
Risk-driven security testing using risk analysis with threat modeling approach.

Authors

Palanivel Maragathavalli, Selvadurai Kanmani

Affiliation

Department of Information Technology, Pondicherry Engineering College, Puducherry, India.

Publication

Springerplus. 2014 Dec 19;3:754. doi: 10.1186/2193-1801-3-754. eCollection 2014.

DOI:10.1186/2193-1801-3-754
PMID:25674480
Full text: https://pmc.ncbi.nlm.nih.gov/articles/PMC4320241/
Abstract

Security testing is the process of determining the risks present in a system's states and protecting those states against vulnerabilities. Conventional security testing, however, does not give threat modeling and risk analysis due weight at the same time, which affects the confidentiality and integrity of the system. Risk analysis covers the identification, evaluation and assessment of risks; threat modeling identifies the threats associated with the system. Risk-driven security testing feeds risk analysis results into test case identification, selection and assessment in order to prioritize and optimize the testing process. The STRIDE threat modeling approach is commonly used to identify both technical and non-technical threats present in a system. This paper therefore proposes a security testing mechanism that uses risk analysis results obtained with STRIDE to identify high-risk states. The risk metrics considered for testing are risk impact, risk possibility and risk threshold, where the risk threshold value is directly proportional to risk impact and risk possibility. Risk-driven security testing yields a reduced test suite, which in turn reduces test case selection time, and risk analysis optimizes the test case selection and execution process. For the experiments, the system models LMS, ATM, OBS, OSS and MTRS are considered. The performance of the proposed approach is analyzed using Test Suite Reduction Rate (TSRR) and FSM coverage: TSRR varies from 13.16% to 21.43%, while FSM coverage reaches up to 91.49%. The results show that the proposed method, which combines risk analysis with threat modeling, identifies high-risk states and thereby improves testing efficiency.
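As an added illustration of the selection loop the abstract describes (this is not the authors' code, and the paper's actual models and formulas are not reproduced on this page), the following Python sketch builds a small hypothetical ATM finite-state machine, tags each state with assumed STRIDE threat categories and assumed 1..5 impact and possibility scores, scores risk as impact times possibility (an assumption: the abstract only says the threshold is proportional to both), keeps the test cases (transitions) that enter or leave a state at or above the threshold, and reports TSRR and FSM state coverage for the reduced suite. All state names, scores and transitions are constructed for the example.

```python
"""Risk-driven test-suite reduction over a toy FSM (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# STRIDE categories used to tag the threats identified on each state.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass(frozen=True)
class State:
    name: str
    threats: Tuple[str, ...]   # STRIDE categories found on this state (assumed)
    impact: int                # risk impact, assumed 1..5 scale
    possibility: int           # risk possibility, assumed 1..5 scale

    def __post_init__(self) -> None:
        unknown = set(self.threats) - set(STRIDE)
        if unknown:
            raise ValueError(f"not a STRIDE category: {sorted(unknown)}")

    def risk(self) -> int:
        # Assumption: risk score = impact x possibility. The abstract only says
        # the threshold is proportional to both; the exact formula is not given here.
        return self.impact * self.possibility


Transition = Tuple[str, str, str]  # (source state, target state, event); one test case each

# Constructed, hypothetical ATM model. Scores are illustrative, not measured.
ATM_STATES: Dict[str, State] = {s.name: s for s in (
    State("Idle", (), 1, 1),
    State("CardInserted", ("Spoofing",), 3, 2),
    State("PinEntry", ("Spoofing", "Information disclosure"), 5, 4),
    State("Authenticated", ("Elevation of privilege",), 5, 2),
    State("Withdraw", ("Tampering", "Repudiation"), 5, 3),
    State("BalanceInquiry", ("Information disclosure",), 3, 2),
    State("Dispense", ("Tampering", "Denial of service"), 4, 3),
    State("EjectCard", (), 1, 2),
    State("Locked", ("Denial of service",), 2, 3),
)}

ATM_TRANSITIONS: List[Transition] = [
    ("Idle", "CardInserted", "insert_card"),
    ("CardInserted", "PinEntry", "read_card"),
    ("CardInserted", "EjectCard", "invalid_card"),
    ("PinEntry", "Authenticated", "pin_ok"),
    ("PinEntry", "PinEntry", "pin_retry"),
    ("PinEntry", "Locked", "pin_failed_3x"),
    ("Authenticated", "Withdraw", "select_withdraw"),
    ("Authenticated", "BalanceInquiry", "select_balance"),
    ("Authenticated", "EjectCard", "cancel"),
    ("Withdraw", "Dispense", "amount_ok"),
    ("Withdraw", "Authenticated", "insufficient_funds"),
    ("BalanceInquiry", "Authenticated", "show_balance"),
    ("Dispense", "EjectCard", "cash_taken"),
    ("EjectCard", "Idle", "card_removed"),
    ("Locked", "Idle", "retain_card"),
]


def high_risk_states(states: Dict[str, State], threshold: int) -> Set[str]:
    """States whose risk score meets the threshold (the abstract's 'high-risk states')."""
    return {name for name, s in states.items() if s.risk() >= threshold}


def reduce_suite(transitions: List[Transition], risky: Set[str]) -> List[Transition]:
    """Keep only the test cases that enter or leave a high-risk state."""
    return [t for t in transitions if t[0] in risky or t[1] in risky]


def tsrr(original: List[Transition], reduced: List[Transition]) -> float:
    """Test Suite Reduction Rate in percent: share of test cases dropped."""
    return 100.0 * (len(original) - len(reduced)) / len(original)


def fsm_coverage(states: Dict[str, State], suite: List[Transition]) -> float:
    """Percentage of FSM states touched by at least one kept test case."""
    touched = {s for t in suite for s in t[:2]}
    return 100.0 * len(touched) / len(states)


def run(threshold: int) -> dict:
    """Apply the threshold and return the reduced suite with its two metrics."""
    risky = high_risk_states(ATM_STATES, threshold)
    reduced = reduce_suite(ATM_TRANSITIONS, risky)
    return {
        "risky": risky,
        "reduced": reduced,
        "tsrr": round(tsrr(ATM_TRANSITIONS, reduced), 2),
        "coverage": round(fsm_coverage(ATM_STATES, reduced), 2),
    }


if __name__ == "__main__":
    for thr in (6, 10, 15):
        r = run(thr)
        print(f"threshold={thr:2d} risky={sorted(r['risky'])}")
        print(f"  suite {len(ATM_TRANSITIONS)} -> {len(r['reduced'])} cases, "
              f"TSRR={r['tsrr']}%, FSM coverage={r['coverage']}%")
```

Lowering the threshold admits more states, so fewer test cases are dropped (lower TSRR) and more of the FSM is exercised (higher coverage); the abstract's reported pair (TSRR 13.16% to 21.43% against FSM coverage up to 91.49%) is this trade-off tuned on the paper's five models. A state that no kept transition reaches, such as Idle at threshold 10 in this toy model, is what FSM coverage below 100% means, and it is the check a practitioner should run before accepting a reduced suite: an untouched state is untested, not safe.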

Similar articles

1
Threat driven modeling framework using petri nets for e-learning system.
Springerplus. 2016 Apr 14;5:446. doi: 10.1186/s40064-016-2101-0. eCollection 2016.
2
Modeling Threats to AI-ML Systems Using STRIDE.
Sensors (Basel). 2022 Sep 3;22(17):6662. doi: 10.3390/s22176662.
3
AbSRiM: An Agent-Based Security Risk Management Approach for Airport Operations.
Risk Anal. 2019 Jul;39(7):1582-1596. doi: 10.1111/risa.13278. Epub 2019 Feb 5.
4
A Framework for Cybersecurity Requirements Management in the Automotive Domain.
Sensors (Basel). 2023 May 22;23(10):4979. doi: 10.3390/s23104979.
5
Securing Cloud-Assisted Connected and Autonomous Vehicles: An In-Depth Threat Analysis and Risk Assessment.
Sensors (Basel). 2023 Dec 31;24(1):241. doi: 10.3390/s24010241.
6
Identifying changing aviation threat environments within an adaptive Homeland Security Advisory System.
Risk Anal. 2012 Feb;32(2):319-29. doi: 10.1111/j.1539-6924.2010.01656.x. Epub 2011 Jul 30.
7
Ffuzz: Towards full system high coverage fuzz testing on binary executables.
PLoS One. 2018 May 23;13(5):e0196733. doi: 10.1371/journal.pone.0196733. eCollection 2018.
8
An Adaptive, Situation-Based Risk Assessment and Security Enforcement Framework for the Maritime Sector.
Sensors (Basel). 2021 Dec 29;22(1):238. doi: 10.3390/s22010238.
9
Security threat assessment of an Internet security system using attack tree and vague sets.
ScientificWorldJournal. 2014;2014:506714. doi: 10.1155/2014/506714. Epub 2014 Oct 21.
