Modelling Attack-defense Trees Using Timed Automata

  • Olga Gadyatskaya
  • René Rydhof Hansen
  • Kim Guldstrand Larsen
  • Axel Legay
  • Mads Chr. Olesen
  • Danny Bøgsted Poulsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9884)

Abstract

Performing a thorough security risk assessment of an organisation has always been challenging, but with the increased reliance on outsourced and off-site third-party services, i.e., “cloud services”, combined with internal (legacy) IT-infrastructure and -services, it has become a very difficult and time-consuming task. One of the traditional tools available to ease the burden of performing a security risk assessment and structure security analyses in general is attack trees [19, 23, 24], a tree-based formalism inspired by fault trees, a well-known formalism used in safety engineering.

In this paper we study an extension of traditional attack trees, called attack-defense trees, in which not only the attacker’s actions are modelled, but also the defensive actions taken by the attacked party [15]. In this work we use the attack-defense tree as a goal an attacker wants to achieve, and separate the behaviour of the attacker and defender from the attack-defense-tree. We give a fully stochastic timed semantics for the behaviour of the attacker by introducing attacker profiles that choose actions probabilistically and execute these according to a probability density. Lastly, the stochastic semantics provides success probabilitites for individual actions. Furthermore, we show how to introduce costs of attacker actions. Finally, we show how to automatically encode it all with a network of timed automata, an encoding that enables us to apply state-of-the-art model checking tools and techniques to perform fully automated quantitative and qualitative analyses of the modelled system.

References

  1. 1.
    Alur, R., Dill, D.: Automata for modeling real-time systems. In: Paterson, M.S. (ed.) Automata, Languages and Programming. LNCS, vol. 443, pp. 322–335. Springer, Heidelberg (1990). ISBN: 3-540-52826-1CrossRefGoogle Scholar
  2. 2.
    Arnold, F., Guck, D., Kumar, R., Stoelinga, M.: Sequential and parallel attack tree modelling. In: Koornneef, F., van Gulijk, C. (eds.) Computer Safety, Reliability, and Security. LNCS, vol. 9338, pp. 291–299. Springer International Publishing, Switzerland (2015)CrossRefGoogle Scholar
  3. 3.
    Aslanyan, Z., Nielson, F.: Pareto efficient solutions of attack-defence trees. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 95–114. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46666-7_6 Google Scholar
  4. 4.
    Bagnato, A., Kordy, B., Meland, P.H., Schweitzer, P.: Attribute decoration of attack-defense trees. Int. J. Secure Softw. Eng. (IJSSE) 3(2), 1 (2012)CrossRefGoogle Scholar
  5. 5.
    Behrmann, G., David, A., Larsen, K.G.: A tutorial on Uppaal. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30080-9_7 CrossRefGoogle Scholar
  6. 6.
    Buldas, A., Laud, P., Priisalu, J., Saarepera, M., Willemson, J.: Rational choice of security measures via multi-parameter attack trees. In: López, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 235–248. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Dalton, G.C., Mills, R.F., Colombi, J.M., Raines, R.A., et al.: Analyzing attack trees using generalized stochastic petri nets. In: 2006 IEEE Information Assurance Workshop, pp. 116–123. IEEE (2006)Google Scholar
  8. 8.
    David, A., Larsen, K.G., Legay, A., Mikučionis, M., Poulsen, D.B., van Vliet, J., Wang, Z.: Statistical model checking for networks of priced timed automata. In: Fahrenberg, U., Tripakis, S. (eds.) FORMATS 2011. LNCS, vol. 6919, pp. 80–96. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    David, A., Jensen, P.G., Larsen, K.G., Legay, A., Lime, D., Sørensen, M.G., Taankvist, J.H.: On time with minimal expected cost!. In: Cassez, F., Raskin, J.-F. (eds.) ATVA 2014. LNCS, vol. 8837, pp. 129–145. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11936-6_10. ISBN: 978-3-319-11935-9Google Scholar
  10. 10.
    David, A., Jensen, P.G., Larsen, K.G., Mikucionis, M., Taankvist, J.H.: Uppaal stratego. In: Baier, C., Tinelli, C. (eds.) Tools and Algorithms for the Construction and Analysis of Systems. LNCS, vol. 9035, pp. 206–211. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46681-0_16. ISBN: 978-3-662-46680-3Google Scholar
  11. 11.
    Gadyatskaya, O.: How to generate security cameras: towards defence generation for socio-technical systems. In: Mauw, S., et al. (eds.) GraMSec 2015. LNCS, vol. 9390, pp. 50–65. Springer, Heidelberg (2016). doi:10.1007/978-3-319-29968-6_4 CrossRefGoogle Scholar
  12. 12.
    Hermanns, H., Krämer, J., Krcál, J., Stoelinga, M.: The value of attack-defence diagrams. In: Piessens, F., et al. (eds.) POST 2016. LNCS, vol. 9635, pp. 163–185. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49635-0_9 CrossRefGoogle Scholar
  13. 13.
    Ivanova, M.G., Probst, C.W., Hansen, R.R., Kammüller, F.: Transforming graphical system models to graphical attack models. In: Mauw, S., et al. (eds.) GraMSec 2015. LNCS, vol. 9390, pp. 82–96. Springer, Heidelberg (2016). doi:10.1007/978-3-319-29968-6_6 CrossRefGoogle Scholar
  14. 14.
    Jürgenson, A., Willemson, J.: Computing exact outcomes of multi-parameter attack trees. In: Meersman, R., Tari, Z. (eds.) OTM 2008, Part II. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2014)MathSciNetCrossRefMATHGoogle Scholar
  16. 16.
    Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees. Comput. Sci. Rev. 13–14, 1–38 (2014). doi:10.1016/j.cosrev.2014.07.001 CrossRefMATHGoogle Scholar
  17. 17.
    Kumar, R., Ruijters, E., Stoelinga, M.: Quantitative attack tree analysis via priced timed automata. In: Sankaranarayanan, S., Vicario, E. (eds.) FORMATS 2015. LNCS, vol. 9268, pp. 156–171. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  18. 18.
    Larsen, K.G., Pettersson, P., Yi, W.: UPPAAL in a nutshell. STTT 1(1–2), 134–152 (1997). doi:10.1007/s100090050010 CrossRefMATHGoogle Scholar
  19. 19.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. 20.
    NATO Research and Technology Organisation (RTO). Improving Common Security Risk Analysis. Technical report AC/323(ISP-049)TP/193, North Atlantic Treaty Organisation, University of California, Berkeley (2008)Google Scholar
  21. 21.
    Nielson, F., Aslanyan, Z., Parker, D.: Quantitative verification and synthesis of attack-defense scenarios. In: CSF 2016 (2016, to appear)Google Scholar
  22. 22.
    OWASP. CISO AppSec Guide: Criteria for managing application security risks (2013)Google Scholar
  23. 23.
    Salter, C., Saydjari, O.S., Schneier, B., Wallner, J.: Toward a secure system engineering methodology. In: Proceedings of the 1998 New Security Paradigms Workshop (NSPW 1998), pp. 2–10, Charlottesville, Virginia, US, September 1998Google Scholar
  24. 24.
    Schneier, B.: Attack trees: modeling security threats. Dr. Dobb’s J. (1999)Google Scholar
  25. 25.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Olga Gadyatskaya
    • 1
  • René Rydhof Hansen
    • 2
  • Kim Guldstrand Larsen
    • 2
  • Axel Legay
    • 3
  • Mads Chr. Olesen
    • 2
  • Danny Bøgsted Poulsen
    • 2
  1. 1.SnTUniversity of LuxembourgLuxembourg CityLuxembourg
  2. 2.Department of Computer ScienceAalborg UniversityAalborgDenmark
  3. 3.Inria Rennes – Bretagne AtlantiqueRennesFrance

Personalised recommendations