SMART: Security Model Adversarial Risk-based Tool
DOI:
https://doi.org/10.15662/IJRAI.2022.0502003Keywords:
SMART, Adversarial Risk Modeling, Attack Graphs, CVE Analysis, Security Risk Assessment, Cybersecurity Metrics, CVSS Scoring, System Security DesignAbstract
As development and deployment of secure systems continue to grow at scale, there is an equal need to evaluate these systems for vulnerabilities and other problems. However, the process of evaluating these designs is complicated and mainly proprietary to the group performing the evaluation. Generally, one follows the generic risk equation of probability and impact. In addition, one should examine the costs related to the adversary and the defender of a system. Without accounting for all of these different aspects, one cannot expect to properly assess the security of a system model or design. This work presents a security model adversarial risk-based tool (SMART) for systems security design evaluation. Our tool reads in a systems security model an attack graph and collects the necessary information for the purpose of determining the best solution based on a calculated security risk represented as a monetary amount. The advantage of the tool is the level of automation provided in the evaluation of security attack trees while providing meaningful metrics that are effortless to compare.
References
1. Yin, Z., Jain, M., et al. (2012). Game-theoretic resource allocation for malicious packet detection in computer networks. In Proceedings of the 11th International Conference on Autonomous Agents and Multiagent Systems (AAMAS). Richland, SC: IFAAMAS.
2. Durkota, K., Lisy, V., Kiekintveld, C., et al. (2015). Game-theoretic algorithms for optimal network security hardening using attack graphs. In Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS ’15). Richland, SC: IFAAMAS.
3. Blocki, J., Christin, N., Datta, A., et al. (2013). Audit games. In Proceedings of the 23rd International Joint Conference on Artificial Intelligence (IJCAI).
4. Blocki, J., Christin, N., Datta, A., et al. (2015). Audit games with multiple defender resources. In AAAI Conference on Artificial Intelligence (AAAI). Palo Alto, CA: AAAI Press.
5. von Stackelberg, H. (1934). Marktform und Gleichgewicht. Vienna: Springer.
6. Kiekintveld, C., Jain, M., Tsai, J., et al. (2009). Computing optimal randomized resource allocations for massive security games. In Proceedings of the 8th International Conference on Autonomous Agents and Multiagent Systems (AAMAS), 689–696. Richland, SC: IFAAMAS.
7. Leitmann, G. (1978). On generalized Stackelberg strategies. Journal of Optimization Theory and Applications, 26, 637–643.
8. Navandar, Pavan. "Fortifying cybersecurity in Healthcare ERP systems: unveiling challenges, proposing
9. Navandar, Pavan. " Enhancing Security with Two-Factor Authentication in SAP Fiori Applications" Journal of Scientific and Engineering Research 5, no. 10 (2018):329-33.
10. Navandar, Pavan. " Segregation of Duties (SoD) Risks in SAP Security: Mitigation Strategies and Best Practices" Journal of Scientific and Engineering Research 6, no. 9 (2019):206-206.
11. Navandar, Pavan. " SAP Security is key for Business Success for ERP system" Journal of Scientific and Engineering Research 5, no. 6 (2018):398-400.
12. Breton, M., Alg, A., & Haurie, A. (1988). Sequential Stackelberg equilibria in two-person games. Journal of Optimization Theory and Applications, 59, 71–97.
13. Conitzer, V., & Sandholm, T. (2006). Computing the optimal strategy to commit to. In Proceedings of the ACM Conference on Electronic Commerce (ACM-EC), 82–90.
14. Paruchuri, P., Pearce, J. P., Marecki, J., et al. (2008). Playing games with security: An efficient exact algorithm for Bayesian Stackelberg games. In Proceedings of the 7th International Conference on
15. Autonomous Agents and Multiagent Systems (AAMAS), 895–902. Richland, SC: IFAAMAS.
16. Navandar, Pavan. "Enhancing Cybersecurity in Airline Operations through ERP Integration: A Comprehensive Approach." Journal of Scientific and Engineering Research 5, no. 4 (2018): 457-462.
17. Navandar, Pavan. " Enhancing Governance, Risk, and Compliance (GRC)" Journal of Scientific and Engineering Research 7, no. 3 (2020):250-256.
18. Navandar, P. (2021). Fortifying cybersecurity in Healthcare ERP systems: unveiling challenges, proposing solutions, and envisioning future perspectives. Int J Sci Res, 10(5), 1322-1325.
19. Korzhyk, D., Conitzer, V., & Parr, R. (2010). Complexity of computing optimal Stackelberg strategies in security resource allocation games. In Proceedings of the 24th AAAI Conference on Artificial Intelligence, 805–810.
20. Yin, Z., Jain, M., Tambe, M., et al. (2011). Risk-averse strategies for security games with execution and observational uncertainty. In Proceedings of the 25th AAAI Conference on Artificial Intelligence, 758–763.
21. Navandar, P. (2021). "Developing Advanced Fraud Prevention Techniques using Data Analytics and ERP Systems" Int J Sci Res, 10(5), 1326-1329.
22. An, B., Tambe, M., Ordonez, F., et al. (2011). Refinement of strong Stackelberg equilibria in security games. In Proceedings of the 25th Conference on Artificial Intelligence, 587–593.
23. Pita, J., John, R., Maheswaran, R., et al. (2012). A robust approach to addressing human adversaries in security games. In European Conference on Artificial Intelligence (ECAI). Amsterdam: IOS Press.
24. Jain, M., Kardes, E., Kiekintveld, C., et al. (2010). Security games with arbitrary schedules: A branch-and-price approach. In Proceedings of the 24th AAAI Conference on Artificial Intelligence, 792–797.
25. P. Navandar, "Optimizing SAP roles for efficient enterprise resource planning," Int. J. Sci. Res. (IJSR), vol. 9, no. 1, pp. 1932–1934, Jan. 2020, doi: 10.21275/SR24529194621.
26. P. Navandar, " Mitigating Financial Fraud in Retail through ERP System Controls” Int. J. Sci. Res. (IJSR), vol. 9, no. 4, pp. 1823–1827,
27. Navandar, Pavan. " Unveiling the Power of Data Masking: Safeguarding Sensitive Information in the Digital Age" International Journal of Core Engineering & Management 5, no.6 (2019): 27-32.
