Threat Assessment of Enterprise Applications via Graphical Modelling


Abstract

Cyber resiliency has been a very challenging engineering research problem. Several case studies have assessed the cyber resiliency of enterprise business applications through the application of attack graphs. The challenge of automation lies in extracting, from a general business enterprise system, the distinct layers (asset layer, service layer, business process task layer, etc.) so that the task dependencies can be integrated with a formal vulnerability specification to arrive at attack graphs. In this paper, we develop a model for threat analysis of an enterprise from a set of given vulnerabilities in various layers of the business process. Starting from the business process model (BPMN) of the given enterprise, we first obtain its task dependency graph and then the hierarchical dependency graph consisting of the asset, service and business process layers. From the graphical dependency graph and the vulnerability specifications, we obtain a logical specification of vulnerability/threat propagation for deriving multi-step, multi-stage attacks using MulVAL (MulVAL: http://people.cs.ksu.edu/xou/argus/software/mulval). The attack graph generated by MulVAL is imported into the graph database Neo4j so that an online/real-time, flexible analysis of vulnerability/threat propagation can be done. We further demonstrate how, with additional inputs, it is possible to realize risk analysis of the system. Thus, our integrated model makes threat analysis both reconfigurable and scalable. We illustrate the application of our approach to enterprise systems and the power of graphical modeling for the analysis of threat assessments of business enterprise applications. This in turn allows the use of various mitigation techniques for controlling the propagation of threats/vulnerabilities.

Bilur, M., Gari, A., & Shyamasundar, R. K. (2019). Threat Assessment of Enterprise Applications via Graphical Modelling. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11928 LNCS, pp. 146–166). Springer. https://doi.org/10.1007/978-3-030-36938-5_9
