Selecting and Composing Cyberattack Component Models

Katia P. Maxwell


Modern society is increasingly reliant on computer systems for nearly all aspects of life, and the security of those systems has become an urgent concern. A research program that consists of several interconnected research projects in cybersecurity modeling has to date included the definition of a form of Petri nets extended with additional features specific to modeling cyberattacks, the automated generation of executable cyberattack component models from an attack pattern database, formal representation, and machine learning of attacker and defender strategies during cyberattacks, and the verification and validation of the component models. Because computer systems targeted in cyberattacks may have multiple and/or previously unknown vulnerabilities, there is a need to combine or compose the component models into integrated composite models that represent a target system. In response, methods and supporting software for the selection and composition of those component models were developed in this work. A repository to store the component models was implemented, and component model metadata to assist a user in selecting the appropriate models to compose was defined. Both were tested. Several composition operations and two different forms or levels of composition, coarse-grain, and fine-grain, were defined. Course-grain composition combines models of attack patterns to model complete target systems, whereas fine-grain the composition combines models of individual attack techniques to model new attack patterns. Both forms of composition required the addition of specific model elements to support the composition operations. Both levels of composition were tested using multiple use cases. The resulting composite models were checked for compliance with the modeling formalism and then run using a simulator to confirm that the models were executable. The results of simulations were consistent with real-world experience.