Fast and Optimal Countermeasure Selection for Attack Defence Trees

  • Steve Muller
  • Carlo Harpes
  • Cédric Muller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10224)


Risk treatment is an important part of risk management and deals with the question of which security controls should be implemented in order to mitigate risk. Indeed, most notably when the mitigated risk is low, the costs engendered by the implementation of a security control may exceed its benefits. The question becomes particularly interesting if there are several countermeasures to choose from.

Attack–defence trees are a promising candidate for modeling the effect of defensive mechanisms on a risk scenario. Such trees allow one to compute the risk of a scenario before and after the implementation of a security control, and thus to weigh its benefits against its costs.

A naive approach to finding an optimal set of security controls is to try out all possible combinations. However, such a procedure reaches its limits even for a small number of defences.

This paper presents a novel branch-and-bound algorithm, which skips a large part of the combinations that cannot lead to an optimal solution. The performance is thereby increased by several orders of magnitude compared to the pure brute-force version.
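The contrast between exhaustive search and pruning can be seen on a toy tree. The following is an added example, not the paper's algorithm or code: the tree, probabilities, costs, the independence of attack steps, the objective (defence cost plus residual risk) and the pruning bound are all assumptions constructed for illustration.

```python
from itertools import combinations
from math import prod

# Constructed scenario (assumption): goal = OR(AND(phish, escalate), exploit_vpn)
TREE = ("OR", [("AND", ["phish", "escalate"]), "exploit_vpn"])
P0 = {"phish": 0.6, "escalate": 0.5, "exploit_vpn": 0.2}  # success probabilities
IMPACT = 100_000  # loss if the goal is reached
# defence -> (cost, attack step it weakens, factor applied to that step's probability)
DEFENCES = {"training": (4_000, "phish", 0.5), "mfa": (6_000, "phish", 0.2),
            "hardening": (9_000, "escalate", 0.4),
            "vpn_patch": (3_000, "exploit_vpn", 0.1), "dlp": (30_000, "escalate", 0.9)}

def prob(node, p):
    """Success probability of a node; leaves are assumed independent."""
    if isinstance(node, str):
        return p[node]
    op, kids = node
    vals = [prob(k, p) for k in kids]
    return prod(vals) if op == "AND" else 1 - prod(1 - v for v in vals)

def risk(chosen):
    """Residual risk (impact x probability of the goal) with these defences deployed."""
    p = dict(P0)
    for d in chosen:
        p[DEFENCES[d][1]] *= DEFENCES[d][2]
    return IMPACT * prob(TREE, p)

def spend(chosen):
    return sum(DEFENCES[d][0] for d in chosen)

def brute_force():
    """Evaluate all 2^n defence subsets."""
    names = list(DEFENCES)
    subsets = [frozenset(c) for r in range(len(names) + 1) for c in combinations(names, r)]
    best = min(subsets, key=lambda s: spend(s) + risk(s))
    return best, spend(best) + risk(best)

def branch_and_bound():
    names, best, nodes = list(DEFENCES), [frozenset(), risk(())], 0
    def visit(i, chosen):
        nonlocal nodes
        nodes += 1
        # Optimistic bound: every undecided defence is deployed at zero cost.
        # Valid because adding a defence never raises the risk in this model.
        if spend(chosen) + risk(chosen | set(names[i:])) >= best[1]:
            return  # nothing below this node can beat the incumbent
        if i == len(names):
            best[:] = [chosen, spend(chosen) + risk(chosen)]
            return
        visit(i + 1, chosen | {names[i]})  # deploy defence i
        visit(i + 1, chosen)               # skip defence i
    visit(0, frozenset())
    return best[0], best[1], nodes
```

Both functions return the same defence set and total cost; `branch_and_bound` also returns how many decision-tree nodes it visited, which can be compared with the 2^(n+1) − 1 nodes of the full tree.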


Keywords: Attack-defence tree · Return On Security Investment · Optimal defences · Risk treatment optimisation · Branch and bound algorithm



This work was supported by the Fonds National de la Recherche, Luxembourg (project reference 10239425) and the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement number 318003 (TREsPASS).



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. itrust consulting s.à r.l., Niederanven, Luxembourg
  2. University of Luxembourg, Luxembourg City, Luxembourg
  3. Telecom Bretagne, Cesson-Sévigné, France
