XA4AS: Adaptive Security for Multi-Stage Attacks

Elias Seid, Oliver Popov and Fredrik Blix

Department of Computer and Systems Sciences, Stockholm University, Sweden

Keywords:

Security Engineering, Control Theory, Adaptive Systems, Security Solution, Multiple Failure,

Cyber-Physical Systems.

Abstract:

Identifying potential system threats that define security requirements is vital to designing secure cyber systems.

Furthermore, the high frequency of attacks poses an enormous obstacle in analysing cyber-physical systems

by the NIS directive of the European Union and Swedish government agencies. The proposed solution is the

Adaptive security framework, which aims to simplify the development of analytical models for implementing

model predictive control and adaptive security solutions in the field of CPS. This study analyses security

attacks and corresponding security measures for Swedish government agencies and organisations under the

European Union’s NIS mandate. A thorough analysis of adaptive security was conducted on 254 security

incident reports provided by vital service providers. As a result, an overall total of five security measures were

identified.

1 INTRODUCTION

The confluence of digital technology has led to sub-

stantial tangible consequences arising from mishaps

ital assets. The immediate effect is comparable to

classifiers that evaluate the operational and informa-

tional consequences (Pursiainen, C. et al., 2018). The

indirect impact refers to the consequences of an event

that takes place outside of the digital domain (Van den

Berg et al., 2022). Furthermore, the investigation un-

dertaken in citation (Wang, E.K. et al., 2010) evalu-

ated both the primary and secondary consequences of

cyber incidents.

The organisation, stakeholders, government, and

quences (Uzunov, A.V. et al 2012). The main sec-

ments employ anticipated financial and economic

damages to evaluate the probability and consequences

of certain situations. The commercial and financial

consequences are major when a loss of competitive

advantage occurs as a result of the disclosure of sen-

sitive information or a disruption. A comprehensive

investigation was carried out to determine the typi-

cal expenses associated with cyber incidents across

several industry sectors, with a specific emphasis on

identifying the most severe categories. Financial loss

Healthcare, government, and financial services soft-

ware systems are often CPS (Griffor et al., 2017;

Boyes, 2018). Smart things have diverse, dynamic,

and flexible sensor networks. These networks have

distributed intelligent devices that can be easily at-

284

Seid, E., Popov, O. and Blix, F.

XA4AS: Adaptive Security for Multi-Stage Attacks.

DOI: 10.5220/0012707400003705

Paper published under CC license (CC BY-NC-ND 4.0)

In the last ten years, different sectors in society

have undergone a rapid process of digitalization. A

notable trend is the transfer of vital information re-

sources and organisational procedures from physi-

cal to digital platforms. The introduction of inno-

vative socio-technical solutions has resulted in sev-

eral benefits by dramatically enhancing operational

efficiency in both corporate and governmental organ-

isations, thus transforming the way information and

processes are managed. Nevertheless, technology

CPS security breaches have cost large corpora-

tions millions of dollars in monetary losses. Fur-

thermore, these expenses are rising (Ponemon et al.,

2015). The complexity of CPS, including people, pro-

cedures, technology, and infrastructure, contributes to

the occurrence of breaches. The inclusion of diverse

components in a system might increase security con-

cerns and attack potential, unlike homogenous soft-

ware systems. Breach causes include trusted insiders,

malware, SQL injections, compromised devices, and

complex than for software systems, as it involves

considering both individual components (e.g., sens-

ing, communication, processing) and their interac-

tion with the physical environment (Banerjee,2012).

Adversaries can target vulnerable and risky CPS ele-

ments. This is because components like sensors op-

erate in an unprotected environment without adequate

security measures. Not considering various attacks

during CPS design can make them vulnerable to ex-

ploitation. This phenomena is due to the low risks

and employ CPS are required to operate in dynamic

environments and effectively accomplish many objec-

configuration is executed. Nevertheless, devising a

strategy to alleviate the consequences of alterations

presents a major challenge (K. Angelopoulos et al.,

2014). The main challenge arises from the undesired

interference of multiple parameters in the configura-

tion space, each with its own distinct objectives. The

execution of the adaptation process may potentially

lead to the restoration of security goal satisfaction.

However, it also bears the risk of failure or exacer-

bation of security objectives.

Agency of Cybersecurity (ENISA) has determined

that publicly reported incidents only account for a

small portion of the overall total. This suggests that

a considerable number of incidents go unnoticed or

unreported. The lack of research dedicated to study-

ing the nature and impact of attacks targeting impor-

tant service providers might be seen as harmful from

multiple perspectives. As stated by sources [9,18], it

has been suggested that this pattern could potentially

affect the ability of businesses to accurately evaluate

inal acts (Caldarulo, M et al., 2022;Agrafiotis et al.,

2018 ). The objective of this study is to look into the

following research question (RQ).

RQ1. How can adaptive security solutions be inte-

grated into into current critical infrastructure

systems to enhance the overall cybersecurity

posture?

The remaining parts of this paper are organised as

follows. Section 2 establishes the theoretical founda-

tion of our research, whereas Section 3 introduces the

Digitalization linked physical and digital domains,

speeding up and connecting society. Technology has

heightened social instability, uncertainty, complex-

ity, and ambiguity (Urbach, 2019). Due to its com-

plexity, modern society has become a risk society

requiring advanced risk management (Kaiya, 2014).

Beck suggests that digitization and globalisation may

have led to transboundary disasters, impacting emer-

gency response (Boin, A, 2019). Disasters can im-

technical advancements, such as reliance on diverse

systems and software, and complicated supply net-

works, have led to increased occurrences (Kaiya, H,

A, 2014). Modern civilization must adapt to lessen

transboundary crisis risks due to infrastructure inter-

ruptions (Boin, 2019).

286

cording to the behaviour of the system. This allows

the controller to overcome inherent inaccuracies aris-

ing from dynamics that are not accounted for in model

(2), as well as unknown disturbances affecting the

system.

(MPC) is a control technique that employs an opti-

misation problem to determine a set of control param-

eters (actuators), denoted as u(·), in order to achieve

a desired set of goals, denoted as y◦(·), for a set of

indicators, denoted as y(·), over a prediction hori-

As a result, a derived solution refers to a planned

arrangement of forthcoming control parameter values

+ 1, .......U

+ H − 1 across the anticipated

time horizon. Effective planning is particularly cru-

cial in situations where there is a delay in the occur-

first computed value u

to the system, u(t)=u

. Cre-

ating perfect models for real-world systems is impos-

sible due to their dynamic behaviour. Therefore, plan

is created based on the updated measured values of

indicators to overcome this obstacle. This accounts

for modelling uncertainties and unanticipated system

behaviours (2). The model has been incorporated into

our framework for adaptive security strategies and is

integrated within our architecture, as detailed in the

subsequent section.

for highly complex systems such as CPS, charac-

terised by numerous complicated and diverse states,

presents a significant challenge (Cailliau and van

Lamsweerde et al., 2017). In order to comprehend

how attackers achieve their objectives by compromis-

ing security concerns such as confidentiality, integrity,

availability, and accountability, it is necessary to anal-

yse the behaviour of the threat environment within

the system and how adversaries can exploit vulner-

abilities. Once the design phase has been finalised

found in (Seid,E et al., 2024)

CRITICAL SERVICE

various Swedish government departments and organ-

isations, in accordance with the standards outlined

in the European Union’s NIS-directive. In Sweden

and other countries, organisations have the option to

retain information. The Swedish legislation govern-

ing public access to information and confidentiality,

namely the Public Access to Information and Secrecy

Act (SFS 2009:400) and the Protective Security Act

(SFS 2018:585), imposes restrictions on the sharing

of information within public administration, includ-

data used as the data source were not explicitly gath-

ered for the aim of this study. This constraint restricts

Figure 1: XA4AS.

the analysis. The conclusions that can be drawn rely

on the attributes and excellence of the data acquired

from the specific structure of MSB’s IT-incident re-

ports. Another limitation includes the dependence on

recorded incidences as the foundation. To analyse the

cyber threat landscape, it is important to consider that

the findings drawn are heavily influenced by the re-

ful events. Rest were removed from the dataset. The

IT-incident reports were categorised by vulnerability,

attack mechanism, security events, and attack target

in the second stage, and the results were quantified.

Incidents lacking sufficient information for classifi-

cation were classed as unknown. The third stage of

data treatment involves summarising quantities within

each category for frequency comparison. From April

2019 until 2023, (MSB) received 1332 IT-incident re-

ports from major service providers. Only 256 reports

failures, natural events, and unknown variables. Ad-

ditionally, cyberattack frequency has remained steady

from April 2019 to 2023. The period from 1 April

2019 to 2020 had a significant rise in reported cyber-

attacks, totaling 73 occurrences. Between 2022 and

2023, 67 cyberattacks were documented. From 2020

to 2021, cyberattacks increased significantly, with 61

documented cases. From April 2021 to 2022, cyber

5 SECURITY ATTACK ANALYSIS

USING ASFALIA FRAMEWORK

This section presents an analysis of security attacks

for critical service providers using the Asfalia frame-

work. The framework facilitates the monitoring of se-

curity breach incidents and encompasses all three do-

mains of a Cyber-Physical System (CPS).Moreover,

the framework facilitates evaluation and monitoring

of many domains, allowing for the detection of se-

withheld).

Attack patterns are classified into two distinct cat-

egories: The initial classification of cyberattack is

domain-based, wherein specific domains or networks

are targeted. The second category is mechanism-

288

category, whereas ’collect and analyse’ falls into the

mechanism-based attack category. A total of 18 cyber

security incidents have been categorised as cyber at-

tacks, depending on the manner of attack, while seven

of them have been categorised as domain-based cyber

attacks. The reports were classified into two main cat-

egories related to cybersecurity and cyberattacks. A

study was conducted on five major cyber incidents to

analyse the tendencies of cyber security attacks. The

occurrences were identified and categorised based on

tacking mechanism based on the threat explored in

VM model as shown in Figure 5. However, threats

Specifically, our focus is directed towards events that

can be directly perceived or witnessed. Security

scripting, (2) exploit systems susceptible to the at-

tack, (3) find the insertion point for the payload, and

(4) craft and inject the payload. Tasks: (1) Lever-

age knowledge of common local zone functionality,

(2) find weakness in the functionality used by both

privileged and unprivileged users, (3) make the mali-

ciously vulnerable functionality to be used by the vic-

disabled, E4: weakness found, E5: weakness failed,

E6: victim-injected payload, and E7: payload in-

jected.

record all links visited, (3) use a browser to manu-

ally explore and analyse the website, (4) use a list of

XSS probe strings to inject in the parameter of known

URLs; (5) use a proxy tool to record the results of

the manual input of XSS probes in known URls, (6)

develop malicious JavaScript that is injected through

vectors and send information to the attacker, (7) de-

velop malicious JavaScript that is injected through

vectors and take and cause the browser to execute

it, (8) develop malicious JavaScript that is injected

through vectors, and (10) cause the browser to execute

visited links recorded, E4: known URLs injected, E5:

results of manual input of XSS probes recorded: E6:

E8: invalid information exposed to the user.

Our methodology originates by extracting diverse se-

in the target situation, is denoted as (T3#DA2). This

annotation indicates the consecutive execution of two

In this situation, the initial EvoSm operation is

started, leading to a change in the reference objec-

tive from 80% to 70%, as can be seen in Table 4. The

second EvoSm operation is triggered when there is a

80% and from 80% to 60%, respectively.If ASm4

and ASm5 encounter a failure lasting more than three

days, the reference security aim will be temporarily

loosened for a period of one week.

If goal G1 fails more than three times per week

in the context of ASm6, the restriction is continually

adjusted to four times per week. If ASm4 encounters

a failure lasting more than three consecutive days, the

adaptation mechanism will then ignore it for a period

of three days. The Analytic Hierarchy Process (AHP)

mine a state of balance for each aim, devoting more

resources towards achieving the goals that are more

important. The weights of the control parameters are

tweaking. The values of matrix P in the cost function

represent weights.

Our security analysis for XSS throught HTTP,

DDoS, has found that Disable scripting languages

such as JavaScript in browser is a more cost-effective

The remaining security goals to be identified per-

tain to the adaptive security mechanism (ADSM). The

attainment of these objectives imposes constraints on

the process of adaptation itself. Model Predictive

Control (MPC) uses an Adaptive Horizon Determina-

tion Strategy (ADSM) to establish the receding hori-

zon of the controller. This approach establishes the

specific time period towards which the adaptation

plan should be focused on in the future. The term

”ADSM” may also denote the degree to which con-

rameters, while also documenting the input and out-

put data. We employ Matlab and the System Iden-

tification toolkit to ascertain the analytical model of

the system. While it is not possible to simulate the

290

Table 2: EvoSm Operations.

Strengthen(ASm1,ASm1’ 80)

studied to determine cyber security attack trends. A

domain-specific attack recognised and categorised the

instances. From 254 reported instances, Asfalia de-

tected 7 vulnerabilities and 5 critical cyber security

events. Additionally, all five cyberattack targets were

successfully captured.

The framework also includes 24 attack mecha-

nisms, 32 tasks, 23 behavioural annotations, 10 do-

main assumptions, and 35 security events. According

to their behaviours, the experiment’s security issues

Our investigation shows that building the secu-

rity model bottom-up in the framework works. Based

on domain task specifications, differentiation occurs.

This identifies domain-specific attacks. We prioritise

cyber, physical infrastructure, and social aspects of

CPS for essential service providers in our models. We

also analysed attack model interconnectivity across

domains. The VM method detects domain-specific

vulnerabilities. Once vulnerabilities are found by

VM, attack (AM) uses them to identify an acceptable

This is because CPS lacks exclusive methods. Secu-

rity engineering approaches and MPC configuration

optimisation guidelines are our future study.

to environmental changes and create adaptable solu-

tions. The approach was assessed using 254 critical

service provider security incident reports. According

captures adversaries and vulnerabilities, then analy-

ses the attack’s target using a domain-specific tech-

nique. The Attack Model (AM) is created by build-

ing a model based on the adversaries provided in the

VM. The behavioural model (BM) annotates system

behaviours of the VM and AM. EM events are derived

from behavioural models. The models above help the

XA4AS Security Evolution Manager and Adaptation

Manager. Our approach needs more case studies in

order to demonstrate its efficacy.

tive content analysis. Qual. Health Res. 2005, 15,

1277–1288

Papakonstantinou, V. Cybersecurity as praxis and as a state:

The EU law path towards acknowledgement of a new

right to cybersecurity? Comput. Law Secur. Rev.

2022, 44, 105653

Osei-Kyei, R.; Tam, V.; Ma, M.; Mashiri, F. Critical review

of the threats affecting the building of critical infras-

tructure resilience. Int. J. Disaster Risk Reduct. 2021,

60, 102316

propagate. J. Cybersecur. 2018, 4, tyy006

Kaiya, H.; Kono, S.; Ogata, S.; Okubo, T.; Yoshioka,

N.; Washizaki, H.; Kaijiri, K. Security requirements

analysis using knowledge in capec. In Advanced In-

formation Systems Engineering Workshops; Springer:

Berlin/Heidelberg, Germany, 2014; pp. 343–348.

Boin, A. The transboundary crisis: Why we are unprepared

and the road ahead. J. Contingencies Crisis Manag.

2019, 27, 94–99.

Harry, C.; Gallagher, N. Classifying cyber events. J. Inf.

trolling the Human Element of Security; John Wiley

& Sons: Hoboken, NJ, USA, 2011

Shevchenko, P.V.; Jang, J.; Malavasi, M.; Peters, G.W.;

Sofronov, G.; Tr

cyber-related events: Risk categories and business

sectors. J. Cyberse-Curity 2023, 9, tyac016

Simmons, C.; Ellis, C.; Shiva, S.; Dasgupta, D.;Wu, Q.

AVOIDIT: A Cyber Attack Taxonomy. In Proceedings

292