Quantitative Questions on Attack–Defense Trees

  • Barbara Kordy
  • Sjouke Mauw
  • Patrick Schweitzer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7839)


Attack–defense trees are a novel methodology for graphical security modeling and assessment. The methodology includes intuitive and formal components that can be used for quantitative analysis of attack–defense scenarios. In practice, we use intuitive questions to ask about aspects of scenarios we are interested in. Formally, a computational procedure, using a bottom-up algorithm, is applied to derive the corresponding numerical values. This paper bridges the gap between the intuitive and the formal way of quantitatively assessing attack–defense scenarios. We discuss how to properly specify a question, so that it can be answered unambiguously. Given a well-specified question, we then show how to derive an appropriate attribute domain which constitutes the corresponding formal model.


Defense Tree User Credential Attack Tree Attribute Domain Defensive Measure 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abdulla, P.A., Cederberg, J., Kaati, L.: Analyzing the Security in the GSM Radio Network Using Attack Jungles. In: Margaria, T., Steffen, B. (eds.) ISoLA 2010, Part I. LNCS, vol. 6415, pp. 60–74. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Amenaza: SecurITree, (accessed October 5, 2012)
  3. 3.
    Amoroso, E.G.: Fundamentals of Computer Security Technology. Prentice-Hall, Inc., Upper Saddle River (1994), zbMATHGoogle Scholar
  4. 4.
    Baca, D., Petersen, K.: Prioritizing Countermeasures through the Countermeasure Method for Software Security (CM-Sec). In: Ali Babar, M., Vierimaa, M., Oivo, M. (eds.) PROFES 2010. LNCS, vol. 6156, pp. 176–190. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. 5.
    Bagnato, A., Kordy, B., Meland, P.H., Schweitzer, P.: Attribute Decoration of Attack–Defense Trees. International Journal of Secure Software Engineering (IJSSE) 3(2), 1–35 (2012)CrossRefGoogle Scholar
  6. 6.
    Bistarelli, S., Dall’Aglio, M., Peretti, P.: Strategic Games on Defense Trees. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2006. LNCS, vol. 4691, pp. 1–15. Springer, Heidelberg (2007), CrossRefGoogle Scholar
  7. 7.
    Buldas, A., Laud, P., Priisalu, J., Saarepera, M., Willemson, J.: Rational Choice of Security Measures Via Multi-parameter Attack Trees. In: López, J. (ed.) CRITIS 2006. LNCS, vol. 4347, pp. 235–248. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Byres, E.J., Franz, M., Miller, D.: The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems. In: International Infrastructure Survivability Workshop (IISW 2004). Institute of Electrical and Electronics Engineers, Lisbon (2004)Google Scholar
  9. 9.
    Edge, K.S., Dalton II, G.C., Raines, R.A., Mills, R.F.: Using Attack and Protection Trees to Analyze Threats and Defenses to Homeland Security. In: MILCOM, pp. 1–7. IEEE (2006)Google Scholar
  10. 10.
    Fung, C., Chen, Y.L., Wang, X., Lee, J., Tarquini, R., Anderson, M., Linger, R.: Survivability analysis of distributed systems using attack tree methodology. In: Proceedings of the 2005 IEEE Military Communications Conference, vol. 1, pp. 583–589 (October 2005)Google Scholar
  11. 11.
    Henniger, O., Apvrille, L., Fuchs, A., Roudier, Y., Ruddle, A., Weyl, B.: Security requirements for automotive on-board networks. In: 9th International Conference on Intelligent Transport Systems Telecommunications (ITST 2009), Lille, pp. 641–646 (October 2009)Google Scholar
  12. 12.
    Jürgenson, A., Willemson, J.: Computing Exact Outcomes of Multi-parameter Attack Trees. In: Meersman, R., Tari, Z. (eds.) OTM 2008, Part II. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Kordy, B., Mauw, S., Melissen, M., Schweitzer, P.: Attack–Defense Trees and Two-Player Binary Zero-Sum Extensive Form Games Are Equivalent. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 245–256. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of Attack–Defense Trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. 15.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack–Defense Trees. Journal of Logic and Computation, 1–33 (2012),
  16. 16.
    Kordy, B., Mauw, S., Schweitzer, P.: Quantitative Questions on Attack–Defense Trees. arXiv (2012),
  17. 17.
    Kordy, B., Pouly, M., Schweitzer, P.: Computational Aspects of Attack–Defense Trees. In: Bouvry, P., Kłopotek, M.A., Leprévost, F., Marciniak, M., Mykowiecka, A., Rybiński, H. (eds.) SIIS 2011. LNCS, vol. 7053, pp. 103–116. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  18. 18.
    Kordy, P., Schweitzer, P.: The ADTool, (accessed October 12, 2012)
  19. 19.
    Li, X., Liu, R., Feng, Z., He, K.: Threat modeling-oriented attack path evaluating algorithm. Transactions of Tianjin University 15(3), 162–167 (2009), CrossRefGoogle Scholar
  20. 20.
    Manikas, T.W., Thornton, M.A., Feinstein, D.Y.: Using Multiple-Valued Logic Decision Diagrams to Model System Threat Probabilities. In: 41st IEEE International Symposium on Multiple-Valued Logic (ISMVL 2011), pp. 263–267 (2011)Google Scholar
  21. 21.
    Mauw, S., Oostdijk, M.: Foundations of Attack Trees. In: Won, D., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006), CrossRefGoogle Scholar
  22. 22.
    Piètre-Cambacédès, L., Bouissou, M.: Beyond Attack Trees: Dynamic Security Modeling with Boolean Logic Driven Markov Processes (BDMP). In: European Dependable Computing Conference, pp. 199–208. IEEE Computer Society, Los Alamitos (2010)Google Scholar
  23. 23.
    Roy, A., Kim, D.S., Trivedi, K.S.: Cyber security analysis using attack countermeasure trees. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW 2010), pp. 28:1–28:4. ACM, New York (2010), CrossRefGoogle Scholar
  24. 24.
    Roy, A., Kim, D.S., Trivedi, K.S.: Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees. Security and Communication Networks 5(8), 929–943 (2012), CrossRefGoogle Scholar
  25. 25.
    Saini, V., Duan, Q., Paruchuri, V.: Threat Modeling Using Attack Trees. J. Computing Small Colleges 23(4), 124–131 (2008), Google Scholar
  26. 26.
    Schneier, B.: Attack Trees. Dr. Dobb’s Journal of Software Tools 24(12), 21–29 (1999), Google Scholar
  27. 27.
    Tanu, E., Arreymbi, J.: An examination of the security implications of the supervisory control and data acquisition (SCADA) system in a mobile networked environment: An augmented vulnerability tree approach. In: Proceedings of Advances in Computing and Technology (AC&T) The School of Computing and Technology 5th Annual Conference. pp. 228–242. University of East London, School of Computing, Information Technology and Engineering (2010),
  28. 28.
    Wang, J., Whitley, J.N., Phan, R.C.W., Parish, D.J.: Unified Parametrizable Attack Tree. International Journal for Information Security Research 1(1), 20–26 (2011), Google Scholar
  29. 29.
    Jürgenson, A., Willemson, J.: Serial Model for Attack Tree Computations. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 118–128. Springer, Heidelberg (2010), CrossRefGoogle Scholar
  30. 30.
    Yager, R.R.: OWA trees and their role in security modeling using attack trees. Inf. Sci. 176(20), 2933–2959 (2006)CrossRefzbMATHMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Barbara Kordy
    • 1
  • Sjouke Mauw
    • 1
  • Patrick Schweitzer
    • 1
  1. 1.SnTUniversity of LuxembourgLuxembourg

Personalised recommendations