The Attacker Does not Always Hold the Initiative: Attack Trees with External Refinement

  • Ross Horne
  • Sjouke Mauw
  • Alwen TiuEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11086)


Attack trees provide a structure to an attack scenario, where disjunctions represent choices decomposing attacker’s goals into smaller subgoals. This paper investigates the nature of choices in attack trees. For some choices, the attacker has the initiative, but for other choices either the environment or an active defender decides. A semantics for attack trees combining both types of choice is expressed in linear logic and connections with extensive-form games are highlighted. The linear logic semantics defines a specialisation preorder enabling trees, not necessarily equal, to be compared in such a way that all strategies are preserved.


Attack trees Linear logic Extensive-form games Game semantics 



Horne and Tiu receive support from MOE Tier 2 grant MOE2014-T2-2-076 and the National Research Foundation Singapore under its National Cybersecurity R&D Program (Award No. NRF2014NCR-NCR001-30). Mauw received funding from the Fonds National de la Recherche Luxembourg, grant C11/IS/1183245 (ADT2P), and the European Commissions Seventh Framework Programme (FP7/2007–2013) under grant agreement number 318003 (TREsPASS).


  1. 1.
    Abramsky, S., Jagadeesan, R.: Games and full completeness for multiplicative linear logic. J. Symbolic Logic 59(2), 543–574 (1994). Scholar
  2. 2.
    Abramsky, S., Jagadeesan, R.: Game semantics for access control. In: Proceedings of the 25th Conference on Mathematical Foundations of Programming Semantics (MFPS 2009) Electronic Notes in Theoretical Computer Science, vol. 249, pp. 135–156 (2009).
  3. 3.
    Abramsky, S., Melliès, P.-A.: Concurrent games and full completeness. In: 14th Annual IEEE Symposium on Logic in Computer Science LICS, Trento, Italy, 2–5 July 1999, pp. 431–442. IEEE Computer Society (1999).
  4. 4.
    Andreoli, J.-M.: Logic programming with focusing proofs in linear logic. J. Logic Comput. 2(3), 297–347 (1992). Scholar
  5. 5.
    Aslanyan, Z., Nielson, F.: Pareto efficient solutions of attack-defence trees. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 95–114. Springer, Heidelberg (2015). Scholar
  6. 6.
    Aslanyan, Z., Nielson, F., Parker, D.: Quantitative verification and synthesis of attack-defence scenarios. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 105–119. IEEE Computer Society (2016).
  7. 7.
    Audinot, M., Pinchinat, S., Kordy, B.: Is my attack tree correct? In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 83–102. Springer, Cham (2017). Scholar
  8. 8.
    Birkhoff, G.: Rings of sets. Duke Math. J. 3(3), 443–454 (1937). Scholar
  9. 9.
    Bistarelli, S., Fioravanti, F., Peretti, P.: Defense trees for economic evaluation of security investments. In: First International Conference on Availability, Reliability and Security (ARES 2006), pp. 416–423. IEEE Computer Society (2006).
  10. 10.
    Blass, A.: A game semantics for linear logic. Ann. Pure Appl. Logic 56(1), 183–220 (1992). Scholar
  11. 11.
    Brookes, S.D., Hoare, C.A.R., Roscoe, A.W.: A theory of communicating sequential processes. J. ACM 31(3), 560–599 (1984). Scholar
  12. 12.
    Buldas, A., Laud, P., Priisalu, J., Saarepera, M., Willemson, J.: Rational choice of security measures via multi-parameter attack trees. In: Lopez, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 235–248. Springer, Heidelberg (2006). Scholar
  13. 13.
    Chaudhuri, K., Miller, D., Saurin, A.: Canonical sequent proofs via multi-focusing. In: Ausiello, G., Karhumäki, J., Mauri, G., Ong, L. (eds.) TCS 2008. IIFIP, vol. 273, pp. 383–396. Springer, Boston, MA (2008). Scholar
  14. 14.
    Danos, V., Harmer, R.S.: Probabilistic game semantics. ACM Trans. Comput. Logic (TOCL) 3(3), 359–382 (2002). Scholar
  15. 15.
    Debbabi, M., Saleh, M.: Game semantics model for security protocols. In: Lau, K.-K., Banach, R. (eds.) ICFEM 2005. LNCS, vol. 3785, pp. 125–140. Springer, Heidelberg (2005). Scholar
  16. 16.
    Delande, O., Miller, D., Saurin, A.: Proof and refutation in MALL as a game. Ann. Pure Appl. Logic 161(5), 654–672 (2010). Scholar
  17. 17.
    Deswarte, Y., Blain, L., Fabre, J.C.: Intrusion tolerance in distributed computing systems. In: Proceedings of 1991 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 110–121, May 1991.
  18. 18.
    Dimovski, A.S.: Ensuring secure non-interference of programs by game semantics. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 81–96. Springer, Cham (2014). Scholar
  19. 19.
    Gadyatskaya, O., Hansen, R.R., Larsen, K.G., Legay, A., Olesen, M.C., Poulsen, D.B.: Modelling attack-defense trees using timed automata. In: Fränzle, M., Markey, N. (eds.) FORMATS 2016. LNCS, vol. 9884, pp. 35–50. Springer, Cham (2016). Scholar
  20. 20.
    Gadyatskaya, O., Jhawar, R., Mauw, S., Trujillo-Rasua, R., Willemse, T.A.C.: Refinement-aware generation of attack trees. In: Livraga, G., Mitchell, C. (eds.) STM 2017. LNCS, vol. 10547, pp. 164–179. Springer, Cham (2017). Scholar
  21. 21.
    Girard, J.-Y.: Linear logic. Theoret. comput. Sci. 50(1), 1–101 (1987). Scholar
  22. 22.
    Heijltjes, W., Hughes, D.J.: Complexity bounds for sum-product logic via additive proof nets and petri nets. In: 30th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2015, Kyoto, Japan, 6–10 July 2015, pp. 80–91. IEEE Computer Society (2015).
  23. 23.
    Hermanns, H., Krämer, J., Krčál, J., Stoelinga, M.: The value of attack-defence diagrams. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 163–185. Springer, Heidelberg (2016). Scholar
  24. 24.
    Horne, R.: The consistency and complexity of multiplicative additive system virtual. Sci. Ann. Comput. Sci. 25(2), 245 (2015). Scholar
  25. 25.
    Horne, R., Mauw, S., Tiu, A.: Semantics for specialising attack trees based on linear logic. Fund. Inform. 153(1–2), 57–86 (2017). Scholar
  26. 26.
    Jajodia, S., Ghosh, A.K., Swarup, V., Wang, C., Wang, X.S.: Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54. Springer, Heidelberg (2011). Scholar
  27. 27.
    Jhawar, R., Kordy, B., Mauw, S., Radomirović, S., Trujillo-Rasua, R.: Attack trees with sequential conjunction. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IAICT, vol. 455, pp. 339–353. Springer, Cham (2015). Scholar
  28. 28.
    Jiang, R., Luo, J., Wang, X.: An attack tree based risk assessment for location privacy in wireless sensor networks. In: WiCOM, pp. 1–4 (2012).
  29. 29.
    Kordy, B., Mauw, S., Melissen, M., Schweitzer, P.: Attack–defense trees and two-player binary zero-sum extensive form games are equivalent. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 245–256. Springer, Heidelberg (2010). Scholar
  30. 30.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2014). Scholar
  31. 31.
    Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees. C. S. Rev. 13–14, 1–38 (2014)zbMATHGoogle Scholar
  32. 32.
    Laurent, O.: Polarized games. Ann. Pure Appl. Logic 130(1–3), 79–123 (2004). Scholar
  33. 33.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). Scholar
  34. 34.
    Ray, I., Poolsapassit, N.: Using attack trees to identify malicious attacks from authorized insiders. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 231–246. Springer, Heidelberg (2005). Scholar
  35. 35.
    Roy, A., Kim, D.S., Trivedi, K.S.: Attack countermeasure trees: towards unifying the constructs of attack and defense trees. Secur. Commun. Netw. 5(8), 929–943 (2012). Scholar
  36. 36.
    Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)Google Scholar
  37. 37.
    Zonouz, S.A., Khurana, H., Sanders, W.H., Yardley, T.M.: RRE: a game-theoretic intrusion response and recovery engine. IEEE Trans. Parallel Distrib. Syst. 25(2), 395–406 (2014). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.CSCUniversity of LuxembourgEsch-sur-AlzetteLuxembourg
  2. 2.CSC/SnTUniversity of LuxembourgEsch-sur-AlzetteLuxembourg
  3. 3.Research School of Computer ScienceAustralian National UniversityCanberraAustralia

Personalised recommendations