Attack-defense trees

Abstract

The advent of the information age has notably amplified the importance of security. Unfortunately security considerations still widely occur as an afterthought. For many companies, security is not a requirement to conduct business and is therefore readily neglected. However the lack of security may obstruct, impede and even ruin an otherwise flourishing enterprise. Only when internal computer networks shut down, web portals are inaccessible, mail servers are attacked, or similar incidents affect the day to day business of an enterprise, security enters into the field of vision of companies. As such, security by design is only slowly becoming accepted practice. Amongst security researchers, there is no dispute that a reasonable approach to- wards uninterrupted business activities includes security measures and controls from the beginning. To support these efforts, many security models have been developed. Graphical security models are a type of security model that help illus- trate and guide the consideration of security throughout the lifecycle of a product, system or company. Their visual properties are especially well-suited to elucidate security requirements and corresponding security measures. During the last four years, we have developed a new graphical security model called attack–defense trees. The new framework, presented in this thesis, generalizes the well-known attack trees model. Attack–defense trees formally extend attack trees and enhance them with defenses. To be able to deploy attack–defense trees as a security support tool, we have equipped them with three different syntaxes: A visually appealing, graph-based syntax that is dedicated to representing security problems, an algebraic, term-based syntax that simplifies correct, formal and quantitative analysis of security scenarios and a textual syntax that is a compromise between succinct, visual representation and easy, computerized input. We have also equipped attack–defense trees with a variety of semantics. This became necessary, since different applications require different interpretations of attack–defense trees. Besides the very specific and problem oriented propositional, De Morgan and multiset semantics, we have introduced equational semantics. The latter semantics is, in fact, an alternative, unified presentation of semantics based on equational theory. We have expressed the propositional and the multiset seman- tics in terms of the equational semantics. This facilitates algorithmic treatment since the two different semantics have a unified formal foundation. To be able to perform quantitative security analysis, we have introduced the notion of an attribute for attack–defense trees. To guarantee that the evaluation of an attribute on two or more semantically equal attack–defense trees results in the same value, we have introduced the notion of a compatibility condition between semantics and attributes. We have also provided usability guidelines for attributes. These guidelines help a user to specify security-relevant questions that can unambiguously be answered using attributes. We have performed several case studies that allowed us to test and improve the attack–defense tree methodology. We have provided detailed explanations for our design choices during the case studies as well as extensive applicability guidelines that serve a prospective user of the attack–defense tree methodology as a user manual. We have demonstrated the usefulness of the formal foundations of attack–defense trees by relating attack–defense terms to other scientific research disciplines. Con- cretely, we have shown that attack–defense trees in the propositional semantics are computationally as complex as propositional attack trees. Moreover, we have described how to merge Bayesian networks with attack–defense trees and have il- lustrated that attack–defense trees in the propositional semantics are equivalent to a specific class of games frequently occurring in game theory. Concluding the thesis, we have related the attack–defense tree methodology to other graphical security models in an extensive literature overview over similar methodologies.