Automated Security Evaluation of Threat Paths Based on Petri Nets

Article type: Research article

Authors

1 PhD Student, Department of Computer, Faculty of Engineering, Islamic Azad University, Sari Branch, Sari, Iran

2 Assistant Professor, Department of Computer, Faculty of Engineering, Islamic Azad University, Babol Branch, Babol, Iran

3 Associate Professor, Department of Computer, Islamic Azad University, Sari Branch, Sari, Iran

Abstract

The security challenge is a common and very important keyword among emerging technologies such as the Internet of Things, the Internet of Vehicles, e-health and others, and neglecting this challenge will sometimes cause irreparable loss of life and financial damage to people in everyday life. On the other hand, identifying and extracting security requirements and potential threats in large-scale, interactive systems at the design phase requires threat modelling, and the existing methods are mostly manual, with errors, cost, time consumption and a failure to evaluate all possible cases. The proposed method, named Automated Security Evaluation of Threat Paths, is presented as an automated solution for identifying and extracting potential threats. In the proposed method, adding new capabilities such as conditional probability and security to Petri nets makes possible the automatic generation of threat paths and the automatic security evaluation, both quantitative and qualitative, of threat models. The presented method has been measured and evaluated with different security scenarios, and the results obtained show that, compared with other existing methods, the proposed method is fully automated and has a high level of security assurance.

Keywords


Article title [English]

The Automated Security Evaluation of Threat Paths Based on Petri Nets

Authors [English]

  • Mohammad Ali Ramazanzadeh 1
  • Behnam Barzegar 2
  • Homayun Motameni 3
1 PhD Student, Department of Computer, Faculty of Engineering, Islamic Azad University, Sari Branch, Sari, Iran
2 Assistant Professor, Department of Computer, Faculty of Engineering, Islamic Azad University, Babol Branch, Babol, Iran
3 Associate Professor, Department of Computer, Islamic Azad University, Sari Branch, Sari, Iran
Abstract [English]

The key challenge to be addressed in emerging technologies such as the Internet of Things, Internet of Transportation, e-Health, etc. is security. Ignoring this challenge can sometimes cause irreparable personal and financial damage to human beings in everyday life. On the other hand, identifying and extracting security requirements and potential threats in the design phase of large-scale and interactive systems requires threat modelling. The problem is that the existing modelling methods are mostly manual and are therefore inherently associated with errors, cost, time consumption, and failure to evaluate all conceivable possibilities. The present paper proposes a new method, called “Automated Security Evaluation of Threat Paths”, as an automated solution to the problem of identifying and extracting potential threats. In the proposed method, adding new capabilities such as conditional probability and security to Petri Nets makes it possible not only to generate the threat paths automatically, but also to evaluate the security of threat models automatically in both quantitative and qualitative ways. The performance of the proposed method was evaluated under different security scenarios, and the results showed that, compared to other existing methods, the proposed method offers a higher level of security assurance and, unlike the existing methods, is fully automated.
 

Keywords [English]

  • Security requirements
  • Threat modelling
  • Automated evaluation
  • Threat path
  • Reachability graph
  • Petri Nets
Volume 9, Issue 4 - Serial Number 36
Serial Number 36, Winter Quarterly
Esfand 1400
Pages 87-98
  • Received: 19 Mordad 1400
  • Revised: 15 Aban 1400
  • Accepted: 22 Azar 1400
  • Published: 01 Esfand 1400