Automatic Generation of Security Argument Graphs

TL;DR

This paper introduces methods for automatically constructing security argument graphs by progressively integrating diverse security information, aiding system security evaluation with a prototype tool called CyberSAGE.

Contribution

It presents a novel approach to automatically generate security argument graphs using logical relationships and extension templates, enhancing security assessment processes.

Findings

Successful demonstration with an electric power sector scenario

Effective graph generation through logical relationship exploitation

Prototype tool CyberSAGE supports security evaluation

Abstract

Graph-based assessment formalisms have proven to be useful in the safety, dependability, and security communities to help stakeholders manage risk and maintain appropriate documentation throughout the system lifecycle. In this paper, we propose a set of methods to automatically construct security argument graphs, a graphical formalism that integrates various security-related information to argue about the security level of a system. Our approach is to generate the graph in a progressive manner by exploiting logical relationships among pieces of diverse input information. Using those emergent argument patterns as a starting point, we define a set of extension templates that can be applied iteratively to grow a security argument graph. Using a scenario from the electric power sector, we demonstrate the graph generation process and highlight its application for system security evaluation in our prototype software tool, CyberSAGE.