Litcius/Paper detail

Quantitative Security Risk Modeling and Analysis with RisQFLan

Maurice H. ter Beek, Axel Legay, Alberto Lluch Lafuente, Andrea Vandin

2021Digital Access to Libraries (Université catholique de Louvain (UCL), l'Université de Namur (UNamur) and the Université Saint-Louis (USL-B))15 citationsDOIOpen Access PDF

Abstract

Domain-specific quantitative modeling and analysis approaches are fundamental in scenarios in which qualitative approaches are inappropriate or unfeasible. In this paper, we present a tool-supported approach to quantitative graph-based security risk modeling and analysis based on attack-defense trees. Our approach is based on QFLan, a successful domain-specific approach to support quantitative modeling and analysis of highly configurable systems, whose domain-specific components have been decoupled to facilitate the instantiation of the QFLan approach in the domain of graph-based security risk modeling and analysis. Our approach incorporates distinctive features from three popular kinds of attack trees, namely enhanced attack trees, capabilities-based attack trees and attack countermeasure trees, into the domain-specific modeling language. The result is a new framework, called RisQFLan, to support quantitative security risk modeling and analysis based on attack-defense diagrams. By offering either exact or statistical verification of probabilistic attack scenarios, RisQFLan constitutes a significant novel contribution to the existing toolsets in that domain. We validate our approach by highlighting the additional features offered by RisQFLan in three illustrative case studies from seminal approaches to graph-based security risk modeling analysis based on attack trees.

Topics & Concepts

Computer scienceDomain (mathematical analysis)Probabilistic logicCountermeasureGraphFault tree analysisThreat modelDomain analysisQuantitative analysis (chemistry)Security analysisComputer securityTheoretical computer scienceData miningArtificial intelligenceMathematicsSoftwareReliability engineeringProgramming languageChromatographyMathematical analysisChemistrySoftware systemAerospace engineeringEngineeringSoftware constructionSoftware Reliability and Analysis ResearchAdvanced Software Engineering MethodologiesInformation and Cyber Security
Quantitative Security Risk Modeling and Analysis with RisQFLan | Litcius