BITS Faculty Publications

  • Item
    How to Efficiently Build a Front-End Tool for UPPAAL: A Model-Driven Approach
    (Springer, 2017-10) Kumar, Rajesh
    We propose a model-driven engineering approach that facilitates the production of tool chains that use the popular model checker Uppaal as a back-end analysis tool. In this approach, we introduce a metamodel for Uppaal's input model, containing both timed-automata concepts and syntax-related elements for C-like expressions. We also introduce a metamodel for Uppaal's query language to specify temporal properties, as well as a metamodel for traces to interpret Uppaal's counterexamples and witnesses. The approach provides a systematic way to build software bridging tools (i.e., tools that translate from a domain-specific language to Uppaal's input language) such that these tools become easier to debug, extend, reuse and maintain. We demonstrate our approach on five different domains: cyber-physical systems, hardware-software co-design, cyber-security, reliability engineering and software timing analysis.
  • Item
    Effective Analysis of Attack Trees: A Model-Driven Approach
    (Springer, 2018-04) Kumar, Rajesh
    Attack trees (ATs) are a popular formalism for security analysis, and numerous variations and tools have been developed around them. These were mostly developed independently, and offer little interoperability or ability to combine various AT features. We present ATTop, a software bridging tool that enables automated analysis of ATs using a model-driven engineering approach. ATTop fulfills two purposes: 1. it facilitates interoperation between several AT analysis methodologies and resulting tools (e.g., ATE, ATCalc, ADTool 2.0); 2. it can perform a comprehensive analysis of attack trees by translating them into timed automata, analyzing them using the popular model checker Uppaal, and translating the analysis results back to the original ATs. Technically, our approach uses various metamodels to provide a unified description of AT variants. Based on these metamodels, we perform model transformations that allow various analysis methods to be applied to an AT and the results to be traced back to the AT domain. We illustrate our approach on the basis of a case study from the AT literature.
  • Item
    Time Dependent Analysis with Dynamic Counter Measure Trees
    (ARXIV, 2015-09) Kumar, Rajesh
    The success of a security attack crucially depends on time: the more time available to the attacker, the higher the probability of a successful attack. Formalisms such as reliability block diagrams, reliability graphs and attack countermeasure trees provide quantitative information about attack scenarios, but they are provably insufficient to model dependent actions which involve costs, skills, and time. In this presentation, we extend attack countermeasure trees with a notion of time, inspired by the fact that there is a strong correlation between the amount of resources the attacker invests (in this case time) and the probability that the attacker succeeds. This allows for an effective selection of countermeasures and for ranking them according to their resource consumption in terms of the costs/skills of installing them and their effectiveness in preventing an attack.
  • Item
    Sequential and Parallel Attack Tree Modelling
    (Springer, 2015-12) Kumar, Rajesh
    The intricacy of socio-technical systems requires careful planning and utilisation of security resources to ensure uninterrupted, secure and reliable services. Even though many studies have been conducted to understand and model the behaviour of a potential attacker, the detection of crucial security vulnerabilities in such a system still poses a substantial challenge for security engineers. The success of a sophisticated attack crucially depends on two factors: the resources and time available to the attacker, and the stepwise execution of interrelated attack steps. This paper presents an extension of dynamic attack tree models by using both the sequential and the parallel behaviour of AND- and OR-gates. Thereby we take great care to allow the modelling of any kind of temporal and stochastic dependencies which might occur in the model. We demonstrate the applicability on several case studies.
  • Item
    Using Attack-Defense Trees to Analyze Threats and Countermeasures in an ATM: A Case Study
    (Springer, 2016-10) Kumar, Rajesh
    Securing automated teller machines (ATMs), as critical and complex infrastructure, requires a precise understanding of the associated threats. This paper reports on the application of attack-defense trees to model and analyze the security of ATMs. We capture the most dangerous multi-stage attack scenarios applicable to ATM structures, and establish a practical experience report, where we reflect on the process of modeling ATM threats via attack-defense trees. In particular, we share our insights into the benefits and drawbacks of attack-defense tree modeling, as well as best practices and lessons learned.
  • Item
    Quantitative Attack Tree Analysis via Priced Timed Automata
    (Springer, 2015-01) Kumar, Rajesh
    The success of a security attack crucially depends on the resources available to an attacker: time, budget, skill level, and risk appetite. Insight into these dependencies and the most vulnerable system parts is key to providing effective countermeasures. This paper considers attack trees, one of the most prominent security formalisms for threat analysis. We provide an effective way to compute the resources needed for a successful attack, as well as the associated attack paths. These paths provide the optimal ways, from the perspective of the attacker, to attack the system, and provide a ranking of the most vulnerable system parts. By exploiting the priced timed automaton model checker Uppaal CORA, we realize important advantages over earlier attack tree analysis methods: we can handle more complex gates, temporal dependencies between attack steps, shared subtrees, and realistic, multi-parametric cost structures. Furthermore, due to its compositionality, our approach is flexible and easy to extend. We illustrate our approach with several standard case studies from the literature, showing that our method agrees with existing analyses of these cases, and can incorporate additional data, leading to more informative results.
  • Item
    Quantitative Security and Safety Analysis with Attack-Fault Trees
    (IEEE, 2017) Kumar, Rajesh
    Cyber-physical systems, like power plants, medical devices and data centers, have to meet high standards, both in terms of safety (i.e., absence of unintentional failures) and security (i.e., no disruptions due to malicious attacks). This paper presents attack-fault trees (AFTs), a formalism that marries fault trees (safety) and attack trees (security). We equip AFTs with stochastic model checking techniques, enabling a rich plethora of qualitative and quantitative analyses. Qualitative metrics pinpoint the root causes of the system failure, while quantitative metrics concern the likelihood, cost, and impact of a disruption. Examples are: (1) the most likely attack path, (2) the most costly system failure, (3) the expected impact of an attack. Each of these metrics can be constrained, i.e., we can provide the most likely disruption within time t and/or budget B. Finally, we can use sensitivity analysis to find the attack step that has the most influence on a given metric. We demonstrate our approach through three realistic case studies.
  • Item
    LOCKS: a property specification language for security goals
    (ACM Digital Library, 2018-04) Kumar, Rajesh
    We introduce a formal specification language, LOCKS, that allows security practitioners to express as well as compose security goals in a convenient manner. LOCKS supports the specification of the most common security properties over generic attributes, both for qualitative and quantitative goals. To make our language independent of a specific security framework, we evaluate LOCKS over a generic attack model, namely the structural attack model (SAM), which over-arches the most prominent graphical threat models. Furthermore, we equip our language with a concise grammar, type rules and denotational semantics, thus laying the foundations of an automated tool. We take a number of informal security goals from the literature and show how they can be formally expressed in our language.
  • Item
    A Quantitative Security Risk Analysis Framework for Modelling and Analyzing Advanced Persistent Threats
    (Springer, 2021-02) Kumar, Rajesh
    Advanced persistent threats (APTs) are different from other computer-based attacks in their target selection, attack technique, and malicious motive. Distinct from script kiddie attacks, these attacks target critical systems to inflict maximum damage, such as stalling critical industrial processes. The standard defense against APT attacks is to deploy security mechanisms that are typically reminiscent of enterprise defense systems, such as firewalls, intrusion detection systems, etc. However, given the nature and attack potential of APT attacks, one cannot rely on these security mechanisms alone, as they are susceptible to failure and false alarms, and interfere with usability. Yet another problem is to decide which mechanisms to deploy, and at which points, to offer maximum coverage against attacks. We believe, given the unique characteristics of APT attacks, one needs a robust and layered defense to protect against APTs through timely detection, prevention, mitigation, and emergency planning. One objective way to determine the countermeasures' efficacy is by modeling and simulating attack behaviour. In this paper, we propose a two-layer framework to analyze APT attacks. At the top is the domain model of the enhanced cyber kill chain. We use it to capture the attack phases, techniques, and processes. The bottom layer is the analytic layer of stochastic timed automata derived from the domain model. Key metrics are obtained using state-of-the-art statistical model-checking techniques. We argue that such a timed analysis can be used to improve the security posture by putting countermeasures at appropriate positions.
  • Item
    An attack tree template based on feature diagram hierarchy
    (IEEE, 2020) Kumar, Rajesh
    Attack trees (ATs) are a popular model-based formalism for performing a security risk assessment. The benefits of using ATs are numerous: graphical top-down representation of multi-stage attack scenarios, several analysis frameworks, and many supporting tools. The current practice of constructing an attack tree for a given system is to use rules of thumb. Though this process is flexible, in the absence of a template it is non-standardized. Hence it is tedious and may result in contention between the stakeholders due to individual idiosyncrasies. To address these limitations, in this paper, we develop an AT template. We meticulously design the template by performing a literature survey of industry-size ATs and extracting the meta-categories used to build them. The AT template is then structured into layers by the systematic question-answering methodology of Potts et al. Each successive layer in our template is a refinement of the previous layer, adding more details. We link the AT template to standard threat databases. Thus, our template guides the practitioner in narrowing down to the appropriate attack vectors. An important question here is how to keep the AT template flexible, given the diversity of context and system variables. To address the question, we use a feature diagram to represent the AT categories. We used the AT template to gain practical experience over a hypothetical case study of smart meters (not part of the paper). Based on our experience, we suggest future research directions.