Advertisement

Attack Trees: A Notion of Missing Attacks

  • Sophie PinchinatEmail author
  • Barbara Fila
  • Florence Wacheux
  • Yann Thierry-Mieg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11720)

Abstract

Attack trees are widely used for security modeling and risk analysis. Classically, an attack tree combines possible actions of the attacker into attacks. In most existing approaches, an attack tree represents generic ways of attacking a system, but without taking any specific system or its configuration into account. This means that such a generic attack tree may contain attacks that are not applicable to the analyzed system, and also that a given system could enable some attacks that the attack tree did not capture.

To overcome this problem, we extend the attack tree setting with a model of the analyzed system, allowing us to introduce precise path semantics of an attack tree and to define missing attacks. We investigate the missing attack existence problem and show how to solve it by calls to the NP oracle that answers the trace attack tree membership problem; the latter problem has been implemented and is available as an open source prototype.

Keywords

Risk analysis Attack trees Path semantics Missing attacks Complexity 

References

  1. 1.
    Amenaza: SecurITree (2001–2013). http://www.amenaza.com/
  2. 2.
    Audinot, M., Pinchinat, S., Kordy, B.: Is my attack tree correct? In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 83–102. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66402-6_7CrossRefGoogle Scholar
  3. 3.
    Audinot, M., Pinchinat, S., Kordy, B.: Guided design of attack trees: a system-based approach. In: CSF, pp. 61–75. IEEE Computer Society (2018)Google Scholar
  4. 4.
    Audinot, M., Pinchinat, S., Schwarzentruber, F., Wacheux, F.: Deciding the non-emptiness of attack trees. In: Cybenko, G., Pym, D., Fila, B. (eds.) GraMSec 2018. LNCS, vol. 11086, pp. 13–30. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-15465-3_2CrossRefGoogle Scholar
  5. 5.
    Baier, C., Katoen, J.: Principles of Model Checking. MIT Press, Cambridge (2008)zbMATHGoogle Scholar
  6. 6.
    Berman, P., Karpinski, M., Scott, A.D.: Approximation hardness of short symmetric instances of MAX-3SAT. Electronic Colloquium on Computational Complexity (ECCC) 10(049) (2003). http://eccc.hpi-web.de/eccc-reports/2003/TR03-049/index.html
  7. 7.
    EAC Advisory Board and Standards Board: Election Operations Assessment - Threat Trees and Matrices and Threat Instance Risk Analyzer (TIRA) (2009). https://www.eac.gov/assets/1/28/Election_Operations _Assessment_Threat_Trees_and_Matrices_and_Threat_Instance_Risk_Analyzer_(TIRA).pdf
  8. 8.
    Gadyatskaya, O., Harpes, C., Mauw, S., Muller, C., Muller, S.: Bridging two worlds: reconciling practical risk assessment methodologies with theory of attack trees. In: Kordy, B., Ekstedt, M., Kim, D.S. (eds.) GraMSec 2016. LNCS, vol. 9987, pp. 80–93. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-46263-9_5CrossRefGoogle Scholar
  9. 9.
    Gadyatskaya, O., Jhawar, R., Mauw, S., Trujillo-Rasua, R., Willemse, T.A.C.: Refinement-aware generation of attack trees. In: Livraga, G., Mitchell, C. (eds.) STM 2017. LNCS, vol. 10547, pp. 164–179. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-68063-7_11CrossRefGoogle Scholar
  10. 10.
    Hong, J.B., Kim, D.S., Chung, C., Huang, D.: A survey on the usability and practical applications of Graphical Security Models. Comput. Sci. Rev. 26, 1–16 (2017)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Isograph: AttackTree+ (2004–2005). http://www.isograph-software.com/atpover.htm
  12. 12.
    Ivanova, M.G., Probst, C.W., Hansen, R.R., Kammüller, F.: Attack tree generation by policy invalidation. In: Akram, R.N., Jajodia, S. (eds.) WISTP 2015. LNCS, vol. 9311, pp. 249–259. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-24018-3_16CrossRefGoogle Scholar
  13. 13.
    Jhawar, R., Kordy, B., Mauw, S., Radomirović, S., Trujillo-Rasua, R.: Attack trees with sequential conjunction. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IAICT, vol. 455, pp. 339–353. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-18467-8_23CrossRefGoogle Scholar
  14. 14.
    Jürgenson, A., Willemson, J.: Computing exact outcomes of multi-parameter attack trees. In: Meersman, R., Tari, Z. (eds.) OTM 2008. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-88873-4_8CrossRefGoogle Scholar
  15. 15.
    Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees. Comput. Sci. Rev. 13–14, 1–38 (2014)CrossRefGoogle Scholar
  16. 16.
    Kordy, B., Wideł, W.: On quantitative analysis of attack–defense trees with repeated labels. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 325–346. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-89722-6_14CrossRefGoogle Scholar
  17. 17.
    Mantel, H., Probst, C.W.: On the meaning and purpose of attack trees. In: CSF, pp. 184–199. IEEE Computer Society (2019)Google Scholar
  18. 18.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006).  https://doi.org/10.1007/11734727_17CrossRefGoogle Scholar
  19. 19.
    National Electric Sector Cybersecurity Organization Resource (NESCOR): Analysis of selected electric sector high risk failure scenarios, version 2.0 (2015). http://smartgrid.epri.com/doc/NESCOR
  20. 20.
    Pinchinat, S., Acher, M., Vojtisek, D.: Towards synthesis of attack trees for supporting computer-aided risk analysis. In: Canal, C., Idani, A. (eds.) SEFM 2014. LNCS, vol. 8938, pp. 363–375. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-15201-1_24CrossRefGoogle Scholar
  21. 21.
    Pinchinat, S., Acher, M., Vojtisek, D.: ATSyRa: an integrated environment for synthesizing attack trees. In: Mauw, S., Kordy, B., Jajodia, S. (eds.) GraMSec 2015. LNCS, vol. 9390, pp. 97–101. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-29968-6_7CrossRefGoogle Scholar
  22. 22.
    Saffidine, A., Cong, S.L., Pinchinat, S., Schwarzentruber, F.: The Packed Interval Covering Problem is NP-complete. CoRR abs/1906.03676 (2019). http://arxiv.org/abs/1906.03676
  23. 23.
    Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)Google Scholar
  24. 24.
    Stockmeyer, L.J.: The polynomial-time hierarchy. Theoret. Comput. Sci. 3(1), 1–22 (1976)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Vigo, R., Nielson, F., Nielson, H.R.: Automated generation of attack trees. In: CSF, pp. 337–350. IEEE Computer Society (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Sophie Pinchinat
    • 1
    Email author
  • Barbara Fila
    • 2
  • Florence Wacheux
    • 1
  • Yann Thierry-Mieg
    • 3
  1. 1.Univ Rennes, CNRS, IRISARennesFrance
  2. 2.Univ Rennes, INSA Rennes, CNRS, IRISARennesFrance
  3. 3.Sorbonne Université, CNRS, LIP6ParisFrance

Personalised recommendations