Threat Modeling as a Basis for Security Requirements (Paper)

2005 | D-Scholarship@Pitt (University of Pittsburgh) | Cited by 220
Information and Cyber Security | Advanced Malware Detection Techniques | Network Security and Intrusion Detection

Abstract

We routinely hear vendors claim that their systems are “secure.” However, without knowing what assumptions are made by the vendor, it is hard to justify such a claim. Prior to claiming the security of a system, it is important to identify the threats to the system in question. Enumerating the threats to a system helps system architects develop realistic and meaningful security requirements. In this paper, we investigate how threat modeling can be used as foundations for the specification of security requirements. Although numerous works have been published on threat modeling, there is a lack of integrated, systematic approach toward threat modeling for complex systems. We examine the differences between modeling software products and complex systems, and outline our approach for identifying threats of networked systems. We also present three case studies of threat modeling: Software-Defined Radio, a network traffic monitoring tool (VisFlowConnect), and a cluster security monitoring tool (NVisionCC).