Skip to main content
SpringerLink
Log in

Unified Modeling Technique for Threat Cause Ranking, Mitigation and Testing

  • Conference paper
Contemporary Computing (IC3 2011)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 168))

Included in the following conference series:

Abstract

This paper describes a unified modeling technique applied after threat identification step of threat modeling process, for ranking the causes of a threat which is then used for threat mitigation and testing. The paper presents a unique approach that starts with enumeration of causes for each possible threat over the system with construction of threat cause model that diagrammatically describes the causes and sub-causes responsible for the occurrence of a threat. The paper suggests an approach for the ranking of both threats and their causes for effective mitigation. After applying threat cause mitigation strategy, testing of system towards a threat is verified by checking the security at the perimeter of the cause model for that threat. This unique technique assures that ensuring all sub-causes at lowest level of abstraction impossible will make the system safe towards a particular threat. Unlike other techniques this technique is unified as it starts with a threat model for each individual threat, that enumerates causes of their occurrence and then the same is used for mitigation and testing. Hence this strategy can ensure security when applied to all threats over the system.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Shostack, A.: Experiences Threat Modeling at Microsoft (2008), http://www.homeport.org/~adam/modsec08/Shostack-ModSec08-Experiences-Threat-Modeling-At-Microsoft.pdf

  2. Howard, M., Leblane, D.: Threat Modeling: Writing Secure Code, 2nd edn., vol. ch. 4. Microsoft Press (2002)

    Google Scholar 

  3. Meier, J.D., Mackman, A., Wastell, B.: Threat Modeling Web Applications. Microsoft Patterns & Practices, Microsoft Corporation (2005), http://msdn.microsoft.com/en-us/library/ff648006.aspx

  4. Meier, J.D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., Murukan, A.: Threat Modeling: Improving Web Application Security:-Threats and Countermeasures. Microsoft patterns & practices, Microsoft Corporation, ch. 3, file:///F:/threat%20modeling/Threat%20Modeling.htm

    Google Scholar 

  5. Abi-Antoun, M., Wang, D., Torr, P.: Checking Threat Modeling Data Flow Diagrams for Implementation Conformance and Security. In: ASE 2007, November 7 (2007) ; short paper program

    Google Scholar 

  6. Threat Modeling: A Process to Ensure Application Security.: SANS Institute InfoSec Reading Room, http://www.sans.org/reading_room/whitepapers/securecode/threat-modeling-process-ensure-application-security_1646

  7. Ambler, S.W.: Introduction to Security Threat Modeling, http://www.agilemodeling.com/artifacts/securityThreatModel.htm

  8. Abdullah, S., Hussain, T., Khan, G.F.: Enhancing C4I Security using Threat Modeling. In: 12th International Conference on Computer Modelling and Simulation (2010)

    Google Scholar 

  9. Chen, Y., Boehm, B., Sheppard, L.: Value Driven Security Threat Modeling Based on Attack Path Analysis. In: Proceedings of the 40th Hawaii International Conference on System Sciences (2007)

    Google Scholar 

  10. Ebenezer, A., Oladimeji., S.S., Lawrence, C.: Security Threat Modeling and Analysis: A Goal-Oriented Approach. In: 10th IASTED International Conference on Software Engineering and Applications (SEA 2006), Dallas, Texas, USA (2006)

    Google Scholar 

  11. The Importance of Threat Modeling White Paper: Information Risk Management. In: IRM PLC (December 2007)

    Google Scholar 

  12. Threat Model Analysis. Microsoft Corporation , http://msdn.microsoft.com/en-us/library/aa561499v=bts.70.aspx

  13. SDL Process: Introduction 2008. Microsoft Corporation, http://msdn.microsoft.com/en-us/library/cc307406.aspx

Download references

Author information

Authors and Affiliations

  1. Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee, Roorkee, Uttarakhand, India

    Gaurav Varshney, Ramesh Chandra Joshi & Anjali Sardana

Authors
  1. Gaurav Varshney
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ramesh Chandra Joshi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Anjali Sardana
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Iowa State University and IIT Bombay, India, 329 Durham, Ames, IA 5001, Iowa, USA

    Srinivas Aluru

  2. Indian Statistical Institute, 203 B.T. Road, 700 108, Kolkata, West Bengal, India

    Sanghamitra Bandyopadhyay

  3. The Ohio State University, 3190 Graves Hall, 333 W 10th Ave, 43210, Columbus, OH, USA

    Umit V. Catalyurek

  4. Department of Computing Science, Chalmers University, Rännvagen 6B, 412 96, Göteborg, Sweden

    Devdatt P. Dubhashi

  5. Dept. of Electrical and Computer Engineering, Iowa State University, 329 Durham, IA 50011, Ames, USA

    Phillip H. Jones

  6. TASSL, Dept. of Electrical & Computer Engineering, Rutgers, The State University of New Jersey, Brett Road, NJ 08854-8058, Piscataway, USA

    Manish Parashar

  7. School of Computer Engineering, Nanyang Technological University, N4-02a-32 Nanyang Ave, 639798, Singapore

    Bertil Schmidt

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Varshney, G., Joshi, R.C., Sardana, A. (2011). Unified Modeling Technique for Threat Cause Ranking, Mitigation and Testing. In: Aluru, S., et al. Contemporary Computing. IC3 2011. Communications in Computer and Information Science, vol 168. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22606-9_48

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-22606-9_48

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22605-2

  • Online ISBN: 978-3-642-22606-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation