Adaptive security systems aim to protect critical
assets in the face of changes in their operational environment. We have argued that incorporating an explicit representation of the environment’s topology enables reasoning on the location of assets being protected and the proximity of potentially harmful agents. This paper proposes to engineer topology aware adaptive security systems by identifying violations of security requirements that may be caused by topological changes, and selecting a set of security controls that prevent such violations. Our approach
focuses on physical topologies; it maintains at runtime a live
representation of the topology which is updated when assets
or agents move, or when the structure of the physical space
is altered. When the topology changes, we look ahead at a
subset of the future system states. These states are reachable when the agents move within the physical space. If security requirements can be violated in future system states, a configuration of security controls is proactively applied to prevent the system from reaching those states. Thus, the system continuously adapts to topological stimuli, while maintaining requirements satisfaction. Security requirements are formally expressed using a propositional temporal logic, encoding spatial properties in Computation Tree Logic (CTL). The Ambient Calculus is used to represent the topology of the operational environment - including location of assets and agents - as well as to identify future system states that are reachable from the current one. The approach is demonstrated and evaluated using a substantive example concerned with physical access control.
Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime
1. Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime
Christos Tsigkanos (1), Liliana Pasquale (2), Claudio Menghi (1), Carlo Ghezzi (1), Bashar Nuseibeh (2,3)
(1) Politecnico di Milano, (2) Lero, (3) The Open University
2. Motivation
Engineering adaptive security systems that continue to protect critical assets in the face of changes in their operational environment.
[Figure: MAPE loop (Monitoring, Analysis, Planning, Execution) linking the Environment (Topology), the System, Security Controls and Security Requirements]
3. Topology
Structure of space
Location of objects and agents
• Proximity
• Reachability
4. Physical Topology
Structure of space
Location of objects and agents
• Proximity
• Reachability
Containment: into physical areas.
Placement: of physical objects and agents.
Proximity: colocation in the same physical area.
Reachability: accessibility of a physical agent/object to physical areas/objects.
10. Topology Helps Identify Relevant Security Concerns
Security Concern   Topological Concept
Assets             Agent, Object
Threat             Agent
Attack             Topology Structure and Relationships
Vulnerability      Characteristic of an object or area
Security Control   Location of assets and vulnerabilities
(Floor-plan annotation on the last build of the slide: forbid access to O6.)
15. … But Topology Changes
Topology changes determined by agents/assets
movements may facilitate different attacks and
render enabled security controls ineffective.
16. Topology Changes Examples (1/2)
Topology change: Bob enters office O6
Potential threat: Eve can access O6 and eavesdrop on the safe's key code
18. Topology Changes Examples (2/2)
Topology change: a valuable server is placed in office O2
Potential threat: Mallory can tamper with the server
20. Topology Aware Adaptive Security
How to engineer the activities of the MAPE loop
to reconfigure security controls at runtime when
topology changes
22. Modeling the Topology of the Environment
Ambient Calculus
… how do we use it?
For Example: A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]
• Locations, Agents and Assets are specific kinds of Ambients
• Agents can move spontaneously depending on their current location
24. Monitoring
The topology model is updated after changes
in the environment are detected.
For Example: if Eve moves to room O6
A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]
A2[ Bob | O5 | O6[ Eve | Safe ] | O7 ]
26. Threat Analysis
Identify violations of security
requirements that can take place in future
evolutions of the topology model.
1. Generation of future topological configurations
2. Identification of security requirements violations
31. Specifying Requirements
Computation Tree Logic
• Branching time logic
• Semantics in terms of states and paths
For example: Never Bob with another agent in room O6
34. Planning
Select security controls that prevent security requirements violations
Remove future paths of execution that should not be reached
– Progressively pruning the LTS until violating states no longer exist
– Ensuring satisfaction of other requirements
40. Execution
Revoke from agents the permission to access specific areas, depending on the pruned LTS transitions
In our example …
Pruned LTS Transition: <Eve in O6>
Security Control: Revoke from Eve access to O6
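The whole loop of slides 22 to 40 on the running example, as an added Python example (not the authors' tool): it parses the Ambient Calculus term of slide 22, applies the monitored move of slide 24, explores the look-ahead LTS of slide 26, checks the requirement of slide 31 on every state, prunes transitions as in slide 34, and returns the transitions to revoke, which slide 40 maps to access revocations. The agent and location sets, the depth bound, and the `keep` set (moves that other requirements demand stay permitted, here Bob entering his own office) are assumptions.

```python
# Toy topology-aware adaptive security loop (constructed example, not the authors' tool).
from collections import deque, namedtuple
import re

AGENTS = {"Eve", "Bob"}               # constructed: ambients that can move
LOCATIONS = {"A2", "O5", "O6", "O7"}  # constructed: ambients that agents may enter
Ambient = namedtuple("Ambient", "name children", defaults=[()])

def parse(text):
    """Parse 'A2[ Eve | Bob | O6[ Safe ] ]' into a tree; a bare name is a leaf ambient."""
    toks = re.findall(r"\w+|[\[\]|]", text)[::-1]   # reversed: pop() gives next token
    def ambient():
        name, kids = toks.pop(), []
        if toks and toks[-1] == "[":
            toks.pop()
            while True:
                kids.append(ambient())
                if toks.pop() == "]":     # otherwise '|' separates the next sibling
                    break
        return Ambient(name, tuple(kids))
    return ambient()

def show(a):
    """Canonical text (children sorted by name) so equal topologies compare equal."""
    kids = " | ".join(show(c) for c in sorted(a.children))
    return f"{a.name}[ {kids} ]" if a.children else a.name

def walk(a, parent=None, gp=None):   # yields (grandparent, parent, node) for each ambient
    yield gp, parent, a
    for c in a.children:
        yield from walk(c, a, parent)

def remove(a, name):                 # tree without the ambient called `name`
    return Ambient(a.name, tuple(remove(c, name) for c in a.children if c.name != name))

def insert(a, where, node):          # tree with `node` added inside the ambient `where`
    if a.name == where:
        return Ambient(a.name, a.children + (node,))
    return Ambient(a.name, tuple(insert(c, where, node) for c in a.children))

def moves(state):
    """Enabled 'in'/'out' capabilities of each agent ('open' is not modelled)."""
    out = []
    for gp, parent, node in walk(state):
        if node.name not in AGENTS or parent is None:
            continue
        rest = remove(state, node.name)
        for sib in parent.children:
            if sib.name in LOCATIONS:     # 'in sib': enter a sibling location
                out.append((f"{node.name} in {sib.name}", insert(rest, sib.name, node)))
        if gp is not None:                # 'out parent': leave the enclosing location
            out.append((f"{node.name} out {parent.name}", insert(rest, gp.name, node)))
    return out

def step(state, label):
    """Monitoring: apply an observed move such as 'Eve in O6' to the live model."""
    return dict(moves(state))[label]      # KeyError if the move is not enabled

def violates(state):
    """Slide 31's requirement, AG !(Bob in O6 with another agent), as a state check."""
    for _, _, node in walk(state):
        if node.name == "O6":
            here = {c.name for c in node.children if c.name in AGENTS}
            return "Bob" in here and len(here) > 1
    return False

def explore(init, depth, blocked=frozenset()):
    """Look-ahead LTS up to `depth` moves; transitions with a blocked label are pruned."""
    states, trans, queue = {show(init): init}, [], deque([(init, 0)])
    while queue:
        s, d = queue.popleft()
        for label, t in (moves(s) if d < depth else []):
            if label not in blocked:
                trans.append((show(s), label, show(t)))
                if show(t) not in states:
                    states[show(t)] = t
                    queue.append((t, d + 1))
    return states, trans

def plan(init, depth, keep=frozenset()):
    """Prune the LTS until no violation is reachable; `keep` moves stay permitted (other requirements)."""
    blocked = set()
    while True:
        states, trans = explore(init, depth, frozenset(blocked))
        cut = {k for k, s in states.items() if violates(s)}
        if not cut:
            return sorted(blocked)            # each label is a transition to revoke
        size = -1
        while size != len(cut):               # fixpoint: back up over kept moves
            size = len(cut)
            cut |= {src for src, label, dst in trans if dst in cut and label in keep}
        if show(init) in cut:
            raise RuntimeError("violation unavoidable without revoking a kept move")
        blocked |= {label for _, label, dst in trans if dst in cut and label not in keep}
```

With `keep={"Bob in O6"}` the planner returns only `["Eve in O6"]`, the transition whose revocation is the control on slide 40; without `keep` it would also revoke Bob's own access to O6, which is why the other requirements must be part of the pruning.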
41. Evaluation
Applicability
Prototype Realisation
– Analysis
• Ambient Calculus model checking
• Domain-specific heuristics
– Planning
• Security controls selection
Expressiveness
– Permission
– Prohibition
– X Obligation
– X Dispensation
42. Conclusion & Future Work
Conclusion
A systematic approach to engineer adaptive security systems
– Formal representation of the physical topology
– Identification of security requirements violations by model checking
– Selection of security controls that prevent violations of security requirements
Future Work
• Investigate applicability to Cyber-Physical Systems
• Further evaluate the approach with practitioners
This work was done in collaboration with researchers from Politecnico di Milano: … and with Bashar Nuseibeh from Lero and the Open University
The main challenge our work tries to address is to engineer adaptive security systems that continue to protect critical assets in the face of changes in their operational environment.
They do so by performing the activities of the MAPE adaptation loop. In particular, adaptive security systems monitor and analyse their operational environment in order to detect possible future violations of security requirements and identify and deploy
security controls aimed to prevent the potential violations identified during the analysis.
Incorporating an explicit representation of the environment's topology enables reasoning about both structural and semantic awareness of important contextual characteristics that can affect security concerns, and therefore engineering more effective adaptive security systems.
In a general sense, topology refers to the study of shapes and spaces, including properties such as connectedness and boundary
Make it clear that topology represents the structure of the space plus some additional properties.
Remember to mention that space can be both physical and digital
For this paper we focused on physical topologies.
Here is an example of a floor plan of a university building, where we have areas, rooms, agents and objects.
A representation of the topology identifies the structure of space and the location of objects and agents in that space. A physical topology represents the
location of physical agents (e.g., humans, robots) and objects in a physical environment (e.g., a building) and their structural relationships
(e.g., agents-objects proximity). Figure ?? shows a representation of the physical topology of a
corporate building that is composed of rooms R1, R2 and R3. This
topology also represents physical objects, such as lab equipment
(e.g., microscope M) and a desktop (D) that are located in rooms R2
and R3, respectively, and human agents such as a visitor (V) and
an employee (E). In this example, a containment relationship exists
if an area contains objects/agents (e.g., room R1 contains agents V
and E, or the building belongs to a specific department). A proximity
relationship identifies the distance between two agents/objects
or whether these are simply co-located in the same area. In this
example, a visitor is co-located with an employee. A reachability
relationship expresses if an agent can access another area or reach
an object from a specific location. For example, room R2 can be
accessed by the employee and the visitor who are in room R1, or M
can be reached by those agents who are in room R2. For a physical
topology, accessibility always requires agents-objects proximity.
Here is an example of a physical topology; explain each element exactly!
Threats can arise from malicious agents.
Attacks are actions performed by an agent to harm an asset that exploit topology structure and relationships.
Security controls: depend on the location of assets and vulnerabilities
Vulnerabilities: capabilities offered by a physical/digital object that can be exploited by a malicious agent to harm an asset.
Taking into account the topology of an operational environment
can radically change the way we identify security concerns for engineering
secure systems.
Some security concerns, such as vulnerabilities, threats and attacks,
can also depend on the locations of human and software
agents, who can harm valuable assets placed in their vicinity.
Threats can arise from malicious agents, while attack vectors represent the possible sequences of actions that can be performed by an agent to harm an asset, depending on the topology structure and relationships.
Vulnerabilities can be considered as capabilities offered by a physical or digital object, which can be exploited to harm an asset. The current topology state can give an indication of when a vulnerability can be exploited, for example, if an agent is co-located with the vulnerable object and has the capability to exploit it.
The Ambient Calculus is a process algebra having a special
focus on mobility [6]. An ambient is an abstract entity that can
model different elements both in a physical space (e.g., agents
and locations) and in a digital space (e.g., programming scopes
and variables) [17]. Ambients reside in a hierarchy of locations
and form a tree structure that can be dynamically re-configured
when they exercise a set of capabilities (actions), such as
in, out, and open. In this work, a fragment of the Ambient
Calculus is considered where the communication primitives
and the open capability are neglected.
Labelled Transition System [9] (LTS) is a modelling formalism
used to describe systems and their evolution in terms
of states and transitions.
CTL is a branching time logic characterised by state and path formulae. State formulae are specified over a set of atomic propositions, while path formulae must be satisfied by at least one path or on all paths.