Skip to main content
SpringerLink
Log in

Expected Cost Analysis of Attack-Defense Trees

  • Conference paper
  • First Online:
Quantitative Evaluation of Systems (QEST 2019)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 11785))

Included in the following conference series:

Abstract

Attack-defense trees ( ) are an established formalism for assessing system security. We extend with costs and success probabilities of basic events. We design a framework to analyze the probability of a successful attack/defense, its expected cost, and its probability for a given maximum cost. On the conceptual level, we show that a proper analysis requires to model the problem using sequential decision making and non-tree structures, in contrast to classical analysis. On the technical level, we provide three algorithms: (i) reduction to PRISM-games, (ii) dedicated game solution utilizing the structure of the problem, and (iii) direct analysis of for certain settings. We demonstrate the framework and compare the solutions on several examples.

This research was funded in part by the Studienstiftung des deutschen Volkes project “Formal methods for analysis of attack-defence diagrams” and the German Research Foundation (DFG) project KR 4890/2-1 “Statistical Unbounded Verification”.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks.

  2. 2.

    https://www.sto.nato.int/publications/STO%20Technical%20Reports/RTO-TR-IST-049/%5Cprotect%20%5CT1%5Ctextdollar%20%5Cprotect%20%5CT1%5Ctextdollar%20TR-IST-049-ALL.pdf.

  3. 3.

    https://www.fireeye.com/current-threats/annual-threat-report.html.

  4. 4.

    Since a step in the analysis transforms the trees into DAGs, we already introduce more generally as a DAG, not necessarily a tree.

  5. 5.

    To simplify the presentation, we do not consider infinite executions since the games we deal with in this paper are finite and acyclic. Nevertheless, the theory would seamlessly extend to games with cycles and infinite executions if the need of such gates, e.g. [18], arises.

  6. 6.

    In general, one can consider randomizing history-dependent strategies. However, in the context of our paper, positional strategies are sufficient even for cost-bounded objectives since the costs will be implicitly encoded in the states of the games.

  7. 7.

    In principal, a basic event can be triggered by several events and is triggered as soon as one of these events is completed successfully, which is equivalent to a disjunction over all these triggers.

  8. 8.

    http://jscience.org/.

References

  1. Arnold, F., Guck, D., Kumar, R., Stoelinga, M.: Sequential and parallel attack tree modelling. In: Koornneef, F., van Gulijk, C. (eds.) SAFECOMP 2015. LNCS, vol. 9338, pp. 291–299. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24249-1_25

    Chapter  Google Scholar 

  2. Arnold, F., Hermanns, H., Pulungan, R., Stoelinga, M.: Time-dependent analysis of attacks. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 285–305. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54792-8_16

    Chapter  Google Scholar 

  3. Aslanyan, Z., Nielson, F.: Model checking exact cost for attack scenarios. In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 210–231. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_10

    Chapter  Google Scholar 

  4. Aslanyan, Z., Nielson, F.: Pareto efficient solutions of attack-defence trees. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 95–114. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46666-7_6

    Chapter  Google Scholar 

  5. Aslanyan, Z., Nielson, F., Parker, D.: Quantitative verification and synthesis of attack-defence scenarios. In: Computer Security Foundations Symposium (CSF) (2016)

    Google Scholar 

  6. Bagnato, A., Kordy, B., Meland, P.H., Schweitzer, P.: Attribute decoration of attack-defense trees. In: IJSSE (2012)

    Google Scholar 

  7. Baier, C., Katoen, J.-P.: Principles of Model Checking (Representation and Mind Series). The MIT Press, Cambridge (2008). ISBN: 026202649X, 9780262026499

    MATH  Google Scholar 

  8. Behrmann, G., et al.: UPPAAL 4.0. In: Quantitative Evaluation of Systems (QEST) (2006)

    Google Scholar 

  9. de Bijl, M.: Using data analysis to enhance attack trees. In: Proceedings Twente Student Conference (2017)

    Google Scholar 

  10. Bossuat, A., Kordy, B.: Evil Twins: handling repetitions in attack–defense trees. In: Liu, P., Mauw, S., Stølen, K. (eds.) GraMSec 2017. LNCS, vol. 10744, pp. 17–37. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-74860-3_2

    Chapter  Google Scholar 

  11. Buldas, A., Laud, P., Priisalu, J., Saarepera, M., Willemson, J.: Rational choice of security measures via multi-parameter attack trees. In: Lopez, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 235–248. Springer, Heidelberg (2006). https://doi.org/10.1007/11962977_19

    Chapter  Google Scholar 

  12. Chatterjee, K., Henzinger, T.A.: Value iteration. In: Grumberg, O., Veith, H. (eds.) 25 Years of Model Checking. LNCS, vol. 5000, pp. 107–138. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69850-0_7

    Chapter  Google Scholar 

  13. Chen, T., Forejt, V., Kwiatkowska, M., Parker, D., Simaitis, A.: PRISM-games: a model checker for stochastic multi-player games. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 185–191. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36742-7_13

    Chapter  MATH  Google Scholar 

  14. Condon, A.: The complexity of stochastic games. Inf. Comput. 96(2), 203–224 (1992)

    Article  MathSciNet  Google Scholar 

  15. Edge, K.S., et al.: The use of attack and protection trees to analyze security for an online banking system. In: Systems Science (HICSS) (2007)

    Google Scholar 

  16. Fraile, M., Ford, M., Gadyatskaya, O., Kumar, R., Stoelinga, M., Trujillo-Rasua, R.: Using attack-defense trees to analyze threats and countermeasures in an ATM: a case study. In: Horkoff, J., Jeusfeld, M.A., Persson, A. (eds.) PoEM 2016. LNBIP, vol. 267, pp. 326–334. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48393-1_24

    Chapter  Google Scholar 

  17. Gadyatskaya, O., Jhawar, R., Kordy, P., Lounis, K., Mauw, S., Trujillo-Rasua, R.: Attack trees for practical security assessment: ranking of attack scenarios with ADTool 2.0. In: Agha, G., Van Houdt, B. (eds.) QEST 2016. LNCS, vol. 9826, pp. 159–162. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43425-4_10. ISBN: 978-3-319-43425-4

    Chapter  Google Scholar 

  18. Hermanns, H., Krämer, J., Krčál, J., Stoelinga, M.: The value of attack-defence diagrams. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 163–185. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49635-0_9

    Chapter  Google Scholar 

  19. Jürgenson, A., Willemson, J.: Computing exact outcomes of multi-parameter attack trees. In: Meersman, R., Tari, Z. (eds.) OTM 2008. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88873-4_8

    Chapter  Google Scholar 

  20. Kordy, B., Mauw, S., Melissen, M., Schweitzer, P.: Attack–defense trees and two-player binary zero-sum extensive form games are equivalent. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 245–256. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17197-0_17

    Chapter  MATH  Google Scholar 

  21. Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19751-2_6

    Chapter  Google Scholar 

  22. Kordy, B., Pietre-Cambacedes, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees. CoRR (2013)

    Google Scholar 

  23. Kordy, B., Wideł, W.: On quantitative analysis of attack–defense trees with repeated labels. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 325–346. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6_14

    Chapter  Google Scholar 

  24. Kumar, R., Ruijters, E., Stoelinga, M.: Quantitative attack tree analysis via priced timed automata. In: Sankaranarayanan, S., Vicario, E. (eds.) FORMATS 2015. LNCS, vol. 9268, pp. 156–171. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22975-1_11

    Chapter  MATH  Google Scholar 

  25. Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727_17

    Chapter  Google Scholar 

  26. Mediouni, B.L., Nouri, A., Bozga, M., Legay, A., Bensalem, S.: Mitigating security risks through attack strategies exploration. In: Margaria, T., Steffen, B. (eds.) ISoLA 2018. LNCS, vol. 11245, pp. 392–413. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03421-4_25

    Chapter  Google Scholar 

  27. Paul, S.: Towards automating the construction & maintenance of attack trees: a feasibility study. In: Graphical Models for Security (GramSec) (2014)

    Google Scholar 

  28. Ray, I., Poolsapassit, N.: Using attack trees to identify malicious attacks from authorized insiders. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 231–246. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_14

    Chapter  Google Scholar 

  29. Salter, C., Saydjari, O.S., Schneier, B., Wallner, J.: Toward a secure system engineering methodolgy. In: New Security Paradigms (NSPW), New York, NY, USA (1998)

    Google Scholar 

  30. Schneier, B.: Attack trees. Dr. Dobb’s J. (1999)

    Google Scholar 

  31. Schneier, B.: Secrets & Lies: Digital Security in a Networked World, 1st edn. Wiley, New York (2000). ISBN: 0471253111

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Technical University of Munich, Munich, Germany

    Julia Eisentraut & Jan Křetínský

Authors
  1. Julia Eisentraut
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jan Křetínský
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Julia Eisentraut .

Editor information

Editors and Affiliations

  1. University of Birmingham, Birmingham, UK

    David Parker

  2. Saarland University, Saarbrücken, Germany

    Verena Wolf

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Eisentraut, J., Křetínský, J. (2019). Expected Cost Analysis of Attack-Defense Trees. In: Parker, D., Wolf, V. (eds) Quantitative Evaluation of Systems. QEST 2019. Lecture Notes in Computer Science(), vol 11785. Springer, Cham. https://doi.org/10.1007/978-3-030-30281-8_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-30281-8_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-30280-1

  • Online ISBN: 978-3-030-30281-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation