University of Twente Student Theses
Comparing Business Process Modelling and S-PDFA for modeling attacker strategies
Bojorge-Alvarez, J. (2025) Comparing Business Process Modelling and S-PDFA for modeling attacker strategies.
PDF | 2MB |
Abstract: | Security Operations Center (SOC) analysts constantly have to deal with attacks on their systems. Attack paths visualize how attackers move through a network and are used by analysts to gain more insight into attacker strategies. In current research approaches, attack graphs are created from known vulnerabilities and topology settings, which makes creating them time-consuming because this information has to be gathered beforehand. Creating attack graphs from alert data by hand would cost even more time, especially given the increasingly large amount of alert data that analysts have to sort through. To alleviate these issues, SAGE was created. SAGE is a program that automatically generates attack graphs from alert data alone, without the need for a priori knowledge: no knowledge about configurations is needed to run SAGE, only alert data. Currently, SAGE uses a Suffix-based Probabilistic Deterministic Finite Automaton (S-PDFA) model, which can semantically distinguish identical attack steps in different stages of an attack. However, the generated attack graphs can only show the adversary's steps sequentially, which limits how closely they can represent the actual attacker strategies. For example, when an attacker performs steps simultaneously (meaning that the order in which these steps happen does not matter), this parallel behaviour should be reflected in the final attack graphs. Business Process Modelling (BPM) is a popular way to transform business processes into models, and it can model this concurrent behaviour. In this research, we are the first to apply BPM to improve SAGE's automatic attack graph generation. We do this by comparing the S-PDFA, BPM, and S-PDFA + BPM model combinations to see which results in the best attack graphs. This comparison is based on a balance between how well the model represents the input data and the readability of the final attack graphs, quantified using the replay fitness and simplicity metrics, respectively. We found that a combination of S-PDFA and BPM performed best. However, more research needs to be done on the automatic modification of the resulting attack graphs to ensure the best simplicity score. |
Item Type: | Essay (Master) |
Clients: | KPMG, Netherlands |
Faculty: | EEMCS: Electrical Engineering, Mathematics and Computer Science |
Subject: | 54 computer science |
Programme: | Computer Science MSc (60300) |
Link to this item: | https://purl.utwente.nl/essays/106366 |