Abstract
Current security requirements engineering methods tend to take an atomic, single-perspective view of attacks, treating them as threats, vulnerabilities or weaknesses from which security requirements can be derived. This approach may cloud the big picture of how many smaller weaknesses in a system contribute to an overall security flaw. The proposed Hacker Attack Representation Method (HARM) combines well-known and recently developed security modeling techniques in order to represent complex and creative hacker attacks diagrammatically from multiple perspectives. The purpose is to facilitate overviews of intrusions on a general level and to make it possible to involve different stakeholder groups in the process, including non-technical people who prefer simple, informal representations. The method is tied together by a meta model. Both the method and the meta model are illustrated with a security attack reported in the literature.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Karpati, P., Opdahl, A.L., Sindre, G. (2013). HARM: Hacker Attack Representation Method. In: Cordeiro, J., Virvou, M., Shishkov, B. (eds) Software and Data Technologies. ICSOFT 2010. Communications in Computer and Information Science, vol 170. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29578-2_10
DOI: https://doi.org/10.1007/978-3-642-29578-2_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29577-5
Online ISBN: 978-3-642-29578-2