1. Introduction
The security of any sufficiently valuable system is not static. To keep a system secure, it has to be protected against an increasing number of threats of growing complexity. As defenses are added to the system, more sophisticated attacks break these defensive measures anew. To cope with the resulting, intricate systems, a formal modeling and evaluation approach becomes indispensable.
One of the formal approaches to assess a system’s security is the attack–defense tree (ADTree) methodology. ADTrees focus on the interaction between two types of players, attackers and defenders, while keeping the complexity of the formalism at a minimum (Kordy et al., 2011b). They are a compromise between attack trees, which are too restrictive in their modeling capabilities, and Petri nets, where modeling is quite intricate and computationally complex. ADTrees retain the easily understandable tree structure and are therefore especially useful in an interdisciplinary work environment, where an intuitive understanding of the system is as important as formal foundations. ADTrees even allow a rough first assessment of a system’s security based purely on the visual representation of the scenario, making it easy to spot missing or redundant defenses. The theoretical aspects of the ADTree methodology have already been extensively studied by Kordy et al. (2010, 2011a, 2011b).
The purpose of this paper is to present experiences and provide practical recommendations on the use of attributes in ADTrees. Attributes are the part of the ADTree formalism that allows quantitative analysis, something that is of great value for risk analysis either during planning, development or maintenance of a system. There are numerous security attributes to be found in the literature today, and through a case study we show how a selection of them can be applied, how values are assigned to nodes and how they are used for quantitative analysis. Knowing which attributes to choose and how to estimate their values is a non-trivial challenge and is addressed in detail. Attributes are used to answer questions such as: Is it possible to attack the system? How much would it cost to prevent one or all attacks or implement one or all defenses? How long does it take to secure the entire system? We are interested in extending these answerable questions to bivariate questions, i.e., questions where inputs from attackers and defenders are needed. This, for example, includes questions such as: Given a limited defense budget, can the defender at least defend against some attacks? How does the scenario change in case of a power outage?
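As an added illustration (not code from the paper or its case study), the following evaluator computes one attribute, the attacker's minimal cost, bottom-up over a small constructed ADTree and then answers a bivariate question of the kind mentioned above: which defenses, within a given budget, raise the attacker's minimal cost the most. The tree, the costs and the simplified countermeasure semantics (a deployed defense blocks an attack node unless the attacker also carries out the defense's own counter-attack, whose cost is added) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional, Set, Tuple

@dataclass
class Node:
    name: str
    actor: str                        # "A" attacker node, "D" defender node
    op: str = "OR"                    # refinement of children: "OR" or "AND"
    cost: float = 0.0                 # leaf cost: attack effort or defense deployment cost
    children: List["Node"] = field(default_factory=list)
    counter: Optional["Node"] = None  # countermeasure by the opposite player

def attack_cost(node: Node, deployed: Set[str]) -> float:
    """Bottom-up minimal attacker cost: OR = cheapest child, AND = sum of children.
    A deployed defense blocks the node (inf) unless the attacker also pays for the
    defense's counter-attack (assumed semantics for this example)."""
    parts = [attack_cost(c, deployed) for c in node.children]
    base = node.cost if not parts else (min(parts) if node.op == "OR" else sum(parts))
    d = node.counter
    if d is not None and d.name in deployed:
        base += attack_cost(d.counter, deployed) if d.counter else float("inf")
    return base

def defences(node: Node) -> List[Node]:
    """Collect every defender node in the tree (defenses are leaves here)."""
    found = [node] if node.actor == "D" else []
    for n in node.children + ([node.counter] if node.counter else []):
        found += defences(n)
    return found

def best_defence(root: Node, budget: float) -> Tuple[frozenset, float]:
    """Bivariate question: defense set within `budget` maximising the attacker's minimal cost."""
    ds = defences(root)
    options = [frozenset()] + [frozenset(d.name for d in c) for k in range(1, len(ds) + 1)
               for c in combinations(ds, k) if sum(d.cost for d in c) <= budget]
    return max(((names, attack_cost(root, names)) for names in options), key=lambda p: p[1])

# Constructed toy scenario (not the paper's case study); costs are in arbitrary units.
ROOT = Node("steal tagged goods", "A", "OR", children=[
    Node("clone a tag", "A", "AND",
         children=[Node("read tag", "A", cost=2), Node("write clone", "A", cost=3)],
         counter=Node("encrypt tag data", "D", cost=5, counter=Node("break key", "A", cost=20))),
    Node("walk out with goods", "A", cost=4, counter=Node("gate reader alarm", "D", cost=6)),
    Node("social-engineer clerk", "A", cost=8,
         counter=Node("staff training", "D", cost=3, counter=Node("bribe clerk", "A", cost=15))),
])
```

With no defenses deployed the cheapest attack costs 4; a budget of 6 is best spent on the gate alarm (attacker cost 5), and only the full budget of 14 forces the attacker to cost 23.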
The case study was based on an operational Radio-Frequency Identification (RFID) system for goods management in a warehouse, taking technical, physical and social engineering aspects into account. Four players from both academia and industry were involved, taking the roles of defenders and attackers.
The rest of the paper is structured as follows. This section continues with a summary of the theoretical foundations of ADTrees and concludes with a short literature review on related work. In Section 2, we review some of the attributes that can be found in the literature and elaborate on different calculation methods. In Section 3, we present the case study scenario and the corresponding ADTree. Section 4 shows the attribute decoration and calculation of values for the ADTree. The results of the case study are discussed in Section 5 and we conclude and synthesize our recommendations in Section 6.