The Automated Security Evaluation of Threat Paths Based on Petri Nets

Document Type : Original Article

Authors

1 PhD Student, Department of Computer, Faculty of Engineering, Islamic Azad University, Sari Branch, Sari, Iran

2 Assistant Professor, Department of Computer, Faculty of Engineering, Islamic Azad University, Babol Branch, Babol, Iran

3 Associate Professor, Department of Computer, Islamic Azad University, Sari Branch, Sari, Iran

Abstract

The key challenge to be well addressed in case of emerging technologies such as the Internet of Things, Internet of Transportation, e-Health, etc. is the security. Ignoring this challenge can sometimes cause irreparable personal and financial damage to human beings in everyday life. On the other hand, to identify and extract security requirements and potential threats in the design phase of large-scale and interactive systems, there is a need to model the threats. The problem is that the existing modelling methods are mostly manual, which are inherently associated with errors, cost, time consumption, and failure to evaluate all conceivable possibilities. The present paper proposes a new method, called “Automated Security Evaluation of Threat Paths”, as an automated solution to the problem of identifying and extracting potential threats. In the proposed method, by adding new capabilities such as conditional probability and security to Petri Nets, it is possible not only to automatically generate the threat paths, but also to automatically evaluate the security of threat models in both quantitative and qualitative ways. In this paper, the performance of the proposed method was evaluated under different security scenarios, and the results showed that, compared to other existing methods, the proposed method offers a higher level of security assurance and also, it is fully automated, unlike the existing methods .
 

Keywords


[1]
M. Shunmei, G. Zijian, L. Qianmu, W. Hao, D. Hong-Ning and Q. Lianyong, "Security-Driven hybrid collaborative recommendation method for cloud-based iot services," Computers & Security, 2020.
[2]
Z. Mahmood, "Connected vehicles in the iov: Concepts, technologies and architectures," In: Connected vehicles in the internet of things : Springer, 2020.
[3]
A. Kumar, A. K. Jain and M. Dua, "A comprehensive taxonomy of security and privacy issues in RFID," Complex Intell. Syst., 2021.
[4]
G. Tripathi, M. Ahad and M. Sathiyanarayanan, "The role of blockchain in internet of vehicles (iov): Issues, challenges and opportunities," In: 2019 international conference on contemporary computing and informatics (IC3I). IEEE, pp. 26-31, 2019.
[5]
L. Sleem, H. N. Noura and R. Couturier, "Towards a secure ITS: Overview, challenges and solutions," Journal of Information Security and Applications, vol. 55, 2020.
[6]
M. Zhang, C. Chen, T. Wo, T. Xie, M. Bhuiyan and X. Lin, "Safedrive: online driving anomaly detection from large-scale vehicle data," IEEE Trans Ind Inf, vol. 13, no. 4, pp. 2087-96, 2017.
[7]
O. Abu Waraga, M. Bettayeb, Q. Nasir and M. Abu Talib, "Design and Implementation of Automated IoT Security Testbed," Computers & Security, vol. 88, 2020.
[8]
B. D. Deebak and F. AL-Turjman, "Secure-user sign-in authentication for IoT-based eHealth systems," Complex Intell. Syst, 2021.
[9]
S. Tanwar, K. Parekh and R. Evans, "Blockchain-based electronic healthcare record system for healthcare 4.0 applications," Journal of Information Security and Applications, 2020.
[10]
L. Chen , W. Lee , C.-H. Chang, K.-K. Raymond Choo and N. Zhang , "Blockchain based searchable encryption for electronic health record sharing," Fut Gener Comput Syst, vol. 95, pp. 420-9, 2019.
[11]
D. Xu, M. Tu, M. Sanford, L. Thomas, D. Woodraska and W. Xu, "Automated Security Test Generation with Formal Threat Models," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 4, pp. 526-540, 2012.
[12]
B. Barzegar and H. Motameni, "Modeling and simulation firewall using Colored Petri Nets," World Appl. Sci. j, vol. 15, no. 6, pp. 826-830, 2011.
[13]
B. Barzegar, S. Ghanbari, H. Bozorgi and M. Rahimi, "Modeling and simulation of traffic lights and controller unit systems by Colored Petri Nets," Int. j. Phys. Sci, vol. 6, no. 34, pp. 7760-7770, 2011.
[14]
W. Arsac, G. Bella, X. Chantry and L. Compagna,
"Multi-Attacker Protocol Validation," Journal of Automated Reasoning, vol. 46, no. 4, pp. 353-388, 2011.
[15]
A. O. Baquero, A. J. Kornecki and J. Zalewski, "Threat Modeling for Aviation Computer Security," Fusing IT & Real-Time Tactical, vol. 28, pp. 21-27, 2015.
[16]
S. Musman and A. Turner, "A game oriented approach to minimizing cybersecurity risk," International Journal of Safety and Security Engineering, vol. 8, no. 2, pp. 212-222, 2018.
[17]
W. Xiong and R. Lagerström, " Threat modeling -- A systematic literature review," Computers & Security, vol. 84, pp. 53-69, 2019.
[18]
H. Holm, M. Buschle, R. Lagerstrom and M. Ekstedt, "Automated data collection for enterprise architecture models," Softw syst model, vol. 13, no. 2, p. 825, 2014.
[19]
P. Närman, P. Johnson, R. Lagerström, U. Franke and M. Ekstedt, " Data Collection Prioritization for System Quality Analysis," Electronic Notes in Theoretical Computer Science, vol. 233, pp. 29-42, 2009.
[20]
R. Jiang, R. Lu, Y. Wang, J. Luo, C. Shen and X. S. Shen, "Energy-Theft Detection Issues for Advanced Metering Infrastructure in Smart Grid," Science and Technology, vol. 19, no. 2, pp. 105-120, 2014.
[21]
A. Almulhem, "Threat Modeling for Electronic Health Record Systems," Journal of Medical Systems, vol. 36, no. 5, 2012.
[22]
A. Almulhem, "Threat modeling of a multi-UAV system," Transportation Research Part A: policy and practice, pp. 290-295, 2020.
[23]
D. Pei, L. Zhang and D. Massey, "A framework for resilient Internet routing protocols," IEEE Network, vol. 18, no. 2, pp. 5-12, 2004.
[24]
X. Liu, P. Zhu, Y. Zhang and K. Chen, "A Collaborative Intrusion Detection Mechanism Against False Data Injection Attack in Advanced Metering Infrastructure," IEEE Transactions on Smart Grid, vol. 6, no. 5, pp. 435-443, 2015.
[25]
J. C. Pendergrass, K. Heart, C. Ranganathan and V. N. Venkatakrishnan, "A threat table based assessment of information security in telemedicine," International Journal of Healthcare Information Systems and Informatics, vol. 9, no. 4, pp. 20-31, 2014.
[26]
P. Bedi, V. Gandotra, A. Singhal, H. Narang and S. Sharma, "Threat-oriented security framework in risk management using multiagent system," Software:P ractice and Experience, vol. 43, pp. 1013-1038, 2013.
[27]
G. Brændeland, A. Refsdal and K. Stølen, "Modular analysis and modelling of risk scenarios with dependencies," The Journal of Systems & Software, vol. 83, no. 10, pp. 1995-2013, 2010.
[28]
A. V. Uzunov and E. B. Fernandez,, "An extensible pattern-based library and taxonomy of security threats for distributed systems," Computer Standards & Interfaces, vol. 36, no. 4, pp. 734-747, 2014.
[29]
R. N. Dahbul, C. Lim and J. Purnama, "Enhancing Honeypot Deception Capability Through Network Service Fingerprinting," Journal of Physics:Conference Series, pp. 1-6, 2017.
[30]
D. Xu and K. E. Nygard, "Threat-Driven Modeling and Verification of Secure Software Using Aspect-Oriented Petri Nets," IEEE Transactions on Software Engineering, vol. 32, no. 4, pp. 265-278, 2006.
[31]
D. Seifert and H. Reza, "A Security Analysis of Cyber-Physical Systems Architecture for Healthcare," Computers, vol. 5, no. 27, pp. 1-24, 2016.
[32]
M. Kalinin and A. Konoplev, "Formalization of objectives of grid systems resources protection against unauthorized access," Nonlinear Phenomena in Complex Systems, vol. 17, no. 3, pp. 272-277, 2014.
[33]
J. Meszaros and A. Buchalcevova, "Introducing OSSF: A framework for online service cybersecurity risk management," Computers & Security, vol. 65, pp. 300-313, 2017.
[34]
X. Chen, Y. Liu and J. Yi, "A Security Evaluation Framework Based on STRIDE Model for Software in Networks," International Journal of Advancements in Computing Technology, vol. 4, no. 13, pp. 269-278, 2012.
[35]
V. Olawumi, K. Haataja and P. Toivanen, "Security Issues in Smart Homes and Mobile Health System: Threat Analysis, Possible Countermeasures and Lessons Learned," International Journal on Information Technologies & Security, vol. 9, no. 1, p. 31, 2017.
[36]
M. Frydman, G. Ruiz, E. Heymann, E. César and B. P. Miller, "Automating Risk Analysis of Software Design Models," The Scientific World Journal, pp. 1-12, 2014.
[37]
Microsoft, "object-oriented programing," Microsoft, 2020. [Online]. Available: https://docs.microsoft.com/en-us/dotnet/csharp/tutorials/intro-to-csharp/object-oriented-programming.
[38]
Microsoft, "Inheritance," Microsoft, 2020. [Online]. Available: https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/classes-and-structs/inheritance.
[39]
K. Shoushian, A. J. Rashidi and A. R. Mirghadri, "Probabilistic Modeling of Obfuscated Multi-Stage Cyber Attacks," Journal of Electronical & Cyber Defence, vol. 8, no. 2, p. 61, 2020,
(In Persion).
Volume 9, Issue 4 - Serial Number 36
Serial No. 36, Winter Quarterly
February 2022
Pages 87-98
  • Receive Date: 10 August 2021
  • Revise Date: 06 November 2021
  • Accept Date: 13 December 2021
  • Publish Date: 20 February 2022