Harald Lampesberger

Eckehard Hermann, Harald Lampesberger

For risks that cannot be accepted, sufficiently mitigated, or eliminated, continuous observation is a viable approach but requires a model that can be operationalized. The Hagenberg Risk Management Process bridges this gap between qualitative risk analysis, using contextualized polar heatmaps (triage), and realtime risk management by extending Bowtie diagrams into a formal probabilistic runtime model. We introduce Realtime Risk Studio, a domain-specific modeling tool that (i) transforms Bowtie structures (causes, top event, barriers, consequences) into a directed acyclic graph (DAG) suitable for Bayesian inference, (ii) adds explicit safe-state semantics, and (iii) designates Activation Nodes as intervention points. Bowtie models are qualitative; however, Bayesian inference requires actual probabilities. As a second contribution, we present Probability Capture, a tool that complements our Realtime Risk Studio by automatically generating questionnaires from a DAG model so experts can provide estimates. The tool analyzes disagreement and aggregates conditional-probability assessments using both descriptive dispersion analysis and prior-regularized methods. Causal analysis can then provide insights into the DAG model, for example, via d-separation, adjustment-set inspection, do-calculus for what-if analysis, local independence checks, evidence updating, and impact-oriented searches for effective interventions. This workflow is illustrated with an instant-payments gateway scenario, demonstrating (a) explicit safe-state semantics, (b) Bowtie-to-DAG operationalization, (c) probability capture with visible expert noise, and (d) causal what-if analysis on a transformed and enriched model. Rather than presenting a statistical validation, the paper contributes a method and prototype system that transforms partially mitigated risks into observable, probabilistic, and intervention-ready models.

Harald Lampesberger

The Extensible Markup Language (XML) is a complex language, and consequently, XML-based protocols are susceptible to entire classes of implicit and explicit security problems. Message formats in XML-based protocols are usually specified in XML Schema, and as a first-line defense, schema validation should reject malformed input. However, extension points in most protocol specifications break validation. Extension points are wildcards and considered best practice for loose composition, but they also enable an attacker to add unchecked content in a document, e.g., for a signature wrapping attack. This paper introduces datatyped XML visibly pushdown automata (dXVPAs) as language representation for mixed-content XML and presents an incremental learner that infers a dXVPA from example documents. The learner generalizes XML types and datatypes in terms of automaton states and transitions, and an inferred dXVPA converges to a good-enough approximation of the true language. The automaton is free from extension points and capable of stream validation, e.g., as an anomaly detector for XML-based protocols. For dealing with adversarial training data, two scenarios of poisoning are considered: a poisoning attack is either uncovered at a later time or remains hidden. Unlearning can therefore remove an identified poisoning attack from a dXVPA, and sanitization trims low-frequent states and transitions to get rid of hidden attacks. All algorithms have been evaluated in four scenarios, including a web service implemented in Apache Axis2 and Apache Rampart, where attacks have been simulated. In all scenarios, the learned automaton had zero false positives and outperformed traditional schema validation.

Harald Lampesberger

False-positives are a problem in anomaly-based intrusion detection systems. To counter this issue, we discuss anomaly detection for the eXtensible Markup Language (XML) in a language-theoretic view. We argue that many XML-based attacks target the syntactic level, i.e. the tree structure or element content, and syntax validation of XML documents reduces the attack surface. XML offers so-called schemas for validation, but in real world, schemas are often unavailable, ignored or too general. In this work-in-progress paper we describe a grammatical inference approach to learn an automaton from example XML documents for detecting documents with anomalous syntax. We discuss properties and expressiveness of XML to understand limits of learnability. Our contributions are an XML Schema compatible lexical datatype system to abstract content in XML and an algorithm to learn visibly pushdown automata (VPA) directly from a set of examples. The proposed algorithm does not require the tree representation of XML, so it can process large documents or streams. The resulting deterministic VPA then allows stream validation of documents to recognize deviations in the underlying tree structure or datatypes.