Home > Foreign-language conferences > IEEE International Requirements Engineering Conference > Holistic security requirements analysis: An attacker's perspective

Holistic security requirements analysis: An attacker's perspective


Abstract

The ever-growing complexity of systems makes their protection more challenging, as a single vulnerability or exposure of any component of the system can lead to serious security breaches. This problem is exacerbated by the fact that the system development community has not kept up with advances in attack knowledge. In this demo paper, we propose a holistic attack analysis approach to identify and tackle both atomic and multistage attacks, taking into account not only software attacks but also attacks that are targeted at people and hardware. To bridge the knowledge gap between attackers and defenders, we systematically analyze and refine the malicious desires of attackers (i.e., anti-goals), and leverage a comprehensive attack pattern repository (CAPEC) to operationalize attacker goals into concrete attack actions. Based on the results of our attack analysis, appropriate security controls can be selected to effectively tackle potential attacks.