Using Statistical Model Checking for Cybersecurity Analysis

  • Conference paper
Digital Sovereignty in Cyber Security: New Challenges in Future Vision (CyberSec4Europe 2022)

Abstract

This work discusses an approach to estimate the likelihood of occurrence and evolution in time of software security issues. First, software vulnerability assessment is revised in the light of recent studies. Then, guidelines are proposed that allow for (formal) modelling of stochastic aspects of cybersecurity-relevant scenarios. This opens a connection to the field of formal methods, where automated tools like statistical model checkers can estimate the value of property queries characterising such scenarios. But exploitable vulnerabilities and attacks in cybersecurity are rare events, which calls for specialised tools. In view of this, the work concludes by presenting FIG, a statistical model checker specialised in rare event simulation. FIG, an open source software tool freely available at https://git.cs.famaf.unc.edu.ar/dsg/fig, can be used to estimate the probability of an attack within the next release cycle.

Funded by the EU under GA n.101067199 (ProSVED). Views and opinions expressed are those of the author(s) only and do not necessarily reflect those of the European Union or The European Research Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.

Notes

  1. This is rather encryption, a sub-field of cryptography. For a more precise (and serious) understanding of cryptography we refer the interested reader to e.g. [4, chs. 1 and 3].

  2. In ML, predict refers to classification, i.e. identifying code affected by a CVE or known vulnerable pattern. This is not the same as foretelling the occurrence of vulnerabilities in the future, e.g. a yet-to-come CVE. Here we are interested in estimating the latter.

  3. Transitions among states are governed by stochastic distributions that describe the jump probabilities from past evidence. Stochastic Automata encode this via “clocks”.

  4. A more in-depth introduction to the concept of importance function requires formally defining state spaces, nondeterministic vs. probabilistic branching, and simulation traces in formal models; we refer the interested reader to e.g. [8, 25].

References

  1. Akram, J., Luo, P.: SQVDT: a scalable quantitative vulnerability detection technique for source code security assessment. Softw. Practice Exp. 51(2), 294–318 (2021). https://doi.org/10.1002/spe.2905

  2. Alohaly, M., Takabi, H.: When do changes induce software vulnerabilities? In: CIC, pp. 59–66. IEEE (2017). https://doi.org/10.1109/CIC.2017.00020

  3. Alves, H., Fonseca, B., Antunes, N.: Software metrics and security vulnerabilities: dataset and exploratory study. In: EDCC, pp. 37–44. IEEE (2016). https://doi.org/10.1109/EDCC.2016.34

  4. Aumasson, J.P.: Serious Cryptography: A Practical Introduction to Modern Encryption. No Starch Press (2017)

  5. Baier, C., Katoen, J.P.: Principles of Model Checking. MIT Press (2008)

  6. Barbot, B., Haddad, S., Picaronny, C.: Coupling and importance sampling for statistical model checking. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 331–346. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28756-5_23

  7. Bilgin, Z., Ersoy, M.A., Soykan, E.U., Tomur, E., Çomak, P., Karaçay, L.: Vulnerability prediction from source code using machine learning. IEEE Access 8, 150672–150684 (2020). https://doi.org/10.1109/ACCESS.2020.3016774

  8. Budde, C.E.: Automation of Importance Splitting Techniques for Rare Event Simulation. Ph.D. thesis, Universidad Nacional de Córdoba, Córdoba, Argentina (2017)

  9. Budde, C.E.: FIG: The Finite Improbability Generator v1.3. SIGMETRICS Perform. Eval. Rev. 49(4), 59–64 (2022). https://doi.org/10.1145/3543146.3543160

  10. Budde, C.E., D’Argenio, P.R., Hartmanns, A.: Automated compositional importance splitting. Sci. Comput. Program. 174, 90–108 (2019). https://doi.org/10.1016/j.scico.2019.01.006

  11. Budde, C.E., D’Argenio, P.R., Monti, R.E., Stoelinga, M.: Analysis of non-Markovian repairable fault trees through rare event simulation. Int. J. Softw. Tools Technol. Transfer (to appear) (2022). https://doi.org/10.1007/s10009-022-00675-x

  12. Chakraborty, S., Krishna, R., Ding, Y., Ray, B.: Deep learning based vulnerability detection: are we there yet. IEEE Trans. Softw. Eng. 48(9), 3280–3296 (2021). https://doi.org/10.1109/TSE.2021.3087402

  13. Chowdhury, I., Zulkernine, M.: Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. J. Syst. Architect. 57(3), 294–313 (2011). https://doi.org/10.1016/j.sysarc.2010.06.003

  14. D’Argenio, P.R., Katoen, J.P.: A theory of stochastic systems part I: Stochastic automata. Inf. Comput. 203(1), 1–38 (2005). https://doi.org/10.1016/j.ic.2005.07.001

  15. D’Argenio, P.R., Monti, R.E.: Input/output stochastic automata with urgency: confluence and weak determinism. In: Fischer, B., Uustalu, T. (eds.) ICTAC 2018. LNCS, vol. 11187, pp. 132–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-02508-3_8

  16. Dragoni, N., Lafuente, A.L., Massacci, F., Schlichtkrull, A.: Are we preparing students to build security in? A survey of European cybersecurity in higher education programs [education]. IEEE Secur. Privacy 19(01), 81–88 (2021). https://doi.org/10.1109/MSEC.2020.3037446

  17. Fang, Z., Fu, H., Gu, T., Qian, Z., Jaeger, T., Hu, P., Mohapatra, P.: A model checking-based security analysis framework for IoT systems. High-Confidence Comput. 1(1) (2021). https://doi.org/10.1016/j.hcc.2021.100004

  18. Faqeh, R., Fetzer, C., Hermanns, H., Hoffmann, J., Klauck, M., Köhl, M.A., Steinmetz, M., Weidenbach, C.: Towards dynamic dependable systems through evidence-based continuous certification. In: Margaria, T., Steffen, B. (eds.) ISoLA 2020. LNCS, vol. 12477, pp. 416–439. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61470-6_25

  19. Furnell, S., Clarke, N.: Power to the people? the evolving recognition of human aspects of security. Comput. Secur. 31(8), 983–988 (2012). https://doi.org/10.1016/j.cose.2012.08.004

  20. Ganesh, S., Ohlsson, T., Palma, F.: Predicting security vulnerabilities using source code metrics. In: SweDS, pp. 1–7. IEEE (2021). https://doi.org/10.1109/SweDS53855.2021.9638301

  21. Ghaffarian, S.M., Shahriari, H.R.: Software vulnerability analysis and discovery using machine-learning and data-mining techniques: a survey. ACM Comput. Surv. 50(4) (2017). https://doi.org/10.1145/3092566

  22. Hartmanns, A.: On the analysis of stochastic timed systems. Ph.D. thesis, Saarland University (2015). https://doi.org/10.22028/D291-26597

  23. Hole, K.J.: Anti-fragile ICT Systems. Springer (2016). https://doi.org/10.1007/978-3-319-30070-2

  24. Khan, S., Katoen, J.P.: Synergising reliability modelling languages: BDMPs and repairable DFTs. In: PRDC, pp. 113–122. IEEE (2021). https://doi.org/10.1109/PRDC53464.2021.00023

  25. L’Ecuyer, P., Le Gland, F., Lezaud, P., Tuffin, B.: Splitting techniques. In: Rubino and Tuffin [41], pp. 39–61. https://doi.org/10.1002/9780470745403.ch3

  26. Li, H., Kwon, H., Kwon, J., Lee, H.: A scalable approach for vulnerability discovery based on security patches. In: Batten, L., Li, G., Niu, W., Warren, M. (eds.) ATIS 2014. CCIS, vol. 490, pp. 109–122. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45670-5_11

  27. Li, Q., Song, J., Tan, D., Wang, H., Liu, J.: PDGraph: a large-scale empirical study on project dependency of security vulnerabilities. In: DSN, pp. 161–173. IEEE (2021). https://doi.org/10.1109/DSN48987.2021.00031

  28. Massacci, F., Pashchenko, I.: Technical leverage in a software ecosystem: development opportunities and security risks. In: ICSE, pp. 1386–1397. IEEE (2021). https://doi.org/10.1109/ICSE43902.2021.00125

  29. Meneely, A., Williams, L.: Secure open source collaboration: an empirical study of linus’ law. In: CCS, pp. 453–462. ACM (2009). https://doi.org/10.1145/1653662.1653717

  30. Meneely, A., Williams, L.: Strengthening the empirical analysis of the relationship between Linus’ law and software security. In: ESEM. ACM (2010). https://doi.org/10.1145/1852786.1852798

  31. Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., Zwaans, T.: The human aspects of information security questionnaire (HAIS-Q): two further validation studies. Comput. Secur. 66, 40–51 (2017). https://doi.org/10.1016/j.cose.2017.01.004

  32. Pashchenko, I., Plate, H., Ponta, S.E., Sabetta, A., Massacci, F.: Vulnerable open source dependencies: counting those that matter. In: ESEM, pp. 42:1–42:10. ACM (2018). https://doi.org/10.1145/3239235.3268920

  33. Pashchenko, I., Plate, H., Ponta, S.E., Sabetta, A., Massacci, F.: Vuln4Real: a methodology for counting actually vulnerable dependencies. IEEE Trans. Software Eng. 48(5), 1592–1609 (2022). https://doi.org/10.1109/TSE.2020.3025443

  34. Post, G.V., Kagan, A.: Evaluating information security tradeoffs: restricting access can interfere with user tasks. Comput. Secur. 26(3), 229–237 (2007). https://doi.org/10.1016/j.cose.2006.10.004

  35. Prana, G.A.A., et al.: Out of sight, out of mind? how vulnerable dependencies affect open-source projects. Empir. Softw. Eng. 26(4), 1–34 (2021). https://doi.org/10.1007/s10664-021-09959-3

  36. Rindell, K., Ruohonen, J., Holvitie, J., Hyrynsalmi, S., Leppänen, V.: Security in agile software development: a practitioner survey. Inf. Softw. Technol. 131 (2021). https://doi.org/10.1016/j.infsof.2020.106488

  37. Roberts, R., Lewis, B., Hartmanns, A., Basu, P., Roy, S., Chakraborty, K., Zhang, Z.: Probabilistic verification for reliability of a two-by-two network-on-chip system. In: Lluch Lafuente, A., Mavridou, A. (eds.) FMICS 2021. LNCS, vol. 12863, pp. 232–248. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-85248-1_16

  38. Rose, A.Z., Miller, N.: Measurement of Cyber Resilience from an Economic Perspective, chap. 10, pp. 253–274. John Wiley & Sons, Ltd (2021). https://doi.org/10.1002/9781119287490.ch10

  39. Roumani, Y., Nwankpa, J.K., Roumani, Y.F.: Time series modeling of vulnerabilities. Comput. Secur. 51, 32–40 (2015). https://doi.org/10.1016/j.cose.2015.03.003

  40. Rubino, G., Tuffin, B.: Introduction to rare event simulation. In: Rubino and Tuffin [41], pp. 1–13. https://doi.org/10.1002/9780470745403.ch1

  41. Rubino, G., Tuffin, B. (eds.): Rare Event Simulation Using Monte Carlo Methods. Wiley (2009). https://doi.org/10.1002/9780470745403

  42. Stoelinga, M., Kolb, C., Nicoletti, S.M., Budde, C.E., Hahn, E.M.: The marriage between safety and cybersecurity: still practicing. In: Laarman, A., Sokolova, A. (eds.) SPIN 2021. LNCS, vol. 12864, pp. 3–21. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84629-9_1

  43. Sultana, K.Z., Deo, A., Williams, B.J.: Correlation analysis among Java nano-patterns and software vulnerabilities. In: HASE, pp. 69–76. IEEE (2017). https://doi.org/10.1109/HASE.2017.18

  44. Walden, J., Stuckman, J., Scandariato, R.: Predicting vulnerable components: software metrics vs text mining. In: ISSRE, pp. 23–33. IEEE (2014). https://doi.org/10.1109/ISSRE.2014.32

  45. Weiss, J.: A system security engineering process. In: Proceedings of the 14th National Computer Security Conference. Information System Security: Requirements & Practices, vol. 249, pp. 572–581 (1991)

  46. Yasasin, E., Prester, J., Wagner, G., Schryen, G.: Forecasting IT security vulnerabilities - an empirical analysis. Comput. Secur. 88 (2020). https://doi.org/10.1016/j.cose.2019.101610

  47. Younes, H.L.S., Simmons, R.G.: Probabilistic verification of discrete event systems using acceptance sampling. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 223–235. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45657-0_17

Corresponding author

Correspondence to Carlos E. Budde.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Budde, C.E. (2023). Using Statistical Model Checking for Cybersecurity Analysis. In: Skarmeta, A., Canavese, D., Lioy, A., Matheu, S. (eds) Digital Sovereignty in Cyber Security: New Challenges in Future Vision. CyberSec4Europe 2022. Communications in Computer and Information Science, vol 1807. Springer, Cham. https://doi.org/10.1007/978-3-031-36096-1_2

  • DOI: https://doi.org/10.1007/978-3-031-36096-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-36095-4

  • Online ISBN: 978-3-031-36096-1

  • eBook Packages: Computer Science, Computer Science (R0)
