ChaosXploit: A Security Chaos Engineering framework based on Attack Trees

Palacios Chavarro, Sara

doi:https://doi.org/10.48713/10336_34710

Ítem

Acceso Abierto

ChaosXploit: A Security Chaos Engineering framework based on Attack Trees

Mostrar el registro sencillo de la publicación

dc.contributor.advisor	Díaz López, Daniel Orlando
dc.creator	Palacios Chavarro, Sara
dc.creator.degree	Profesional en Matemáticas Aplicadas y Ciencias de la Computación	es
dc.creator.degreeLevel	Pregrado
dc.creator.degreetype	Full time	es
dc.date.accessioned	2022-08-16T17:10:12Z
dc.date.available	2022-08-16T17:10:12Z
dc.date.created	2022-05-27
dc.description	Los incidentes de seguridad pueden tener varios orígenes. Sin embargo, muchas veces son causados por componentes que se supone que están correctamente configurados o desplegados. Es decir, los métodos tradicionales pueden no detectar esos supuestos de seguridad, y es necesario probar nuevas alternativas. La Ingeniería del Caos de la Seguridad (SCE) representa una nueva forma de detectar esos componentes que fallan para proteger los activos en escenarios de riesgo cibernético. Para demostrar la aplicación de la SCE en la seguridad, este proyecto de grado presenta, en primer lugar, una introducción a los fundamentos de la Ingeniería del Caos (CE), ya que la SCE hereda sus principios y metodología. Para ello, se realiza un análisis de los Frameworks y herramientas propuestos para la implementación de la CE y se comprueba su funcionalidad con cuatro experimentos. En segundo lugar, este proyecto de grado propone ChaosXploit, un framework de ingeniería del caos de la seguridad basado en árboles de ataque, que aprovecha la metodología de CE junto con una base de datos de conocimiento compuesta por árboles de ataque para detectar y explotar vulnerabilidades en diferentes objetivos como parte de un ejercicio de seguridad ofensiva. Una vez detallados los componentes teóricos y conceptuales de SCE y explicada la propuesta de ChaosXploit, se realiza un conjunto de experimentos para validar la viabilidad de ChaosXploit y así validar la seguridad de los servicios gestionados en la nube, es decir, los buckets de Amazon, que pueden ser propensos a la desconfiguración.	es
dc.description.abstract	Security incidents may have several origins. However, many times they are caused due to components that are supposed to be correctly configured or deployed. That is, traditional methods may not detect those security assumptions, and new alternatives need to be tried. Security Chaos Engineering (SCE) represents a new way to detect such failing components in order to protect assets under cyber risk scenarios. To demonstrate the application of SCE in security, this degree project presents, in the first place, an introduction to the fundamentals of Chaos Engineering (CE) as SCE inherits its principles and methodology. This is done to understand its application in engineering, a series of analyses of the proposed frameworks and tools for the implementation of CE is provided, and its functionality is tested with four experiments. In the second place, this degree project proposes ChaosXploit, a security chaos engineering framework based on attack trees, which leverages the CE methodology along with a knowledge database composed of attack trees to detect and exploit vulnerabilities in different targets as part of an offensive security exercise. Once the theoretical and conceptual components of SCE are detailed and the proposal for ChaosXploit is explained, a set of experiments are conducted to validate the feasibility of ChaosXploit to validate the security of cloud managed services, i.e. Amazon buckets, which may be prone to misconfigurations.	es
dc.format.extent	42 pp	es
dc.format.mimetype	application/pdf	es
dc.identifier.doi	https://doi.org/10.48713/10336_34710
dc.identifier.uri	https://repository.urosario.edu.co/handle/10336/34710
dc.language.iso	eng	es
dc.publisher	Universidad del Rosario
dc.publisher.department	Escuela de Ingeniería, Ciencia y Tecnología
dc.publisher.program	Programa de Matemáticas Aplicadas y Ciencias de la Computación - MACC
dc.rights	Atribución-NoComercial-SinDerivadas 2.5 Colombia	*
dc.rights.accesRights	info:eu-repo/semantics/openAccess	es
dc.rights.acceso	Abierto (Texto Completo)	es
dc.rights.uri	http://creativecommons.org/licenses/by-nc-nd/2.5/co/	*
dc.source.bibliographicCitation	Beyer, Betsy; Jones, Chris; Petoff, Jennifer; Murphy, Niall Richard (2016) Site Reliability Engineering: How Google Runs Production Systems. : O'Reilly Media, Inc.; 9781491929124;
dc.source.bibliographicCitation	Basiri, Ali; Hochstein, Lorin; Jones, Nora; Tucker, Haley (2019) Automating chaos experiments in production. En: CoRR. Vol. abs/1905.04648; Disponible en: http://arxiv.org/abs/1905.04648.
dc.source.bibliographicCitation	Lafeldt, Mathias; Yu, Gu; Principles of chaos engineering. Disponible en: https://principlesofchaos.org/.
dc.source.bibliographicCitation	Pawlikowski, M (2021) Chaos Engineering: Site reliability through controlled disruption. : Manning; 9781617297755;
dc.source.bibliographicCitation	Díaz-López, Daniel; Blanco Uribe, María; Santiago Cely, Claudia; Tarquino Murgueitio, Daniel; Garcia Garcia, Edwin; Nespoli, Pantaleone; Gómez Mármol, Félix (2018) Developing Secure IoT Services: A Security-Oriented Review of IoT. En: Symmetry. Vol. 10; No. 12; 2073-8994; Disponible en: https://www.mdpi.com/2073-8994/10/12/669; http://dx.doi.org/10.3390/sym10120669. Disponible en: 10.3390/sym10120669.
dc.source.bibliographicCitation	Díaz-López, Daniel; Dólera Tormo, Ginés; Gómez Mármol, Félix; Alcaraz Calero, Jose M; Martínez Pérez, Gregorio (2014) Live digital, remember digital: State of the art and research challenges. En: Computers & Electrical Engineering. Vol. 40; No. 1; pp. 109-120 0045-7906; Disponible en: https://www.sciencedirect.com/science/article/pii/S0045790613002905; http://dx.doi.org/10.1016/j.compeleceng.2013.11.008. Disponible en: 10.1016/j.compeleceng.2013.11.008.
dc.source.bibliographicCitation	Torkura, Kennedy A; Sukmana, Muhammad I H; Cheng, Feng; Meinel, Christoph (2020) CloudStrike: Chaos Engineering for Security and Resiliency in Cloud. En: IEEE Access. Vol. 8; pp. 123044-123060 2169-3536; Disponible en: http://dx.doi.org/10.1109/ACCESS.2020.3007338. Disponible en: 10.1109/ACCESS.2020.3007338.
dc.source.bibliographicCitation	Rosenthal, C; Jones, N (2020) Chaos Engineering: System Resiliency in Practice. : O'Reilly Media; 9781492043867;
dc.source.bibliographicCitation	Basiri, Ali; Behnam, Niosha; de Rooij, Ruud; Hochstein, Lorin; Kosewski, Luke; Reynolds, Justin; Rosenthal, Casey (2016) Chaos Engineering. En: IEEE Software. Vol. 33; No. 3; pp. 35-41 Disponible en: http://dx.doi.org/10.1109/MS.2016.60. Disponible en: 10.1109/MS.2016.60.
dc.source.bibliographicCitation	Camacho, Carlos; Cañizares, Pablo C; Llana, Luis; Núñez, Alberto (2022) Chaos as a Software Product Line—A platform for improving open. En: Software. pp. 1-34 1097-024X; Disponible en: http://dx.doi.org/10.1002/spe.3076. Disponible en: 10.1002/spe.3076.
dc.source.bibliographicCitation	Simonsson, Jesper; Zhang, Long; Morin, Brice; Baudry, Benoit; Monperrus, Martin (2021) Observability and chaos engineering on system calls for containerized. En: Future Generation Computer Systems. Vol. 122; pp. 117-129 : Elsevier B.V.; 0167-739X; Disponible en: https://doi.org/10.1016/j.future.2021.04.001; http://dx.doi.org/10.1016/j.future.2021.04.001; http://arxiv.org/abs/1907.13039. Disponible en: 10.1016/j.future.2021.04.001.
dc.source.bibliographicCitation	Zhang, Long; Morin, Brice; Haller, Philipp; Baudry, Benoit; Monperrus, Martin (2018) A Chaos Engineering System for Live Analysis and Falsification of. En: IEEE Transactions on Software Engineering. Vol. 47; No. 11; pp. 2534-2548 : IEEE; 1939-3520; Disponible en: http://dx.doi.org/10.1109/TSE.2019.2954871; http://arxiv.org/abs/1805.05246. Disponible en: 10.1109/TSE.2019.2954871.
dc.source.bibliographicCitation	Zhang, Long; Morin, Brice; Baudry, Benoit; Monperrus, Martin (2021) Maximizing Error Injection Realism for Chaos Engineering with System Calls. En: IEEE Transactions on Dependable and Secure Computing. pp. 1-1 : Institute of Electrical and Electronics Engineers (IEEE); Disponible en: https://doi.org/10.1109%2Ftdsc.2021.3069715; http://dx.doi.org/10.1109/tdsc.2021.3069715. Disponible en: 10.1109/tdsc.2021.3069715.
dc.source.bibliographicCitation	Rinehart, Aaron; Shortridge, Kelly; O'Reilly Media, Incorporated (2020) Security Chaos Engineering Gaining Confidence in Resilience and Safety at.
dc.source.bibliographicCitation	Torkura, Kennedy A; Sukmana, Muhammad I H; Cheng, Feng; Meinel, Christoph (2019) Security Chaos Engineering for Cloud Services: Work in Progress. En: 2019 IEEE 18th International Symposium on Network Computing and.: Institute of Electrical and Electronics Engineers Inc.; Disponible en: http://dx.doi.org/10.1109/NCA.2019.8935046. Disponible en: 10.1109/NCA.2019.8935046.
dc.source.bibliographicCitation	Torkura, K A; Sukmana, Muhammad; Cheng, Feng; Meinel, Christoph (2021) Continuous auditing and threat detection in multi-cloud infrastructure. En: Computers and Security. Vol. 102; pp. 102124 : Elsevier Ltd; 0167-4048; Disponible en: https://doi.org/10.1016/j.cose.2020.102124; http://dx.doi.org/10.1016/j.cose.2020.102124. Disponible en: 10.1016/j.cose.2020.102124.
dc.source.bibliographicCitation	Sharieh, Salah; Ferworn, Alexander (2021) Securing APIs and Chaos Engineering. En: 2021 IEEE Conference on Communications and Network Security (CNS). pp. 290-294 Disponible en: http://dx.doi.org/10.1109/CNS53000.2021.9705049. Disponible en: 10.1109/CNS53000.2021.9705049.
dc.source.bibliographicCitation	Blog, Netflix Technology; Netflix Chaos Monkey Upgraded. Disponible en: https://netflixtechblog.com/netflix-chaos-monkey-upgraded-1d679429be5d.
dc.source.bibliographicCitation	Blog, Netflix Technology; The Netflix Simian Army. Disponible en: https://netflixtechblog.com/the-netflix-simian-army-16e57fbab116.
dc.source.bibliographicCitation	Buttow, Tammy; Chaos Engineering: the history, principles, and practice. Disponible en: https://www.gremlin.com/community/tutorials/chaos-engineering-the-history-principles-and-practice/.
dc.source.bibliographicCitation	Rapid7, (2021) 2021 Cloud Misconfiguration Report.
dc.source.bibliographicCitation	Martínez Martínez, Isabella; Florián Quitián, Andrés; Díaz-López, Daniel; Nespoli, Pantaleone; Gómez Mármol, Félix (2021) MalSEIRS: Forecasting Malware Spread Based on Compartmental Models in. En: Complexity. Vol. 2021; Hindawi;
dc.source.bibliographicCitation	Nespoli, Pantaleone; Díaz-López, Daniel; Gómez Mármol, Félix (2021) Cyberprotection in IoT environments: A dynamic rule-based solution to. En: Journal of Information Security and Applications. Vol. 60; pp. 102878 2214-2126; Disponible en: https://www.sciencedirect.com/science/article/pii/S2214212621001058; http://dx.doi.org/10.1016/j.jisa.2021.102878. Disponible en: 10.1016/j.jisa.2021.102878.
dc.source.bibliographicCitation	Owasp,; OWASP org. Disponible en: https://owasp.org/.
dc.source.bibliographicCitation	Owasp,; OWASP top ten. Disponible en: https://owasp.org/www-project-top-ten/.
dc.source.bibliographicCitation	Butow, Tammy; Gremlin Certified Chaos Engineering Practiotioner.
dc.source.bibliographicCitation	Butow, Tammy; Gremlin Certified Chaos Engineering Professional.
dc.source.bibliographicCitation	Adkins, H; Beyer, B; Blankinship, P; Oprea, A; Lewandowski, P; Stubblefield, A (2020) Building Secure and Reliable Systems: Best Practices for Designing,. : O'Reilly Media; 9781492083122;
dc.source.bibliographicCitation	Kamal, Alya Hannah Ahmad; Yen, Caryn Chuah Yi; Hui, Gan Jia; Ling, Pang Sze; Fatima-tuz-Zahra, (2020) Risk Assessment, Threat Modeling and Security Testing in SDLC. En: arXiv [cs.SE]. Disponible en: http://arxiv.org/abs/2012.07226.
dc.source.bibliographicCitation	Miles, R (2019) Chaos Engineering Observability. : O'Reilly Media, Incorporated; 9781492051039;
dc.source.bibliographicCitation	Roa, Yury Niño (2022) Chaos Engineering and Observability with Visual Metaphors. : InfoQ; Disponible en: https://www.infoq.com/articles/chaos-engineering-observability-visual-metaphors/?utm_campaign=infoq_content&utm_source=twitter&utm_medium=feed&utm_term=culture-methods.
dc.source.bibliographicCitation	Mateo Tudela, Francesc; Bermejo Higuera, Juan-Ramón; Bermejo Higuera, Javier; Sicilia Montalvo, Juan-Antonio; Argyros, Michael I (2020) On Combining Static, Dynamic and Interactive Analysis Security Testing. En: Applied Sciences. Vol. 10; No. 24; 2076-3417;
dc.source.instname	instname:Universidad del Rosario
dc.source.reponame	reponame:Repositorio Institucional EdocUR
dc.subject	Vulnerabilidades	es
dc.subject	Servicios manejados en la nube	es
dc.subject	Caos de la seguridad	es
dc.subject	Árboles de ataque	es
dc.subject.ddc	Matemáticas	es
dc.subject.ddc	Programación, programas, datos de computación	es
dc.subject.keyword	Security Chaos Engineering	es
dc.subject.keyword	Attack Trees	es
dc.subject.keyword	Cloud managed services	es
dc.subject.keyword	Vulnerabilities	es
dc.title	ChaosXploit: A Security Chaos Engineering framework based on Attack Trees	es
dc.title.TranslatedTitle	ChaosXploit: Un Framework de Ingeniería del Caos de la Seguridad basado en árboles de ataque	es
dc.type	bachelorThesis	es
dc.type.document	Trabajo de grado	es
dc.type.hasVersion	info:eu-repo/semantics/acceptedVersion
dc.type.spa	Trabajo de grado	es