Using Attack-Defense Trees to Analyze Threats and Countermeasures in an ATM: A Case Study

Fraile, Marlon; Ford, Margaret; Gadyatskaya, Olga; Kumar, Rajesh; Stoelinga, Mariëlle; Trujillo-Rasúa, Rolando

doi:10.1007/978-3-319-48393-1_24

Cited by 45 publications

(29 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Attackdefense trees enhance attack trees with nodes labeled with goals of a defender, thus enabling modeling of interactions between the two competing actors. They have been used to evaluate the security of real-life systems, such as ATMs [7], RFID managed warehouses [4] and cyber-physical systems [16]. Both the theoretical developments and the practical studies have proven that attack-defense trees offer a promising methodology for security evaluation, but they also highlighted room for improvements.…”

Section: Introductionmentioning

confidence: 99%

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels

Kordy

Wideł

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Ensuring security of complex systems is a difficult task that requires utilization of numerous tools originating from various domains. Among those tools we find attack-defense trees, a simple yet practical model for analysis of scenarios involving two competing parties. Enhancing the well-established model of attack trees, attack-defense trees are trees with labeled nodes, offering an intuitive representation of possible ways in which an attacker can harm a system, and means of countering the attacks that are available to the defender. The growing palette of methods for quantitative analysis of attack-defense trees provides security experts with tools for determining the most threatening attacks and the best ways of securing the system against those attacks. Unfortunately, many of those methods might fail or provide the user with distorted results if the underlying attack-defense tree contains multiple nodes bearing the same label. We address this issue by studying conditions ensuring that the standard bottom-up evaluation method for quantifying attack-defense trees yields meaningful results in the presence of repeated labels. For the case when those conditions are not satisfied, we devise an alternative approach for quantification of attacks.

show abstract

Section: Introductionmentioning

confidence: 99%

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels

Kordy

Wideł

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In complex environments it will likely be impractical to apply the bottom-up approach due to the huge amount of potential vulnerability combinations that can be exploited in various attacks. Indeed, in practice attack trees are typically designed in a top-down manner, when the analyst starts by conjecturing the main attacker's goal and iteratively breaks it down into smaller subgoals [40,46,17,47].…”

Section: Related Workmentioning

confidence: 99%

“…In this empirical evaluation section we focus on ATM fraud, because more empirical data is available for these attacks than for the other types of attacks. Figure 3 presents an attack tree characterising such attacks that is loosely based on the attack-defence tree published by Fraile et al [17]. In ATM fraud, criminals need covert access to the ATM, as this attack typically requires opening the machine's case either by force or with a generic key, and installing a special device (e.g.…”

Section: Atm Security: a Case Studymentioning

confidence: 99%

See 1 more Smart Citation

Attribute evaluation on attack trees with incomplete information

Buldas

Gadyatskaya

Lenin

et al. 2020

Computers & Security

Self Cite

View full text Add to dashboard Cite

Attack trees are considered a useful tool for security modelling because they support qualitative as well as quantitative analysis. The quantitative approach is based on values associated to each node in the tree, expressing, for instance, the minimal cost or probability of an attack. Current quantitative methods for attack trees allow the analyst to, based on an initial assignment of values to the leaf nodes, derive the values of the higher nodes in the tree. In practice, however, it shows to be very difficult to obtain reliable values for all leaf nodes. The main reasons are that data is only available for some of the nodes, that data is available for intermediate nodes rather than for the leaf nodes, or even that the available data is inconsistent. We address these problems by developing a generalisation of the standard bottom-up calculation method in three ways. First, we allow initial attributions of non-leaf nodes. Second, we admit additional relations between attack steps beyond those provided by the underlying attack tree semantics. Third, we support the calculation of an approximative solution in case of inconsistencies. We illustrate our method, which is based on constraint programming, by a comprehensive case study.

show abstract

“…The usage of attack defense trees in threat modelling and risk assessment is a widely recognized methodology in information technology. For example, Fraile et al (2016) used attack defense trees to analyze the security of automated teller machines (ATM) (Fraile et al 2016). Based on their practical work, the authors attest attack defense trees a high potential to produce good results in risk assessment.…”

Section: Related Workmentioning

confidence: 99%

Using an Extended Attack Defense Graph Model to Estimate the Risk of a Successful Attack on an IT Infrastructure

Karg¹,

Hänisch²

2019

AJTE

View full text Add to dashboard Cite

Nowadays, securing the IT infrastructure is an ongoing task in every company and organization. For small and medium-sized enterprises, this task is challenging because of its complexity and the related costs. Especially the risk assessment of threats and the choice of appropriate countermeasures is hard to handle by this kind of enterprises. Using the example of a ransomware attack, this paper describes how to use a method for risk assessment on the basis of attack defence graphs and Monte Carlo simulations. The details of the simulation algorithm are explained and formal aspects are considered.

show abstract

Using Attack-Defense Trees to Analyze Threats and Countermeasures in an ATM: A Case Study

Cited by 45 publications

References 17 publications

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels

Attribute evaluation on attack trees with incomplete information

Using an Extended Attack Defense Graph Model to Estimate the Risk of a Successful Attack on an IT Infrastructure

Contact Info

Product

Resources

About