Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles

Systems and software architects require quantitative dependability evaluations, which allow them to compare the effect of their design decisions on dependability properties. For security, however, quantitative evaluations have proven difficult, especially for component-based systems. In this paper, we present a risk-based approach that creates modular attack trees for each component in the system. These modular attack trees are specified as parametric constraints, which allow quantifying the probability of security breaches that occur due to internal component vulnerabilities as well as vulnerabilities in the component’s deployment environment. In the second case, attack probabilities are passed between system components as appropriate to model attacks that exploit vulnerabilities in multiple system components. The probability of a successful attack is determined with respect to a set of attack profiles that are chosen to represent potential attackers and corresponding environmental conditions. Based on these attack probabilities and the structure of the modular attack trees, risk measures can be estimated for the complete system and compared with the tolerable risk demanded by stakeholders. The practicability of this approach is demonstrated with an example that evaluates the confidentiality of a distributed document management system.