kth.sePublications KTH
EnglishSvenskaNorsk
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Development and validation of coreLang: A threat modeling language for the ICT domain
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering.ORCID iD: 0000-0001-8287-3160
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering.
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering.ORCID iD: 0000-0003-3922-9606
KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Network and Systems Engineering. Uppsala Univ, Dept Informat Technol, S-75236 Uppsala, Sweden..ORCID iD: 0000-0001-9886-6651
Show others and affiliations
2024 (English)In: Computers & Security, ISSN 0167-4048, E-ISSN 1872-6208, Vol. 146, article id 104057Article in journal (Refereed) Published
Abstract [en]

ICT infrastructures are getting increasingly complex, and defending them against cyber attacks is cumbersome. As cyber threats continue to increase and expert resources are limited, organizations must find more efficient ways to evaluate their resilience and take proactive measures. Threat modeling is an excellent method of assessing the resilience of ICT systems, for example, by building Attack Graphs that illustrate an adversary's attack vectors. Previously, the Meta Attack Language (MAL) was proposed, which serves as a framework to develop Domain Specific Languages (DSLs) and generate Attack Graphs for modeled infrastructures. coreLang is a MAL-based threat modeling language that utilizes Attack Graphs to enable attack simulations and security assessments. In this work, we present the first release version of coreLang in which MITRE ATT&CK tactics and techniques are mapped onto to serve as a validation and identify strengths and weaknesses to benefit the development cycle. Our validation showed that coreLang does cover 46% of all the techniques included in the matrix, while if we additionally exclude the tactics that are intrinsically not covered by coreLang and MAL, the coverage percentage increases to 64%.
Place, publisher, year, edition, pages
Elsevier BV , 2024. Vol. 146, article id 104057
Keywords [en]
Domain specific language, Attack graphs, Cyber attack modeling, Threat modeling, ICT domain
National Category
Computer Systems Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-353785DOI: 10.1016/j.cose.2024.104057ISI: 001298046900001Scopus ID: 2-s2.0-85201461410OAI: oai:DiVA.org:kth-353785DiVA, id: diva2:1900520
Note

QC 20240924

Available from: 2024-09-24 Created: 2024-09-24 Last updated: 2025-12-16Bibliographically approved
In thesis
1. Developing and validating domain specific languages for cyberattack modeling and simulations
Open this publication in new window or tab >>Developing and validating domain specific languages for cyberattack modeling and simulations
2026 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

This thesis explores the potential of domain-specific languages (DSLs) to enhance the accuracy, efficiency, and expressiveness of cyberattack modeling and simulation. Motivated by the increasing sophistication of cyber threats, this work addresses the limitations of traditional modeling approaches by developing and validating two novel DSLs: one tailored for vehicular systems and another for the Information and Communications Technology (ICT) domain. These languages provide specialized vocabulary and syntax for describing attack patterns, system behaviors, and defense mechanisms concisely and straightforwardly. Through a series of experiments and case studies, this research demonstrates the effectiveness of these DSLs in capturing the complexities of real-world cyberattacks. These languages enable the automatic generation of attack graphs from system architecture models, streamlining threat identification and enhancing the alignment of security measures with established frameworks for cybersecurity professionals. This thesis contributes to the advancement of cyberattack modeling and simulation techniques, providing cybersecurity professionals with tools to express, analyze, and predict the behavior of cyberattacks.
Abstract [sv]

Denna avhandling undersöker potentialen hos domänspecifika språk (DSL) för att förbättra noggrannheten, effektiviteten och uttrycksfullheten i modellering och simulering av cyberattacker. Motiverad av den ökande sofistikeringen av cyberhot, adresserar detta arbete begränsningarna hos traditionella modelleringsmetoder genom att utveckla och validera två nya DSL:er: en skräddarsydd för fordonsystem och en annan för IKT-domänen. Dessa språk tillhandahåller specialiserad vokabulär och syntax för att beskriva attackmönster, systembeteenden och försvarsmekanismer på ett koncist och tydligt sätt. Genom en serie experiment och fallstudier visar denna forskning effektiviteten hos dessa DSL:er för att fånga komplexiteten i verkliga cyberattacker. Dessa språk möjliggör automatisk generering av attackgrafer från systemarkitekturmodeller, vilket effektiviserar hotidentifiering och förbättrar anpassningen av säkerhetsåtgärder till etablerade ramverk för cybersäkerhets-experter. Denna avhandling bidrar till utvecklingen av tekniker för modellering och simulering av cyberattacker, vilket ger cybersäkerhetsexperter verktyg för att uttrycka, analysera och förutsäga beteendet hos cyberattacker.
Place, publisher, year, edition, pages
Stockholm, Sweden: KTH Royal Institute of Technology, 2026. p. ix, 49
Series
TRITA-EECS-AVL ; 2026:1
Keywords
Domain specific languages, Attack graphs, Cyberattack modeling, Cyberattack simulations, Threat modeling
National Category
Computer Sciences
Research subject
Electrical Engineering
Identifiers
urn:nbn:se:kth:diva-374288 (URN)978-91-8106-445-2 (ISBN)
Public defence
2026-02-06, https://kth-se.zoom.us/j/65337054278, Kollegiesalen, Brinellvägen 8, Stockholm, 13:00 (English)
Opponent
Supervisors
Note

QC 20251217

Available from: 2025-12-18 Created: 2025-12-16 Last updated: 2026-01-12Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Katsikeas, SotiriosBuhaiu, AndreiEkstedt, MathiasAfzal, Zeeshan

Search in DiVA

By author/editor
Katsikeas, SotiriosBuhaiu, AndreiEkstedt, MathiasAfzal, ZeeshanMukherjee, Preetam
By organisation
Network and Systems Engineering
In the same journal
Computers & Security
Computer SystemsComputer Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 302 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
v. 2.47.0
|
WCAG
|
KTH Library
|
DiVA support
|
Register in DiVA
|
Posting your thesis
|
SwePub
|
About Open Access