Using Attack-Defense Trees to Analyze Threats and Countermeasures in an ATM: A Case Study

  • Marlon Fraile
  • Margaret Ford
  • Olga Gadyatskaya
  • Rajesh Kumar
  • Mariëlle Stoelinga
  • Rolando Trujillo-Rasua
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 267)


Securing automated teller machines (ATMs), as critical and complex infrastructure, requires a precise understanding of the associated threats. This paper reports on the application of attack-defense trees to model and analyze the security of ATMs. We capture the most dangerous multi-stage attack scenarios applicable to ATM structures, and establish a practical experience report, where we reflect on the process of modeling ATM threats via attack-defense trees. In particular, we share our insights into the benefits and drawbacks of attack-defense tree modeling, as well as best practices and lessons learned.


Keywords: Attack-defense trees; Security modeling; ATM security



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  • Marlon Fraile (1)
  • Margaret Ford (2)
  • Olga Gadyatskaya (3)
  • Rajesh Kumar (4)
  • Mariëlle Stoelinga (4)
  • Rolando Trujillo-Rasua (3)

  1. GMV, Madrid, Spain
  2. Consult Hyperion, Guildford, UK
  3. University of Luxembourg, SnT, Esch-sur-Alzette, Luxembourg
  4. University of Twente, Enschede, Netherlands
