Abstract
The success of a security attack crucially depends on the resources available to an attacker: time, budget, skill level, and risk appetite. Insight into these dependencies and the most vulnerable system parts is key to providing effective countermeasures.
This paper considers attack trees, one of the most prominent security formalisms for threat analysis. We provide an effective way to compute the resources needed for a successful attack, as well as the associated attack paths. These paths provide the optimal ways, from the perspective of the attacker, to attack the system, and provide a ranking of the most vulnerable system parts.
By exploiting the priced timed automaton model checker Uppaal CORA, we realize important advantages over earlier attack tree analysis methods: we can handle more complex gates, temporal dependencies between attack steps, shared subtrees, and realistic, multi-parametric cost structures. Furthermore, due to its compositionality, our approach is flexible and easy to extend.
We illustrate our approach with several standard case studies from the literature, showing that our method agrees with existing analyses of these cases, and can incorporate additional data, leading to more informative results.
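As an added illustration (not code from the paper, which uses Uppaal CORA rather than enumeration), the following brute-force sketch shows why shared subtrees and multi-parameter attacker profiles matter when computing the cheapest attack. The tree, the costs, the skill levels and all function names are constructed for this example; timing and sequential gates are not modelled.

```python
from itertools import product

# Constructed sample data (not from the paper): leaf -> (cost, required skill 1-5)
LEAVES = {
    "get_credentials": (300, 2),
    "bypass_2fa": (200, 4),
    "steal_badge": (250, 1),
    "pick_lock": (100, 3),
    "copy_database": (50, 2),
}
# Gate -> (type, children). "get_credentials" is shared by two subtrees.
GATES = {
    "steal_data": ("AND", ["gain_access", "exfiltrate"]),
    "gain_access": ("OR", ["remote_login", "enter_server_room"]),
    "remote_login": ("AND", ["get_credentials", "bypass_2fa"]),
    "enter_server_room": ("AND", ["steal_badge", "pick_lock"]),
    "exfiltrate": ("AND", ["get_credentials", "copy_database"]),
}

def attack_sets(node):
    """All sets of leaf steps that achieve `node`; a shared leaf appears once."""
    if node in LEAVES:
        return {frozenset([node])}
    kind, children = GATES[node]
    options = [attack_sets(c) for c in children]
    if kind == "OR":
        return set().union(*options)
    return {frozenset().union(*combo) for combo in product(*options)}

def cost(attack):
    return sum(LEAVES[step][0] for step in attack)

def skill(attack):
    return max(LEAVES[step][1] for step in attack)

def naive_cost(node):
    """Bottom-up min/sum that treats the DAG as a tree and double-counts shared steps."""
    if node in LEAVES:
        return LEAVES[node][0]
    kind, children = GATES[node]
    values = [naive_cost(c) for c in children]
    return min(values) if kind == "OR" else sum(values)

def cheapest_attack(root, budget, max_skill):
    """Cheapest attack set within the attacker's budget and skill, or None."""
    feasible = [a for a in attack_sets(root)
                if cost(a) <= budget and skill(a) <= max_skill]
    return min(feasible, key=lambda a: (cost(a), sorted(a)), default=None)
```

On this constructed tree the naive bottom-up pass reports 700 and favours the physical route, while counting the shared credential step once gives 550 via the remote route; capping attacker skill at 3 moves the optimum back to the physical route.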
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Kumar, R., Ruijters, E., Stoelinga, M. (2015). Quantitative Attack Tree Analysis via Priced Timed Automata. In: Sankaranarayanan, S., Vicario, E. (eds) Formal Modeling and Analysis of Timed Systems. FORMATS 2015. Lecture Notes in Computer Science, vol 9268. Springer, Cham. https://doi.org/10.1007/978-3-319-22975-1_11
DOI: https://doi.org/10.1007/978-3-319-22975-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22974-4
Online ISBN: 978-3-319-22975-1
eBook Packages: Computer Science, Computer Science (R0)