This page lists community usage of CAPEC by Industry, Government, Academia, Policy/Guidance, Reference, and Standards. A running count of the number of citations by category is also included.
Igor Kotenko and Andrey Chechulin. "A Cyber Attack Modeling and Impact Assessment Framework". 5th International Conference on Cyber Conflict IEEE. 2013-06. <https://ieeexplore.ieee.org/document/6568374>.
Christian Schmitt and Peter Liggesmeyer. "A Model for Structuring and Reusing Security Requirements Sources and Security Requirements". 21st International Conference on Requirements Engineering. 2015-03. <http://ceur-ws.org/Vol-1342/04-CRE.pdf>.
Chien-Cheng Huang, Feng-Yu Lin, Frank Yeong-Sung Lin and Yeali S. Sun. "A novel approach to evaluate software vulnerability prioritization". Issue 11. The Journal of Systems and Software. Vol.86. Department of Information Management, National Taiwan University. 2013. <https://dx.doi.org/10.1016/j.jss.2013.066.040>.
Ravneet Kaur Sidhu. "A Review of the Vulnerabilities of Web Applications". International Journal of Computer Science and Mobile Computing. 2013-09. <https://www.ijcsmc.com/docs/papers/September2013/V2I9201334.pdf>.
Maher Mohamed Gamal, Dr. Bahaa Hasan and Dr. Abdel Fatah Hegazy. "A Security Analysis Framework Powered by an Expert System". Book: 2011 Volume 4, Issue 6. International Journal of Computer Science and Security (IJCSS). Computer Science Journals. 2011-08-02. <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.227.7340&rep=rep1&type=pdf>.
Matthew L. Hale and Seth Hanson. "A Testbed and Process for Analyzing Attack Vectors and Vulnerabilities in Hybrid Mobile Apps Connected to Restful Web Services". 2015-09. 2015 IEEE World Congress on Services. 2015. <https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7196523>.
Mohammad Sirwan Geramiparvar and Nasser Modiri. "An Approach to Counteracting the Common Cyber-attacks According to the Metric-Based Model". International Journal of Computer Science and Network Security (IJCSNS). 2015-02. <https://pdfs.semanticscholar.org/ea06/ba248efc981658b494f64974b80b0fb24b4a.pdf>.
Sugandh Shah and B. M. Mehtre. "An overview of vulnerability assessment and penetration testing techniques". Issue 1. Journal of Computer Virology and Hacking Techniques. Volume 11. 2014-11. <https://rd.springer.com/article/10.1007/s11416-014-0231-x>.
Tong Li, Elda Paja, Kristian Beckers, Jennifer Horkoff and John Mylopoulos. "Analyzing Attack Strategies Through Anti-goal Refinement". Proceedings of The Practice of Enterprise Modeling: 8th IFIP WG 8.1. Working Conference, PoEM 2015. Springer. 2015-11. <https://books.google.com/books?id=kSfUCgAAQBAJ&pg=PA75>.
Jeffrey Smith, Basil Krikeles, David K. Wittenberg and Mikael Taveniku. "Applied Vulnerability Detection System". 2015 IEEE International Symposium on Technologies for Homeland Security (HST). XXXX-XX-XX. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7225296>.
Yiwen Zhu. "Attack pattern ontology: A common language for attack information sharing between organizations". PUBLICATION. TU Delft. 2015-08. <https://repository.tudelft.nl/islandora/object/uuid:611583f1-b200-4851-915e-76a43c42fd46>.
Yijun Yu, Virginia N.L. Franqueira, Thein Than Tun, Roel J. Wieringa and Bashar Nuseibeh. "Automated analysis of security requirements through risk-based argumentation". Journal of Systems and Software. Volume 106. 2015-08. <http://www.sciencedirect.com/science/article/pii/S0164121215000850>.
Maxime Frydman, Guifré Ruiz, Elisa Heymann and Barton P. Miller. "Automating Risk Analysis of Software Design Models". The Scientific World Journal 2014. 2014-06. <https://www.hindawi.com/journals/tswj/2014/805856/>.
Guifre Ruiz, Elisa Heymann, Eduardo Cesar and Barton P. Miller. "Automating Threat Modeling through the Software Development Life-Cycle". Jornadas Sarteco. 2012-09. <https://research.cs.wisc.edu/mist/papers/Guifre-sep2012.pdf>.
A. Hazeyama, M. Saito, N. Yoshioka, A. Kumagai, T. Kobashi, H. Washizaki, H. Kaiya and T. Okubo. "Case Base for Secure Software Development Using Software Security Knowledge Base". IEEE 39th Annual Computer Software and Applications Conference (COMPSAC). Volume 3. 2015-07. <https://ieeexplore.ieee.org/document/7273334/>.
Alessandro Oltramari, Lorrie Faith Cranor, Robert J. Walls and Patrick McDaniel. "Computational ontology of network operations". Military Communications Conference - MILCOM 2015. 2015-10. <https://ieeexplore.ieee.org/document/7357462>.
John R. Vacca. "Computer and Information Security Handbook". Third. Morgan Kaufmann Publishers. 2017. <https://books.google.com/books?id=05HUDQAAQBAJ>.
Jesper Jurcenoks. "OWASP to WASC to CWE Mapping - Correlating Different Industry Taxonomy". Critical Watch. 2013-06. <https://www.scribd.com/document/320142562/Owasp-to-Wasc-Mapping>.
Cheshta Rani and Shivani Goel. "CSAAES: An expert system for cyber security attack awareness". International Conference on Computing, Communication and Automation (ICCCA2015). 2015. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7148381>.
Energy Sector Control Systems Working Group. "Cybersecurity Procurement Language for Energy Delivery Systems". DOE. 2014-04. <http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf>.
Dr. Mark Raugus, Dr. James Ulrich, Roberta Faux, Scott Finkelstein and Charlie Cabot. "A Cyber Security Model for value at Risk". Cyber Point International. 2013-01. <https://www.cyberpointllc.com/docs/CyberVaR.pdf>.
Per Hakon Meland. "Service Injection: A Threat to Self-managed Complex Systems". 2011 Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing. DOI 10.1109/DASC.2011.25. IEEE Computer Society. 2011-12-12. <https://ieeexplore.ieee.org/document/6118344>.
Patrick H. Engebretson and Joshua J. Pauli. "Leveraging Parent Mitigations and Threats for CAPEC-Driven Hierarchies". 2009 Sixth International Conference on Information Technology: New Generations. DOI 10.1109/ITNG.2009.24. IEEE Computer Society. 2009-04-27. <https://ieeexplore.ieee.org/document/5070641>.
Justin Hill. "From the Publisher". Crosstalk. The Journal of Defense Software Engineering. 2014 September/October. <http://www.crosstalkonline.org/storage/issue-archives/2014/201409/201409-Hill.pdf>.
Roberta Stempfley. "From the Sponsor". March/April 2014. Crosstalk: The Journal of Defense Software Engineering. Preface. <http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Stempfley.pdf>.
Tong Li, Elda Paja, John Mylopoulos, Jennifer Horkoff and Kristian Beckers. "Holistic security requirements analysis: An attacker's perspective". International Requirements Engineering Conference (RE). 2015. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7320439>.
Karen Mercedes Goertzel, Theodore Winograd, Holly Lynne McKinley, Lyndon Oh, Michael Colon, Thomas McGibbon, Elaine Fedchak and Robert Vienneau. "State-of-the-Art Report (SOAR)". Software Security Assurance. Information Assurance Technology Analysis Center (IATAC), Data and Analysis Center for Software (DACS). 2007-07-31. <https://apps.dtic.mil/dtic/tr/fulltext/u2/a472363.pdf>.
Ioannis Agrafiotis, Jason RC Nurse, Oliver Buckley, Phil Legg, Sadie Creese and Michael Goldsmith. "Identifying attack patterns for insider threat detection". Issue 7. Computer Fraud & Security. Volume 2015. XXX. 2015-07. <https://www.sciencedirect.com/science/article/pii/S136137231530066X>.
Jean-Louis Huynen, Vincent Koenig, Gabriele Lenzini and Ana Ferreira. "In Cyber-Space No One Can Hear You S·CREAM - A Root Cause Analysis for Socio-Technical Security". Springer International Publishing Switzerland. 2015. <http://rd.springer.com/content/pdf/10.1007/978-3-319-24858-5_16.pdf>.
Andreas Ekelhart, Bernhard Grill, Elmar Kiesling, Christine Strauss and Christian Stummer. "Integrating attacker behavior in IT security analysis: a discrete-event simulation approach". Issue 3. Information Technology and Management. Volume 16. Springer. 2015-06. <https://link.springer.com/article/10.1007/s10799-015-0232-6>.
Nicandro Scarabeo, Benjamin C.M. Fung and Rashid H. Khokhar. "Mining known attack patterns from security-related events". PeerJ Computer Science. 2015-10. <https://peerj.com/articles/cs-25.pdf>.
"Enterprise Engineering: Systems Engineering for Mission Assurance". Systems Engineering Guide. Cyber Threat Susceptibility Assessment. The MITRE Corporation. <http://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/cyber-threat-susceptibility-assessment>.
Morteza Ansarinia, Seyyed Amir Asghari, Afshin Souzani and Ahmadreza Ghaznavi. "Ontology-based modeling of DDoS attacks for attack plan detection". 2012 Sixth International Symposium on Telecommunications (IST). 2011-11. <https://ieeexplore.ieee.org/document/6483131>.
"OWASP Testing Guide v4". The Open Web Application Security Project (OWASP). 2014-09-17. <https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents>.
Ahmad Salahi and Morteza Ansarinia. "Predicting Network Attacks Using Ontology-Driven Inference". Computing Research Repository (CoRR). 2013. <https://arxiv.org/ftp/arxiv/papers/1304/1304.0913.pdf>.
Shaun Gilmore, Reeny Sondhi and Stacy Simpson. "Principles for Software Assurance Assessment". SAFECode. 2015. <http://www.safecode.org/publication/SAFECode_Principles_for_Software_Assurance_Assessment.pdf>.
Takahashi, T. and Kadobayashi, Y.. "Reference Ontology for Cybersecurity Operational Information". The Computer Journal. October 2014. <http://watermark.silverchair.com/bxu101.pdf?token=AQECAHi208BE49Ooan9kkhW_Ercy7Dm3ZL_9Cf3qfKAc485ysgAAAkkwggJFBgkqhkiG9w0BBwagggI2MIICMgIBADCCAisGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMPkmZYZVhxK4eE2JaAgEQgIIB_PTcZczWRlsh_Q3VqjnMVOZU66vD60O0vVrkm5f5_hmlL9kherkVsSXWFyZzksTXpgdf-hJja3W4lwFpK3-T1GsTOHvHbTvSk1FDKf3yZupfOqj1u2Od70WW_XNTXJInI8bq72Rc523gysmRHDbIb9zGVee1DQriJpJ5acTUfUfiWKhnNZeaRTF9bBNAJbjsdU4H6fGw5eRDpLVGEwP4kWT0L-9h0s2zRY1lC4A2zn8O5l_ReoaIGoMxGCl9jcbzxbjNI3P1wS8OIFB_VvHUx4dXwJEWMMf9hJCYFyW5tXGfkQpcQurqBCJKp8GqbFlAoiIaWjDRP8L-r_QorpwznZQAN4rlhTuG6kk5b9T5a2qzo5JoBU-v6QInw7C2HzATo5lvkOVbpY8joDWcVVjDCoaN4l6k0fAh-mMPqmHRvqf24KeOSjT5gx1_q_IYs8LbPZfMfTMQwUeia_NgqpD1ddQtlTEXST8Brbcxg6Vz80LlO-WZwXQJ33DuedK3Cs6zcIWMeu9dJo54mP6kjB88Dn8lhCgA-DV53vA3DJyDxwmzqkO_yk70-Exo7i5nL7qELgbj5DooiTtv2vNYc5JoZKhPYQvPDMYzZBZ-jlCgUBqIHO7AKq1Xn0g2ikIpzTA_ASB9XK41XjZc8WGe-MsMRzegy5TtAFQyL8zrkck>.
Zhao Xianghui, Peng Yong, Zhai Zan, Jin Yi and Yao Yuangang. "Research on Parallel Vulnerabilities Discovery Based on Open Source Database and Text Mining". 2015 International Conference on Intelligent Information Hiding and Multimedia Signal Processing. 2015-09. <https://ieeexplore.ieee.org/document/7415823>.
Johannes Viehmann and Frank Werner. "Risk Assessment and Security Testing of Large Scale Networked Systems with RACOMAT". Springer International Publishing Switzerland. 2015. <http://rd.springer.com/content/pdf/10.1007/978-3-319-26416-5_1.pdf>.
Touraj Khodadadi, Mojtaba Alizadeh, Somayyeh Gholizadeh, Mazdak Zamani and Mahdi Darvishi. "Security Analysis Method of Recognition-Based Graphical Password". No 5. Jurnal Teknologi. Vol 72. 2015. <http://www.jurnalteknologi.utm.my/index.php/jurnalteknologi/article/view/3941/2903>.
Panos Kampanakis. "Security Automation and Threat Information-Sharing Options". Volume:12, Issue:5. Security & Privacy, IEEE. pp. 42 - 51. IEEE Computer Society. 2014-September/October. <https://ieeexplore.ieee.org/document/6924671>.
Michael S. Curtis, Audian H. Paxson, Eva E. Bunker, Nelson W. Bunker and Kevin M. Mitchell. "Security countermeasure management platform". U.S. Patent Application 20140344940. Achilles Guard, Inc. D.B.A. Critical Watch. 2014-11-20. <http://www.freepatentsonline.com/y2014/0344940.html>.
Elisa Bertino, Lorenzo Martino, Federica Paci and Anna Squicciarini. "Security for Web Services and Service-Oriented Architectures". Springer. 2009. <http://books.google.com/books?id=RYBKAAAAQBAJ&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.
Andreas Ekelhart, Bernhard Grill, Elmar Kiesling, Christine Strauss and Christian Stummer. "Selecting security control portfolios: a multi-objective simulation-optimization approach". EURO Journal on Decision Processes. Springer-Verlag. 2016-04. <http://rd.springer.com/article/10.1007/s40070-016-0055-7>.
Haitao Du and Shanchieh Jay Yang. "Sequential Modeling for Obfuscated Network Attack Action Sequences". IEEE Conference on Communications and Network Security 2013. 2013-10. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6682742&tag=1>.
David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". IDA Paper P-5061. Defense Technical Information Center - Science & Technology (DTIC). Institute for Defense Analysis (IDA). July 2014. <https://apps.dtic.mil/dtic/tr/fulltext/u2/a607954.pdf>.
Igor Kotenko and Elena Doynikova. "The CAPEC based generator of attack scenarios for network security evaluation". 2015 IEEE 8th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). 2015-09. <http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7340774>.
Yan Wu, Irena Bojanova and Yaacov Yesha. "They Know Your Weaknesses – Do You? : Reintroducing Common Weakness Enumeration". Supply Chain Assurance. CrossTalk. September/October 2015. <http://static1.1.sqspcdn.com/static/f/702523/26523304/1441780301827/201509-Wu.pdf>.
Adam Shostack. "Threat Modeling: Designing for Security". Wiley. 2014-02. <https://threatmodelingbook.com/>.
"CWE the VOTE". SpiderLabs Blog. Trustwave. 2012-11-06. <https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cwe-the-vote/>.
Fredrik Seehusen. "Using CAPEC for Risk-Based Security Testing". Springer International Publishing Switzerland. 2015. <http://rd.springer.com/content/pdf/10.1007/978-3-319-26416-5_6.pdf>.
Brandon Bailey. "A Proven Methodology for Developing Secure Software and Applying It to Ground Systems". NASA Goddard Space Flight Center. 2016-02. <https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20160003695.pdf>.
This document was created by the CERT capability team at ENISA in consultation with CERT Polska / NASK (Poland). "Actionable information for Security Incident Response". European Union Agency for Network and Information Security. November 2014. <https://www.enisa.europa.eu/activities/cert/support/actionable-information/actionable-information-for-security/at_download/fullReport>.
Brandon Bailey. "Addressing Software Security". NASA Goddard Space Flight Center. 2015-11. <http://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20150023414.pdf>.
Maurico Papa and Sujeet Shenoi. "Critical Infrastructure Protection II". IFIP WG 11.10 Series in Critical Infrastructure Protection. Springer. 2013. <http://books.google.com/books?id=Dbw330LIaMkC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.
"Chief Information Officer Federal Information Security Management Act Reporting Metrics". FY 2012. US Department of Homeland Security National Cyber Security Division Federal Network Security. 2012-02-14. <https://www.dhs.gov/xlibrary/assets/nppd/ciofismametricsfinal.pdf>.
"Chief Information Officer Federal Information Security Management Act Reporting Metrics". FY 2014. US Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience. 2014-01-29. <https://www.dhs.gov/sites/default/files/publications/FY14%20CIO%20Annual%20FISMA%20Metrics_0_0.pdf>.
Laura P. Taylor. "FISMA Compliance Handbook". Second Edition. Syngress. 2013. <http://books.google.com/books?id=_2SV_0aGtPEC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.
Alessandro Oltramari, Noam Ben-Asher, Lorrie Cranor, Lujo Bauer and Nicolas Christin. "General Requirements of a Hybrid-Modeling Framework for Cyber Security". Military Communications Conference (MILCOM). pp. 129 - 135. IEEE. 2014-10-06. <https://ieeexplore.ieee.org/document/6956749?arnumber=6956749&tag=1>.
Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics. "Program Protection Plan Outline & Guidance". Version 1.0. Deputy Assistant Secretary of Defense Systems Engineering. 2011-07-18. <http://www.acq.osd.mil/se/docs/PPP-Outline-and-Guidance-v1-July2011.docx>.
Office of Assistant Secretary of Defense for Research and Engineering. "Defense Acquisition Guidebook - Your Acquisition Policy and Discretionary Best Practice Guide". PPP Software Assurance Chapter. DAU Information Systems Service Center (ISSC). 2013-09-17. <https://acc.dau.mil/dag13.7.3>.
Michael Ogata, Barbara Guttman and Nelson Hastings. "Public Safety Mobile Application Security Requirements Workshop Summary". National Institute of Standards and Technology Internal Report 8018 (NISTIR). 8018. National Institute of Standards and Technology (NIST). 2015-01. <https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8018.pdf>.
Paul R. Popick and Melinda Reed. "Requirements Challenges in Addressing Malicious Supply Chain Threats". Vol. 16, Issue 2. INCOSE INSIGHT. International Council on Systems Engineering (INCOSE). 2013-07. <http://www.acq.osd.mil/se/docs/ReqChallengesSCThreats-Reed-INCOSE-Vol16-Is2.pdf>.
Deputy Assistant Secretary of Defense for Systems Engineering and Department of Defense Chief Information Officer. "Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals". DoD. 2014-01. <http://www.acq.osd.mil/se/docs/SSE-Language-for-TSN-in-DoD-RFPs.pdf>.
This document was created by the CERT capability team at ENISA in consultation with CERT Polska / NASK (Poland). "Standards and Tools for Exchange and Processing of Actionable Information Inventory". European Union Agency for Network and Information Security. November 2014. <https://www.enisa.europa.eu/activities/cert/support/actionable-information/standards-and-tools-for-exchange-and-processing-of-actionable-information/at_download/fullReport>.
Jon Boyens, Celia Paulsen, Rama Moorthy and Nadya Bartol. "Supply Chain Risk Management Practices for Federal Information Systems and Organizations". NIST Special Publication (SP). 800-161. National Institute of Standards and Technology (NIST). 2015-04. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf>.
Deputy Assistant Secretary of Defense for Systems Engineering and Department of Defense Chief Information Officer. "Software Assurance Countermeasures in Program Protection Planning". DoD. 2014-03. <http://www.acq.osd.mil/se/docs/SwA-CM-in-PPP.pdf>.
Ian Herwono and Fadi Ali El-Moussa. "A Collaborative Tool for Modelling Multi-stage Attacks". Proceedings of the 3rd International Conference on Information Systems Security and Privacy (ICISSP). 2017. <http://www.scitepress.org/Papers/2017/61371/61371.pdf>.
Marc Lichtman, Jeffrey D. Poston, SaiDhiraj Amuru, Chowdhury Shahriar, T. Charles Clancy, R. Michael Buehrer and Jeffrey H. Reed. "A Communications Jamming Taxonomy". 2016. <http://www.buehrer.ece.vt.edu/papers/Com_Jam_Taxonomy.pdf>.
Dimitrios Sisiaridis, Fabrizio Carcillo and Olivier Markowitch. "A Framework for Threat Detection in Communication Systems". Proceedings of the 20th Pan-Hellenic Conference on Informatics. 2016-11. <https://dl.acm.org/citation.cfm?id=3003759>.
Imano Williams, Xiaohong Yuan, Jeffrey McDonald and Mohd Anwar. "A Method for Developing Abuse Cases and Its Evaluation". Volume:11, Issue:5. Journal of Software. 2016. <https://pdfs.semanticscholar.org/c8f6/01917b6971f4f3836e3b683bb06bcdfb3666.pdf>.
Loukmen Regainia and Sébastien Salva. "A Practical Way of Testing Security Patterns". Thirteenth International Conference on Software Engineering Advances (ICSEA'18). 2018-10. <https://hal.archives-ouvertes.fr/hal-01868218>.
Jassim Happa, Graham Fairclough, Jason R. C. Nurse, Ioannis Agrafiotis, Michael Goldsmith and Sadie Creese. "A Pragmatic System-failure Assessment and Response Model". 2nd International Conference on Information Systems Security and Privacy. 2016-01. <https://www.researchgate.net/publication/301721444_A_Pragmatic_System-failure_Assessment_and_Response_Model>.
Maheshwari Venkatasen and Prasanna Mani. "A risk-centric defensive architecture for threat modelling in e-government application". Volume:14, Issue:1. Electronic Government, an International Journal. 2015. <https://www.inderscienceonline.com/doi/abs/10.1504/EG.2018.089537>.
Clive Blackwell. "A Strategy for Formalizing Attack Patterns". Proceedings of Cyberpatterns 2012. pages 35-38. Oxford Brookes University. 2012. <https://link.springer.com/chapter/10.1007/978-3-319-04447-7_9>.
Imano Williams and Xiaohong Yuan. "A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns". International Conference on Information Science and Applications (ICISA). 07-2018. <https://link.springer.com/chapter/10.1007/978-981-13-1056-0_25>.
Igor Kotenko, Elena Doynikova, Andrey Chechulin and Andrey Fedorchenko. "AI- and Metrics-Based Vulnerability-Centric Cyber Security Assessment and Countermeasure Selection". Guide to Vulnerability Analysis for Computer Networks and Systems. Springer. 05-2018. <https://link.springer.com/chapter/10.1007/978-3-319-92624-7_5>.
Richard Derbyshire, Benjamin Green, Daniel Prince, Andreas Mauthe and David Hutchison. "An Analysis of Cyber Security Attack Taxonomies". IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). 2018-04. <https://ieeexplore.ieee.org/abstract/document/8406575>.
Imano Williams. "An Ontology Based Collaborative Recommender System for Security Requirements Elicitation". IEEE 26th International Requirements Engineering Conference (RE). 08-2018. <https://ieeexplore.ieee.org/abstract/document/8491167>.
William Knowles, Alistair Baron and Tim McGarr. "Analysis and recommendations for standardization in penetration testing and vulnerability assessment: Penetration testing market survey". E-print Network. BSI Group, Inc.. 2015-01. <http://eprints.lancs.ac.uk/id/eprint/74275/1/Penetration_testing_online_2.pdf>.
Bong-Jae Kim and Seok-Won Lee. "Analytical Study of Cognitive Layered Approach for Understanding Security Requirements Using Problem Domain Ontology". 23rd Asia-Pacific Software Engineering Conference (APSEC). 2016-12. <https://ieeexplore.ieee.org/abstract/document/7890576>.
Ammarit Thongthua and Sudsanguan Ngamsuriyaroj. "Assessment of Hypervisor Vulnerabilities". International Conference on Cloud Computing Research and Innovations (ICCCRI). 2016. <https://ieeexplore.ieee.org/abstract/document/7600180>.
Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David Hutchison. "Attack Pattern Recognition through Correlating Cyber Situational Awareness in Computer Networks". Proceedings of Cyberpatterns 2012. pages 57-61. Oxford Brookes University. 2012. <http://tech.brookes.ac.uk/CyberPatterns2012/Cyberpatterns2012Proceedings.pdf>.
Jeffery Burroughs, Dr. Patrick Engebretson and Dr. Joshua Pauli. "Attack Traffic Libraries for Testing and Teaching Intrusion Detection Systems". Proc. of Information Systems Analysis and Synthesis: (ISAS 2011). Dakota State University. 2011-03. <http://www.jixion.com/files/ATLTTIDS.pdf>.
Samir Ouchani and Gabriele Lenzini. "Attacks Generation by Detecting Attack Surfaces". Volume 32, Pages 529-536. Procedia Computer Science. Elsevier. 2014-05. <https://www.sciencedirect.com/science/article/pii/S1877050914006577>.
Ian Herwono and Fadi Ali El-Moussa. "Automated Detection of the Early Stages of Cyber Kill Chain". Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP). 2018. <http://www.scitepress.org/Papers/2018/65433/65433.pdf>.
Erwan Godefroy, Eric Totel, Michel Hurfin and Frédéric Majorczyk. "Automatic generation of correlation rules to detect complex attack scenarios". 10th International Conference on Information Assurance and Security. 2014-11. <https://ieeexplore.ieee.org/abstract/document/7064615>.
Bernhard J. Berger, Karsten Sohr and Rainer Koschke. "Automatically Extracting Threats from Extended Data Flow Diagrams". International Symposium on Engineering Secure Software and Systems (ESSoS). 2016. <https://link.springer.com/chapter/10.1007/978-3-319-30806-7_4>.
Nancy R. Mead, Julia H. Allen, W. Arthur Conklin, Antonio Drommi, John Harrison, Jeff Ingalsbe, James Rainey and Dan Shoemaker. "Making the Business Case for Software Assurance". Special Report. CMU/SEI-2009-SR-001. Software Engineering Institute (SEI) Carnegie Mellon. 2009-04. <https://resources.sei.cmu.edu/asset_files/SpecialReport/2009_003_001_15008.pdf>.
Carol Woody, PhD. "Process Improvement Should Link to Security: SEPG 2007 Security Track Recap". Technical Note. CMU/SEI-2007-TN-025. Software Engineering Institute (SEI) Carnegie Mellon. 2007-09. <https://kilthub.cmu.edu/articles/Process_Improvement_Should_Link_to_Security_SEPG_2007_Security_Track_Recap/6582452>.
Robert J. Ellison, John B. Goodenough, Charles B. Weinstock and Carol Woody. "Evaluating and Mitigating Software Supply Chain Security Risks". Technical Note. CMU/SEI-2010-TN-016. Software Engineering Institute (SEI) Carnegie Mellon. 2010-05. <https://kilthub.cmu.edu/articles/Evaluating_and_Mitigating_Software_Supply_Chain_Security_Risks/6573497>.
Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee and Carol C. Woody. "Software Supply Chain Risk Management: From Products to Systems of Systems". Research Showcase. CMU/SEI-2010-TN-026. Software Engineering Institute (SEI) Carnegie Mellon. 2010-12-01. <https://kilthub.cmu.edu/articles/Software_Supply_Chain_Risk_Management_From_Products_to_Systems_of_Systems/6584210>.
Imano Williams and Xiaohong Yuan. "Creating Abuse Cases Based on Attack Patterns: A User Study". IEEE Cybersecurity Development (SecDev). 2017-09. <https://ieeexplore.ieee.org/abstract/document/8077812>.
Elena Doynikova and Igor Kotenko. "CVSS-based Probabilistic Risk Assessment for Cyber Situational Awareness and Countermeasure Selection". 25th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP). 03-2017. <https://ieeexplore.ieee.org/abstract/document/7912670>.
Rafał Piotrowski and Joanna Sliwa. "Cyberspace situational awarness in national security system". International Conference on Military Communications and Information Systems (ICMCIS). 2015-05. <https://ieeexplore.ieee.org/abstract/document/7158685>.
Ji-Yeon Kim and Hyung-Jong Kim. "Defining Security Primitives for Eliciting Flexible Attack Scenarios Through CAPEC Analysis". International Workshop on Information Security Applications (WISA). 2014. <https://link.springer.com/chapter/10.1007/978-3-319-15087-1_29>.
Bumryong Kim, Jun-ho Song, Jae-Pye Park and Moon-seog Jun. "Design of Exploitable Automatic Verification System for Secure Open Source Software". Lecture Notes in Electrical Engineering in Advances in Computer Science and Ubiquitous Computing, CSA&CUTE. Volume 373. 2015-12. <http://rd.springer.com/content/pdf/10.1007/978-981-10-0281-6_40.pdf>.
Elena Doynikova, Andrey Fedorchenko and Igor Kotenko. "Determination of Security Threat Classes on the basis of Vulnerability Analysis for Automated Countermeasure Selection". Proceedings of the 13th International Conference on Availability, Reliability and Security (ARES). 08-2018. <https://dl.acm.org/citation.cfm?id=3233260>.
Aleem Khalid Alvi and Mohammad Zulkernine. "A Natural Classification Scheme for Software Security Patterns". 2011 Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing. DOI 10.1109/DASC.2011.42. IEEE Computer Society. 2011-12-12. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6118361&tag=1>.
Ju An Wang, Minzhe Guo, Hao Wang, J. Camargo and Linfeng Zhou. "Ranking Attacks Based on Vulnerability Analysis". 2010 43rd Hawaii International Conference on System Sciences (HICSS). DOI 10.1109/HICSS.2010.313. IEEE Computer Society. 2010. <https://xplqa30.ieee.org/document/5428663>.
Dr. Bruce Gabrielson. "Who Really Did It? Controlling Malicious Insiders by Merging Biometric Behavior With Detection and Automated Responses". 2012 45th Hawaii International Conference on System Sciences. DOI 10.1109/HICSS.2012.643. IEEE Computer Society. 2012-01-04. <https://ieeexplore.ieee.org/document/6149310>.
Samir Ouchani, Yosr Jarraya and Otmane Ait Mohamed. "Model-Based Systems Security Quantification". 2011 Ninth Annual International Conference on Privacy, Security and Trust. DOI 10.1109/PST.2011.5971976. IEEE. 2011-07-19. <https://ieeexplore.ieee.org/document/5971976>.
Sarra Alqahtani and Rose Gamble. "Embedding a Distributed Auditing Mechanism in the Service Cloud". IEEE World Congress on Services. 2014-06. <https://ieeexplore.ieee.org/abstract/document/6903246>.
Elena Doynikova and Igor Kotenko. "Enhancement of probabilistic attack graphs for accurate cyber security monitoring". IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI). 08-2017. <https://ieeexplore.ieee.org/abstract/document/8397618>.
Imano Williams. "Evaluating a Method to Develop and Rank Abuse Cases based on Threat Modeling, Attack Patterns and Common Weakness Enumeration". Master of Science Thesis. North Carolina Agricultural and Technical State University. 2015. <http://search.proquest.com/bostonglobe/docview/1761832676>.
Clive Blackwell and Hong Zhu. "Future Directions for Research on Cyberpatterns". Oxford Brookes University. 2014. <http://cms.brookes.ac.uk/staff/HongZhu/Publications/CyberPatternsBook-Conclusion%20Chapter%20-final.pdf>.
Henrik Stuart. "Hunting bugs with Coccinelle". 2008-08-08. <http://www.emn.fr/z-info/coccinelle/stuart_thesis.pdf>.
Tayyaba Nafees, Natalie Coull, Robert Ian Ferguson and Adam Sampson. "Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities". International Symposium on Engineering Secure Software and Systems (ESSoS). 2017-07. <https://link.springer.com/chapter/10.1007/978-3-319-62105-0_9>.
Jim Whitmore and William Tobin. "Improving Attention to Security in Software Design with Analytics and Cognitive Techniques". IEEE Cybersecurity Development (SecDev). 2017-09. <https://ieeexplore.ieee.org/abstract/document/8077801>.
Joel Dawson and J. Todd McDonald. "Improving Penetration Testing Methodologies for Security-Based Risk Assessment". Cybersecurity Symposium (CYBERSEC). 2016. <https://www.computer.org/csdl/proceedings/cybersecsym/2016/5771/00/07942425-abs.html>.
Gao, Yuan, Fischer, Robert, Seibt, Simon, Parekh, Mithil and Li, Jianghai. "Integrated Security Framework". INFORMATIK 2017. Gesellschaft für Informatik, Bonn. 2017. <https://dl.gi.de/handle/20.500.12116/4123>.
Patric Birr, Martin Hetzer and Simon Petretti. "IT security risk analysis and threat mitigation for railway applications". International Conference on Computer Safety, Reliability, and Security (SAFECOMP). 2016. <https://hal.laas.fr/hal-01370249/document>.
Brian Van Leeuwen, William Stout and Vincent Urias. "MTD assessment framework with cyber attack modeling". IEEE International Carnahan Conference on Security Technology (ICCST). 2016-10. <https://ieeexplore.ieee.org/abstract/document/7815722>.
Sanjay Madria and Amartya Sen. "Offline Risk Assessment of Cloud Service Providers". Volume:2, Issue:3. IEEE Cloud Computing. 2015. <https://ieeexplore.ieee.org/abstract/document/7158970>.
Igor Kotenko, Andrey Chechulin, Elena Doynikova and Andrey Fedorchenko. "Ontological Hybrid Storage for Security Data". International Symposium on Intelligent and Distributed Computing (IDC). 10-2017. <https://link.springer.com/chapter/10.1007/978-3-319-66379-1_15>.
Morteza Ansarinia, Seyyed Amir Asghari, Afshin Souzani and Ahmadreza Ghaznavi. "Ontology-based modeling of DDoS attacks for attack plan detection". 2012 Sixth International Symposium on Telecommunications (IST). 2012-11-06. <http://ieeexplore.ieee.org/document/6483131>.
Ahmad Salahi and Morteza Ansarinia. "Predicting Network Attacks Using Ontology-Driven Inference". Volume 4, Issue 1. International Journal of Information and Communication Technology (IJICT). 2012-1. <http://arxiv.org/ftp/arxiv/papers/1304/1304.0913.pdf>.
Krissada Rongrat and Twittie Senivongse. "Risk Assessment of Security Requirements of Banking Information Systems Based on Attack Patterns". International Conference on Applied Computing and Information Technology (ACIT). 06-2017. <https://link.springer.com/chapter/10.1007/978-3-319-64051-8_8>.
Tony Uceda Velez and Marco M. Morana. "Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis". Wiley. 2015. <https://books.google.com/books?hl=en&lr=&id=pHtXCQAAQBAJ&oi=fnd&pg=PP1>.
Tong Li, Elda Paja, John Mylopoulos, Jennifer Horkoff and Kristian Beckers. "Security attack analysis using attack patterns". IEEE Tenth International Conference on Research Challenges in Information Science (RCIS). 2016. <https://ieeexplore.ieee.org/abstract/document/7549303>.
Haruhiko Kaiya, Sho Kono, Shinpei Ogata, Takao Okubo, Nobukazu Yoshioka, Hironori Washizaki and Kenji Kaijiri. "Security Requirements Analysis Using Knowledge in CAPEC". International Conference on Advanced Information Systems Engineering (CAiSE). 2014. <https://link.springer.com/chapter/10.1007/978-3-319-07869-4_32>.
Stephen Adams, Bryan Carter, Cody Fleming and Peter A Beling. "Selecting System Specific Cybersecurity Attack Patterns Using Topic Modeling". 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). 2018. <https://ieeexplore.ieee.org/abstract/document/8455944>.
Xiao Ma, Elnaz Davoodi, Leila Kosseim and Nicandro Scarabeo. "Semantic Mapping of Security Events to Known Attack Patterns". International Conference on Applications of Natural Language to Information Systems (NLDB). 2018-06. <https://link.springer.com/chapter/10.1007/978-3-319-91947-8_10>.
Daniel Díaz López, María Blanco Uribe, Claudia Santiago Cely, Andrés Vega Torres, Nicolás Moreno Guataquira, Stefany Morón Castro, Pantaleone Nespoli and Nicolás Moreno Guataquira. "Shielding IoT Against Cyber-Attacks: An Event-Based Approach Using SIEM". Wireless Communications and Mobile Computing. 2018-10. <https://doi.org/10.1155/2018/3029638>.
Zareen Syed, Tim Finin, Ankur Padia and Lisa Mathews. "Supporting Situationally Aware Cybersecurity Systems". University of Maryland Baltimore County. 2015-09. <http://ebiquity.umbc.edu/_file_directory_/papers/778.pdf>.
Pascal Meunier. "Classes of Vulnerabilities and Attacks". Wiley Handbook of Science and Technology for Homeland Security. Technical article - CS03. The Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University. 2007. <https://www.semanticscholar.org/paper/Classes-of-Vulnerabilities-and-Attacks-Meunier/9ce12453bf02653d5bcc3f6b7cd9db2e29cd6f16>.
Francis Akowuah, Jerrisa Lake, Xiaohong Yuan, Emmanuel Nuakoh and Huiming Yu. "TESTING THE SECURITY VULNERABILITIES OF OPENEMR 4.1.1: A CASE STUDY". Issue 3. Journal of Computing Sciences in Colleges. Volume 30. 2015-01. <http://dl.acm.org/citation.cfm?id=2675332>.
Steven Noel. "Text Mining for Modeling Cyberattacks". Computational Analysis and Understanding of Natural Languages: Principles, Methods and Applications. Elsevier. 2018-08. <https://books.google.com/books?hl=en&lr=&id=gRJrDwAAQBAJ&oi=fnd&pg=PA463>.
Carol Woody, Ph.D. and Dan Shoemaker, Ph.D.. "The Impact of Contextual Factors on the Security of Code". Defense Technical Information Center - Science & Technology (DTIC). Carnegie Mellon Software Engineering Institute - CERT Division/SSD. 2014-12. <http://apps.dtic.mil/dtic/tr/fulltext/u2/a617283.pdf>.
A. V. Fedorchenko, I. V. Kotenko, E. V. Doynikova and A. A. Chechulin. "The ontological approach application for construction of the hybrid security repository". XX IEEE International Conference on Soft Computing and Measurements (SCM). 05-2017. <https://ieeexplore.ieee.org/abstract/document/7970638>.
Valentina Casola, Alessandra De Benedictis, Massimiliano Rak and Umberto Villano. "Towards Automated Penetration Testing for Cloud Applications". IEEE 27th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). 2018-06. <https://ieeexplore.ieee.org/abstract/document/8495902>.
Ghaith Husari, Ehab Al-Shaer, Mohiuddin Ahmed, Bill Chu and Xi Niu. "TTPDrill: Automatic and Accurate Extraction of Threat Actions from Unstructured Text of CTI Sources". Proceedings of the 33rd Annual Computer Security Applications Conference. 2017-12. <https://dl.acm.org/citation.cfm?id=3134646>.
Sébastien Salva and Loukmen Regainia. "Using Data Integration to Help Design More Secure Applications". International Conference on Risks and Security of Internet and Systems (CRiSIS). 02-2018. <https://link.springer.com/chapter/10.1007%2F978-3-319-76687-4_6>.
Mujahid Mohsin and Zahid Anwar. "Where to Kill the Cyber Kill-Chain: An Ontology-Driven Framework for IoT Security Analytics". International Conference on Frontiers of Information Technology (FIT). 2016-12. <https://ieeexplore.ieee.org/abstract/document/7866722>.
"DHS Control Systems Security Program (CSSP) Common Cybersecurity Vulnerabilities in Industrial Control Systems". 2011-05. <http://www.us-cert.gov/sites/default/files/documents/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf>.
Stacy Simpson, Mark Belk, Matt Coles, Cassio Goldschmidt, Michael Howard, Kyle Randolph, Mikko Saario, Reeny Sondhi, Izar Tarandach, Antti Vähä-Sipilä and Yonko Yonchev. "A Guide to the Most Effective Secure Development Practices in Use Today". 2nd Edition. Fundamental Practices for Secure Software Development. Software Assurance Forum for Excellence in Code (SAFECode). 2011-02-08. <https://safecode.org/publication/SAFECode_Dev_Practices0211.pdf>.
Jason Lam. "Exchanging and sharing of assessment results". SANS Software Security with Frank Kim - AppSec Blog. The SANS Institute. 2010-11-19. <http://software-security.sans.org/blog/2010/11/19/exchanging-sharing-assessment-results/>.
"SANS NewsBites". Volume: XV, Issue: 59. SANS Software Security with Frank Kim - AppSec Blog. Lack of Common Lexicon Hinders Threat Information Sharing. The SANS Institute. 2013-07-25. <https://www.sans.org/newsletters/newsbites/xv/59>.
"Securing Web Application Technologies (SWAT) Checklist". 23rd Edition. Securing the Human. Winter 2013. The SANS Institute. 2010. <http://software-security.sans.org/resources/swat>.
"Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses". Version 2.4. Software Assurance (SwA) Pocket Guide Series: Development. Volume II. DHS NCSD Software Assurance Community Resources and Information Clearinghouse. 2012-11-01. <http://cwe.mitre.org/documents/KeyPracticesMWV22_20121101.pdf>.
"WASC Threat Classification". Version 2.00. The Web Application Security Consortium (WASC). 2010-01-01. <http://projects.webappsec.org/f/WASC-TC-v2_0.pdf>.
"ISO/IEC TR 20004:2012 Information Technology -- Security Techniques -- Refining Software Vulnerability Analysis under ISO/IEC 15408 and ISO/IEC 18045". ISO. 2012. <https://www.iso.org/standard/50951.html>.
"Common attack pattern enumeration and classification". SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cybersecurity information exchange – Event/incident/heuristics exchange. Recommendation ITU-T X.1544. ITU-T Telecommunication Standardization Sector of ITU. 2013-04. <http://www.itu.int/rec/T-REC-X.1544-201304-I>.
Kelley L. Dempsey, L A. Johnson, Matthew A. Scholl, Kevin M. Stine, Alicia Clay Jones, Angela Orebaugh, Nirali S. Chawla and Ronald Johnston. "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations". NIST Special Publication (NIST SP). 800-137. National Institute of Standards and Technology. 2011-09-30. <https://csrc.nist.gov/publications/detail/sp/800-137/final>.
Chris Johnson, Lee Badger, David Waltermire, Julie Snyder and Clem Skorupka. "Guide to Cyber Threat Information Sharing". NIST Special Publication (NIST SP). National Institute of Standards and Technology. 2016-10. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf>.
Ronald S. Ross. "Security and Privacy Controls for Federal Information Systems and Organizations". NIST Special Publication (NIST SP). 800-163. National Institute of Standards and Technology. 2015-01. <http://dx.doi.org/10.6028/NIST.SP.800-163>.
Ronald S. Ross. "Guide for Conducting Risk Assessments". rev 1. NIST Special Publication (NIST SP). 800-30. National Institute of Standards and Technology. 2012-09-17. <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf>.
Ronald S. Ross. "Security and Privacy Controls for Federal Information Systems and Organizations". Revision 4. NIST Special Publication (NIST SP). 800-53. National Institute of Standards and Technology. 2013-04-30. <http://dx.doi.org/10.6028/NIST.SP.800-53r4>.
Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.