
The Attack Tree Toolbox
Security Analysis of Systems Using Model-Integrated-Computing

Abstract

This project aims to model network security systems and develop network security analysis tools. Systems are modeled under the concept of an "attack tree", an approach to security modeling developed by Bruce Schneier, a professional in the fields of cryptography and security [1]. Security analysis benefits from an attack tree modeling approach; given the right tools, a modeling environment can help a user find the biggest holes in a system's security or the best methods of fortification. An attack tree modeling language and model interpreters have been developed using Vanderbilt's Generic Modeling Environment (GME).

Modeling Specifications

Objects and Relations

- "Node": an event in an attack path
- "Attack tree": a container that can hold nodes and their connections
- "Node to node connection": a directed relationship between nodes; the source node is essentially a requirement for the destination node
- "Attack tree to node connection": a relationship similar to that of nodes; used when branches of a tree have been collapsed to a container

Attributes of Objects

Attributes for only nodes:

- "Type": either AND or OR
  AND -> all attached nodes are required
  OR -> only one attached node is required
- "Goal": does the node represent the goal of the attack?

Attributes for both nodes and trees:

- "Cost to attack": how much an attack on the object would cost the attacker
- "Damage cost": how much an attack on the object would cost the owner(s) of a system
- "Technical ability": a rating from 1-100 of the skill required to achieve the attack
- "Probability of apprehension": the risk a potential attacker would run of being caught

Analysis Interpreter (Main Interpreter)

- Allows the user to input search conditions for filtering paths, such as Cost to attack < 5000
- Populates a list box with all applicable paths
- Lets the user view and sort paths based on various statistics
- Allows the user to highlight paths in the model and/or create a separate model for the path

Collapse Interpreter

Based on the object selected by the user, either collapses the branch starting at that node into a model or expands the model into the original branch.

Dispatch Interpreter

Allows the user to import or export a model in XML or export the model into Graphviz, a separate program for displaying graphs.

Future Work

- Improve diagnosis of a modeled system's weaknesses
- Save and load profiles of potential intruders to the system, such as the average script kiddie, a professional cracker, or a common burglar
- Model and diagnose a real life system, most likely a local computer network

Figure 1: The AttackTree MetaModel
Figure 2: Use of the Analysis interpreter
Figure 3: Viewing of a model exported to Graphviz

Citations

1. Schneier, Bruce. "Attack Trees." Dec. 1999. 1 August 2006. (Attack tree acquired from first source.)

SIPHER Students: Marty Henderson, Blake Sheridan
Graduate Student Mentor: Jan Werner
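
The path filtering described for the Analysis Interpreter can be sketched outside GME as follows. This is an added example, not the project's interpreter code: the `Node` class, the function names, the sample tree and the way statistics are combined along a path (summed cost, highest technical ability, probability of being caught at least once assuming independent steps) are all assumptions, and the goal node is passed explicitly instead of being read from a "Goal" attribute.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    name: str
    type: str = "OR"        # "AND": all attached nodes required; "OR": only one
    cost: float = 0         # "Cost to attack"
    ability: int = 0        # "Technical ability" (1-100)
    p_caught: float = 0.0   # "Probability of apprehension"
    requires: list = field(default_factory=list)  # sources of incoming connections

def paths(node):
    """Every minimal set of node names that achieves `node`."""
    if not node.requires:
        return [frozenset([node.name])]
    per_child = [paths(child) for child in node.requires]
    if node.type == "AND":   # one path from every child, merged
        merged = [frozenset().union(*combo) for combo in product(*per_child)]
    else:                    # any single child's path is enough
        merged = [p for child in per_child for p in child]
    return [p | {node.name} for p in merged]

def stats(path, index):
    """Assumed aggregation: sum of costs, hardest step, P(caught at least once)."""
    nodes = [index[name] for name in path]
    escape = 1.0
    for n in nodes:
        escape *= 1 - n.p_caught
    return {"cost": sum(n.cost for n in nodes),
            "ability": max(n.ability for n in nodes),
            "p_caught": round(1 - escape, 4)}

def find_paths(goal, index, keep=lambda s: True):
    """Paths to `goal` whose statistics satisfy `keep`, cheapest first."""
    rows = [(sorted(p), stats(p, index)) for p in paths(goal)]
    return sorted((r for r in rows if keep(r[1])), key=lambda r: r[1]["cost"])

# Constructed sample tree; every value is illustrative.
listen = Node("listen", cost=2000, ability=40, p_caught=0.1)
coax = Node("get_combo_stated", cost=1000, ability=50, p_caught=0.2)
eavesdrop = Node("eavesdrop", type="AND", requires=[listen, coax])
bribe = Node("bribe", cost=20000, ability=10, p_caught=0.3)
learn = Node("learn_combo", requires=[bribe, eavesdrop])
pick = Node("pick_lock", cost=30000, ability=80, p_caught=0.2)
cut = Node("cut_open", cost=10000, ability=30, p_caught=0.6)
goal = Node("open_safe", requires=[pick, learn, cut])
INDEX = {n.name: n for n in (listen, coax, eavesdrop, bribe, learn, pick, cut, goal)}

if __name__ == "__main__":
    for names, s in find_paths(goal, INDEX, lambda s: s["cost"] < 5000):
        print(names, s)
```

For a defender, the paths that survive a filter such as Cost to attack < 5000 are the ones to fortify first, since they are within reach of the least-resourced intruder profile.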

