Advertisement

The Attacker Does not Always Hold the Initiative: Attack Trees with External Refinement

  • Ross Horne
  • Sjouke Mauw
  • Alwen TiuEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11086)

Abstract

Attack trees provide a structure to an attack scenario, where disjunctions represent choices decomposing attacker’s goals into smaller subgoals. This paper investigates the nature of choices in attack trees. For some choices, the attacker has the initiative, but for other choices either the environment or an active defender decides. A semantics for attack trees combining both types of choice is expressed in linear logic and connections with extensive-form games are highlighted. The linear logic semantics defines a specialisation preorder enabling trees, not necessarily equal, to be compared in such a way that all strategies are preserved.

Keywords

Attack trees Linear logic Extensive-form games Game semantics 

Notes

Acknowledgment

Horne and Tiu receive support from MOE Tier 2 grant MOE2014-T2-2-076 and the National Research Foundation Singapore under its National Cybersecurity R&D Program (Award No. NRF2014NCR-NCR001-30). Mauw received funding from the Fonds National de la Recherche Luxembourg, grant C11/IS/1183245 (ADT2P), and the European Commissions Seventh Framework Programme (FP7/2007–2013) under grant agreement number 318003 (TREsPASS).

References

  1. 1.
    Abramsky, S., Jagadeesan, R.: Games and full completeness for multiplicative linear logic. J. Symbolic Logic 59(2), 543–574 (1994).  https://doi.org/10.2307/2275407MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Abramsky, S., Jagadeesan, R.: Game semantics for access control. In: Proceedings of the 25th Conference on Mathematical Foundations of Programming Semantics (MFPS 2009) Electronic Notes in Theoretical Computer Science, vol. 249, pp. 135–156 (2009).  https://doi.org/10.1016/j.entcs.2009.07.088
  3. 3.
    Abramsky, S., Melliès, P.-A.: Concurrent games and full completeness. In: 14th Annual IEEE Symposium on Logic in Computer Science LICS, Trento, Italy, 2–5 July 1999, pp. 431–442. IEEE Computer Society (1999).  https://doi.org/10.1109/LICS.1999.782638
  4. 4.
    Andreoli, J.-M.: Logic programming with focusing proofs in linear logic. J. Logic Comput. 2(3), 297–347 (1992).  https://doi.org/10.1093/logcom/2.3.297MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Aslanyan, Z., Nielson, F.: Pareto efficient solutions of attack-defence trees. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 95–114. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46666-7_6CrossRefGoogle Scholar
  6. 6.
    Aslanyan, Z., Nielson, F., Parker, D.: Quantitative verification and synthesis of attack-defence scenarios. In: 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pp. 105–119. IEEE Computer Society (2016).  https://doi.org/10.1109/CSF.2016.15
  7. 7.
    Audinot, M., Pinchinat, S., Kordy, B.: Is my attack tree correct? In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 83–102. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66402-6_7CrossRefGoogle Scholar
  8. 8.
    Birkhoff, G.: Rings of sets. Duke Math. J. 3(3), 443–454 (1937).  https://doi.org/10.1215/S0012-7094-37-00334-XMathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Bistarelli, S., Fioravanti, F., Peretti, P.: Defense trees for economic evaluation of security investments. In: First International Conference on Availability, Reliability and Security (ARES 2006), pp. 416–423. IEEE Computer Society (2006).  https://doi.org/10.1109/ARES.2006.46
  10. 10.
    Blass, A.: A game semantics for linear logic. Ann. Pure Appl. Logic 56(1), 183–220 (1992).  https://doi.org/10.1016/0168-0072(92)90073-9MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Brookes, S.D., Hoare, C.A.R., Roscoe, A.W.: A theory of communicating sequential processes. J. ACM 31(3), 560–599 (1984).  https://doi.org/10.1145/828.833MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Buldas, A., Laud, P., Priisalu, J., Saarepera, M., Willemson, J.: Rational choice of security measures via multi-parameter attack trees. In: Lopez, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 235–248. Springer, Heidelberg (2006).  https://doi.org/10.1007/11962977_19CrossRefGoogle Scholar
  13. 13.
    Chaudhuri, K., Miller, D., Saurin, A.: Canonical sequent proofs via multi-focusing. In: Ausiello, G., Karhumäki, J., Mauri, G., Ong, L. (eds.) TCS 2008. IIFIP, vol. 273, pp. 383–396. Springer, Boston, MA (2008).  https://doi.org/10.1007/978-0-387-09680-3_26CrossRefGoogle Scholar
  14. 14.
    Danos, V., Harmer, R.S.: Probabilistic game semantics. ACM Trans. Comput. Logic (TOCL) 3(3), 359–382 (2002).  https://doi.org/10.1145/507382.507385MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Debbabi, M., Saleh, M.: Game semantics model for security protocols. In: Lau, K.-K., Banach, R. (eds.) ICFEM 2005. LNCS, vol. 3785, pp. 125–140. Springer, Heidelberg (2005).  https://doi.org/10.1007/11576280_10CrossRefGoogle Scholar
  16. 16.
    Delande, O., Miller, D., Saurin, A.: Proof and refutation in MALL as a game. Ann. Pure Appl. Logic 161(5), 654–672 (2010).  https://doi.org/10.1016/j.apal.2009.07.017MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Deswarte, Y., Blain, L., Fabre, J.C.: Intrusion tolerance in distributed computing systems. In: Proceedings of 1991 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 110–121, May 1991.  https://doi.org/10.1109/RISP.1991.130780
  18. 18.
    Dimovski, A.S.: Ensuring secure non-interference of programs by game semantics. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 81–96. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-11851-2_6CrossRefGoogle Scholar
  19. 19.
    Gadyatskaya, O., Hansen, R.R., Larsen, K.G., Legay, A., Olesen, M.C., Poulsen, D.B.: Modelling attack-defense trees using timed automata. In: Fränzle, M., Markey, N. (eds.) FORMATS 2016. LNCS, vol. 9884, pp. 35–50. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-44878-7_3CrossRefzbMATHGoogle Scholar
  20. 20.
    Gadyatskaya, O., Jhawar, R., Mauw, S., Trujillo-Rasua, R., Willemse, T.A.C.: Refinement-aware generation of attack trees. In: Livraga, G., Mitchell, C. (eds.) STM 2017. LNCS, vol. 10547, pp. 164–179. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-68063-7_11CrossRefGoogle Scholar
  21. 21.
    Girard, J.-Y.: Linear logic. Theoret. comput. Sci. 50(1), 1–101 (1987).  https://doi.org/10.1016/0304-3975(87)90045-4MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Heijltjes, W., Hughes, D.J.: Complexity bounds for sum-product logic via additive proof nets and petri nets. In: 30th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2015, Kyoto, Japan, 6–10 July 2015, pp. 80–91. IEEE Computer Society (2015).  https://doi.org/10.1109/LICS.2015.18
  23. 23.
    Hermanns, H., Krämer, J., Krčál, J., Stoelinga, M.: The value of attack-defence diagrams. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 163–185. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49635-0_9CrossRefGoogle Scholar
  24. 24.
    Horne, R.: The consistency and complexity of multiplicative additive system virtual. Sci. Ann. Comput. Sci. 25(2), 245 (2015).  https://doi.org/10.7561/SACS.2015.2.245MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Horne, R., Mauw, S., Tiu, A.: Semantics for specialising attack trees based on linear logic. Fund. Inform. 153(1–2), 57–86 (2017).  https://doi.org/10.3233/FI-2017-1531MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    Jajodia, S., Ghosh, A.K., Swarup, V., Wang, C., Wang, X.S.: Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, vol. 54. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-1-4614-0977-9CrossRefGoogle Scholar
  27. 27.
    Jhawar, R., Kordy, B., Mauw, S., Radomirović, S., Trujillo-Rasua, R.: Attack trees with sequential conjunction. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IAICT, vol. 455, pp. 339–353. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-18467-8_23CrossRefGoogle Scholar
  28. 28.
    Jiang, R., Luo, J., Wang, X.: An attack tree based risk assessment for location privacy in wireless sensor networks. In: WiCOM, pp. 1–4 (2012).  https://doi.org/10.1109/WiCOM.2012.6478402
  29. 29.
    Kordy, B., Mauw, S., Melissen, M., Schweitzer, P.: Attack–defense trees and two-player binary zero-sum extensive form games are equivalent. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 245–256. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-17197-0_17CrossRefzbMATHGoogle Scholar
  30. 30.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2014).  https://doi.org/10.1093/logcom/exs029MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees. C. S. Rev. 13–14, 1–38 (2014)zbMATHGoogle Scholar
  32. 32.
    Laurent, O.: Polarized games. Ann. Pure Appl. Logic 130(1–3), 79–123 (2004).  https://doi.org/10.1016/j.apal.2004.04.006MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006).  https://doi.org/10.1007/11734727_17CrossRefGoogle Scholar
  34. 34.
    Ray, I., Poolsapassit, N.: Using attack trees to identify malicious attacks from authorized insiders. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 231–246. Springer, Heidelberg (2005).  https://doi.org/10.1007/11555827_14CrossRefGoogle Scholar
  35. 35.
    Roy, A., Kim, D.S., Trivedi, K.S.: Attack countermeasure trees: towards unifying the constructs of attack and defense trees. Secur. Commun. Netw. 5(8), 929–943 (2012).  https://doi.org/10.1002/sec.299CrossRefGoogle Scholar
  36. 36.
    Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)Google Scholar
  37. 37.
    Zonouz, S.A., Khurana, H., Sanders, W.H., Yardley, T.M.: RRE: a game-theoretic intrusion response and recovery engine. IEEE Trans. Parallel Distrib. Syst. 25(2), 395–406 (2014).  https://doi.org/10.1109/TPDS.2013.211CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.CSCUniversity of LuxembourgEsch-sur-AlzetteLuxembourg
  2. 2.CSC/SnTUniversity of LuxembourgEsch-sur-AlzetteLuxembourg
  3. 3.Research School of Computer ScienceAustralian National UniversityCanberraAustralia

Personalised recommendations