{"id":1178,"date":"2021-10-29T11:39:10","date_gmt":"2021-10-29T15:39:10","guid":{"rendered":"https:\/\/carleton.ca\/cybersea\/?page_id=1178"},"modified":"2026-01-26T10:42:04","modified_gmt":"2026-01-26T15:42:04","slug":"merak","status":"publish","type":"page","link":"https:\/\/carleton.ca\/cybersea\/merak\/","title":{"rendered":"Merak: Asset Threat Analysis Tool"},"content":{"rendered":"\n
\n
\n\n
\n
\n
\n

\n Merak: Asset Threat Analysis Tool\n <\/h1>\n \n \n <\/header>\n\n <\/div>\n\n <\/div>\n\n <\/div>\n<\/section>\n\n

Merak: Asset Threat Analysis Tool<\/h2>\n\n\n\n

Merak<\/em> is a web-based threat analysis tool that aims to estimate a software system’s asset threat landscape by leveraging external security data sources such as National Vulnerability Database, MITRE’s ATT&CK, and the Canadian Centre for Cyber Security Alerts and Advisories.<\/p>\n\n\n\n

Merak helps system architects, developers, evaluators, and certifiers evaluate the adequacy of security requirements and design decisions associated with each asset of their system. Merak does this by leveraging external data sources and machine learning techniques such as Natural Language Processing to analyze the provided requirements and design specifications and identify potential threats that the asset could face based on various external security data sources such as the National Vulnerability Database. Merak visualizes the findings from its analysis to help practitioners improve their security requirements and design decisions as relevant in their operational context.<\/p>\n\n\n\n

For example, if the asset under consideration is a server, and external vulnerability data shows that certain server links are vulnerable to man- in-the-middle attacks, a new security requirement could be added indicating that those links need to be encrypted, if this requirement does not already exist.<\/p>\n\n\n\n

Related Publications<\/h3>\n\n\n\n