Archivio Istituzionale della RicercaThis paper introduces a novel approach for the automated selection of software protections to mitigate Machine-At-The-End risks against critical assets within software applications. We formalize the key elements involved in protection decision-making — including code artifacts, assets, security requirements, attacks, and software protections — and frame the protection process through a model inspired by game theory. In this model, a defender strategically applies protections to various code artifacts of a target application, anticipating repeated attack attempts by adversaries against the confidentiality and integrity of the application's assets. The selection of the optimal defense maximizes resistance to attacks while ensuring the application remains usable by constraining the overhead introduced by protections. The game is solved through a heuristic based on a mini-max depth-first exploration strategy, augmented with dynamic programming optimizations for improved efficiency. Central to our formulation is the introduction of the Software Protection Index, an original contribution that extends existing notions of potency and resilience by evaluating protection effectiveness against attack paths using software metrics and expert assessments. We validate our approach through a proof-of-concept implementation and expert evaluations, demonstrating that automated software protection is a practical and effective solution for risk mitigation in software.
Automatic selection of protections to mitigate risks against software applications / Canavese, D., Regano, L., Basile, C., De Sutter, B.. - In: COMPUTERS & SECURITY. - ISSN 0167-4048. - 168:(2026). [10.1016/j.cose.2026.104959]
Automatic selection of protections to mitigate risks against software applications
Basile, Cataldo;
2026
Abstract
This paper introduces a novel approach for the automated selection of software protections to mitigate Machine-At-The-End risks against critical assets within software applications. We formalize the key elements involved in protection decision-making — including code artifacts, assets, security requirements, attacks, and software protections — and frame the protection process through a model inspired by game theory. In this model, a defender strategically applies protections to various code artifacts of a target application, anticipating repeated attack attempts by adversaries against the confidentiality and integrity of the application's assets. The selection of the optimal defense maximizes resistance to attacks while ensuring the application remains usable by constraining the overhead introduced by protections. The game is solved through a heuristic based on a mini-max depth-first exploration strategy, augmented with dynamic programming optimizations for improved efficiency. Central to our formulation is the introduction of the Software Protection Index, an original contribution that extends existing notions of potency and resilience by evaluating protection effectiveness against attack paths using software metrics and expert assessments. We validate our approach through a proof-of-concept implementation and expert evaluations, demonstrating that automated software protection is a practical and effective solution for risk mitigation in software.
| File | Dimensione | Formato | |
|---|---|---|---|
|
1-s2.0-S0167404826001355-main.pdf
accesso aperto
Descrizione: Main paper
Tipologia:
2a Post-print versione editoriale / Version of Record
Licenza:
Creative commons
Dimensione
2.62 MB
Formato
Adobe PDF
|
2.62 MB | Adobe PDF | Visualizza/Apri |
|
1-s2.0-S0167404826001355-mmc1.pdf
accesso aperto
Descrizione: Supplemental Material
Tipologia:
Altro materiale allegato
Licenza:
Creative commons
Dimensione
441.28 kB
Formato
Adobe PDF
|
441.28 kB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/11583/3011611