Abstract
Ensuring security of complex systems is a difficult task that requires utilization of numerous tools originating from various domains. Among those tools we find attack–defense trees, a simple yet practical model for analysis of scenarios involving two competing parties. Enhancing the well-established model of attack trees, attack–defense trees are trees with labeled nodes, offering an intuitive representation of possible ways in which an attacker can harm a system, and means of countering the attacks that are available to the defender. The growing palette of methods for quantitative analysis of attack–defense trees provides security experts with tools for determining the most threatening attacks and the best ways of securing the system against those attacks. Unfortunately, many of those methods might fail or provide the user with distorted results if the underlying attack–defense tree contains multiple nodes bearing the same label. We address this issue by studying conditions ensuring that the standard bottom-up evaluation method for quantifying attack–defense trees yields meaningful results in the presence of repeated labels. For the case when those conditions are not satisfied, we devise an alternative approach for quantification of attacks.
Highlights
Beginning with 19th century chemistry and a groundbreaking work of Cayley, who used them for the purposes of enumeration of isomers, trees – connected acyclic graphs – have a long history of application to various domains. Those include safety analysis of systems using the model of fault trees [10], developed in 1960s, and security analysis with the assistance of the attack trees, which the fault trees inspired
The objective of the current paper is to address the problem of quantitative analysis of attack–defense trees with repeated labels
Among methods for quantitative analysis of scenarios modeled with attack– defense trees are so called attributes, introduced intuitively by Schneier in [26] and formalized for attack trees in [15,22], and for attack–defense trees in [18]
Summary
Beginning with 19th century chemistry and a groundbreaking work of Cayley, who used them for the purposes of enumeration of isomers, trees – connected acyclic graphs – have a long history of application to various domains. Attack– defense trees enhance attack trees with nodes labeled with goals of a defender, enabling modeling of interactions between the two competing actors They have been used to evaluate the security of real-life systems, such as ATMs [7], RFID managed warehouses [4] and cyber-physical systems [16]. Bossuat and Kordy have established a classification of repeated labels in attack– defense trees, depending on whether the corresponding nodes represent exactly the same instance or different instances of a goal [5] They point out that, if the meaning of repeated labels is not properly specified, the fast, bottom-up method for identifying attacks that optimize an attribute (e.g., minimal cost, probability of success, etc.), as used in [15,18,22], might yield tainted results.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
