Adversary-driven state-based system security evaluation

Lemay, Elizabeth

Permalink

https://hdl.handle.net/2142/29707 Copy

Description

Title

Adversary-driven state-based system security evaluation

Author(s)

Lemay, Elizabeth

Issue Date

2012-02-06T20:12:09Z

Director of Research (if dissertation) or Advisor (if thesis)

Sanders, William H.

Committee Member(s)

• Nicol, David M.
• Loui, Michael C.
• Borisov, Nikita

Department of Study

Electrical & Computer Eng

Discipline

Electrical & Computer Engr

Degree Granting Institution

University of Illinois at Urbana-Champaign

Degree Name

Ph.D.

Degree Level

Dissertation

Keyword(s)

• model-based quantitative security metrics
• system security analysis
• attack execution graph
• executable security models
• attack step decision function
• state look-ahead tree
• ADversary VIew Security Evaluation (ADVISE) method

Abstract

Quantitative metrics can aid decision-makers in making informed trade-off decisions. In system-level security decisions, quantitative security metrics allow decision-makers to compare the relative security of different system configurations. To produce model-based quantitative security metrics, we have formally defined and implemented the ADversary VIew Security Evaluation (ADVISE) method. Our approach is to create an executable state-based security model of a system and an adversary that represents how the adversary is likely to attack the system and the likely results of such an attack. In an ADVISE model, attack steps are precisely defined and organized into an attack execution graph, and an adversary profile captures a particular adversary's attack preferences and attack goals. We create executable security models that combine information from the attack execution graph, the adversary profile, and the desired security metrics to produce quantitative metrics data. The ADVISE model execution algorithms use the adversary profile and the attack execution graph to simulate how the adversary is likely to attack the system. The adversary selects the best next attack step by evaluating the attractiveness of several attack steps, considering cost, payoff, and the probability of detection. The attack step decision function compares the attractiveness of different attack steps by incorporating the adversary's attack preferences and attack goals. The attack step decision function uses a state look-ahead tree to recursively compute how future attack decisions influence the attractiveness values of the current attack step options. To efficiently produce quantitative model-based security metrics, the ADVISE method has been implemented in a tool that facilitates user input of system and adversary data and automatically generates executable models. The tool was used in two case studies that illustrate how to analyze the security of a system using the ADVISE method. The case studies demonstrate the feasibility of ADVISE and provide an example of the type of security analysis that ADVISE enables. The ADVISE method aggregates security-relevant information about a system and its adversaries to produce a quantitative security analysis useful for holistic system security decisions. System architects can use ADVISE models to compare the security strength of system architecture variants and analyze the threats posed by different adversaries.

Graduation Semester

2011-12

Permalink

http://hdl.handle.net/2142/29707

Copyright and License Information

Copyright 2011 Elizabeth Anne LeMay

Owning Collections