Carlos E. Budde,Mariëlle Stoelinga

DOI: https://doi.org/10.1109/CSF51468.2021.00041

2021-05-22

Abstract:Numerous analysis methods for quantitative attack tree analysis have been proposed. These algorithms compute relevant security metrics, i.e. performance indicators that quantify how good the security of a system is, such as the most likely attack, the cheapest, or the most damaging one. This paper classifies attack trees in two dimensions: proper trees vs. directed acyclic graphs (i.e. with shared subtrees); and static vs. dynamic gates. For each class, we propose novel algorithms that work over a generic attribute domain, encompassing a large number of concrete security metrics defined on the attack tree semantics. We also analyse the computational complexity of our methods.

Cryptography and Security,Data Structures and Algorithms

Milan Lopuhaä-Zwakenberg,Carlos E. Budde,Mariëlle Stoelinga

DOI: https://doi.org/10.1109/TDSC.2022.3215752

2022-12-11

Abstract:Numerous analysis methods for quantitative attack tree analysis have been proposed. These algorithms compute relevant security metrics, i.e. performance indicators that quantify how good the security of a system is; typical metrics being the most likely attack, the cheapest, or the most damaging one. However, existing methods are only geared towards specific metrics or do not work on general attack trees. This paper classifies attack trees in two dimensions: proper trees vs. directed acyclic graphs (i.e. with shared subtrees); and static vs. dynamic gates. For three out of these four classes, we propose novel algorithms that work over a generic attribute domain, encompassing a large number of concrete security metrics defined on the attack tree semantics; dynamic attack trees with directed acyclic graph structure are left as an open problem. We also analyse the computational complexity of our methods.

Cryptography and Security,Data Structures and Algorithms

Florian Dorfhuber,Julia Eisentraut,Katharina Klioba,Jan Kretinsky

2024-09-18

Abstract:Ranking risks and countermeasures is one of the foremost goals of quantitative security analysis. One of the popular frameworks, used also in industrial practice, for this task are attack-defense trees. Standard quantitative analyses available for attack-defense trees can distinguish likely from unlikely vulnerabilities. We provide a tool that allows for easy synthesis and analysis of those models, also featuring probabilities, costs and time. Furthermore, it provides a variety of interfaces to existing model checkers and analysis tools. Unfortunately, currently available tools rely on precise quantitative inputs (probabilities, timing, or costs of attacks), which are rarely available. Instead, only statistical, imprecise information is typically available, leaving us with probably approximately correct (PAC) estimates of the real quantities. As a part of our tool, we extend the standard analysis techniques so they can handle the PAC input and yield rigorous bounds on the imprecision and uncertainty of the final result of the analysis.

Cryptography and Security

Stefano M. Nicoletti,Milan Lopuhaä-Zwakenberg,E. Moritz Hahn,Mariëlle Stoelinga

2024-05-17

Abstract:Critical infrastructure systems - for which high reliability and availability are paramount - must operate securely. Attack trees (ATs) are hierarchical diagrams that offer a flexible modelling language used to assess how systems can be attacked. ATs are widely employed both in industry and academia but - in spite of their popularity - little work has been done to give practitioners instruments to formulate queries on ATs in an understandable yet powerful way. In this paper we fill this gap by presenting ATM, a logic to express quantitative security properties on ATs. ATM allows for the specification of properties involved with security metrics that include "cost", "probability" and "skill" and permits the formulation of insightful what-if scenarios. To showcase its potential, we apply ATM to the case study of a CubeSAT, presenting three different ways in which an attacker can compromise its availability. We showcase property specification on the corresponding attack tree and we present theory and algorithms - based on binary decision diagrams - to check properties and compute metrics of ATM-formulae.

Cryptography and Security,Logic in Computer Science

Giovanna Broccia,Maurice H. ter Beek,Alberto Lluch Lafuente,Paola Spoletini,Alessio Ferrari

2024-04-09

Abstract:Context and Motivation Attack-Defense Trees (ADTs) are a graphical notation used to model and assess security requirements. ADTs are widely popular, as they can facilitate communication between different stakeholders involved in system security evaluation, and they are formal enough to be verified, e.g., with model checkers. Question/Problem While the quality of this notation has been primarily assessed quantitatively, its understandability has never been evaluated despite being mentioned as a key factor for its success. Principal idea/Results In this paper, we conduct an experiment with 25 human subjects to assess the understandability and user acceptance of the ADT notation. The study focuses on performance-based variables and perception-based variables, with the aim of evaluating the relationship between these measures and how they might impact the practical use of the notation. The results confirm a good level of understandability of ADTs. Participants consider them useful, and they show intention to use them. Contribution This is the first study empirically supporting the understandability of ADTs, thereby contributing to the theory of security requirements engineering.

Software Engineering,Cryptography and Security

Thi Kim Nhung Dang,Milan Lopuhaä-Zwakenberg,Mariëlle Stoelinga

2024-01-23

Abstract:Attack trees are important for security, as they help to identify weaknesses and vulnerabilities in a system. Quantitative attack tree analysis supports a number security metrics, which formulate important KPIs such as the shortest, most likely and cheapest attacks.

Cryptography and Security

Roberto Vigo,Flemming Nielson,Hanne Riis Nielson

DOI: https://doi.org/10.2168/LMCS-12%284%3A5%292016

2016-10-19

Abstract:In the design of software and cyber-physical systems, security is often perceived as a qualitative need, but can only be attained quantitatively. Especially when distributed components are involved, it is hard to predict and confront all possible attacks. A main challenge in the development of complex systems is therefore to discover attacks, quantify them to comprehend their likelihood, and communicate them to non-experts for facilitating the decision process. To address this three-sided challenge we propose a protection analysis over the Quality Calculus that (i) computes all the sets of data required by an attacker to reach a given location in a system, (ii) determines the cheapest set of such attacks for a given notion of cost, and (iii) derives an attack tree that displays the attacks graphically. The protection analysis is first developed in a qualitative setting, and then extended to quantitative settings following an approach applicable to a great many contexts. The quantitative formulation is implemented as an optimisation problem encoded into Satisfiability Modulo Theories, allowing us to deal with complex cost structures. The usefulness of the framework is demonstrated on a national-scale authentication system, studied through a Java implementation of the framework.

Cryptography and Security,Logic in Computer Science

Suguo Du,Haojin Zhu

DOI: https://doi.org/10.1007/978-1-4614-9357-0_3

2013-01-01

Abstract:In this Chapter, we present an attack-defense tree model for VANETs security and privacy problems, which considered both attacker's and defender's strategies. We also introduce two concepts of Return on Attack and Return on Investment to represent the potential gain from launching an attack or adopting a countermeasure. Both the attack-defense tree and the introduced concepts are preparation work for the attack-defense game analysis of later work in Chap. 4.

Thomas Brihaye,Sophie Pinchinat,Alexandre Terefenko

2023-12-01

Abstract:We present a mathematical setting for attack-defense trees, a classic graphical model to specify attacks and countermeasures. We equip attack-defense trees with (trace) language semantics allowing to have an original dynamic interpretation of countermeasures. Interestingly, the expressiveness of attack-defense trees coincides with star-free languages, and the nested countermeasures impact the expressiveness of attack-defense trees. With an adequate notion of countermeasure-depth, we exhibit a strict hierarchy of the star-free languages that does not coincides with the classic one. Additionally, driven by the use of attack-defense trees in practice, we address the decision problems of trace membership and of non-emptiness, and study their computational complexities parameterized by the countermeasure-depth.

Formal Languages and Automata Theory

Olga Gadyatskaya,Sjouke Mauw,Rolando Trujillo-Rasuac,Tim A. C.Willemse

2024-07-10

Abstract:This article addresses the problem of automatically generating attack trees that soundly and clearly describe the ways the system can be attacked. Soundness means that the attacks displayed by the attack tree are indeed attacks in the system; clarity means that the tree is efficient in communicating the attack scenario. To pursue clarity, we introduce an attack-tree generation algorithm that minimises the tree size and the information length of its labels without sacrificing correctness. We achieve this by i) introducing a system model that allows to reason about attacks and goals in an efficient manner, and ii) by establishing a connection between the problem of factorising algebraic expressions and the problem of minimising the tree size. To the best of our knowledge, we introduce the first attack-tree generation framework that optimises the labelling and shape of the generated trees, while guaranteeing their soundness with respect to a system specification.

Cryptography and Security,Formal Languages and Automata Theory

Milan Lopuhaä-Zwakenberg,Mariëlle Stoelinga

DOI: https://doi.org/10.48550/arXiv.2304.05812

2023-04-12

Abstract:Attack trees (ATs) are a widely deployed modelling technique to categorize potential attacks on a system. An attacker of such a system aims at doing as much damage as possible, but might be limited by a cost budget. The maximum possible damage for a given cost budget is an important security metric of a system. In this paper, we find the maximum damage given a cost budget by modelling this problem with ATs, both in deterministic and probabilistic settings. We show that the general problem is NP-complete, and provide heuristics to solve it. For general ATs these are based on integer linear programming. However when the AT is tree-structured, then one can instead use a faster bottom-up approach. We also extend these methods to other problems related to the cost-damage tradeoff, such as the cost-damage Pareto front.

Cryptography and Security,Optimization and Control

Xueqin Gao,Tao Shang,Da Li,Jianwei Liu

DOI: https://doi.org/10.1109/pst55820.2022.9851965

2022-01-01

Abstract:SCADA systems are one of the critical infrastructures and face many security threats. Attackers can control SCADA systems through network attacks, destroying the normal operation of the power system. It is important to conduct a risk assessment of security threats on SCADA systems. However, existing models for risk assessment using attack trees mainly focus on describing possible intrusions rather than the interaction between threats and defenses. In this paper, we comprehensively consider intrusion likelihood and defense capability and propose a quantitative risk assessment model of security threats based on attack countermeasure tree (ACT). Each leaf node in ACT contains two attributes: exploitable vulnerabilities and defense countermeasures. An attack scenario can be constructed by means of traversing the leaf nodes. We set up six indicators to evaluate the impact of security threats in attack scenarios according to NISTIR 7628 standard. Experimental results show the attack probability of security threats and high-risk attack scenarios in SCADA systems. We can improve defense countermeasures to protect against security threats corresponding to high-risk scenarios. In addition, the model can continually update risk assessments based on the implementation of the system’s defensive countermeasures.

Milan Lopuhaä-Zwakenberg

2024-08-13

Abstract:Adequate risk assessment of safety critical systems needs to take both safety and security into account, as well as their interaction. A prominent methodology for modeling safety and security are attack-fault trees (AFTs), which combine the well-established fault tree and attack tree methodologies for safety and security, respectively. AFTs can be used for quantitative analysis as well, capturing the interplay between safety and security metrics. However, existing approaches are based on modeling the AFT as a priced-timed automaton. This allows for a wide range of analyses, but Pareto analsis is still lacking, and analyses that exist are computationally expensive. In this paper, we combine safety and security analysis techniques to introduce a novel method to find the Pareto front between the metrics reliability (safety) and attack cost (security) using Markov decision processes. This gives us the full interplay between safety and security while being considerably more lightweight and faster than the automaton approach. We validate our approach on a case study of cyberattacks on an oil pipe line.

Cryptography and Security

Stefano M. Nicoletti,Milan Lopuhaä-Zwakenberg,Mariëlle Stoelinga,Fabio Massacci,Carlos E. Budde

2024-10-19

Abstract:The landscape of cyber threats grows more complex by the day. Advanced Persistent Threats carry out systematic attack campaigns against which cybersecurity practitioners must defend. Examples of such organized attacks are operations Dream Job, Wocao, WannaCry or the SolarWinds Compromise. To evaluate which risks are most threatening, and which campaigns to prioritize against when defending, cybersecurity experts must be equipped with the right toolbox. In particular, they must be able to (a) obtain likelihood values for each attack campaign recorded in the wild and (b) reliably and transparently operationalize these values to carry out quantitative comparisons among campaigns. This will allow security experts to perform quantitatively-informed decision making that is transparent and accountable. In this paper we construct such a framework by: (1) quantifying the likelihood of attack campaigns via data-driven procedures on the MITRE knowledge base and (2) introducing a methodology for automatic modelling of MITRE intelligence data: this is complete in the sense that it captures any attack campaign via template attack tree models. (3) We further propose a computational framework to carry out this comparisons based on the cATM formal logic, and implement this into an open-source Python tool. Finally, we validate our approach by quantifying the likelihood of all MITRE campaigns, and comparing the likelihood of the Wocao and Dream Job MITRE campaigns -- generated with our proposed approach -- against "ad hoc" traditionally-built attack tree models, demonstrating how our methodology is substantially lighter in modelling effort, and still capable of capturing all the quantitative relevant data.

Cryptography and Security,Logic in Computer Science

Alyzia-Maria Konsta,Beatrice Spiga,Alberto Lluch Lafuente,Nicola Dragoni

2023-09-26

Abstract:Graphical security models constitute a well-known, user-friendly way to represent the security of a system. These kinds of models are used by security experts to identify vulnerabilities and assess the security of a system. The manual construction of these models can be tedious, especially for large enterprises. Consequently, the research community is trying to address this issue by proposing methods for the automatic generation of such models. In this work, we present a survey illustrating the current status of the automatic generation of two kinds of graphical security models -Attack Trees and Attack Graphs. The goal of this survey is to present the current methodologies used in the field, compare them and present the challenges and future directions for the research community.

Cryptography and Security

Xiang Ji,Huiqun Yu,Guisheng Fan,Wenhao Fu

DOI: https://doi.org/10.1109/SNPD.2016.7515980

2016-01-01

Abstract:Cyber-physical system (CPS) is the fuse of cyber world and the dynamic physical world and it is being widely used in areas closely related to people's livelihood. Therefore, the security issues of CPS have drawn a global attention and an appropriate risk assessment for CPS is in urgent need. The existing proposals using attack trees for risk assessment mainly focus on depicting the possible intrusions, not for interactions between threats and defenses. In this paper, a risk assessment idea for cyber-physical system with the use of attack-defense tree (ADTree) is proposed, considering the effect of both the attack cost and defense cost. The effectiveness of the proposed approach is evaluated by a set of metrics like probability of success, attack and defense cost and the impact of an attack. In addition, we introduce two economic factors (ROA and ROI) to evaluate the performance of ADTree. Finally, an illustration case of threat risk analysis in SCADA system is given to demonstrate our approach. Overall, our approach provides an effective means of risk assessment and countermeasures evaluation in the evolutional process of security management for cyber-physical system security.

Jeremy Straub

DOI: https://doi.org/10.1109/smartcloud49737.2020.00035

2020-11-01

Abstract:Multiple techniques for modeling cybersecurity attacks and defense have been developed. The use of tree- structures as well as techniques proposed by several firms (such as Lockheed Martin’s Cyber Kill Chain, Microsoft’s STRIDE and the MITRE ATT&CK frameworks) have all been demonstrated. These approaches model actions that can be taken to attack or stopped to secure infrastructure and other resources, at different levels of detail. This paper builds on prior work on using the Blackboard Architecture for cyberwarfare and proposes a generalized solution for modeling framework/paradigm-based attacks that go beyond the deployment of a single exploit against a single identified target. The Blackboard Architecture Cyber Command Entity attack Route (BACCER) identification system combines rules and facts that implement attack type determination and attack decision making logic with actions that implement reconnaissance techniques and attack and defense actions. BACCER’s efficacy to model examples of tree-structures and other models is demonstrated herein.

Étienne André,Didier Lime,Mathias Ramparison,Mariëlle Stoelinga

DOI: https://doi.org/10.48550/arXiv.1902.04336

2019-05-09

Abstract:Risk assessment of cyber-physical systems, such as power plants, connected devices and IT-infrastructures has always been challenging: safety (i.e. absence of unintentional failures) and security (i.e. no disruptions due to attackers) are conditions that must be guaranteed. One of the traditional tools used to help considering these problems is attack trees, a tree-based formalism inspired by fault trees, a well-known formalism used in safety engineering. In this paper we define and implement the translation of attack-fault trees (AFTs) to a new extension of timed automata, called parametric weighted timed automata. This allows us to parametrize constants such as time and discrete costs in an AFT and then, using the model-checker IMITATOR, to compute the set of parameter values such that a successful attack is possible. Using the different sets of parameter values computed, different attack and fault scenarios can be deduced depending on the budget, time or computation power of the attacker, providing helpful data to select the most efficient counter-measure.

Cryptography and Security

Stefano M. Nicoletti,Milan Lopuhaä-Zwakenberg,E. Moritz Hahn,Mariëlle Stoelinga

2024-01-29

Abstract:We provide an overview of three different query languages whose objective is to specify properties on the highly popular formalisms of fault trees (FTs) and attack trees (ATs). These are BFL, a Boolean Logic for FTs, PFL, a probabilistic extension of BFL and ATM, a logic for security metrics on ATs. We validate the framework composed by these three logics by applying them to the case study of a water distribution network. We extend the FT for this network - found in the literature - and we propose to model the system under analysis with the Fault Trees/Attack Trees (FT/ATs) formalism, combining both FTs and ATs in a unique model. Furthermore, we propose a novel combination of the showcased logics to account for queries that jointly consider both the FT and the AT of the model, integrating influences of attacks on failure probabilities of different components. Finally, we extend the domain specific language for PFL with novel constructs to capture the interplay between metrics of attacks - e.g., "cost", success probabilities - and failure probabilities in the system.

Logic in Computer Science

Ping Wang,Kuo-Ming Chao,Chi-Chun Lo

DOI: https://doi.org/10.1109/ICEBE.2013.52

2013-01-01

Abstract:Most existing Threat and Risk Assessment (TRA) schemes for cloud services use a converse thinking approach to develop theoretical solutions for minimizing the risk of security breeches at a minimal cost. However, to support rational management decisions, TRA schemes require a careful analysis of the trade-off between the residual risk and the Return on Investment (ROI) given prescribed budget and time constraints. Accordingly, the present study proposes an improved Attack-Defense Tree mechanism designated as iADTree, for solving the TRA problem in cloud computing environments. The proposed scheme enables defenders to identify appropriate countermeasures in accordance with three different defensive strategies associated with the organization's security policy. In implementing the proposed scheme, a sandbox technique is used to examine the attack profile and attack probability of various forms of cyber attacks. The cost and residual risk of various defensive strategies are then evaluated and presented to the defender as a set of recommendations. Defense evaluation metrics for each node for probabilistic analysis is used to simulate the attack results. The simulations focus specifically on the attack profile of botnet to the threat risk assessment. The validity of the proposed approach is demonstrated by simulating the TRA process for a Zeus botnet attack. Overall, the results show that iADTree provides an effective means of modeling the interaction process between the attacker and the defender, analyzing the risk at each node of the tree given various defensive strategies, and developing cost-effective countermeasures for mitigating the network threat.