Attack Tree Analysis Research Articles

Identification of Security Scenarios in offshore Oil&Gas production facilities based on past incident analysis

Offshore Oil&Gas installations may be attractive targets of intentional attacks due to their presence in socio-political sensitive areas, their economic significance, and the high impact of scenarios that can be triggered by the mismanagement of the hazardous substances handled (e.g., crude oil, natural gas, etc.). In the present study, a new dataset including 112 past security-related incidents that affected the offshore Oil&Gas sector in the last decades was developed and analyzed using Exploratory Data Analysis (EDA), Root Cause Analysis (RCA), and Attack Tree Analysis (ATA). Significant differences were found in the types of threats and attack modes, with terrorism identified as the primary threat, followed by robbery and kidnapping. The identified scenarios caused fatalities, injuries, and asset damages at the targeted facilities, underscoring their potential to cause severe impacts, comparable to the outcomes of safety-related accidents. Tables linking identified attack modes, scenarios, and consequences specific contribution to the SVA workflow proposed by the API Recommended Practices 70 and 70I were obtained. Overall, the results obtained support the application of suitable Security Vulnerability/Risk Assessment (SVA/SRA) methodologies concerning the identification and characterization of adversaries, the definition of attack modes, the evaluation of effectiveness of existing security barriers, and the assessment of consequences.

Complying with ISO 26262 and ISO/SAE 21434: A Safety and Security Co-Analysis Method for Intelligent Connected Vehicle.

A cyber-physical system (CPS) integrates communication and automation technologies into the operational processes of physical systems. Nowadays, as a complex CPS, an intelligent connected vehicle (ICV) may be exposed to accidental functional failures and malicious attacks. Therefore, ensuring the ICV's safety and security is crucial. Traditional safety/security analysis methods, such as failure mode and effect analysis and attack tree analysis, cannot provide a comprehensive analysis for the interactions between the system components of the ICV. In this work, we merge system-theoretic process analysis (STPA) with the concept phase of ISO 26262 and ISO/SAE 21434. We focus on the interactions between components while analyzing the safety and security of ICVs to reduce redundant efforts and inconsistencies in determining safety and security requirements. To conquer STPA's abstraction in describing causal scenarios, we improved the physical component diagram of STPA-SafeSec by adding interface elements. In addition, we proposed the loss scenario tree to describe specific scenarios that lead to unsafe/unsecure control actions. After hazard/threat analysis, a unified risk assessment process is proposed to ensure consistency in assessment criteria and to streamline the process. A case study is implemented on the autonomous emergency braking system to demonstrate the validation of the proposed method.

Efficient and Generic Algorithms for Quantitative Attack Tree Analysis

Numerous analysis methods for quantitative attack tree analysis have been proposed. These algorithms compute relevant security metrics, i.e. performance indicators that quantify how good the security of a system is; typical metrics being the most likely attack, the cheapest, or the most damaging one. However, existing methods are only geared towards specific metrics or do not work on general attack trees. This paper classifies attack trees in two dimensions: proper trees vs. directed acyclic graphs (i.e. with shared subtrees); and static vs. dynamic gates. For three out of these four classes, we propose novel algorithms that work over a generic attribute domain, encompassing a large number of concrete security metrics defined on the attack tree semantics; dynamic attack trees with directed acyclic graph structure are left as an open problem. We also analyse the computational complexity of our methods.

Explanation of Student Attendance AI Prediction with the Isabelle Infrastructure Framework

Right from the beginning, attendance has played an important role in the education systems, not only in student success but in the overall interest of the matter. Although all schools try to accentuate good attendance, still some schools find it hard to achieve the required level (96% in UK) of average attendance. The most productive way of increasing the pupils′ attendance rate is to predict when it is going to go down, understand the reasons—why it happened—and act on the affecting factors so as to prevent it. Artificial intelligence (AI) is an automated machine learning solution for different types of problems. Several machine learning (ML) models like logistic regression, decision trees, etc. are easy to understand; however, complicated (Neural Network, BART etc.) ML models are not transparent but are black-boxes for humans. It is not always evident how machine intelligence arrived at a decision. However, not always, but in critical applications it is important that humans can understand the reasons for such decisions. In this paper, we present a methodology on the application example of pupil attendance for constructing explanations for AI classification algorithms. The methodology includes building a model of the application in the Isabelle Insider and Infrastructure framework (IIIf) and an algorithm (PCR) that helps us to obtain a detailed logical rule to specify the performance of the black-box algorithm, hence allowing us to explain it. The explanation is provided within the logical model of the IIIf, thus is suitable for human audiences. It has been shown that the RR-cycle of IIIf can be adapted to provide a method for iteratively extracting an explanation by interleaving attack tree analysis with precondition refinement, which finally yields a general rule that describes the decision taken by a black-box algorithm produced by Artificial intelligence.

STRIDE threat model-based framework for assessing the vulnerabilities of modern vehicles

Modern automobiles are becoming increasingly sophisticated with enhanced features. Modern car systems have hundreds of millions of lines of code, which increase the attack surface. To address this concern, this paper proposes a new cybersecurity analysis framework that complies with the ISO/SAE 21434:2021 standard. The framework uses the Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privileges (STRIDE) threat model, the Attack Tree Analysis (ATA) approach, and the Common Vulnerability Scoring System (CVSS) as a key score exploitation matrix to rate identified potential threats. To evaluate, the framework was applied, to real-life scenarios, to examine the possible cyber threats in Advanced Driver-Assistance Systems (ADAS). To assess, a tool was implemented to automate threat impact ratings, according to safety, operational, financial, privacy, and legislative metrics. It also automates attack feasibility ratings considering attack vectors, complexity, authentication, and risk level identification based on a five-by-five risk matrix. As a result, 199 potential threats were identified and addressed in, four targeted, ADAS-related use cases. For the Lane-Keeping safety-critical use case, as an example, five security requirements were elicited as countermeasures. These results show that ADAS in modern vehicles are vulnerable to cyberattacks.

THREATGET: Towards Automated Attack Tree Analysis for Automotive Cybersecurity

The automotive domain is moving away from simple isolated vehicles to interconnected networks of heterogeneous systems forming a complex transportation infrastructure. The additional means of communication result in increased attack surfaces which can be exploited by physical as well as remote attackers if not secured thoroughly. Thus, the automotive sector is exposed to new cyber risk factors. Consequently, joint approaches targeting securing vehicles and infrastructure by identifying and mitigating potential threats for the automotive domain have been developed in several research projects. This paper builds on developments originating from these projects and correlated standards and regulations. Moreover, the extension of an existing threat modeling tool—THREATGET—with a novel automated approach toward attack propagation will be introduced. Therefore, we will conduct an analysis of a real-world example from the automotive domain. Furthermore, we will identify and analyze potential threats and discuss their accumulation to automatically generate an attack tree.

A Framework for Modeling and Detecting Security Vulnerabilities in Human-Machine Pair Programming

<p>To detect and mitigate security vulnerabilities early in the coding phase is an important strategy for secure software development. Existing solutions typically focus on finding certain vulnerabilities in certain computer systems without giving a systematic way of handling different types of vulnerabilities. In this paper, we present a framework for systematically modeling and detecting potential security vulnerabilities during the construction of programs using a particular programming paradigm known as Human-Machine Pair Programming. The framework provides designers with a general way of modeling a class of attacks in detail, and shows how programmers can discover and fix a vulnerability in a timely manner. Specifically, our framework advocates three primary steps: (1) generating an attack tree to model a given security threat, (2) constructing vulnerability-matching patterns based on the result of the attack tree analysis, and (3) detecting corresponding vulnerabilities based on the patterns during the program construction. We also present a case study to demonstrate how it works in practice.</p> <p> </p>

Towards enhanced threat modelling and analysis using a Markov Decision Process

The complexity of socio-technical systems using Ambient Intelligence (AmI) and the Internet of Things (IoT) is growing exponentially, involving numerous entities, such as humans, infrastructures, and cyber systems. Achieving and maintaining a specified level of security and privacy in such systems is challenging and crucial. Attack Tree is a powerful technique used in safety and reliability engineering. In this paper, we attempted to enhance Attack Tree analysis by transforming it into a Markov Decision Process (MDP) model. We propose an algorithm to transform an Attack Tree into an MDP model. We argue that formal methods, such as probabilistic model checking can significantly improve the security analysis capabilities. Moreover, the mixture of MDP and probabilistic model checking can overcome the limitations of Attack Trees, such as state explosion, scalability, and manual interaction. We used a probabilistic model checker, namely PRISM to model an attack scenario and perform security analysis on it. To demonstrate the significance, we took a real-world use case and performed a probabilistic analysis on it. The results revealed that formal analysis can prove certain properties, which were not possible to verify using attack trees.

Method for Attack Tree Data Transformation and Import Into IT Risk Analysis Expert Systems

Information technology (IT) security risk analysis preventatively helps organizations in identifying their vulnerable systems or internal controls. Some researchers propose expert systems (ES) as the solution for risk analysis automation since risk analysis by human experts is expensive and timely. By design, ES need a knowledge base, which must be up to date and of high quality. Manual creation of databases is also expensive and cannot ensure stable information renewal. These facts make the knowledge base automation process very important. This paper proposes a novel method of converting attack trees to a format usable by expert systems for utilizing the existing attack tree repositories in facilitating information and IT security risk analysis. The method performs attack tree translation into the Java Expert System Shell (JESS) format, by consistently applying ATTop, a software bridging tool that enables automated analysis of attack trees using a model-driven engineering approach, translating attack trees into the eXtensible Markup Language (XML) format, and using the newly developed ATES (attack trees to expert system) program, performing further XML conversion into JESS compatible format. The detailed method description, along with samples of attack tree conversion and results of conversion experiments on a significant number of attack trees, are presented and discussed. The results demonstrate the high method reliability rate and viability of attack trees as a source for the knowledge bases of expert systems used in the IT security risk analysis process.

Comparative Analysis of Threat Modeling Methods for Cloud Computing towards Healthcare Security Practice

Healthcare organizations consist of unique activities including collaborating on patients care and emergency care. The sector also accumulates high sensitive multifaceted patients’ data such as text reports, radiology images and pathological slides. The large volume of the data is often stored as Electronic Health Records (EHR) which must be frequently updated while ensuring higher percentage up-time for constant availability of patients’ records. Healthcare as a critical infrastructure also needs highly skilled IT personnel, Information and Communication Technol-ogy (ICT) and infrastructure with regular maintenance culture. Fortunately, cloud computing can provide these necessary services at a lower cost. But with all thees enormous benefits of cloud computing, it is characterized with various information security issues which is not enticing to healthcare. Amid many threat modelling methods, which of them is suitable for identifying cloud related threats towards the adoption of cloud computing for healthcare? This paper compared threat modelling methods to determine their suitability for identifying and managing healthcare related threats in cloud computing. Threat modelling in pervasive computing (TMP) was identified to be suitable and can be combined with Attack Tree (AT), Attack Graph (AG) and Practical Threat Analysis (PTA) or STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege). Also Attack Tree (AT) could be complemented with TMP, AG and STRIDE or PTA. Healthcare IT security professionals can hence rely on these methods in their security practices, to identify cloud related threats for healthcare. Essentially, privacy related threat modeling methods such as LINDDUN framework, need to be included in these synergy of cloud related threat modelling methods towards enhancing security and privacy for healthcare needs.

制御システムセキュリティ対策自己評価ツール「J-CLICS（攻撃経路対策編）」の作成

制御システムセキュリティ対策自己評価ツール「J-CLICS（攻撃経路対策編）」の作成

Beyond 2014

Attack trees are a well established and commonly used framework for security modeling. They provide a readable and structured representation of possible attacks against a system to protect. Their hierarchical structure reveals common features of the attacks and enables quantitative evaluation of security, thus highlighting the most severe vulnerabilities to focus on while implementing countermeasures. Since in real-life studies attack trees have a large number of nodes, their manual creation is a tedious and error-prone process, and their analysis is a computationally challenging task. During the last half decade, the attack tree community witnessed a growing interest in employing formal methods to deal with the aforementioned difficulties. We survey recent advances in graphical security modeling with focus on the application of formal methods to the interpretation, (semi-)automated creation, and quantitative analysis of attack trees and their extensions. We provide a unified description of existing frameworks, compare their features, and outline interesting open questions.

Attack Tree Design and Analysis of Offshore Oil and Gas Process Complex SCADA System

Attack Tree Design and Analysis of Offshore Oil and Gas Process Complex SCADA System

Vulnerability Analysis for the Authentication Protocols in Trusted Computing Platforms and a Proposed Enhancement of the OffPAD Protocol

Trusted computing architecture ensures the behavior of software that runs on a user machine by protecting software-level attacks. Due to the potential of exposing a user’s private information while accessing a system, many studies have focused on analyzing existing protocols to develop new methods based on biometrics or additional devices to add new layers of security to the authentication process. For a few years, the idea of utilizing the combination of something you know with something you have and a personal authentication device (PAD) has become common in verification protocols. Very recently, a more secure PAD, namely the Offline Personal Authentication Device (OffPAD), was invented to improve the authentication process. This single device can be used to manage the identities of both users and service providers as well as support the authentication process, while being offline most of the time. In this paper, a rigorous vulnerability analysis for OffPAD-based authentication techniques is conducted using an attack tree analysis. Finally, to overcome the vulnerabilities, mitigation techniques are proposed.

A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie – combining new version of attack tree with bowtie analysis

The introduction of connected systems and digital technology in process industries creates new cyber-security vulnerabilities that can be exploited by sophisticated threats and lead to undesirable safety accidents. Thus, identifying these vulnerabilities during risk analysis becomes an important part for effective industrial risk evaluation. However, nowadays, safety and security are analyzed separately when they should not be. This is because a security threat can lead to the same dangerous phenomenon as a safety incident. In this paper, a new method that considers safety and security together during industrial risk analysis is proposed. This approach combines bowtie analysis, commonly used for safety analysis, with a new extended version of attack tree analysis, introduced for security analysis of industrial control systems. The combined use of bowtie and attack tree provides an exhaustive representation of risk scenarios in terms of safety and security. We then propose an approach for evaluating the risk level based on two-term likelihood parts, one for safety and one for security. The application of this approach is demonstrated using the case study of a risk scenario in a chemical facility.

Security risk assessment framework for smart car using the attack tree analysis

As the automobile industry has recently adopted information technologies, the latter are being used to replace mechanical systems with electronically-controlled systems. Moreover, automobiles are evolving into smart cars or connected cars as they are connected to various IT devices and networks such as VANET (Vehicular Ad hoc NETwork). Although there were no concerns about the hacking of automobiles in the past, various security threats are now emerging as electronic systems are gradually filling up the interiors of many automobiles, which are in turn being connected to external networks. As such, researchers have begun studying smart car security, leading to the disclosure of security threats through the testing or development of various automobile security technologies. However, the security threats facing smart cars do not occur frequently and, practically speaking, it is unrealistic to attempt to cope with every possible security threat when considering such factors as performance, compatibility, and so forth. Moreover, the excessive application of security technology will increase the overall vehicle cost and lower the effectiveness of investment. Therefore, smart car security risks should be assessed and prioritized to establish efficient security measures. To that end, this study constructed a security risk assessment framework in a bid to establish efficient measures for smart car security. The proposed security risk assessment framework configured the assessment procedure based on the conventional security risk analysis model GMITS (ISO13335) and utilized ‘attack tree analysis’ to assess the threats and vulnerabilities. The security risk assessment framework used the results of an asset analysis, threat/vulnerability analysis, and risk analysis to finally assess the risk and identify the risk rating. Moreover, it actually applied the proposed framework to assess security risks concerning targeted increases in vehicle velocity and leakages of personal information, which are the leading threats faced by smart cars. Here, the framework was applied to vehicle velocity increase and personal information leakage, which are the leading threats.

Technique of rapid construction, modification and analysis of attack trees

Application of modeling techniques of network attacks is a promising task in information security. This paper describes an approach to analytical modeling of network-based attacks trees. The novelty of the proposed method lays in the possibility of its application for systems operating in near real time mode. The paper describes the main domain models and algorithms of attack trees construction and modification.

Detection of red attack stage mountain pine beetle infestation with high spatial resolution satellite imagery

The on-going mountain pine beetle outbreak in British Columbia, Canada, has reached historic proportions. There is an operational need for efficient and cost-effective methods to identify red attack trees in these areas. In this paper, we examine the use of an unsupervised clustering 4-m multispectral IKONOS imagery for the detection of mountain pine beetle red attack at sites with low and medium levels of attack. Independent validation data were collected from aerial photography and were used to determine the accuracy with which mountain pine beetle red attack could be detected using the multispectral IKONOS imagery. Concentric buffers, in 1-m increments to a maximum of 4 m, were applied to red attack pixels to characterize attribute accuracy as a function of positional accuracy. When a one-pixel buffer (4 m) is applied, the accuracy with which mountain pine beetle red attack could be detected using the multispectral IKONOS imagery was 71% (low attack) and 92% (medium attack). Analysis of red attack trees that were omitted in the analysis of the multispectral IKONOS image indicated that detection of red attack was most effective for larger tree crowns (diameter > 1.5 m) that were less than 11 m from other red attack trees. These results demonstrate that the unsupervised classification of mountain pine beetle red attack using multispectral IKONOS imagery is an operationally viable approach.