A Framework and Calculation Engine for Modeling and Predicting the Cyber Security of Enterprise Architectures
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
2014 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Information Technology (IT) is a cornerstone of our modern society and essential for governments' management of public services, economic growth and national security. Consequently, it is important that IT systems are kept in a dependable and secure state. Unfortunately, as modern IT systems typically are composed of numerous interconnected components, including the personnel and processes that use or support them (often referred to as an enterprise architecture), this is not a simple endeavor. To make matters worse, there are malicious actors who seek to exploit vulnerabilities in the enterprise architecture to conduct unauthorized activity within it. Various models have been proposed by academia and industry to identify and mitigate vulnerabilities in enterprise architectures; however, so far none has provided a sufficiently comprehensive scope.

The contribution of this thesis is a modeling framework and calculation engine that can be used as support by enterprise decision makers in regard to cyber security matters, e.g., chief information security officers. In summary, the contribution can be used to model and analyze the vulnerability of enterprise architectures, and provide mitigation suggestions based on the resulting estimates. The contribution has been tested in real-world cases and has been validated on both a component level and system level; the results of these studies show that it is adequate in terms of supporting enterprise decision making.

This thesis is a composite thesis of eight papers. Paper 1 describes a method and dataset that can be used to validate the contribution described in this thesis and models similar to it. Paper 2 presents which statistical distributions best fit the time required to compromise computer systems. Paper 3 describes estimates of the effort required to discover novel web application vulnerabilities. Paper 4 describes estimates of the possibility of circumventing web application firewalls. Paper 5 describes a study of the time required by an attacker to obtain critical vulnerabilities and exploits for compiled software. Paper 6 presents the effectiveness of seven commonly used automated network vulnerability scanners. Paper 7 describes the ability of the signature-based intrusion detection system Snort to detect attacks that are newer, or older, than its rule set. Finally, paper 8 describes a tool that can be used to estimate the vulnerability of enterprise architectures; this tool is founded upon the results presented in papers 1-7.

Abstract [sv] (translated from Swedish)

Information technology (IT) is a cornerstone of our modern society and fundamental to states' management of public services, economic growth and national security. It is therefore important that IT systems are kept in a dependable and secure state. Since modern IT systems usually consist of a multitude of different integrated components, including people and processes that use or support the system (often called an enterprise architecture), this is unfortunately no simple task. To make matters worse, there are also malicious actors who intend to exploit vulnerabilities in the enterprise architecture in order to carry out unauthorized activity within it. Various models have been proposed by academia and industry to identify and treat vulnerabilities in enterprise architectures, but there is still no model that is sufficiently comprehensive.

The contribution presented in this thesis is a modeling framework and a calculation engine that can be used as support by organizational decision makers with respect to security matters. In summary, the contribution can be used to model and analyze the vulnerability of enterprise architectures, and to give improvement suggestions based on its estimates. The contribution has been tested in case studies and validated on both component level and system level; the results of these studies show that it is suitable for supporting organizational decision making.

The thesis is a compilation thesis of eight papers. Paper 1 describes a method and a dataset that can be used to validate the thesis's contribution and other models like it. Paper 2 presents which statistical distributions are best suited to describe the time required to compromise a computer. Paper 3 describes estimates of the time required to discover new vulnerabilities in web applications. Paper 4 describes estimates of the possibility of circumventing web application firewalls. Paper 5 describes a study of the time required for an attacker to acquire critical vulnerabilities, and programs to exploit them, for compiled software. Paper 6 presents the effectiveness of seven commonly used tools for automatically identifying vulnerabilities in networks. Paper 7 describes the ability of the signature-based intrusion detection system Snort to detect attacks that are newer, or older, than its rule set. Finally, paper 8 describes a tool that can be used to estimate the vulnerability of enterprise architectures; the foundation of this tool is the results presented in papers 1-7.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2014, pp. xiv, 53
Series
Trita-EE, ISSN 1653-5146 ; 2014:001
Keywords [en]
Computer security, security metrics, vulnerability assessment, attack graphs, risk management, architecture modeling, Enterprise Architecture
Keywords [sv] (translated from Swedish)
Cyber security, security metrics, vulnerability analysis, attack graphs, risk management, architecture modeling, enterprise architecture
National subject category
Systems science, information systems and informatics
Identifiers
URN: urn:nbn:se:kth:diva-140525
ISBN: 978-91-7595-005-1 (print)
OAI: oai:DiVA.org:kth-140525
DiVA id: diva2:690837
Public defence
2014-02-26, F3, Lindstedtsvägen 26, KTH, Stockholm, 10:00 (English)
Note

QC 20140203

Available from: 2014-02-03. Created: 2014-01-24. Last updated: 2022-06-23. Bibliographically approved
List of papers
1. Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks
2012 (English) In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 9, no. 6, pp. 825-837. Article in journal (Refereed) Published
Abstract [en]

The Common Vulnerability Scoring System (CVSS) is a widely used and well-established standard for classifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database (NVD) are scored according to this method. As computer systems typically have multiple vulnerabilities, it is often desirable to aggregate the scores of individual vulnerabilities to a system level. Several such metrics have been proposed, but their quality has not been studied. This paper presents a statistical analysis of how 18 security estimation metrics based on CVSS data correlate with the time-to-compromise of 34 successful attacks. The empirical data originates from an international cyber defense exercise involving over 100 participants and was collected by studying network traffic logs, attacker logs, observer logs, and network vulnerabilities. The results suggest that security modeling with CVSS data alone does not accurately portray the time-to-compromise of a system. However, results also show that metrics employing more CVSS data are more correlated with time-to-compromise. As a consequence, models that only use the weakest link (most severe vulnerability) to compose a metric are less promising than those that consider all vulnerabilities.
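The kind of comparison the paper makes can be reproduced on a small scale. The following is an added example, not code or data from the paper: a few hosts with constructed CVSS base scores and constructed observed time-to-compromise (TTC) values, three ways of aggregating each host's scores to a system-level number, and a Spearman rank correlation of each aggregate against TTC. A metric that tracks attacker effort should correlate negatively (higher score, faster compromise). The `weakest_link` metric is the "most severe vulnerability" approach the abstract mentions; the `compromise_probability` metric, which treats score/10 as a per-vulnerability exploit probability, is an assumption of this example and not one of the paper's 18 metrics.

```python
import math
from statistics import mean

# Constructed data (not the exercise dataset): per-host CVSS base scores of the
# vulnerabilities present on the host and the observed time-to-compromise in minutes.
HOSTS = {
    "web-01":  {"cvss": [10.0, 7.5, 5.0, 4.3],                "ttc_min": 25},
    "db-02":   {"cvss": [9.3, 4.0],                           "ttc_min": 140},
    "file-03": {"cvss": [9.3, 9.0, 7.5, 7.5, 6.5, 5.0],       "ttc_min": 40},
    "mail-04": {"cvss": [5.0, 4.3, 2.6],                      "ttc_min": 310},
    "dev-05":  {"cvss": [7.5, 5.0, 5.0, 5.0, 4.3, 4.3, 4.0],  "ttc_min": 95},
}


def weakest_link(scores):
    """System score = the single most severe vulnerability."""
    return max(scores)


def total_score(scores):
    """System score = sum of all base scores (uses every vulnerability)."""
    return sum(scores)


def compromise_probability(scores):
    """Assumed metric: score/10 as per-vulnerability exploit probability, P(at least one)."""
    return 1 - math.prod(1 - s / 10 for s in scores)


METRICS = {"weakest_link": weakest_link, "sum": total_score, "p_any": compromise_probability}


def ranks(values):
    """1-based ranks; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            r[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return r


def spearman(xs, ys):
    """Spearman rank correlation = Pearson correlation of the rank vectors."""
    rx, ry = ranks(xs), ranks(ys)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = math.sqrt(sum((a - mx) ** 2 for a in rx))
    sy = math.sqrt(sum((b - my) ** 2 for b in ry))
    return cov / (sx * sy)


def correlate_with_ttc(hosts):
    """Rank correlation of every system-level metric against observed TTC."""
    ttc = [h["ttc_min"] for h in hosts.values()]
    return {name: spearman([f(h["cvss"]) for h in hosts.values()], ttc)
            for name, f in METRICS.items()}


if __name__ == "__main__":
    for name, rho in correlate_with_ttc(HOSTS).items():
        print(f"{name:13s} Spearman rho vs TTC = {rho:+.3f}")
```

The numbers these constructed hosts produce say nothing about real systems; the point is the procedure, and that a tie in the most severe score (db-02 and file-03) makes the weakest-link metric blind to the difference in how many other vulnerabilities each host carries.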

Keywords
Network-level security and protection, unauthorized access (hacking, phreaking), risk management, network management
National subject category
Computer and Information Sciences
Research subject
SRA - Information and Communication Technology
Identifiers
URN: urn:nbn:se:kth:diva-100910; DOI: 10.1109/TDSC.2012.66; 000308754300004; Scopus ID: 2-s2.0-84866600214
Note

QC 20121029

Available from: 2012-08-21. Created: 2012-08-21. Last updated: 2022-06-24. Bibliographically approved
2. A Large-Scale Study of the Time Required To Compromise a Computer System
2014 (English) In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 11, no. 1, pp. 6506084-. Article in journal (Refereed) Published
Abstract [en]

A frequent assumption in the domain of cybersecurity is that cyberintrusions follow the properties of a Poisson process, i.e., that the number of intrusions is well modeled by a Poisson distribution and that the time between intrusions is exponentially distributed. This paper studies this property by analyzing all cyberintrusions that have been detected across more than 260,000 computer systems over a period of almost three years. The results show that the assumption of a Poisson process model might not be optimal: the log-normal distribution is a significantly better fit in terms of modeling both the number of detected intrusions and the time between intrusions, and the Pareto distribution is a significantly better fit in terms of modeling the time to first intrusion. The paper also analyzes whether time to compromise (TTC) increases with each successful intrusion of a computer system. The results regarding this property suggest that time to compromise decreases with the number of intrusions of a system.
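How one decides between the exponential (Poisson-process) assumption and the alternatives can be shown with maximum-likelihood fits compared by AIC. This is an added example, not the paper's code or data: the sample is constructed by drawing inter-intrusion times from a log-normal distribution with an assumed median of 7 days, so the expected outcome is that the log-normal model wins; on a real dataset the same three fits would be run on the observed times between detected intrusions. The Pareto fit fixes its scale at the sample minimum, which is the simplest choice and not necessarily the one the paper used.

```python
import math
import random
from statistics import mean, pstdev


def fit_exponential(xs):
    """MLE rate is 1/mean; returns the fit with its log-likelihood and parameter count."""
    rate = 1 / mean(xs)
    loglik = sum(math.log(rate) - rate * x for x in xs)
    return {"rate": rate, "loglik": loglik, "k": 1}


def fit_lognormal(xs):
    """MLE mu and sigma are the mean and population std of log(x)."""
    logs = [math.log(x) for x in xs]
    mu, sigma = mean(logs), pstdev(logs)
    loglik = sum(-math.log(x * sigma * math.sqrt(2 * math.pi))
                 - (lx - mu) ** 2 / (2 * sigma ** 2) for x, lx in zip(xs, logs))
    return {"mu": mu, "sigma": sigma, "loglik": loglik, "k": 2}


def fit_pareto(xs):
    """Pareto with scale fixed at the sample minimum; MLE shape alpha = n / sum(log(x/xmin))."""
    xmin = min(xs)
    alpha = len(xs) / sum(math.log(x / xmin) for x in xs)
    loglik = sum(math.log(alpha) + alpha * math.log(xmin) - (alpha + 1) * math.log(x) for x in xs)
    return {"xmin": xmin, "alpha": alpha, "loglik": loglik, "k": 1}


def aic(fit):
    """Akaike information criterion: lower is better; penalises extra parameters."""
    return 2 * fit["k"] - 2 * fit["loglik"]


def compare_fits(xs):
    """Fit all three candidates; return (name of best model, {model: AIC})."""
    fits = {"exponential": fit_exponential(xs),
            "lognormal": fit_lognormal(xs),
            "pareto": fit_pareto(xs)}
    scores = {name: aic(f) for name, f in fits.items()}
    return min(scores, key=scores.get), scores


def constructed_sample(n=5000, seed=2014):
    """Constructed days-between-intrusions: log-normal, median 7 days (an assumption)."""
    rng = random.Random(seed)
    return [rng.lognormvariate(math.log(7), 1.5) for _ in range(n)]


if __name__ == "__main__":
    best, scores = compare_fits(constructed_sample())
    for name, s in sorted(scores.items(), key=lambda kv: kv[1]):
        print(f"{name:12s} AIC = {s:10.1f}")
    print("best fit:", best)
```

The log-likelihoods of the exponential and Pareto fits depend on the sample only through the sample mean and the mean of log(x/xmin) respectively, which is why a heavy-tailed sample can be misrepresented badly by either one; the log-normal fit uses both the mean and the spread of log(x).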

Place, publisher, year, edition, pages
IEEE Computer Society, 2014
Keywords
Invasive software (viruses, worms, Trojan horses), Risk management, Network management
National subject category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-129251; DOI: 10.1109/TDSC.2013.21; 000331301100002; Scopus ID: 2-s2.0-84894561473
Note

QC 20130926

Available from: 2013-09-24. Created: 2013-09-24. Last updated: 2022-06-23. Bibliographically approved
3. Effort estimates on web application vulnerability discovery
2013 (English) Conference paper, Published paper (Refereed)
Abstract [en]

Web application vulnerabilities are widely considered a serious concern. However, there is as yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the security issues associated with web applications. This paper studies the effort that is required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four security measures: (i) developer web application security training, (ii) type-safe APIs, (iii) black box testing tools, or (iv) static code analyzers. The judgments of 21 experts are collected and combined using Cooke's classical method. The results show that 53 hours is enough to find a vulnerability with a certainty of 95% even though all measures have been employed during development. If no measure is employed, 7 hours is enough to find a vulnerability with 95% certainty.

National subject category
Computer and Information Sciences
Research subject
SRA - Information and Communication Technology
Identifiers
URN: urn:nbn:se:kth:diva-100913; DOI: 10.1109/HICSS.2013.190; 000318231605021; Scopus ID: 2-s2.0-84875488716
Conference
Hawaii International Conference on System Sciences 46 (HICSS), January 7 - 10, 2013, Grand Wailea, Maui, Hawaii
Note

QC 20130201

Available from: 2013-02-01. Created: 2012-08-21. Last updated: 2024-03-15. Bibliographically approved
4. Estimates on the effectiveness of web application firewalls against targeted attacks
2013 (English) In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 21, no. 4, pp. 250-265. Article in journal (Refereed) Published
Abstract [en]

Purpose – The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.

Design/methodology/approach – Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.

Findings – The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.

Research limitations/implications – The results are only valid for the attacker profile of a professional penetration tester who prepares one week for attacking a web application (WA) protected by a WAF.

Practical implications – The competence of the individual(s) tuning a WAF, employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has minor positive influence on its effectiveness.

Originality/value – WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.
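Both paper 3 and paper 4 pool expert judgments with Cooke's classical method, which weights each expert by how well calibrated and how informative their answers to seed questions (questions with known answers) turn out to be. The following is an added implementation of that method for illustration, not the papers' code, survey or data. It assumes the usual 5%, 50% and 95% quantile elicitation, a fixed calibration cutoff instead of the optimised one, and a 10% intrinsic-range overshoot; the three experts, the ten seed realizations (hours) and the target question are all constructed for the example.

```python
import math

# Each expert gives 5%, 50% and 95% quantiles; the four bins between them carry
# this theoretical probability mass. OVERSHOOT pads the intrinsic range (assumption).
P_BINS = (0.05, 0.45, 0.45, 0.05)
OVERSHOOT = 0.10


def chi2_sf_3df(x):
    """P(X > x) for a chi-square variable with 3 degrees of freedom (closed form)."""
    if x <= 0:
        return 1.0
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2)


def bin_index(quantiles, value):
    """0: below q5, 1: q5..q50, 2: q50..q95, 3: above q95."""
    return sum(value > q for q in quantiles)


def calibration(expert_quantiles, realizations):
    """Calibration score: p-value of the expert's observed bin frequencies against P_BINS."""
    n = len(realizations)
    counts = [0] * 4
    for q, r in zip(expert_quantiles, realizations):
        counts[bin_index(q, r)] += 1
    s = [c / n for c in counts]
    rel_entropy = sum(si * math.log(si / pi) for si, pi in zip(s, P_BINS) if si > 0)
    return chi2_sf_3df(2 * n * rel_entropy)


def intrinsic_range(quantile_sets, realization=None):
    """Smallest interval covering all quantiles (and the realization), padded by OVERSHOOT."""
    vals = [v for q in quantile_sets for v in q]
    if realization is not None:
        vals.append(realization)
    lo, hi = min(vals), max(vals)
    return lo - OVERSHOOT * (hi - lo), hi + OVERSHOOT * (hi - lo)


def information(expert_quantiles, ranges):
    """Mean relative information of the expert's piecewise-uniform density vs. the uniform one."""
    total = 0.0
    for (q5, q50, q95), (lo, hi) in zip(expert_quantiles, ranges):
        widths = (q5 - lo, q50 - q5, q95 - q50, hi - q95)
        total += sum(p * math.log(p * (hi - lo) / w) for p, w in zip(P_BINS, widths))
    return total / len(ranges)


def classical_weights(experts, realizations, alpha=0.05):
    """Normalized weights: calibration x information, zeroed below the cutoff alpha."""
    ranges = [intrinsic_range([experts[e][i] for e in experts], realizations[i])
              for i in range(len(realizations))]
    raw = {}
    for name, qs in experts.items():
        c = calibration(qs, realizations)
        raw[name] = c * information(qs, ranges) if c >= alpha else 0.0
    total = sum(raw.values())
    return {name: w / total for name, w in raw.items()} if total else raw


def expert_cdf(quantiles, rng, x):
    """Piecewise-linear CDF through (lo,0), (q5,.05), (q50,.5), (q95,.95), (hi,1)."""
    xs, ps = (rng[0], *quantiles, rng[1]), (0.0, 0.05, 0.5, 0.95, 1.0)
    if x <= xs[0]:
        return 0.0
    if x >= xs[-1]:
        return 1.0
    for x0, p0, x1, p1 in zip(xs, ps, xs[1:], ps[1:]):
        if x <= x1:
            return p0 + (p1 - p0) * (x - x0) / (x1 - x0)


def combined_quantile(p, target, weights):
    """Quantile of the weighted mixture (the 'decision maker'), found by bisection."""
    rng = intrinsic_range(target.values())
    cdf = lambda x: sum(w * expert_cdf(target[n], rng, x) for n, w in weights.items())
    a, b = rng
    for _ in range(60):
        m = (a + b) / 2
        a, b = (m, b) if cdf(m) < p else (a, m)
    return (a + b) / 2


# Constructed seed data: ten past engagements with known hours-to-compromise.
REALIZED_HOURS = [4, 9, 12, 6, 20, 15, 3, 30, 8, 11]
EXPERTS = {  # (q5, q50, q95) per seed question
    "A": [(2, 5, 9), (5, 8, 14), (7, 13, 22), (3, 5, 10), (10, 22, 36),
          (8, 13, 26), (1, 4, 7), (16, 28, 50), (4, 9, 15), (6, 10, 19)],    # calibrated, sharp
    "B": [(8, 10, 12), (3, 4, 5), (20, 24, 28), (1, 2, 3), (30, 35, 40),
          (5, 7, 9), (6, 7, 8), (10, 14, 18), (15, 18, 21), (4, 6, 8)],       # overconfident
    "C": [(1, 6, 40), (1, 8, 60), (2, 15, 80), (1, 4, 50), (3, 25, 100),
          (2, 12, 90), (0.5, 5, 30), (4, 25, 150), (1, 10, 60), (2, 9, 70)],  # calibrated, vague
}
# Constructed target question: hours to find a vulnerability with all four measures in place.
TARGET = {"A": (10, 30, 60), "B": (2, 4, 6), "C": (5, 40, 200)}

if __name__ == "__main__":
    w = classical_weights(EXPERTS, REALIZED_HOURS)
    print("weights:", {k: round(v, 3) for k, v in w.items()})
    print("pooled 95% quantile (hours):", round(combined_quantile(0.95, TARGET, w), 1))
```

Expert B misses every seed realization and is dropped by the cutoff; A and C are equally well calibrated, but A's narrower intervals give a higher information score and therefore the larger weight. The pooled 95% quantile is what a "with 95% certainty" figure like those quoted in the abstract corresponds to.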

National subject category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-129252; DOI: 10.1108/IMCS-11-2012-0064; Scopus ID: 2-s2.0-84886497065
Note

QC 20140131

Available from: 2013-09-24. Created: 2013-09-24. Last updated: 2022-06-23. Bibliographically approved
5. A Bayesian Model for Likelihood Estimations of Acquirement of Critical Software Vulnerabilities and Exploits
(English) Manuscript (preprint) (Other academic)
National subject category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:kth:diva-140513
Note

QS 2014

Available from: 2014-01-24. Created: 2014-01-24. Last updated: 2022-06-23. Bibliographically approved
6. Performance of automated network vulnerability scanning at remediating security issues
2012 (English) In: Computers & Security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 31, no. 2, pp. 164-175. Article in journal (Refereed) Published
Abstract [en]

This paper evaluates how large a portion of an enterprise's network security holes would be remediated if one followed the remediation guidelines provided by seven automated network vulnerability scanners. Remediation performance was assessed for both authenticated and unauthenticated scans. The overall findings suggest that a vulnerability scanner is a usable security assessment tool, given that credentials are available for the systems in the network. However, there are issues with the method: manual effort is needed to reach complete accuracy, and the remediation guidelines are oftentimes very cumbersome to study. Results also show that a scanner that is more accurate in terms of remediating vulnerabilities is generally also better at detecting vulnerabilities, but is in turn also more prone to false alarms. This is independent of whether the scanner is provided system credentials or not.

Keywords
Network security, Security tools, Vulnerabilities, Vulnerability detection, Vulnerability remediation
National subject category
Systems science, information systems and informatics
Identifiers
URN: urn:nbn:se:kth:diva-99543; DOI: 10.1016/j.cose.2011.12.014; 000319547600003; Scopus ID: 2-s2.0-84857364659
Note

QC 20120801

Available from: 2012-08-01. Created: 2012-07-31. Last updated: 2022-06-24. Bibliographically approved
7. Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?
2014 (English) In: 2014 47th Hawaii International Conference on System Sciences, HICSS, IEEE Computer Society, 2014, pp. 4895-4904. Conference paper, Published paper (Refereed)
Abstract [en]

A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is however overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate of zero-day detection by Snort is 8.2%.

Place, publisher, year, edition, pages
IEEE Computer Society, 2014
Series
Proceedings of the Annual Hawaii International Conference on System Sciences, ISSN 1060-3425
Keywords
Detection rates, False alarms, Rule set, Signature-based network intrusion detection systems, Zero day attack, Systems science
National subject category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-129255; DOI: 10.1109/HICSS.2014.600; 000343806605004; Scopus ID: 2-s2.0-84902261151; ISBN: 978-147992504-9
Conference
47th Hawaii International Conference on System Sciences, HICSS 2014; Waikoloa, HI; United States; 6 January 2014 through 9 January 2014
Note

QC 20140131

Available from: 2013-09-24. Created: 2013-09-24. Last updated: 2022-06-23. Bibliographically approved
8. P2CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language
2015 (English) In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 12, no. 6, pp. 626-639. Article in journal (Refereed) Published
Abstract [en]

This paper presents the Predictive, Probabilistic Cyber Security Modeling Language (P2CySeMoL), an attack graph tool that can be used to estimate the cyber security of enterprise architectures. P2CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users need only model their assets and how these are connected in order to enable calculations. The performance of P2CySeMoL enables quick calculations of large object models. It has been validated on both a component level and a system level using literature, domain experts, surveys, observations, experiments and case studies.
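To make concrete what "attacks and defenses relate quantitatively" means for a decision maker, here is an added example of a probabilistic attack-path calculation in the same spirit. It is not P2CySeMoL's engine, model or calibration: it is a single hand-built path (discover a web-application vulnerability, pass the WAF, evade the IDS, pivot to the database host) evaluated both by Monte Carlo and in closed form. Parameters marked with a paper number are the figures quoted in the abstracts on this page; exponential step times, the 48-hour pivot step, and the assumption that a detected attack is stopped are choices made for the example.

```python
import math
import random


def rate_for(quantile_hours, certainty=0.95):
    """Exponential rate such that P(T <= quantile_hours) == certainty."""
    return -math.log(1 - certainty) / quantile_hours


SCENARIOS = {
    # Web app built with none of the four measures, untuned WAF, attack known to Snort.
    "baseline": {
        "discover_rate": rate_for(7),    # 95% find a vulnerability within 7 h (paper 3)
        "waf_block": 0.25,               # untuned WAF median prevention rate (paper 4)
        "ids_detect": 0.54,              # Snort mean detection of known attacks (paper 7)
        "pivot_rate": rate_for(48),      # assumption: web host -> DB host within 48 h at 95%
    },
    # All four development measures, fully tuned WAF, zero-day attack.
    "hardened": {
        "discover_rate": rate_for(53),   # 53 h with all measures employed (paper 3)
        "waf_block": 0.80,               # fully tuned WAF median prevention rate (paper 4)
        "ids_detect": 0.082,             # conservative Snort zero-day detection (paper 7)
        "pivot_rate": rate_for(48),      # same assumption as above
    },
}


def simulate_path(p, horizon_hours, rng):
    """One attacker trial along the path; True if the DB host is reached within the horizon."""
    t = rng.expovariate(p["discover_rate"])   # time to find an exploitable vulnerability
    if rng.random() < p["waf_block"]:
        return False                          # injection attempt blocked by the WAF
    if rng.random() < p["ids_detect"]:
        return False                          # assumption: a detected attack is stopped
    t += rng.expovariate(p["pivot_rate"])     # time to pivot from the web host to the DB host
    return t <= horizon_hours


def monte_carlo(p, horizon_hours, trials=20000, seed=1):
    """Estimated P(goal reached within horizon) from repeated trials."""
    rng = random.Random(seed)
    hits = sum(simulate_path(p, horizon_hours, rng) for _ in range(trials))
    return hits / trials


def analytic(p, horizon_hours):
    """Closed form for the same path: two Bernoulli gates and a hypoexponential time.
    P(X1 + X2 <= t) for independent exponentials with distinct rates l1, l2."""
    l1, l2, t = p["discover_rate"], p["pivot_rate"], horizon_hours
    time_ok = 1 - (l2 * math.exp(-l1 * t) - l1 * math.exp(-l2 * t)) / (l2 - l1)
    return (1 - p["waf_block"]) * (1 - p["ids_detect"]) * time_ok


if __name__ == "__main__":
    for name, p in SCENARIOS.items():
        for horizon in (24, 72, 168):
            print(f"{name:9s} {horizon:4d} h  simulated={monte_carlo(p, horizon):.3f}"
                  f"  exact={analytic(p, horizon):.3f}")
```

The closed form exists only because this path is a chain of independent steps; once a real architecture model contains shared hosts, OR-branches between paths and defenses that condition several steps, the Monte Carlo (or an exact inference engine such as the one the paper describes) is what remains usable, which is why the two are compared here on a case where both can be computed.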

Place, publisher, year, edition, pages
IEEE Press, 2015
National subject category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:kth:diva-140514; DOI: 10.1109/TDSC.2014.2382574; 000364992800003; Scopus ID: 2-s2.0-84959316597
Note

QC 20151218

Available from: 2014-01-24. Created: 2014-01-24. Last updated: 2024-03-15. Bibliographically approved

Open Access in DiVA

fulltext (2320 kB), 1686 downloads
File information
Filename: FULLTEXT01.pdf
File size: 2320 kB
Checksum (SHA-512): 5b261760892d7a4073cd0bafaa2557d5aef19fafef19157c57cf42cbedac48fd03932a4dfe71fafb4a01ed677f37188df72e4f921e841c383f36c4d28b0c0722
Type: fulltext
MIME type: application/pdf

Author
Holm, Hannes
Organisation
Industrial Information and Control Systems
Systems science, information systems and informatics
