Quantitative Security Risk Modeling and Analysis with RisQFLan
Maurice H. ter Beek, Axel Legay, Alberto Lluch Lafuente, Andrea Vandin

TL;DR
This paper introduces RisQFLan, a novel tool-supported framework that extends QFLan for quantitative security risk modeling using attack-defense trees, enabling precise and statistical analysis of probabilistic attack scenarios.
Contribution
It presents RisQFLan, a new framework that integrates features from various attack tree types into a domain-specific language for enhanced security risk analysis.
Findings
Supports exact and statistical verification of attack scenarios.
Demonstrated through three illustrative case studies.
Enhances existing security risk modeling tools.
Abstract
Domain-specific quantitative modeling and analysis approaches are fundamental in scenarios in which qualitative approaches are inappropriate or unfeasible. In this paper, we present a tool-supported approach to quantitative graph-based security risk modeling and analysis based on attack-defense trees. Our approach is based on QFLan, a successful domain-specific approach to support quantitative modeling and analysis of highly configurable systems, whose domain-specific components have been decoupled to facilitate the instantiation of the QFLan approach in the domain of graph-based security risk modeling and analysis. Our approach incorporates distinctive features from three popular kinds of attack trees, namely enhanced attack trees, capabilities-based attack trees and attack countermeasure trees, into the domain-specific modeling language. The result is a new framework, called RisQFLan,…
Taxonomy
Topics: Information and Cyber Security · Software Reliability and Analysis Research · Advanced Software Engineering Methodologies
