Skip to main content
SpringerLink
Log in

Towards a Systematic Method for Developing Meta Attack Language Instances

  • Conference paper
  • First Online:
Enterprise, Business-Process and Information Systems Modeling (BPMDS 2022, EMMSAD 2022)

Part of the book series: Lecture Notes in Business Information Processing ((LNBIP,volume 450))

Abstract

Successfully developing domain-specific languages (DSLs) demands language engineers to consider their organizational context, which is challenging. Action design research (ADR) provides a conceptual framework to address this challenge. Since ADR’s application to the engineering of DSLs has not yet been examined, we investigate applying it to the development of threat modeling DSLs based on the Meta Attack Language (MAL), a metamodeling language for the specification of domain-specific threat modeling languages. To this end, we conducted a survey with experienced MAL developers on their development activities. We extract guidelines and align these, together with established DSL design guidelines, to the conceptual model of ADR. The research presented, aims to be the first step to investigate whether ADR can be used to systematically engineer DSLs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 64.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 84.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    MAL Survey https://forms.gle/Wuv5sJgqZSctgP4LA (Accessed 2021-06-01).

  2. 2.

    https://collaborate.mitre.org/attackics/index.php/Main_Page.

References

  1. Avdiji, H., Winter, R.: Knowledge gaps in design science research. In: ICIS 2019 (2019)

    Google Scholar 

  2. Barišić, A., Amaral, V., Goulão, M.: Usability evaluation of domain-specific languages. In: QUATIC 2012, pp. 342–347. IEEE (2012)

    Google Scholar 

  3. vom Brocke, J., Maedche, A.: The DSR grid: six core dimensions for effectively planning and communicating design science research projects. Electr. Mark. 29(3), 379–385 (2019)

    Article  Google Scholar 

  4. Burmester, S., Giese, H., Tichy, M.: Model-driven development of reconfigurable mechatronic systems with Mechatronic UML. In: Aßmann, U., Aksit, M., Rensink, A. (eds.) MDAFA 2003-2004. LNCS, vol. 3599, pp. 47–61. Springer, Heidelberg (2005). https://doi.org/10.1007/11538097_4

    Chapter  Google Scholar 

  5. Clark, T., van den Brand, M., Combemale, B., Rumpe, B.: Conceptual model of the globalization for domain-specific languages. In: Combemale, B., Cheng, B., France, R., Quel, JM., Rumpe, B. (eds.) Globalizing Domain-Specific Languages. LNCS, vol. 9400, pp. 7–20. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26172-0_2

  6. Combemale, B., France, R., Jézéquel, J.M., Rumpe, B., Steel, J., Vojtisek, D.: Engineering Modeling Languages: Turning Domain Knowledge into Tools. Chapman & Hall , November 2016

    Google Scholar 

  7. Cronholm, S., Göbel, H.: Guidelines supporting the formulation of design principles. In: ACIS 2018 (2018)

    Google Scholar 

  8. Dalkey, N., Helmer, O.: An experimental application of the Delphi method to the use of experts. Manag. Sci. 9, 351–515 (1963)

    Article  Google Scholar 

  9. Defense Use Case: Analysis of the cyber attack on the ukrainian power grid (2016). https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

  10. Deutskens, E., De Ruyter, K., Wetzels, M., Oosterveld, P.: Response rate and response quality of internet-based surveys: an experimental study. Mark. Lett. 15(1), 21–36 (2004)

    Article  Google Scholar 

  11. Dhillon, D.: Developer-driven threat modeling: lessons learned in the trenches. IEEE Secu. Privacy 9(4), 41–47 (2011)

    Article  Google Scholar 

  12. Ekstedt, M., Johnson, P., Lagerström, R., Gorton, D., Nydrén, J., Shahzad, K.: Securi CAD by Foreseeti: A CAD tool for enterprise cyber security management. In: EDOCW 2015, pp. 152–155. IEEE (2015)

    Google Scholar 

  13. Gregor, S., Hevner, A.R.: Positioning and presenting design science research for maximum impact. MIS Q. 37, 337–355 (2013)

    Google Scholar 

  14. Gregory, R.W., Muntermann, J.: Research note -heuristic theorizing: proactively generating design theories. Inf. Syst. Res. 25(3), 639–653 (2014)

    Article  Google Scholar 

  15. Hacks, S., Katsikeas, S.: Towards an ecosystem of domain specific languages for threat modeling. In: CAiSE 2021, pp. 3–18 (2021)

    Google Scholar 

  16. Hacks, S., Katsikeas, S., Ling, E., Lagerström, R., Ekstedt, M.: powerLang: a probabilistic attack simulation language for the power domain. Energy Informat. 3(1) (2020)

    Google Scholar 

  17. Haj-Bolouri, A., Bernhardsson, L., Rossi, M.: PADRE: a method for participatory action design research. In: Parsons, J., Tuunanen, T., Venable, J., Donnellan, B., Helfert, M., Kenneally, J. (eds.) DESRIST 2016. LNCS, vol. 9661, pp. 19–36. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39294-3_2

    Chapter  Google Scholar 

  18. Bichler, M.: Design science in information systems research. MIS Q 48(2), 133–135 (2006). https://doi.org/10.1007/s11576-006-0028-8

    Article  Google Scholar 

  19. Hölldobler, K., Rumpe, B., Wortmann, A.: Software language engineering in the large: towards composing and deriving languages. Comput. Lang. Syst. Struct. 54, 386–405 (2018)

    Google Scholar 

  20. Holm, H., Shahzad, K., Buschle, M., Ekstedt, M.: P\(^2\)CySeMoL predictive, probabilistic cyber security modeling language. IEEE TDSC 12(6), 626–639 (2015)

    Google Scholar 

  21. Jannaber, S., Riehle, D.M., Delfmann, P., Thomas, O., Becker, J.: Designing a framework for the development of domain-specific process modelling languages. In: Maedche, A., vom Brocke, J., Hevner, A. (eds.) DESRIST 2017. LNCS, vol. 10243, pp. 39–54. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59144-5_3

    Chapter  Google Scholar 

  22. Johnson, P., Lagerström, R., Ekstedt, M.: A meta language for threat modeling and attack simulations. In: ARES 2018, p. 38. ACM (2018)

    Google Scholar 

  23. Jones, C., Venable, J.R.: Integrating CCM4DSR into ADR to improve problem formulation. In: Hofmann, S., Müller, O., Rossi, M. (eds.) DESRIST 2020. LNCS, vol. 12388, pp. 247–258. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64823-7_23

    Chapter  Google Scholar 

  24. Kahraman, G., Bilgen, S.: A framework for qualitative assessment of domain-specific languages. Softw. Syst. Model. 14(4), 1505–1526 (2013). https://doi.org/10.1007/s10270-013-0387-8

    Article  Google Scholar 

  25. Kang, D., Lee, J., Choi, S., Kim, K.: An ontology-based enterprise architecture. Exp. Syst. Appl. 37(2), 1456–1464 (2010)

    Article  Google Scholar 

  26. Karsai, G., Krahn, H., Pinkernell, C., Rumpe, B., Schindler, M., Völkel, S.: Design guidelines for domain specific languages. In: DSM’09, pp. 7–13 (2009)

    Google Scholar 

  27. Katsikeas, S., Hacks, S., Johnson, P., Ekstedt, M., Lagerström, R., Jacobsson, J., Wällstedt, M., Eliasson, P.: An attack simulation language for the IT domain. In: Eades III, H., Gadyatskaya, O. (eds.) GraMSec 2020. LNCS, vol. 12419, pp. 67–86. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-62230-5_4

    Chapter  Google Scholar 

  28. Katsikeas, S., Johnson, P., Hacks, S., Lagerström, R.: Probabilistic modeling and simulation of vehicular cyber attacks: an application of the meta attack language. In: ICISSP 2019 (2019)

    Google Scholar 

  29. Kelly, S., Pohjonen, R.: Worst practices for domain-specific modeling. IEEE Softw. 26(4), 22–29 (2009)

    Article  Google Scholar 

  30. Kelly, S., Tolvanen, J.P.: Domain-Specific Modeling: Enabling Full Code Generation. John Wiley & Sons, New York (2008)

    Google Scholar 

  31. Ling, E., Lagerström, R., Ekstedt, M.: A systematic literature review of information sources for threat modeling in the power systems domain. In: Rashid, A., Popov, P. (eds.) CRITIS 2020. LNCS, vol. 12332, pp. 47–58. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-58295-1_4

    Chapter  Google Scholar 

  32. Maccani, G., Donnellan, B., Helfert, M.: Systematic problem formulation in action design research: the case of smart cities. In: ECIS 2014, January 2014

    Google Scholar 

  33. Medelyan, A.: Coding qualitative data: how to code qualitative research (2020). https://getthematic.com/insights/coding-qualitative-data/

  34. Mernik, M., Heering, J., Sloane, A.M.: When and how to develop domain-specific languages. ACM Comput. Surv. 37(4), 316–344 (2005)

    Article  Google Scholar 

  35. Nickerson, R.C., Varshney, U., Muntermann, J.: A method for taxonomy development and its application in information systems. Euro. J. Inf. Syst. 22(3), 336–359 (2013)

    Article  Google Scholar 

  36. Nielsen, P., Persson, J.: Engaged problem formulation in is research. Commun. Assoc. Inf. Syst. 38, 720–737 (2016)

    Google Scholar 

  37. O’Connor, C., Joffe, H.: Intercoder reliability in qualitative research: debates and practical guidelines. Int. J. Qual. Methods 19 (2020)

    Google Scholar 

  38. Peffers, K., Tuunanen, T., Rothenberger, M.A., Chatterjee, S.: A design science research methodology for information systems research. J. Manag. Inf. Syst. 24(3), 45–77 (2007)

    Article  Google Scholar 

  39. Popping, R.: Analyzing open-ended questions by means of text analysis procedures. Bull. Sociol. Methodol. 128(1), 23–39 (2015)

    Article  Google Scholar 

  40. Rencelj Ling, E., Ekstedt, M.: Generating threat models and attack graphs based on the IEC 61850 system configuration description language. In: AT-CPS 20’21, pp. 98–103. ACM (2021)

    Google Scholar 

  41. Rumpe, B.: Modeling with UML: Language, Concepts, Methods. Springer, Cham, July 2016. https://doi.org/10.1007/978-3-319-33933-7

  42. Sabbagh, B.A., Kowalski, S.: A socio-technical framework for threat modeling a software supply chain. IEEE Secur. Privacy 13(4), 30–39 (2015)

    Article  Google Scholar 

  43. Sein, M.K., Henfridsson, O., Purao, S., Rossi, M., Lindgren, R.: Action design research. MIS Q 35, 37–56 (2011)

    Google Scholar 

  44. Selic, B.: The theory and practice of modeling language design for model-based software engineering—a personal perspective. In: Fernandes, J.M., Lämmel, R., Visser, J., Saraiva, J. (eds.) GTTSE 2009. LNCS, vol. 6491, pp. 290–321. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-18023-1_7

    Chapter  Google Scholar 

  45. Shostack, A.: Threat Modeling : Designing for Security. Wiley, Hoboken (2014)

    Google Scholar 

  46. Torr, P.: Demystifying the threat modeling process. Secur Priv 3(5), 66–70 (2005)

    Article  Google Scholar 

  47. Uzunov, A., Fernandez, E.: An extensible pattern-based library and taxonomy of security threats for distributed systems. Comput. Stand. Int. 36(4), 734–747 (2014)

    Article  Google Scholar 

  48. Venable, J.: The role of theory and theorising in design science research. In: DESRIST 2006, pp. 1–18. Citeseer (2006)

    Google Scholar 

  49. Venable, J., Pries-Heje, J., Baskerville, R.: A comprehensive framework for evaluation in design science research. In: Peffers, K., Rothenberger, M., Kuechler, B. (eds.) DESRIST 2012. LNCS, vol. 7286, pp. 423–438. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29863-9_31

    Chapter  Google Scholar 

  50. Venable, J.R., Pries-Heje, J., Baskerville, R.: Choosing a design science research methodology. In: ACIS 2017 (2017)

    Google Scholar 

  51. Völter, M.: Best practices for DSLs and model-driven development. J. Object Technol. 8(6), 79–102 (2009)

    Article  Google Scholar 

  52. Vraalsen, F., Lund, M.S., Mahler, T., Parent, X., Stølen, K.: Specifying legal risk scenarios using the CORAS threat modelling language. In: Herrmann, P., Issarny, V., Shiu, S. (eds.) iTrust 2005. LNCS, vol. 3477, pp. 45–60. Springer, Heidelberg (2005). https://doi.org/10.1007/11429760_4

    Chapter  Google Scholar 

  53. Walter, R., Masuch, M.: How to integrate domain-specific languages into the game development process. In: ACE 2011, pp. 1–8 (2011)

    Google Scholar 

  54. Xiong, W., Lagerström, R.: Threat modeling - a systematic literature review. Comput. Secur. 84, 53–69 (2019)

    Article  Google Scholar 

  55. Xiong, W., Legrand, E., Åberg, O., Lagerström, R.: Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix. SoSyM (2021)

    Google Scholar 

  56. Yskout, K., Heyman, T., Van Landuyt, D., Sion, L., Wuyts, K., Joosen, W.: Threat modeling: from infancy to maturity. In: ICSE 2020, pp. 9–12. ACM (2020)

    Google Scholar 

Download references

Acknowledgements

This project has received funding from the European Union’s H2020 research and innovation program under the Grant Agreement No. 832907, the Swedish Centre for Smart Grids and Energy Storage (SweGRIDS), and the Deutsche Forschungsgemeinschaft (DFG) under Grant Agreement No. 441207927.

Author information

Authors and Affiliations

  1. KTH Royal Institute of Technology, Stockholm, Sweden

    Simon Hacks, Sotirios Katsikeas, Engla Rencelj Ling & Wenjun Xiong

  2. University of Stuttgart, Stuttgart, Germany

    Jérôme Pfeiffer & Andreas Wortmann

  3. University of Southern Denmark, Odense, Denmark

    Simon Hacks

Authors
  1. Simon Hacks
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sotirios Katsikeas
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Engla Rencelj Ling
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Wenjun Xiong
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Jérôme Pfeiffer
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Andreas Wortmann
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Simon Hacks .

Editor information

Editors and Affiliations

  1. The University of Melbourne, Carlton, VIC, Australia

    Adriano Augusto

  2. University of Technology Sydney, Ultimo, NSW, Australia

    Asif Gill

  3. TU Wien, Vienna, Austria

    Dominik Bork

  4. University Paris 1 Pantheon-Sorbonne, Paris, France

    Selmin Nurcan

  5. University of Haifa, Haifa, Israel

    Iris Reinhartz-Berger

  6. Hochschule für angewandte Wissenschaften München, Munich, Germany

    Rainer Schmidt

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Hacks, S., Katsikeas, S., Rencelj Ling, E., Xiong, W., Pfeiffer, J., Wortmann, A. (2022). Towards a Systematic Method for Developing Meta Attack Language Instances. In: Augusto, A., Gill, A., Bork, D., Nurcan, S., Reinhartz-Berger, I., Schmidt, R. (eds) Enterprise, Business-Process and Information Systems Modeling. BPMDS EMMSAD 2022 2022. Lecture Notes in Business Information Processing, vol 450. Springer, Cham. https://doi.org/10.1007/978-3-031-07475-2_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-07475-2_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07474-5

  • Online ISBN: 978-3-031-07475-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation