Attack Trees: A Notion of Missing Attacks
Attack trees are widely used for security modeling and risk analysis. Classically, an attack tree combines possible actions of the attacker into attacks. In most existing approaches, an attack tree represents generic ways of attacking a system, but without taking any specific system or its configuration into account. This means that such a generic attack tree may contain attacks that are not applicable to the analyzed system, and also that a given system could enable some attacks that the attack tree did not capture.
To overcome this problem, we extend the attack tree setting with a model of the analyzed system, allowing us to introduce precise path semantics of an attack tree and to define missing attacks. We investigate the missing attack existence problem and show how to solve it by calls to the NP oracle that answers the trace attack tree membership problem; the latter problem has been implemented and is available as an open source prototype.
KeywordsRisk analysis Attack trees Path semantics Missing attacks Complexity
- 1.Amenaza: SecurITree (2001–2013). http://www.amenaza.com/
- 3.Audinot, M., Pinchinat, S., Kordy, B.: Guided design of attack trees: a system-based approach. In: CSF, pp. 61–75. IEEE Computer Society (2018)Google Scholar
- 6.Berman, P., Karpinski, M., Scott, A.D.: Approximation hardness of short symmetric instances of MAX-3SAT. Electronic Colloquium on Computational Complexity (ECCC) 10(049) (2003). http://eccc.hpi-web.de/eccc-reports/2003/TR03-049/index.html
- 7.EAC Advisory Board and Standards Board: Election Operations Assessment - Threat Trees and Matrices and Threat Instance Risk Analyzer (TIRA) (2009). https://www.eac.gov/assets/1/28/Election_Operations _Assessment_Threat_Trees_and_Matrices_and_Threat_Instance_Risk_Analyzer_(TIRA).pdf
- 8.Gadyatskaya, O., Harpes, C., Mauw, S., Muller, C., Muller, S.: Bridging two worlds: reconciling practical risk assessment methodologies with theory of attack trees. In: Kordy, B., Ekstedt, M., Kim, D.S. (eds.) GraMSec 2016. LNCS, vol. 9987, pp. 80–93. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46263-9_5CrossRefGoogle Scholar
- 11.Isograph: AttackTree+ (2004–2005). http://www.isograph-software.com/atpover.htm
- 17.Mantel, H., Probst, C.W.: On the meaning and purpose of attack trees. In: CSF, pp. 184–199. IEEE Computer Society (2019)Google Scholar
- 19.National Electric Sector Cybersecurity Organization Resource (NESCOR): Analysis of selected electric sector high risk failure scenarios, version 2.0 (2015). http://smartgrid.epri.com/doc/NESCOR
- 22.Saffidine, A., Cong, S.L., Pinchinat, S., Schwarzentruber, F.: The Packed Interval Covering Problem is NP-complete. CoRR abs/1906.03676 (2019). http://arxiv.org/abs/1906.03676
- 23.Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)Google Scholar
- 25.Vigo, R., Nielson, F., Nielson, H.R.: Automated generation of attack trees. In: CSF, pp. 337–350. IEEE Computer Society (2014)Google Scholar