This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However, there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.
Introduction

Graphical security models provide a useful method to represent and analyze security scenarios that examine vulnerabilities of systems and organizations. The great advantage of graph-based approaches lies in combining user-friendly, intuitive, visual features with formal semantics and algorithms that allow for qualitative and quantitative analysis. Over the course of the last two decades, graphical approaches have attracted the attention of numerous security and formal methods experts and are quickly becoming a stand-alone research area with dedicated national and international research projects [14,17,241,263,273]. Graphical models constitute a valuable support tool to facilitate threat assessment and risk management of real-life systems. Thus, they have also become popular in the industrial sector. Notable application domains of graphical models include security analysis of supervisory control and data acquisition (SCADA) systems [43,257,258], voting systems [32,142], vehicular communication systems [4,97], Internet-related attacks [148,261], secure software engineering [115], and socio-technical attacks [19,77,220].

In this paper we focus on graphical methods for analysis of attack and defense scenarios. We understand attack and defense scenarios in a general sense: they encompass any malicious action of an attacker who wants to harm or damage another party or its assets as well as any defense or countermeasure that could be used to prevent or mitigate such malicious actions. In 1991, Weiss [286] introduced threat logic trees as the first graphical attack modeling technique. The obvious similarity of threat logic trees to fault trees [270] suggests that graph-based security modeling has its roots in safety modeling.
Weiss' approach can be seen as the origin of numerous subsequent models, including attack trees [230,234], which are nowadays one of the most popular graphical security models.

Today, more than 30 different approaches for analysis of attack and defense scenarios exist. Most of them extend the original model of threat logic trees in one or several dimensions which include defensive components, timed and ordered actions, dynamic aspects and different types of *...