Abstract
Subjective attack trees are an extension to traditional attack trees, proposed so to take uncertainty about likelihoods of security events into account during the modelling of security risk scenarios, using subjective opinions. This paper extends the work of subjective attack trees by allowing for the modelling of countermeasures, as well as conducting a comprehensive security and security investment analysis, such as risk measuring and analysis of profitable security investments. Our approach is evaluated against traditional attack trees. The results demonstrate the importance and advantage of taking uncertainty about probabilities into account. In terms of security investment, our approach seems to be more inclined to protect systems in presence of uncertainty (or lack of knowledge) about security events evaluations.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Al-Hadharami, N., Collinson, M., Oren, N.: Modelling security risk scenarios using subjective attack trees. In: Proceedings of the 15th International Conference on Risks and Security of Internet and Systems (CRISIS 2020). Springer (2020, to appear)
Bistarelli, S., Dall’Aglio, M., Peretti, P.: Strategic games on defense trees. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2006. LNCS, vol. 4691, pp. 1–15. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75227-1_1
Bistarelli, S., Fioravanti, F., Peretti, P.: Defense trees for economic evaluation of security investments. In: First International Conference on Availability, Reliability and Security (ARES 2006), p. 8. IEEE (2006)
Cerutti, F., Kaplan, L., Kimmig, A., Şensoy, M.: Probabilistic logic programming with beta-distributed random variables. In: Proceedings of AAAI, pp. 7769–7776 (2019)
Daly, L.: Simple SAS macros for the calculation of exact binomial and Poisson confidence limits. Comput. Biol. Med. 22(5), 351–361 (1992)
Edge, K., Raines, R., Grimaila, M., Baldwin, R., Bennington, R., Reuter, C.: The use of attack and protection trees to analyze security for an online banking system. In: 2007 40th Annual Hawaii International Conference on System Sciences (HICSS 2007), p. 144b. IEEE (2007)
Edge, K.S.: A framework for analyzing and mitigating the vulnerabilities of complex systems via attack and protection trees. Technical report, School of Engineering and Management, Air Force Institute of Technology, Wright-Patterson AFB, OH (2007)
Edge, K.S., Dalton, G.C., Raines, R.A., Mills, R.F.: Using attack and protection trees to analyze threats and defenses to homeland security. In: MILCOM 2006–2006 IEEE Military Communications Conference, pp. 1–7. IEEE (2006)
Jøsang, A.: Subjective Logic. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-42337-1
Julious, S.A.: Two-sided confidence intervals for the single proportion: comparison of seven method by Robert G. Newcombe, Statistics in Medicine 1998; 17: 857–872. Stat. Med. 24(21), 3383–3384 (2005)
Julious, S.A.: Calculation of confidence intervals for a finite population size. Pharm. Stat. 18(1), 115–122 (2019)
Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19751-2_6
Lallemant, D., Kiremidjian, A.: A beta distribution model for characterizing earthquake damage state distribution. Earthq. Spectra 31(3), 1337–1352 (2015)
Pieters, W., Davarynejad, M.: Calculating adversarial risk from attack trees: control strength and probabilistic attackers. In: Garcia-Alfaro, J., et al. (eds.) DPM/QASA/SETOP-2014. LNCS, vol. 8872, pp. 201–215. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-17016-9_13
Roy, A., Kim, D.S., Trivedi, K.S.: Cyber security analysis using attack countermeasure trees. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, pp. 1–4 (2010)
Roy, A., Kim, D.S., Trivedi, K.S.: Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees. Secur. Commun. Netw. 5(8), 929–943 (2012)
Sonnenreich, W., Albanese, J., Stout, B., et al.: Return on security investment (ROSI)-a practical quantitative model. J. Res. Pract. Inf. Technol. 38(1), 45 (2006)
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Al-Hadhrami, N., Collinson, M., Oren, N. (2021). Security Analysis Using Subjective Attack Trees. In: Maimut, D., Oprina, AG., Sauveron, D. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2020. Lecture Notes in Computer Science(), vol 12596. Springer, Cham. https://doi.org/10.1007/978-3-030-69255-1_19
Download citation
DOI: https://doi.org/10.1007/978-3-030-69255-1_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-69254-4
Online ISBN: 978-3-030-69255-1
eBook Packages: Computer ScienceComputer Science (R0)