Security Analysis of IoT Systems Using Attack Trees

  • Delphine Beaulaton
  • Najah Ben Said
  • Ioana Cristescu
  • Salah Sadou
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11720)


Attack trees are graphical representations of the different scenarios that can lead to a security failure. In combination with model checking, attack trees are useful to quantitatively analyse the security of a system. Such analysis can help, during the design phase of a system, to decide how and where to modify the system so that it meets its security specifications.

In this paper we propose a security-based framework for modeling IoT systems in which attack trees are defined alongside the model. A malicious entity uses the attack tree to exploit the vulnerabilities of the system. Successful attacks can be rare events in the system’s execution, in which case they are hard to detect with usual model checking techniques. Hence, we use importance splitting, a statistical model checking technique for rare events. This technique requires decomposing an attack into sub-parts, much like an attack tree does. We therefore argue that importance splitting is well suited to, and benefits from, our modeling framework. We implemented our approach in a tool-set and verified its effectiveness by running a set of experiments on a real-world example.
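As an added example (not the paper's tool-set or code), the Python sketch below contrasts crude Monte Carlo with fixed-level importance splitting, using the number of attack-tree leaves already achieved as the level function, so that the attack's sub-parts drive the splitting; the four-leaf tree, the per-step probabilities and the horizon are constructed assumptions, and `exact_probability` is a dynamic-programming check of the estimators.

```python
import random
# Constructed four-leaf AND attack tree (an assumption, not the paper's case study).
LEAVES = ["network_foothold", "reach_device", "obtain_credentials", "alter_config"]
P_PROGRESS = 0.05  # per step: the next leaf is achieved
P_DETECT = 0.30    # per step: the attack is detected and the run ends in failure
HORIZON = 20       # system steps simulated per run

def step(state, rng):
    """One system step on a live, unfinished state = (leaves_done, t, alive)."""
    done, t, _ = state
    u = rng.random()
    if u < P_DETECT:
        return (done, t + 1, False)
    return (done + (u < P_DETECT + P_PROGRESS), t + 1, True)

def run_until(state, level, rng):
    """Advance a run until it holds `level` leaves, is detected or hits the horizon."""
    while state[2] and state[0] < level and state[1] < HORIZON:
        state = step(state, rng)
    return state

def crude_monte_carlo(n, seed=1):
    # Plain simulation: at ~4e-4 success probability most samples see zero hits.
    rng = random.Random(seed)
    hits = sum(run_until((0, 0, True), len(LEAVES), rng)[0] == len(LEAVES) for _ in range(n))
    return hits / n

def importance_splitting(n, seed=1):
    """Fixed-level splitting, level i = i leaves achieved: runs reaching a level are
    cloned back up to n; the estimate is the product of per-level conditional probs."""
    rng = random.Random(seed)
    states = [(0, 0, True)] * n
    estimate = 1.0
    for level in range(1, len(LEAVES) + 1):
        reached = [s for s in (run_until(s, level, rng) for s in states) if s[0] == level]
        if not reached:  # every clone failed at this level
            return 0.0
        estimate *= len(reached) / n
        states = [rng.choice(reached) for _ in range(n)]
    return estimate

def exact_probability():
    """Dynamic programming over (leaves_done, step) to check the estimators."""
    prob = [[0.0] * (HORIZON + 1) for _ in range(len(LEAVES) + 1)]
    prob[0][0] = 1.0
    for t in range(HORIZON):
        for done in range(len(LEAVES)):
            prob[done + 1][t + 1] += prob[done][t] * P_PROGRESS
            prob[done][t + 1] += prob[done][t] * (1 - P_PROGRESS - P_DETECT)
    return sum(prob[len(LEAVES)])
```

With the same budget of runs, the splitting estimate lands close to the exact value while crude simulation typically observes no successful attack at all.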


Keywords: Attack tree, IoT, Rare events, Importance splitting



We would like to thank Axel Legay for his helpful suggestions on importance splitting, and Jean Quilbeuf for his technical help in the tool implementation.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Delphine Beaulaton (1)
  • Najah Ben Said (3)
  • Ioana Cristescu (2)
  • Salah Sadou (1)
  1. University South Brittany, Irisa, Lorient, France
  2. Inria, Rennes, France
  3. Thales SIX-GTS, Palaiseau, France
