DOI QR코드

DOI QR Code

Security-Reverse-Attack Engineering Life-cycle Model for Attack System and Attack Specification Models

공격시스템을 위한 보안-역-공격공학 생명주기 모델과 공격명세모델

  • Kim, Nam-Jeong (Department of Computer Engineering, Hannam University) ;
  • Kong, Mun-Soo (Department of Computer Engineering, Hannam University) ;
  • Lee, Gang-Soo (Department of Computer Engineering, Hannam University)
  • 김남정 (한남대학교 컴퓨터공학과) ;
  • 공문수 (한남대학교 컴퓨터공학과) ;
  • 이강수 (한남대학교 컴퓨터공학과)
  • Published : 2017.06.28

Abstract

Recently, as cyber attacks have been activated, many such attacks have come into contact with various media. Research on security engineering and reverse engineering is active, but there is a lack of research that integrates them and applies attack systems through cost effective attack engineering. In this paper, security - enhanced information systems are developed by security engineering and reverse engineering is used to identify vulnerabilities. Using this vulnerability, we compare and analyze lifecycle models that construct or remodel attack system through attack engineering, and specify structure and behavior of each system, and propose more effective modeling. In addition, we extend the existing models and tools to propose graphical attack specification models that specify attack methods and scenarios in terms of models such as functional, static, and dynamic.

최근 사이버공격이 활성화됨에 따라 이러한 많은 공격사례들이 다양한 매체를 통해 접해지고 있다. 사이버공격에 대한 보안공학이나 역공학에 대한 연구는 활발하지만, 이들을 통합하고 비용효과적인 공격공학을 통해 공격시스템을 연계하여 적용시킨 연구는 부족하다. 본 논문에서는, 보안강화형 정보시스템을 보안공학적으로 개발하고, 역공학을 통해 취약점을 식별한다. 이 취약점을 이용하여 공격공학을 통해 공격시스템을 구축하거나 리모델링하는 생명주기모델을 비교 분석하여 각 시스템의 구조 및 행동을 명세화하고, 더욱 실효성 있는 모델링을 제안한다. 또한, 기존의 모델 도구를 확장하여 공격방법 및 시나리오를 기능적, 정적, 동적과 같은 모델의 관점에서 명세하는 도형적 공격명세모델을 제시한다.

Keywords

References

  1. J. W. Jung, J. D. Kim, Myeong-Gyun Song, Chul-Gu Jin, "A study on Development of Certification Schemes for Cloud Security", Journal of digital Convergence , Vol. 13, No. 8, pp. 43-49, 2015. https://doi.org/10.14400/JDC.2015.13.8.43
  2. M. S. Gu, YongZhen Li, "A Study of Countermeasures for Advanced Persistent Threats attacks by malicious code," Journal of IT Convergence Society for SMB, Vol. 5, No. 4, pp. 37-42, 2015
  3. J. H. Allen, S. Barnum, Robert J, Software security engineering - A guide for project managers, Addison-Wesley Professional, pp. 315, 2008.
  4. M. Ramachandran, Software Security Engineering - Design and applications, Nova Science Publishers, Inc., p. 272, 2012.
  5. R. Ross, M. McEvilley, J. C. Oren, Systems security engineering - Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, NIST SP 800-160, pp. 242, 2016.
  6. Common Criteria for Information Technology Security Evaluation, Part1, Part2, Part3 Version 3.1, Revision 4, CCRA, 2012.
  7. Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 4, CCRA, 2012.
  8. Kelley Dempsey, Security and Privacy Controls for Federal Information Systemsand Organizations, NIST SP 800-53 Revision 4, 2013.
  9. http://www.commoncriteriaportal.org.
  10. E. Gamma, et al., Design patterns - elements of reusable object-oriented software, Addison-Wesley, pp. 431, 1995.
  11. C. Dougherty, Secure Design Patterns, SEI, CMU, 2009.
  12. C Secure Coding Guide for e-government SW Development - Operation, Ministry of the Interior, 11-1311000-000330-10, pp. 212, 2012.9.
  13. Java Secure Coding Guide for e-government SW Development - Operation, Ministry of the Interior, 11-1311000-000330-10, pp. 320, 2012.9.
  14. https://cve.mitre.org/cve.
  15. https://www.owasp.org,/index.php/OWASP_Testing_Guide_v4_Table_of_Contents 2017.
  16. J. H. Kim, J. Y. Go, K. H. Lee, "A Scheme of Social Engineering Attacks and Countermeasures Using Big Data based Conversion Voice Phishing", Journal of The Korea Convergence Society", Vol. 6, No. 1, pp. 85-91, 2015 https://doi.org/10.15207/JKCS.2015.6.1.085
  17. H. S. Yang, "A Study on Multi-level Attack Detection Technique based on Profile Table", Journal of The Korea Society of Digital Industry and Information Management, Vol. 10, No. 4, pp89-96, 2014 https://doi.org/10.17662/ksdim.2014.10.1.089
  18. https://insights.sei.cmu.edu/sei_blog/2013/11/using-v-models-for-testing.html.
  19. K. M. Goertztel, et al., Software security assurance, IATAC and DACS, 2007.
  20. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=overflow.
  21. https://cve.mitre.org/data/downloads/index.html.
  22. https://www.exploit-db.com/.
  23. http://www.cert.org/secure-coding/tools/.
  24. https://www.microsoft.com/en-us/SDL.
  25. P. Manadhata and J. M. Wing, "An Attack Surface Metric," IEEE Transactions on Software Engineering, Vol. 37, Vo. 3, 2011.
  26. https://www.surfwatchlabs.com/.
  27. R. M. Blank, Guide for Conducting Risk Assessments, NIST SP 800-30, 2012.
  28. https://capec.mitre.org.
  29. Alexander I. "Misuse Cases: Use Cases with Hostile Intent," IEEE Software, Vol. 20, No. 1, pp.58-66, 2003. https://doi.org/10.1109/MS.2003.1159030
  30. Sindre, G., Opdahl A.L. Eliciting Security Requirements with Misuse Cases. Requirements Engineering 10(1), pp. 34-44, 2005. https://doi.org/10.1007/s00766-004-0194-4
  31. Barbara Kordy, Ludovic Pietre-Cambacedes, Patrick Schweitzer, DAG-Based Attack and Defense Modeling: Don' Miss the Forest for the Attack Trees, Computer Science Review, Vol. 13, pp. 1-38, 2014.
  32. J. H. Eom, Park, S. H, Chung, Tai M, "A Study on an Extended Cyber Attack Tree for an Analysis of Network Vulnerability", Journal of the Korea Society of Digital Industry and Information Management, Vol. 6, No. 3, pp. 49-57, 2010
  33. G. Lee, J Lee, "Petri Net based Models for Specification and Analysis of Cryptographic Protocols", The Journal of Systems and Software, Vol. 37, pp. 141-159, 1997. https://doi.org/10.1016/S0164-1212(96)00112-4
  34. Yongfu Zhou, "The Network Attack Model based on Hierarchical Expanded Stochastic Petri Net", International Journal of Security and Its Applications, Vol.8, No.6, pp.161-172, 2014. https://doi.org/10.14257/ijsia.2014.8.6.15
  35. Peter Karpati, Guttorm Sindre, "Towards a hacker attack representation method", Proceedings of the 5th International Conference on Software and Data Technologies, pp. 92-101, 2010.
  36. https://capec.mitre.org/documents/An_Introduction_to_Attack_Patterns_as_a_Software_Assurance_Knowledge_Resource.pdf.
  37. Schneider, Thorsten, "Secure Software Engineering Processes: Improving the Software Development Life Cycle to Combat Vulnerability", Software Quality Professional 8, no. 1, 2006.
  38. I. Flechais, C. Mascolo, M. Angela Sasse, "Integrating Security and Usability into the Requirements and Design Process", International Journal of Electronic Security and Digital Forensics, Vol. 1, Issue 1, pp. 12-26, 2006. https://doi.org/10.1504/IJESDF.2007.013589
  39. https://www.owasp.org/images/7/76/Jim_Manico_(Hamburg)_-_Securiing_the_SDLC.pdf.
  40. http://resources.sei.cmu.edu/asset_files/whitepaper/2013_019_001_297287.pdf.
  41. http://resources.sei.cmu.edu/asset_files/presentation/2016_017_001_493912.pdf.
  42. A. S. Sodiya,S. A. Onashoga, O. B. Ajayi, "Towards building secure software systems", Proceedings of Issues in Informing Science and Information Technology, Vol. 3, pp. 637-644, 2006.
  43. M. Zulkernine and S. I. Ahamed, Software Security Engineering: Toward Unifying Software Engineering and Security Engineering, Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues, pp. 19, 2006.