Merak: Asset Threat Analysis Tool
Merak is a web-based threat analysis tool that aims to estimate a software system’s asset threat landscape by leveraging external security data sources such as National Vulnerability Database, MITRE’s ATT&CK, and the Canadian Centre for Cyber Security Alerts and Advisories.
Merak helps system architects, developers, evaluators, and certifiers evaluate the adequacy of security requirements and design decisions associated with each asset of their system. Merak does this by leveraging external data sources and machine learning techniques such as Natural Language Processing to analyze the provided requirements and design specifications and identify potential threats that the asset could face based on various external security data sources such as the National Vulnerability Database. Merak visualizes the findings from its analysis to help practitioners improve their security requirements and design decisions as relevant in their operational context.
For example, if the asset under consideration is a server, and external vulnerability data shows that certain server links are vulnerable to man- in-the-middle attacks, a new security requirement could be added indicating that those links need to be encrypted, if this requirement does not already exist.
- Joe Samuel, Jason Jaskolka, and George O.M. Yee. Leveraging external data sources to enhance secure system design. In Proceedings of the 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge, RDAAPS 2021, pages 1–8, Hamilton, ON, Canada, 2021.
- Joe Samuel. A Data-Driven Approach to Evaluate the Security of System Designs. Master’s Thesis, Carleton University, Ottawa, ON, Canada, 2021.