Here you will find scientific publications from the Fraunhofer Institutes.

A property based security risk analysis through weighted simulation

Winkelvos, T.; Rudolph, C.; Repp, J.


Institute of Electrical and Electronics Engineers -IEEE-:
10th Annual Information Security South Africa Conference, ISSA 2011. Proceedings : 15-17 Aug. 2011, Johannesburg, South Africa
ISBN: 1-4577-1481-7
ISBN: 978-1-4577-1481-8
Art. 6027534, 8 pp.
Annual Information Security South Africa Conference (ISSA) <10, 2011, Johannesburg>
Conference Paper
Fraunhofer SIT

The estimation of security risks in complex information and communication technology systems is an essential part of risk management processes. A proper computation of risks requires a good knowledge about the probability distributions of different upcoming events or behaviours. Usually, technical risk assessment in Information Technology (IT) systems is concerned with threats to specific assets. However, for many scenarios it can be useful to consider the risk of the violation of particular security properties. The set of suitable qualities comprises authenticity of messages or non-repudiability of actions within the system but also more general security properties like confidentiality of data. Furthermore, as current automatic security analysis tools are mostly confined to a technical point of view and thereby missing implications on an application or process level, it is of value to facilitate a broader view including the relation between actions within the IT system and their external influence. The property based approach aims to help assessing risks in a process-oriented or service level view of a system and also to derive a more detailed estimation on a technical level. Moreover, as systems' complexities are growing, it becomes less feasible to calculate the probability of all patterns of a system's behaviour. Thus, a model based simulation of the system is advantageous in combination with a focus on precisely defined security properties. This paper introduces the first results supporting a simulation based risk analysis tool that enables a security property oriented view of risk. The developed tool is based on an existing formal validation, verification and simulation tool, the Simple Homomorphism Verification Tool (SHVT). The new simulation software provides a graphical interface for a monitor automaton which facilitates the explicit definition of security properties to be investigated during the simulation cycles. Furthermore, in order to model different