
Paper ID




Abusers Stories
Stride Average Model
Attack Trees
9 Fuzzy Logic
Microsoft Threat Modeling
1 T-Map
11 The CIAA Threat Model Process
11 The Data Lifecycle Threat Model Process
http://www.ptatechnologies. PTA Practical Threat Analysis Calculative Threat Modeling Methodology
Threat Assessment & Remediation Analysis
18 Quantitative Threat Modeling Methodologies

20 Defects Threat Tree Modeling
21 Qualitative Threat Model
21 Threat Model Quantification
22 PABTM (Police Agent based Threat Model)
23 Unified Threat Model

25 Threat Source Modeling
26 Method for Common Criteria-Compliant Threat Analysis
28 Threat Model Framework and Methodology for Personal Networks (PNs)

27 Common Vulnerability Scoring System (CVSS)
27 Threat Model with UML Sequence Diagram
27 Threat Modeling in Pervasive Computing Paradigm

System Threat Modelling

Fault Trees
Attack Trees
Attack Nets
Threat Nets

Author Name

SDLC Phase


COTS (Commercial off-the-shelf systems)

Distributed Data Storage Systems
Distributed Data Storage Systems




Web based systems


Grid infrastructure


Grid infrastructure


Threat Analysis




Web systems

Personal Networks



pervasive computing (when there are multiple identities of


Web based systems

Additional / Overlap Phases

Repeatedly during the lifecycle

Data creation stage

Design stage

n there are multiple identities of a person and .

identify threats . comparing and prioritizing the amount of risk presented by each evaluated threat 6 step threat methodology apply early repeatedly and during development lifecycle provides a strong quantitative method to evaluate the security examining the types of threats that can occur at different stages of data state from creation to extinction. agent based identification to detect the design-level vulnerabilities and to design the mitigation schemes for secure coding and Threat model for common criteria compliant aim to build structured. convenient approach to model the threats . traditional software security testing cannot ensure software security effectively. Objectives quantifying.

to analyze the system behaviour in terms of threats and their message exchange The paper present a novel approach for addressing the threat modeling in pervasive computing and p .

Implementation Limitations .Study Type ecure coding and testing.

e computing and presents a model fo N/A .

Methodology Name/tools Formal or Semi-Formal STRIDE Threat Model DREAD modeling Microsoft Threat Modeling The CIAA Threat Model Process The Data Lifecycle Threat Model Process Defects threat tree modeling Formal Formal Unified threat model PN Threat Model Methodology .

threat modeling with uml sequence diagram semi formal .

Outcome artifact Model Document threat model and document (CORAS diagram identified threats under CIAA at every stage Optimal S&P(Security and Privacy) requirem Defect threat tree threat Model threat Model threat Model threat model Document / Common Criteria documentation threat Model .

model threat model .

apply STRIDE. confidentiality. 2-Map S&P threats to DFD (threats->Privacy protection goals ()Unlinkability.introductory meeting (system description (drawing. threat evaluating algorithm . categorizing threats using STRIDE. Analyze on the following: Damage Reproducibility Exploitability Affected users Discoverability identifying threats. fuzzification Identify threats. professionals estimat Threat tree. integrity. identifying mitigation st Input variable(threats derived from STRIDE). understanding threats.high level analysis (asset di 1. physical Data creation + detail. persons + technical) . sketches etc)) . 2. availability. 2-dfd Organize threats under categories. historical statistical information 1-Define scope(context diagram . 2-Asset identification (For all identified doma 1-use cases. 2-network overview from that scenarios. authentication . identify sources(types). Data Reception + detail. identify expertise(complexity) TMQ.Identify threats according to that DFD (build threat trees) MDP model (Markov decision process). DFD is developed and apply these steps on each node. 3-technical background in usecases(Make DFD o .req . 2. identify countermeasures Vulnerability database ->Attack path UML Model(Class diagram). Action selection by the user(possible actions identified by sources(history. transpare 1.DFD. Attribute Ranking (0 to 1 depends o 1.Threat Identification Group threats into categories. DFD . output + detail (apply CIAA on each) Use case ->DFD.

Establish user/service roles and usage Scenario (use case) . Identify security domains and their interf .

3-approval (Asset table and likelihood). 4-Risk based quantification (Attack trees or DREAD). 3-Domain knowledge (Document the assumptions ).Results ling by attack path(algo. 5-identify threat (threat scenarios and attack trees). 4.Describe attackers (for every asset and a y assets in usecases. 4. 5-S&P requirements ation (history.risk identification (threat diagrams on the basis of threat scenar ntify misusecase scenarios. professionals estimation ) ntify assets) . (overall threat.identify vulnerabilities (from thre . threat key of note)) ML) ) . 6.

Vulnerabilities and their countermeasures . Risk Evaluation. Detecting new threats and .each security domain.

6-risk P requirements rs (for every asset and assumption identify attackers ).risk assessment (determine risks on the basis of i . asset value)) . 5-Identify threats (relationship between attacker and as vulnerabilities (from threat scenarios and their likelihood ).he basis of threat scenarios and assets). 7. 5-risk estimation (on threat diagram (likelihood .

tecting new threats and vulnerabilities (Common vulnerability scoring system) .

asset value)) . 8. 6-risk evaluation (risk diagram).Documentation (document with the diagram) ermine risks on the basis of identified threats) .ihood . 6. usecase to the .determine the result (rank the threats to risk. 7-risk treatment (threat diagrams->treatment diagrams hip between attacker and asset).


usecase to their risk ) .ms->treatment diagrams) ts to risk.


Processes Techniques Design .

string. aliases To do.2moro From the abstracts first threat modeling then find the aliases for that. .

Attacker Centric Threat Centric Attack Centric Asset centric System centric .

25-3-2016 Examples Specific Examples in different domains .

distributed data storage systems Unified threat model for analyzing and evaluating 1 software threats Design 2 STRIDE Design Web applications .Paper ID Name SDLC Phase Application Applied on which phase of Application SDLC area/domain Web systems.

Design Biobank clouds Threat Modeling Revisited: Improving Expressiveness of 6 Attack Design Structured System Threat Modeling and Mitigation Analysis for Industrial 7 Automation Systems Design Industrial Control Systems .A privacy threat analysis framework: supporting the elicitation and fulfillment of 3 privacy requirements 4.5 ADVANCED CLOUD PRIVACY THREAT Modelling Requirements .

8 Threat Modeling for Security Failure-Tolerant Requirements; Design; Fault-Tolerant Systems
9 Value Driven Security Threat Modeling Based on Attack Path Analysis
10 Threat-based Security Analysis for the Internet of Things; Design; Internet of Things Systems
11 Determine Information Security Features for Smart Grid through Constructing a Threat Model; Design; Smart Grid Networks

12 A Security Evaluation Method Based on STRIDE Model for Web Service; Design; Web Services
13 Towards an Enhanced Design Level Security Integrating Attack Trees with Statecharts; Design
14 Using Taint Analysis for Threat Risk of Cloud Applications
15 Threat Tree Templates to Ease Difficulties in Threat Modeling; Cloud Applications; Design

16 Threat Modeling in Pervasive Computing Paradigm; Design
17 THREAT RISK MODELING; Design
18 A New Method for Network Threat Quantification Analysis; Design
19 Privacy Threat Modeling Framework for Online Social Networks
20 UMLSec
Pervasive computing . ubiquitous networks Social Networks Design .

21 T-Map; Design; COTS (Commercial off-the-shelf systems)
22 The CIAA Threat Model Process; Design; Distributed Data Storage Systems
22 The Data Lifecycle Threat Model Process; Design; Distributed Data Storage Systems
23 Privacy-by-Design Based on Quantitative Threat Modelling; Design
24 A Case Study of Software Security Test Based On Defects Threat Tree Modeling; Design; Web Systems

25 l Design Smart Grid infrastructure .

this paper presents a software threats are still unified threat model for insufficient. No to discover the security weaknesses of a software system. and evaluate stage design stages software threats. analyze. . and issue. analyzing. To address this representing.Additional / Overlap Phases Objectives Problem If applied on multiple phases on SDLC Example: Microsoft Threat Modelling: Repeatedly in lifecycle research in threat modeling has yet to For the purpose of improving mature as established techniques. this paper presents a unified evaluating threat model to formally No on design software threats at various represent. the and tools to aid formal analysis and trustworthiness of software evaluation of designs.

or too specific. existing techniques lack expressiveness in modelling the threat one step further than a regular threat model. but also the security controls that can mitigate threats. by not only modeling components and threats within a system. and would not allow an efficient re-use of data. in that they could not reasonably be applied to all the different components in a reference architecture. No . and attacker time specific attributes in the synthesis of threats.No To map privacy-based threats Yes To reduce the complexity of privacy threat modelling to identify methodology weaknesses likesuch that support for different privacy legislation and threat identification process No to provide solution that incorporates system design and deployment flaws. the existing tools we found were either too general.

Cost effectiveness No thorough analysis of the security and privacy properties that are required for a system where the constituent devices vary in their capabilities. the accompanying information security attacks will affect the reliability and usability of Smart Grid applications. on Smart Grid network (SGN). No to analyze the cost-effectiveness of how system patching and upgrades can improve security. No . This paper describes an approach to modeling security threats for security failure-tolerant applications. existing approaches to modeling threats analyze security threats without consideration of the security failure-tolerance.s to deal with security and privacy issues in IoT. sensitive to an organization’s business value priorities and IT environment. Due to the incompleteness of the security and privacy requirements aiming at analyzing information security risks on SGN through constructing a threat model.No to modeling security threats to applications and to deriving security failure-tolerant requirements from the threats. a holistic analysis and risk assessment is still lacking.

propose threat tree because security expertise. is required to find trees potential attack scenarios. No to increase the security awareness of software engineers by modeling the dynamic behavior of security attacks and integrating it with the functional specifications. No No threat modeling approach uses separate models to represent threats and system behavior Mobile security problem it is difficult for an average analyst to construct adequate trees. and the related researched on to evaluate the security index comprehensive evaluation of of Web service through security the threat modeling and degree from perspectives of Web evaluating the degree of service consumer and Web security service provider is relatively little. templates to help non-expert particularly from an attacker’s analysts to construct threat perspective.No the current Web service security-related studies have mostly been confined to the implementation mechanisms of Web service security. .

and classification of threats No did not identify system components and potential vulnerabilities in the threat model. The problem of security in pervasive computing increases in larger environments. the problem of scalability can be much greater than that of Public Key Infrastructure. Due to non availability of centralized authorize.No No To design a new modelling approach for pervasive computing and ubiquitous networks in order to handle inherit security issues. to employ a flow-based model as an alternative methodology for decomposition and identification. when the users have multiple identities in different security domains and moves from one domain to another domain. to detect and remove security vulnerabilities early in the software lifecycle. No To improve by integrating security requirements analysis with a standard development process . Does not answer the questions such as where the lack of a threat threats come from and what are the model to study privacy issues possible countermeasures in online social networks either.

No to provide architects of privacy-respecting systems with the adequate Privacy by design tools to make objective design decisions about their Existing privacy by design approach services.No most current approaches in security economics still stay at a high-level and lack strong connections to the large volumes of fast-changing provides a strong quantitative internet vulnerabilities and specific method to evaluate the organization’s IT security environment. No to present systematic processes toward threat modeling for storage systems. lack quantification No Due to the increasing complexity of software applications. No to present systematic processes toward threat modeling for storage systems. . which only test and validate software security mechanisms. are To build an improved security becoming ineffective to detect model which detect latent latent software security defects security defects (SSD). traditional function security testing ways. lack of a comprehensive process to designing storage protection solutions. lack of a comprehensive process to designing storage protection solutions.

No scalable threat model quantification method to create numerical models of various threat categories automatically quantitative methods exist but there is no simple way to verify their validity in practice for large-scale infrastructures .

formality exist (in process.tool) Methodology Unified Threat Model Semi formal STRIDE Threat Model / SDL threat modelling tool Semi formal . method.Methodology Type Methodology Name/tools Formal or Semi-Formal At which level in this methodology.

Methodology the LINDDUN methodology Cloud Privacy Threat Modelling Technique Threat Nets Process System Threat Modelling Semi formal .

Methodology Threat Modelling for Security Failure-Tolerant Requirements Semiformal Process Quantitative Threat Modelling Method Semi formal Threat Based Security Analysis for Internet of Things Semi formal Threat Model for smart grid networks Semi formal .

Approach Method A TAINT CHECKING MODEL FOR THREAT RISK ANALYSIS OF MALICIOUS NETWORK APPLICATIONS Threat Tree Templates Semi formal .Method WS-Security Evaluation Model Methodology.

Methodology Threat Modeling in Pervasive Computing Paradigm Methodology FLOWTHING MODEL NETWORK VULNERABILITY RELATION MODEL Framework Privacy Threat Modeling Framework for Online Social Networks Method UMLSec .

Method Threat Modeling method based on Attack Path Analysis (T-MAP) Process CIAA Threat Model Process Data Lifecycle Threat Model Approach / Methodology QUANTITATIVE THREAT MODELING METHODOLOGY FOR PRIVACY-BY-DESIGN Method DEFECTS THREAT TREE MODELING .

Method Threat Model Quantification .

Elicit the threats process . and address the security risks associated with an application (OWASP) Threat Model Threat Model The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.Identify system functions via UML activity diagram 2. quantify.Identify actors and components via use cases and mis-usecases 3. 1-Model the system with DFD 2Map the DFD elements to threat categories 3.Apply STRIDE on these functions a structured approach that enables you to identify.Outcome artifact Threat Identification Threat Modelling Threat Analysis What will be the outcome after modelling the threats What will be the outcome after analyzing the threats What are the proposed step by the methodology to identify the threats Attack paths 1.

Model the system with DFD 2.risk based prioritization privacy enhancing solutions Risk Evaluation Report 1-identify privacy requirements from requirements engineering step 2Take these to design step 3.Threats of DFD elements Privacy threat model Threat Model Privacy Threats (using threat tree patterns) 1.Populate the threat model with identified threats.results in privacy threat model 1.Map Privacy threats to DFD elements 3Identify misusecase scenarios 4.Map according to the cloud architecture 4-evaluation of threats 5. 4Enlist the possible of security controls 5.Input Data Model 2-identify threats with respect to the components 3.elicit privacy requirements 6.Refine .

Determine which applications are with key assets. 5Threats mapping to Find out assets to be protected and risk w.Design class diagram to model the steps in attack 3. 3.Build smart grid framework summary. 2.r.specify security fault-tolerant requirements from these . 5.t DFD 1.Identify attack analysis for each device 4Risk analysis Threats w.Security FailureTolerant use cases 1. Use case description with threat points Attack Path class diagram .identify threat point from these 4.r.Analyze threats according to attributes.Draw data flow diagram.t threat identify the threats damaging the (Tabular form) assets.Analyze data flow diagram. Attack path calculations 1-Vulnerability database 2.Use cases 2.Assign weights to the attack by T-MAP weighting system re-do Threat Model Risk Assessment (Table form) 1-Usecases of internet of things 2Identify potential threat 3.Identify assets from usecases 3. 4.

Perform taint analysis. 4. 3. 2. 5. Threat ModelAttack Tree 1.Perform probabilistic analysis. 5. . 2-Apply STRIDE. 2.Evaluate the ods evaluation risk. 3Analyze on the basis of templates. 4. 5.Construct attack defence tree.Calculate the dos quantized form web service value. 3.Threat Model 1-DFD. 4Quantized calculate the dos evaluation of web Reference index of services providers.evaluate attack Attack-Defense tree defence tree Threat Tree 1.Quantize degree of web service security.Threat tree from dfd.DFD.Construct attack trees. 4.System description.Refine templates by using keywords.

Create model.Modified DFD Modified DFD Threat Model(using petri net) Graph Threat Model Model Threat Table(likelihood.OO analysis of domain. 4.Define attack rule set. 2. 4. 6Perform analysis using Dijkstra algo 1.Quantification of each index of attack threat. impact.Apply methodology steps Threat Model 1. 2Identify triggered states wrt state transition diagrams. 3.Threat Model 1. 2-Direct and indirect attacks.System description using DFD.Prioritize the threats . 2. prioritization 1. 3-Apply stride classes. 3. 5Modeling using petri-nets.Definition of attack threat.Study system's vulnerabilities under six security aspects.Data flow models. 4.

confidentiality. 4-Identify misusecase scenarios. authentication . output + detail (apply ciaa on each) Threat Model (Attack Tree) Quantified Risk Table 1.Modeling by attack path(algo) re-do Threat Model Organize threats under categories.Vulnerability database .Identify security defects of each data element. availability. 3-Build defect threat tree.Generate test sequence . 3Attribute Ranking (0 to 1 depends on organization's req) 4. 2. 4. Data Reception + detail. 5-Risk based quantification DFD Defect Threat Tree Test sequences on the basis of threat tree 1-DFD. 2-Attack path UML Model(Class diagram). 3Map S&P threats to DFD. physical Threat Model Data creation + detail.Use case(For S&P Req) . integrity. 2-DFD.Threat Model(Graph) Attack path calculations 1.

3Model all possible attack paths on that basis. 2-create state based model of network .Qualitative threat model(Attack paths) Quantitative threat model 1-Obtain n/w topology . 5Quantified model using MDP . 4-Apply MDP.

Attacker centric Protocol Centric .