Optimizing System Architecture Cost and Security Countermeasures

  • Sahar Berro
  • Ludovic Apvrille
  • Guillaume Duc
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11720)


The design of an embedded system is built on a trade-off between its performance and its cost. Nowadays, the security threats that target most embedded systems introduce a new factor into this trade-off: the security level of the system. System architects must therefore consider, during design, the different attacks that target the system, the possible countermeasures, and their costs. In this article, we present a methodology to help designers explore different countermeasures and evaluate their impact on the cost of the architecture and on the probability of success of an adversary. This methodology is based on extended and formalized Attack-Defense Trees that make it possible to assess the impact of countermeasures on system components and on attacks. We use propagation rules to characterize a main attack from its different steps, and we formalize the trade-off between security and cost as an optimization problem over attack probability and total architecture cost.
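A toy instance of the trade-off the abstract describes, as an added example and not the paper's own model or tooling: the attack-defense tree, step probabilities, countermeasure residuals and costs are all constructed, and the AND/OR propagation rule used is the standard independent-steps rule, which is an assumption rather than the paper's rule.

```python
import math
from itertools import combinations

# Assumed model: AND/OR gates over attack steps; each step has a base success
# probability; a countermeasure attached to a step lowers that step's
# probability to a residual value and adds its cost to the architecture.
# Constructed toy tree: the root attack succeeds via the CAN-bus path
# (both steps needed) or via the firmware path.
TREE = ("OR", [("AND", ["spoof_can_frame", "bypass_gateway"]),
               ("AND", ["flash_malicious_firmware"])])
STEP_PROB = {"spoof_can_frame": 0.8, "bypass_gateway": 0.5,
             "flash_malicious_firmware": 0.3}
# countermeasure -> (protected step, residual step probability, cost units)
COUNTERMEASURES = {"can_auth": ("spoof_can_frame", 0.05, 40),
                   "gateway_firewall": ("bypass_gateway", 0.10, 25),
                   "secure_boot": ("flash_malicious_firmware", 0.02, 60)}
BASE_COST = 100  # architecture cost with no countermeasure applied


def propagate(node, probs):
    """AND = product of child probabilities; OR = 1 - product of child
    failure probabilities (assumes independent attack steps)."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    child_p = [propagate(c, probs) for c in children]
    if gate == "AND":
        return math.prod(child_p)
    return 1.0 - math.prod(1.0 - p for p in child_p)


def evaluate(selected):
    """Return (total cost, root attack probability) for chosen countermeasures."""
    probs, cost = dict(STEP_PROB), BASE_COST
    for name in selected:
        step, residual, c = COUNTERMEASURES[name]
        probs[step] = min(probs[step], residual)
        cost += c
    return cost, propagate(TREE, probs)


def cheapest_defense(max_attack_prob):
    """Exhaustively search countermeasure subsets; return (cost, prob, set)
    of the cheapest one meeting the attack-probability target, else None."""
    best, names = None, sorted(COUNTERMEASURES)
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            cost, p = evaluate(combo)
            if p <= max_attack_prob and (best is None or cost < best[0]):
                best = (cost, p, frozenset(combo))
    return best
```

Exhaustive enumeration is fine for a handful of countermeasures; a real architecture needs the optimization formulation the paper proposes rather than brute force.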


Keywords: Attack-Defense Tree · Security of embedded system · Countermeasures



This work is supported by the research chair Connected Cars and Cyber Security (C3S) [6] founded by Nokia, Renault, Thales, Valeo, Wavestone, Fondation Mines-Télécom and Télécom Paris.


References

  1. A deep flaw in your car lets hackers shut down safety features.
  2.
  3.
  4. OMG Systems Modeling Language (OMG SysML), V1.0. Technical report, Object Management Group (2007).
  5. A survey on the usability and practical applications of graphical security models. Comput. Sci. Rev. 26(C), 1–16 (2017).
  6. Research chair Connected Cars and Cyber Security (C3S) (2019).
  7. Audinot, M., Pinchinat, S.: On the soundness of attack trees. In: Kordy, B., Ekstedt, M., Kim, D.S. (eds.) GraMSec 2016. LNCS, vol. 9987, pp. 25–38. Springer, Cham (2016).
  8. Bistarelli, S., Dall'Aglio, M., Peretti, P.: Strategic games on defense trees. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2006. LNCS, vol. 4691, pp. 1–15. Springer, Heidelberg (2007).
  9. Edge, K., Dalton, G., Raines, R., Mills, R.: Using attack and protection trees to analyze threats and defenses to homeland security, pp. 1–7 (2006).
  10. Fraile, M., Ford, M., Gadyatskaya, O., Kumar, R., Stoelinga, M., Trujillo-Rasua, R.: Using attack-defense trees to analyze threats and countermeasures in an ATM: a case study. In: Horkoff, J., Jeusfeld, M.A., Persson, A. (eds.) PoEM 2016. LNBIP, vol. 267, pp. 326–334. Springer, Cham (2016).
  11. Garro, A., Tundis, A.: A model-based method for system reliability analysis (2012).
  12. Ji, X., Yu, H., Fan, G., Fu, W.: Attack-defense trees based cyber security analysis for CPSs. In: 2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), pp. 693–698 (2016).
  13. Jürgenson, A., Willemson, J.: Computing exact outcomes of multi-parameter attack trees. In: Meersman, R., Tari, Z. (eds.) OTM 2008. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008).
  14. Jürgenson, A., Willemson, J.: Serial model for attack tree computations. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 118–128. Springer, Heidelberg (2010).
  15. Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D'Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013).
  16. Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011).
  17. Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: DAG-based attack and defense modeling: Don't miss the forest for the attack trees. CoRR (2013).
  18. Kordy, B., Wideł, W.: On quantitative analysis of attack–defense trees with repeated labels. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 325–346. Springer, Cham (2018).
  19. van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th International Conference on Software Engineering, ICSE 2004, pp. 148–157. IEEE Computer Society, Washington, DC, USA (2004).
  20. Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006).
  21. Saini, V., Duan, Q., Paruchuri, V.: Threat modeling using attack trees. J. Comput. Sci. Coll. 23(4), 124–131 (2008).
  22. Schneier, B.: Secrets & Lies: Digital Security in a Networked World, 1st edn. Wiley, New York (2000).
  23. Steiner, M., Liggesmeyer, P.: Qualitative and quantitative analysis of CFTs taking security causes into account. In: Koornneef, F., van Gulijk, C. (eds.) SAFECOMP 2015. LNCS, vol. 9338, pp. 109–120. Springer, Cham (2015).
  24. Zhou, S., Sun, Q., Jiao, J.: A safety modeling method based on SysML. In: 2014 10th International Conference on Reliability, Maintainability and Safety (ICRMS), pp. 1180–1185 (2014).

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. LTCI, Télécom Paris, Institut Polytechnique de Paris, Palaiseau, France
