Attack-defense trees

Kordy, Barbara; Mauw, Sjouke; Radomirović, Saša; Schweitzer, Patrick

doi:10.1093/logcom/exs029

Cited by 147 publications

(198 citation statements)

References 13 publications

Supporting

Mentioning

196

Contrasting

Order By: Relevance

“…As mentioned above, it would be interesting to take the role of an actor into account. We are also investigating how to extend our approach to attack-defence trees [18], which combine actions by attackers with mitigating actions by defenders.…”

Section: Resultsmentioning

confidence: 99%

Understanding How Components of Organisations Contribute to Attacks

Aslanyan

Probst

2016

Secure IT Systems

View full text Add to dashboard Cite

Abstract. Attacks on organisations today explore many different layers, including buildings infrastructure, IT infrastructure, and human factor -the physical, virtual, and social layer. Identifying possible attacks, understanding their impact, and attributing their origin and contributing factors is difficult. Recently, system models have been used for automatically identifying possible attacks on the modelled organisation. The generated attacks consider all three layers, making the contribution of building infrastructure, computer infrastructure, and humans (insiders and outsiders) explicit. However, this contribution is only visible in the attack trees as part of the performed steps; it cannot be mapped back to the model directly since the actions usually involve several elements (attacker and targeted actor or asset). Especially for large attack trees, understanding the relations between several model components quickly results in a large quantity of interrelations, which are hard to grasp. In this work we present several approaches for visualising attributes of attacks such as likelihood of success, impact, and required time or skill level. The resulting visualisations provide a link between attacks on an organisations and the contribution of parts of an organisation to the attack and its impact.

show abstract

Section: Resultsmentioning

confidence: 99%

Understanding How Components of Organisations Contribute to Attacks

Aslanyan

Probst

2016

Secure IT Systems

View full text Add to dashboard Cite

show abstract

“…Attack-defense trees have been provided with a multiset semantics [16], that, as for attack trees, coincides with the positive propositions in linear logic. Thus the multiset semantics for attack-defense trees can be captured using linear logic.…”

Section: Future Workmentioning

confidence: 99%

Semantics for Specialising Attack Trees based on Linear Logic

Horne

Mauw

Tiu

2017

View full text Add to dashboard Cite

Attack trees profile the sub-goals of the proponent of an attack. Attack trees have a variety of semantics depending on the kind of question posed about the attack, where questions are captured by an attribute domain. We observe that one of the most general semantics for attack trees, the multiset semantics, coincides with a semantics expressed using linear logic propositions. The semantics can be used to compare attack trees to determine whether one attack tree is a specialisation of another attack tree. Building on these observations, we propose two new semantics for an extension of attack trees named causal attack trees. Such attack trees are extended with an operator capturing the causal order of sub-goals in an attack. These two semantics extend the multiset semantics to sets of series-parallel graphs closed under certain graph homomorphisms, where each semantics respects a class of attribute domains. We define a sound logical system with respect to each of these semantics, by using a recently introduced extension of linear logic, called MAV, featuring a non-commutative operator. The non-commutative operator models causal dependencies in causal attack trees. Similarly to linear logic for attack trees, implication defines a decidable preorder for specialising causal attack trees that soundly respects a class of attribute domains.

show abstract

“…components or services) and design decisions collectively constitute to SRA quality, traditional architecture analysis and evaluation methods such as utility tree [17] from ATAM are not sufficient because these are unable to quantify architecture quality. We advocate for leveraging an new approach inspired from attack-defense trees [19] to enhance the utility tree for analysis of the completeness of a SRA. Fig.…”

Section: Evaluating a Reference Architecturementioning

confidence: 99%