The Attack Navigator

  • Christian W. ProbstEmail author
  • Jan Willemson
  • Wolter Pieters
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9390)


The need to assess security and take protection decisions is at least as old as our civilisation. However, the complexity and development speed of our interconnected technical systems have surpassed our capacity to imagine and evaluate risk scenarios. This holds in particular for risks that are caused by the strategic behaviour of adversaries. Therefore, technology-supported methods are needed to help us identify and manage these risks. In this paper, we describe the attack navigator: a graph-based approach to security risk assessment inspired by navigation systems. Based on maps of a socio-technical system, the attack navigator identifies routes to an attacker goal. Specific attacker properties such as skill or resources can be included through attacker profiles. This enables defenders to explore attack scenarios and the effectiveness of defense alternatives under different threat conditions.


Virtual Machine Access Control Policy Social Engineering Attack Tree Attack Pattern 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007–2013) under grant agreement no. 318003 (TRE\(_\mathrm {S}\)PASS). This publication reflects only the authors’ views and the Union is not liable for any use that may be made of the information contained herein.


  1. 1.
    Fischhoff, B.: Risk perception and communication unplugged: twenty years of process. Risk Anal. 15(2), 137–145 (1995)CrossRefGoogle Scholar
  2. 2.
    Jasanoff, S.: The political science of risk perception. Reliab. Eng. Syst. Saf. 59(1), 91–99 (1998)CrossRefGoogle Scholar
  3. 3.
    Weinstein, N.D.: What does it mean to understand a risk? evaluating risk comprehension. J. Nat. Cancer Inst. Monogr. 25, 15–20 (1999)CrossRefGoogle Scholar
  4. 4.
    The Consortium: Project webpage, 31 October 2015.
  5. 5.
    Schneier, B.: Attack trees: modeling security threats. Dr. Dobb’s J. Softw. Tools 24(12), 21–29 (1999). Google Scholar
  6. 6.
    Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees. Comput. Sci. Rev. 13–14, 1–38 (2014)CrossRefGoogle Scholar
  7. 7.
    Jürgenson, A., Willemson, J.: Computing exact outcomes of multi-parameter attack trees. In: Meersman, R., Tari, Z. (eds.) OTM 2008, Part II. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Jürgenson, A., Willemson, J.: Serial model for attack tree computations. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 118–128. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. 9.
    Jürgenson, A., Willemson, J.: On fast and approximate attack tree computations. In: Kwak, J., Deng, R.H., Won, Y., Wang, G. (eds.) ISPEC 2010. LNCS, vol. 6047, pp. 56–66. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  10. 10.
    Arnold, F., Hermanns, H., Pulungan, R., Stoelinga, M.: Time-dependent analysis of attacks. In: Abadi, M., Kremer, S. (eds.) POST 2014 (ETAPS 2014). LNCS, vol. 8414, pp. 285–305. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  11. 11.
    Casey, T.: Threat Agent Library Helps Identify Information Security Risks. Intel White Paper, Houston (2007)Google Scholar
  12. 12.
    Casey, T., Koeberl, P., Vishik, C.: Threat agents: a necessary component of threat analysis. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, CSIIRW 2010, pp. 56:1–56:4. ACM, New York (2010)Google Scholar
  13. 13.
    Rosenquist, M.: Prioritizing Information Security Risks with Threat Agent Risk Assessment. Intel White Paper, Houston (2010)Google Scholar
  14. 14.
    Pieters, W., Barendse, J., Ford, M., Heath, C.P., Probst, C.W.: The navigation metaphor in security economics. IEEE Secur. Priv. 14, Scheduled for publication in May/June 2016Google Scholar
  15. 15.
    Van Holsteijn, R.: The motivation of attackers in attack tree analysis. Master’s thesis, TU Delft (2015)Google Scholar
  16. 16.
    Cox Jr, L.A.: Game theory and risk analysis. Risk Anal. 29(8), 1062–1068 (2009)CrossRefGoogle Scholar
  17. 17.
    Pieters, W., Davarynejad, M.: Calculating adversarial risk from attack trees: control strength and probabilistic attackers. In: Garcia-Alfaro, J., Herrera-Joancomartí, J., Lupu, E., Posegga, J., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/SETOP/QASA 2014. LNCS, vol. 8872, pp. 201–215. Springer, Heidelberg (2015)Google Scholar
  18. 18.
    The Consortium: Final requirements for visualisation processes and tools Deliverable D4.1.2 (2015)Google Scholar
  19. 19.
    Pieters, W., Dimkov, T., Pavlovic, D.: Security policy alignment: a formal approach. IEEE Syst. J. 7(2), 275–287 (2013)CrossRefGoogle Scholar
  20. 20.
    Kammüller, F., Probst, C.W.: Invalidating policies using structural information. In: 2nd International IEEE Workshop on Research on Insider Threats (WRIT 2013). IEEE Co-located with IEEE CS Security and Privacy 2013 (2013)Google Scholar
  21. 21.
    Kammüller, F., Probst, C.W.: Combining generated data models with formal invalidation for insider threat analysis. In: 3rd International IEEE Workshop on Research on Insider Threats (WRIT 2014). IEEE Co-located with IEEE CS Security and Privacy 2014 (2014)Google Scholar
  22. 22.
    Winkler, I.S., Dealy, B.: Information security technology? don’t rely on it. a case study in social engineering. In: USENIX Security (1995)Google Scholar
  23. 23.
    Thornburgh, T.: Social engineering: the "dark art". In: Proceedings of the 1st Annual Conference on Information Security Curriculum Development, InfoSecCD 2004, pp. 133–135. ACM, New York (2004)Google Scholar
  24. 24.
    Mitnick, K.D., Simon, W.L., Wozniak, S.: The Art of Deception: Controlling the Human Element of Security. Wiley, Hoboken (2002)Google Scholar
  25. 25.
    Holley, P.: Driver follows GPS off demolished bridge, killing wife, police say, 15 October 2015.
  26. 26.
    Knudson, T.: ’Death by GPS’ in desert, Last visited 15 October 2015 (2011).
  27. 27.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Log. Comput. 24(1), 55–87 (2014)CrossRefzbMATHGoogle Scholar
  28. 28.
    Lenin, A., Willemson, J., Sari, D.P.: Attacker profiling in quantitative security assessment based on attack trees. In: Bernsmed, K., Fischer-Hübner, S. (eds.) NordSec 2014. LNCS, vol. 8788, pp. 199–212. Springer, Heidelberg (2014)Google Scholar
  29. 29.
    Buldas, A., Lenin, A.: New efficient utility upper bounds for the fully adaptive model of attack trees. In: Das, S.K., Nita-Rotaru, C., Kantarcioglu, M. (eds.) GameSec 2013. LNCS, vol. 8252, pp. 192–205. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  30. 30.
    Lenin, A., Willemson, J., Charnamord, A.: Genetic approximations for the failure-free security games. In: Khouzani, M.H.R., et al. (eds.) GameSec 2015. LNCS, vol. 9406, pp. 311–321. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-25594-1_17 CrossRefGoogle Scholar
  31. 31.
    Hall, P., Heath, C., Coles-Kemp, L., Tanner, A.: Examining the contribution of critical visualisation to information security. In: Proceedings of the 2015 New Security Paradigms Workshop. ACM (2015)Google Scholar
  32. 32.
    Heath, C.H.P., Coles-Kemp, L., Hall, P.A., et al.: Logical lego? co-constructed perspectives on service design. In: DS 81: Proceedings of NordDesign 2014, Espoo, Finland, 27–29th August 2014Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Christian W. Probst
    • 1
    Email author
  • Jan Willemson
    • 2
  • Wolter Pieters
    • 3
  1. 1.Technical University of DenmarkKongens LyngbyDenmark
  2. 2.CyberneticaTallinnEstonia
  3. 3.Delft University of TechnologyDelftThe Netherlands

Personalised recommendations