A Framework and Calculation Engine for Modeling and Predicting the Cyber Security of Enterprise Architectures
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
2014 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Information Technology (IT) is a cornerstone of our modern society and essential for governments' management of public services, economic growth and national security. Consequently, it is important that IT systems are kept in a dependable and secure state. Unfortunately, as modern IT systems typically are composed of numerous interconnected components, including the personnel and processes that use or support them (often referred to as an enterprise architecture), this is not a simple endeavor. To make matters worse, there are malicious actors who seek to exploit vulnerabilities in the enterprise architecture to conduct unauthorized activity within it. Various models have been proposed by academia and industry to identify and mitigate vulnerabilities in enterprise architectures; however, none has so far provided a sufficiently comprehensive scope.

The contribution of this thesis is a modeling framework and calculation engine that can be used as support by enterprise decision makers in regard to cyber security matters, e.g., chief information security officers. In summary, the contribution can be used to model and analyze the vulnerability of enterprise architectures, and provide mitigation suggestions based on the resulting estimates. The contribution has been tested in real-world cases and has been validated on both a component level and system level; the results of these studies show that it is adequate in terms of supporting enterprise decision making.

This thesis is a composite thesis of eight papers. Paper 1 describes a method and dataset that can be used to validate the contribution described in this thesis and models similar to it. Paper 2 presents which statistical distributions best fit the time required to compromise computer systems. Paper 3 describes estimates of the effort required to discover novel web application vulnerabilities. Paper 4 describes estimates of the possibility of circumventing web application firewalls. Paper 5 describes a study of the time required by an attacker to obtain critical vulnerabilities and exploits for compiled software. Paper 6 presents the effectiveness of seven commonly used automated network vulnerability scanners. Paper 7 describes the ability of the signature-based intrusion detection system Snort to detect attacks that are newer, or older, than its rule set. Finally, Paper 8 describes a tool that can be used to estimate the vulnerability of enterprise architectures; this tool is founded upon the results presented in Papers 1-7.

Abstract [sv] (translated to English)

Information technology (IT) is a cornerstone of our modern society and fundamental to states' management of public services, economic growth and national security. It is therefore important that IT systems are kept in a dependable and secure state. Since modern IT systems usually consist of a multitude of different integrated components, including people and processes that use or support the system (often referred to as an organisation-wide architecture, or enterprise architecture), this is unfortunately no simple task. To make matters worse, there are also malicious actors who intend to exploit vulnerabilities in the enterprise architecture in order to carry out unauthorised activity within it. Various models have been proposed by academia and industry to identify and treat vulnerabilities in enterprise architectures, but there is as yet no model that is sufficiently comprehensive.

The contribution presented in this thesis is a modelling framework and a calculation engine that can be used as support by organisational decision makers with respect to security matters. In summary, the contribution can be used to model and analyse the vulnerability of enterprise architectures, and to give improvement suggestions based on its estimates. The contribution has been tested in case studies and validated at both the component level and the system level; the results from these studies show that it is suitable for supporting organisational decision making.

The thesis is a compilation thesis of eight papers. Paper 1 describes a method and a dataset that can be used to validate the thesis's contribution and other models like it. Paper 2 presents which statistical distributions are best suited to describe the time required to compromise a computer. Paper 3 describes estimates of the time required to discover new vulnerabilities in web applications. Paper 4 describes estimates of the possibility of circumventing web application firewalls. Paper 5 describes a study of the time required for an attacker to acquire critical vulnerabilities and programs to exploit them for compiled software. Paper 6 presents the effectiveness of seven commonly used tools for automatically identifying vulnerabilities in networks. Paper 7 describes the ability of the signature-based intrusion detection system Snort to detect attacks that are newer, or older, than its rule set. Finally, Paper 8 describes a tool that can be used to estimate the vulnerability of enterprise architectures; the basis for this tool is the results presented in Papers 1-7.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2014, xiv, 53 p.
Series
Trita-EE, ISSN 1653-5146 ; 2014:001
Keyword [en]
Computer security, security metrics, vulnerability assessment, attack graphs, risk management, architecture modeling, Enterprise Architecture
Keyword [sv] (translated to English)
Cyber security, security metrics, vulnerability analysis, attack graphs, risk management, architecture modelling, enterprise architecture
National Category
Information Systems
Identifiers
URN: urn:nbn:se:kth:diva-140525
ISBN: 978-91-7595-005-1 (print)
OAI: oai:DiVA.org:kth-140525
DiVA: diva2:690837
Public defence
2014-02-26, F3, Lindstedtsvägen 26, KTH, Stockholm, 10:00 (English)
Note

QC 20140203

Available from: 2014-02-03 Created: 2014-01-24 Last updated: 2014-02-03 Bibliographically approved
List of papers
1. Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks
2012 (English) In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 9, no 6, 825-837 p. Article in journal (Refereed) Published
Abstract [en]

The Common Vulnerability Scoring System (CVSS) is a widely used and well-established standard for classifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database (NVD) are scored according to this method. As computer systems typically have multiple vulnerabilities, it is often desirable to aggregate the scores of individual vulnerabilities to a system level. Several such metrics have been proposed, but their quality has not been studied. This paper presents a statistical analysis of how 18 security estimation metrics based on CVSS data correlate with the time-to-compromise of 34 successful attacks. The empirical data originates from an international cyber defense exercise involving over 100 participants and was collected by studying network traffic logs, attacker logs, observer logs, and network vulnerabilities. The results suggest that security modeling with CVSS data alone does not accurately portray the time-to-compromise of a system. However, results also show that metrics employing more CVSS data are more correlated with time-to-compromise. As a consequence, models that only use the weakest link (most severe vulnerability) to compose a metric are less promising than those that consider all vulnerabilities.

Keyword
Network-level security and protection, unauthorized access (hacking, phreaking), risk management, network management
National Category
Computer and Information Science
Research subject
SRA - ICT
Identifiers
urn:nbn:se:kth:diva-100910 (URN)
10.1109/TDSC.2012.66 (DOI)
000308754300004 (ISI)
2-s2.0-84866600214 (Scopus ID)
Note

QC 20121029

Available from: 2012-08-21 Created: 2012-08-21 Last updated: 2017-12-07 Bibliographically approved
2. A Large-Scale Study of the Time Required To Compromise a Computer System
2014 (English) In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 11, no 1, 6506084- p. Article in journal (Refereed) Published
Abstract [en]

A frequent assumption in the domain of cybersecurity is that cyberintrusions follow the properties of a Poisson process, i.e., that the number of intrusions is well modeled by a Poisson distribution and that the time between intrusions is exponentially distributed. This paper studies this property by analyzing all cyberintrusions that have been detected across more than 260,000 computer systems over a period of almost three years. The results show that the assumption of a Poisson process model might be suboptimal: the log-normal distribution is a significantly better fit in terms of modeling both the number of detected intrusions and the time between intrusions, and the Pareto distribution is a significantly better fit in terms of modeling the time to first intrusion. The paper also analyzes whether time to compromise (TTC) increases for each successful intrusion of a computer system. The results regarding this property suggest that time to compromise decreases with the number of intrusions of a system.

Place, publisher, year, edition, pages
IEEE Computer Society, 2014
Keyword
Invasive software (viruses, worms, Trojan horses), Risk management, Network management
National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-129251 (URN)
10.1109/TDSC.2013.21 (DOI)
000331301100002 (ISI)
2-s2.0-84894561473 (Scopus ID)
Note

QC 20130926

Available from: 2013-09-24 Created: 2013-09-24 Last updated: 2017-12-06 Bibliographically approved
3. Effort estimates on web application vulnerability discovery
2013 (English) Conference paper, Published paper (Refereed)
Abstract [en]

Web application vulnerabilities are widely considered a serious concern. However, there is as yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the security issues associated with web applications. This paper studies the effort that is required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four security measures: (i) developer web application security training, (ii) type-safe APIs, (iii) black box testing tools, or (iv) static code analyzers. The judgments of 21 experts are collected and combined using Cooke's classical method. The results show that 53 hours is enough to find a vulnerability with a certainty of 95% even though all measures have been employed during development. If no measure is employed, 7 hours is enough to find a vulnerability with 95% certainty.

National Category
Computer and Information Science
Research subject
SRA - ICT
Identifiers
urn:nbn:se:kth:diva-100913 (URN)
10.1109/HICSS.2013.190 (DOI)
2-s2.0-84875488716 (Scopus ID)
Conference
Hawaii International Conference on System Sciences 46 (HICSS), January 7 - 10, 2013, Grand Wailea, Maui, Hawaii
Note

QC 20130201

Available from: 2013-02-01 Created: 2012-08-21 Last updated: 2016-11-25 Bibliographically approved
4. Estimates on the effectiveness of web application firewalls against targeted attacks
2013 (English) In: Information Management & Computer Security, ISSN 0968-5227, E-ISSN 1758-5805, Vol. 21, no 4, 250-265 p. Article in journal (Refereed) Published
Abstract [en]

Purpose – The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.

Design/methodology/approach – Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.

Findings – The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.

Research limitations/implications – The results are only valid for the attacker profile of a professional penetration tester who prepares one week for attacking a WA protected by a WAF.

Practical implications – The competence of the individual(s) tuning a WAF, employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has minor positive influence on its effectiveness.

Originality/value – WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.

National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-129252 (URN)
10.1108/IMCS-11-2012-0064 (DOI)
2-s2.0-84886497065 (Scopus ID)
Note

QC 20140131

Available from: 2013-09-24 Created: 2013-09-24 Last updated: 2017-12-06 Bibliographically approved
5. A Bayesian Model for Likelihood Estimations of Acquirement of Critical Software Vulnerabilities and Exploits
(English) Manuscript (preprint) (Other academic)
National Category
Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-140513 (URN)
Note

QS 2014

Available from: 2014-01-24 Created: 2014-01-24 Last updated: 2014-02-03 Bibliographically approved
6. Performance of automated network vulnerability scanning at remediating security issues
2012 (English) In: Computers & Security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 31, no 2, 164-175 p. Article in journal (Refereed) Published
Abstract [en]

This paper evaluates how large a portion of an enterprise's network security holes would be remediated if one followed the remediation guidelines provided by seven automated network vulnerability scanners. Remediation performance was assessed for both authenticated and unauthenticated scans. The overall findings suggest that a vulnerability scanner is a usable security assessment tool, given that credentials are available for the systems in the network. However, there are issues with the method: manual effort is needed to reach complete accuracy, and the remediation guidelines are oftentimes very cumbersome to study. Results also show that a scanner that is more accurate in terms of remediating vulnerabilities generally is also better at detecting vulnerabilities, but is in turn also more prone to false alarms. This is independent of whether the scanner is provided system credentials or not.

Keyword
Network security, Security tools, Vulnerabilities, Vulnerability detection, Vulnerability remediation
National Category
Information Systems
Identifiers
urn:nbn:se:kth:diva-99543 (URN)
10.1016/j.cose.2011.12.014 (DOI)
000319547600003 (ISI)
2-s2.0-84857364659 (Scopus ID)
Note

QC 20120801

Available from: 2012-08-01 Created: 2012-07-31 Last updated: 2017-12-07 Bibliographically approved
7. Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?
2014 (English) In: 2014 47th Hawaii International Conference on System Sciences, HICSS, IEEE Computer Society, 2014, 4895-4904 p. Conference paper, Published paper (Refereed)
Abstract [en]

A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is however overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%.

Place, publisher, year, edition, pages
IEEE Computer Society, 2014
Series
Proceedings of the Annual Hawaii International Conference on System Sciences, ISSN 1060-3425
Keyword
Detection rates, False alarms, Rule set, Signature-based network intrusion detection systems, Zero day attack, Systems science
National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-129255 (URN)
10.1109/HICSS.2014.600 (DOI)
000343806605004 (ISI)
2-s2.0-84902261151 (Scopus ID)
978-147992504-9 (ISBN)
Conference
47th Hawaii International Conference on System Sciences, HICSS 2014; Waikoloa, HI; United States; 6 January 2014 through 9 January 2014
Note

QC 20140131

Available from: 2013-09-24 Created: 2013-09-24 Last updated: 2014-12-09 Bibliographically approved
8. P2CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language
2015 (English) In: IEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, E-ISSN 1941-0018, Vol. 12, no 6, 626-639 p. Article in journal (Refereed) Published
Abstract [en]

This paper presents the Predictive, Probabilistic Cyber Security Modeling Language (P2CySeMoL), an attack graph tool that can be used to estimate the cyber security of enterprise architectures. P2CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users must only model their assets and how these are connected in order to enable calculations. The performance of P2CySeMoL enables quick calculations of large object models. It has been validated on both a component level and a system level using literature, domain experts, surveys, observations, experiments and case studies.

Place, publisher, year, edition, pages
IEEE Press, 2015
National Category
Computer and Information Science
Identifiers
urn:nbn:se:kth:diva-140514 (URN)
10.1109/TDSC.2014.2382574 (DOI)
000364992800003 (ISI)
2-s2.0-84959316597 (Scopus ID)
Note

QC 20151218

Available from: 2014-01-24 Created: 2014-01-24 Last updated: 2017-12-06 Bibliographically approved

Open Access in DiVA

fulltext (2320 kB)
File information
File name: FULLTEXT01.pdf
File size: 2320 kB
Checksum SHA-512: 5b261760892d7a4073cd0bafaa2557d5aef19fafef19157c57cf42cbedac48fd03932a4dfe71fafb4a01ed677f37188df72e4f921e841c383f36c4d28b0c0722
Type: fulltext
Mimetype: application/pdf

Author/editor
Holm, Hannes
Organisation
Industrial Information and Control Systems
Information Systems
