Sequential and Parallel Attack Tree Modelling

  • Florian Arnold
  • Dennis Guck
  • Rajesh Kumar
  • Mariële Stoelinga
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9338)


The intricacy of socio-technical systems requires a careful planning and utilisation of security resources to ensure uninterrupted, secure and reliable services. Even though many studies have been conducted to understand and model the behaviour of a potential attacker, the detection of crucial security vulnerabilities in such a system still provides a substantial challenge for security engineers. The success of a sophisticated attack crucially depends on two factors: the resources and time available to the attacker; and the stepwise execution of interrelated attack steps. This paper presents an extension of dynamic attack tree models by using both, the sequential and parallel behaviour of AND- and OR-gates. Thereby we take great care to allow the modelling of any kind of temporal and stochastic dependencies which might occur in the model. We demonstrate the applicability on several case studies.


Attack trees Security analysis Sequential and parallel 



This work has been supported by the EU FP7 project TREsPASS (318003) and by the STW-ProRail partnership program ExploRail under the project ArRangeer (12238).


  1. 1.
    Apvrille, L., Roudier, Y.: SysML-Sec: a model-driven environment for developing secure embedded systems. In: SAR-SSI 2013, 8ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d’Information, 16–18 Septembre 2013. Mont-de-Marsan, France, Mont-de-Marsan, France, September 2013Google Scholar
  2. 2.
    Arnold, F., Belinfante, A., Van der Berg, F., Guck, D., Stoelinga, M.: DFTCalc: a tool for efficient fault tree analysis. In: Bitsch, F., Guiochet, J., Kaâniche, M. (eds.) SAFECOMP. LNCS, vol. 8153, pp. 293–301. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  3. 3.
    Arnold, F., Hermanns, H., Pulungan, R., Stoelinga, M.: Time-dependent analysis of attacks. In: Abadi, M., Kremer, S. (eds.) POST 2014 (ETAPS 2014). LNCS, vol. 8414, pp. 285–305. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  4. 4.
    Baier, C., Katoen, J.: Principles of Model Checking. MIT Press, Cambridge (2008) zbMATHGoogle Scholar
  5. 5.
    Boudali, H., Crouzen, P., Stoelinga, M.: A rigorous, compositional, and extensible framework for dynamic fault tree analysis. IEEE Trans. Dependable Secure Comput. 7(2), 128–143 (2010)CrossRefGoogle Scholar
  6. 6.
    Buckshaw, D.L.: Use of Decision Support Techniques for Information System Risk Management. John Wiley Sons Ltd, UK (2014)CrossRefGoogle Scholar
  7. 7.
    Dalton, G., Mills, R., Colombi, J., Raines, R.: Analyzing attack trees using generalized stochastic petri nets. In: Information Assurance Workshop, 2006 IEEE, pp. 116–123, June 2006Google Scholar
  8. 8.
    Evans, S., Heinbuch, D.V., Kyule, E., Piorkowski, J., Wallner, J.: Risk-based systems security engineering: stopping attacks with intention. IEEE Secur. Priv. 2(6), 59–62 (2004)CrossRefGoogle Scholar
  9. 9.
    Ford, M.D., Keefe, K., LeMay, E., Sanders, W.H., Muehrcke, C.: Implementing the ADVISE security modeling formalism in Möbius. In: Proceedings of the 43rd International Conference on Dependable Systems and Networks (DSN), pp. 1–8 (2013)Google Scholar
  10. 10.
    Gupta, V., Lam, V., Ramasamy, H.G.V., Sanders, W.H., Singh, S.: Dependability and performance evaluation of intrusion-tolerant server architectures. In: de Lemos, R., Weber, T.S., Camargo Jr., J.B. (eds.) LADC 2003. LNCS, vol. 2847, pp. 81–101. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  11. 11.
    Haas, P.J.: Stochastic petri nets for modelling and simulation. In: Proceeding of the 36th Conference on Winter Simulation, pp. 101–112 (2004)Google Scholar
  12. 12.
    Ingolds, T.R.: Attack tree-based threat risk analysis. Technical report, Amenaza Technologies Ltd (2013)Google Scholar
  13. 13.
    Jürgenson, A., Willemson, J.: Computing exact outcomes of multi-parameter attack trees. In: Meersman, R., Tari, Z. (eds.) OTM 2008, Part II. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  14. 14.
    Kordy, B., Pietre-Cambacedes, L., Schweitzer, P.: DAG-based attack and defense modeling: Don’t miss the forest for the attack trees. CoRR, abs/1303.7397 (2013)Google Scholar
  15. 15.
    Kordy, B., Pouly, M., Schweitzer, P.: Computational aspects of attack–defense trees. In: Bouvry, P., Kłopotek, M.A., Leprévost, F., Marciniak, M., Mykowiecka, A., Rybiński, H. (eds.) SIIS 2011. LNCS, vol. 7053, pp. 103–116. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  16. 16.
    Kriaa, S., Bouissou, M., Piètre-Cambacédès, L.: Modeling the stuxnet attack with BDMP: towards more formal risk assessments. In: Proceedings of the 7th International Conference on Risk and Security of Internet and Systems (CRiSIS), pp. 1–8, October 2012Google Scholar
  17. 17.
    Leemis, L.M.: Reliability: Probabilistic Models and Statistical Methods. Prentice Hall, Englewood Cliffs (1995)zbMATHGoogle Scholar
  18. 18.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  19. 19.
    McQueen, M., Boyer, W., Flynn, M., Beitel, G.: Quantitative cyber risk reduction estimation methodology for a small scada control system. In: Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS), vol. 9, p. 226, January 2006Google Scholar
  20. 20.
    Pieters, W., Davarynejad, M.: Calculating adversarial risk from attack trees: control strength and probabilistic attackers. In: Garcia-Alfaro, J., Herrera-Joancomartí, J., Lupu, E., Posegga, J., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/SETOP/QASA 2014. LNCS, vol. 8872, pp. 201–215. Springer, Heidelberg (2015) Google Scholar
  21. 21.
    Piètre-Cambacédès, L., Bouissou, M.: Attack and defense modeling with BDMP. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2010. LNCS, vol. 6258, pp. 86–101. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  22. 22.
    Piètre-Cambacédès, L., Bouissou, M.; Beyond attack trees: dynamic security modeling with boolean logic driven markov processes (BDMP). In: Dependable Computing Conference (EDCC), pp. 199–208, April 2010Google Scholar
  23. 23.
    Sanders, W.H., Meyer, J.F.: Stochastic activity networks: formal definitions and concepts. In: Brinksma, E., Hermanns, H., Katoen, J.-P. (eds.) EEF School 2000 and FMPA 2000. LNCS, vol. 2090, pp. 315–343. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  24. 24.
    Schneier, B.: Attack trees: modeling security threats. Dr. Dobb’s J. 24 (1999)Google Scholar
  25. 25.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, 2002, pp. 273–284 (2002)Google Scholar
  26. 26.
    Singh, S., Cukier, M., Sanders, W.H.: Probabilistic validation of an intrusion-tolerant replication system. In: Proceedings of the 2003 International Conference on Dependable Systems and Networks (DSN), pp. 615–624 (2003)Google Scholar
  27. 27.
    Weiss, J.: A system security engineering process. In: Proceedings of the 14th National Computer Security Conference, vol. 249, October 1991Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Florian Arnold
    • 2
  • Dennis Guck
    • 1
  • Rajesh Kumar
    • 1
  • Mariële Stoelinga
    • 1
  1. 1.Formal Methods and ToolsUniversity of TwenteEnschedeThe Netherlands
  2. 2.Bayer Technology ServicesLeverkusenGermany

Personalised recommendations