تعداد نشریات | 38 |
تعداد شمارهها | 1,247 |
تعداد مقالات | 9,039 |
تعداد مشاهده مقاله | 8,064,408 |
تعداد دریافت فایل اصل مقاله | 4,835,855 |
ارزیابی امنیتی خودکار مسیرهای تهدید مبتنی بر شبکههای پتری | ||
پدافند الکترونیکی و سایبری | ||
مقاله 8، دوره 9، شماره 4 - شماره پیاپی 36، اسفند 1400، صفحه 87-98 اصل مقاله (1.07 M) | ||
نوع مقاله: مقاله پژوهشی | ||
نویسندگان | ||
محمد علی رمضان زاده1؛ بهنام برزگر* 2؛ همایون موتمنی3 | ||
1دانشجوی دکتری، گروه کامپیوتر، دانشکده فنی ومهندسی، دانشگاه آزاد اسلامی واحد ساری، ساری، ایران | ||
2استادیار، گروه کامپیوتر، دانشکده فنی مهندسی، دانشگاه آزاد اسلامی واحد بابل، بابل، ایران | ||
3دانشیار، گروه کامپیوتر، دانشگاه ازاد اسلامی واحد ساری، ساری، ایران | ||
تاریخ دریافت: 19 مرداد 1400، تاریخ بازنگری: 15 آبان 1400، تاریخ پذیرش: 22 آذر 1400 | ||
چکیده | ||
چالش امنیت کلید واژه مشترک و بسیار مهم در میان فناوریهای نوظهور مانند اینترنت اشیا، اینترنت وسایل حمل و نقل، سلامت الکترونیکی و غیره میباشد و عدم توجه به این چالش، گاهی صدمات جانی و مالی جبران ناپذیری برای انسانها در زندگی روزمره ایجاد خواهد کرد. از سویی دیگر، شناسایی و استخراج نیازمندیهای امنیتی و تهدیدهای احتمالی در سیستمهای مقیاس بزرگ و تعاملی در فاز طراحی نیازمند مدلسازی تهدیدها میباشد که روشهای موجود بیشتر بهصورت دستی همراه با خطا، صرف هزینه، زمان و عدم ارزیابی تمام احتمالهای ممکن میباشد. روش پیشنهادی با نام ارزیابی امنیتی خودکار مسیرهای تهدید بهعنوان راهحلی خودکار برای شناسایی و استخراج تهدیدهای احتمالی ارائهشده است. در روش پیشنهادی با افزودن قابلیتهای جدید مانند، احتمال شرطی و امنیت به شبکههای پتری امکان تولید خودکار مسیرهای تهدید و ارزیابی امنیتی خودکار بهصورت کمی وکیفی از مدلهای تهدید ایجاد شده است. روش ارائهشده با سناریوهای مختلف امنیتی سنجش و ارزیابی شده و نتایج بهدست آمده نشان میدهد که روش پیشنهادی در مقایسه با سایر روشهای موجود تمام خودکار و دارای تضمین امنیتی سطح بالا میباشد. | ||
کلیدواژهها | ||
نیازمندیهای امنیتی؛ مدلسازی تهدید؛ ارزیابی خودکار؛ مسیر تهدید؛ گراف دسترسی؛ شبکههای پتری | ||
عنوان مقاله [English] | ||
The Automated Security Evaluation of Threat Paths Based on Petri Nets | ||
نویسندگان [English] | ||
mohammad ali ramazanzadeh1؛ behnam barzegar2؛ Homayun motameni3 | ||
1PhD Student, Department of Computer, Faculty of Engineering, Islamic Azad University, Sari Branch, Sari, Iran | ||
2Assistant Professor, Department of Computer, Faculty of Engineering, Islamic Azad University, Babol Branch, Babol, Iran | ||
3Associate Professor, Department of Computer, Islamic Azad University, Sari Branch, Sari, Iran | ||
چکیده [English] | ||
The key challenge to be well addressed in case of emerging technologies such as the Internet of Things, Internet of Transportation, e-Health, etc. is the security. Ignoring this challenge can sometimes cause irreparable personal and financial damage to human beings in everyday life. On the other hand, to identify and extract security requirements and potential threats in the design phase of large-scale and interactive systems, there is a need to model the threats. The problem is that the existing modelling methods are mostly manual, which are inherently associated with errors, cost, time consumption, and failure to evaluate all conceivable possibilities. The present paper proposes a new method, called “Automated Security Evaluation of Threat Paths”, as an automated solution to the problem of identifying and extracting potential threats. In the proposed method, by adding new capabilities such as conditional probability and security to Petri Nets, it is possible not only to automatically generate the threat paths, but also to automatically evaluate the security of threat models in both quantitative and qualitative ways. In this paper, the performance of the proposed method was evaluated under different security scenarios, and the results showed that, compared to other existing methods, the proposed method offers a higher level of security assurance and also, it is fully automated, unlike the existing methods . | ||
کلیدواژهها [English] | ||
Security requirements, Threat modelling, Automated evaluation, Threat path, Reachability graph, Petri Nets | ||
مراجع | ||
[1]
|
M. Shunmei, G. Zijian, L. Qianmu, W. Hao, D. Hong-Ning and Q. Lianyong, "Security-Driven hybrid collaborative recommendation method for cloud-based iot services," Computers & Security, 2020.
|
|
[2]
|
Z. Mahmood, "Connected vehicles in the iov: Concepts, technologies and architectures," In: Connected vehicles in the internet of things : Springer, 2020.
|
|
[3]
|
A. Kumar, A. K. Jain and M. Dua, "A comprehensive taxonomy of security and privacy issues in RFID," Complex Intell. Syst., 2021.
|
|
[4]
|
G. Tripathi, M. Ahad and M. Sathiyanarayanan, "The role of blockchain in internet of vehicles (iov): Issues, challenges and opportunities," In: 2019 international conference on contemporary computing and informatics (IC3I). IEEE, pp. 26-31, 2019.
|
|
[5]
|
L. Sleem, H. N. Noura and R. Couturier, "Towards a secure ITS: Overview, challenges and solutions," Journal of Information Security and Applications, vol. 55, 2020.
|
|
[6]
|
M. Zhang, C. Chen, T. Wo, T. Xie, M. Bhuiyan and X. Lin, "Safedrive: online driving anomaly detection from large-scale vehicle data," IEEE Trans Ind Inf, vol. 13, no. 4, pp. 2087-96, 2017.
|
|
[7]
|
O. Abu Waraga, M. Bettayeb, Q. Nasir and M. Abu Talib, "Design and Implementation of Automated IoT Security Testbed," Computers & Security, vol. 88, 2020.
|
|
[8]
|
B. D. Deebak and F. AL-Turjman, "Secure-user sign-in authentication for IoT-based eHealth systems," Complex Intell. Syst, 2021.
|
|
[9]
|
S. Tanwar, K. Parekh and R. Evans, "Blockchain-based electronic healthcare record system for healthcare 4.0 applications," Journal of Information Security and Applications, 2020.
|
|
[10]
|
L. Chen , W. Lee , C.-H. Chang, K.-K. Raymond Choo and N. Zhang , "Blockchain based searchable encryption for electronic health record sharing," Fut Gener Comput Syst, vol. 95, pp. 420-9, 2019.
|
|
[11]
|
D. Xu, M. Tu, M. Sanford, L. Thomas, D. Woodraska and W. Xu, "Automated Security Test Generation with Formal Threat Models," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 4, pp. 526-540, 2012.
|
|
[12]
|
B. Barzegar and H. Motameni, "Modeling and simulation firewall using Colored Petri Nets," World Appl. Sci. j, vol. 15, no. 6, pp. 826-830, 2011.
|
|
[13]
|
B. Barzegar, S. Ghanbari, H. Bozorgi and M. Rahimi, "Modeling and simulation of traffic lights and controller unit systems by Colored Petri Nets," Int. j. Phys. Sci, vol. 6, no. 34, pp. 7760-7770, 2011.
|
|
[14]
|
W. Arsac, G. Bella, X. Chantry and L. Compagna, "Multi-Attacker Protocol Validation," Journal of Automated Reasoning, vol. 46, no. 4, pp. 353-388, 2011. |
|
[15]
|
A. O. Baquero, A. J. Kornecki and J. Zalewski, "Threat Modeling for Aviation Computer Security," Fusing IT & Real-Time Tactical, vol. 28, pp. 21-27, 2015.
|
|
[16]
|
S. Musman and A. Turner, "A game oriented approach to minimizing cybersecurity risk," International Journal of Safety and Security Engineering, vol. 8, no. 2, pp. 212-222, 2018.
|
|
[17]
|
W. Xiong and R. Lagerström, " Threat modeling -- A systematic literature review," Computers & Security, vol. 84, pp. 53-69, 2019.
|
|
[18]
|
H. Holm, M. Buschle, R. Lagerstrom and M. Ekstedt, "Automated data collection for enterprise architecture models," Softw syst model, vol. 13, no. 2, p. 825, 2014.
|
|
[19]
|
P. Närman, P. Johnson, R. Lagerström, U. Franke and M. Ekstedt, " Data Collection Prioritization for System Quality Analysis," Electronic Notes in Theoretical Computer Science, vol. 233, pp. 29-42, 2009.
|
|
[20]
|
R. Jiang, R. Lu, Y. Wang, J. Luo, C. Shen and X. S. Shen, "Energy-Theft Detection Issues for Advanced Metering Infrastructure in Smart Grid," Science and Technology, vol. 19, no. 2, pp. 105-120, 2014.
|
|
[21]
|
A. Almulhem, "Threat Modeling for Electronic Health Record Systems," Journal of Medical Systems, vol. 36, no. 5, 2012.
|
|
[22]
|
A. Almulhem, "Threat modeling of a multi-UAV system," Transportation Research Part A: policy and practice, pp. 290-295, 2020.
|
|
[23]
|
D. Pei, L. Zhang and D. Massey, "A framework for resilient Internet routing protocols," IEEE Network, vol. 18, no. 2, pp. 5-12, 2004.
|
|
[24]
|
X. Liu, P. Zhu, Y. Zhang and K. Chen, "A Collaborative Intrusion Detection Mechanism Against False Data Injection Attack in Advanced Metering Infrastructure," IEEE Transactions on Smart Grid, vol. 6, no. 5, pp. 435-443, 2015.
|
|
[25]
|
J. C. Pendergrass, K. Heart, C. Ranganathan and V. N. Venkatakrishnan, "A threat table based assessment of information security in telemedicine," International Journal of Healthcare Information Systems and Informatics, vol. 9, no. 4, pp. 20-31, 2014.
|
|
[26]
|
P. Bedi, V. Gandotra, A. Singhal, H. Narang and S. Sharma, "Threat-oriented security framework in risk management using multiagent system," Software:P ractice and Experience, vol. 43, pp. 1013-1038, 2013.
|
|
[27]
|
G. Brændeland, A. Refsdal and K. Stølen, "Modular analysis and modelling of risk scenarios with dependencies," The Journal of Systems & Software, vol. 83, no. 10, pp. 1995-2013, 2010.
|
|
[28]
|
A. V. Uzunov and E. B. Fernandez,, "An extensible pattern-based library and taxonomy of security threats for distributed systems," Computer Standards & Interfaces, vol. 36, no. 4, pp. 734-747, 2014.
|
|
[29]
|
R. N. Dahbul, C. Lim and J. Purnama, "Enhancing Honeypot Deception Capability Through Network Service Fingerprinting," Journal of Physics:Conference Series, pp. 1-6, 2017.
|
|
[30]
|
D. Xu and K. E. Nygard, "Threat-Driven Modeling and Verification of Secure Software Using Aspect-Oriented Petri Nets," IEEE Transactions on Software Engineering, vol. 32, no. 4, pp. 265-278, 2006.
|
|
[31]
|
D. Seifert and H. Reza, "A Security Analysis of Cyber-Physical Systems Architecture for Healthcare," Computers, vol. 5, no. 27, pp. 1-24, 2016.
|
|
[32]
|
M. Kalinin and A. Konoplev, "Formalization of objectives of grid systems resources protection against unauthorized access," Nonlinear Phenomena in Complex Systems, vol. 17, no. 3, pp. 272-277, 2014.
|
|
[33]
|
J. Meszaros and A. Buchalcevova, "Introducing OSSF: A framework for online service cybersecurity risk management," Computers & Security, vol. 65, pp. 300-313, 2017.
|
|
[34]
|
X. Chen, Y. Liu and J. Yi, "A Security Evaluation Framework Based on STRIDE Model for Software in Networks," International Journal of Advancements in Computing Technology, vol. 4, no. 13, pp. 269-278, 2012.
|
|
[35]
|
V. Olawumi, K. Haataja and P. Toivanen, "Security Issues in Smart Homes and Mobile Health System: Threat Analysis, Possible Countermeasures and Lessons Learned," International Journal on Information Technologies & Security, vol. 9, no. 1, p. 31, 2017.
|
|
[36]
|
M. Frydman, G. Ruiz, E. Heymann, E. César and B. P. Miller, "Automating Risk Analysis of Software Design Models," The Scientific World Journal, pp. 1-12, 2014.
|
|
[37]
|
Microsoft, "object-oriented programing," Microsoft, 2020. [Online]. Available: https://docs.microsoft.com/en-us/dotnet/csharp/tutorials/intro-to-csharp/object-oriented-programming.
|
|
[38]
|
Microsoft, "Inheritance," Microsoft, 2020. [Online]. Available: https://docs.microsoft.com/en-us/dotnet/csharp/programming-guide/classes-and-structs/inheritance. |
|
[39]
|
K. Shoushian, A. J. Rashidi and A. R. Mirghadri, "Probabilistic Modeling of Obfuscated Multi-Stage Cyber Attacks," Journal of Electronical & Cyber Defence, vol. 8, no. 2, p. 61, 2020, (In Persion). |