中科院需求工程需求工程(第五讲)面向角色和意图的方法.ppt

* The necessary factors for the success of an attack are the attacker’s motivations, system vulnerabilities, and the attacker’s capabilities to carry out the attack. Thus, to counteract a hypothetical attack. We just need to seek measures that sufficiently negate any of these factors. Goal / Task Identification What does the actor want to achieve? How to achieve them? -- Goals, Softgoals, Tasks, and their relationships (means-ends, decomposition, contribution, and correlation) Dependency Identification How do actors relate to each other? – Social Dependencies 攻击者识别 Setting an Outer Trust Boundary Setting an inner Trust Boundary all actors between the two boundaries are assumed “guilty until proven innocent”. Outer boundary (e.g. Internet) Inner boundary (e.g. a department of organization) Trust Everyone Suspect Everyone Actors are assumed guilty until proven innocent Any one of the actors identified can be a potential attacker The attacker inherits the intention, capabilities and social relations of the corresponding legitimate actor External attackers can also be considered 攻击者分析 malicious goals legitimate resources and capabilities 恶意意图识别 What may motivate an actor to attack the system? Illicit usage of legitimate resources and capabilities to fulfill malicious goals 脆弱点分析 Depender is vulnerable to dependee. Vulnerability is transitive through dependency network. 攻击方式识别 What are the general types of attacks? 对抗方式识别 Attacker’s motivation + Capability + System vulnerability ? successful attack 获得支持安全性的功能需求 Use high efficient network Daily refresh [medical instruction] Auto-recover mechanism Transmit in encrypted format Require use authorization [information passing] User authentification mechanism 进一步的工作 从I*到形式化Tropos I*模型的正确性和有效性验证 I*模型重写为一种形式化的规格说明：Formal Tropos, Alloy 采用形式化的验证技术（模型验证、定理证明），验证特定的性质是否满足，比如： 最少特权 责任分离 形式化方法：提供 具有坚实精确数学基础的规格说明语言 多方面的自动分析平台 模型验证 一致性/完整性检查 模型模拟 测试数据生成 定理证明 …… 集成形式化方法的好处 辅助系统分析员抽取需求 通过展示： 不一致的理解、错误和丢失信息。 这些事情在非形式的方法中不是很明显 提高需求规格说明形