Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime
Christos Tsigkanos (1), Liliana Pasquale (2), Claudio Menghi (1), Carlo Ghezzi (1), Bashar Nuseibeh (2,3)
(1) Politecnico di Milano, (2) Lero, (3) The Open University
Motivation
Engineering adaptive security systems that continue to protect critical assets in the face of changes in their operational environment.
(Figure: the MAPE loop, Monitoring, Analysis, Planning and Execution, running over the Environment (Topology), the System with its Security Controls, and the Security Requirements.)
Topology
Structure of space; location of objects and agents.
• Proximity
• Reachability
Physical Topology
Structure of space; location of objects and agents.
• Proximity
• Reachability
Containment: into physical areas.
Placement: of physical objects and agents.
Proximity: colocation in the same physical area.
Reachability: accessibility of a physical agent/object to physical areas/objects.
Topology Helps Identify Relevant Security Concerns
Security Concern | Topological Concept
Assets | Agent, Object
Threat | Agent
Attack | Topology Structure and Relationships
Vulnerability | Characteristic of an object or area
Security Control | Location of assets and vulnerabilities
Example security control: forbid access to O6.
… But Topology Changes
Topology changes determined by the movements of agents and assets may facilitate different attacks and render the enabled security controls ineffective.
Topology Changes Examples (1/2)
Topology change: Bob enters office O6.
Potential threat: Eve can access O6 and eavesdrop on the safe's key code.
Topology Changes Examples (2/2)
Topology change: a valuable server is placed in office O2.
Potential threat: Mallory can tamper with the server.
Topology Aware Adaptive Security
How to engineer the activities of the MAPE loop so that security controls are reconfigured at runtime when the topology changes.
Engineering Topology Aware Adaptive Security
Modeling the Topology of the Environment
Ambient Calculus … how do we use it?
For example: A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]
• Locations, agents and assets are specific kinds of ambients
• Agents can move spontaneously, depending on their current location
Monitoring
The topology model is updated after changes in the environment are detected.
For example, if Eve moves to room O6:
A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]  becomes  A2[ Bob | O5 | O6[ Eve | Safe ] | O7 ]
Threat Analysis
Identify violations of security requirements that can take place in future evolutions of the topology model.
1. Generation of future topological configurations
2. Identification of security requirements violations
Generation of Future Topological Configurations
(Figure: the future topological configurations generated from the current model.)
Specifying Requirements
Computation Tree Logic (CTL)
• Branching-time logic
• Semantics in terms of states and paths
For example: never Bob with another agent in room O6.
Identification of Requirements Violations
Security Requirement: never Bob with another agent in room O6 (figure: the violating states on the LTS).
Planning
Select security controls that prevent security requirements violations.
Remove future paths of execution that should not be reached:
– Progressively pruning the LTS until no violating states remain
– Ensuring satisfaction of other requirements
(Figures: the LTS with pruned transitions marked X, and the functional requirement that must remain satisfied after pruning.)
Execution
Revoke from agents the permission to access specific areas, depending on the pruned LTS transitions.
In our example …
Pruned LTS transition: <Eve in O6>
Security control: revoke from Eve access to O6
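The MAPE steps above (modeling the topology as ambients, monitoring a move, generating future configurations, checking the CTL requirement, pruning the LTS and revoking access) carried through in Python on the slides' Eve/Bob/O6 example. This is an added illustration, not the authors' prototype: the containment tree, the one-step move semantics, the functional requirement that Bob must still be able to reach O6, the candidate-selection heuristic in plan(), and all function names are assumptions.

```python
"""Topology-aware adaptive security on the slides' running example (added illustration).
Assumed: one area A2 containing offices O5, O6, O7; the Safe in O6; agents Eve and Bob
who move one step at a time into a child area or out to the parent; and a functional
requirement (not on the slides) that Bob must still be able to reach O6."""
from collections import deque

# ---- Environment model: containment tree, static assets, mobile agents ----
AREAS = {"A2": ["O5", "O6", "O7"], "O5": [], "O6": [], "O7": []}
PARENT = {child: area for area, kids in AREAS.items() for child in kids}
OBJECTS = {"Safe": "O6"}
AGENTS = ("Eve", "Bob")            # a state is a tuple of areas in this order
INITIAL = ("A2", "A2")             # A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]

def locations(state):
    return dict(zip(AGENTS, state))

def render(state):
    """Write a configuration in the ambient-calculus notation used on the slides."""
    locs = locations(state)
    def ambient(area):
        parts = [a for a in AGENTS if locs[a] == area]
        parts += [o for o, loc in OBJECTS.items() if loc == area]
        parts += [ambient(child) for child in AREAS[area]]
        return f"{area}[ {' | '.join(parts)} ]" if parts else area
    return ambient("A2")

# ---- Monitoring: update the model when a movement is detected ----
def monitor(state, agent, area):
    locs = locations(state)
    locs[agent] = area
    return tuple(locs[a] for a in AGENTS)

# ---- Analysis, step 1: generate future configurations as an LTS ----
def moves(state, revoked):
    """One agent enters a child area or exits to the parent, unless a deployed
    control in `revoked` (a set of (agent, area) pairs) forbids entering that area."""
    for i, agent in enumerate(AGENTS):
        here = state[i]
        targets = list(AREAS[here]) + ([PARENT[here]] if here in PARENT else [])
        for target in targets:
            if (agent, target) not in revoked:
                nxt = list(state)
                nxt[i] = target
                yield (agent, target), tuple(nxt)

def build_lts(initial, revoked=frozenset()):
    """Breadth-first exploration of every configuration reachable from `initial`;
    returns {state: [(label, successor), ...]} with labels (agent, entered area)."""
    lts, frontier = {}, deque([initial])
    while frontier:
        s = frontier.popleft()
        if s in lts:
            continue
        lts[s] = list(moves(s, revoked))
        frontier.extend(t for _, t in lts[s])
    return lts

# ---- Analysis, step 2: check CTL requirements over the reachable LTS ----
def bob_not_alone_in_o6(state):
    """Bad state of the security requirement AG not(Bob in O6 and another agent in O6)."""
    locs = locations(state)
    return locs["Bob"] == "O6" and any(locs[a] == "O6" for a in AGENTS if a != "Bob")

def bob_in_o6(state):
    """Goal state of the assumed functional requirement EF (Bob in O6)."""
    return locations(state)["Bob"] == "O6"

def holds_ag_not(lts, bad):
    return not any(bad(s) for s in lts)      # AG !bad: no reachable bad state

def holds_ef(lts, good):
    return any(good(s) for s in lts)         # EF good: some reachable good state

def threat_analysis(state):
    """Future configurations, in ambient notation, that violate the security requirement."""
    return sorted(render(s) for s in build_lts(state) if bob_not_alone_in_o6(s))

# ---- Planning: prune the LTS until no violating state is reachable ----
def plan(initial, bad=bob_not_alone_in_o6, good=bob_in_o6):
    """Progressively revoke entry moves leading into violating states, keeping only
    controls under which the functional requirement still holds (assumed heuristic)."""
    revoked = set()
    while True:
        lts = build_lts(initial, revoked)
        violating = {s for s in lts if bad(s)}
        if not violating:
            return revoked
        candidates = sorted({lab for s in lts for lab, t in lts[s] if t in violating})
        for cand in candidates:
            if holds_ef(build_lts(initial, revoked | {cand}), good):
                revoked.add(cand)
                break
        else:
            raise RuntimeError("no control preserves the functional requirement")

# ---- Execution: pruned transitions become access-revocation controls ----
def execute(revoked):
    return [f"Revoke from {agent} access to {area}" for agent, area in sorted(revoked)]
```

Revoking Bob's own access to O6 would also remove the violating state but breaks the assumed functional requirement, which is why plan() settles on revoking Eve's access, matching the control on the slide.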
Evaluation
Applicability: prototype realisation
– Analysis
• Ambient Calculus model checking
• Domain-specific heuristics
– Planning
• Security controls selection
Expressiveness
✓ Permission
✓ Prohibition
X Obligation
X Dispensation
Conclusion & Future Work
Conclusion
A systematic approach to engineering adaptive security systems:
– Formal representation of the physical topology
– Identification of security requirements violations by model checking
– Selection of security controls that prevent violations of security requirements
Future Work
• Investigate applicability to Cyber-Physical Systems
• Further evaluate the approach with practitioners
Questions?
Editor's Notes

  1. This work was done in collaboration with researchers from Politecnico di Milano: … and with Bashar Nuseibeh from Lero and the Open University
  2. The main challenge our work tries to address is to engineer adaptive security systems that continue to protect critical assets in the face of changes in their operational environment. They do so by performing the activities of the MAPE adaptation loop. In particular, adaptive security systems monitor and analyse their operational environment in order to detect possible future violations of security requirements, and then identify and deploy security controls aimed at preventing the potential violations identified during the analysis. Incorporating an explicit representation of the environment's topology enables reasoning about both structural and semantic awareness of important contextual characteristics that can affect security concerns, and therefore engineering more effective adaptive security systems.
  3. In a general sense, topology refers to the study of shapes and spaces, including properties such as connectedness and boundary. Make it clear that topology represents the structure of the space plus some additional properties. Remember to mention that space can be both physical and digital.
  4. For this paper we focused on physical topologies. Here is an example floor plan of a university building, with areas, rooms, agents and objects. A representation of the topology identifies the structure of space and the location of objects and agents in that space. A physical topology represents the location of physical agents (e.g., humans, robots) and objects in a physical environment (e.g., a building) and their structural relationships (e.g., agent-object proximity). The figure shows a representation of the physical topology of a corporate building that is composed of rooms R1, R2 and R3. This topology also represents physical objects, such as lab equipment (e.g., microscope M) and a desktop (D) located in rooms R2 and R3 respectively, and human agents such as a visitor (V) and an employee (E). In this example, a containment relationship exists when an area contains objects/agents (e.g., room R1 contains agents V and E) or when an area belongs to a larger one (e.g., the building belongs to a specific department). A proximity relationship identifies the distance between two agents/objects, or simply whether they are co-located in the same area; here the visitor is co-located with the employee. A reachability relationship expresses whether an agent can access another area, or reach an object, from a specific location: room R2 can be accessed by the employee and the visitor who are in room R1, and M can be reached by the agents who are in room R2. For a physical topology, reaching an object always requires agent-object proximity.
  10. Threats can arise from malicious agents. Attacks are actions performed by an agent to harm an asset, exploiting the topology structure and relationships. Security controls depend on the location of assets and vulnerabilities. Vulnerabilities are capabilities offered by a physical/digital object that can be exploited by a malicious agent to harm an asset. Taking into account the topology of an operational environment can radically change the way we identify security concerns when engineering secure systems. Some security concerns, such as vulnerabilities, threats and attacks, can also depend on the locations of human and software agents, who can harm valuable assets placed in their vicinity. Threats can arise from malicious agents, while attack vectors represent the possible sequences of actions that an agent can perform to harm an asset, depending on the topology structure and relationships. Vulnerabilities can be considered as capabilities offered by a physical or digital object, which can be exploited to harm an asset. The current topology state indicates when a vulnerability can be exploited: for example, when an agent is co-located with the vulnerable object and has the capability to exploit it.
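The floor plan of note 4 and the exploitability condition of note 10, encoded in Python as an added example (this is not code from the paper or its prototype): a containment tree with placement, proximity and reachability queries, where reaching an object requires co-location and a vulnerability counts as exploitable only when a co-located agent holds a matching capability. The department root, the door between R2 and R3, and the `usb` capability/vulnerability tags are assumptions not stated in the notes.

```python
"""Added example, not from the paper: physical topology with containment,
proximity and reachability queries over the R1/R2/R3 floor plan."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    kind: str                            # "area", "agent" or "object"
    parent: str | None = None            # enclosing area (None for the root)
    tags: frozenset[str] = frozenset()   # agent capabilities / object vulnerabilities


class Topology:
    """Containment tree of areas, agents and objects plus a door graph between areas."""

    def __init__(self) -> None:
        self.nodes: dict[str, Node] = {}
        self.doors: set[frozenset[str]] = set()

    def add(self, name: str, kind: str, parent: str | None = None, tags=()) -> None:
        if parent is not None and self.nodes[parent].kind != "area":
            raise ValueError(f"{parent} is not an area")
        self.nodes[name] = Node(name, kind, parent, frozenset(tags))

    def door(self, a: str, b: str) -> None:
        """Two areas an agent can pass between directly."""
        self.doors.add(frozenset((a, b)))

    def area_of(self, name: str) -> str | None:
        """Placement: the innermost area holding an agent or object."""
        return self.nodes[name].parent

    def contains(self, area: str, name: str) -> bool:
        """Containment, transitively: is `name` anywhere inside `area`?"""
        cur = self.nodes[name].parent
        while cur is not None:
            if cur == area:
                return True
            cur = self.nodes[cur].parent
        return False

    def colocated(self, a: str, b: str) -> bool:
        """Proximity: both are placed in the same innermost area."""
        return self.area_of(a) is not None and self.area_of(a) == self.area_of(b)

    def can_access(self, agent: str, area: str) -> bool:
        """Reachability of an area: a door joins the agent's current area to it."""
        return frozenset((self.area_of(agent), area)) in self.doors

    def can_reach(self, agent: str, obj: str) -> bool:
        """Reachability of an object: in a physical topology this requires proximity."""
        return self.colocated(agent, obj)

    def exploitable(self, agent: str, obj: str) -> bool:
        """A vulnerability of `obj` is exploitable now if the agent can reach the
        object and holds a capability matching one of the object's vulnerabilities."""
        a, o = self.nodes[agent], self.nodes[obj]
        return self.can_reach(agent, obj) and bool(a.tags & o.tags)

    def move(self, agent: str, area: str) -> None:
        """Relocate an agent; refused unless the area is reachable from where it stands."""
        if not self.can_access(agent, area):
            raise PermissionError(f"{agent} cannot enter {area} from {self.area_of(agent)}")
        self.nodes[agent].parent = area


def floor_plan() -> Topology:
    """The R1/R2/R3 layout from the notes. The R2-R3 door and the tags are assumptions."""
    t = Topology()
    t.add("Dept", "area")
    t.add("Building", "area", "Dept")
    for room in ("R1", "R2", "R3"):
        t.add(room, "area", "Building")
    t.add("V", "agent", "R1", tags={"usb"})    # visitor carrying a USB drive (assumed)
    t.add("E", "agent", "R1")                  # employee
    t.add("M", "object", "R2")                 # microscope
    t.add("D", "object", "R3", tags={"usb"})   # desktop with an exposed USB port (assumed)
    t.door("R1", "R2")
    t.door("R2", "R3")
    return t
```

With the plan as built, V and E are co-located in R1, both can access R2 but not R3, and V cannot reach M or exploit D. Moving V through R2 into R3 makes D exploitable, while E, still in R1, has no path to D that does not pass a door check; `move` refuses any step that `can_access` does not allow.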
  15. The Ambient Calculus is a process algebra with a special focus on mobility [6]. An ambient is an abstract entity that can model different elements both in a physical space (e.g., agents and locations) and in a digital space (e.g., programming scopes and variables) [17]. Ambients reside in a hierarchy of locations and form a tree structure that is dynamically reconfigured when they exercise a set of capabilities (actions), such as in, out and open. In this work, a fragment of the Ambient Calculus is considered in which the communication primitives and the open capability are neglected.
  20. A Labelled Transition System (LTS) [9] is a modelling formalism used to describe systems and their evolution in terms of states and transitions.
  23. It is a branching-time logic characterised by state and path formulae. State formulae are specified over a set of atomic propositions, while path formulae are quantified to hold on at least one path or on all paths.