Modeling Attacks

Modeling Attacks

S. Al-Fedaghi Samer Moein 

Computer Engineering Department, Kuwait University, Kuwait

30 June 2014
| Citation



The aim of this paper is to develop a general conceptual model of attack progression that can be applied to modeling of computer and communication threat risks. This paper focuses on attacks that aim at overpowering the victim/prey to gain some benefi t. It examines existing models and introduces a new fl ow model to facilitate development of a general model of two-sided combat. The symmetry between the attacker’s and defender’s fl ow systems of signals, information, plans, decisions, and actions results in a single combat model incorporating the realms of both attacker and defender. Based on this conceptualization, it is possible to characterize the weak points and develop a map of vulnerabilities in the defender’s system. Such a methodology of attack modeling provides a base for analysis in the fi elds of threat modeling and secure software development. Finally, this new model is applied to an SQL injection problem in web services to demonstrate implementation of a real system problem.


attacks, conceptual model, security, SQL injection, threat risk


[1] Moore, A.P., Ellison, R.J. & Linger, R.C., Attack Modelling for Information Security and Survivability. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, USA, Tech. Rep, 2001. CMU/SEI-2001-TN-001.

[2] Alberts, D.S. & Hayes, R.E., Understanding Command and Control. DoD Command and Control Research Program, 2006, available at les/ Alberts_UC2.pdf

[3] Cloppert, M., Security Intelligence: Introduction. SANS Institute Computer Forensic Blog, July 22, 2009, available at security-intelligence-introduction-pt-1/

[4] Johnson, D., Effects-based Operations: A New Operational Model? U.S.  Army War College, 2002, available at ebo.pdf

[5] Brumley, L., Kopp, C. & Korb, K., The Orientation Step of the OODA Loop and Information Warfare, 2006, available at


[6] Schechtman, GM., Manipulating the OODA Loop: The Overlooked Role of Information Resource Management in Information Warfare. 1996, available at au/awc/awcgate/afi t/schec_gm.pdf

[7] USAF Intelligence Targeting Guide, Chapter 1: Targeting and the Target. Air Force Pamphlet 14-210 Intelligence, 1998, available at afpam14-210/part09.htm

[8] Smith, D.J., Information Operations Primer. U.S. Army War College, 2006, available at

[9] Cloppert, M., Security Intelligence: Attacking the Kill Chain. SANS Institute Computer Forensic Blog, October 14, 2009, available at forensics/2009/10/14/security-intelligence-attacking-the-kill-chain/

[10] Al-Fedaghi, S., Conceptual software testing: a new approach. International Review on Computers and Software, 8(8), pp. 1832–1842, 2013.

[11] Al-Fedaghi, S., How the pride attacks. 9th European Conference on Information  Warfare and Security, Thessaloniki, Greece, July 1–2, 2010. Republished in: Leading Issues in Information Warfare and Security Research, Vol. 1, pp. 1–19, ed. Julie J. C. H. Ryan, Academic Publishing: UK, 2012.

[12] Al-Fedaghi, S., Some aspects of personal information theory. 7th Annual IEEE Information Assurance Workshop (IEEE-IAW 2006), United States Military Academy, West Point, NY, 2006, available at jsp?arnumber=01652066

[13] Department of the Air Force, Vistas: Air Force Information Resources Management Strategic Plan, 1995. HQ USAF: Washington, DC.

[14] Sarriegi, J.M., Santos, J., Torres, J.M., Imizcoz, D. & Plandolit, A., Modeling security management of information systems: analysis of a ongoing practical case. The 24th International Conference of the System Dynamics Society, July 23–27, Nijmegen, The Netherlands, 2006.

[15] Cares, J.R., An Information Age Combat Model.  Alidade, 2004, available at http://

[16] Friedl, S.J., SQL injection attacks by example, Steve Friedl’s Tech Tips, October 10, 2007.

[17] Bejtlich, R., Threat model vs. attack model, TaoSecurity: Richard Bejtlich’s blog on digital security and the practices of network security monitoring, incident response, and forensics, June 12, 2007, available at 

[18] Johansson, K., The Offensive Operations Model, v. 2.1. KSAJ, Inc., 2004 (accessed), available at whitepapers/Offensive_Operations_Model.pdf

[19] Brown, K., The .NET Developer’s Guide to Windows Security: What is Attack Modeling, 2007, available at WhatIsThreatModeling.html