Results 1 - 10 of 23
Security Engineering with Patterns
- Lecture Notes in Computer Science, LNCS 2754, 2002
Cited by 26 (1 self)
Conducting digital business requires secure network and application architectures. The recently increasing occurrence of severe attacks has shown, however, that we will still need quite some time and effort to reach security standards of IT systems alike the standard already usual in other fields. At present, there is a huge gap between theory and the code of practice. Whereas scientists work on formal approaches for the specification and verification of security requirements, practitioners have to meet the users' requirements. The Pattern Community recognized this problem, too. Patterns literally capture the experience from experts in a structured way. Thus novices can benefit from know-how and skills of experts. Hence, we propose to apply the pattern approach to the security problem. We show that recent security approaches are not sufficient and describe how Security Patterns contribute to the overall process of security engineering. A Security Pattern System provides linkage between Security Patterns. Thus dependencies between specific security problems can be considered in a comprehensive way.
Practical Attack Graph Generation for Network Defense
- 2006
Cited by 23 (1 self)
Attack graphs are a valuable tool to network defenders, illustrating paths an attacker can use to gain access to a targeted network. Defenders can then focus their efforts on patching the vulnerabilities and configuration errors that allow the attackers the greatest amount of access. We have created a new type of attack graph, the multiple-prerequisite graph, that scales nearly linearly as the size of a typical network increases. We have built a prototype system using this graph type. The prototype uses readily available source data to automatically compute network reachability, classify vulnerabilities, build the graph, and recommend actions to improve network security. We have tested the prototype on an operational network with over 250 hosts, where it helped to discover a previously unknown configuration error. It has processed complex simulated networks with over 50,000 hosts in under four minutes.
Optimal security hardening using multi-objective optimization on attack tree models of networks
- In CCS’07, 2007
Cited by 9 (0 self)
Researchers have previously looked into the problem of determining if a given set of security hardening measures can effectively make a networked system secure. Many of them also addressed the problem of minimizing the total cost of implementing these hardening measures, given costs for individual measures. However, system administrators are often faced with a more challenging problem since they have to work within a fixed budget which may be less than the minimum cost of system hardening. Their problem is how to select a subset of security hardening measures so as to be within the budget and yet minimize the residual damage to the system caused by not plugging all required security holes. In this work, we develop a systematic approach to solve this problem by formulating it as a multi-objective optimization problem on an attack tree model of the system and then use an evolutionary algorithm to solve it.
Writing effective security abuse cases
- 2004
Cited by 5 (2 self)
We grow increasingly dependent on the appropriate operation of computer-based systems. One aspect of such systems is security. As systems become more complex current means of analysis will probably prove ineffective. In the safety domain a variety of analysis techniques has emerged over many years. These have proved surprisingly effective. Since the safety and security domains share many similarities, various authors have suggested that safety techniques might usefully find application in security. This report takes one such technique, HAZOPs, and applies it to one widely used informal design component – UML’s use cases.
Effective security requirements analysis: HAZOP and use cases
- In Information Security: 7th International Conference, volume 3225 of LNCS, 2004
Cited by 5 (4 self)
Abstract. Use cases are widely used for functional requirements elicitation. However, security non-functional requirements are often neglected in this requirements analysis process. As systems become increasingly complex current means of analysis will probably prove ineffective. In the safety domain a variety of effective analysis techniques have emerged over many years. Since the safety and security domains share many similarities, various authors have suggested that safety techniques might usefully find application in security. This paper takes one such technique, HAZOP, and applies it to one widely used functional requirement elicitation component, UML use cases, in order to provide systematic analysis of potential security issues at the start of system development.
Quantified security is a weak hypothesis: a critical survey of results and assumptions
- Proc. 2009 workshop on New security paradigms workshop, Sept.08-11, 2009
Cited by 5 (0 self)
This paper critically surveys previous work on quantitative representation and analysis of security. Such quantified security has been presented as a general approach to precisely assess and control security. We classify a significant part of the work between 1981 and 2008 with respect to security perspective, target of quantification, underlying assumptions and type of validation. The result shows how the validity of most methods is still strikingly unclear. Despite applying a number of techniques from fields such as computer science, economics and reliability theory to the problem it is unclear what valid results exist with respect to operational security. Quantified security is thus a weak hypothesis because a lack of validation and comparison between such methods against empirical data. Furthermore, many assumptions in formal treatments are not empirically well-supported in operational security and have been adopted from other fields. A number of risks are present with depending on quantitative methods with limited or no validation.
MODELING NETWORK EXPLOITATIONS USING EXPLOITATION GRAPHS An Approach to Model Network Exploitations Using Exploitation Graphs
- 2006
"... On behalf of: ..."
Possible Attacks on and Countermeasures for Secure Multi-Agent Computation
- CSREA “Proc. of Int. Conf. on Security and Management, 2004
Cited by 3 (2 self)
In this paper we analyse a modified version of the model for secure mobile multi-agent computation proposed by Endsuleit and Mie [8]. The modified version still maintains t max := d e 1 as upper limit of tolerable corrupted agents. The original publication is lacking a security analysis that takes into account real world factors. This paper provides such an analysis. We analyse t max looking at t max under realistic network assumptions. We use an attack tree to identify possible attacks and discuss countermeasures. We also consider concrete examples for framework and Alliance sizes. In addition, we discuss different possibilities to improve Alliance security and to mitigate Denial-of-Service (DoS) attacks.
Analyzing vulnerabilities and measuring security level at design and exploitation stages of computer network life cycle
- Stepashkin // Lecture
Cited by 2 (0 self)
Abstract. Vulnerability detection and security level estimation are actual tasks of protecting computer networks. The paper considers the models and architectures of intelligent components intended for active analyzing computer network vulnerabilities and estimating its security level. The offered approach is based on simulation of computer attacks on different levels of detail and intended for implementation at various stages of computer network life cycle, including design and exploitation stages.
Assessing the Effects of IT Changes on IT Risk – A Business Process-Oriented View
Cited by 2 (0 self)
Abstract: The economic relevance of IT risk is increasing due to various operational, technical as well as regulatory reasons. Increasing flexibility of business processes and rising dependability on IT require continuous risk assessment, challenging current methods of risk management. Extending these methods by a business process-oriented view is a promising approach for taking the occurring dynamics and interlinks into consideration. In this contribution, a layer based approach for systematic modeling of relations between causes (threats) and effects (direct and indirect loss) is pursued. On the basis of these cause-effect relations, the presented IT Risk Indicator InTRIn measures changes in the IT support of business processes. It is discussed how InTRIn can provide accurate and real-time information on the IT risk situation and thus improve IT risk management. 1 Flexible Business Processes and IT Risk The flexibility to adapt business processes to customers' changing demands is regarded as an important instrument for companies in order to be able to distinguish themselves from their competitors (e.g. [Sa95; BG05; Mi07]). To create flexibility, information

