Abstract
Software is behind the technological solutions that deliver many services to our society, which means that software security should no longer be considered a desirable feature but a necessity. Protecting software is an endless labor that includes improving security controls and also understanding the sources that induce incidents, which in many cases are due to bad implementation of controls or bad assumptions about them. As traditional methods may not be efficient in detecting those security assumptions, novel alternatives must be attempted. In this sense, Security Chaos Engineering (SCE) is an innovative methodology based on the definition of a steady state, a hypothesis, experiments, and metrics, which make it possible to identify failing components and ultimately protect assets under cyber risk scenarios. As an extension of previous work, this paper presents ChaosXploit, an SCE-powered framework that employs a knowledge database, composed of attack trees, to expose vulnerabilities that exist in a software solution that has been previously defined as a target. ChaosXploit may be used as part of a defensive security strategy to detect and correct software misconfigurations at an early stage. Finally, different experiments are described and executed to validate the feasibility of ChaosXploit in terms of auditing the security of cloud-managed services, i.e., Amazon buckets, which may be prone to misconfigurations and, consequently, targeted by potential cyberattacks.
Subject
Artificial Intelligence, Computer Science Applications, Information Systems, Management Information Systems
Cited by
3 articles.
1. Managing Cybersecurity Threats and Increasing Organizational Resilience;Big Data and Cognitive Computing;2023-11-22
2. Research on Distributed Database Stability Testing Platform based on Chaos Engineering;2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom);2023-11-01
3. Securing cloud-based military systems with Security Chaos Engineering and Artificial Intelligence;Proceedings of the 18th International Conference on Availability, Reliability and Security;2023-08-29