Skip to main content
SpringerLink
Log in
Book cover

International Conference on Software and Data Technologies

ICSOFT 2010: Software and Data Technologies pp 156–175Cite as

HARM: Hacker Attack Representation Method

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 170))

Abstract

Current security requirements engineering methods tend to take an atomic and single-perspective view on attacks, treating them as threats, vulnerabilities or weaknesses from which security requirements can be derived. This approach may cloud the big picture of how many smaller weaknesses in a system contribute to an overall security flaw. The proposed Hacker Attack Representation Method (HARM) combines well-known and recently developed security modeling techniques in order represent complex and creative hacker attacks diagrammatically from multiple perspectives. The purpose is to facilitate overviews of intrusions on a general level and to make it possible to involve different stakeholder groups in the process, including non-technical people who prefer simple, informal representations. The method is tied together by a meta model. Both the method and the meta model are illustrated with a security attack reported in the literature.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Amyot, D., Mussbacher, G.: On the Extension of UML with Use Case Maps Concepts. In: Evans, A., Caskurlu, B., Selic, B. (eds.) UML 2000. LNCS, vol. 1939, pp. 16–31. Springer, Heidelberg (2000)

    Google Scholar 

  2. Alexander, I.: Misuse Cases: Use Cases with Hostile Intent. IEEE Software 20(1), 58–66 (2003)

    Article  Google Scholar 

  3. Barnum, S.: Attack Patterns as a Knowledge Resource for Building Secure Software. In: Sethi, A. (ed.) Cigital: OMG Software Assurance WS (2007)

    Google Scholar 

  4. Benyon, D., Skidmore, S.: Towards a Tool Kit For the Systems Analyst. The Computer Journal 30(1), 2–7 (1987)

    Article  Google Scholar 

  5. Buhr, R.J.A.: Use case maps for attributing behaviour to system architecture. In: Proc. 4th Int. WS on Parallel and Distributed Real-Time Systems, p. 3 (1996)

    Google Scholar 

  6. Buhr, R.J.A., Casselman, R.S.: Use Case Maps for Object-Oriented Systems. Prentice Hall (1995)

    Google Scholar 

  7. Cheung, S., Lindqvist, U., Valdez, R.: Correlated Attack Modeling (CAM), Final Technical Report by SRI International (October 2003)

    Google Scholar 

  8. Gegick, M., Williams, L.: Matching attack patterns to security vulnerabilities in software-intensive system designs. In: Proc. SESS 2005 - Building Trustworthy Applications, pp. 1–7 (2005)

    Google Scholar 

  9. Gutierrez, C., Fernandez-Medina, E., Piattini, M.: Web services enterprise security architecture: a case study. In: Proc. WS on Secure Web Services (SWS 2005), Fairfax, VA, USA (2005)

    Google Scholar 

  10. Gutierrez, C., Fernandez-Medina, E., Piattini, M.: Towards a Process for Web Services Security. In: Proc. WOSIS 2005 at ICEIS 2005, Miami, Florida, USA (2005)

    Google Scholar 

  11. Gutierrez, C., Fernandez-Medina, E., Piattini, M.: PWSSec: Process for Web Services Security. In: Proc. ICWS 2006, September 18-22, pp. 213–222 (2006)

    Google Scholar 

  12. Karpati, P., Sindre, G., Opdahl, A.L.: Visualizing Cyber Attacks with Misuse Case Maps. In: Wieringa, R., Persson, A. (eds.) REFSQ 2010. LNCS (LNAI), vol. 6182, pp. 262–275. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  13. Karpati, P., Sindre, G., Opdahl, A.L.: Towards a Hacker Attack Representation Method. In: Proc. of the 5th ICSOFT, pp. 92–101. INSTICC Press (2010)

    Google Scholar 

  14. Katta, V., Karpati, P., Opdahl, A.L., Raspotnig, C., Sindre, G.: Comparing Two Techniques for Intrusion Visualization. In: van Bommel, P., Hoppenbrouwers, S., Overbeek, S., Proper, E., Barjis, J. (eds.) PoEM 2010. LNBIP, vol. 68, pp. 1–15. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  15. Lamsweerde, A., Brohez, S., De Landtsheer, R., Janssens, D.: From System Goals to Intruder Anti-Goals: Attack Generation and Resolution for Security Requirements Engineering. In: Heytmeier, C., Mead, N. (eds.) Proc. of the 2nd RHAS 2003, pp. 49–56 (2003)

    Google Scholar 

  16. Liu, L., Yu, E., Mylopoulos, J.: Security and Privacy Requirements Analysis within a Social Setting. In: Proc. of the 11th RE 2003, pp. 151–160. IEEE Press, Monterey Bay (2003)

    Google Scholar 

  17. Maurya, S., Jangam, E., Talukder, M., Pais, A.R.: Suraksha: A security designers’ workbench. In: Proc. Hack.in 2009, pp. 59–66 (2009)

    Google Scholar 

  18. Mead, N.R., Stehney, T.: Security Quality Requirements Engineering (SQUARE) Methodology. In: Proc SESS 2005, St. Louis, MO, May 15-16, pp. 1–7 (2005)

    Google Scholar 

  19. Mitnick, K.D., Simon, W.L.: The Art of Intrusion. Wiley Publishing Inc. (2006)

    Google Scholar 

  20. Neumann, P.G., Porras, P.A.: Experience with EMERALD to date. In: Proc. WS on Intrusion Detection and Network Monitoring, pp:73–80 (1999)

    Google Scholar 

  21. Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alerts. In: Proc. 9th ACM Conf. on CCS, pp. 245–254 (2002)

    Google Scholar 

  22. OMG Unified Modeling LanguageTM (OMG UML), Superstructure Version 2.2 (February 2009)

    Google Scholar 

  23. Opdahl, A.L., Sindre, G.: Experimental Comparison of Attack Trees and Misuse Cases for Security Threat Identification. Information and Software Technology 51(5), 916–932 (2009)

    Article  Google Scholar 

  24. ReqSec project, http://idi.ntnu.no/research/index.php?prosjekt=39

  25. Schneier, B.: Attack Trees, Dr. Dobb’s Journal (1999)

    Google Scholar 

  26. Schneier, B.: Secrets and Lies: Digital Security in a Networked World. Wiley (2000)

    Google Scholar 

  27. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated Generation and Analysis of Attack Graphs. In: Proc. IEEE Symposium on Security and Privacy, p. 273 (2002)

    Google Scholar 

  28. Sindre, G.: Mal-Activity Diagrams for Capturing Attacks on Business Processes. In: Sawyer, P., Heymans, P. (eds.) REFSQ 2007. LNCS, vol. 4542, pp. 355–366. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  29. Sindre, G., Opdahl, A.L.: Eliciting Security Requirements with Misuse Cases. Requirements Engineering 10(1), 34–44 (2005)

    Article  Google Scholar 

  30. Sindre, G., Opdahl, A.L., Brevik, G.F.: Generalization/Specialization as a Structuring Mechanism for Misuse Cases. In: Proc. SREIS 2002 (2002)

    Google Scholar 

  31. Steele, P., Zaslavsky, A.: The Role of Metamodels in Federating System Modeling Techniques. In: Elmasri, R.A., Kouramajian, V., Thalheim, B. (eds.) ER 1993. LNCS, vol. 823, pp. 301–312. Springer, Heidelberg (1994)

    Google Scholar 

  32. Templeton, S.J., Levitt, K.: A requires/provides model for computer attacks. In: Proc. WS on New Security Paradigms, pp. 31–38 (2000)

    Google Scholar 

  33. The Mitre Corp., Common Attack Pattern Enumeration and Classification (2010), http://capec.mitre.org (accessed: 30.3.2010)

  34. Tøndel, I.A., Jensen, J., Røstad, L.: Combining misuse cases with attack trees and security activity models. In: Proc. ARES 2010, pp. 438–445 (2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Dept. of Computer and Information Science, Norwegian University of Science and Technology, Trondheim, Norway

    Peter Karpati & Guttorm Sindre

  2. Dept. of Information Science and Media Studies, University of Bergen, Bergen, Norway

    Andreas L. Opdahl

Authors
  1. Peter Karpati
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Andreas L. Opdahl
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Guttorm Sindre
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Systems and Informatics, INSTICC / IPS, Rua do Vale de Chaves, Estefanilha, 2910-761, Setúbal, Portugal

    José Cordeiro

  2. Department of Informatics, University of Piraeus, 80 Karaoli & Dimitriou St., 18534, Piraeus, Greece

    Maria Virvou

  3. IICREST, P.O. Box 104, 1618, Sofia, Bulgaria

    Boris Shishkov

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Karpati, P., Opdahl, A.L., Sindre, G. (2013). HARM: Hacker Attack Representation Method. In: Cordeiro, J., Virvou, M., Shishkov, B. (eds) Software and Data Technologies. ICSOFT 2010. Communications in Computer and Information Science, vol 170. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29578-2_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-29578-2_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29577-5

  • Online ISBN: 978-3-642-29578-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation