Through the Description of Attacks: a Multidimensional View Igor Nai Fovino1 and Marcelo Masera1 Institute for the Protection and the Security of the Citizen Joint Research Centre, via E. Fermi 1, I-20... Ispra -Va-, Italy
[email protected] [email protected]
Abstract. Cyber attacks are the core of any security assessment of ICTbased systems. One of the more promising research fields in this context is related to the representation of the attack patterns. Several are the models proposed to represent them; these models usually provide a generic representation of attacks. Conversely, the experience shows that attack profiles are strongly dependent upon several boundary conditions. This paper defends that from the security assessment perspective, it is necessary to integrate the knowledge contained in the attack patterns with boundary knowledge related to vulnerability of the target system and to the potential threats. In this paper, after a characterization of this boundary knowledge, we propose an n-dimensional view of the attack tree approach, integrating information on threats and vulnerabilities. Moreover, we show how to use this view to derive knowledge about the security exposure of a target system. Keywords: Security assessment, Attack Pattern
1
Introduction
Security threats are one of the main problems of this computer-based era. All systems making use of information and communication technologies (ICT) are prone to failures and vulnerabilities that can be exploited by malicious software and agents. In such a scenario, it has become imperative to perform proper risk assessments, putting in evidence the main threats a system is exposed to and eventually the effectiveness of the possible countermeasures. There exist in the scientific literature some interesting approaches to the risk assessment of ICT infrastructures [7, 8]. These methodologies have as core target the analysis of the system components, the interconnection between components and the set of “Security Information” (i.e. vulnerabilities, threats, attacks and countermeasures). Although these methodologies have proved useful for zeroing in the security lacks of the analyzed systems, we believe that it is possible to improve the results of risk assessments by a more attentive and precise description of the “Security Information”.
In particular, in every risk assessment framework, a prominent role is played by the capacity to collect and analyze in a correct way information related to the threats, vulnerabilities and attacks that, in some way may have an undesirable effect over the analyzed system. A key point in such a task is, obviously, the description of the attack pattern which an attacker may put in act in order to realize a threat. As we describe in the section 3, there are several models proposed to represent them; these models usually provide a generic representation of attacks in term of steps needed in order to realize a, possibly malicious, goal. However, even if such models have prove useful in the task of attack documentation gathering and sharing, the information they represent is too general and abstract to be used with real advantages in a risk assessment analysis. In the real world, the attacks profiles are strongly context dependent [1][2][3]. Therefore, a traditional attack tree can be used as an “Arianna Thread”, which shows at high level the typical steps an attacker follows to realize a particular goal. In order to perform a risk assessment, it is necessary to map such an information on the real context represented by the system under analysis. In other words in is necessary to merge the information contained in the attack tree with the boundary knowledge related to vulnerability of the target system, to the security properties of the system and to the potential threats. In order to address this problem, we propose in this paper an n-dimensional view of the attack tree approach, integrating information on system, threats and vulnerabilities. Moreover, we show how to use this view to derive knowledge about the security exposure of a target system. The paper is organized as follows: in section 2 we give some preliminary definition clarifying some basic concepts. In this section we give an overview of the risk assessment methodology we adopted as reference for the attack tree integration [8]. Moreover, in section 3 a State of the Art in Attack representation in given. In section 4 we introduce the “Boundary Knowledge” related to threat, vulnerabilities and system. Finally in section 5 we present in detail our n-dimensional attack tree approach.
2
Preliminary Definitions
The work presented in this paper, was conceived to make better use of attack trees in a risk assessment framework, enriching the trees with relevant information. In this section we give some preliminary definitions related to security concepts and we give an overview of the risk assessment methodology we adopted as reference. 2.1
Security Definitions
A risk assessment for ICT infrastructure, is strongly connected with some concepts traditionally derived from the field of computer security, in particular five are the elements of interest that need to be defined: the concepts of Threat, Vulnerability, Attack, Risk and Asset.
As defined in [5] and in the Internet RFC glossary of terms, a Threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. A Vulnerability, by definition [10][11], is a weakness in the architecture design/implementation of an application or a service. An Attack can be identified as the entire process allowing a Threat Agent to exploit a system by the use of one or more Vulnerabilities. According to the ISO/IEC 17799:2000 [6], a Risk may be defined as the probability that a damaging incident is happening (when a threat occurs because of a vulnerability), times the potential damage. Finally according with [6] an Asset is defined as something that has value to the relevant stakeholders. Roughly speaking we can think of these security entities as follows: an asset is (a) somewhat having a relevance for an organization that (b)is the target of a threat agent which, (c) by the use of some vulnerabilities, put in act (d) an attack in order to (e) damage the asset and indirectly the organization. 2.2
Risk Assessment Methodology Overview
As claimed in the introduction, our objective is to make the knowledge contained in an attack tree more useful for the assessment of risks. In literature there exist several security assessment methodologies conceived for the analysis of ICT infrastructure. We have chosen to adopt as reference the work of Masera & Nai [8]. In the methodology proposed by Masera & Nai, the authors present a risk assessment methodology tailored to the analysis of the ICT infrastructure of complex industrial systems. In the remainder of this section, we give a brief overview of this methodology. More in detail, this methodology foresees that in order to assess the security of a system, it is necessary firstly to provide a description of the system itself, of its components, of its assets, of the interaction and the relationships among the components, the assets and the external world. Such a description (expressed analytically by tables) could be used to identify in a systematic way the vulnerabilities affecting the whole system. These vulnerabilities are then described by some significant parameters and used to identify the threat that can be associated to the components and to the whole system. From the analysis of this information, one can derive the evaluation of the possible damages to the components, their propagation to the system and the consequent attack pattern. All these operations are quantified in some risk related indexes that are then employed to perform the evaluation of the security failure risk and the countermeasures. The approach adopted is based on five main steps. With regard to the topic of this paper, the attack assessment, information about attacks are represented by generic attack trees used to magnify if a system could be considered prone to a target attack. Even if this can be a good starting point in the evaluation of attack impact on a target system, we believe that integrating such attack trees with the other information contained in the target system description could give a great improvement to the analysis of a system.
3
State of the Art
In the scientific literature, there exist several methods/approaches used to describe security information related to attacks. Historically the first approach in that sense were related to the creation of vulnerability database. Bugtraq [12] is an example of such database. However, they are usually focused on the description of the vulnerabilities, lacking completely (but that isn’t their goal)in the description of the way by which such vulnerabilities can be used in putting in act complex attacks. The most promising approach allowing to capture such characteristic is known in the scientific literature as Graph Based Attack Models [13]. In this category two can be considered the main “Modeling family”: the Petri Net based Models and the Attack and Fault Trees models. A good example of the first category can be considered the Attack Net Model introduced by McDermott [15] in which the places of a Petri Net represent the steps of an attack and the transitions are used to capture precise actions performed by the attackers. In this view, an attack is a pattern of states and results less intuitive to represent an attacks are results of multiple application of coordinated different attacks. On the other hand, the second approach (attack trees), originated from the world of fault analysis, in which a tree representation of the dependencies among component of a system are used to identify the fault chains that potentially may affect a system and allowing then to evaluate the propagation of a fault through the system [16]. In this context, Bruce Schneier [17] proposed to use a similar techniques based on the use of expansion trees to show the different attacks that could affect a system. Attack trees can be used to capture the steps of an attack and their interdependecies. As showed in figure 1, the building blocks of attack trees are nodes. Every node is used to model the steps of an attack or attacker actions and the root node of the tree represents the goal of the attack [16][17]. Such an approach has been largely used and improved. For example Daley, Larson & Dawkins [18] have proposed to introduce a layering approach (stratified node topology)in the attack tree design, in order to separate the attack tree nodes based on functionality (Event level, State Level etc.). Moreover, in such a context, recently, Jajodia, Noel and O’Berry [4] have introduced an approach based on the concept of vulnerability topological analysis, allowing, starting from the combination of modeled attacker exploits, to discover attack paths. However, to our knowledge, no much effort has been spent to enforce the link existing between an high level attack tree and its projection in a real case.
4
Boundary Conditions
As we claimed in the introduction, a “traditional” Attack Tree constitutes a good way to collect and share information about attacks, in term of the logical steps and requirements needed in order to realize a malicious scope. However, in a real case, an attack profile (and its exploitability) strongly depends on the
DoS against web server
Web server unreachable
OR Attacker injects malicious packets
Attacker injects flooding packets AND
Web server is vulnerable to DoS by resource consumption
Web server is not vulnerable
No traffic shaping policy defined
Attacker fingerprints target web server
Fig. 1. Example of Schneier style Attack Tree
particular context in which it is applied. In a risk assessment context, we need, in order to analyze the system exposure, information about attacks, but, on the other hand, we need to evaluate the impact and the plausibility of such attacks. Let consider the example in Figure 1. It represents the attack tree of an hypothetical Denial of Service against a web server. As it is possible to see two are the main branches of the tree: one related to a resource consumption scenario, in which the DoS is obtained by consuming all the resources of the webserver, and one related to a code based vulnerability allowing to crash the web server, making it unreachable. This is a typical attack tree description. However under a risk assessment perspective, this attack tree mainly lack in providing two relevant information: – Plausibility: how plausible is the attack (in general) or, in more detail, how plausible is the exploitation of a vulnerability used in the attack or how plausible is an operation considered needed in order to perform the attack. – Severity: how severe is the attack in term of potential impact. For example, referring to the figure 1, if a firewall exists between the Internet and the Web Server and if such a firewall drops systematically every type of network scan packet (e.g. icmp packets, nmap generated packets etc.), the plausibility of the fingerprint operation has to be considered low. Moreover, if for example the Web Server is not affected by known code based vulnerability, the related branch has to be considered slightly implausible. All available information of this type can be associated to the attack tree at the origin, evaluating for example that a particular attack configuration, for example, may generally be very improbable or that the damage caused by this attack is in average low. When an attack tree is used in a security assessment, we need to be able to reevaluate these values; what is equivalent to make a “projection” of a general attack to a target, specific case. The benefits deriving from this projection are intuitively two:
1. Pruning of the analysis input: reassigning plausibility values on the light of a particular scenario allows, as described previously, to eliminate improbable branches, reducing then the complexity of the analysis. 2. Precision of the analysis: reviewing the severity and the plausibility values taking advantage of information deriving from the the target scenario, allows to improve the value of the risk analysis in term of precision and reliability. The attack projection, as showed in Figure 2 is the result of the intersection of information coming from: – The attack tree. – The system description. – The description of the adverse environment.
Threats Description
Sy
em st
n ti o r ip sc De e ln Vu
sD i ti e bi l ra
n io i pt cr es
Abstract Attack Three
Fig. 2. Logical view of an attack tree projection
In what follows, we characterize, making use of the information coming from these sources, an “Attack Tree Projection”. 4.1
System Description Information Source
Every Risk Assessment framework, departs from a system description phase. As we claimed in section 2, we adopt as reference the framework proposed by Masera et al. in [8] and the system description proposed by the same authors in [9]. In such a description, as showed in figure 3, the system is decomposed in terms of components, subsystems, services (provided by components or subsystems), security policies, roles, stakeholders and flows between these entities. Moreover the concept of Asset and Information Asset [19] are captured. Under the perspective of integrating attack trees with information derived from the system description, three are the most relevant objects which can easily concur in the attack projection:
Fig. 3. Logical view of an n-dimensional attack tree
– Components: they host vulnerabilities and they are the target of several operations described by an attack tree. For instance, if in the example of Figure 1 in the system under analysis there isn’t a WebServer the attack became completely implausible. Information about the absence of a particular component in a system is a precious information allowing to prune all the branches of an attack tree that take in some way advantage of the presence of this component (see next section for more clarifications). Moreover, a component may have associated some security configurations (e.g. access rules of a firewall). Even these information may concur to the attack projection (let us take as example the previous one related to the network fingerprint in the WebSever DoS). – Services: They are usually one of the possible final target of an attack. If some intermediate nodes of an attack tree contain a “Statement” regarding a service not provided by the target system, it is necessary to reevaluate the plausibility and the severity of the branch containing the statement – Security Policies: They represent information about the operations allowed to and on a particular object (component, stakeholder, user, etc.). The knowledge of the security policies may allow to understand whether some operations described in an attack tree can be performed in a target scenario. Moreover, strong or weak policies may have an effect in the plausibility and severity evaluation of the attack tree In order to take advantage of this knowledge contained in the system description, it is necessary to introduce a formal representation of these objects which,
as described in section 5, can be easily made compatible with the ndimensional attack tree definition. Definition 1. A component ci is defined as a tuple < N ame, Desc, Lov, Sbid , Conf State, sec pol > where: – – – – – –
N ame is the name of a component. Desc is a free text describing the component. Lov is the list of the known vulnerabilities affecting the target component. Sbid is the id of the subsystem containing the component. Conf State is the specification of the component configuration. Sec pol is the list of security policies associated to the component
From a logical point of view, a component of a system is the atomic entity of every system description. It could be a hardware element, a software element, or, to simplify the view, an actor which has tasks and provide services in the system. At the same way, for our scope, a security policy can be defined as follows: Definition 2. let O = {o1 ...on } be the universe of the operation, let be C = {c1 ...cm } the universe of the actors (component) of a system, we define a tuple < oi , cj > as a “allowed operation” tuple. A security policy can be defined as a set Sck = {< oi , cj > |oi ∈ O, cj ∈ C} representing the collection of the operation allowed on the component ck . The previous definition is, of course, too simple to completely represent the concept of security policy, but this is out of the scope of the paper. What is relevant in this context is to emphasize the connection between this concept and the projection of the attack tree. A service can be defined, according with [9] as follows: Definition 3. A service S is a tuple < N ame, SdL, F L, value, SP > where: – N ame identifies in a unique way a target service – SdL (Services dependence list) is the list of the services concurring in the realization of the target service. – F L (Function logic) is a logical expression (First order) describing the relation between the target service and the services contained in the previous lists. – V alue it represent the value associated to a target service. – SP is the list of the security policies applied to the service. Information about services are extremely useful in the attack tree projection and reevaluation, for two reasons: (1) information about the associated security policies, service dependences and function logic can be used can be used to validate the feasibility of some attack steps (see next section) having then an impact on the plausibility evaluation; (2)information about service dependencies, function logic and service value can be even used to understand the real severity of a target attack in a target scenario.
4.2
Adverse Environment Information Source
For evaluating the plausibility of an attack, we need to take into consideration information about the Adverse Environment. In light of such knowledge, the plausibility of an attack tree can be reevaluated in order to obtain a more precise risk exposure evaluation. Information about the adverse environment can be usually organized in two classes: – Threats Information: as claimed in Section 2, a threat is a potential violation of security [11]. The description of a threat, includes information about the type of threat (natural, human etc.), the description of the threat agent (e.g criminal or terroristic organizations, hackers, newbie hackers etc.), their resources etc. This type of information is very useful in the evaluation of the attack plausibility. If we know for example that at the present time there is a criminal organization having interest in damaging a particular service provided by the system under analysis we must consider more plausible all the attacks having as final scope the interruption of such service. Moreover information about their motivation, their skills and resources could improve the plausibility evaluation. – Vulnerability Information: information about vulnerabilities associated to a target component, new tools allowing to make easier the exploitation of a particular vulnerability, has obviously a strong impact in the evaluation of the plausibility of an attack tree. As in the case presented in the previous section, in order to take advantage of the knowledge represented by information on threats and vulnerabilities, it is necessary to introduce a formal representation of these objects which, as described in Section 5, can be easily made compatible with the ndimensional attack tree definition. Definition 4. A Threat Agent can be defined as a tuple < N ame, Desc, Sk, Rs > where: – – – –
N ame identifies the threat agent Desc contains a description of the threat agent Sk describes the skills potentially owned by the threat agent Rs describes the resources owned by the threat agent (in a qualitative manner)
A Threat then can be described as follows: Definition 5. A Threat is defined as a tuple < N ame, T ype, T A, M ot, Category, plausibility, severity, dis caused > where: – – – – –
N ame identifies in a unique manner a threat T ype internal, external, both T A contains a Threat Agent tuple M ot describes the motivation aiming the threat agent Category Natural (meteo, geological.), technological, human... etc.
– P lausibilityindex it gives a measure of the plausibility of the threat considering information in possession by the analyst – Severityindex : it gives a measure of the impact the target threat may have on a certain system – dis caused: list of the disservice potentially caused, where a disservice is the negation of a service. In the same way we can now formally define a vulnerability. Definition 6. A vulnerability can be described by a tuple < N ame, T ype, Desc, V uln ref, Comp list, Count list, Sev, Exp, res > where: – N ame:identifies in a unique manner a vulnerability – T ype: it identifies a type of vulnerability (e.g. buffer overflow etc.). – Desc: it contains information about the vulnerability as : how to take advantage of it etc.. – V uln ref : it indicates the Vulnerability Reference Number (rif. MITRE or CVE). – Comp list: list of the components affected by the vulnerability. – Count list: it contains the list of the countermeasures. – Sev: it contains an index representing the severity of the vulnerability. – Exp: it contains an index representing the exploitability of the vulnerability. – res: a description of the resources needed to exploit the vulnerability In this respect, the elements of particular relevance for the “attack tree projection” context, are the exploitability of a vulnerability, the plausibility of the threat, the motivation, the resource and the skills of a threat agent (which have an impact in the plausibility evaluation of an attack) and the threat and vulnerability severity. All of them have an impact on the severity of an attack.
5
N-Dimensional Attack tree
An attack tree is a particular graph that describes the steps of an attack process. As we explained in Sections 1, attack trees were introduced to describe and share information about attack patterns. For this reason they are not usually focused on a target scenario. On the other hand in a risk assessment perspective, in order to obtain a more precise and detailed analysis, it is useful to have attack trees focused on the target scenario. We believe that these context−relevant trees can be obtained creating a projection of the generic, abstract trees on the target scenario by the use of the “boundary knowledge” presented in Section 4. In order to do this, two relevant points need to be improved: 1. The structure of the attack tree must be enriched with information on the target system and the hypothetical threat agent allowing to characterize better the different phases of an attack. Moreover, we note that in a traditional attack tree (as presented in [17]) all nodes have the same semantic meaning from a structural point of view. This constitutes a problem in linking the proper boundary knowledges to the correct nodes.
2. The knowledge contained in the attack tree must be normalized in order to be compatible with the knowledge derived by the system description and the adverse environment description. In what follows, we present an attack tree definition that considers the previous points. More in details, attack tree nodes can be categorized into three main classes: 1. Operations: any step representing an operation made by the attacker in order to perform the attack. 2. Vulnerabilities: any step describing a vulnerability required in order to realize the attack 3. Assertions: any step representing assumptions, results, or requirements characterizing the attack process. All these basic steps are linked by the use of logical ports (AND, OR, and NOT). Figure 4 gives an example of the use of these different elements.
Attack: DoS against VPN Server
Attacker runs TCP Flooding DDoS attack
No Traffic shaping policy defined on VPN server
Attacker runs attack verify_x509cert DoS
VPN Server is Vulnerable to a Resource Consumption Attack
VPN Server vulnerable to DoS, ref. CAN-2004-0590
The VPN Server is TCP based
VPN Server is Ipsec based
Attacker acquires information about FTP Server
Attacker runs TCP Flooding DDoS attack
Firewall allows network fingerprint
Attacker knows Finger Print Techniques
Fig. 4. An attack tree in which the squares represent Assertions, the circles represent Vulnerabilities used and the hexagons represents operations made by the attackers
This categorization allows to specify the different semantic meanings of the attack process steps. However, in order to improve points (1) and (2) it is necessary to define well the information associated to these object classes. Formally we can define these objects as follows: Definition 7. An Operation is a tuple < N ame, Actor, T arget, Action, Desc, P laus, Sev > where: – – – – –
N ame identifies the operation Actor identifies who performs the action T arget identifies the target of the action Desc describes the operations performed P laus & Severity are the plausibility and severity index associated a priori to the operation
Definition 8. An Assertion is a tuple < N ame, Desc, logic exp > where – N ame identifies the assertion – Desc contains a description of the assertion – logic exp contains eventually a logical function to be validated in order to consider true the assertion A Vulnerability is defined in Definition 6. Moreover, every attack tree has a special top node identifying the attack and containing a global evaluation (a priori) of its severity and its plausibility. As it is possible to see, adopting such a representation scheme we obtain a “semantic attack tree” with nodes that gains a contextual−relevant meaning. Moreover, this schema take into account the boundary knowledge described in the previous section. This schema can be then used to obtain a projection of the attack tree related to the target scenario. The projection task can be summarized as follows: 1. All the Operations of the attack tree are validated considering the configuration of the components involved, the associated security policies and the services provided by the components. 2. The Vulnerabilities used in the attack tree are validated considering the vulnerabilities associate to the respective components of the system. 3. The Assertions are validated considering the security policies, the information related to the threats (resources needed to realize vulnerabilities etc.) and the information related to the services. 4. Taking into consideration the validation results, the attack tree is pruned. 5. The values of plausibility and severity of the remaining attack tree are revised considering the associated boundary information. The result of this process is then an attack tree which is the projection of the original and general attack-tree on a target scenario. Moreover, due to the normalization of the attack tree, it is possible to directly link the boundary information with the related nodes of the attack tree, obtaining in this way a multidimensional attack tree containing both information related to the attack, information related to the attacked system and information related to the attacker (see Figure 5).
Threat Agent Information
Attack Information
Vulnerability information
Information on attacked system
Fig. 5. Multidimensional attack tree
6
Conclusion
The risk assessment evaluation of an ICT infrastructure is a extremely complex task that requires as input a complete picture of the security scenario to be analyzed. In this picture one must include the description of the attacks that realize a threat against a system. Such attacks, in the real world, are strongly context dependent. In order to develop a more realistic and precise risk assessment, we have showed how information about the boundary knowledge derived by the system and the environment description can be used in order to obtain an n-dimensional view of the attack tree projected on a target scenario. This is a first attempt, that of course needs further improvements. In particular, we plan to clarify in a formal way how the severity and the plausibility associated to the attack trees have to be modified in consideration of the boundary information. Moreover, we plan to integrate this approach into the methodology proposed in [8].
References 1. Aslam, T., Krsul, I. & Spafford, E.H.: Use of a taxonomy of security faults. In Proceedings of the Nineteenth NIST-NCSC National Information Systems Security Conference, (1996) pages 551560. 2. Kumar, S. : Classification and Detection of Computer Intrusions. PhD thesis, Department of Computer Science, Purdue University, West Lafayette, Indiana (1995). 3. Howard, J.: An Analysis of Security Incidents on the Internet, 19891995. PhD thesis, Department of Engineering and Public Policy, Carnegie Mellon University, Pittsburgh, Pennsylvania (1997). 4. S. Jajodia, S. Noel, B. O’Berry: Topological Analysis of Network Attack Vulnerability. In Managing Cyber Threats: Issues, Approaches and Challenges, V. Kumar, J. Srivastava, A. Lazarevic (eds.), Kluwer Academic Publisher (2004). 5. Jones, A., Ashenden, D.: Risk Management for Computer Security : Protecting Your Network & Information Assets. Elsevier (March 2005). 6. Code of Practice for Information Security Management. International Standard (ISO/IEC) 17799:2000. 7. Alberts, C., & Dorofee, A.: Managing Information Security Risks: The OCTAVE (SM) Approach., Addison Wesley Professional (July 2002) 8. Masera, M., Nai Fovino, I., & Sgnaolin, R.: A Framework for the Security Assessment of Remote Control Applications of Critical Infrastructure. ESReDA 29th Seminar, (2005) Ispra. 9. Masera, M., Nai Fovino, I.: Models for Security Assessment and Management. In Proceeding of the International Workshop on Complex Network and Infrastructure Protection 2006, (2006) Rome, Italy. 10. Alhazmi, O., Malaiya, Y., & Ray, I.: Security Vulnerabilities in Software Systems: A Quantitative Perspective. Lecture Notes in Computer Science, Volume 3654/2005. (2005) Publisher: Springer-Verlag GmbH. 11. Bishop, M.: Computer Security Art and Science, (November 2004) Addison Wesley. 12. Bugtraq vulnerability database. http://securityfocus.com 13. Steffan, J., Schumacher, M.: Collaborative attack modeling. In proceeding of the Symposium on Applied Computing, Madrid, Spain (2002) pp. 253 - 259 14. Tidwell, T., Larson. R., Fitch, K. & Hale, J.: Modeling Internet Attacks. Proceeding of the 2001 IEEE Workshop on Information Assurance and Security. United States Military Academy, West Point, NY (2001). 15. McDermott, J.: Attack Penetration Testing. In Proceeding of the 2000 New Security Paradigm Workshop, ACM SigSAC, ACM Press, ((2000) pp. 15-22. 16. Helmer, G., Wong, J., Slagell, M., Honavar, V., Miller, L., and Lutz, R.: A Software Fault Tree Approach to Requirements Analysis of an Intrusion Detection System. In Proceedings of the first Symposium on Requirements Engineering for Information Security (2001). 17. Schneier, B.: Modeling Security Threats, Dr. Dobb’s Journal. https://www.schneier.com/paper-attacktrees-ddj-ft.html (2001). 18. Daley, K., Larson, R., & Dawkins, J.: A Structural Framework for Modeling MultiStage Network Attacks. Proceedings of the International Conference on Parallel Processing Workshops. ICPP Workshops (2002), pp. 5-10. 19. Masera, M. & Nai Fovino, I.: Modelling Information Assets for Security Risk Assessment in Industrial settings. 15th EICAR Annual Conference (2006).
