Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

In the past few years, we have witnessed a rapid increase in the number and severity of security breaches, ranging from theft of personal information about millions of US government employeesFootnote 1 to sophisticated targeted malware attacks on security vendorsFootnote 2. This problem is exacerbated by the fact that it has become difficult to perform an adequate risk assessment of an organisation’s security stance, with many organisations relying on a complex mix of off-site third party IT-services, e.g., “cloud services” and internally supported IT services. One of the tools available to help structure risk assessments and security analyses is attack trees, recommended, e.g., by NATO Research and Technology Organisation (RTO) [20] and OWASP [22]. Attack trees [19, 23, 24] is a tree based formalism inspired by fault trees, a well-known formalism used in safety engineering. The formalism was initially introduced by [24] and given a formal definition by Mauw and Oostdijk [19]. Kordy et al. [16] provide a survey on attack trees and related formalisms. While basic quantitative analysis, i.e., a bottom-up computation for a single parameter (e.g., cost, probability or time of an attack), can be performed directly on attack trees [4], several proposals exist to extend the basic attack tree formalism in order to support better analysis. For example, Buldas et al. [6], Jürgenson and Willemson [14] introduced multi-parameter attack trees with interdependent variables; Dalton et al. [7] have proposed analysing attack trees as Generalized Stochastic Petri Nets; Arnold et al. [2] applied interactive Input/Output Markov Chains to enhance temporal and stochastic dependencies analysis in attack trees. Kumar et al. [17] have considered priced timed automata for analysis of attack trees. This work defines a translation for each leaf node and each gate in an attack tree into a priced timed automaton. The approach allows to translate the full attack tree into an automaton that can be analysed using the uppaal Cora model checker. The research community interest in attack trees has been recently reinvigorated by new techniques to automatically generate attack trees and attack-defense trees from socio-technical organizational models [11, 13], paving the way towards automating risk assessment.

Attack-defense trees are a notable extension of attack trees that include, besides attacker’s actions, also defender’s actions and model their interplay [3, 15]. This extended formalism allows capturing more detailed scenarios, and incorporating the defender’s perspective into an analysis. For example, burglar-resistance classes for physical security mechanisms, such as doors and windows, define how much time an attacker equipped with certain tools needs to spend on the intrusion [25]. Explicit consideration of defenses in the analysis allows the domain experts to get a better picture of the scenario [4, 15]. Recently, Hermanns et al. [12] have created the attack-defense-diagrams formalism extending attacke-defense trees with trigger and reset gates, which allow expressing temporal behaviours. The work [21] likewise introduces a sequential gate to attack-defense trees and considers a two-player stochastic game interpretation of this.

Our paper introduces a framework for analysing complex temporal scenarios of interactions of attackers and defenders, beyond the expressiveness of classic attack-defense trees. For doing this we develop a modelling framework for expressing the temporal behaviour of the attacker with the formalism networks of timed automata. Unlike the work of [17] the attack-defense-tree is not encoded as a timed automata-instead it is encoded as a boolean formula, which the attacker wishes to become true. This encoding allows us to apply state-of-the-art model checking tools and techniques to perform fully automated analyses of the modelled system, both qualitative (boolean) analysis and quantitative (probabilistic) analysis. The modelling framework is accompanied by an automatic translation script. The script reads an attack-defense-tree and outputs a uppaal [18] timed automata model which can subsequently be queried several questions: among these questions are “what is the probability that an attack succeeds within \(\tau \)” and “what is the expected cost of the attacker within \(\tau \) time units” for a specific behaviour of the attacker. Using Uppaal-Stratego [10], a recent extension of uppaal, we are furthermore capable of finding an attacker that minimises the expected cost of an attack.

2 Attack Defense Trees

We will now define an attack-defense tree (Definition 1), along with the standard boolean semantics for such a tree. Thereafter a temporal semantics with time, cost and stochasticity is introduced. This temporal semantics is the first contribution of this paper.

Definition 1

(AD-tree). An AD-tree over the attacker actions \(\mathtt {A}_{a}\)and defender actions \(\mathtt {A}_{d}\) is generated by the syntax

$$ t : == p \mid t \wedge t \mid t \vee t \mid \sim t $$

where \(p\in \mathtt {A}_{a}\cup \mathtt {A}_{d}\). We denote by \(\mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\) all AD-trees over \(\mathtt {A}_{a}\) and \(\mathtt {A}_{d}\).

Let \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\), let \(A\subseteq \mathtt {A}_{a}\) be the set of selected attacker actins and let \(D\subseteq {\mathtt {A}_{d}}\) be the set of selected defender actions; then we inductively define \(\llbracket t \rrbracket A,D\) as

  • \(\llbracket p \rrbracket D,A = \mathtt {tt}\) if \(p \in A\cup D\), \(\mathtt {ff}\) otherwise

  • \(\llbracket t_1 \wedge t_2 \rrbracket D,A = {(\llbracket t_1 \rrbracket D,A)} \wedge {(\llbracket t_2 \rrbracket D,A)}\)

  • \(\llbracket t_1 \vee t_2 \rrbracket D,A = {(\llbracket t_1 \rrbracket D,A)} \vee {(\llbracket t_2 \rrbracket D,A)}\)

  • \(\llbracket \sim t \rrbracket D,A = \lnot {(\llbracket t \rrbracket D,A)}\)

As an example of an attack-defense-tree consider Fig. 1. This tree explains how an attacker may succefully remove an RFID-tag from a warehouse. Among the possible ways is infiltrating management and order a replacement tag. The example is lifted from [3].

Fig. 1.
figure 1

An example of an attack-defense-tree. Square items correspond to defender’s actions and circles to the attacker.

Full size image

To make attack-defense-trees well-formed, we follow Aslanyan and Nielson [3] and impose a type system on top of the abstract syntax of Definition 1 – in this system there are two types d and a corresponding to defender and attacker. The type system is captured in Fig. 2. The negation operator \(\sim \) acts like the switch operator of Aslanyan and Nielson [3] and changes the type of the subtree. Unlike Aslanyan and Nielson [3], we do not have a normal negation operator: the reason is we only want an attacker (or defender for that matter) to do positive things i.e. the attacker should only do something beneficial for him. In the remainder we only consider well-formed trees according to this type-system and we restrict our attention to trees t where \(t\vdash a\). The major interest of attack-defense trees is whether there exists a set of defense measures such that an attack can never occur.

Question 1

For an attack-defense tree \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\), does there exist \(D\subseteq \mathtt {A}_{d}\), such that for all \(A\subseteq \mathtt {A}_{a}\), \(\llbracket t \rrbracket D,A = \mathtt {ff}\)?

This encapsulates our view that defense measures are selected ahead of time and fixed, while the attacker selects a set of attack measures. Our view is in accordance with the classical definition of attack-defense trees by [15]. Let \(\lambda \) be a symbol not in \(\mathtt {A}_{a}\), which indicates that an attacker chooses to do no actions. We denote by \(\mathtt {A}_{a}^\lambda \) the set \(\mathtt {A}_{a}\cup \{\lambda \}\).

Definition 2

Let \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\) be an AD-tree. The Attack-Defense-Graph over t is the tuple \(\mathcal {G}^{t} = (\mathcal {V},{v_{}}^0,\rightarrow ,\rightarrow _\lnot ,\dashrightarrow ,F)\) where

  • \(\mathcal {V}= 2^{\mathtt {A}_{d}}\times 2^{\mathtt {A}_{a}}\) is a set of vertices containing currently true attacker and defender actions,

  • \({v_{}}^0= (\emptyset ,\emptyset )\) is the initial vertex,

  • \(\rightarrow \subseteq (\mathcal {V}\times \mathtt {A}_{a}^\lambda \times \mathcal {V})\) is a set of edges where \(((D,A),a,(D',A'))\in \rightarrow \) if and only if \(D = D'\), \(A' = A \cup (\{a\}\cap \mathtt {A}_{a})\) and \(a\notin A\),

  • \(\rightarrow _\lnot \subseteq (\mathcal {V}\times \mathtt {A}_{a}\times \mathcal {V})\) is a set of edges where \(((D,A),a,(D,A))\in \rightarrow _\lnot \) if and only if \(a\notin A\)

  • \(\dashrightarrow = \{({v_{}}^0,D,S) \mid D \in 2^{\mathtt {A}_{d}} \wedge S = (D,\emptyset )\}\) is the “select defense” edges and

  • \(F= \{(D,A)\in \mathcal {V}\mid \llbracket t \rrbracket D,A = \mathtt {tt}\}\) is a set of final vertices.

An attack-defense graph is essentially laying out all the possible steps an attacker may take to achieve a successful attack. Notice the edges in \(\rightarrow _\lnot \) correspond to trying to execute an atomic attack and failing. We allow this loop back as in this way we are able to model an attacker who selects what action to perform and an environment deciding whether that action succeeds.

Fig. 2.
figure 2

Type system to make attack-defense trees well-formed

Full size image

For an attack-defense graph (ADG) \(\mathcal {G}^{t} = (\mathcal {V},{v_{}}^0,\rightarrow ,\rightarrow _\lnot ,\dashrightarrow ,F)\) we write \({v_{}}\overset{D}{\dashrightarrow } {v_{}}'\) whenever \(({v_{}},D,{v_{}}')\in \dashrightarrow \) and similarly we write \({v_{}}\xrightarrow {a}{v_{}}'\) (\({v_{}}\xrightarrow {\lnot a}{v_{}}'\)) if \(({v_{}},a,{v_{}}')\in \rightarrow \) (\(({v_{}},a,{v_{}}')\in \rightarrow _\lnot \)). An attack-defense scenario (ADS) for \(\mathcal {G}^{t}\) is a sequence \( \omega ={v_{0}} D{v_{1}}\alpha _1{v_{2}}\alpha _2\dots {\alpha _{n_1}} s_n \dots \), where \({v_{0}} = {v_{}}^0\), for all i, \(\alpha _i \in \{a,\lnot a \mid a\in \mathtt {A}_{a}\}\cup \{\lambda \}\), \({v_{0}}\overset{D}{\dashrightarrow }{v_{1}}\) and for all \(j>0\), \({v_{j}}\xrightarrow {\alpha _j}{v_{j+1}}\). We call \(\omega \) a successful ADS if there exists j such that \({v_{j}}\in F\), denoted \(\omega \vDash t\), and we call it a failed ADS if for all j, \({v_{j}}\notin F\), denoted \(\omega \not \vDash t\). We denote by \(\varOmega (t)\) all ADSs over t and furthermore let \(\varOmega ^D(t) = \{\pi = {v_{}}^0\overset{D}{\dashrightarrow }{v_{0}}\xrightarrow {a_1}\dots \mid \pi \in \varOmega (t)\}\) be all the ADSs initiated by the defender selecting defense measure D.

Lemma 1

Let \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\) be an attack-defense-tree and let \(D\subseteq \mathtt {A}_{d}\). If for all \(\omega \in \varOmega ^D(t)\), \(\omega \not \vDash t\) then for all \(A\subseteq \mathtt {A}_{a}\) \(\llbracket t \rrbracket D,A = \mathtt {ff}\).

Lemma 2

Let \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\) be an attack-defense-tree and let \(D\subseteq \mathtt {A}_{d}\). If there exists \(\omega \in \varOmega ^D(t)\), \(\omega \vDash t\) then there exists \(A\subseteq \mathtt {A}_{a}\) such that \(\llbracket t \rrbracket D,A=\mathtt {tt}\).

In reality we wish to analyse the possible attacks after the defender has selected some defense measures. For this we remove the choice of defense measures from the ADG to get an attack graph (AG). Let \(\mathcal {G}^{t} = (\mathcal {V},{v_{}}^0,\rightarrow ,\rightarrow _\lnot ,\dashrightarrow ,F)\) be the ADG for \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\); then the AG responding to \(D\subseteq \mathtt {A}_{d}\) is the graph \((\mathcal {V},{v_{}}^{\mathcal {A}},\rightarrow ,\rightarrow _\lnot ,F)\) where \({v_{}}^0\overset{D}{\dashrightarrow } {v_{}}^{\mathcal {A}}\). We denote this AG by \(\mathcal {G}^{t}_D\). Due to Lemmas 1 and 2 then Question 1 is answerable by a pure reachability check on \(\mathcal {G}^{t}_D\) for all \(D\subseteq 2^{\mathtt {A}_{d}}\).

2.1 Adding Timed Behaviour

Intuitively speaking, an attacker observes the state of an ADG and choose an action. The attacker is memoryless and does, for instance, not remember how many times a specific attack has been attempted. The execution time of an action \(p_a\) is given by interval \([L_{p_a},U_{p_a}]\), and thus an abstract timed attacker (Definition 3) is essentially a timed transition system.

Definition 3

(Abstract Timed Attacker). Let \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\). An abstract timed attacker over the ADG \(\mathcal {G}^{t} = (\mathcal {V},{v_{}}^0,\rightarrow ,\rightarrow _\lnot ,\dashrightarrow ,F)\) is a tuple \((\mathsf {S},M,Ac)\) where

  • \(\mathsf {S}\) is a set of states,

  • \(M: \mathcal {V}\rightarrow \mathsf {S}\) maps vertices to attacker states, and

  • \(Ac: \mathsf {S}\rightarrow 2^{\mathtt {A}_{a}^\lambda \times \mathbb {R_{\ge 0}}}\) gives the possible actions and delays for an attacker, with the requirements that

    • if \({\mathsf {s}^{}}= M({v_{}})\) and \((p_a,r)\in Ac({\mathsf {s}^{}})\) then \({v_{}}\xrightarrow {p_a}{v_{}}'\) for some \({v_{}}'\),

    • if \((p_a,t)\in Ac({\mathsf {s}^{}})\) then \(L_{p_a} \le t\le U_{p_a}\) and \(\{(p_a,t') | L_{p_a} \le t' \le U_{p_a}\}\subseteq Ac({\mathsf {s}^{}})\),

    • if \((\lambda ,t)\in Ac({\mathsf {s}^{}})\) then \(Ac({\mathsf {s}^{}}) = \{(\lambda ,t') \mid t'\in \mathbb {R_{\ge 0}}\}\),

    • if \({\mathsf {s}^{}}= M({v_{}})\), \({v_{}}= D,A\), then \((\lambda ,0)\in Ac({\mathsf {s}^{}})\) if and only if \({v_{}}\in F\) or \(A=\mathtt {A}_{a}\) and

    • for all \({\mathsf {s}^{}}\in {\mathsf {s}^{}}\), \(Ac({\mathsf {s}^{}}) \ne \emptyset \)

Let \(\mathcal {G}^{t} = (\mathcal {V},{v_{}}^0,\rightarrow _a,\rightarrow _\lnot ,\dashrightarrow ,F)\) be an ADG and let \(\mathcal {A}= (\mathsf {S},M,Ac)\) be an abstract timed attacker for \(\mathcal {G}^{t}\). For \(D\subseteq \mathtt {A}_{d}\), we denote by \(\mathcal {G}^{t}_D| \mathcal {A}\) the transition system with state space \(\mathcal {V}\times \mathsf {S}\), initial state \(({v_{}}^{\mathcal {A}},M({v_{}}^{\mathcal {A}}))\) and transition relation defined by the rules

  • \(({v_{}},{\mathsf {s}^{}})\xrightarrow {p_a,t}({v_{}}',M({v_{}}'))\) if \((p_a,t)\in Ac({\mathsf {s}^{}})\) and \({v_{}}\xrightarrow {p_a} {v_{}}'\)

  • \(({v_{}},{\mathsf {s}^{}})\xrightarrow {\lnot p_a,t}({v_{}}',M({v_{}}'))\) if \((p_a,t)\in Ac({\mathsf {s}^{}})\) and \({v_{}}\xrightarrow {\lnot p_a} {v_{}}'\)

  • \(({v_{}},{\mathsf {s}^{}})\xrightarrow {\lambda ,t}({v_{}}',M({v_{}}'))\) if \((\lambda ,t)\in Ac({\mathsf {s}^{}})\) and \({v_{}}\xrightarrow {\lambda }{v_{}}'\).

A timed attack over \(\mathcal {G}^{t}_D|\mathcal {A}\), \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\) is a sequence \({v_{0}} d_0 \alpha _0 ,{v_{1}} d_1 \alpha _1 \dots , \) where \({v_{0}} = {v_{}}^{\mathcal {A}}\), for all i, \(d_i\in \mathbb {R_{\ge 0}}\), \(\alpha _i\in \{p_a,\lnot p_a\mid p_a\in \mathtt {A}_{a}\}\cup \{\lambda \}\) and there exists a sequence of states and transitions \(({v_{0}},M({v_{0}}))\xrightarrow {\alpha _0,d_0} ({v_{1}},{\mathsf {s}^{1}})\dots \). We denote by \(\varOmega ^\tau (\mathcal {G}^{t}_D|\mathcal {A})\) all timed attacks of \(\mathcal {G}^{t}_D|\mathcal {A}\). Let \(\omega = {v_{0}} d_0 \alpha _0 ,{v_{1}} d_1 \alpha _1 \dots \) be a timed attack, then we write \(\omega \vDash ^\tau t\) if there exists i, s.t. \(\llbracket t \rrbracket {v_{}}= \mathtt {tt}\) and \(\sum _{i=0}^{i-1} d_i \le \tau \).

Having introduced time, a defender may consider to not guarantee that an attack can never occur, but to make it very difficult time-wise i.e. that any succeeding attack will require more than \(\tau \) time units - captured by Question 2. Obviously, an attacker wishes to find an attack in response to \(D\subseteq \mathtt {A}_{d}\) that succeeds before \(\tau \) time units i.e. to answer Question 3.

Question 2

For an attack-defense tree \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\), abstract timed attacker \(\mathcal {A}\) and time limit \(\tau \), does there exist a \(D\subseteq \mathtt {A}_{d}\), such that for all \(\omega \in \varOmega ^\tau (\mathcal {G}^{t}_D|\mathcal {A})\), \(\omega \not \vDash ^\tau t\)?

Question 3

For an attack-defense tree \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\), abstract timed attacker \(\mathcal {A}\), time limit \(\tau \) and \(D\subseteq \mathtt {A}_{d}\) does there exist \(\omega \in \varOmega ^\tau (\mathcal {G}^{t}_D|\mathcal {A})\), such that \(\omega \vDash ^\tau t\)?

2.2 Adding Stochasticity

A stochastic attacker is a tuple \(\mathcal {A^S}= (\mathcal {A},\gamma ,\{ \delta _{p_a} | p_a\in \mathtt {A}_{a}^\lambda \})\), where \(\mathcal {A}\) is an attacker defining allowed behaviour by the stochastic attacker, \(\gamma : \mathsf {S}\rightarrow \mathtt {A}_{a}^\lambda \rightarrow \mathbb {R_{\ge 0}}\) assigns a probability mass to attacker’s actions and for all \(p_a\in \mathtt {A}_{a}^\lambda \),\(\delta _{p_a} : \mathsf {S}\rightarrow \mathbb {R_{\ge 0}}\rightarrow \mathbb {R_{\ge 0}}\) assigns a density to the execution time of \(p_a\). A few requirements are in order here:

  1. 1.

    \(\sum _{a\in \mathtt {A}_{a}^\lambda } \gamma ({\mathsf {s}^{}}) (a) = 1\),

  2. 2.

    \(\int _\mathbb {R_{\ge 0}}\delta _a ({\mathsf {s}^{}}) (t)\mathop {}\!\mathrm {d} t = 1\) for all \(a\in \mathtt {A}_{a}^{\lambda }\),

  3. 3.

    \(\gamma ({\mathsf {s}^{}})(a)\cdot \delta _a({\mathsf {s}^{}})(t) \ne 0\) implies \((a,t)\in Ac({\mathsf {s}^{}})\).

Requirement 1 states that \(\gamma ({\mathsf {s}^{}})\) must be a probability mass function, 2 requires that \(\delta _a ({\mathsf {s}^{}})\) is a probability density, and finally the most interesting rule 3 requires that whenever a probability density is assigned to a pair (at) then the attacker must in fact be able to do those according to the timed semantics. Finally, to make a complete stochastic semantics we need to resolve the non-determinism of selecting an outcome of performing an action \(p_a\). We assume there is a static probability of an action succeeding, and thus we assume a probability mass function \(\gamma _{Succ}: \mathtt {A}_{a}\rightarrow \{p_a,\lnot p_a\} \rightarrow ]0,1[\) that assigns success and failure probabilities to actions with the requirement that any action must have a non-zero probability of succeeding.

Forming the core of a \(\sigma \)-algebra over timed attacks of \({\mathcal {G}^{t}_D|\mathcal {A^S}}\), consider the finite sequence \(\pi = {v_{0}}I_0\alpha _0{v_{1}}I_1\alpha _1\dots {v_{n}}\), where for all i; \(\alpha _i\in \{p_a,\lnot p_a\mid p_a\in \mathtt {A}_{a}\}\), \(I_i\) is an interval with rational end-points and \({v_{i}}\in \mathcal {V}\). The set of runs (cylinder) of this sequence is

$$\mathcal {C}_{\mathcal {G}^{t}_D|\mathcal {A^S}} (\pi ) = \{{v_{0}} d_0 \alpha _0 ,{v_{1}} d_1 \alpha _1 \dots {v_{n}} d_n \alpha _n \dots \in \varOmega ^\tau (\mathcal {G}^{t}_D|\mathcal {A}) \mid \forall i < d_i\in I_i\}.$$

The probability of these timed attacks runs from \(({v_{}},{\mathsf {s}^{}})\) are recursively defined by

$$ F_{({v_{}},{\mathsf {s}^{}})}(\pi ) = ({v_{0}} = {v_{}})\cdot \gamma ({\mathsf {s}^{}})(c(\alpha ))\cdot \int _{\mathbb {R_{\ge 0}}} \delta _{c(\alpha )}({\mathsf {s}^{}})(t) \mathop {}\!\mathrm {d} t\cdot \gamma _{Succ}(\alpha ) F_{[({v_{}},{\mathsf {s}^{}})]^{\alpha ,t}}(\pi ^1),$$

where \(\pi ^1 = {v_{1}} d_1 \alpha _1 \dots {v_{n}} d_n \alpha _n\), \(c(p_a) = c(\lnot p_a) = p_a\) and \(({v_{}},{\mathsf {s}^{}})\xrightarrow {\alpha ,t}[({v_{}},{\mathsf {s}^{}})]^{\alpha ,t}\) and base case \(F_{({v_{}},{\mathsf {s}^{}})}(\epsilon ) = 1\).

Remark 1

The stochastic semantics above is given for arbitrary time distributions. For the remainder we will however restrict our attention to stochastic attacker using only uniform distributions.

Let \(\mathcal {G}^{t}_D = (\mathcal {V},{v_{}}^{\mathcal {A}},\rightarrow _a,\rightarrow _\lnot ,F)\) be an AG and let \(\mathcal {A^S}= ((\mathsf {S},M,Ac), \gamma ,\{ ,\delta _{p_a} | p_a\in \mathtt {A}_{a}^\lambda \})\) then we let \(F_{\mathcal {G}^{t}_D|\mathcal {A^S}}(\pi ) = F_{({v_{}}^{\mathcal {A}},M({v_{}}^{\mathcal {A}})}(\pi )\). With the above in place, the probability of a succesful attack within a time-bound \(\tau \) is

$$\begin{aligned} \mathbb {P}_ {\mathcal {G}^{t}_D|\mathcal {A^S}}(\Diamond _{\le \tau } t) = \int _{\omega \in \varOmega ^\tau (\mathcal {G}^{t}_D|\mathcal {A^S})}\left( {\left\{ \begin{array}{ll} 0 &{}\text { if } \omega \not \vDash ^\tau t\\ 1 &{}\text { if } \omega \vDash ^\tau t\\ \end{array}\right. }\right) \mathop {}\!\mathrm {d} F_{\mathcal {G}^{t}_D|\mathcal {A^S}}. \end{aligned}$$

Question 4

Given an attack-defense tree \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\), stochastic attacker \(\mathcal {A^S}\) and time limit \(\tau \); find \( D^* = \text {arg min}_{D\in 2^{\mathtt {A}_{d}}} \left( \mathbb {P}_{\mathcal {G}^{t}_D|\mathcal {A^S}}(\Diamond _\tau t)\right) \)

Notice that Question 4 has the time bound requirement for how quickly an attacker must succeed in an attack. If this time bound was not present and we thus gave an attacker unlimited time, then if a successful attack exists (no matter how unlikely) it would eventually succeed. This is evidenced by the plot in Fig. 3 with the time limit on the x-axis and the probabilities of an attack on the y-axis. The dashed line in the figure is the lower bound of the \(99\,\%\) confidence level and the solid line is the upper bound.

Fig. 3.
figure 3

Plot of probabilities of a successful attack for a uniform attacker.

Full size image

2.3 Adding Cost

Considering that an attacker is not only constrained by time, but also by his available resources e.g. money, we want to reflect the concept of a resource in our modelling. For this purpose we consider that an attacker only has one resource and that each action has an associated cost per attempted execution. We capture this cost by a function \(\mathtt {C}: \mathtt {A}_{a}^\lambda \rightarrow \mathbb {R_{\ge 0}}\) that assigns the cost to actions with the requirement that \(\mathtt {C}(\lambda ) = 0\).

Let \(\omega = {v_{0}}d_0\alpha _0\dots \) be a timed attack; then we define the cost of \(\omega \) up till step j as \(\mathtt {C}(\omega ,j) = \sum _{i=0}^{j-1}\mathtt {C}(c(\alpha _i))\), where \(c(\lambda ) = \lambda \) and \(c(p_a) = c(\lnot p_a) = p_a\), i.e., we just sum up the individual costs along the attack before the \(j^{th}\) step. Now we can define the expected cost of a stochastic attacker, \(\mathcal {A^S}\), responding to a set of defense measures D with a time limit \(\tau \)

figure a

Question 5

Given an attack-defense tree \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\), stochastic attacker \(\mathcal {A^S}\), time limit \(\tau \) and \(D\subset \mathtt {A}_{d}\), find \(\mathbb {E}_ {\mathcal {G}^{t}_D|\mathcal {A^S}}(C: \Diamond _{\le \tau } t)\).

Consider that we fix the distribution over execution times and the success probabilities of execution attacks, but let \(\gamma \) range freely among all possible probability mass functions. Thus, we have a range of possible stochastic attackers, parameterised by \(\gamma \), i.e. a range of attackers \(\mathcal {A^S}_1,\mathcal {A^S}_2 \dots \), where \( \mathcal {A^S}_i = (\mathcal {A},\gamma _i,\{ \delta _{p_a} | p_a\in \mathtt {A}_{a}^\lambda \})\). Then we are interested in finding the attacker that minimises the cost.

Question 6

Given an attack-defense tree \(t\in \mathcal {L}(\mathtt {A}_{a},\mathtt {A}_{d})\) time limit \(\tau \), \(D\subset \mathtt {A}_{d}\) and a collection of attackers \(\mathcal {A^S}_1,\mathcal {A^S}_2 \dots \) parameterised by \(\gamma \); find a stochastic attacker, \(\mathcal {A^S}\), minimising \(\mathbb {E}_ {\mathcal {G}^{t}_D|\mathcal {A^S}}(C: \Diamond _{\le \tau } t)\).

3 Timed Automata

In this paper we use the expressive network of timed automata (TA) formalism [1] extensively. An efficient model checking technique exists for this formalism, and the tool uppaal [5, 18] uses an extended version as its modelling language. As an example consider the three automata in Fig. 4, modelling two persons and a door.

Fig. 4.
figure 4

Model of a Thief, a Resident and a Door.

Full size image

One of the persons is a Resident of a house and the other is a Thief who wants to enter the house while the Resident is not home. The Resident is initially at with the door locked for 14 h - indicated by the expression . The expression is an invariant expression and is something that should always be true whenever the automata is in the given location. From the resident may the door and go , from where he can either the door or just leave the location to go . The “U” in means this location is urgent and thus no time may pass while any automata is in such a location. The Door is initially – from here someone may request to , after which the Door responds with : the “C” in the location means committed and is similar to urgent locations, but in addition to stopping time, it also ensures that only components in committed locations may move next. The door may be ed - from which it responds to an with a . The Thief chooses some time, between 0 and 24 to attempt ing – if he succeeds and gets an from the Door he is happy and enters . In case he is unlucky he receives an and tries again later. Although simple, the above example contains the key elements of timed automata. To summarise, a timed automaton consists of locations and edges between locations. On locations one can write invariant expressions based on the values of clocks, like . A clock is a real-valued counter that increases as time progresses. While moving along an edge, a TA may synchronise with another over a set of channels: in uppaal the convention is that means “send on a”, and means “receive on a”. Not shown in the example is that edges can be “guarded” by expressions over clocks.

Let \(c\) be a clock then we call an element \(c\le n\) (\(c\ge n\)) an upper (lower) bound and denote by \(\mathcal {B}^\le ({\mathcal {C}_{}})\) (\(\mathcal {B}^\ge ({\mathcal {C}_{}})\)) the set of all finite conjunctions of lower (upper) bounds. For a finite set of channels \(\varSigma _{}\) we denote by \(\varSigma _o= \{a! | a\in \varSigma \}\) and \(\varSigma _i= \{a? | a\in \varSigma \}\) the output and input actions over \(\varSigma \) respectively.

Definition 4

(Timed Automaton). A timed automaton (TA) is a 6-tuple \(\mathcal {A} = (L_{}, {\mathcal {C}_{}}, \ell ^{}_0, \mathtt {A}_{,}\rightarrow , I_{})\), where (1) \(L_{} \) is a finite set of locations, (2) \(\ell ^{}_0\in L_{} \) is the initial location, (3) \({\mathcal {C}_{}} \) is a finite set of clocks, (4) \(\varSigma \) is a finite set of channels, (5) \({\rightarrow } \subseteq L_{} \times \mathcal {G} ({\mathcal {C}_{}}) \times 2^{{\mathcal {C}_{}}} \times L_{} \) is the (non-deterministic) transition relation. We write for a transition, where \(\ell \) is the source and \(\ell '\) the target location, \(g\in \mathcal {B}^\le ({\mathcal {C}_{}})\) is a guard, \(a\in \varSigma _o\cup \varSigma _i\) is a label, and \(R\subseteq {\mathcal {C}_{}} \) is the set of clocks to reset, and (6) \(I_{} :L_{} \rightarrow \mathcal {B}^\ge ({\mathcal {C}_{}})\) is an invariant function, mapping locations to a set of invariant constraints.

A clock valuation is a function . We denote all clock valuations over \({\mathcal {C}_{}}\) with \(\mathcal {V}({\mathcal {C}_{}})\). We need two operations on clock valuations: for a delay of \(d\in \mathbb {R}_{\ge 0} \) time units, s.t. , and reset of a set of clocks \(R \subseteq {\mathcal {C}_{}} \), s.t. if \(c \in R\), and otherwise. We write to mean that the clock valuation satisfies the clock constraint g.

The semantics of a TA \((L_{}, {\mathcal {C}_{}}, \ell ^{}_0, \mathtt {A}_{,}\rightarrow , I_{})\) is a timed transition system with states \(L_{} \times \mathcal {V}({\mathcal {C}_{}})\) and initial state , where assigns zero to all clocks. From a state the TA may transit via a discrete transition if there exists an edge \(\ell \xrightarrow {g,a,r}\ell '\), and . Time-wise the TA can perform a delay \(d\in \mathbb {R_{\ge 0}}\) via a time transition if .

Several TAs \(\mathcal {A} _1,\mathcal {A} _2,\dots ,\mathcal {A} _n\), \(\mathcal {A} _i = (L_{i}, {\mathcal {C}_{i}}, \ell ^{i}_0, \varSigma _{},\rightarrow _i, I_{i})\) may be joined into a network of timed automata. The state space of such a composition is the product of the individual TAs state spaces. From a state \((s_{1},s_{2},\dots ,s_{n})\) the network can do a

  • discrete output transition \((s_{1},s_{2},\dots ,s_{n}) \xrightarrow {a!} (s_{1}',s_{2}',\dots ,s_{n}')\), if there exists an i, such that \(s_{i}\xrightarrow {a!}s_{i}'\) and for all \(j\ne i\) \(s_{j}\xrightarrow {a?}s_{j}'\)

  • or it can can delay d time units, \((s_{1},s_{2},\dots ,s_{n}) \xrightarrow {d} (s_{1}',s_{2}',\dots ,s_{n}')\), if for all i \(s_{i} \xrightarrow {d} s_{i}'\).

Notice we are using broadcast synchronisation for accommodating the use of uppaal SMC. Furthermore, we will assume that components are input-enabled and action-deterministic thus for any action there is at most one successor and for any input action there is at least one.

Stochastic Semantics. The stochastic semantics of networks of timed automata was laid out by David et al. [8]. In a state, each timed automaton is given a delay density and a probability mass function for selecting output actions. The semantics is now race based: components select a delay, t, according to their delay distribution, and the one with the smallest delay is selected the winner. After the entire network performs the delay, the winner selects an output according to its probability mass function. The remaining network respond to this output by performing the corresponding input. Afterwards a new race commences. In uppaal SMC bounded delays (i.e. the current location has an invariant) are selected from a uniform distribution ranging from the minimal delay before some guard is satisfied and the maximal delay, where the invariant is still satisfied. For unbounded delays the delay is selected from an exponential distribution.

In the preceding example, the probability that the Thief enters the house without the Resident being home within 12 time units is:

$$\int _0^{12}\frac{1}{14} \cdot \left( \int _t^{24}\frac{1}{24} \mathop {}\!\mathrm {d} t' \right) \cdot \frac{1}{2} \cdot \int _0^{12-t} \frac{1}{24-t} \mathop {}\!\mathrm {d} \tau \mathop {}\!\mathrm {d} t \approx 0.13$$

Game Semantics. In recent works [9, 10] the simple stochastic timed automata model has been given a game semantics. In this semantics the edges of timed automaton \(\mathcal {A} = (L_{}, {\mathcal {C}_{}}, \ell ^{}_0, \mathtt {A}_{,}\rightarrow , I_{})\) are partitioned into a controllable set of edges, \(\rightarrow _{C}\), and uncontrollable set of edges \(\rightarrow _{U}\). The uncontrollable edges are controlled by stochastic environment behaving according to the stochastic semantics above, while the controllable set of edges is controlled by an actor that tries to “drive” the system into a given goal state. In Fig. 4 the dashed edges correspond to uncontrollable edges and the controllable edges are the solid edges.

A tool like Uppaal-Stratego can, by using reinforcement learning, find deterministic strategies for minimising the expected time (or cost) of reaching a goal - taking the stochastic environment into account.

4 Timed Automata Encoding

The timed automata encoding of the attack-defense tree semantics given in the previous sections consists of three automata; one encoding the attacker, one encoding the defender and one encoding the environment selecting an outcome for the execution of attacker actions (\(\gamma _{Succ}\)). Furthermore, the encoding has one boolean variable per atomic proposition, p, in the attack-defense tree. The state of these boolean variables directly corresponds to the states of the ADG.

Fig. 5.
figure 5

Environmental modelling. In the figure = 1-\(\gamma _{Succ}(p_a)(p_a)\).

Full size image

4.1 Environmental Modelling

Let \(\mathtt {A}_{a}\) be the set of attacker actions in the attack-defense-tree, then for each \(p_a\in \mathtt {A}_{a}\) we create a channel that is used by the attacker to indicate that he wishes to execute \(p_a\). The environment responds to this by deciding an outcome in accordance with \(\gamma _{Succ}\). Figure 5 depicts the modelling of the environment for an attack-defense tree, where there is only one attacker action (\(p_a\)); here is the probability that \(p_a\) succeeds.

Fig. 6.
figure 6

Modelling the environment with two defender actions, \(p_d^1\) and \(p_d^2\).

Full size image

4.2 Defender Modelling

Let \(\mathtt {A}_{d}\) be the set of defender actions available to the defender. For each \(D\in 2^{\mathtt {A}_{d}}\) the defender has an edge, where he sets all boolean variables, \(p_d\in D\), to true. In Fig. 6 an example modelling of this is shown with two defender actions. As the edges of this defender are uncontrollable, the defender would select a set of defense measures by a uniform choice among all the edges. For analysing possible attack scenarios in response to a specific set of defense measures D we would delete edges of the defender until only the edge corresponding to D remains.

4.3 Attacker Modelling

In the formal development of an attacker we just defined general requirements that any attacker should respect. Firstly, we present a non-deterministic attacker that is as general as possible, which can be used for learning; afterwards we create one specific attacker profile, where the non-determinism is resolved by a probability mass function.

Fig. 7.
figure 7

Non-deterministic attacker modelling

Full size image

Non-deterministic Attacker. Assume we have \(\mathtt {A}_{a}= \{p_a\}\) as our set of attacker actions and let each of the attacker propositions have a lower execution bound () and an upper execution bound () – an execution time that is not controllable by the attacker and thus will be selected according to a uniform distribution by the environment. Figure 7 depicts an attacker with only one action: from the initial state, the attacker can decide to perform \(p_a\), if it is not already true and the tree is not already true (); after which it enters a location, where the environment decides how long the execution takes according to the uniform distribution. After this waiting time the environment is informed of the attempt to execute \(p_a\) and decides on the outcome. Also, during this transition the cost of executing \(p_a\) is added to the variable . For the case with several propositions, the cycle in Fig. 7 is added for each proposition.

In case the tree is true, the attacker only has one option, namely, to enter the location, where he cannot do anything.

Uniform Attacker. The uniform attacker is essentially the non-deterministic attacker, where the non-determinism of selecting an action is resolved by a uniform choice among all possible actions.

Fig. 8.
figure 8

Experimental setup.

Full size image

5 Tool Support

The translation into timed automata described in the preceding section has been implemented as a python script. This script takes the attack-defense tree, the description of the cost of atomic attacker actions, the execution time and their probability of succeeding. Having translated into timed automata, we can now take advantage of the uppaal [5] model checking engine to answer some of the questions raised in the previous sections. For instance, Question 3 is answerable by a simple timed reachability check by uppaal. In the following we focus on answering Questions 5 and 6. We consider the attack-defense tree in Fig. 1. The success probability and cost of the various attacker actions are summarised in Fig. 8. The L column is the lower bound of the execution time, U is the upper bound, \(\mathtt {C}\) is the cost of the actions and \(F\) is the success probability.

5.1 Expected Cost

We first show how to answer Question 5 by finding expected cost of the uniform attacker within 300 time units. The cost of the attacker is estimated by the uppaalsmc with the query

$$\begin{aligned} \mathtt {E[<=300;1000](max: i\_attCost)}. \end{aligned}$$
Table 1. Expected cost for the uniform attacker and for synthesised strategies.
Full size table

The estimates for various defense measures are given in Table 1 in the “Uniform” row. From the results we can see that the highest cost (unsurprisingly) is obtained when all possible defender’s actions are selected, and the smallest when none of them are selected. Also the results indicate that by performing t2, t1, tf the expected cost is equivalent to performing all of the defense measures. This is because this set jointly blocks large parts of the attack-defense tree, leaving only the expensive “threaten” and “blackmail” for an attacker to succeed.

5.2 Finding Good Attacker Profile

Next we answer Question 6 i.e. we focus on a stochastic attacker, who minimises his costs in response to various defense measures. For doing this, we apply the non-deterministic attacker of our encoding and use the Uppaal-Stratego to minimise the cost variable. The queries for the Uppaal-Stratego are

$$\begin{aligned}&\mathtt {strategy\ s = minE(bi\_attCost)[<=300]:<> t}\\&\mathtt {E[<=300;1000](max: bi\_attCost)\ under\ s}, \end{aligned}$$

where t is the attack-defense tree translated into the uppaal syntax.

The result of executing these queries for different defenders are reported in Table 1 in the Uppaal-Stratego row. As can be seen, the synthesized attacker generally obtains a reduced expected cost. The reason is that he can avoid attempting attacks he knows are blocked due to the defender’s measures. Another reason is that this attacker actively attempts to minimise his costs; meaning he will not take the expensive “threaten” or “bribe” if it can be avoided.

6 Conclusion

In this paper we have shown how to separate the modelling of attacker’s and defender’s behaviours from the attack-defense tree. In this way we allow modelling complex temporal behaviours without compromising the intuitively simple description of various ways of achieving an attack expressed in the attack-defense tree. This stands in opposition with, for example, the work [12] that adds temporal behaviours by introducing sequential gates, trigger gates and reset gates, which may clutter the description of possible attacks. Experiments reported in the paper have shown the different analyses that can be performed on our encoding using the uppaal SMC and Uppaal-Stratego: among these are finding an attacker who minimises his costs, and estimating the probability of an attack for a specific attacker.

In the future we wish to extend the current framework by describing the actual behaviour of the attacker in a more thorough way. This may include incorporating parts of the work by Hermanns et al. [12], but we will maintain them in a separate modelling language.