Semantics for Specialising Attack Trees based on Linear Logic

Horne, Ross; Mauw, Sjouke; Tiu, Alwen

doi:10.3233/fi-2017-1531

Cited by 26 publications

(35 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The article [4] contains a case study and guidelines for practical application of the bottom-up procedure. Numerous examples of attributes for attack trees and attack trees extended with additional sequential refinement have been given in [13,15]. We gather some relevant attribute domains for attackdefense trees in Table 1.…”

Section: Definition 4 Letmentioning

confidence: 99%

“…This difficulty is sometimes recognized, e.g., in [2,21], where authors explicitly assume lack of repeated labels in order for their methods to be valid. In some works the problem is avoided (or overlooked) by interpretation of repeated labels as distinct instances of the same goal, thus, de facto as distinct goals (e.g., [8,13,18,22]), or by distinguishing between the repetitions occurring in specific subtrees of a tree, as in [3]. Recently, Bossuat and Kordy have established a classification of repeated labels in attackdefense trees, depending on whether the corresponding nodes represent exactly the same instance or different instances of a goal [5].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels

Kordy

Wideł

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Ensuring security of complex systems is a difficult task that requires utilization of numerous tools originating from various domains. Among those tools we find attack-defense trees, a simple yet practical model for analysis of scenarios involving two competing parties. Enhancing the well-established model of attack trees, attack-defense trees are trees with labeled nodes, offering an intuitive representation of possible ways in which an attacker can harm a system, and means of countering the attacks that are available to the defender. The growing palette of methods for quantitative analysis of attack-defense trees provides security experts with tools for determining the most threatening attacks and the best ways of securing the system against those attacks. Unfortunately, many of those methods might fail or provide the user with distorted results if the underlying attack-defense tree contains multiple nodes bearing the same label. We address this issue by studying conditions ensuring that the standard bottom-up evaluation method for quantifying attack-defense trees yields meaningful results in the presence of repeated labels. For the case when those conditions are not satisfied, we devise an alternative approach for quantification of attacks.

show abstract

Section: Definition 4 Letmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels

Kordy

Wideł

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Since 1999, numerous extensions of attack trees have been proposed. They augment the original model with additional refinement operators [27,25,7] or support not only offensive but also defensive behaviour [9,30,35]. An exhaustive overview of the existing attack tree-based models can be found in [31].…”

Section: Introductionmentioning

confidence: 99%

“…Sometimes the environment is the defender, but external choice may model uncertainty inherent in the environment the attacker operates. The semantics of external choices becomes particularly interesting when considering the notion of "specialisation" [25] introduced for comparing attack trees that are not necessarily equivalent. This paper introduces several semantics for attack trees: a minimal extension of the standard multiset semantics [33]; a novel game semantics [29,3,16]; and semantics based on linear logic [21].…”

Section: Introductionmentioning

confidence: 99%

The Attacker Does not Always Hold the Initiative: Attack Trees with External Refinement

Horne

Mauw

Tiu

2019

Graphical Models for Security

Self Cite

View full text Add to dashboard Cite

Attack trees provide a structure to an attack scenario, where disjunctions represent choices decomposing attacker's goals into smaller subgoals. This paper investigates the nature of choices in attack trees. For some choices, the attacker has the initiative, but for other choices either the environment or an active defender decides. A semantics for attack trees combining both types of choice is expressed in linear logic and connections with extensive-form games are highlighted. The linear logic semantics defines a specialisation preorder enabling trees, not necessarily equal, to be compared in such a way that all strategies are preserved.

show abstract

“…In order to use any modeling framework in practice, formal foundations are necessary. Previous research on formalization of attack trees focused mainly on mathematical semantics for attack tree-based models [19,13,14,12,10], and various algorithms for their quantitative analysis [25,16,1]. However, all these formalizations rely on an action-based approach, where the attacker's goals represented by the labels of the attack tree nodes are expressed using actions that the attacker needs to perform to achieve his/her objective.…”

Section: Introductionmentioning

confidence: 99%

Is My Attack Tree Correct?

Audinot¹,

Pinchinat²,

Kordy³

2017

Computer Security – ESORICS 2017

View full text Add to dashboard Cite

Attack trees are a popular way to represent and evaluate potential security threats on systems or infrastructures. The goal of this work is to provide a framework allowing to express and check whether an attack tree is consistent with the analyzed system. We model real systems using transition systems and introduce attack trees with formally specified node labels. We formulate the correctness properties of an attack tree with respect to a system and study the complexity of the corresponding decision problems. The proposed framework can be used in practice to assist security experts in manual creation of attack trees and enhance development of tools for automated generation of attack trees. This is an extended version of the work published at ESORICS 2017 [4].

show abstract

Semantics for Specialising Attack Trees based on Linear Logic

Cited by 26 publications

References 20 publications

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels

The Attacker Does not Always Hold the Initiative: Attack Trees with External Refinement

Is My Attack Tree Correct?

Contact Info

Product

Resources

About