Skip to main content
SpringerLink
Log in

Generating attack scenarios for the system security validation

  • Research Article
  • Published:
Networking Science

Abstract

Next Generation Network (NGN) is a completely new architectural concept for providing end-users with voice, video, and all sorts of data services. However, secure communication is a key and challenging requirement for NGN service providers. In this paper, we propose an innovative attack script generation and injection approach to evaluate the security of the communication system and consequently detect its security flaws. We apply attack modeling technique to describe the system vulnerabilities and generate system context attack scenarios. The attack scenarios are then refined to executable attack scripts which are executed by communication testing tools in charge of emulating the system attacks. The approach is applied to Wireless Application Protocol (WAP), which is a customized protocol used in resource constrained mobile devices. We performed experiments using specific attacks of the mobile protocol such as Denial of Service (DoS) and Message Truncation attacks. The experiments results demonstrate the effectiveness of the attack injection approach in the role of detecting security vulnerabilities in the communication system.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. D. Powell, A. Adelsbach, C. Cachin, S. Creese, M. Dacier, Y. Deswarte, T. McCutcheon, N. Neves, B. Pfitzmann, B. Randell, R. Stroud, P. Verissimo, and M. Waidner, “MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications),” in Proc. Int. Conf. Dependable Systems and Networks (DSN), Göteborg, Sweden, 2001, pp. D32–D35.

    Google Scholar 

  2. C. Nagle. (2001). Keyword Driven Automation Framework Model [Online]. Available: http://safsdev.sourceforge.net/FRAMESDataDrivenTestAutomationFrameworks.htm.

    Google Scholar 

  3. Juniper Research. (2011, Jan. 27). Low Cost Handsets & Entry Level Smartphones [Online]. Available: http://juniperresearch.com/reports/low_cost_handsets_&_entry_level_smartphones.

    Google Scholar 

  4. Wap Forum. (2001, Apr. 06). Wireless Transport Layer Security Specification Version 06-Apr-2001 [Online]. Available: http://www.wapforum.org/what/technical.htm..

    Google Scholar 

  5. A.P. Moore, R. J. Ellison, and R.C. Linger, “Attack modeling for information security and survivability,” Technical Note CMU/SEI-2001-TN-001, Mar. 2001.

    Google Scholar 

  6. N. W. Paton, O. Díaz, M. H. Williams, J. Campin, A. Dinn, and A. Jaime, “Dimensions of active behaviourn,” in Proc. 1st Int. Workshop Rules in Database Systems, Edinburgh, Scotland, 1993, pp. 40–57.

    Google Scholar 

  7. A. Morais, E. Martins, and A. Cavalli, “Security Protocol Testing Using Attack Trees,” in Proc. Int. Conf. Computational Science and Engineering, Vancouver, Canada, 2009, pp. 690–697.

    Google Scholar 

  8. A. Morais, E. Martins, and A. Cavalli, “A model-based attack injection approach for security validation,” in Proc. 4th Int. Conf. Security of Information and Networks, Sydney, Australia, 2011, pp. 103–110.

    Google Scholar 

  9. H. H. Thompson, J. A. Whittaker, and F. E. Mottay, “Software security vulnerability testing in hostile environments,” in Proc. ACM Symp. Applied Computing (SAC), Madrid, Spain, 2002, pp. 260–264.

    Google Scholar 

  10. P. C. H. Wanner and R. F. Weber, “Fault injection tool for network security evaluation,” in Dependable Computing: LNCS vol. 2847, R. de Lemos, T. S. Weber, and J. B. Camargo, Jr, Eds. Berlin: Springer, 2003, pp. 127–136.

    Chapter  Google Scholar 

  11. N. Neves, J. Antunes, M. Correia, P. Veríssimo, and R. Neves, “Using attack injection to discover new vulnerabilities,” in Proc. Int. Conf. Dependable Systems and Networks (DSN), Philadelphia, USA, 2006, pp 457–466.

    Google Scholar 

  12. R. Kaksonen, M. Laakso, and A. Takanen, “System security assessment through specification mutations and fault injection,” in Proc. IFIP TC6/TC11 Int. Conf. Communications and Multimedia Security Issues of the New Century, Darmstadt, Germany, 2001, p. 27.

    Google Scholar 

  13. B. Miller. (1990). Fuzz Testing of Application Reliability [Online]. Available: http://pages.cs.wisc.edu/~bart/fuzz/.

    Google Scholar 

  14. M.-J. O. Saarinen, “Attacks against the WAP WTLS protocol,” in Proc. IFIP TC6/TC11 Joint Working Conf. Secure Information Networks: Communications and Multimedia Security, 1999, pp. 209–215.

    Google Scholar 

  15. D. Wagner and B. Schneier, “Analysis of the SSL 3.0 protocol,” in Proc. 2nd USENIX WorkshopElectronic Commerce, Berkeley, USA, 1996, pp. 29–40.

    Google Scholar 

  16. R. Zhang and K. Chen, “Improvements on the WTLS protocol to avoid denial of service attacks,” Computers & Security, vol. 24, no. 1, pp. 76–82, Feb. 2005.

    Article  Google Scholar 

  17. D. Dolev and A. Yao, “On the security of public-key protocols,” IEEE Trans. Inf. Theory, vol. 29, no. 2, pp. 198–208, Mar. 1983.

    Article  MathSciNet  MATH  Google Scholar 

  18. R. J. Drebes, G. Jacques-Silva, J. F. da Trindade, and T. S. Weber, “A kernel-based communication fault injector for dependability testing of distributed systems,” in Proc. of Parallel and Distributed Systems: Testing and Debugging (PADTAD-3), Haifa, Israel, 2005, pp. 177–190.

    Google Scholar 

  19. A. Cavalli, E. Martins, and A. Morais, “Use of invariant properties to evaluate the results of fault-injection-based robustness testing of protocol implementations,” in Proc. 4th Workshop Advances in Model Based Testing (AMOST’08), Lillehammer, Norway, 2008, pp. 21–30.

    Google Scholar 

  20. B. Schneier, “Attack trees: Modeling security threats,” Dr. Dobb’s Journal, vol. 24, no. 12, pp.21–29, Dec. 1999.

    Google Scholar 

  21. M. Hussein and M. Zulkernine, “UMLintr: A UML profile for specifying intrusions,” in Proc. 13th Annu. IEEE Int. Symp. and Workshop Engineering of Computer Based Systems, Postdam, Germany, 2006, pp. 279–288.

    Google Scholar 

  22. Amenaza Technologies Limited. (2006, Aug. 16). Secur/Tree Tutorial [Online]. Available: http://www.amenaza.com/downloads/docs/Tutorial.pdf.

  23. R. Sandilands. (2009). Network Traffic Generator [online]. Available: http://sourceforge.net/projects/traffic/.

    Google Scholar 

  24. F. Bachmann, L. Bass, C. Buhman, S. Comella-Dorda, F. Long, J. E. Robert, R. C. Seacord, and K. C. Wallnau, “Volume II:. Technical concepts of component-based software engineering,” Technical Report CMU/SEI-2000-TR-008, 2nd ed. May 2000.

    Google Scholar 

  25. E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software. Reading, USA: Addison-Wesley, 1995.

    Google Scholar 

  26. LAAS-CNRS. (2006). Deliverable D12 Resilience-Building Technologies: State of Knowledge. Available: http://www.resist-noe.org/outcomes/outcomes.html.

    Google Scholar 

  27. Y. Hsu, G. Shu, and D. Lee, “A model-based approach to security flaw detection ofnetwork protocol implementations,” in Proc. 16th IEEE Int. Conf. Network Protocols (ICNP), 2008, pp. 114–123.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Software-Networks Department, Télécom SudParis, 9 rue Charles Fourier, 91000, Evry, France

    Anderson Morais & Ana Cavalli

  2. Software R&D Center, Samsung Electronics, 129 Samsung-ro, Yeongtong-gu, Suwon-si, Gyeonggi-do, 443-742, Republic of Korea

    Iksoon Hwang

  3. Institute of Computing, University of Campinas, Av. Albert Einstein 1251, 13083-852, Campinas-SP, Brazil

    Eliane Martins

Authors
  1. Anderson Morais
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Iksoon Hwang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ana Cavalli
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Eliane Martins
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ana Cavalli.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Morais, A., Hwang, I., Cavalli, A. et al. Generating attack scenarios for the system security validation. Netw.Sci. 2, 69–80 (2013). https://doi.org/10.1007/s13119-012-0012-0

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s13119-012-0012-0

Keywords

Search

Navigation