
Paper ID

Name

STRIDE

DREAD

Abusers Stories
Stride Average Model
Attack Trees
9 Fuzzy Logic
Microsoft Threat Modeling
1 T-Map
10 CORAS
TRIKE
11 The CIAA Threat Model Process
11 The Data Lifecycle Threat Model Process
17 ITM SYSTEMS AND THREAT MODEL
http://www.ptatechnologies. PTA Practical Threat Analysis Calculative Threat Modeling Methodology
Threat Assessment & Remediation Analysis
18 Quantitative Threat Modeling Methodologies

20 Defects Threat Tree Modeling


21 Qualitative Threat Model
21 Threat Model Quantification
22 PABTM (Police Agent based Threat Model)
23 Unified Threat Model

25 Threat Source Modeling


26 Method for Common Criteria-Compliant Threat Analysis
28 Threat Model Framework and Methodology for Personal Networks (PNs)

27 Common Vulnerability Scoring System (CVSS)


27 Threat Model with UML Sequence Diagram
27 Threat Modeling in Pervasive Computing Paradigm

System Threat Modelling

Fault Trees
Attack Trees
Attack Nets
Threat Nets

Author Name

SDLC Phase

Application
Domain

COTS (Commercial off-the-shelf systems)

Distributed Data Storage Systems


Distributed Data Storage Systems


Requirements

Requirement

Web based systems

Requirements

Grid infrastructure

Requirements

Grid infrastructure

Design
Design

Threat Analysis

Requirement


Requirement

Web systems

Personal Networks

Design


pervasive computing (when there are multiple identities of a person and

Design

Web based systems

Additional / Overlap Phases


Levels/SDLC

Repeatedly during the lifecycle



Data creation stage

Design
Design stage


Objectives

quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat

6-step threat methodology: apply early and repeatedly during the development lifecycle
provides a strong quantitative method to evaluate the security

examining the types of threats that can occur at different stages of data state from creation to extinction.

traditional software security testing cannot ensure software security effectively.

identify threats, agent-based identification


to detect the design-level vulnerabilities and to design the mitigation schemes for secure coding and testing.

Threat model for common criteria compliant


aim to build a structured, convenient approach to model the threats

to analyze the system behaviour in terms of threats and their message exchange

The paper presents a novel approach for addressing threat modeling in pervasive computing and presents a model fo

Study Type


Implementation

Limitations



N/A

Methodology Name/tools

Formal or Semi-Formal

STRIDE Threat Model

DREAD modeling

Microsoft Threat Modeling

The CIAA Threat Model Process


The Data Lifecycle Threat Model Process

Defects threat tree modeling


Formal
Formal

Unified threat model

PN Threat Model Methodology

threat modeling with uml sequence diagram


semi formal

Outcome artifact

Model

Document
threat model and document (CORAS diagrams)

identified threats under CIAA at every stage

Optimal S&P(Security and Privacy) requirem

Defect threat tree


threat Model
threat Model
threat Model
threat model

Document / Common Criteria documentation


threat Model

model
threat model

Threat Identification

Group threats into categories; a DFD is developed and these steps are applied on each node.

DFD, analyze on the following: Damage, Reproducibility, Exploitability, Affected users, Discoverability
identifying threats, understanding threats, categorizing threats using STRIDE, identifying mitigation st

Input variables (threats derived from STRIDE), fuzzification


Identify threats, apply STRIDE, identify countermeasures
Vulnerability database -> Attack path UML Model (Class diagram), Attribute Ranking (0 to 1 depends on organization's req), Modeling by attack path (algo, (overall threat, threat key of note))
1- introductory meeting (system description (drawing, sketches etc)), 2- high level analysis (asset diagrams (UML)), 3- approval (asset table and likelihood), 4- risk identification (threat diagrams on the basis of threat scenarios and assets), 5- risk estimation (on threat diagram (likelihood, asset value)), 6- risk evaluation (risk diagram), 7- risk treatment (threat diagrams -> treatment diagrams)
1- req, 2- dfd
Organize threats under categories: confidentiality, integrity, availability, authentication, physical
Data creation + detail, Data Reception + detail, output + detail (apply CIAA on each)

1- Use case -> DFD, 2- Map S&P threats to DFD (threats -> Privacy protection goals (Unlinkability, transparency, …)), 3- Identify misuse case scenarios, 4- Risk based quantification (Attack trees or DREAD), 5- S&P requirements

1- DFD, 2- Identify threats according to that DFD (build threat trees)

MDP model (Markov decision process), identify sources (types), identify expertise (complexity)

TMQ, Action selection by the user (possible actions identified by sources (history, professionals' estimation))

Threat tree, threat evaluating algorithm, historical statistical information

1- Define scope (context diagram; persons + technical), 2- Asset identification (for all identified domains identify assets), 3- Domain knowledge (document the assumptions), 4- Describe attackers (for every asset and assumption identify attackers), 5- Identify threats (relationship between attacker and asset), 6- Documentation (document with the diagram)

1- use cases, 2- network overview from those scenarios, 3- technical background in use cases (make DFD of them), 4- identify assets in use cases, 5- identify threats (threat scenarios and attack trees), 6- identify vulnerabilities (from threat scenarios and their likelihood), 7- risk assessment (determine risks on the basis of identified threats), 8- determine the result (rank the threats to risk, use case to their risk)

Establish user/service roles and usage scenario (use case), Identify security domains and their interfaces, … each security domain, Vulnerabilities and their countermeasures, Risk evaluation, Detecting new threats and vulnerabilities (Common Vulnerability Scoring System)

Results

Processes

Techniques

Design

string, aliases
To do - tomorrow
From the abstracts, first threat modeling, then find the aliases for that.

Attacker Centric
Threat Centric
Attack Centric
Asset centric
System centric

25-3-2016
Examples
Specific
Examples in different domains

Paper ID

Name

SDLC Phase

Application

Applied on which phase of SDLC

Application area/domain

Web systems,
distributed data
storage systems

1 Unified threat model for analyzing and evaluating software threats

Design

2 STRIDE

Design

Web applications

3 A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements

4,5 ADVANCED CLOUD PRIVACY THREAT Modelling

Requirements,
Design

Biobank clouds

6 Threat Modeling Revisited: Improving Expressiveness of Attack

Design

7 Structured System Threat Modeling and Mitigation Analysis for Industrial Automation Systems

Design

Industrial Control
Systems

8 Threat Modeling for Security Failure-Tolerant Requirements

Design

Fault-Tolerant
Systems

9 Value Driven Security Threat Modeling Based on Attack Path Analysis

10 Threat-based Security Analysis for the Internet of Things

Design

Internet of Things
Systems

11 Determine Information Security Features for Smart Grid through Constructing a Threat Model

Design

Smart Grid Networks

12 A Security Evaluation Method Based on STRIDE Model for Web Service

Design

Web Services

13 Towards an Enhanced Design Level Security Integrating Attack Trees with Statecharts

Design

14 Using Taint Analysis for Threat Risk of Cloud Applications

15 Threat Tree Templates to Ease Difficulties in Threat Modeling

Cloud Applications

Design

16 Threat Modeling in Pervasive Computing Paradigm

Design

17 THREAT RISK MODELING

Design

18 A New Method for Network Threat Quantification Analysis

Design

19 Privacy Threat Modeling Framework for Online Social Networks

20 UMLSec

Pervasive computing, ubiquitous networks

Social Networks

Design

21 T-Map

Design

COTS (Commercial off-the-shelf systems)

22 The CIAA Threat Model Process

Design

Distributed Data Storage Systems

22 The Data Lifecycle Threat Model Process

Design

Distributed Data Storage Systems

23 Privacy-by-Design Based on Quantitative Threat Modelling

Design

24 A Case Study of Software Security Test Based On Defects Threat Tree Modeling

Design

Web Systems

25 l

Design

Smart Grid infrastructure

Additional / Overlap Phases

Objectives

Problem

If applied on multiple phases of SDLC. Example: Microsoft Threat Modelling: Repeatedly in lifecycle

No (on design stage)

For the purpose of improving the trustworthiness of software designs, this paper presents a unified threat model for representing, analyzing, and evaluating software threats at various design stages

research in threat modeling has yet to mature as established techniques, and tools to aid formal analysis and evaluation of software threats are still insufficient. To address this issue, this paper presents a unified threat model to formally represent, analyze, and evaluate software threats.

No

to discover the security weaknesses of a software system.

No

To map privacy-based threats

Yes

To reduce the complexity of privacy threat modelling

to identify methodology weaknesses, such as support for different privacy legislation and the threat identification process

No

to provide a solution that incorporates system design and deployment flaws, and attacker time-specific attributes in the synthesis of threats.

existing techniques lack expressiveness in modelling the threat

one step further than a regular threat model, by not only modeling components and threats within a system, but also the security controls that can mitigate threats.

the existing tools we found were either too general, and would not allow an efficient re-use of data, or too specific, in that they could not reasonably be applied to all the different components in a reference architecture.

No

No

to modeling security threats to applications and to deriving security failure-tolerant requirements from the threats.

existing approaches to modeling threats analyze security threats without consideration of the security failure-tolerance. This paper describes an approach to modeling security threats for security failure-tolerant applications.

No

to analyze the cost-effectiveness of how system patching and upgrades can improve security.

sensitive to an organization's business value priorities and IT environment. Cost effectiveness

No

thorough analysis of the security and privacy properties that are required for a system where the constituent devices vary in their capabilities.

to deal with security and privacy issues in IoT, a holistic analysis and risk assessment is still lacking. Due to the incompleteness of the security and privacy requirements

aiming at analyzing information security risks on SGN through constructing a threat model.

on Smart Grid network (SGN), the accompanying information security attacks will affect the reliability and usability of Smart Grid applications.

No

No

to evaluate the security index of Web service through the threat modeling and evaluating the degree of security

the current Web service security-related studies have mostly been confined to the implementation mechanisms of Web service security, and the related research on comprehensive evaluation of security degree from perspectives of Web service consumer and Web service provider is relatively little.

No

to increase the security awareness of software engineers by modeling the dynamic behavior of security attacks and integrating it with the functional specifications.

No

No

threat modeling approach uses separate models to represent threats and system behavior

Mobile security problem

propose threat tree templates to help non-expert analysts to construct threat trees

it is difficult for an average analyst to construct adequate trees, because security expertise, particularly from an attacker's perspective, is required to find potential attack scenarios.

No

No

To design a new modelling approach for pervasive computing and ubiquitous networks in order to handle inherent security issues.

The problem of security in pervasive computing increases in larger environments, when the users have multiple identities in different security domains and move from one domain to another domain. Due to non-availability of centralized authorization, the problem of scalability can be much greater than that of Public Key Infrastructure.

to detect and remove security vulnerabilities early in the software lifecycle.

to employ a flow-based model as an alternative methodology for decomposition, identification, and classification of threats

No

lack of a threat model to study privacy issues in online social networks

did not identify system components and potential vulnerabilities in the threat model. Does not answer the questions such as where the threats come from and what are the possible countermeasures either.

No

To improve by integrating security requirements analysis with a standard development process

No

provides a strong quantitative method to evaluate the security

most current approaches in security economics still stay at a high level and lack strong connections to the large volumes of fast-changing internet vulnerabilities and specific organizations' IT environment.

No

to present systematic processes toward threat modeling for storage systems.

lack of a comprehensive process for designing storage protection solutions.

No

to present systematic processes toward threat modeling for storage systems.

lack of a comprehensive process for designing storage protection solutions.

No

to provide architects of privacy-respecting systems with the adequate Privacy by design tools to make objective design decisions about their services.

Existing privacy by design approaches lack quantification

No

To build an improved security model which detects latent security defects

Due to the increasing complexity of software applications, traditional function security testing ways, which only test and validate software security mechanisms, are becoming ineffective to detect latent software security defects (SSD).

No

scalable threat model quantification method to create numerical models of various threat categories automatically

quantitative methods exist but there is no simple way to verify their validity in practice for large-scale infrastructures

Methodology Type

Methodology Name/tools

Formal or Semi-Formal

At which level in this methodology, formality exist (in process, method, tool)

Methodology

Unified Threat Model

Semi formal

STRIDE Threat Model / SDL threat modelling tool
Semi formal

Methodology

the LINDDUN methodology

Cloud Privacy Threat Modelling

Technique

Threat Nets

Process

System Threat Modelling

Semi formal

Methodology

Threat Modelling for Security Failure-Tolerant Requirements

Semiformal

Process

Quantitative Threat Modelling Method

Semi formal

Threat Based Security Analysis for Internet of Things
Semi formal

Threat Model for smart grid networks

Semi formal

Method

WS-Security Evaluation Model

Methodology,
Approach

Method

A TAINT CHECKING MODEL FOR THREAT RISK ANALYSIS OF MALICIOUS NETWORK APPLICATIONS

Threat Tree Templates

Semi formal

Methodology

Threat Modeling in Pervasive Computing Paradigm

Methodology

FLOWTHING MODEL

NETWORK VULNERABILITY RELATION MODEL

Framework

Privacy Threat Modeling Framework for Online Social Networks

Method

UMLSec

Method

Threat Modeling method based on Attack Path Analysis (T-MAP)

Process

CIAA Threat Model

Process

Data Lifecycle Threat Model

Approach / Methodology

QUANTITATIVE THREAT MODELING METHODOLOGY FOR PRIVACY-BY-DESIGN

Method

DEFECTS THREAT TREE MODELING

Method

Threat Model Quantification

Outcome artifact

Threat Identification

Threat Modelling

Threat Analysis

What will be the outcome after modelling the threats

What will be the outcome after analyzing the threats

What are the proposed steps by the methodology to identify the threats

Attack paths

1- Identify system functions via UML activity diagram 2- Identify actors and components via use cases and mis-use cases 3- Apply STRIDE on these functions

a structured approach that enables you to identify, quantify, and address the security risks associated with an application (OWASP)

Threat Model

Threat Model

The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

1- Model the system with DFD 2- Map the DFD elements to threat categories 3- Elicit the threats

process

Threats of DFD
elements

Privacy threat
model

Threat Model

Privacy Threats (using threat tree patterns)

1- Model the system with DFD 2- Map Privacy threats to DFD elements 3- Identify misuse case scenarios 4- risk based prioritization 5- elicit privacy requirements 6- select privacy enhancing solutions

Risk Evaluation
Report

1- identify privacy requirements from requirements engineering step 2- Take these to design step 3- Map according to the cloud architecture 4- evaluation of threats 5- results in privacy threat model

1- Input Data Model 2- identify threats with respect to the components 3- Populate the threat model with identified threats. 4- Enlist the possible security controls 5- Refine

Security Failure-Tolerant use cases

1- Use cases 2- Identify assets from use cases 3- identify threat point from these 4- Analyze threats according to attributes. 5- specify security fault-tolerant requirements from these.

Attack path
calculations

1- Vulnerability database 2- Design class diagram to model the steps in attack 3- Assign weights to the attack by T-MAP weighting system
re-do

Threat Model

Risk Assessment (Table form)

1- Use cases of internet of things 2- Identify potential threat 3- Identify attack analysis for each device 4- Risk analysis

Threats w.r.t DFD

Threats mapping to risk w.r.t threat (Tabular form)

1- Build smart grid framework summary; 2- Draw data flow diagram; 3- Analyze data flow diagram; 4- Determine which applications are with key assets; 5- Find out assets to be protected and identify the threats damaging the assets.

Use case
description with
threat points

Attack Path class diagram

Threat Model

Quantized reference index of dos evaluation from web service

1- DFD, 2- Apply STRIDE, 3- Quantize degree of web service security, 4- calculate the dos evaluation of web services providers, 5- Evaluate the risk, 5- Calculate the dos quantized value.

Threat Model / Attack Tree

Attack-Defense tree

1- System description, 2- Construct attack trees, 3- Perform taint analysis, 4- Perform probabilistic analysis, 4- Construct attack defence tree, 5- evaluate attack defence tree

Threat Tree

1- DFD, 2- Threat tree from DFD, 3- Analyze on the basis of templates, 4- Refine templates by using keywords.

Threat Model

1- Data flow models, 2- Apply methodology steps

Threat Model

1- System description using DFD, 2- Identify triggered states w.r.t. state transition diagrams, 3- Apply STRIDE classes, 4- Modified DFD

Modified DFD

Threat Model (using petri net) Graph

Threat Model

Model

Threat Table (likelihood, impact, prioritization)

1- OO analysis of domain, 2- Define attack rule set, 3- Definition of attack threat, 4- Quantification of each index of attack threat, 5- Modeling using petri-nets, 6- Perform analysis using Dijkstra algo

1- Study system's vulnerabilities under six security aspects, 2- Direct and indirect attacks, 3- Create model, 4- Prioritize the threats

Threat Model (Graph)

Attack path
calculations

1- Vulnerability database, 2- Attack path UML Model (Class diagram), 3- Attribute Ranking (0 to 1 depends on organization's req) 4- Modeling by attack path (algo)
re-do

Threat Model

Organize threats under categories: confidentiality, integrity, availability, authentication, physical

Threat Model

Data creation + detail, Data Reception + detail, output + detail (apply CIAA on each)

Threat Model
(Attack Tree)

Quantified Risk Table

1- Use case (For S&P Req), 2- DFD, 3- Map S&P threats to DFD, 4- Identify misuse case scenarios, 5- Risk based quantification
DFD

Defect Threat Tree

Test sequences on
the basis of threat
tree

1- DFD, 2- Identify security defects of each data element, 3- Build defect threat tree, 4- Generate test sequence

Qualitative threat model (Attack paths)

Quantitative threat model

1- Obtain n/w topology, 2- create state based model of network, 3- Model all possible attack paths on that basis, 4- Apply MDP, 5- Quantified model using MDP

Attacker centric

Protocol Centric
