scenarios.

The attack tree provides a computational measure based on the attack scenario. In the attack tree, an attack scenario means an attack path that reaches an attack target. Thus, there may be more than one attack scenario for reaching one attack target.

Table 8 describes the methods for identifying attack scenarios.

인

가 공격 트리의 레벨 n의 i번째 노드(목표)이고,

가 공격 트리의 루트 목표라고 가정한다. 공격 시나리오는

로부터 모든 리프 노드로의 공격 경로에 의하여 식별된다.

sign

Is the i th node (target) at level n of the attack tree,

Suppose is the root target of the attack tree. Attack scenario

Identified by the attack path from all nodes to the leaf node.

Unsatisfied security requirements correspond to the root target (root node) for malicious attacks in the attack tree. Therefore, the number of requirements is equal to the number of root targets. If there are a large number of attack scenarios against a software system, you may be exposed to a large number of malicious attacks. Therefore, the number of potential attack scenarios is an important measure for security analysis.

Table 9 describes a method for calculating the number of attack scenarios in the attack tree.

가 공격 트리의 레벨 n의 j번째 노드(목표)이고, path(

)인

으로부터

로의 공격 경로의 숫자라고 한다.

인 레벨 n의 노드의 집합

이

로의 공격 경로이고, 각 노드

의 관계가 'AND'인 경우 path(

)=1.

인 레벨 n의 노드의 집합

이

로의 공격 경로이고, 각 노드

의 관계가 'OR'인 경우 path(

)=k.sign

Is the j th node (target) at level n of the attack tree, and path (

)sign

From

It is called the number of attack paths to the furnace.

Set of nodes at level n

this

Path of attack to each node, and each node

If the relationship of 'AND' is path (

) = 1.

Set of nodes at level n

this

Path of attack to each node, and each node

If the relationship of 'OR' is path (

) = k.

7 is a pseudo code of a method for improving an attack tree according to an embodiment of the present invention.

If the attack tree is huge, the number of attack scenarios based on the attack path is complex. The algorithm of FIG. 7 allows the number of attack paths of the attack tree to be counted by simply modifying the tree. The number of attack paths in the original attack tree is equal to the number of leaf nodes in the improved tree. The algorithm of FIG. 7 basically searches all nodes and merges nodes involved in an AND operation.

In FIG. 7, the count_AND_operation (level) function counts the number of AND operators at a specified level. find (AND_operation, level) returns a set of AND operators. The sizeof (and_operation_set) function on line 10 returns the size of the and_operation_set variable. The find_child_nodes (and_operation_set, operation_pointer) function returns a set of child nodes related to and_operator_set at the specified operation_pointer. The refine_node (child_set, size_of (child_set)) function in line 13 refines the attack tree. This function finds the binary operators and and or in child_set to reach the current target (node). If there is an AND node, the refine_node function looks for the child node of the current node and finds the child node's operator until a leaf node is found. The refine_node function consolidates the nodes computed by the AND operator into one node. However, when a node with an AND operator has child nodes and that child node has an OR operator, the refine_node function multiplies the number of child nodes of the two child nodes.

8A, 8B and 9 are schematic diagrams of an attack tree improvement according to an embodiment of the present invention.

Referring to FIG. 8A, refinement is made from the original attack tree 800 to the improved attack tree 850.

(822)는 AND 노드이고, 노드

(831), 노드

(832), 노드

(833)은 노드

(822)의 자식 노드이다. AND 노드인 노드

(822)의 자식 노드가 모두 리프 노드이므로, 세 노드를 하나의 노드

(834)로 병합한다. AND(1:3)은 1∧2∧3을 의미한다. 노드

(822)에 도달하기 위해서는 노드

(831), 노드

(832), 노드

(833)의 조건을 모두 만족시켜야 하므로 실제로 하나의 경로이고, 따라서 하나의 리프 노드로 병합한 것이다. 또한 노드

(834)의 부모 노드는 하나의 자식만을 가지고, 노드

(834)와 노드

(834)의 부모 노드를 병합하여도 경로 개수에는 영향이 없으므로 노드

(834)와 노드

(834)의 부모 노드를 병합할 수 있다.In FIG. 8A, the node

822 is an AND node, the node

(831), nodes

832, nodes

(833) nodes

Is a child node of 822; Nodes that are AND nodes

Since all child nodes of 822 are leaf nodes, three nodes

Merge to (834). AND (1: 3) means 1∧2∧3. Node

Node to reach 822

(831), nodes

832, nodes

Since all the conditions of (833) must be satisfied, it is actually one path, and thus merged into one leaf node. Node

The parent node of 834 has only one child, the node

Node with 834

Merging the parent nodes of (834) does not affect the number of paths, so nodes

Node with 834

The parent node of 834 may be merged.

Referring to FIG. 8B, refinement is made from the original attack tree 801 to the improved attack tree 851.

(810)은 AND 노드이고 따라서 노드

(810)의 자식 노드인 노드

(823) 및 노드

(824)는 AND 연산관계이다. 또한, 노드

(823)는 리프 노드이므로 노드

(823) 및 노드

(824)는 노드

(825)로 병합할 수 있다. 노드

(824)의 자식 노드는 노드

(825)로서 잔존한다. AND(3,4)는 3∧4를 의미한다.In Figure 8b, the node

810 is an AND node and thus

A node that is a child of (810)

(823) and nodes

824 denotes an AND operation relationship. Also, node

Node 823 is a leaf node, so node

(823) and nodes

824 nodes

Merge to (825). Node

Child nodes of 824 are nodes

It remains as 825. AND (3,4) means 3∧4.

That is, when one of the two child nodes of the AND node is a leaf node, the two child nodes can be merged.

9, an improvement is made from the original attack tree 900 to the improved attack tree 950.

(911)과 노드

(912)는 서로 AND 연산관계이고, 각각은 OR 노드이다. 노드

(911)는 노드

(921)과 노드

(922)를 자식 노드로 가진다. 노드

(912)는 노드

(923), 노드

(924)과 노드

(925)를 자식 노드로 가진다. 노드

(911)과 노드

(912)는 서로 AND 연산관계이므로 노드

(913)으로 병합할 수 있다. 여기서 AND(1,2)는 1∧2를 의미한다. 다만, 병합되는 노드가 모드 OR 노드이므로, 노드

(911)의 자식 노드의 수인 2와 노드

(912)의 자식 노드의 수인 3을 곱한 6개의 노드

(931) 내지 노드

(936)를 노드

(913)의 자식 노드로 만든다. 공격 경로의 개수는 노드

(921)과 노드

(922) 중 어느 하나와 노드

(923), 노드

(924)과 노드

(925) 중 어느 하나를 선택하여 조합한 것이 되므로 2 x 3 = 6개가 된다.Node in FIG.

Node with 911

912 are AND arithmetic relations with each other, and each is an OR node. Node

911 nodes

Node with 921

Has 922 as a child node. Node

912 nodes

(923), nodes

924 and nodes

Has 925 as a child node. Node

Node with 911

912 is an AND arithmetic relationship

Merge to 913. Here, AND (1, 2) means 1∧2. However, because the node to be merged is the mode OR node,

2 and the number of child nodes of (911)

6 nodes multiplied by 3, the number of child nodes of (912)

(931) to node

Node 936

Make it a child node of (913). The number of attack paths is node

Node with 921

Node with any one of 922

(923), nodes

924 and nodes

Since any one of 925 is selected and combined, 2 x 3 = 6 pieces.

That is, if two child nodes of an AND node are both OR nodes, and both child nodes (grandchild nodes) are leaf nodes (including when there is only one path from the grandchild node to the leaf node), merge the two child nodes Then, the number of child nodes of the two child nodes are multiplied with each other to make as many nodes as the child nodes of the merged two child nodes.

The attack tree improvement unit 531 repeats the merging operation as shown in FIGS. 8A, 8B, and 9 until there are no AND nodes on the attack tree. Here, when the children become one by merging between the children of the AND nodes, it is no longer considered an AND node.

)로의 경로의 수와 같다. 수학식 7은 이를 수식으로 나타낸 것이다.The total number of attack scenarios is determined by all root nodes (identified as not meeting security requirements).

Equal to the number of paths to). Equation 7 shows this as an expression.

공격 시나리오의 총 개수 = 공격 시나리오의 개수()

Total number of attack scenarios = number of attack scenarios ()

The leaf node number extractor 532 extracts the number of leaf nodes of the improved attack tree as the number of attack scenarios.

The attack tree based security analyzer 260 extracts one or more of survivability, intrusion probability, or high risk attack scenario of the software system.

The attack tree-based security analyzer 260 extracts security performance by using the original tree before the attack tree refiner 531 refines the tree. Therefore, the operation performed by the attack tree-based security analyzer 260 may be performed before the operation of the attack tree improvement unit 531. However, the original tree is copied during the tree improvement operation of the attack tree improvement unit 531, and one of the two attack trees after the copy is improved by the attack tree improvement unit 531 and used to calculate the number of attack paths, and the other one is the attack tree. If used in the base security analysis unit 260 will not be in order.

The attack tree-based security analyzer 260 may extract survivability.

Survivability is the ability of software to protect itself from malicious attacks. Survivability can be defined from the attacker's point of view as the minimum cost for a malicious attack to succeed. In the attack tree, the attack cost is the cost required to reach the root node from the leaf node. This can be calculated with binary operations (AND, OR). Therefore, quantitatively measured survivability may be represented by F as shown in Equation (8).

F = MIN (C ^Tree )

Where C ^Tree is the set of attack costs assigned to the leaf nodes of the attack tree.

The value of an AND node in the attack tree is the sum of the values of the child nodes of the AND node, and the value of the OR node is the minimum of the values of the child nodes of the OR node.

The attack tree based security analyzer 260 may extract an intrusion probability.

Intrusion probability is the probability of attempting a malicious attack in an attack scenario. Therefore, the invasion probability A may be expressed as survivability as shown in Equation (9).

Where total cost is the sum of the elements of the C ^Tree .

The attack tree based security analysis unit 260 may extract a high risk attack scenario.

The security risk of an attack scenario can be defined as the product of two factors:

The probability that the system fails to meet the required security target, as measured by the attack tree based security analysis unit 260 (intrusion probability A).

-Severity severity following system security failure in attack scenarios

Risk factor (R) is calculated as the product of the above probability of invasion and the severity as shown in equation (10).

R _k = A × severity

The high risk attack scenario (Critical) is determined by the following equation (11) by the maximum value of R _k (where k = (1, 2, 3, ..., n)).

Critical = MAX (R _k )

The severity may be a preset value stored in a database according to the attack scenario. According to another embodiment, the severity may be determined by analyzing the attack scenario.

Analysis of the severity is a well-known technique in which several methods have been proposed, and thus detailed description thereof will be omitted.

The result output unit 270 is the MTTI or MTTB extracted by the MRM-based security analyzer 230, the number of attack scenarios extracted by the attack scenario identifier 250, the survivability extracted by the attack tree-based security analyzer 260, and the intrusion. Can output one or more of probable, high-risk attack scenarios.

10 is a flowchart illustrating a security analysis method according to an embodiment of the present invention.

In step S1010, the HCPN generation unit 210 generates a first software model of the HCPN type. Since the first software model generation operation of the HCPN generation unit 210 has been described in detail with reference to FIG. 2, a detailed description thereof will be omitted.

In step S1020, the HCPN / MRM conversion unit 210 converts the first software model of the HCPN type into the second software model of the MRM type.

11 is a detailed flowchart of step S1020 of FIG. 10 according to an embodiment of the present invention.

Referring to FIG. 11, in operation S1110, the first software model in the form of HCPN is converted into the third software model in the form of MC.

12 is a detailed flowchart of step S1110 of FIG. 11 according to an embodiment of the present invention.

In step S1210, the state generating unit 320 generates a state identified according to the marking of the token included in the first software model of the HCPN type. Since the state generating operation of the state generating unit 320 has been described in detail with reference to FIGS. 3 and 4, a detailed description thereof will be omitted.

In step S1220, the edge generator 330 generates an edge corresponding to the state change according to the fire of the transition included in the first software model of the HCPN type. An edge generation operation of the edge generator 330 has been described in detail with reference to FIGS. 3 and 4, and thus a detailed description thereof will be omitted.

In operation S1230, the change probability extractor 340 extracts the state change probability according to the fire probability of the transition. Since the state change probability extraction operation of the change probability extractor 340 has been described in detail with reference to FIGS. 3 and 4, a detailed description thereof will be omitted.

In operation S1120, the MC / MRM converter 350 converts the third software model in the MC form into the second software model in the MRM form. Since the conversion operation of the MC / MRM conversion unit 350 has been described in detail with reference to FIG. 3, a detailed description thereof will be omitted.

In operation S1030, a quantitative security performance is extracted based on the second software model in the form of an MRM.

13 is a detailed flowchart of step S1030 of FIG. 10 according to an embodiment of the present invention.

In step S1310, the MTTI extractor 510 extracts the MTTI. Since the MTTI extraction method has been described in detail with reference to FIGS. 5A and 5B, a detailed description thereof will be omitted.

In step S1320, the MTTB extractor 520 extracts the MTTB. Since the extraction method of MTTB has been described in detail with reference to FIGS. 5A and 5B, a detailed description thereof will be omitted.

In operation S1040, the attack tree generation unit 240 generates an attack tree. Since the attack tree generation of the attack tree generator 240 has been described in detail with reference to FIG. 2, a detailed description thereof will be omitted.

In step S1050, the attack scenario identification unit 250 extracts the number of attack scenarios.

14 is a detailed flowchart of step S1050 of FIG. 10 in accordance with an embodiment of the present invention.

In step S1410, the attack tree refinement unit 531 refines the tree by integrating child nodes of the AND node. Since the tree improvement operation of the attack tree improvement unit 531 has been described in detail with reference to FIGS. 6 to 9, a detailed description thereof will be omitted.

In step S1420, the attack leaf node number extractor 532 extracts the leaf node number of the attack tree as the attack scenario number when there is no AND node on the attack tree. The attack scenario number extracting operation of the attack leaf node number extracting unit 532 has been described in detail with reference to FIGS. 6 to 9, and thus a detailed description thereof will be omitted.

In step S1060, the attack tree-based security analysis unit 260 extracts one or more security capabilities of survivability, intrusion probability, and high risk attack scenario.

15 is a detailed flowchart of step S1060 of FIG. 10 according to an embodiment of the present invention.

In step S1510 the attack tree-based security analysis unit 260 extracts survivability using the attack cost assigned to the leaf node. Since the viability extraction method has been described in detail with reference to FIG. 2, a detailed description thereof will be omitted.

In step S1520 the attack tree-based security analysis unit 260 extracts the intrusion probability using the survivability extracted in step S1510. Since the intrusion probability extraction method has been described in detail with reference to FIG. 2, a detailed description thereof will be omitted.

In step S1530, the attack tree-based security analysis unit 260 extracts an attack scenario having the greatest product of the intrusion probability and the severity extracted in step S1520 as a high risk attack scenario. Since the extraction method of the high risk attack scenario has been described in detail with reference to FIG. 2, a detailed description thereof will be omitted.

In step S1070, the result output unit 270 is the MTTI or MTTB extracted by the MRM-based security analyzer 230, the number of attack scenarios extracted by the attack scenario identifier 250, and the survivability extracted by the attack tree-based security analyzer 260. One or more of the following scenarios: intrusion probability, and high risk attack scenarios.

The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting of the invention. Singular expressions include plural expressions unless the context clearly indicates otherwise.

In this application, the terms "comprise" or "have" are intended to indicate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, and one or more other features. It is to be understood that the present invention does not exclude the possibility or the possibility of additions or numbers, steps, operations, components, components, or combinations thereof.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another.

An embodiment of the present invention may include a computer readable medium including program instructions for performing various computer-implemented operations. The computer readable medium may include program instructions, local data files, local data structures, or the like, alone or in combination. The media may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts.

In addition, the components illustrated in FIGS. 2, 3, and 5A do not necessarily have hardware configurations, and some components may be implemented in the form of an application program that performs the same or similar functions. In addition, each component may be combined or separated within the scope of the invention.

So far I looked at the center of the embodiment for the present invention. Many embodiments other than the above-described embodiments are within the claims of the present invention. Those skilled in the art will appreciate that the present invention can be implemented in a modified form without departing from the essential features of the present invention. The disclosed embodiments should, therefore, be considered in an illustrative rather than a restrictive sense. The scope of the present invention is shown in the claims rather than the foregoing description, and all differences within the scope will be construed as being included in the present invention.

1A is a schematic diagram of an open class model HQPN.

1B is a schematic diagram of a closed class model HQPN.

2 is a block diagram of a software security analysis apparatus 200 according to an embodiment of the present invention.

3 is a block diagram of an HQPN / MRM conversion unit 220 according to an embodiment of the present invention.

4 is a schematic diagram of a process of converting an HCPN type model into an MC type according to an embodiment of the present invention.

5A is a block diagram of an MRM-based security analyzer 230 according to an embodiment of the present invention.

5B is a diagram illustrating MTTI and MTTB.

6 is a block diagram of an attack scenario identification unit 530 according to an embodiment of the present invention.

7 is a pseudo code of a method for improving an attack tree according to an embodiment of the present invention.

8A, 8B and 9 are schematic diagrams of an attack tree improvement according to an embodiment of the present invention.

10 is a flowchart illustrating a security analysis method according to an embodiment of the present invention.

11 is a detailed flowchart of step S1020 of FIG. 10 according to an embodiment of the present invention.

12 is a detailed flowchart of step S1110 of FIG. 11 according to an embodiment of the present invention.

13 is a detailed flowchart of step S1030 of FIG. 10 according to an embodiment of the present invention.

14 is a detailed flowchart of step S1050 of FIG. 10 in accordance with an embodiment of the present invention.

15 is a detailed flowchart of step S1060 of FIG. 10 according to an embodiment of the present invention.

Claims (24)

In the software security analysis method using a first software model in the form of Hierarchically Combined Petri Net (HCPN), Converting the first software model in the form of HCPN into a second software model in the form of a Markov Reward Model (MRM); And Extracting quantitative security performance using the second software model. The method of claim 1, And the color of the first software model has an attribute. The method of claim 1, Converting the first software model of the HCPN type to the second software model of the MRM type, Converting the first software model into a third software model in the form of an MC (Markov Chain); And Converting the third software model to a second software model in the form of an MRM. The method of claim 3, Converting the first software model into a third software model of the MC form, Generating a state identified according to marking of a token included in the first software model; Generating an edge corresponding to a state change according to a fire of a transition included in the first software model; And Extracting a state change probability corresponding to a fire probability of the transition. The method of claim 3, Converting the third software model to the second software model of the MRM type, Assigning a first reward rate to a state in which a non-authorized token does not exist in the marking of the first software model corresponding to a state included in the third software model, and Assigning a second reward rate to a state in which a non-authorized token exists in the marking of the first software model corresponding to a state included in the third software model; Software security analysis method. The method of claim 1, Extracting quantitative security performance using the second software model, L _i (t) is the total expected time that the continuous time Markov chain (CTMC) model corresponding to the second software model stays in state i in the interval [0, t), and U _j is the security requirement. And extracting a mean time to intrusion (MTTI) using the following formula when the set of states satisfies.

The method of claim 2, Extracting quantitative security performance using the second software model, L _i (t) is the total expected time that the continuous time Markov chain (CTMC) model corresponding to the second software model stays in state i in the interval [0, t), and D _j is the security requirement. When the set of non-absorbing state does not satisfy the method, software security analysis method comprising the step of extracting the mean attack time (MTTB) using the following formula.

A program of instructions, which can be executed by a digital processing apparatus for performing the software security analysis method according to any one of claims 1 to 7, is tangibly embodied and can be read by the digital processing apparatus. The recorded recording medium. In the software security analysis device using a first software model in the form of a hierarchically combined petri net (HCPN), An HCPN / MRM conversion unit for converting the first software model in the form of an HCPN into a second software model in the form of a Markov Reward Model (MRM); And Software security analysis device comprising an MRM-based security analysis unit for extracting a quantitative security performance using the second software model. 10. The method of claim 9, And the color of the first software model has an attribute. 10. The method of claim 9, The HCPN / MRM conversion unit, An HCPN / MC converter converting the first software model into a third software model in the form of an MC (Markov Chain); And And an MC / MRM converter configured to convert the third software model into a second software model in the MRM form. The method of claim 11, The HCPN / MC converter, A state generating unit generating a state identified according to marking of a token included in the first software model; An edge generator for generating an edge corresponding to a state change according to a fire of a transition included in the first software model; And And a change probability extracting unit configured to extract a state change probability in accordance with a fire probability of the transition. The method of claim 11, The MC / MRM conversion unit, Assigning a first reward rate to a state in which a non-authorized token does not exist in the marking of the first software model corresponding to a state included in the third software model, and Compensation rate allocating unit for allocating a second reward rate to a state in which a non-authorized token exists in the marking of the first software model corresponding to a state included in the third software model. Software security analysis device. 10. The method of claim 9, The MRM based security analysis unit, L _i (t) is the total expected time that the continuous time Markov chain (CTMC) model corresponding to the second software model stays in state i in the interval [0, t), and U _j is the security requirement. And a MTTI extracting unit for extracting a mean time to intrusion (MTTI) using a following formula when the set of states satisfies.

10. The method of claim 9, The MRM-based security analysis unit, L _i (t) is the total expected time that the continuous time Markov chain (CTMC) model corresponding to the second software model stays in state i in the interval [0, t), and D _j is the security requirement. When the set of non-absorbing state does not satisfy the software security analysis apparatus including an MTTB extractor for extracting the mean attack time (MTTB) using the following formula.

In the software security analysis method using an attack tree, (a) merging the first node and the second node when any one of a first node and a second node which are operand nodes of an AND operator on the attack tree is a leaf node; (b) when both the first node and the second node which are operand nodes of the AND operator on the attack tree are OR nodes, merge the first node and the second node to generate a third node which is an OR node; Generating as many nodes as child nodes of the third node, the number of nodes multiplied by the number of child nodes of the first node and the number of child nodes of the second node; Repeating steps (a) and (b) until there is no AND node on the attack tree; And And extracting the number of leaf nodes of the attack tree as the number of attack scenarios when there is no AND node on the attack tree. The method of claim 16, And when the C ^Tree is a set of attack costs assigned to the leaf nodes of the attack tree, extracting survivability F by the following formula. F = MIN (C ^Tree ) The method of claim 17, And extracting the intrusion probability A according to the following formula when F is survivability and the total cost is the sum of the attack costs assigned to the leaf nodes of the attack tree.

The method of claim 18, And extracting an attack scenario having the greatest product of the intrusion probability and the severity as a high risk attack scenario. 20. A program of instructions, which can be executed by a digital processing apparatus, is tangibly implemented to perform the software security analysis method according to any one of claims 16 to 19, and the program can be read by the digital processing apparatus. The recorded recording medium. In a software security analysis device using an attack tree, (a) merging the first node and the second node when any one of a first node and a second node which are operand nodes of an AND operator on the attack tree is a leaf node; (b) when both the first node and the second node which are operand nodes of the AND operator on the attack tree are OR nodes, merge the first node and the second node to generate a third node which is an OR node; Generate as a child node of the third node the number of nodes multiplied by the number of child nodes of the first node and the number of child nodes of the second node; An attack tree improvement unit which repeats the operation (a) and the operation (b) until there is no AND node on the attack tree; And And a leaf node number extracting unit which extracts the leaf node number of the attack tree as the number of attack scenarios when there is no AND node on the attack tree. The method of claim 21, The C ^Tree further comprises an attack tree based security analysis unit for extracting the survivability (F) by the following formula when the attack cost assigned to the leaf node of the attack tree. F = MIN (C ^Tree ) The method of claim 22, The attack tree-based security analysis unit further performs a function of extracting the intrusion probability A according to the following formula when F is survivability and the total cost is the sum of the attack costs allocated to the leaf nodes of the attack tree. .

24. The method of claim 23, And the attack tree based security analyzer extracts an attack scenario having the greatest product of the intrusion probability and the severity as a high risk attack scenario.

Images