Semi-automated generation of networked vulnerability-attack countermeasure trees for security analysis
Thesis Discipline: Computer Science
Degree Grantor: University of Canterbury
Degree Name: Master of Science
Cybersecurity threats are unavoidable in today's world, so there is a need to develop well-researched security formalisms and metrics. If the security of a networked system can be measured both qualitatively and quantitatively, it can be improved through a range of techniques. Several theoretical security models have been developed to conduct security analysis; they use such formalisms and metrics to quantify security. In practice, however, these models are usually constructed manually, which is cumbersome and error prone, and as networks grow in size manual construction is no longer feasible. There are also no reliable tools for automatically extracting essential information about a system's vulnerabilities, estimating the attacks that the known vulnerabilities make possible, and evaluating existing attack detection capabilities and mitigation measures. Hence, there is a need for automated generation of security models to ease security analysis.
While security models with improved scalability have been developed that take into account information about detection and mitigation techniques, semi-automatically generating these models from the information collected by security solutions (such as intrusion detection systems (IDSs), firewalls, vulnerability scanners, etc.) presents unique challenges. Furthermore, such models do not incorporate vulnerability information explicitly, which is needed for a better security analysis of a system. So there is a need to develop a new security formalism that also includes vulnerability information.
This thesis presents an approach to the semi-automated generation of a novel security formalism named Networked Vulnerability-Attack Countermeasure Tree (nVACT). nVACT is a two-layered security model: the upper layer holds network reachability information and the lower layer holds security event information. Security analysis of a networked system using nVACT can be used to assess various security metrics (e.g. return on attack, effectiveness of the countermeasures applied, return on investment in countermeasures, etc.).