Barbara Kordy

DAG-based attack and defense modeling: don’t miss the forest for the attack trees

This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to summarize the existing methodologies, compare their features, and propose a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.

Foundations of attack-defense trees

We introduce and give formal definitions of attack-defense trees. We argue that these trees are a simple, yet powerful tool to analyze complex security and privacy problems. Our formalization is generic in the sense that it supports different semantical approaches. We present several semantics for attack-defense trees along with usage scenarios, and we show how to evaluate attributes.

Attack–defense trees

The advent of the information age has notably amplified the importance of security. Unfortunately security considerations still widely occur as an afterthought. For many companies, security is not a requirement to conduct business and is therefore readily neglected. However the lack of security may obstruct, impede and even ruin an otherwise flourishing enterprise. Only when internal computer networks shut down, web portals are inaccessible, mail servers are attacked, or similar incidents affect the day to day business of an enterprise, security enters into the field of vision of companies. As such, security by design is only slowly becoming accepted practice. Amongst security researchers, there is no dispute that a reasonable approach to- wards uninterrupted business activities includes security measures and controls from the beginning. To support these efforts, many security models have been developed. Graphical security models are a type of security model that help illus- trate and guide the consideration of security throughout the lifecycle of a product, system or company. Their visual properties are especially well-suited to elucidate security requirements and corresponding security measures. During the last four years, we have developed a new graphical security model called attack–defense trees. The new framework, presented in this thesis, generalizes the well-known attack trees model. Attack–defense trees formally extend attack trees and enhance them with defenses. To be able to deploy attack–defense trees as a security support tool, we have equipped them with three different syntaxes: A visually appealing, graph-based syntax that is dedicated to representing security problems, an algebraic, term-based syntax that simplifies correct, formal and quantitative analysis of security scenarios and a textual syntax that is a compromise between succinct, visual representation and easy, computerized input. We have also equipped attack–defense trees with a variety of semantics. This became necessary, since different applications require different interpretations of attack–defense trees. Besides the very specific and problem oriented propositional, De Morgan and multiset semantics, we have introduced equational semantics. The latter semantics is, in fact, an alternative, unified presentation of semantics based on equational theory. We have expressed the propositional and the multiset seman- tics in terms of the equational semantics. This facilitates algorithmic treatment since the two different semantics have a unified formal foundation. To be able to perform quantitative security analysis, we have introduced the notion of an attribute for attack–defense trees. To guarantee that the evaluation of an attribute on two or more semantically equal attack–defense trees results in the same value, we have introduced the notion of a compatibility condition between semantics and attributes. We have also provided usability guidelines for attributes. These guidelines help a user to specify security-relevant questions that can unambiguously be answered using attributes. We have performed several case studies that allowed us to test and improve the attack–defense tree methodology. We have provided detailed explanations for our design choices during the case studies as well as extensive applicability guidelines that serve a prospective user of the attack–defense tree methodology as a user manual. We have demonstrated the usefulness of the formal foundations of attack–defense trees by relating attack–defense terms to other scientific research disciplines. Con- cretely, we have shown that attack–defense trees in the propositional semantics are computationally as complex as propositional attack trees. Moreover, we have described how to merge Bayesian networks with attack–defense trees and have il- lustrated that attack–defense trees in the propositional semantics are equivalent to a specific class of games frequently occurring in game theory. Concluding the thesis, we have related the attack–defense tree methodology to other graphical security models in an extensive literature overview over similar methodologies.

Attribute Decoration of Attack-Defense Trees

Attack-defense trees can be used as part of threat and risk analysis for system development and maintenance. They are an extension of attack trees with defense measures. Moreover, tree nodes can be decorated with attributes, such as probability, impact, and penalty, to increase the expressiveness of the model. Attribute values are typically assigned based on cognitive estimations and historically recorded events. This paper presents a practical case study with attack-defense trees. First, the authors create an attack-defense tree for an RFID-based goods management system for a warehouse. Then, they explore how to use a rich set of attributes for attack and defense nodes and assign and aggregate values to obtain condensed information, such as performance indicators or other key security figures. The authors discuss different modeling choices and tradeoffs. The case study led them to define concrete guidelines that can be used by software developers, security analysts, and system owners when performing similar assessments.

ADTool: security analysis with attack---defense trees

ADTool is free, open source software assisting graphical modeling and quantitative analysis of security, using attack---defense trees. The main features of ADTool are easy creation, efficient editing, and automated bottom-up evaluation of security-relevant measures. The tool also supports the usage of attack trees, protection trees and defense trees, which are all particular instances of attack---defense trees.

Attack-defense trees and two-player binary zero-sum extensive form games are equivalent

Attack-defense trees are used to describe security weaknesses of a system and possible countermeasures. In this paper, the connection between attack-defense trees and game theory is made explicit. We show that attack-defense trees and binary zero-sum two-player extensive form games have equivalent expressive power when considering satisfiability, in the sense that they can be converted into each other while preserving their outcome and their internal structure.

Quantitative questions on attack: defense trees

Attack---defense trees are a novel methodology for graphical security modeling and assessment. The methodology includes intuitive and formal components that can be used for quantitative analysis of attack---defense scenarios. In practice, we use intuitive questions to ask about aspects of scenarios we are interested in. Formally, a computational procedure, using a bottom-up algorithm, is applied to derive the corresponding numerical values. This paper bridges the gap between the intuitive and the formal way of quantitatively assessing attack---defense scenarios. We discuss how to properly specify a question, so that it can be answered unambiguously. Given a well-specified question, we then show how to derive an appropriate attribute domain which constitutes the corresponding formal model.

Computational aspects of attack---defense trees

Attack---defense trees extend attack trees with defense nodes. This richer formalism allows for a more precise modeling of a systems vulnerabilities, by representing interactions between possible attacks and corresponding defensive measures. In this paper we compare the computational complexity of both formalisms. We identify semantics for which extending attack trees with defense nodes does not increase the computational complexity. This implies that, for these semantics, every query that can be solved efficiently on attack trees can also be solved efficiently on attack---defense trees. Furthermore, every algorithm for attack trees can directly be used to process attack---defense trees.

A Probabilistic Framework for Security Scenarios with Dependent Actions

This work addresses the growing need of performing meaningful probabilistic analysis of security. We propose a framework that integrates the graphical security modeling technique of attack–defense trees with probabilistic information expressed in terms of Bayesian networks. This allows us to perform probabilistic evaluation of attack–defense scenarios involving dependent actions. To improve the efficiency of our computations, we make use of inference algorithms from Bayesian networks and encoding techniques from constraint reasoning. We discuss the algebraic theory underlying our framework and point out several generalizations which are possible thanks to the use of semiring theory.

Probabilistic reasoning with graphical security models

We develop a framework for probabilistic analysis of security scenarios with dependencies.We combine the security model of attack-defense trees (ADTrees) with Bayesian networks.We prove that propositionally equivalent ADTrees yield the same probability value.We compare our computational method with the standard bottom-up algorithm for ADTrees.We use semiring theory to improve the efficiency of our computations. This work provides a computational framework for meaningful probabilistic evaluation of attack-defense scenarios involving dependent actions. We combine the graphical security modeling technique of attack-defense trees with probabilistic information expressed in terms of Bayesian networks. In order to improve the efficiency of probability computations on attack-defense trees, we make use of inference algorithms and encoding techniques from constraint reasoning. The proposed approach is illustrated on a running example and the computations are automated with the help of suitable software tools. We show that the computational routines developed in this paper form a conservative generalization of the attack-defense tree formalism defined previously. We discuss the algebraic theory underlying our framework and point out several generalizations which are possible thanks to the use of semiring theory. Finally, our results apply directly to the analysis of the industrially recognized model of attack trees.