Attribute Decoration of Attack–Defense Trees

Attribute Decoration of Attack–Defense Trees

Alessandra Bagnato, Barbara Kordy, Per Håkon Meland, Patrick Schweitzer
Copyright: © 2012 |Pages: 35
DOI: 10.4018/jsse.2012040101
(Individual Articles)
No Current Special Offers


Attack–defense trees can be used as part of threat and risk analysis for system development and maintenance. They are an extension of attack trees with defense measures. Moreover, tree nodes can be decorated with attributes, such as probability, impact, and penalty, to increase the expressiveness of the model. Attribute values are typically assigned based on cognitive estimations and historically recorded events. This paper presents a practical case study with attack–defense trees. First, the authors create an attack–defense tree for an RFID-based goods management system for a warehouse. Then, they explore how to use a rich set of attributes for attack and defense nodes and assign and aggregate values to obtain condensed information, such as performance indicators or other key security figures. The authors discuss different modeling choices and tradeoffs. The case study led them to define concrete guidelines that can be used by software developers, security analysts, and system owners when performing similar assessments.
Article Preview

1. Introduction

The security of any sufficiently valuable system is not static. To keep a system secure, it has to be protected against an increasing number of threats of growing complexity. As defenses are added to the system, more sophisticated attacks break these defensive measures anew. To cope with the resulting, intricate systems, a formal modeling and evaluation approach become indispensable.

One of the formal approaches to assess a system’s security is the attack–defense tree (ADTree) methodology. ADTrees focus on the interaction between two types of players, attackers and defenders, while keeping the complexity of the formalism at a minimum (Kordy et al., 2011b). They are a compromise between attack trees, which are too restrictive in their modeling capabilities, and petri-nets, where modeling is quite intricate and computationally complex. ADTrees retain the easily understandable tree structure and are therefore especially useful in an interdisciplinary work environment, where an intuitive understanding of the system is as important as formal foundations. ADTrees even allow a rough first assessment of a system’s security purely based on the visual representation of the scenario, making it easy to spot missing or redundant defenses. The theoretical aspects of the ADTree methodology have already been extensively studied by Kordy et al. (2010, 2011a, 2011b).

The purpose of this paper is to present experiences and provide practical recommendations on the use of attributes in ADTrees. Attributes are the part of the ADTree formalism that allows quantitative analysis, something that is of great value for risk analysis either during planning, development or maintenance of a system. There are numerous security attributes to be found in the literature today, and through a case study we show how a selection of them can be applied, how values are assigned to nodes and how they are used for quantitative analysis. Knowing which attributes to choose and how to estimate their values is a non-trivial challenge and is addressed in detail. Attributes are used to answer questions such as: Is it possible to attack the system? How much would it cost to prevent one or all attacks or implement one or all defenses? How long does it take to secure the entire system? We are interested in extending these answerable questions to bivariate questions, i.e., questions where inputs from attackers and defenders are needed. This, for example, includes questions such as: Given a limited defense budget, can the defender at least defend against some attacks? How does the scenario change in case of a power outage?

The case study was based on an operational Radio-Frequency Identification (RFID) system for goods management in a warehouse, taking technical, physical and social engineering aspects into account. There were four players from both academia and industry involved, taking roles as defenders and attackers.

The rest of the paper is structured as follows. This section continues with a summary of the theoretical foundations of ADTrees and concludes with a short literature review on related work. In Section ‎2, we review some of the attributes that can be found in the literature and elaborate on different calculation methods. In Section ‎3, we present the case study scenario and the corresponding ADTree. Section ‎4 shows the attribute decoration and calculation of values for the ADTree. The results of the case study are discussed in Section ‎5 and we conclude and synthesize our recommendations in Section ‎6.

  • IGI Global’s Sixth Annual Excellence in Research Journal Awards
    IGI Global’s Sixth Annual Excellence in Research Journal AwardsHonoring outstanding scholarship and innovative research within IGI Global's prestigious journal collection, the Sixth Annual Excellence in Research Journal Awards brings attention to the scholars behind the best work from the 2013 copyright year.

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing