The aim of this paper is to develop a general conceptual model of attack progression that can be applied to modeling of computer and communication threat risks. This paper focuses on attacks that aim at overpowering the victim/prey to gain some benefi t. It examines existing models and introduces a new fl ow model to facilitate development of a general model of two-sided combat. The symmetry between the attacker’s and defender’s fl ow systems of signals, information, plans, decisions, and actions results in a single combat model incorporating the realms of both attacker and defender. Based on this conceptualization, it is possible to characterize the weak points and develop a map of vulnerabilities in the defender’s system. Such a methodology of attack modeling provides a base for analysis in the fi elds of threat modeling and secure software development. Finally, this new model is applied to an SQL injection problem in web services to demonstrate implementation of a real system problem.
attacks, conceptual model, security, SQL injection, threat risk
 Moore, A.P., Ellison, R.J. & Linger, R.C., Attack Modelling for Information Security and Survivability. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA, Tech. Rep, 2001. CMU/SEI-2001-TN-001.
 Alberts, D.S. & Hayes, R.E., Understanding Command and Control. DoD Command and Control Research Program, 2006, available at http://www.dodccrp.org/fi les/ Alberts_UC2.pdf
 Cloppert, M., Security Intelligence: Introduction. SANS Institute Computer Forensic Blog, July 22, 2009, available at https://blogs.sans.org/computer-forensics/2009/07/22/ security-intelligence-introduction-pt-1/
 Johnson, D., Effects-based Operations: A New Operational Model? U.S. Army War College, 2002, available at http://www.iwar.org.uk/military/resources/effect-based-ops/ ebo.pdf
 Brumley, L., Kopp, C. & Korb, K., The Orientation Step of the OODA Loop and Information Warfare, 2006, available at http://www.csse.monash.edu.au/courseware/
 Schechtman, GM., Manipulating the OODA Loop: The Overlooked Role of Information Resource Management in Information Warfare. 1996, available at http://www.au.af.mil/ au/awc/awcgate/afi t/schec_gm.pdf
 USAF Intelligence Targeting Guide, Chapter 1: Targeting and the Target. Air Force Pamphlet 14-210 Intelligence, 1998, available at http://www.fas.org/irp/doddir/usaf/ afpam14-210/part09.htm
 Smith, D.J., Information Operations Primer. U.S. Army War College, 2006, available at http://www.iwar.org.uk/iwar/resources/primer/info-ops-primer.pdf
 Cloppert, M., Security Intelligence: Attacking the Kill Chain. SANS Institute Computer Forensic Blog, October 14, 2009, available at https://blogs.sans.org/computer- forensics/2009/10/14/security-intelligence-attacking-the-kill-chain/
 Al-Fedaghi, S., Conceptual software testing: a new approach. International Review on Computers and Software, 8(8), pp. 1832–1842, 2013.
 Al-Fedaghi, S., How the pride attacks. 9th European Conference on Information Warfare and Security, Thessaloniki, Greece, July 1–2, 2010. Republished in: Leading Issues in Information Warfare and Security Research, Vol. 1, pp. 1–19, ed. Julie J. C. H. Ryan, Academic Publishing: UK, 2012.
 Al-Fedaghi, S., Some aspects of personal information theory. 7th Annual IEEE Information Assurance Workshop (IEEE-IAW 2006), United States Military Academy, West Point, NY, 2006, available at http://ieeexplore.ieee.org/stamp/stamp. jsp?arnumber=01652066
 Department of the Air Force, Vistas: Air Force Information Resources Management Strategic Plan, 1995. HQ USAF: Washington, DC.
 Sarriegi, J.M., Santos, J., Torres, J.M., Imizcoz, D. & Plandolit, A., Modeling security management of information systems: analysis of a ongoing practical case. The 24th International Conference of the System Dynamics Society, July 23–27, Nijmegen, The Netherlands, 2006.
 Cares, J.R., An Information Age Combat Model. Alidade, 2004, available at http:// www.alidade.net/recent_research/IACM.pdf
 Friedl, S.J., SQL injection attacks by example, Steve Friedl’s Unixwiz.net Tech Tips, October 10, 2007. http://www.unixwiz.net/techtips/sql-injection.html
 Bejtlich, R., Threat model vs. attack model, TaoSecurity: Richard Bejtlich’s blog on digital security and the practices of network security monitoring, incident response, and forensics, June 12, 2007, available at http://taosecurity.blogspot.com/2007/06/threatmodel-vs-attack-model.html
 Johansson, K., The Offensive Operations Model, v. 2.1. KSAJ, Inc., 2004 (accessed), available at http://www.penetrationtest.com/penetration_test_information_security_ whitepapers/Offensive_Operations_Model.pdf
 Brown, K., The .NET Developer’s Guide to Windows Security: What is Attack Modeling, 2007, available at http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/ WhatIsThreatModeling.html