TREsPASS: Plug-and-Play Attacker Profiles for Security Risk Analysis (Poster)

Wolter Pieters, Dina Hadziosmanovic, Aleksandr Lenin, Lorena Montoya, Jan Willemson

    Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Academic; peer-review

    Abstract

    Existing methods for security risk analysis typically estimate time, cost, or likelihood of success of attack steps. When the threat environment changes, such values have to be updated as well. However, the estimated values reflect both system properties and attacker properties: the time required for an attack step depends on attacker skill as well as the strength of a particular system component. In the TRESPASS project, we propose the separation of attacker and system properties. By doing so, we enable "plug-and-play" attacker profiles: profiles of adversaries that are independent of system properties, and thus can be re-used in the same or different organisation to compare risk in case of different attacker profiles. We demonstrate its application in the framework of attack trees, as well as our new concept of attack navigators.

    Original language: English
    Title of host publication: 35th IEEE Symposium on Security and Privacy
    Place of Publication: Piscataway, New Jersey
    Publisher: IEEE Computer Society
    Number of pages: 2
    Publication status: Published - May 2014
    Event: 35th IEEE Symposium on Security and Privacy 2014 - The Fairmont, San Jose, United States
    Duration: 18 May 2014 to 21 May 2014
    Conference number: 35
    http://www.ieee-security.org/TC/SP2014/

    Conference

    Conference: 35th IEEE Symposium on Security and Privacy 2014
    Country: United States
    City: San Jose
    Period: 18/05/14 to 21/05/14
    Keywords

    • EC Grant Agreement nr.: FP7/2007-2013
    • EC Grant Agreement nr.: FP7/318003

    Cite this

    Pieters, W., Hadziosmanovic, D., Lenin, A., Montoya, L., & Willemson, J. (2014). TREsPASS: Plug-and-Play Attacker Profiles for Security Risk Analysis (Poster). In 35th IEEE Symposium on Security and Privacy. Piscataway, New Jersey: IEEE Computer Society.