Abstract
Careful planning is needed to design cyber infrastructures that can achieve mission objectives in the presence of deliberate attacks, including availability and reliability of service and confidentiality of data. Planning should be done with the aid of rigorous and sound security models. A security modeling formalism should be easy to learn and use, flexible enough to be used in different contexts, and should explicitly model the most significant parts of the system of interest. In particular, the research community is increasingly realizing the importance of human behavior in cyber security. However, security modeling formalisms often explicitly model only the adversary, or simplistic interactions between adversaries and defenders, or are tailored to specific use cases, or are difficult to use. We propose and define a novel security modeling formalism that explicitly models adversary, defender, and user behavior in an easy and general way, and illustrate its use with an example.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Baiardi, F., Corò, F., Tonelli, F., Bertolini, A., Bertolotti, R., Guidi, L.: Security stress: evaluating ICT robustness through a monte carlo method. In: Panayiotou, C.G.G., Ellinas, G., Kyriakides, E., Polycarpou, M.M.M. (eds.) CRITIS 2014. LNCS, vol. 8985, pp. 222–227. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31664-2_23
Buratowski, M.: The DNC server breach: who did it and what does it mean? Netw. Secur. 2016(10), 5–7 (2016)
Eloff, J., Labuschagne, L., Badenhorst, K.: A comparative framework for risk analysis methods. Comput. Secur. 12(6), 597–603 (1993). https://doi.org/10.1016/0167-4048(93)90056-B
Gorodetski, V., Kotenko, I., Karsaev, O.: Multi-agent technologies for computer network security: attack simulation, intrusion detection and intrusion detection learning. Int. J. Comput. Syst. Sci. Eng. 18(4), 191–200 (2003)
Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proceedings of the 17th International Conference on World Wide Web, WWW 2008, pp. 209–218. ACM, New York (2008)
Herley, C., v. Oorschot, P.C.: SoK: science, security and the elusive goal of security as a scientific pursuit. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 99–120, May 2017
Izmalkov, S., Micali, S., Lepinski, M.: Rational secure computation and ideal mechanism design. In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2005), pp. 585–594, October 2005. https://doi.org/10.1109/SFCS.2005.64
Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2012). https://doi.org/10.1093/logcom/exs029
Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: Dag-based attack and defense modeling: don’t miss the forest for the attack trees. CoRR abs/1303.7397 (2013). http://arxiv.org/abs/1303.7397
Kramer, J.: Attack-defence graphs: on the formalisation of security-critical systems. Master’s thesis, Saarland University (2015). https://www-old.cs.uni-paderborn.de/uploads/tx_sibibtex/main_01.pdf
Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)
Lee, R.M., Assante, M.J., Conway, T.: Analysis of the cyber attack on the Ukrainian power grid. SANS Industrial Control Systems (2016)
LeMay, E.: Adversary-driven state-based system security evaluation. Ph.D. thesis, University of Illinois at Urbana-Champaign (2011). https://www.perform.illinois.edu/Papers/USAN_papers/11LEM02.pdf
Manshaei, M.H., Zhu, Q., Alpcan, T., Bacşar, T., Hubaux, J.P.: Game theory meets network security and privacy. ACM Comput. Surv. 45(3), 25:1–25:39 (2013)
Marsan, M.A., Balbo, G., Conte, G., Donatelli, S., Franceschinis, G.: Modelling with Generalized Stochastic Petri Nets, 1st edn. Wiley, New York (1994)
Meyer, J.F., Movaghar, A., Sanders, W.H.: Stochastic activity networks: Structure, behavior, and application. In: Proceedings of the International Conference on Timed Petri Nets, Torino, Italy, pp. 106–115, July 1985
Roy, S., Ellis, C., Shiva, S., Dasgupta, D., Shandilya, V., Wu, Q.: A survey of game theory as applied to network security. In: 2010 43rd Hawaii International Conference on System Sciences (HICSS), pp. 1–10. IEEE (2010)
Salter, C., Saydjari, O.S., Schneier, B., Wallner, J.: Toward a secure system engineering methodolgy. In: Proceedings of the 1998 Workshop on New Security Paradigms, NSPW 1998, pp. 2–10. ACM, New York (1998)
Sanders, W.H., Meyer, J.F.: Reduced base model construction methods for stochastic activity networks. IEEE J. Sel. Areas Commun. 9(1), 25–36 (1991). Special issue on Computer-Aided Modeling, Analysis, and Design of Communication Networks
Sanders, W.H., Meyer, J.: A unified approach for specifying measures of performance, dependability, and performability. In: Avizienis, A., Kopetz, H., Laprie, J. (eds.) Dependable Computing for Critical Applications, Dependable Computing and Fault-Tolerant Systems, vol. 4, pp. 215–237. Springer, Vienna (1991). https://doi.org/10.1007/978-3-7091-9123-1_10
Straub, D.W., Welke, R.J.: Coping with systems risk: security planning models for management decision making. MIS Q., 441–469 (1998)
Verendel, V.: Quantified security is a weak hypothesis: a critical survey of results and assumptions. In: Proceedings of the 2009 Workshop on New Security Paradigms Workshop, NSPW 2009, pp. 37–50. ACM, New York(2009)
Wagner, N., Lippmann, R., Winterrose, M., Riordan, J., Yu, T., Streilein, W.W.: Agent-based simulation for assessing network security risk due to unauthorized hardware. In: Proceedings of the Symposium on Agent-Directed Simulation, ADS 2015, pp. 18–26. Society for Computer Simulation International, San Diego (2015)
You, X.Z., Shiyong, Z.: A kind of network security behavior model based on game theory. In: Proceedings of the 4th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2003, pp. 950–954, August 2003. https://doi.org/10.1109/PDCAT.2003.1236458
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Rausch, M., Fawaz, A., Keefe, K., Sanders, W.H. (2018). Modeling Humans: A General Agent Model for the Evaluation of Security. In: McIver, A., Horvath, A. (eds) Quantitative Evaluation of Systems. QEST 2018. Lecture Notes in Computer Science(), vol 11024. Springer, Cham. https://doi.org/10.1007/978-3-319-99154-2_23
Download citation
DOI: https://doi.org/10.1007/978-3-319-99154-2_23
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99153-5
Online ISBN: 978-3-319-99154-2
eBook Packages: Computer ScienceComputer Science (R0)