Foundations of Attack–Defense Trees

  • Barbara Kordy
  • Sjouke Mauw
  • Saša Radomirović
  • Patrick Schweitzer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6561)


We introduce and give formal definitions of attack–defense trees. We argue that these trees are a simple, yet powerful tool to analyze complex security and privacy problems. Our formalization is generic in the sense that it supports different semantical approaches. We present several semantics for attack–defense trees along with usage scenarios, and we show how to evaluate attributes.


Intrusion Detection System Defense Tree Attack Tree Attribute Domain Fault Tree Analysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Vesely, W.E., Goldberg, F.F., Roberts, N., Haasl, D.: Fault Tree Handbook. Technical Report NUREG-0492, U.S. Regulatory Commission (1981)Google Scholar
  2. 2.
    Schneier, B.: Attack Trees. Dr. Dobb’s Journal of Software Tools 24(12), 21–29 (1999)Google Scholar
  3. 3.
    Mauw, S., Oostdijk, M.: Foundations of Attack Trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Jürgenson, A., Willemson, J.: Serial Model for Attack Tree Computations. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 118–128. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. 5.
    Edge, K.S., Dalton II, G.C., Raines, R.A., Mills, R.F.: Using Attack and Protection Trees to Analyze Threats and Defenses to Homeland Security. In: Military Communications Conference, MILCOM 2006, pp. 1–7. IEEE, Los Alamitos (2006)CrossRefGoogle Scholar
  6. 6.
    Saini, V., Duan, Q., Paruchuri, V.: Threat Modeling Using Attack Trees. Journal of Computing in Small Colleges 23(4), 124–131 (2008)Google Scholar
  7. 7.
    Bistarelli, S., Fioravanti, F., Peretti, P.: Defense Trees for Economic Evaluation of Security Investments. In: ARES, pp. 416–423. IEEE Computer Society, Los Alamitos (2006)Google Scholar
  8. 8.
    Bistarelli, S., Dall’Aglio, M., Peretti, P.: Strategic Games on Defense Trees. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2006. LNCS, vol. 4691, pp. 1–15. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Moore, A.P., Ellison, R.J., Linger, R.C.: Attack Modeling for Information Security and Survivability. Technical Report CMU/ SEI-2001-TN-001, CMU Software Eng (2001)Google Scholar
  10. 10.
    Cervesato, I., Meadows, C.: One Picture Is Worth a Dozen Connectives: A Fault-Tree Representation of NPATRL Security Requirements. IEEE Transactions on Dependable and Secure Computing 4, 216–227 (2007)CrossRefGoogle Scholar
  11. 11.
    Amoroso, E.G.: Fundamentals of Computer Security Technology. Prentice-Hall, Inc., Upper Saddle River (1994)zbMATHGoogle Scholar
  12. 12.
    Morais, A.N.P., Martins, E., Cavalli, A.R., Jimenez, W.: Security Protocol Testing Using Attack Trees. In: CSE (2), pp. 690–697. IEEE Computer Society, Los Alamitos (2009)Google Scholar
  13. 13.
    Sheyner, O., Haines, J.W., Jha, S., Lippmann, R., Wing, J.M.: Automated Generation and Analysis of Attack Graphs. In: IEEE Symposium on Security and Privacy, pp. 273–284. IEEE Computer Society, Los Alamitos (2002)Google Scholar
  14. 14.
    Bistarelli, S., Peretti, P., Trubitsyna, I.: Analyzing Security Scenarios Using Defence Trees and Answer Set Programming. Electronic Notes in Theoretical Computer Science 197(2), 121–129 (2008)CrossRefGoogle Scholar
  15. 15.
    Kordy, B., Mauw, S., Melissen, M., Schweitzer, P.: Attack–defense trees and two-player binary zero-sum extensive form games are equivalent. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 245–256. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  16. 16.
    Rehák, M., Staab, E., Fusenig, V., Pěchouček, M., Grill, M., Stiborek, J., Bartoš, K., Engel, T.: Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 61–80. Springer, Heidelberg (2009)Google Scholar
  17. 17.
    Doets, K.: Basic Model Theory. CSLI Publications, Stanford (1996)zbMATHGoogle Scholar
  18. 18.
    Jürgenson, A., Willemson, J.: Computing Exact Outcomes of Multi-parameter Attack Trees. In: Chung, S. (ed.) OTM 2008, Part II. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  19. 19.
    Amenaza: SecurITree,
  20. 20.

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Barbara Kordy
    • 1
  • Sjouke Mauw
    • 1
  • Saša Radomirović
    • 1
  • Patrick Schweitzer
    • 1
  1. 1.CSC and SnTUniversity of LuxembourgLuxembourg

Personalised recommendations