Minimal Schedule with Minimal Number of Agents in Attack-Defence Trees
Jaime Arias, ?ukasz Ma?ko, Wojciech Penczek, Laure Petrucci, Teofil Sidoruk
MMinimal Schedule with Minimal Number of Agents inAttack-Defence Trees
Jaime Arias
LIPN, CNRS UMR 7030, Université Sorbonne Paris NordVilletaneuse, France
Wojciech Penczek
Institute of Computer Science, PASWarsaw, Poland
Laure Petrucci
LIPN, CNRS UMR 7030, Université Sorbonne Paris NordVilletaneuse, France
Teofil Sidoruk
Institute of Computer Science, PASFaculty of Mathematics and Information Science, WarsawUniversity of TechnologyWarsaw, Poland
ABSTRACT
Expressing attack-defence trees in a multi-agent setting allows forstudying a new aspect of security scenarios, namely how the num-ber of agents and their task assignment impact the performance, e.g. attack time, of strategies executed by opposing coalitions. Op-timal scheduling of agents’ actions, a non-trivial problem, is thusvital. We discuss associated caveats and propose an algorithm thatsynthesises such an assignment, targeting minimal attack time andusing minimal number of agents for a given attack-defence tree.The complexity of the algorithm is proved to be quadratic in thenumber of the attack-defence tree nodes.
KEYWORDS
Attack-Defence Trees, Agents’ scheduling
ACM Reference Format:
Jaime Arias, Wojciech Penczek, Laure Petrucci, and Teofil Sidoruk. 2021.Minimal Schedule with Minimal Number of Agents in Attack-Defence Trees.In
Proc. of the 20th International Conference on Autonomous Agents andMultiagent Systems (AAMAS 2021), London, UK, May 3–7, 2021 , IFAAMAS,17 pages.
Security of safety-critical multi-agent systems [23] is one of themajor challenges. Attack-defence trees [3, 15] have been developedto evaluate the safety of systems and to study interactions betweenattacker and defender parties. They provide a simple graphicalformalism of possible attacker’s actions to be taken in order toattack a system and the defender’s defenses employed to protectthe system. Recently, it has been proposed to model attack-defencetrees (ADTrees) in an agent-based formalism, and more precisely,as asynchronous multi-agent systems (AMAS) extended with cer-tain ADTree characteristics [1, 20]. In this setting, one can reasonabout attack/defence scenarios on a new level, i.e. considering agentdistributions over tree nodes and their impact on the feasibilityand performance (quantified by metrics such as time and cost) ofattacking and defending strategies executed by specific coalitions.Both the number of available agents and their distribution overADTree nodes clearly affect these performance metrics. Hence,
Proc. of the 20th International Conference on Autonomous Agents and Multiagent Systems(AAMAS 2021), U. Endriss, A. Nowé, F. Dignum, A. Lomuscio (eds.), May 3–7, 2021, London,UK there arises the problem of optimal scheduling, that is, obtainingan assignment that achieves the lowest possible time or cost, whileusing the minimum number of agents required for an attack to befeasible. Here, we focus on the time metric. While there are someclear parallels with multi-processor task scheduling, the ADTreeformalism introduces a number of unique caveats to consider, ulti-mately causing our approach to differ from classical process sched-uling. To the best of our knowledge, this is the first paper that dealswith agents in this context. We present an algorithm for ADTreeswhich finds an optimal assignment of the minimal number of agentsfor a given ADTree.The rest of the paper is structured as follows. The next sec-tion briefly recalls the ADTree formalism and its translation tomulti-agent systems. In Section 3, several preprocessing steps arediscussed, including transforming the input tree to a DAG, normal-ising node attributes, and handling defences. Section 4 presentssteps performed by the main algorithm, as well as a proof of itscorrectness and optimality. The algorithm, implemented in our tool[5], is demonstrated in practice on three use cases in Section 5. Thefinal section contains conclusions and perspectives.
Related work.
ADTrees [15, 16] are a popular formalism that hasbeen implemented in a broad range of analysis frameworks [2, 4, 9,10], comprehensively surveyed in [17, 22]. They remain extensivelystudied today [8]. Of particular relevance is the ADTree to AMAStranslation [1], based on the semantics from [12]. Furthermore,the problem discussed in this paper is clearly related to parallelprogram scheduling [18], and in particular static scheduling witha task precedence graph, e.g. algorithms given by Hu [11] andCoffman and Graham [13]. However, only the initial labeling ofnodes is similar, and their bottom-up approach is inapplicable toADTrees. Instead, OR and defence nodes enforce sequential, top-down processing of multiple ADTree variants. Such branchingschedules have been previously explored, albeit using differentmodels that either include probability [21] or require an additionalDAG to store possible executions [7]. Zero duration nodes are alsounique to the ADTree setting.To the best of our knowledge, this is the first work dealing withagents in this context. Rather, scheduling in multi-agent systemstypically focuses on agents’ choices in cooperative or competitivescenarios, e.g. in models such as BDI [6, 19]. a r X i v : . [ c s . M A ] F e b ATTACK-DEFENCE TREES
To keep the paper self-contained, in this section we briefly recallthe basics of ADTrees and their translation to a multi-agent setting.
ADTrees are a well-known formalism that models security scenariosas an interplay between attacking and defending parties. Figure 1depicts basic constructs used in examples throughout the paper.For a more comprehensive overview, we refer the reader to [1]. 𝑎 (a) leaf(attack) 𝐴 𝑎 𝑎 𝑛 ··· (b) AND 𝐴 𝑎 𝑎 𝑛 ··· (c) OR 𝐴 𝑎 𝑎 𝑛 ··· (d) SAND 𝑑 (e) leaf(defence) 𝐴 𝑎 𝑑 (f) CAND 𝐴 𝑎 𝑑 (g) NODEF 𝐴 𝑎 𝑑 (h) SCAND
Figure 1: Basic ADTree constructs
Attacking and defending actions are depicted in red and green,respectively. Leaves represent individual actions at the highest levelof granularity. Different types of gates allow for modeling increas-ingly broad intermediary goals, all the way up to the root, whichcorresponds to the overall objective. OR and AND gates are definedanalogously to their logical counterparts.
SAND is a sequential vari-ant of the latter, i.e. the entire subtree 𝑎 𝑖 needs to be completedbefore handling 𝑎 𝑖 + . Although only shown in attacking subtreeshere, these gates may refine defending goals in the same manner.Reactive or passive countering actions can be expressed using gates CAND (counter defence; successful iff 𝑎 succeeds and 𝑑 fails), NODEF (no defence; successful iff either 𝑎 succeeds or 𝑑 fails), and SCAND (failed reactive defence; sequential variant of
CAND , where 𝑎 occursfirst). We collectively refer to gates and leaves as nodes .ADTree nodes may additionally have numerical attributes , e.g. the time needed to perform an attack, or its financial cost. Booleanfunctions over these attributes, called conditions , may then be asso-ciated with counter-defence nodes to serve as additional constraintsfor the success or failure of a defending action.In the following, the treasure hunters ADTree in Figure 2 will beused as a running example. While both the gatekeeper b and thedoor f need to be taken care of to steal the treasure ( ST ), just oneescape route (either h or e ) is needed to flee ( GA ), with TF enforc-ing sequentiality. Note the TS counter defence with an additionalconstraint on the police’s success p . The translation of ADTrees to multi-agent systems (MAS) wasproposed in [1]. To that end, the semantics of asynchronous MASfrom [12] was extended to account for node attributes and condi-tional constraints. Each ADTree node corresponds to a separateautomaton, with specific patterns used for different types of nodes.To minimise the impact of state space explosion, these automataembed certain reductions [20].
TS pTFSTb f GAh e (a) ADTree
Name Cost Time TS (treasure stolen) p (police) e
100 10 min TF (thieves fleeing) ST (steal treasure) 2 min b (bribe gatekeeper) e
500 1 h f (force arm. door) e
100 2 h GA (get away) h (helicopter) e
500 3 min e (emergency exit) 10 min Condition for
TS: init _ time ( p ) > init _ time ( ST ) + time ( GA ) (b) Attributes of nodes Figure 2: Running example: treasure hunters
In this setting, groups of agents working for the attacking anddefending parties can be considered. Note that the feasibility ofan attack is not affected by the number or distribution of agentsover ADTree nodes, while some performance metrics, such as time,clearly depend on both factors ( e.g. a lone agent can sequentiallyhandle all the actions, albeit usually much slower).
Consequently, the optimal distribution of agent coalitions is of vitalimportance for both parties, allowing them to prepare for multiplescenarios, depending on how many agents they can afford to recruit(thereby delaying or speeding up the completion of the main goal).For instance, the thieves in Figure 2, knowing the police responsetime, would have to plan accordingly by bringing a sufficiently largeteam and, more importantly, schedule their tasks to make the mostof these numbers. Thus, we can formulate two relevant and non-trivial scheduling problems.
The first one , not directly addressedhere, is obtaining the assignment using a given number of agentsthat results in optimal execution time.
The second one , on which wefocus in this paper, is synthesising an assignment that achieves aparticular execution time using the least possible number of agents.Typically, the minimum possible time is of interest here. As weshow in Section 3, this time is easily obtainable from the structureof the input ADTree itself (and, of course, the time attribute ofnodes). However, our approach can also target a longer attacktime if desired. In the next section, we discuss it in more detail asnormalisation of the input tree is considered, along with severalother preprocessing steps.
In this preprocessing step, an ADTree is transformed into DAGs(
Directed Acyclic Graphs ) of actions of the same duration. This isachieved by splitting nodes into sequences of such actions, mim-icking the scheduling enforced by ADTrees sequential gates, andconsidering the different possibilities of defences.Therefore, we introduce a sequential node
SEQ , which only waitsfor some input, processes it and produces some output. It is depictedas a lozenge (see nodes 𝑁 , 𝑁 , and 𝑁 in Figure 3).In what follows, we assume one time unit is the greatest commonfactor of time durations across all nodes in the input ADTree, i.e. 𝑡 unit = gcf ( 𝑡 𝑁 . . . 𝑡 𝑁 | 𝐴𝐷𝑇𝑟𝑒𝑒 | ) . By time slots , we refer to fragments ofthe schedule whose length is 𝑡 unit . That is, after normalisation, onegent can handle exactly one node of non-zero duration within asingle time slot. Note that, during the preprocessing steps describedin this section, node labels are preserved to ensure backwards trace-ability. Their new versions are either primed or indexed. It happens that several nodes have no time parameter set, and arethus considered to have a duration of 0. Such nodes play essentiallya structuring role.Proposition 3.1.
Nodes with duration can always be scheduledimmediately before their parent node or their last occurring child,using the same agent in the same time slot. Proof. Straightforward, as such nodes do not take any time. □ Our preprocessing will introduce nodes similar to
SEQ but with0 duration, depicted as trapeziums (see Figure 4) and called
NULL . The first pre-processing step prior to applying the scheduling algo-rithm normalises the time parameter of nodes.Proposition 3.2.
Any node 𝑁 of duration 𝑡 𝑁 = 𝑛 × 𝑡 unit , 𝑛 ≠ can be replaced with an equivalent sequence consisting of a node 𝑁 ′ (differing from 𝑁 only in its duration) and 𝑛 SEQ nodes 𝑁 , . . . , 𝑁 𝑛 of duration 𝑡 unit . Proof. Consider a node 𝑁 ′ identical to 𝑁 except for its duration 𝑡 𝑁 ′ =
0. Let 𝑁 ′ be followed by a sequence of 𝑛 SEQ nodes, each withduration 𝑡 unit . Together, 𝑁 ′ and the SEQ nodes form a sequence, and 𝑡 𝑁 = 𝑡 𝑁 ′ + 𝑡 𝑁 + · · · + 𝑡 𝑁 𝑛 = 𝑛 × 𝑡 unit . Furthermore, since 𝑁 ′ onlydiffers from 𝑁 in its duration, the conditions on their children arethe same, and are evaluated at the same time ( i.e. immediately aftersynchronisation with a sufficient number of children, and beforeany SEQ node is processed). Thus, replacing 𝑁 with the sequence 𝑁 ′ 𝑁 . . . 𝑁 𝑛 preserves the behaviour and duration, independentlyof the number of agents processing nodes. □ 𝑁 ′ 𝑁 𝑁 𝑁 lt rt 𝑁 lt rt Example 3.3.
Figure 3 shows the trans-formation of an
AND node 𝑁 with dura-tion 𝑡 𝑁 = 𝑡 unit . Each of the resultingnodes 𝑁 , 𝑁 and 𝑁 is of duration 𝑡 unit ,while 𝑁 ′ has a null duration. Figure 3: Normalising
AND node 𝑁 ( 𝑡 𝑁 = 𝑡 unit , 𝑡 𝑁 ′ = ) Sequential nodes
SAND enforce some scheduling. These are trans-formed into a sequence containing their subtrees and
NULL nodes.Proposition 3.4.
Any
SAND node 𝑁 with children subtrees 𝑇 , . . . , 𝑇 𝑛 can be replaced with an equivalent sequence 𝑇 , 𝑁 , 𝑇 , . . . , 𝑁 𝑛 − , 𝑇 𝑛 , 𝑁 𝑛 , where each 𝑁 𝑖 is a NULL node, its input is the output of 𝑇 𝑖 andits outputs are the leaves of 𝑇 𝑖 + (except for 𝑁 𝑛 which has the sameoutput as 𝑁 if any). Proof. Each
NULL node 𝑁 𝑖 occurs after its input and before itsoutput, so the sequentiality is preserved: 𝑇 𝑖 occurs before all leavesof 𝑇 𝑖 + which in turn occur before any other action in 𝑇 𝑖 + , and 𝑁 𝑛 occurs last. Moreover, since NULL nodes have 0 duration, they do notimpact the timing. Finally, note that, since the time normalisationoperation has been performed, it holds that 𝑡 𝑁 𝑖 =
0. Hence, thetransformation preserves both order of actions and timing. □ 𝑁𝐵𝑏 𝑏 𝑏 𝐴𝑎 𝑎 𝑎 𝐶𝑐 𝑐 𝑐 𝐴𝑎 𝑎 𝑎 𝑁 𝑏 𝐵𝑏 𝑏 𝑁 𝑐 𝐶𝑐 𝑐 𝑁 Example 3.5.
Let us consider the
SAND node 𝑁 depicted on the left-hand side ofFigure 4, where all nodes have alreadybeen processed by the time normali-sation. The transformation of Proposi-tion 3.4 leads to the DAG on the right-hand side of Figure 4 where subtrees 𝐴 , 𝐵 and 𝐶 occur in sequence, as imposedby the NULL nodes 𝑁 and 𝑁 betweenthem, and then action 𝑁 occurs. Figure 4: Normalising
SAND node 𝑁 The scheduling we are seeking to obtain will guarantee the nec-essary attacks are performed. Hence, when dealing with defencenodes, we can assume that all attacks are successful. However, theymay not be mandatory, in which case they should be avoided so asto obtain a better scheduling of agents.Taking into account each possible choice of defences will leadto as many DAGs representing the attacks to be performed. Thisallows for answering the question: “What is the minimal scheduleof attacker agents if these defences are operating?”
Composite defences.
Defences resulting from an
AND , SAND or OR between several defences are operating according to the success oftheir subtrees: for AND and
SAND , all subtrees should be operating,while only one is necessary for OR . This can easily be computed bya boolean bottom-up labelling of nodes. Note that different choicesof elementary defences can lead to disabling the same higher-levelomposite defence, thus limiting the number of DAGs that willneed to be considered for the scheduling. No Defence nodes (
NODEF ). A NODEF succeeds if its attack succeedsor its defence fails. Hence, if the defence is not operating, the attackis not necessary. Thus, the
NODEF node can be replaced by a
NULL node without children, and the children subtrees deleted. On thecontrary, if the defence is operating, the attack must take place.The defence subtree is deleted, while the attack one is kept, and the
NODEF node can be replaced by a
NULL node, as pictured in Figure 5.
Counter Defence (
CAND ) and Failed Reactive Defence (
SCAND ) nodes. A CAND succeeds if its attack is successful and its defence is not. A
SCAND behaves similarly but in a sequential fashion, i.e. the defencetakes place after the attack. In both cases, if the defence is notoperating, its subtree is deleted, while the attack one is kept, andthe
CAND (or
SCAND ) node can be replaced by a
NULL node, as was thecase in Figure 5c. Otherwise, the
CAND (or
SCAND ) node is deleted,as well as its subtrees. Moreover, it transmits its failure recursivelyto its parents, until a choice of another branch is possible. Thus, allancestors are deleted bottom up until an OR is reached.After this step, we have a set of DAGs with attack nodes only. 𝐴𝑎 𝑑 (a)
NODEF node 𝐴 ′ (b) Case 𝑑 fails 𝐴 ′ 𝑎 (c) Case 𝑑 operates Figure 5: Handling
NODEF 𝐴 OR nodes give the choice between several series of actions, onlyone of which will be chosen in an optimal assignment of events.However, one cannot simply keep the shortest branch of an OR node and prune all others. Doing so minimises attack time, but notnecessarily the number of agents. In particular, a slightly longer,but narrower branch may require fewer agents without increasingattack time, provided there is a longer sequence elsewhere in theDAG. Consequently, only branches that are guaranteed not to leadto an optimal assignment can be pruned, which is the case when abranch is the longest one in the entire graph. All other cases needto be investigated, leading to multiple variants depending on the OR branch executed, similar to the approach for defence nodes. Figures 6 and 7 detail the preprocessing of the treasure huntersexample step by step. The time unit is one minute. Long sequencesof
SEQ are shortened with dotted lines. Note that when handlingthe defence, at step 3, we should obtain two DAGs correspondingto the case where the defence fails (see Figure 7b), or where thedefence is successful. This latter case leads to an empty DAG whereno attack can succeed. Therefore, we can immediately concludethat if the police is successful, there is no scheduling of agents. TS ′ p p p ′ TF ′ ST ST ST ′ b b b ′ f f f ′ GA ′ h h h h ′ e e e ′ Figure 6: Treasure hunters ADTree: time normalisation TS ′ p p p ′ TF ′ GA ′ h h h h ′ e e e ′ TF ′ ST ST ST ′ b b b ′ f f f ′ (a) Schedulingenforcement TS ′ TF ′ GA ′ h h h h ′ e e e ′ TF ′ ST ST ST ′ b b b ′ f f f ′ (b) Handlingfailed defence TS ′ TF ′
125 0 GA ′
125 0 h
125 0 h
124 1 h
123 2 h ′
122 3 TF ′
122 3 ST
122 3 ST
121 4 ST ′
120 5 b
60 5 b b ′ f
120 5 f f ′ (c) ApplyingAlgorithms 1 and 2 andhandling OR nodes Figure 7: Treasure hunters ADTree: final preprocessing steps(left, middle) and initial part of the main algorithm (right)
BEST MINIMAL AGENT ASSIGNMENT
At this stage, we have DAGs where nodes are either (i) a leaf, or oftype
AND , OR , or NULL , all with duration 0 or (ii) of type
SEQ withduration 𝑡 unit . Its branches mimic the possible runs in the system.The algorithm’s input is a set of DAGs preprocessed as describedin Section 3, corresponding to possible configurations of defencenodes’ outcomes in the original ADTree. For each of these DAGs, 𝑛 denotes the number of SEQ nodes (all other ones have 0-duration).Furthermore, nodes (denoted by 𝑁 ) have some attributes: their type ; four integers depth , level , agent and slot , initially with value0. The values of depth and level denote, respectively, the height of anode’s tallest subtree and the distance from the root (both withoutcounting the zero duration nodes), while agent and slot store anode’s assignment in the schedule.We first compute the nodes’ depth in Section 4.1, then computethe level of nodes in Section 4.2, and finally compute an optimalscheduling in Section 4.4. Starting from the root, the DAG is explored by Algorithm 1 in aDFS ( depth first search ) and depth is computed during backtracking, i.e. starting from the leaves. The computation for the different typesof nodes is as follows:
LEAF node:
After the time normalisation, a leaf node takes 0time. It may still be an actual leaf, and its total duration is also 0since it has no children (not satisfying condition at l. 3). Or, it mayhave a child due to scheduling enforcement, and then its time isthe same as the one of its only child (l. 10).
SEQ node:
Its duration is one 𝑡 unit , which must be added to theduration of its only child to obtain the minimum time of executionfrom the start (l. 4–5). AND node:
All children must be completed before it occurs. There-fore, its minimal time is the maximum one of all its children (l. 6–7). OR node: One child must complete for the OR node to happen.Its time is thus the minimal one of all its children (l. 8– 9). NULL node:
Note that, by construction, a
NULL node may haveseveral parents but a single child. Its duration being null, its time isthe same as the one of its only child (l. 10).Note that the condition at l. 2 avoids a second exploration of anode which has already been handled in another branch.
Algorithm 1:
DepthNode( node ) for 𝑁 ∈ child ( node ) do if 𝑁 .𝑑𝑒𝑝𝑡ℎ = then DepthNode ( 𝑁 ) if child ( node ) ≠ ∅ then if node . type = SEQ then node . depth ← 𝑁 . depth + s.t. { 𝑁 } = child ( node ) else if node . type = AND then node . depth ← max ({ 𝑁 . depth | 𝑁 ∈ child ( node )}) else if node . type = OR then node . depth ← min ({ 𝑁 . depth | 𝑁 ∈ child ( node )}) else node . depth ← 𝑁 . depth , s.t. { 𝑁 } = child ( node ) Levels are assigned recursively, starting with the root, using aDFS. Algorithm 2 computes nodes’ levels. It first assigns the node’slevel (l. 1). Note that in case of multiple parents (or ancestors withmultiple parents), the longest path to the root is kept.
Algorithm 2:
LevelNode( node , 𝑙 ) node . level ← max ( 𝑙, node . level ) for 𝑁 ∈ child ( node ) do if node . type = SEQ then
LevelNode ( 𝑁, 𝑙 + ) else LevelNode ( 𝑁, 𝑙 ) The upper bound on the number of agents is obtained from themaximal width of the preprocessed DAG, i.e. the maximal numberof
SEQ nodes assigned the same value of level .The minimal attack time is easily obtained from the number oflevels 𝑙 in the preprocessed DAG. Note that the longest path from theroot to a leaf has exactly 𝑙 nodes of non-zero duration. Clearly, noneof these nodes can be executed in parallel, therefore the number oftime slots cannot be smaller than 𝑙 . Thus, if an optimal schedule of 𝑙 × 𝑡 unit is realisable, the 𝑛 nodes must fit in a schedule containing 𝑙 time slots. Hence, the lower bound on the number of agents is ⌈ 𝑛𝑙 ⌉ . There is, however, no guarantee that it can be achieved, andintroducing additional agents may be necessary. The algorithm for obtaining a schedule with the minimal attacktime and also minimising the number of agents is given in Algo-rithm 3. Input DAGs are processed sequentially, a schedule returnedfor each one. Not restricting the output to the overall minimumallows to avoid “no attack” scenarios where the time is 0 ( e.g. fol-lowing a defence failure on a root
NODEF node). Furthermore, withinformation on the repartition of agents for a successful minimaltime attack in all cases of defences, the defender is able to decidewhich defences to enable according to these results (and maybe thecosts of defences).The actual computation of the schedule is handled by the func-tion Schedule (Algorithm 4). Starting from the root and goingtop-down, all
SEQ nodes at the current level are added to set 𝑆 . Theother nodes at that level have a null duration and can be scheduledafterwards with either a parent or child. Nodes in 𝑆 are assignedan agent and time slot, prioritising those with higher depth ( i.e. taller subtrees), as long as an agent is available. Assigned nodesare removed from 𝑆 , and any that remains ( e.g. when the boundwas exceeded) is carried over to the next level iteration. Note thatat this point it is possible for a parent and child node to be in 𝑆 concurrently, but since higher depth takes precedence, they willnever be scheduled in the wrong order. In such cases, an extra checkin the while loop avoids scheduling both nodes to be executed inparallel.Algorithm 4 calls function ReshuffleSlot after the completeassignment of a time slot at l. 10 to ensure consistent assignmentof sub-actions of the same ADTree node. Note that dependingn 𝑑𝑒𝑝𝑡ℎ , a sub-action may be moved to the next slot, creating aninterrupted schedule where an agent stops an action for one or moretime units to handle another. Alternatively, agents may collaborate,each handling a node’s action for a part of its total duration. Suchassignments could be deemed unsuitable for specific attack-defencescenarios, e.g. defusing a bomb, in which case manual reshufflingor adding extra agent(s) is left to the user’s discretion.At this point, either the upper or the lower bound on the numberof agents is adjusted, depending on whether the resulting scheduleis valid (that is, there are no nodes left to assign at the end). Sched-uling is then repeated for these updated values until the minimalnumber of agents is found ( i.e. the two bounds are equal).After the complete computation for a given DAG, l. 22 calls func-tion ZeroAssign in order to obtain assignments for all remainingnodes, i.e. those of zero duration. Functions ReshuffleSlot andZeroAssign are detailed in Sections 4.5 and 4.6, respectively.Although this algorithm assumes the minimal time is of interest,it can be easily modified to increase the number of time slots, thussynthesising the minimal number of agents required for a successfulattack of any given duration. Algorithm 3:
MinSchedule(
DAG _ set ) output = ∅ while DAG_set ≠ ∅ do Pick
DAG ∈ DAG _ set if DAG .𝑛 = then continue ⊲ Skip empty DAGs DepthNode ( 𝑟𝑜𝑜𝑡 ( DAG )) ⊲ Compute depth of nodes DAG ← DAG \ { 𝑁 | ¬ 𝑁 . keep } LevelNode ( 𝑟𝑜𝑜𝑡 ( DAG ) , ) ⊲ Compute level of nodes slots ← 𝑟𝑜𝑜𝑡 ( DAG ) . depth lower _ bound ← ⌈ DAG .𝑛 slots ⌉ − max _ agents ← max 𝑗 (|{ 𝑁 : 𝑁 . type = SEQ ∧ 𝑁 . level = 𝑗 }|) ⊲ Max width of a level (concurrent SEQ nodes) upper _ bound ← max _ agents curr _ output = ∅ while ( upper_bound − lower_bound > ) do agents ← lower _ bound + ⌊ upper _ bound − lower _ bound ⌋ ( candidate , n _ remain ) ← Schedule ( DAG , slots , agents ) if n_remain = then ⊲ Candidate schedule OK upper _ bound ← agents curr _ output ← candidate else lower _ bound = agents ⊲ Cand. schedule not OK if upper_bound = max_agents then ( curr _ output , _ ) ← Schedule ( DAG , slots , max _ agents ) ZeroAssign ( DAG ) output ← output ∪ curr _ output DAG _ set ← DAG _ set \ DAG return output A separate subprocedure, given in Algorithm 5, swaps assignedagents between nodes at the same level so that the same agent
Algorithm 4:
Schedule(
DAG , slots , agents ) 𝑙 ← , slot ← slots , 𝑆 ← ∅ , n _ remain ← DAG .𝑛 while n_remain > and slot > do agent ← 𝑆 ← 𝑆 ∪ { 𝑁 | 𝑁 . type = SEQ ∧ 𝑁 . level = 𝑙 } while agent ≤ agents and 𝑆 ≠ ∅ and (Pick 𝑁 ∈ 𝑆 , s.t. ∀ 𝑁 ′ ∈ 𝑆 𝑁 . depth ≥ 𝑁 ′ . depth ∧∀ 𝑁 ′ : 𝑁 ′ . slot = slot 𝑁 ′ ∉ 𝑎𝑛𝑐𝑒𝑠𝑡𝑜𝑟𝑠 ( 𝑁 )) ≠ ∅ do 𝑁 . agent ← agent 𝑁 . slot ← slot agent ← agent + , n _ remain ← n _ remain − 𝑆 ← 𝑆 \ { 𝑁 } ReshuffleSlot ( slot , agent − ) 𝑙 ← 𝑙 + , slot ← slot − 𝑜𝑢𝑡𝑝𝑢𝑡 ← (cid:208) 𝑁 ∈ DAG {( 𝑁 . agent , 𝑁 . slot )} return 𝑜𝑢𝑡𝑝𝑢𝑡, n _ remain handles all SEQ nodes in sequences obtained during the time nor-malisation step ( i.e. corresponding to a single node in the originalADTree).
Algorithm 5:
ReshuffleSlot( 𝑠𝑙𝑜𝑡, 𝑛𝑢𝑚 _ 𝑎𝑔𝑒𝑛𝑡𝑠 ) for 𝑎𝑔𝑒𝑛𝑡 ∈ { ..𝑛𝑢𝑚 _ 𝑎𝑔𝑒𝑛𝑡𝑠 } do current _ node ← 𝑁 , s.t. 𝑁 . agent = agent ∧ 𝑁 . slot = slot par _ agent ← parent ( current _ node ) . agent if par_agent ≠ agent ∧ par_agent ≠ then if ∃ 𝑁 ′ ≠ current_node, s.t. 𝑁 ′ . agent = par_agent ∧ 𝑁 ′ . slot = slot then 𝑁 ′ . agent ← agent ⊲ Swap with 𝑁 ′ if it exists 𝑁 ′ . slot ← slot current _ node . agent ← par _ agent current _ node . slot ← slot Proposition 4.1.
Reshuffling the assignment by swapping theagents assigned to a pair of nodes in the same slot does not affect thecorrectness of the scheduling.
Proof. First, note that the procedure does not affect nodeswhose parents have not yet been assigned an agent (l. 4). Hence,reshuffling only applies to
SEQ nodes (since the assignment of 0 du-ration nodes occurs later in the main algorithm MinSchedule). Fur-thermore, changes are restricted to pairs of nodes in the same timeslot, so swapping assigned agents between them cannot break theexecution order and does not affect the schedule correctness. □ After all non-zero duration nodes have been assigned and possiblyreshuffled at each level, Algorithm 6 handles the remaining nodes.Our choice here stems from the ADTree gate the node originatesfrom. We first assign zero-duration nodes to the same agent and thesame time slot as their parent if the parent is a
SEQ node (l. 2–6).Of the remaining ones, nodes of type
NULL , OR and LEAF get thesame assignment as their only child if any, or as their parent ifhey have no child (l. 8–19). The latter case may happen for
NULL when handling defences as in e.g.
Figure 5b, and for
LEAF nodeswith originally a null duration.
AND nodes are assigned the sameagent and time slot as the child that occurs last (l. 20–30).Note that in all cases the agents (and time slots) assigned to zeroduration nodes are the same as those of their immediate parents orchildren. Consequently, no further reshuffling is necessary.Proposition 4.2.
Adding nodes of zero duration to the assignmentin Algorithm 6 does not affect the correctness of the scheduling.
Proof. Since all remaining nodes have zero duration, no extraagents or time slots are necessary. In all cases, the zero durationnode is assigned with either its immediate parent or child, preserv-ing the correct execution order. Consider possible cases at each stepof the algorithm: • l. 2–6: Nodes with a SEQ parent are the final nodes of se-quences obtained during time normalisation. Clearly, theycan be assigned the same agent and time slot as their imme-diate parent without affecting the schedule. • l. 8–19: OR nodes: in each DAG variant (see Section 3.5), theyare guaranteed to have a single child node and can be sched-uled together with this child provided the correspondingsub-DAG has some duration. NULL and
LEAF nodes have a single child if any and are han-dled analogously to OR , being assigned the same agent astheir child. Note that LEAF nodes can have gotten this childduring e.g. the scheduling enforcement step (see Section 3.3). OR , NULL and
LEAF nodes with no child or a child sub-DAGwith no duration are assigned as their parent. If a
NULL nodehas several parents due to sequence enforcement, it gets thesame assignment as its parent that occurs first. • l. 20–30: In case all children are never able to get an assign-ment, i.e. they are subtrees of null duration and can be iden-tified with a depth 0, the AND node gets the same assignmentas its parent.Otherwise,
AND nodes are also scheduled together with oneof their children. Note that the
AND condition is satisfied onlyif all its longest children have completed, therefore the onethat occurs last, i.e. has the biggest time slot, is chosen (l. 20–30). Furthermore, note that since children subtrees with anull duration are discarded, such children of the
AND nodehave already been assigned an agent at that point.The pathological case of a full ADTree with no duration is nothandled since the algorithm is not called for such DAGs. □ We now consider the algorithm’s complexity and prove that itachieves its intended goal.Proposition 4.3.
Algorithm 3 is in O( 𝑘𝑛 log 𝑛 ) , where 𝑘 is thenumber of input DAG variants, and 𝑛 their average number of nodes. Proof. Initially, DepthNode, and LevelNode each visit all DAGnodes, hence 2 𝑛 operations. In Schedule, the outer while loop (l. 2)iterates over nodes of non-zero duration; its inner loop and Reshuf-fleSlot both operate within a single time slot. Overapproximating Algorithm 6:
ZeroAssign(
DAG ) 𝑆 ← { 𝑁 | 𝑁 . agent = } ⊲ Nodes not assigned yet for node ∈ 𝑆 do if 𝑁 ∈ parent ( node ) ∧ 𝑁 . type = SEQ then node . agent ← 𝑁 . agent node . slot ← 𝑁 . slot 𝑆 ← 𝑆 \ { node } while 𝑆 ≠ ∅ do for node ∈ 𝑆 s.t. 𝑛𝑜𝑑𝑒.𝑡𝑦𝑝𝑒 ∈ { NULL , OR , LEAF } do if 𝑁 . agent ≠ s.t. 𝑁 ∈ child ( node ) then node . agent ← 𝑁 . agent node . slot ← 𝑁 . slot 𝑆 ← 𝑆 \ { node } if ( child ( node ) = ∅ ∨( 𝑁 . depth = s.t. 𝑁 ∈ child ( node ))) then parent _ node ← 𝑁 ∈ parent ( node ) s.t. ∀ 𝑁 ′ ∈ parent ( node ) 𝑁 . slot ≤ 𝑁 ′ . slot if parent_node .𝑎𝑔𝑒𝑛𝑡 ≠ then node . agent ← parent _ node . agent node . slot ← parent _ node . slot 𝑆 ← 𝑆 \ { node } for node ∈ 𝑆 s.t. node . type = AND do if node . depth = ∧ parent ( node ) .𝑎𝑔𝑒𝑛𝑡 ≠ then node . agent ← parent ( node ) . agent node . slot ← parent ( node ) . slot 𝑆 ← 𝑆 \ { node } if node . depth ≠ ∧∀ 𝑁 ∈ child ( node ) ( 𝑁 . agent ≠ ∨ 𝑁 . depth = ) then child _ node ← 𝑁 ∈ child ( node ) s.t. ∀ 𝑁 ′ ∈ child ( node ) 𝑁 . slot ≥ 𝑁 ′ . slot node . agent ← child _ node . agent node . slot ← child _ node . slot 𝑆 ← 𝑆 \ { node } these numbers by 𝑛 puts the function at no more than 𝑛 opera-tions. The schedule computation is repeated at most log 𝑛 times ina divide-and-conquer strategy (l. 13).Finally, ZeroAssign visits all zero duration nodes (again over-approximated by 𝑛 ), performing at most 2 𝑛 iterations for each, fora total of 2 𝑛 . Thus, the complexity of processing a single DAGis O( 𝑛 + 𝑛 log 𝑛 + 𝑛 ) = O( 𝑛 log 𝑛 ) , and O( 𝑘𝑛 log 𝑛 ) for thewhole input set. □ Proposition 4.4.
The assignments returned by Algorithm 3 usethe minimal number of agents for each variant DAG ∈ DAG_set toachieve the attack in minimal time.
Proof. Consider any
DAG ∈ DAG _ set . The algorithm first as-signs the depth and level of nodes. Let L denote the number oflevels in DAG , and 𝐿 𝑖 the set of nodes at the 𝑖 -th level. We will firstshow that the assignment is correct , i.e. there are enough agents tohandle all nodes in the correct execution order without conflicts.Correctness of the execution order is straightforward: Scheduleassigns time slot 1 to leaves at the bottom level, subsequent slotso their ancestors, and finally the last one L to the root node. Anynodes executed in parallel ( i.e. at the same level) are guaranteedto be assigned to different agents (l. 8). After discarding an invalidassignment, agents increases, ensuring all nodes are handled (l. 14).We will now show that this assignment is also optimal . First,note that the number of time slots is fixed at 𝐿 (Algorithm 3, l. 8),and only the number of agents is adjusted. Hence, the total attacktime is always minimal, i.e. 𝐿 × 𝑡 unit , where L = 𝑟𝑜𝑜𝑡 ( DAG ) .𝑑𝑒𝑝𝑡ℎ .By induction on subsequent levels 𝐿 𝑖 , we can show agents arealso optimally assigned at each one. The case for the top level 𝐿 istrivial: it only contains the root node, which cannot be executed inparallel with any other. As such, it can be assigned to any agent.Suppose that the assignment of agents and time slots for allnodes down to and including level 𝐿 𝑖 is optimal. At 𝐿 𝑖 + , there aretwo possibilities to consider. If | 𝐿 𝑖 + | ≤ agents , enough agents areavailable to handle all nodes at 𝐿 𝑖 + in parallel, so the assignmentup to level 𝐿 𝑖 + cannot be improved upon. Conversely, if | 𝐿 𝑖 + | > agents , some nodes will be carried over to 𝐿 𝑖 + .However, the final assignment (l. 21) is obtained for the lowestnumber of agents that did not produce an invalid schedule discaredduring a previous loop cycle (l. 16). Therefore, decreasing the num-ber of agents further is impossible without adding an extra slotinstead, and so the assignment up to level 𝐿 𝑖 + also cannot be im-proved in this case. The optimality is not affected by ReshuffleSlotand ZeroAssign, since neither procedure adds extra agents.Thus, for any DAG ∈ DAG _ set , the induction step follows fromthe fact time slots are filled exhaustively wherever possible, usingthe lowest number of agents that does not leave unassigned nodes.We have proven that the algorithm, always using the minimalnumber of time slots L , assigns the minimal number of agents for allinput DAG variants. Since the latter are equivalent to the originalADTree w.r.t. scheduling (by Propositions 3.1, 3.2 and 3.4), it alsoholds that the assignment is optimal for the original ADTree. □ We now apply these algorithms to the treasure hunters example.Figure 7c shows the output of the three initial subprocedures. Depthof nodes assigned by Algorithm 1 is displayed in green. The branchcorresponding to attack e has been pruned as per Section 3.5. Levelsassigned by Algorithm 2 are displayed in blue. Finally, the agentsassignment computed by Algorithm 3 is shown in Figure 8. We have implemented the algorithms presented in this paper in ourtool [5], which exports each step presented above as Tikz figures,allowing to understand and visualise them. In the following, wepresent its application to the use cases from [1], plus examples thatfeature some specific behaviour. The user can find all the figuresand tables of the examples in the supplementary material of thispaper, which will later be available on the tool webpage. forestall.
This case study models forestalling a software instance.Depending on the active defences, 4 cases are possible. However,the DAG for no active defence or only id active is the same. Allthree remaining DAGs have an optimal schedule with only 1 agent,in 43 days for the no defence (or id only) case, 54 if only scr isactive, and 55 if both defences occur. Although only a single agent is slot agent 1 2125 h , GA ′ , TF ′ , TS ′ h h , h ′ ST , TF ′ ST , ST ′ f b · · · · · · · · · f b , b ′ f · · · · · · f , f ′ Figure 8: Treasure hunters: Assignment of Algorithm 3 needed to achieve the attack in minimal time, the schedule exhibitswhich specific attacks must be performed to do so. iot-dev.
This example models an attack on an IoT device via anetwork. There are 4 cases, according to the active defences, butonly the one with no defence leads to a DAG. Indeed, tla causesthe failure of
GVC which in turn makes
APN and then
APNS fail,independent of inc . Thus the attack necessarily fails. This is alsothe case if defence inc is active. The only way for an attack tosucceed is that all defences fail, leading to an optimal schedule in694 minutes with 2 agents. Hence an attacker will use 2 agents toperform the fastest attack. On the other hand, the defender knowsthat a single one of the two defences is sufficient to block any attack. gain-admin.
This third case study features an attacker trying togain administration privileges on a computer system. There are 16possible defences combinations, which are covered by only 3 cases: scr is not active; scr is active but not
DTH ; both of them are active.In all three cases, the shortest attack requires only a single agent,and can be scheduled in 2942, 4320 and 5762 minutes, respectively.
Exhibiting particular scheduling features.
Experiments were con-ducted on the example used in [1] to evaluate the impact of thenumber of agents on the attack time and two small examples de-signed to exhibit particular characteristics of the schedule. Ouralgorithm confirms an optimal schedule in 5 minutes with 6 agentsfor the example of [1]. Then, interrupted , shows that the schedulingalgorithm can produce an the interleaved execution of two attacks( b and e ), assigned to the same agent. Finally, the last exampleprovides a succession of nodes with 0 duration ( a ′ , e ′ , f ′ , h ′ and i ′ ), and shows they are handled as expected. Scaling example.
In the scaling example, the first agent processesthe longest path while the second agent handles all other actions.It is extended to analyse the scaling capabilities of the schedulingalgorithm. For this purpose, we wrote an automatic generator ofADTrees and a notebook that processes the output of our tool inorder to create Figure 9. The parameters of the generated ADTreesare the depth , the width corresponding to the number of deepmostleaves, the number of children for each
AND , and the total numberof nodes . All nodes have time 1 except the first leaf that has time idth −
1. The results show that the number of agents is not propor-tional to the width of the tree (red bars), and the optimal schedulingvaries according to the time of nodes. d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n d _ w _ c _ n ADTree ConfigurationADTree Configuration A g e n t s S l o t s Figure 9: Scalability of different agent configurations
This paper has presented an agents scheduling algorithm that al-lows for evaluating attack/defence models. It synthesises a minimalnumber of agents and their schedule, providing insight to bothparties as to the number of agents and actions necessary for asuccessful attack, and the defences required to counter it.A natural extension will be to consider characteristics other thantime ( e.g. cost) and more importantly the additional constraints as-sociated with nodes. A complete framework for not only analysingbut also synthesising configurations of agents and their scheduleto achieve a given goal in a multi-agent system. Targeting moreelaborate goals, expressed in the TATL logic [14], will allow foranalysing more general multi-agent systems and their properties.
ACKNOWLEDGMENTS
We would like to thank Łukasz Maśko for his valuable commentson the paper.
REFERENCES [1] Jaime Arias, Carlos E. Budde, Wojciech Penczek, Laure Petrucci, Teofil Sidoruk,and Mariëlle Stoelinga. 2020. Hackers vs. Security: Attack-Defence Trees asAsynchronous Multi-agent Systems. In . Springer, 3–19. https://doi.org/10.1007/978-3-030-63406-3_1[2] Florian Arnold, Dennis Guck, Rajesh Kumar, and Mariëlle Stoelinga. 2015. Se-quential and Parallel Attack Tree Modelling. In
Proceedings of SAFECOMP 2015Workshops, Delft, The Netherlands, September 22, 2015 . Springer, 291–299.[3] Zaruhi Aslanyan and Flemming Nielson. 2015. Pareto Efficient Solutions ofAttack-Defence Trees. In
Proceedings of the 4th Conference on Principles of Securityand Trust, POST 2015, London, UK, April 11-18, 2015 . Springer, 95–114.[4] Zaruhi Aslanyan, Flemming Nielson, and David Parker. 2016. QuantitativeVerification and Synthesis of Attack-Defence Scenarios. In
Proceedings of the 29thIEEE Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, June27 - July 1, 2016 . IEEE, 105–119.[5] Anonymous Authors. 2020. Tool name and access URL anonymised.[6] Michael Dann, John Thangarajah, Yuan Yao, and Brian Logan. 2020. Intention-Aware Multiagent Scheduling. In
Proceedings of the 19th International Conferenceon Autonomous Agents and Multi-agent Systems, AAMAS ’20, Auckland, NewZealand, May 9-13, 2020 . IFAAMAS, 285–293.[7] Hesham El-Rewini and Hesham H. Ali. 1995. Static Scheduling of ConditionalBranches in Parallel Programs.
Journal of Parallel and Distributed Computing
Proceedings of the 33rd IEEE ComputerSecurity Foundations Symposium, CSF 2020, Boston, MA, USA, June 22-26, 2020 .IEEE, 395–410.[9] Olga Gadyatskaya, René Rydhof Hansen, Kim Guldstrand Larsen, Axel Legay,Mads Chr. Olesen, and Danny Bøgsted Poulsen. 2016. Modelling Attack-DefenseTrees Using Timed Automata. In
Formal Modeling and Analysis of Timed Systems .Vol. 9884. Springer, 35–50.[10] Marco Gribaudo, Mauro Iacono, and Stefano Marrone. 2015. Exploiting BayesianNetworks for the Analysis of Combined Attack Trees.
Electronic Notes in Theo-retical Computer Science
310 (2015), 91–111.[11] Te Chiang Hu. 1961. Parallel Sequencing and Assembly Line Problems.
OperationsResearch
9, 6 (1961), 841–848.[12] Wojciech Jamroga, Wojciech Penczek, Piotr Dembinski, and Antoni Mazurkiewicz.2018. Towards Partial Order Reductions for Strategic Ability. In
Proceedings ofthe 17th International Conference on Autonomous Agents and Multi-agent Systems,AAMAS ’18, Stockholm, Sweden, July 10-15, 2018 . ACM, 156–165.[13] Edward G. Coffman Jr. and Ronald L. Graham. 1972. Optimal Scheduling forTwo-Processor Systems.
Acta Informatica
Journal of ArtificialIntelligence Research
66 (2019), 197–223.[15] Barbara Kordy, Sjouke Mauw, Sa ˇs a Radomirović, and Patric Schweitzer. 2011.Foundations of Attack-Defense Trees. In FAST 2010 (LNCS, Vol. 6561) . Springer,80–95.[16] Barbara Kordy, Sjouke Mauw, Sa ˇs a Radomirović, and Patrick Schweitzer. 2014.Attack–Defense Trees. Journal of Logic and Computation
24, 1 (2014), 55–87.[17] Barbara Kordy, Ludovic Piètre-Cambacédès, and Patrick Schweitzer. 2014. DAG-based Attack and Defense Modeling: Don’t Miss the Forest for the Attack Trees.
Computer Science Review
ACM Computing Surveys
31, 4 (1999), 406–471.[19] Ingrid Nunes and Michael Luck. 2014. Softgoal-based Plan Selection in Model-driven BDI Agents. In
Proceedings of the 13th International conference on Au-tonomous Agents and Multi-agent Systems, AAMAS ’14, Paris, France, May 5-9,2014 . IFAAMAS, 749–756.[20] Laure Petrucci, Michal Knapik, Wojciech Penczek, and Teofil Sidoruk. 2019.Squeezing State Spaces of (Attack-Defence) Trees. In . IEEE, 71–80.[21] Donald F. Towsley. 1986. Allocating Programs Containing Branches and LoopsWithin a Multiple Processor System.
IEEE Transactions on Software Engineering
12, 10 (1986), 1018–1024.[22] Wojciech Widel, Maxime Audinot, Barbara Fila, and Sophie Pinchinat. 2019.Beyond 2014: Formal Methods for Attack Tree-based Security Modeling.
ACMComputing Surveys
52, 4 (2019), 75:1–75:36.[23] Michael J. Wooldridge. 2002.
An Introduction to Multiagent Systems . John Wiley& Sons. S leveldepth 043 FS FS ′ dtm dtm dtm ′ FS ′ icp icp icp ′ FS ′ SC ′ PRS ′ PR ′ rfc ′ PR ′ reb reb reb reb ′ PR ′ hr hr hr ′ (a) Cases no defenceor id active FS leveldepth 054 FS FS ′ dtm dtm dtm ′ FS ′ icp icp icp ′ FS ′ SC ′ NAS ′ NA NA ′ heb heb heb heb ′ NA ′ sb ′ NA ′ hh hh hh ′ (b) Case scr active FS leveldepth 055 FS FS ′ dtm dtm dtm ′ FS ′ icp icp icp ′ FS ′ SC ′ BRB BRB BRB BRB ′ psc psc psc ′ BRB ′ bp bp bp ′ (c) Case id and scr active Figure 11: Preprocessing the forestall
ADTree.
A FORESTALL
FSicp dtmSCNAS PRSBRBbp psc NAhebsbhh id PRreb rfchr scr
Name Cost Time FS : forestalling of softw. e SC : steal code e PRS : physical robbery succ. e PR : physical robbery e NAS : network attack succ. e NA : network attack e BRB : bribe e icp : integr. code in prod. e
2k 15 d dtm : deploy to market e
1k 5 d scr : secure coding rooms e
5k 0 d rfc : rob. finds code e reb : rob. enters building e
500 3 d hr : hire robber e
4k 10 d id : intrusion detection e
200 1 d heb : hacker exploits bug e sb : system has a bug e hh : hire hacker e
1k 20 d psc : progr. steals code e bp : bribe programmer e
2k 15 d
Figure 10: Forestall a software release ( forestall )able 1: Assignment for forestall (a) DAG (a) slot agent 11 hr ′ , hr hr · · · · · · hr PR ′ , hr reb ′ , reb reb FS ′ , PR ′ , PR ′ , PRS ′ , SC ′ , reb , rfc ′ icp ′ , icp icp · · · · · · icp FS ′ , icp dtm ′ , dtm dtm · · · · · · dtm FS ′ , FS FS · · · · · · FS (b) DAG (b) slot agent 11 hh ′ , hh hh · · · · · · hh NA ′ , NA ′ , hh , sb ′ heb ′ , heb heb heb FS ′ , NA ′ , NAS ′ , NA , SC ′ icp ′ , icp icp · · · · · · icp FS ′ , icp dtm ′ , dtm dtm · · · · · · dtm FS ′ , FS FS · · · · · · FS (c) DAG (c) slot agent 11 bp ′ , bp bp · · · · · · bp BRB ′ , bp psc ′ , psc psc · · · · · · psc BRB ′ , BRB BRB BRB , FS ′ , SC ′ icp ′ , icp icp · · · · · · icp FS ′ , icp dtm ′ , dtm dtm · · · · · · dtm FS ′ , FS FS · · · · · · FS IoTD ′ rms rms rms ′ CIoTD ′ esv esv esv ′ CIoTD ′ APNS APNS ′ APN inc inc ′ APN APN ′ CPN ′ GVC ′ gc tla tla ′ gc gc ′ AL ′ AW ′ bwk bwk bwk ′ AW ′ fw fw fw ′ sma sma sma ′ AL ′ flp flp flp ′ (a) Steps 1, 2: Time normal-isation and scheduling en-forcement CIoTD ′ rms rms rms ′ CIoTD ′ esv esv esv ′ CIoTD ′ APNS APNS ′ APN APN APN ′ CPN ′ GVC ′ gc gc gc ′ AL ′ AW ′ bwk bwk bwk ′ AW ′ fw fw fw ′ sma sma sma ′ AL ′ flp flp flp ′ (b) Step 3: All faileddefenses CIoTD ′ leveldepth 0694 rms rms rms ′ CIoTD ′ esv esv esv ′ CIoTD ′ APNS APNS ′ APN APN APN ′ CPN ′ GVC ′ gc gc gc ′ AL ′ sma sma sma ′ AL ′ flp flp flp ′ (c) Applying Al-gorithms 1 and 2and handling OR nodes Figure 13: Preprocessing the iot-dev
ADTree. When either tla or inc are enabled, step 3 produces an empty DAG. Table 2: Assignment for iot-dev slot agent 1 21 gc ′ , gc gc · · · · · · gc gc flp ′ , flp gc flp · · · · · · · · · gc flp gc AL ′ , flp gc sma ′ , sma gc sma · · · · · · · · · gc sma GVC ′ , gc AL ′ , CPN ′ , sma APN ′ , APN APN APN APNS ′ , APNS , CIoTD ′ esv ′ , esv esv · · · · · · esv CIoTD ′ , esv rms ′ , rms rms · · · · · · rms CIoTD ′ , rms B IOT-DEV
CIOTDesv rmsAPNSAPNCPNALflp sma AWfw bwkGVCgc tlainc
Name Cost Time
CIOTD : compromise IoT device e APNS : access private net. succ. e APN : access private net. e GVC : get valid credentials e CPN : connect to private net. e AW : access WLAN e AL : access LAN e rms : run malicious script e
100 30 m esv : exploit soft. vulnerab. e
10 1 h inc : inform of new connect. e tla : two-level authentic. e gc : get credentials e
100 10 h bwk : break WPA keys e
100 2 h fw : find WLAN e
10 5 h sma : spoof MAC address e
50 30 m flp : find LAN port e
10 1 h
Figure 12: Compromise IoT device ( iot-dev )able 3: Assignment for gain-admin (a) DAG (a) slot agent 11 bcc ′ , bcc bcc · · · · · · bcc ECC ′ , bcc ECCS ′ , ECCS ECCS · · · · · · ECCS ACLI ′ , ACLI ACLI , OAP ′ (b) DAG (b) slot agent 11 th ′ , th th · · · · · · th GSAP ′ , OAP ′ , TSA ′ , th (c) DAG (c) slot agent 11 co ′ , co co · · · · · · co ACLI ′ , ACLI ACLI , OAP ′ C GAIN-ADMIN
OAPACLIco ECCSECCbcc ccg scr GSAPGAPSGAPopf fgptla LSASLSAbsa vsa satnv TSAth DTHwd efwcsa
Name Cost Time
OAP : obtain admin privileges e GSAP : get SA password e ACLI : access c.c. CLI e TSA : trojan horse for SA e DTH : defence against trojans e LSAS : LSA successful e LSA : look over SA shoulder e GAPS : GAP successful e GAP : get admin password e ECCS : enter c.c. successful e ECC : enter computer centre e csa : corrupt Sys. Admin. e
5k 5 d efw : E-Mail firewall e
3k 0 m wd : watchdog sys. daemon e
2k 5 m th : trojan horse SA e
100 3 d nv : no-visits policy e sat : spy SA terminal e vsa : visit SA at work e
20 2 d bsa : befriend Sys. Admin. e
500 14 d tla : two-level authentic. e fgp : find guessable pass. e opf : obtain password file e
100 3 d scr : secure coding rooms e
5k 0 d ccg : c.c. guest unwatched e
100 5 d bcc : break-in comp. centre e
6k 2 d co : corrupt operator e
4k 4 d
Figure 14: Obtain admin privileges ( gain-admin ) OAP ′ leveldepth 02942 ACLI ACLI ACLI ′ ECCS ECCS ECCS ′ ECC ′ bcc bcc bcc ′ (a) Case scr is not ac-tive OAP ′ leveldepth 04320 GSAP ′ TSA ′ th th th ′ (b) Case scr active,but not DTH
OAP ′ leveldepth 05762 ACLI ACLI ACLI ′ co co co ′ (c) Case both scr and DTH are active
Figure 15: Preprocessing the gain-admin
ADTree.
INTERRUPTED a cb d e
Name Time a b c d e Figure 16: Interrupted schedule example ( interrupted ) a ′ leveldepth 05 b c c ′ d e e e e ′ d d d d ′ b b ′ Figure 17: Preprocessing the interrupted
ADTree slot agent 1 21 d ′ , d e ′ , e d b ′ , b d e d e c ′ , c a ′ , b Table 4: Assignment for interrupted
EXAMPLE FROM [1]
A7A6 A5A4 A3A2A1 l8 l7l6l5l4l3l2l1
Name Time A7 A6 A5 A4 A3 A2 A1 l8 l7 l6 l5 l4 l3 l2 l1 Figure 18: Scaling example ( scaling-example ) A7 leveldepth 05 A7 ′ A6 l8 l8 ′ A6 ′ A4 A5 A5 ′ A3 l7 l7 ′ A3 ′ l5 l6 l6 ′ l5 ′ A4 ′ A1 A2 A2 ′ l3 l4 l4 ′ l3 ′ A1 ′ l1 l2 l2 ′ l1 ′ Figure 19: Preprocessing the scaling-example
ADTree slot agent 1 2 3 4 5 61 l1 ′ , l1 l2 ′ , l2 l3 ′ , l3 l4 ′ , l4 l5 ′ , l5 l6 ′ , l6 A1 ′ , A1 A2 ′ , A2 A3 ′ , A3 l7 ′ , l7 A4 ′ , A4 A5 ′ , A5 A6 ′ , A6 l8 ′ , l8 A7 ′ , A7 Table 5: Assignment for scaling-example
LAST ab efh ic d gj k l m
Name Time a b c d e f g h i j k l m Figure 20: Last example ( last ) a ′ leveldepth 04 b e ′ f ′ h ′ i ′ l l ′ j j ′ b ′ c d d d d ′ c ′ Figure 21: Preprocessing the last
ADTree slot agent 1 21 d ′ , d d i ′ , l ′ , l d c ′ , c a ′ , b ′ , b e ′ , f ′ , h ′ , j ′ , j Table 6: Assignment for last able 8: Scalability of different agent configurationsdepth width
G SCALING EXAMPLE ab cd e f g
Name Time a b c d e f g Figure 22: Scaling example ( scaling ) a leveldepth 05 a ′ b c c ′ f g g ′ f ′ b ′ d e e e e ′ d ′ Figure 23: Preprocessing the scaling