The document introduces attack-defense trees (ADTrees) as a graphical representation of attacks on a system and defenses against those attacks. ADTrees extend traditional attack trees by allowing defenses as well as attacks. The key features of ADTrees are the representation of refinements, where a node's goal can be refined into subgoals, and countermeasures, where a node can have a child of the opposite type representing a counter to that node. Several semantics for evaluating properties of ADTrees are presented. The formalization of ADTrees includes attack-defense terms (ADTerms) that can represent ADTrees structurally.
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...IJCSES Journal
Nowadays, safety and security have become a requirement, integrated to each other, for information systems as a new generation of infrastructure systems distributed throughout networks. That opened the door for questions on whether these systems are safety-critical especially since they were tested in a closed, separated environment and are now deployed in an uncontrollable environment, namely the internet, where the number of threats is enormous. So it opened the door to talk about new development approach methods that take safety and security into consideration during the system development life cycle and most importantly, identifying hazard, risks and threats. We will conduct a survey exploring technical languages that were created by the scholars to combine safety and security requirement engineering and accident analysis technique languages.
Against MindsetArne Padmos[email protected]ABSTRACTT.docxdaniahendric
Against Mindset
Arne Padmos
[email protected]
ABSTRACT
The security field has adopted the social construct of the security
mindset: the idea that there exists a single attitude that allows
individuals to think like an attacker. However, there is little evidence
that the security mindset is an appropriate construct. We suggest
an alternative approach, consisting of multiple security-relevant
attitudes, which are linked to security roles within the systems
development life-cycle. To illustrate the usefulness of our approach,
we show how the framework can be used to help shape curricula.
CCS CONCEPTS
Social and professional topics → Computing education
KEYWORDS
Security mindset, attitudes, curriculum design, alignment.
ACM Reference Format:
Arne Padmos. 2018. Against Mindset. In New Security Paradigms Workshop
(NSPW ’18), August 28–31, 2018, Windsor, UK. ACM Press, New York, USA.
OVERVIEW
This paper contributes:
• A novel framework for exploring the role that attitudes play in
supporting security within system development life-cycles.
• An alternative approach to the singular security mindset, based
on attitudes from other professions that serve as metaphors.
• A new taxonomy of roles, in which diverse security-relevant
archetypes, attitudes, responsibilities, and tasks are aligned.
Instead of using a single archetype to represent security profes-
sionals, we have chosen to move from one to many. Based on an
analysis of the system development life-cycle, we distilled several
archetypes with a role to play in ensuring the security of systems.
The set of attributes is derived from common ways of grouping
actors, with a preference for binary attributes to split groups along
broad lines within development processes.
1. Security analyst: takes an attacker perspective, looks at lower-
level implementations, checks whether things are done right.
2. Security engineer: takes a defender perspective, develops one
or more lower-level implementations, tries to do things right.
3. Security forecaster: tries to simulate offensive action, looks at
higher-level designs, sees whether the right thing was picked.
4. Security architect: tries to simulate defensive action, prototypes
higher-level designs, tries to pick the appropriate thing to do.
5. Security manager: has an overarching view, seeks alignment
with the business, tries to balance relationships within teams.
This paper is in the public domain. Copying or redistribution is allowed, provided that
the article citation is given and that the author is clearly identified as the source.
NSPW ’18, August 28–31, 2018, Windsor, UK
ACM ISBN 978-1-4503-6597-0/18/08
https://doi.org/10.1145/3285002.3285004
Using other, older professions as metaphors, relevant attitudes
for the archetypes were identified. These indicate that there is more
to security than the security mindset and the hacker ethic.
1. Security analyst: critical and independent, in line with the world
view of auditors, military intelligen ...
Stackelberg Security Games Looking Beyond a Decade of Success.docxsusanschei
Stackelberg Security Games: Looking Beyond a Decade of Success
Arunesh Sinha1, Fei Fang2, Bo An3, Christopher Kiekintveld4, Milind Tambe5
1 University of Michigan, 2 Carnegie Mellon University, 3 Nanyang Technological University,
4 University of Texas at El Paso, 5 University of Southern California
[email protected], [email protected], [email protected],
[email protected]tep.edu, [email protected]
Abstract
The Stackelberg Security Game (SSG) model has
been immensely influential in security research
since it was introduced roughly a decade ago.
Furthermore, deployed SSG-based applications are
one of most successful examples of game theory
applications in the real world. We present a broad
survey of recent technical advances in SSG and re-
lated literature, and then look to the future by high-
lighting the new potential applications and open re-
search problems in SSG.
1 Introduction
Game theory has long held the promise of improving intel-
ligent decision making for complex security problems. This
promise has been partially realized with application of Stack-
elberg Security Games (SSG) to a variety of security prob-
lems since 2006. Starting with the application of allocating
security resources to eight terminals of the Los Angeles In-
ternational Airport, recent advances in SSGs have enabled
solving problems of immense complexity such as protecting
biodiversity in conservation areas that span over 2500 square
kilometers [Fang and Nguyen, 2016] and screening 800 mil-
lion airport passengers annually throughout USA [Brown et
al., 2016]. In this survey, we walk through the various innova-
tions in the application of SSGs with an eye towards potential
applications and research challenges in the near future.
Security is a critical concern around the world, manifest-
ing in such examples as infrastructure and human life pro-
tection, wildlife protection, and protection against cyber at-
tacks. In all of these domains, the defender has limited se-
curity resources that preclude full security coverage of im-
portant potential targets at all times. Thus, allocations of lim-
ited security resources must be intelligent, taking into account
differences in priorities of targets requiring security cover-
age, the response of adversaries to the security posture based
on knowledge gained from surveillance, and potential uncer-
tainty over the types, capabilities, knowledge, and priorities
of adversaries faced. Casting these problems as a Stackelberg
game is the basis of a growing literature on models and so-
lution methods for solving these games to yield randomized
security policies.
The SSG model has flourished, with dozens of papers
on SSGs every year in major AI conferences1. The ap-
plications have also spread across countries and application
domains. As reported in conferences such IJCAI’17 and
2017 Conference on Decision and Game Theory for Secu-
rity (GameSec’17), the SSGs framework is now being tested
in Israel for traffic monitoring, and in.
OPTIMIZING AND ANALYSING THE EFFECTIVENESS OF SECURITY HARDENING MEASURES USI...IJNSA Journal
To cope up the network security measures with the financial restrictions in the corporate world is still a challenge. At global scenario the tradeoff between the protection of IT infrastructure and the financial boundation for any organization using IT as valuable resource is quite essential. Every organization has different security needs and different budgets for coping with that therefore whether it has to look as single objective or as multiple objectives with fault tolerant feature is a critical issue. In the present paper an attempt has been taken to optimize and analyze the effectiveness of security hardening measures considering attack tree model as base. In short we can say that the main attention in the paper is-to rectify, to describe the notations of the attack tree model and to suggest a model which may be able to quantitatively specify the possible threats as well as cost of the security control while implementing the security hardening measures.
Army Study: Ontology-based Adaptive Systems of Cyber DefenseRDECOM
The U.S. Army Research Laboratory is part of the U.S. Army Research, Development and Engineering Command, which has the mission to ensure decisive overmatch for unified land operations to empower the Army, the joint warfighter and our nation. RDECOM is a major subordinate command of the U.S. Army Materiel Command.
Your Name University of the Cumberlands ISOL634-25 P.docxnettletondevon
Your Name
University of the Cumberlands
ISOL634-25 Physical Security
Week 17 Discussion Board
Professor Richards
Date
What is defensible space?
According to Fennelly (2013), defensible space is a surrogate term for the range of
mechanisms real and symbolic barriers, strongly defined areas of influence, improved
opportunities for surveillance that combine to bring an environment under the control of its
residents. To provide maximum security and control over an area, it should first be divided into
smaller, clearly defined areas or zones, which describe the defensible space (Wayland, 2015).
What is Crime Prevention through Environmental Design?
Crime Prevention through Environmental Design (CPTED) is a multidisciplinary
approach to the reduction of crime and the associated enhancement of the perception of personal
safety by inhabitants of an environment (Tipton & Nozaki, 2007). White (2014) stated that
CPTED is a concept in the security industry, basically meaning that you may be able to reduce
criminal acts from occurring with the proper design and planning of an environment. In theory,
Commented [MR1]: (Ensure you indent)
Commented [MR2]: (This is how you cite in the body of
your sentence)
Commented [MR3]:
Commented [MR4]: (This is how you cite at the end of
your sentences.
Commented [MR5]: Please use sub-headers for each
question you are answering
Commented [MR6]: Last names and year only
Commented [MR7]: Please cite
Commented [MR8]: You need to have in-text citation to
support your work. Without in-text citation your work is not
credible
you can make changes to the physical environment that allow for better physical and operational
controls of the property; as a result, it can further your crime prevention strategies.
References
Fennelly, L. J. (2013). Effective physical security (Fourth edition. ed.). Amsterdam: Butterworth-
Heinemannis an imprint of Elsevier.
Tipton, H. F., & Nozaki, M. K. (2007). Information security management handbook (6th ed.).
Boca Raton: Auerbach Publications.
Wayland, B. A. (2015). Emergency preparedness for business professionals : How to mitigate
and respond to attacks against your organization (1st edition. ed.). Wlatham, MA:
Elsevier.
White, J. M. (2014). Security risk assessment : Managing physical and operational security.
Amsterdam ; Boston: Butterworth-Heinemann is an imprint of Elsevier.
Commented [MR9]: You must have in-text citations along
with a reference list and they must correspond with each
other
Commented [MR10]: Last names with abbreviated first
name and year
Your Name
University of the Cumberlands
ISOL634-25 Physical Security
Week 17 Discussion Board
Professor Richards
Date
What is defensible space?
According to Fennelly (2013), defensible space is a surrogate term for the range of
mechanisms real and symbolic barriers, strongly defined areas of influence, improved
opportu.
A SURVEY ON TECHNIQUES REQUIREMENTS FOR INTEGRATEING SAFETY AND SECURITY ENGI...IJCSES Journal
Nowadays, safety and security have become a requirement, integrated to each other, for information systems as a new generation of infrastructure systems distributed throughout networks. That opened the door for questions on whether these systems are safety-critical especially since they were tested in a closed, separated environment and are now deployed in an uncontrollable environment, namely the internet, where the number of threats is enormous. So it opened the door to talk about new development approach methods that take safety and security into consideration during the system development life cycle and most importantly, identifying hazard, risks and threats. We will conduct a survey exploring technical languages that were created by the scholars to combine safety and security requirement engineering and accident analysis technique languages.
Against MindsetArne Padmos[email protected]ABSTRACTT.docxdaniahendric
Against Mindset
Arne Padmos
[email protected]
ABSTRACT
The security field has adopted the social construct of the security
mindset: the idea that there exists a single attitude that allows
individuals to think like an attacker. However, there is little evidence
that the security mindset is an appropriate construct. We suggest
an alternative approach, consisting of multiple security-relevant
attitudes, which are linked to security roles within the systems
development life-cycle. To illustrate the usefulness of our approach,
we show how the framework can be used to help shape curricula.
CCS CONCEPTS
Social and professional topics → Computing education
KEYWORDS
Security mindset, attitudes, curriculum design, alignment.
ACM Reference Format:
Arne Padmos. 2018. Against Mindset. In New Security Paradigms Workshop
(NSPW ’18), August 28–31, 2018, Windsor, UK. ACM Press, New York, USA.
OVERVIEW
This paper contributes:
• A novel framework for exploring the role that attitudes play in
supporting security within system development life-cycles.
• An alternative approach to the singular security mindset, based
on attitudes from other professions that serve as metaphors.
• A new taxonomy of roles, in which diverse security-relevant
archetypes, attitudes, responsibilities, and tasks are aligned.
Instead of using a single archetype to represent security profes-
sionals, we have chosen to move from one to many. Based on an
analysis of the system development life-cycle, we distilled several
archetypes with a role to play in ensuring the security of systems.
The set of attributes is derived from common ways of grouping
actors, with a preference for binary attributes to split groups along
broad lines within development processes.
1. Security analyst: takes an attacker perspective, looks at lower-
level implementations, checks whether things are done right.
2. Security engineer: takes a defender perspective, develops one
or more lower-level implementations, tries to do things right.
3. Security forecaster: tries to simulate offensive action, looks at
higher-level designs, sees whether the right thing was picked.
4. Security architect: tries to simulate defensive action, prototypes
higher-level designs, tries to pick the appropriate thing to do.
5. Security manager: has an overarching view, seeks alignment
with the business, tries to balance relationships within teams.
This paper is in the public domain. Copying or redistribution is allowed, provided that
the article citation is given and that the author is clearly identified as the source.
NSPW ’18, August 28–31, 2018, Windsor, UK
ACM ISBN 978-1-4503-6597-0/18/08
https://doi.org/10.1145/3285002.3285004
Using other, older professions as metaphors, relevant attitudes
for the archetypes were identified. These indicate that there is more
to security than the security mindset and the hacker ethic.
1. Security analyst: critical and independent, in line with the world
view of auditors, military intelligen ...
Stackelberg Security Games Looking Beyond a Decade of Success.docxsusanschei
Stackelberg Security Games: Looking Beyond a Decade of Success
Arunesh Sinha1, Fei Fang2, Bo An3, Christopher Kiekintveld4, Milind Tambe5
1 University of Michigan, 2 Carnegie Mellon University, 3 Nanyang Technological University,
4 University of Texas at El Paso, 5 University of Southern California
[email protected], [email protected], [email protected],
[email protected]tep.edu, [email protected]
Abstract
The Stackelberg Security Game (SSG) model has
been immensely influential in security research
since it was introduced roughly a decade ago.
Furthermore, deployed SSG-based applications are
one of most successful examples of game theory
applications in the real world. We present a broad
survey of recent technical advances in SSG and re-
lated literature, and then look to the future by high-
lighting the new potential applications and open re-
search problems in SSG.
1 Introduction
Game theory has long held the promise of improving intel-
ligent decision making for complex security problems. This
promise has been partially realized with application of Stack-
elberg Security Games (SSG) to a variety of security prob-
lems since 2006. Starting with the application of allocating
security resources to eight terminals of the Los Angeles In-
ternational Airport, recent advances in SSGs have enabled
solving problems of immense complexity such as protecting
biodiversity in conservation areas that span over 2500 square
kilometers [Fang and Nguyen, 2016] and screening 800 mil-
lion airport passengers annually throughout USA [Brown et
al., 2016]. In this survey, we walk through the various innova-
tions in the application of SSGs with an eye towards potential
applications and research challenges in the near future.
Security is a critical concern around the world, manifest-
ing in such examples as infrastructure and human life pro-
tection, wildlife protection, and protection against cyber at-
tacks. In all of these domains, the defender has limited se-
curity resources that preclude full security coverage of im-
portant potential targets at all times. Thus, allocations of lim-
ited security resources must be intelligent, taking into account
differences in priorities of targets requiring security cover-
age, the response of adversaries to the security posture based
on knowledge gained from surveillance, and potential uncer-
tainty over the types, capabilities, knowledge, and priorities
of adversaries faced. Casting these problems as a Stackelberg
game is the basis of a growing literature on models and so-
lution methods for solving these games to yield randomized
security policies.
The SSG model has flourished, with dozens of papers
on SSGs every year in major AI conferences1. The ap-
plications have also spread across countries and application
domains. As reported in conferences such IJCAI’17 and
2017 Conference on Decision and Game Theory for Secu-
rity (GameSec’17), the SSGs framework is now being tested
in Israel for traffic monitoring, and in.
OPTIMIZING AND ANALYSING THE EFFECTIVENESS OF SECURITY HARDENING MEASURES USI...IJNSA Journal
To cope up the network security measures with the financial restrictions in the corporate world is still a challenge. At global scenario the tradeoff between the protection of IT infrastructure and the financial boundation for any organization using IT as valuable resource is quite essential. Every organization has different security needs and different budgets for coping with that therefore whether it has to look as single objective or as multiple objectives with fault tolerant feature is a critical issue. In the present paper an attempt has been taken to optimize and analyze the effectiveness of security hardening measures considering attack tree model as base. In short we can say that the main attention in the paper is-to rectify, to describe the notations of the attack tree model and to suggest a model which may be able to quantitatively specify the possible threats as well as cost of the security control while implementing the security hardening measures.
Army Study: Ontology-based Adaptive Systems of Cyber DefenseRDECOM
The U.S. Army Research Laboratory is part of the U.S. Army Research, Development and Engineering Command, which has the mission to ensure decisive overmatch for unified land operations to empower the Army, the joint warfighter and our nation. RDECOM is a major subordinate command of the U.S. Army Materiel Command.
Your Name University of the Cumberlands ISOL634-25 P.docxnettletondevon
Your Name
University of the Cumberlands
ISOL634-25 Physical Security
Week 17 Discussion Board
Professor Richards
Date
What is defensible space?
According to Fennelly (2013), defensible space is a surrogate term for the range of
mechanisms real and symbolic barriers, strongly defined areas of influence, improved
opportunities for surveillance that combine to bring an environment under the control of its
residents. To provide maximum security and control over an area, it should first be divided into
smaller, clearly defined areas or zones, which describe the defensible space (Wayland, 2015).
What is Crime Prevention through Environmental Design?
Crime Prevention through Environmental Design (CPTED) is a multidisciplinary
approach to the reduction of crime and the associated enhancement of the perception of personal
safety by inhabitants of an environment (Tipton & Nozaki, 2007). White (2014) stated that
CPTED is a concept in the security industry, basically meaning that you may be able to reduce
criminal acts from occurring with the proper design and planning of an environment. In theory,
Commented [MR1]: (Ensure you indent)
Commented [MR2]: (This is how you cite in the body of
your sentence)
Commented [MR3]:
Commented [MR4]: (This is how you cite at the end of
your sentences.
Commented [MR5]: Please use sub-headers for each
question you are answering
Commented [MR6]: Last names and year only
Commented [MR7]: Please cite
Commented [MR8]: You need to have in-text citation to
support your work. Without in-text citation your work is not
credible
you can make changes to the physical environment that allow for better physical and operational
controls of the property; as a result, it can further your crime prevention strategies.
References
Fennelly, L. J. (2013). Effective physical security (Fourth edition. ed.). Amsterdam: Butterworth-
Heinemannis an imprint of Elsevier.
Tipton, H. F., & Nozaki, M. K. (2007). Information security management handbook (6th ed.).
Boca Raton: Auerbach Publications.
Wayland, B. A. (2015). Emergency preparedness for business professionals : How to mitigate
and respond to attacks against your organization (1st edition. ed.). Wlatham, MA:
Elsevier.
White, J. M. (2014). Security risk assessment : Managing physical and operational security.
Amsterdam ; Boston: Butterworth-Heinemann is an imprint of Elsevier.
Commented [MR9]: You must have in-text citations along
with a reference list and they must correspond with each
other
Commented [MR10]: Last names with abbreviated first
name and year
Your Name
University of the Cumberlands
ISOL634-25 Physical Security
Week 17 Discussion Board
Professor Richards
Date
What is defensible space?
According to Fennelly (2013), defensible space is a surrogate term for the range of
mechanisms real and symbolic barriers, strongly defined areas of influence, improved
opportu.
ISSA Journal September 2008Article Title Article Author.docxbagotjesusa
ISSA Journal | September 2008Article Title | Article Author
1�1�
ISSA The Global Voice of Information Security
Extending the McCumber Cube
to Model Network Defense
By Sean M. Price – ISSA member Northern Virginia, USA chapter
This article proposes an extension to the McCumber
Cube information security model to determine the best
countermeasures to achieve a desired security goal.
Confidentiality, integrity, and availability are the se-curity services of a system. In other words they are the security goals of system defense, intangible at-
tributes� providing assurances for the information protected.
Each service is realized when the appropriate countermea-
sures for a given information state are in place. But, it is not
enough to select countermeasures ad hoc. Countermeasures
should be selected to defend a system and its information
against specific types of attacks. When attacks against partic-
ular information states are considered, the necessary coun-
termeasures can be selected to achieve the desired security
service or goal. This article proposes an extension to the Mc-
Cumber Cube information security model as a way for the
security practitioner to consider the best countermeasures to
achieve the desired security goal.
Security models
Models are useful tools to help understand complex topics. A
well-developed model can often be represented graphically,
allowing a deeper understanding of the relationships of the
components that make the whole. A formal security model
is broadly applicable and rigorously developed using formal
methods.2 In contrast, an informal model is considered lack-
ing one or both of these qualities. There are a variety of in-
formal models in the information security world which are
regularly used by security practitioners to understand basic
information and concepts.
� Security goals often lack explicit definitions and are difficult to quantify. They are
usually based on policies with broad interpretations and tend to be qualitative. It is
true that security goals emerge from the confluence of information states and coun-
termeasures which have measurable attributes. But, the subjective nature of security
goals combined with informal modeling characterizes their attributes as intangible.
2 P. T. Devanbu and S. Stubblebine, “Software Engineering for Security: A Roadmap,”
Proceedings of the Conference on The Future of Software Engineering (2000), 227-239.
One such informal model is the generally accepted risk as-
sessment framework. This model is used to assess risk by
estimating asset values, vulnerabilities, threats with their
likelihood of exploiting a vulnerability, and losses. Figure �
illustrates this model. Note that this commonly used model
requires a substantial amount of estimating on the part of
the risk assessment participants. This is problematic when
reliable estimates cannot be obtained. Another problem with
this model is that it does not guide th.
Modeling SYN Flooding DoS Attacks using Attack Countermeasure Trees and Findi...idescitation
In this paper, a greedy algorithm is proposed, to find optimal set of
countermeasures that
minimizes total cost of Security Investment subject to constraint
that it covers entire set of attack events.
This algorithm makes use of Birnbaum’s
Structural Importance Measure to find compute criticality of basic attack events in
achieving the goal. It helps in prioritizing the countermeasures covering the attack events.
GENERATING REPRESENTATIVE ATTACK TEST CASES FOR EVALUATING AND TESTING WIRELE...IJNSA Journal
Openness of wireless communication medium and flexibility in dealing with wireless communication protocols and their vulnerabilities create a problem of poor security. Due to deficiencies in the security mechanisms of the first line of defense such as firewall and encryption, there are growing interests in detecting wireless attacks through a second line of defense in the form of Wireless Intrusion Detection System (WIDS). WIDS monitors the radio spectrum and system activities and detects attacks leaked from the first line of defense. Selecting a reliable WIDS system depends significantly on its functionality and performance evaluation. Comprehensive and credible evaluation of WIDSs necessitates taking into
account all possible attacks. While this is operationally impossible, it is necessary to select representative
attack test cases that are extracted mainly from a comprehensive classification of wireless attacks. Dealing with this challenge, this paper proposes a holistic taxonomy of wireless security attacks from the perspective of the WIDS evaluator. This proposed taxonomy includes all relevant necessary and sufficient dimensions for wireless attacks classification and it helps in generating and extracting the representative attack test cases.
Advanced Security Mechanism for Mobile Ad hoc Networks using Game Theoretic A...AM Publications
Game philosophy can deliver a useful tool to study the safety problem in mobile ad hoc networks (MANETs).
Most of obtainable works on smearing game theories to safety only consider two players in the security game typical: an
assailant and a protector. While this supposition may be valid for a network with centralized administration, it is not
truthful in MANETs, where centralized administration is not available. In this paper, using recent improvements in mean
field game theory, we propose a unique game hypothetical approach with multiple players for safety in MANETs. The mean
field game theory provides a powerful mathematical tool for problems with a large number of players. The future scheme
can enable an individual node in MANETs to make strategic security defense decisions without centralized administration.
Furthermore, each node in the planned scheme only needs to know its own state information and the collective
consequence of the other nodes in the MANET. Consequently, the proposed scheme is a fully dispersed scheme. Simulation
results are obtainable to illustrate the effectiveness of the proposed scheme.
WEEK 3 ESSAY QUESTIONS Instructions Answer all questions .docxcockekeshia
WEEK 3 ESSAY QUESTIONS
Instructions: Answer all questions in a single document. Then submit to the
appropriate assignment folder. Each response to a single essay question should
be about a half-page in length (about 150 words).
1. Cryptographic algorithms provide the underlying tools to most security
protocols used in today’s infrastructures. The choice of which type of
algorithm depends on the goal that you are trying to accomplish, such as
encryption or data integrity. These algorithms fall into two main categories:
symmetric key and asymmetric key cryptography. In this essay, please
discuss the strengths and weaknesses of symmetric key cryptography and
give an example of where this type of cryptography is used. Then discuss
the strengths and weaknesses of asymmetric key cryptography and give an
example of where this type of cryptography is used.
2. Cryptography has been used in one form or another for over 4000 years
and attacks on cryptography have been occurring since its inception. The
type of people attempting to break the code could be malicious in their
intent or could just be trying to identify weaknesses in the security so that
improvements can be made. In your essay response, define cryptanalysis
and describe some of the common cryptanalytic techniques used in attacks.
3. Many people overlook the importance of physical security when addressing
security concerns of the organization. Complex cryptography methods,
stringent access control lists, and vigilant intrusion detection/prevention
software will be rendered useless if an attacker gains physical access to
your data center. Site and facility security planning is equally important to
the technical controls that you implement when minimizing the access a
criminal will have to your assets. In your essay response, define CPTED and
describe how following the CPTED discipline can provide a more aesthetic
alternative to classic target hardening approaches. Make sure that the
three CPTED strategies are covered in your response.
WEEK 1 ESSAY QUESTIONS
Instructions: Answer all questions in a single document. Then submit to the
appropriate assignment folder. Each response to a single essay question should
be about a half-page in length (about 150 words).
1. In this week’s readings, you learned about two methods of risk analysis:
quantitative assessment and qualitative assessment. Explain the steps
taken to assess a risk from a quantitative perspective where monetary and
numeric values are assigned and discuss the formulas used to quantify risk.
Then, explain the methods used to assess risk from a qualitative
perspective where intangible values are evaluated such as the seriousness
of the risk or ramifications to the reputation of the company.
2. Domain 1 introduced numerous security terms that are used in assessing
risk. Please define the terms vulnerability, threat, threat agent, risk,
exposure and control. Then, describe the.
Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs.
(Source : RSA Conference USA 2017)
Secured cloud support for global softwareijseajournal
This paper presents core problem solution to security of Global Software Development Requirement
Information. Currently the major issue deals with hacking of sensitive client information which may lead to
major financial as well as social loss. To avoid this system provides cloud security by encryption of data as
well as deployment of tool over the cloud will provide significant security to whole global content
management system. The core findings are presented in terms of how hacker hacks such systems and what
counter steps need to follow. Our algorithmic development provide random information storage at various
cloud nodes to secure our client requirement data files.
A3 - Análise de ameaças - Threat analysis in goal oriented security requireme...Spark Security
Goal and threat modelling are important activities of security requirements engineering: goals express why a system is needed, while threats motivate the need for security. Unfortunately, existing approaches mostly consider goals and threats separately, and thus neglect the mutual influence between them. In this paper, we address this deficiency by proposing an approach that extends goal modelling with threat modelling and analysis.
ISSA Journal September 2008Article Title Article Author.docxbagotjesusa
ISSA Journal | September 2008Article Title | Article Author
1�1�
ISSA The Global Voice of Information Security
Extending the McCumber Cube
to Model Network Defense
By Sean M. Price – ISSA member Northern Virginia, USA chapter
This article proposes an extension to the McCumber
Cube information security model to determine the best
countermeasures to achieve a desired security goal.
Confidentiality, integrity, and availability are the se-curity services of a system. In other words they are the security goals of system defense, intangible at-
tributes� providing assurances for the information protected.
Each service is realized when the appropriate countermea-
sures for a given information state are in place. But, it is not
enough to select countermeasures ad hoc. Countermeasures
should be selected to defend a system and its information
against specific types of attacks. When attacks against partic-
ular information states are considered, the necessary coun-
termeasures can be selected to achieve the desired security
service or goal. This article proposes an extension to the Mc-
Cumber Cube information security model as a way for the
security practitioner to consider the best countermeasures to
achieve the desired security goal.
Security models
Models are useful tools to help understand complex topics. A
well-developed model can often be represented graphically,
allowing a deeper understanding of the relationships of the
components that make the whole. A formal security model
is broadly applicable and rigorously developed using formal
methods.2 In contrast, an informal model is considered lack-
ing one or both of these qualities. There are a variety of in-
formal models in the information security world which are
regularly used by security practitioners to understand basic
information and concepts.
� Security goals often lack explicit definitions and are difficult to quantify. They are
usually based on policies with broad interpretations and tend to be qualitative. It is
true that security goals emerge from the confluence of information states and coun-
termeasures which have measurable attributes. But, the subjective nature of security
goals combined with informal modeling characterizes their attributes as intangible.
2 P. T. Devanbu and S. Stubblebine, “Software Engineering for Security: A Roadmap,”
Proceedings of the Conference on The Future of Software Engineering (2000), 227-239.
One such informal model is the generally accepted risk as-
sessment framework. This model is used to assess risk by
estimating asset values, vulnerabilities, threats with their
likelihood of exploiting a vulnerability, and losses. Figure �
illustrates this model. Note that this commonly used model
requires a substantial amount of estimating on the part of
the risk assessment participants. This is problematic when
reliable estimates cannot be obtained. Another problem with
this model is that it does not guide th.
Modeling SYN Flooding DoS Attacks using Attack Countermeasure Trees and Findi...idescitation
In this paper, a greedy algorithm is proposed, to find optimal set of
countermeasures that
minimizes total cost of Security Investment subject to constraint
that it covers entire set of attack events.
This algorithm makes use of Birnbaum’s
Structural Importance Measure to find compute criticality of basic attack events in
achieving the goal. It helps in prioritizing the countermeasures covering the attack events.
GENERATING REPRESENTATIVE ATTACK TEST CASES FOR EVALUATING AND TESTING WIRELE...IJNSA Journal
Openness of wireless communication medium and flexibility in dealing with wireless communication protocols and their vulnerabilities create a problem of poor security. Due to deficiencies in the security mechanisms of the first line of defense such as firewall and encryption, there are growing interests in detecting wireless attacks through a second line of defense in the form of Wireless Intrusion Detection System (WIDS). WIDS monitors the radio spectrum and system activities and detects attacks leaked from the first line of defense. Selecting a reliable WIDS system depends significantly on its functionality and performance evaluation. Comprehensive and credible evaluation of WIDSs necessitates taking into
account all possible attacks. While this is operationally impossible, it is necessary to select representative
attack test cases that are extracted mainly from a comprehensive classification of wireless attacks. Dealing with this challenge, this paper proposes a holistic taxonomy of wireless security attacks from the perspective of the WIDS evaluator. This proposed taxonomy includes all relevant necessary and sufficient dimensions for wireless attacks classification and it helps in generating and extracting the representative attack test cases.
Advanced Security Mechanism for Mobile Ad hoc Networks using Game Theoretic A...AM Publications
Game philosophy can deliver a useful tool to study the safety problem in mobile ad hoc networks (MANETs).
Most of obtainable works on smearing game theories to safety only consider two players in the security game typical: an
assailant and a protector. While this supposition may be valid for a network with centralized administration, it is not
truthful in MANETs, where centralized administration is not available. In this paper, using recent improvements in mean
field game theory, we propose a unique game hypothetical approach with multiple players for safety in MANETs. The mean
field game theory provides a powerful mathematical tool for problems with a large number of players. The future scheme
can enable an individual node in MANETs to make strategic security defense decisions without centralized administration.
Furthermore, each node in the planned scheme only needs to know its own state information and the collective
consequence of the other nodes in the MANET. Consequently, the proposed scheme is a fully dispersed scheme. Simulation
results are obtainable to illustrate the effectiveness of the proposed scheme.
WEEK 3 ESSAY QUESTIONS Instructions Answer all questions .docxcockekeshia
WEEK 3 ESSAY QUESTIONS
Instructions: Answer all questions in a single document. Then submit to the
appropriate assignment folder. Each response to a single essay question should
be about a half-page in length (about 150 words).
1. Cryptographic algorithms provide the underlying tools to most security
protocols used in today’s infrastructures. The choice of which type of
algorithm depends on the goal that you are trying to accomplish, such as
encryption or data integrity. These algorithms fall into two main categories:
symmetric key and asymmetric key cryptography. In this essay, please
discuss the strengths and weaknesses of symmetric key cryptography and
give an example of where this type of cryptography is used. Then discuss
the strengths and weaknesses of asymmetric key cryptography and give an
example of where this type of cryptography is used.
2. Cryptography has been used in one form or another for over 4000 years
and attacks on cryptography have been occurring since its inception. The
type of people attempting to break the code could be malicious in their
intent or could just be trying to identify weaknesses in the security so that
improvements can be made. In your essay response, define cryptanalysis
and describe some of the common cryptanalytic techniques used in attacks.
3. Many people overlook the importance of physical security when addressing
security concerns of the organization. Complex cryptography methods,
stringent access control lists, and vigilant intrusion detection/prevention
software will be rendered useless if an attacker gains physical access to
your data center. Site and facility security planning is equally important to
the technical controls that you implement when minimizing the access a
criminal will have to your assets. In your essay response, define CPTED and
describe how following the CPTED discipline can provide a more aesthetic
alternative to classic target hardening approaches. Make sure that the
three CPTED strategies are covered in your response.
WEEK 1 ESSAY QUESTIONS
Instructions: Answer all questions in a single document. Then submit to the
appropriate assignment folder. Each response to a single essay question should
be about a half-page in length (about 150 words).
1. In this week’s readings, you learned about two methods of risk analysis:
quantitative assessment and qualitative assessment. Explain the steps
taken to assess a risk from a quantitative perspective where monetary and
numeric values are assigned and discuss the formulas used to quantify risk.
Then, explain the methods used to assess risk from a qualitative
perspective where intangible values are evaluated such as the seriousness
of the risk or ramifications to the reputation of the company.
2. Domain 1 introduced numerous security terms that are used in assessing
risk. Please define the terms vulnerability, threat, threat agent, risk,
exposure and control. Then, describe the.
Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs.
(Source : RSA Conference USA 2017)
Secured cloud support for global softwareijseajournal
This paper presents core problem solution to security of Global Software Development Requirement
Information. Currently the major issue deals with hacking of sensitive client information which may lead to
major financial as well as social loss. To avoid this system provides cloud security by encryption of data as
well as deployment of tool over the cloud will provide significant security to whole global content
management system. The core findings are presented in terms of how hacker hacks such systems and what
counter steps need to follow. Our algorithmic development provide random information storage at various
cloud nodes to secure our client requirement data files.
A3 - Análise de ameaças - Threat analysis in goal oriented security requireme...Spark Security
Goal and threat modelling are important activities of security requirements engineering: goals express why a system is needed, while threats motivate the need for security. Unfortunately, existing approaches mostly consider goals and threats separately, and thus neglect the mutual influence between them. In this paper, we address this deficiency by proposing an approach that extends goal modelling with threat modelling and analysis.
Similar to Foundations_of_Attack-Defense_Trees.pdf (20)
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...QADay
Lviv Direction QADay 2024 (Professional Development)
КАТЕРИНА АБЗЯТОВА
«Ефективне планування тестування ключові аспекти та практичні поради»
https://linktr.ee/qadayua
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
Foundations_of_Attack-Defense_Trees.pdf
1. See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/221026894
Foundations of Attack–Defense Trees
Conference Paper · September 2010
DOI: 10.1007/978-3-642-19751-2_6 · Source: DBLP
CITATIONS
244
READS
3,470
4 authors, including:
Some of the authors of this publication are also working on these related projects:
Distance bounding: a graph theoretical and formal approach (DIST) View project
PSF - Process Specification Formalism View project
Sjouke Mauw
University of Luxembourg
235 PUBLICATIONS 4,481 CITATIONS
SEE PROFILE
Patrick Schweitzer
FernUniversität in Hagen
19 PUBLICATIONS 1,151 CITATIONS
SEE PROFILE
All content following this page was uploaded by Sjouke Mauw on 13 December 2013.
The user has requested enhancement of the downloaded file.
2. Foundations of Attack–Defense Trees⋆
Barbara Kordy⋆⋆
, Sjouke Mauw, Saša Radomirović, Patrick Schweitzer⋆ ⋆ ⋆
{barbara.kordy, sjouke.mauw, sasa.radomirovic, patrick.schweitzer}@uni.lu
CSC and SnT, University of Luxembourg, 6, rue Coudenhove–Kalergi, L–1359
Luxembourg
Abstract. We introduce and give formal definitions of attack–defense
trees. We argue that these trees are a simple, yet powerful tool to analyze
complex security and privacy problems. Our formalization is generic in
the sense that it supports different semantical approaches. We present
several semantics for attack–defense trees along with usage scenarios,
and we show how to evaluate attributes.
1 Introduction
It is a well-known fact that the security of any sufficiently valuable system is
not static. In order to keep a system secure, it has to be defended against a
growing number of attacks. As better defensive measures get deployed, more
sophisticated attacks are developed, leading to an endless arms race and an
increasingly complex system.
A mature, large, and complex system poses several challenges. How can it
be decided whether a costly defensive measure implemented in the distant past
is still necessary today? What are the best defensive measures worth currently
investing in? How can newly discovered attacks and implemented defenses be
efficiently and systematically documented?
These types of challenges are not new. Similar challenges had to be overcome
by safety-critical systems. Moreover, the complexity of safety-critical systems
in aviation and nuclear power plants easily rivals the most complex security
applications. In the 1960s, fault tree analysis [1] was developed to evaluate the
safety of systems. Since the 1990s, similar structures have been used to support
system security engineering. One such structure are attack trees. The root of an
attack tree corresponds to an attacker’s goal. The children of a node in the tree
are refinements of the node’s goal into sub-goals. The leaves of the tree are the
attacker’s actions. Attack trees were popularized by Schneier [2] as a tool for
evaluating the security of systems and subsequently formalized by Mauw and
Oostdijk [3].
An obvious limitation of attack trees is that they cannot capture the inter-
action between attacks carried out on a system and the defenses put in place
⋆
The original publication is available at: www.springerlink.com
⋆⋆
B. Kordy was supported by the grant No. C08/IS/26 from FNR Luxembourg
⋆ ⋆ ⋆
P. Schweitzer was supported by the grant No. PHD−09−167 from FNR Luxembourg
3. to fend off the attacks. This consequently limits the precision with which the
best defensive strategies can be analyzed, since it does not take into account
the effects of existing defensive measures which may have been overcome by
new attacks. Similarly, a pure attack tree does not allow for the visualization
and consideration of the evolution of a system’s security, since the evolution can
only be understood in view of both, the attacker’s, as well as the defender’s,
actions.
These limitations can be overcome by introducing defensive actions as coun-
termeasures to attacks. In order to model the ongoing arms race between attacks
and defenses, it is necessary to allow for arbitrary alternation between these two
types of actions.
We therefore introduce and formalize attack–defense trees (ADTrees) as a
graphical representation of possible measures an attacker might take in order
to attack a system and the defenses that a defender can employ to protect the
system. Our formalization of ADTrees extends attack trees as defined in [3],
in two ways. It introduces defenses as described above and it generalizes the
interpretations and semantics of attack trees based on [3]. Consequently, our
formalism provides a single framework covering the attributes and semantics of
attack trees used in [4–6], including the notion of defense trees from [7, 8].
The main contribution of this paper is the development of a complete attack–
defense language. Our design of this language includes an algebra of attack–
defense terms (ADTerms), a graphical syntax (ADTrees), semantics derived from
first order models, semantics derived from algebraic specifications, and a method-
ology to analyze properties of attack–defense terms (attributes). Aside from the
specific semantics that we present here, several additional semantics are expected
to be useful for the analysis of an attack–defense tree. Two such examples would
be a temporal and a probabilistic semantics. The variety of semantics is a con-
sequence of different interpretations of what an attack–defense tree represents.
In the existing attack trees literature, several distinct interpretations have been
made. The present approach accommodates all these interpretations rather than
prescribing a single one.
Related Work. Fault trees have been introduced in the 1960s, and a formal
framework was given by Vesely et al. [1]. They have been used by Moore et al. [9]
to model attacks on systems, and by Cervesato and Meadows [10] to graphically
represent attacks on security protocols. Amoroso [11] considered so-called threat
trees on hospital computer systems and a simplified aircraft computer system.
Schneier [2] used the fault tree approach to describe security vulnerabilities of
systems coining the term attack trees. In [3], Mauw and Oostdijk have formalized
attack trees.
Edge et al. [5] have shown how to compute the probability, cost, risk, and
impact of an attacker’s goal using attack trees. They have shown how to translate
this information into protection trees in order to evaluate probability and cost for
protection against the attacker’s goal. Morais et al. [12] applied attack trees to
test an implementation of WTLS, a wireless security protocol. Sheyner et al. [13]
2
4. have automatically generated and analyzed attack graphs from the output of a
model checker for an intrusion detection system.
Willemson and Jürgenson [4] have extended the attack trees framework by
introducing an order on the set of leaves which helps to solve the optimization
problem of selecting the best attack given an attack tree. Bistarelli et al. [14] have
generalized attack trees, considering defensive measures against basic actions.
They have shown which measures to employ by using answer set programming, a
form of declarative programming oriented towards difficult (primarily NP-hard)
search problems.
In [15] it was shown that attack–defense trees and binary zero-sum two-player
extensive form games can be converted into each other. Both formalisms have
their advantages: attack–defense trees are more intuitive, because refinements
can be explicitly modeled, whereas the game theoretical approach benefits from
the well-studied methodology used in games.
Structure. The paper is organized as follows. In Section 2 we introduce attack–
defense trees, give an example and define attack–defense terms which are a formal
representation of attack–defense trees. Section 3 introduces semantics for attack–
defense trees. In Section 4 we evaluate attributes on attack–defense trees.
2 Attack–Defense Trees
We start by defining the terminology used throughout this paper. Then we de-
scribe an example of an attack–defense scenario. We end this section by defining
attack–defense terms.
2.1 Terminology
An ADTree is a node-labeled rooted tree describing the measures an attacker
might take in order to attack a system and the defenses that a defender can
employ to protect the system. An ADTree has nodes of two opposite types:
attack nodes and defense nodes.
The two key features of an ADTree are the representation of refinements and
countermeasures. Every node may have one or more children of the same type
representing a refinement into sub-goals of the node’s goal. If a node does not
have any children of the same type, it is called a non-refined node. Non-refined
nodes represent basic actions.
Every node may also have one child1
of opposite type, representing a coun-
termeasure. Thus, an attack node may have several children which refine the
attack and one child which defends against the attack. The defending child in
turn may have several children which refine the defense and one child that is an
attack node and counters the defense.
1
Note that allowing any number of children of opposite type leads to an equally
expressive, but more complicated formalism.
3
5. The refinement of a node of an ADTree is either disjunctive or conjunctive.
The goal of a disjunctively refined node is achieved when at least one of its
children’s goals is achieved. The goal of a conjunctively refined node is achieved
when all of its children’s goals are achieved.
The purpose of ADTrees is to analyze an attack–defense scenario. An attack–
defense scenario is a game between two players, the proponent (denoted by p)
and the opponent (denoted by o). The root of an ADTree represents the main
goal of the proponent. When the root is an attack node, the proponent is an
attacker and the opponent is a defender. Conversely, when the root is a defense
node, the proponent is a defender and the opponent is an attacker.
In ADTrees, we depict attack nodes by circles and defense nodes by rect-
angles, as shown in Figure 1. Refinement relations are indicated by solid edges
between nodes, and countermeasures are indicated by dotted edges. We depict a
conjunctive refinement of a node by connecting the edges going from this node
to its children of the same type with an arc.
2.2 Example
To demonstrate the features of ADTrees, we consider the following fictitious
scenario covering a collection of attacks on bank accounts.
Bank
Account
ATM
PIN
Eavesdrop Find Note
Memorize
Force
Card
Online
Password
Phishing
Key
Logger
2nd Auth
Factor
Key Fobs PIN Pad Malware
Browser OS
User Name
attack node
defense node
disjunctive refinement
conjunctive refinement
countermeasure
Fig. 1. Example of an ADTree: an attack on a bank account.
A bank wants to protect its customers’ bank accounts from theft. Two forms
of attacks on an individual’s bank account are considered. An attacker can steal
4
6. money from the account either by attacking online or through an ATM. In order
to steal money through an ATM, the attacker needs both, a PIN and a bank
card. We ignore how an attacker might obtain a bank card and focus on the PIN.
The PIN could be observed by eavesdropping on a customer while the customer
types her PIN. Alternatively, the attacker might acquire a note on which the
customer’s PIN is written up. A simple defensive measure against exposing a
note to an attacker is to memorize one’s PIN. This defense is of little use if an
attacker forces the customer to reveal the PIN.
For online banking attacks, an attacker needs to acquire a customer’s on-
line banking credentials, consisting of a user name and a password. While the
user name can be retrieved easily, retrieving a user’s password requires either a
phishing email or a key logger. To defend against lost or stolen passwords, the
bank introduces a second authentication factor. Two factor authentication can
be implemented using key fobs which have a built-in cryptographic token with
a pre-shared key known only to the token and the customer’s bank. An alter-
native to key fobs are PIN pads. Two factor authentication, however, is useless,
if the customer has malware on her computer. To install malware on a victim’s
computer, the attacker could attack either the browser or the operating system.
The ADTree representing the described state is shown in Figure 1. While
this ADTree is obviously incomplete, it is also clear that it would be very simple
to extend the ADTree with new attacks and defenses.
2.3 Formal Representation
In order to formally represent attack–defense scenarios, we define attack–defense
terms. We make use of the notion of an unranked function. An unranked function
f with domain D and range R denotes a family of functions (fk)k∈N, where
fk : Dk
→ R for k ∈ N. Given a set S, we denote by S∗
the set of all strings over
S, where ε stands for the empty string. We use ˙
∪ to denote a disjoint set union.
Definition 1. An AD–signature is a pair Σ = (S, F), such that
– S = {p, o} is a set of types, (we set p = o and o = p),
– F = {(∨p
k)k∈N, (∧p
k)k∈N, (∨o
k)k∈N, (∧o
k)k∈N, cp
, co
} ˙
∪ Bp ˙
∪ Bo
is a set of func-
tion symbols, equipped with a mapping type: F → S∗
× S, which expresses
the type of each function symbol, as follows. For every k ∈ N,
type(∨p
k) = (pk
, p), type(∨o
k) = (ok
, o),
type(∧p
k) = (pk
, p), type(∧o
k) = (ok
, o),
type(cp
) = (p o, p), type(co
) = (o p, o),
type(b) = (ε, p), for b ∈ Bp
, type(b) = (ε, o), for b ∈ Bo
.
The elements of Bp
and Bo
are typed constants, which we call proponent’s (p) and
opponent’s (o) basic actions, respectively. By B we denote the union Bp ˙
∪Bo
. The
unranked functions ∨p
, ∧p
, ∨o
, and ∧o
represent disjunctive (∨) and conjunctive
(∧) refinement operators for a proponent and an opponent, respectively. The
5
7. binary function cs
, where s ∈ S, connects actions of type s with actions of the
opposite type s. Intuitively, cs
(a, d) expresses that there exists an action d (of
type s) that counteracts the action a (of type s).
By TΣ we denote the set of all typed ground terms over the AD–signature
Σ. The elements of TΣ are called attack–defense terms (ADTerms). We have
TΣ = Tp
Σ ∪To
Σ, where Tp
Σ is the set of ADTerms of the proponent’s type, and To
Σ is
the set of ADTerms of the opponent’s type. The terms from Tp
Σ constitute formal
representations of ADTrees. Tables 1 and 2 show how to obtain the ADTerm
corresponding to an ADTree, and vice versa. Given an ADTree T, we denote by
ι(T) the ADTerm representing T. Given an ADTerm t, we denote by I(t) the
corresponding ADTree. In Tables 1 and 2 we assume that the proponent is an
attacker. If the proponent is a defender, circle nodes have to be replaced with
square nodes and vice versa. To condense the presentation even further, we leave
out the arcs, denoting conjunctions, in the cases where f = ∧s
, for s ∈ {p, o}.
Since the computations, as well as the internal structure of ADTrees, do not
depend on the names of the refined sub-goals, we represent the refined nodes
with the associated function symbols, only. Note that it is always possible to
also decorate the refined nodes with intuitive labels.
T b b f
T1
. . . Tk
f
T1
. . . Tk
where where where where
b ∈ Bp
b ∈ Bo
f ∈ {∨p
, ∧p
}, k ≥ 1 f ∈ {∨o
, ∧o
}, k ≥ 1
ι(T ) b b f(ι(T1), . . . , ι(Tk)) f(ι(T1), . . . , ι(Tk))
T b
T1
b
T1
f
T1
. . . Tk T ′
f
T1
. . . Tk T ′
where where where where
b ∈ Bp
b ∈ Bo
f ∈ {∨p
, ∧p
}, k ≥ 1 f ∈ {∨o
, ∧o
}, k ≥ 1
ι(T ) cp
(b, ι(T1)) co
(b, ι(T1)) cp
(f(ι(T1), . . . , ι(Tk)), ι(T ′
)) co
(f(ι(T1), . . . , ι(Tk)), ι(T ′
))
Table 1. Transformation from ADTrees to ADTerms
Example 1. The ADTerm representing the ADTree from Figure 1 is the following
∨p
∧p
∨p
Eavesdrop, cp
FindNote, co
(Memorize, Force)
, Card
,
∧p
cp
∨p
(Phish, KLog), co
∨o
(KFob, PPad), ∨p
(Br, OS)
, UName
.
6
8. t b ∈ Bp
b ∈ Bo
f(t1, . . . , tk), where f(t1, . . . , tk), where
f ∈ {∨p
, ∧p
}, k ≥ 1 f ∈ {∨o
, ∧o
}, k ≥ 1
I(t) b b f
I(t1) . . . I(tk)
f
I(t1) . . . I(tk)
t cp
(b, t′
), co
(b, t′
), cp
(t0, t′
), where co
(t0, t′
), where
b ∈ Bp
b ∈ Bo
t0 = f(t1, . . . , tk) and t0 = f(t1, . . . , tk) and
f ∈ {∨p
, ∧p
}, k ≥ 1 f ∈ {∨o
, ∧o
}, k ≥ 1
I(t) b
I(t′
)
b
I(t′
)
f
I(t1) . . . I(tk) I(t′
)
f
I(t1) . . . I(tk) I(t′
)
t cp
(t0, t′
), where co
(t0, t′
), where
t0 = cp
(t1, t2) t0 = co
(t1, t2)
I(t)
∨p
1
I(t0) I(t′
)
∨o
1
I(t0) I(t′
)
Table 2. Transformation from ADTerms to ADTrees
3 Semantics for Attack–Defense Terms
The main purpose of an ADTree is to specify and analyze an attack–defense
scenario. It is possible that two distinct ADTrees describe the same scenario.
In order to deal with such situations, we introduce the notion of equivalent
ADTrees. For instance, the ADTrees represented by ∧p
(a, b) and ∧p
(b, a) are
equivalent, if and only if the order of executing the sub-goals is irrelevant for
the achievement of the parent goal. Hence, we consider ADTerms modulo an
equivalence relation. This makes it possible to, e.g., transform an ADTerm into
a simpler or more appealing form.
Definition 2. A semantics for ADTerms is an equivalence relation on TΣ that
preserves types.
3.1 Models for Attack–Defense Terms
Several different approaches, like propositional logics or multiset interpretations,
were proposed in the literature to define semantics for attack trees [4, 16, 3]. In
this section, we extend them to attack–defense trees. This is achieved with the
help of first order models, cf. [17].
Definition 3. Consider the AD–signature Σ = (S, F). A model for ADTerms
is a pair M = (M, IM) consisting of a non-empty set M and a function IM
defined on F, called interpretation, such that
7
9. – IM(b) ∈ M, for b ∈ B,
– IM(fk): Mk
→ M, for fk ∈ {∨s
k, ∧s
k | s ∈ S},
– IM(cs
): M2
→ M, for s ∈ S.
Let M = (M, IM) be a model for ADTerms, and let t, t′
be ADTerms. The
interpretation of t in M is an element IM(t) ∈ M, defined as follows
IM(t) =
(
IM(b), if t = b ∈ B
IM(fk)(IM(t1), . . . , IM(tk)), if t = fk(t1, . . . , tk).
Since the objective of introducing semantics is to decide which ADTerms are
indistinguishable, we are interested in formulas of the form t = t′
. By definition,
the formula t = t′
is satisfied in M if IM(t) = IM(t′
). In this case we write
M |= t = t′
.
Definition 4. Let M = (M, IM) be a model for ADTerms. The equivalence
relation ≡M on TΣ, defined by
t ≡M t′
iff M |= t = t′
,
is called the semantics induced by the model M. The equivalence class defined by
an ADTerm t under this relation is denoted by [t]M.
Propositional Model. The most commonly used model for attack trees is
based on propositional logic, cf. [4, 16]. Here, we propose an extension of this
model to attack–defense trees. To every basic action b ∈ B, we associate a
propositional variable xb, and we denote by F the set of propositional formu-
las over these variables. Recall that two propositional formulas ψ and ψ′
are
equivalent (ψ ≈ ψ′
) iff for every valuation ν of propositional variables, we have
ν(ψ) = ν(ψ′
). By F/≈ we denote the quotient space defined by the relation ≈,
and [ψ]≈ ∈ F/≈ stands for the equivalence class defined by a formula ψ.
Definition 5. The propositional model for ADTerms is the pair P = (F/≈, IP ),
such that, for b ∈ B and s ∈ {p, o}
IP (b) = [xb]≈, IP (∨s
) = ∨, IP (∧s
) = ∧, IP (cs
) = ⋆,
where [ψ]≈ ∨ [ψ′
]≈ = [ψ ∨ ψ′
]≈, [ψ]≈ ∧ [ψ′
]≈ = [ψ ∧ ψ′
]≈ and [ψ]≈ ⋆ [ψ′
]≈ =
[ψ ∧ ¬ψ′
]≈, for all ψ, ψ′
∈ F.
The semantics ≡P induced by the propositional model P is called the proposi-
tional semantics. The interpretation of an ADTerm in P is a set of equivalent
propositional formulas expressing the satisfiability of the proponent’s goal.
Example 2. Consider t = cp
(b, ∧o
(d, e)) and t′
= cp
(∧p
(b, b), ∧o
(d, e)), where
b ∈ Bp
and d, e ∈ Bo
. The interpretation of t in the propositional model is the
equivalence class IP (t) = [xb ∧¬(xd ∧xe)]≈. The propositional formulas defining
this equivalence class are all satisfied iff variable xb is set to true and at least one
8
10. of the variables xd or xe is set to false. It models the fact that in order to achieve
his goal, the proponent has to execute the action depicted by b and at least one
counteraction, depicted by d or e, must not be executed by the opponent. Since,
xb ∧ ¬(xd ∧ xe) ≈ (xb ∧ xb) ∧ ¬(xd ∧ xe), we have IP (t) = IP (t′
), i.e., t ≡P t′
.
Thus, t and t′
are indistinguishable with respect to the propositional semantics.
As shown in Example 2, the propositional model assumes that the multiplic-
ity of a sub-goal is irrelevant (by idempotency of ∨ and ∧). This assumption,
however, might not be intended in all applications of ADTrees. It might, for in-
stance, depend on whether parallel or sequential execution of sub-goals is mod-
eled. In the multiset semantics, which we introduce next, we distinguish multiple
occurrences of the same actions.
Multiset Model. The model introduced in this paragraph extends the attack
trees model defined in [3]. It is suitable for analyzing scenarios in which multiple
occurrences of the same sub-goal are significant.
Given a set X, we use 2X
to denote the power set of X, and M(X) to denote
the set of all multisets of elements in X. We use {
|a1, . . . , an|
} to denote a multiset
composed of elements a1, . . . , an. The symbol ⊎ stands for the multiset union.
A pair (P, O) ∈ M(Bp
) × M(Bo
) is called a bundle, and it encodes how the pro-
ponent can achieve his goal. A bundle (P, O) represents the following situation:
in order to reach his goal, the proponent must perform all actions in P while
the opponent must not perform any of the actions in O. In the multiset model
we interpret terms with sets of bundles, i.e., with elements from 2M(Bp
)×M(Bo
)
.
Sets of bundles represent alternative possibilities for the proponent to achieve
his goal. A term representing a basic action b of the proponent’s type is thus
interpreted as a singleton {({
|b|
}, ∅)}, because in order to achieve his goal it is
sufficient for the proponent to execute the action b. A term representing a basic
action b of the opponent’s type is interpreted as {(∅, {
|b|
})}, because in order for
the proponent to be successful, the counteraction b must not be executed by the
opponent. To define the set of bundles that interprets a disjunctive proponent’s
goal, it is sufficient to take the union of the sets of bundles corresponding to its
sub-goals. To define the set of bundles that interprets a conjunctive proponent’s
goal we introduce the distributive product. The distributive product of two sets
of bundles S and Z is the following set of bundles
S ⊗ Z = {(PS ⊎ PZ, OS ⊎ OZ) | (PS, OS) ∈ S and (PZ, OZ) ∈ Z}.
The distributive product can be extended to any finite number of sets of bundles.
The construction given in the preceding paragraph leads to the multiset
model for ADTerms.
9
11. Definition 6. The multiset model for ADTerms is the following pair MS =
(2M(Bp
)×M(Bo
)
, IMS), where
IMS(b) = {({
|b|
}, ∅)}, for b ∈ Bp
, IMS(b) = {(∅, {
|b|
})}, for b ∈ Bo
,
IMS(∨p
) = ∪, IMS(∨o
) = ⊗,
IMS(∧p
) = ⊗, IMS(∧o
) = ∪,
IMS(cp
) = ⊗, IMS(co
) = ∪.
The equivalence relation on ADTerms induced by the multiset model is called
the multiset semantics, and is denoted by ≡MS. Note that IMS(∨s
) = IMS(∧s
),
for s ∈ {p, o}. This can be explained as follows: in order to achieve his disjunctive
goal, the proponent has to achieve only one among the corresponding sub-goals,
whereas in order to successfully prevent a disjunctive countermeasure of the op-
ponent, the proponent has to prevent all the corresponding sub-countermeasures.
A similar reasoning holds for conjunctive goals.
Example 3. Consider the ADTerms t and t′
introduced in Example 2, that have
been shown equivalent with respect to the propositional semantics. We have,
IMS(t) = {({
|b|
}, {
|d|
}), ({
|b|
}, {
|e|
})} and IMS(t′
) = {({
|b, b|
}, {
|d|
}), ({
|b, b|
}, {
|e|
})}.
Since, IMS(t) 6= IMS(t′
), we have MS 6|= t = t′
. Thus, the ADTerms t and
t′
are not equivalent with respect to the multiset semantics.
3.2 Comparing Semantics
In order to compare two semantics, we define what it means that one semantics
is finer than a second one. Such a relation allows us to import results about a
semantics into any semantics which is coarser.
Definition 7. Let ≡1 and ≡2 be two semantics for ADTerms. The semantics ≡1
is finer than the semantics ≡2 iff ≡1⊆≡2, i.e., for t, t′
∈ TΣ, t ≡1 t′
⇒ t ≡2 t′
.
The propositional semantics, as opposed to the multiset semantics, does not
distinguish multiple occurrences of a basic action. Thus, for instance, absorption
laws hold in the propositional but not in the multiset semantics. The relationship
between these two semantics is captured by the following proposition.
Proposition 1. The multiset semantics for ADTerms is finer than the propo-
sitional semantics for ADTerms.
In order to prove the proposition, we use the following lemma.
Lemma 1. Consider a function f : 2M(Bp
)×M(Bo
)
→ F defined as follows
f({({
|p1
1, . . . , pk1
1 |
}, {
|o1
1, . . . , om1
1 |
}), . . . , ({
|p1
n, . . . , pkn
n |
}, {
|o1
n, . . . , omn
n |
})}) =
(xp1
1
∧· · ·∧xp
k1
1
∧¬xo1
1
∧· · ·∧¬xo
m1
1
)∨· · ·∨(xp1
n
∧· · ·∧xpkn
n
∧¬xo1
n
∧· · ·∧¬xomn
n
),
and let t be an ADTerm. Then
f(IMS(t)) ∈
(
IP (t), if t ∈ Tp
Σ,
¬IP (t), if t ∈ To
Σ,
(1)
where ¬[ψ]≈ = [¬ψ]≈, for all ψ ∈ F.
10
12. Proof. The proof is by induction on the structure of t. Suppose t = b ∈ B, then
– if b ∈ Bp
, we get: f(IMS(b)) = f({({
|b|
}, ∅)}) = xb ∈ [xb]≈ = IP (b),
– if b ∈ Bo
, we get: f(IMS(b)) = f({(∅, {
|b|
})}) = ¬xb ∈ ¬[xb]≈ = ¬IP (b).
Let us now assume that t 6∈ B, and suppose that (1) holds for all the sub-terms
of t. The following observations, resulting from the definition of f, are crucial
for the remaining part of the proof. For all ADTerms t1, . . . , tk, we have
f
k
[
j=1
IMS(tj)
=
k
_
j=1
f IMS(tj)
, f
k
O
j=1
IMS(tj)
= DNF
k
^
j=1
f IMS(tj)
,
where DNF(ψ) denotes a disjunctive normal form of the formula ψ. We give a
complete proof for an ADTerm of the form t = co
(∨o
(t1, . . . , tk), t′
). The proofs
for the remaining cases are similar. Since t is of the opponent’s type, we show
that f(IMS(t)) ∈ ¬IP (t). From the type of the function symbol co
, we deduce
that t1, . . . , tk ∈ To
Σ and t′
∈ Tp
Σ. We have f(IMS(t)) =
= f
k
O
j=1
IMS(tj)
∪ IMS(t′
)
= f
k
O
j=1
IMS(tj)
∨ f IMS(t′
)
= DNF
k
^
j=1
f IMS(tj)
∨ f IMS(t′
)
∈
k
^
j=1
¬IP (tj)
∨ IP (t′
) = ¬
k
_
j=1
IP (tj)
∨ IP (t′
)
= ¬
k
_
j=1
IP (tj)
∧ ¬IP (t′
)
= ¬
k
_
j=1
IP (tj)
⋆ IP (t′
)
= ¬IP (t). ⊓
⊔
Proof of Proposition 1. Suppose t ≡MS t′
. Thus, by definition we have IMS(t) =
IMS(t′
). Using the function f from Lemma 1, we have
IP (t) ∋ f(IMS(t)) = f(IMS(t′
)) ∈ IP (t′
), for t, t′
∈ Tp
Σ,
IP (t) ∋ ¬f(IMS(t)) = ¬f(IMS(t′
)) ∈ IP (t′
), for t, t′
∈ To
Σ,
Thus, IP (t) = IP (t′
), i.e., t ≡P t′
, which concludes the proof. ⊓
⊔
Examples 2 and 3 show that the reciprocal of Proposition 1 does not hold.
Thus, the propositional semantics and the multiset semantics are not equal.
3.3 Equational Semantics
The propositional and multiset semantics were obtained by mapping ADTerms
to specific mathematical domains. An alternative way to define a semantics is to
directly specify an equivalence relation on ADTerms through a set of equations.
11
13. This approach covers a concept from [3], which uses a specific set of rewrite
rules to encode allowed tree transformations. Our framework is more general in
that we allow any set of equations to define an equivalence relation on ADTerms.
With the help of equations it is possible to implement tools that support iterative
transformations and modifications of ADTrees.
Let VAR denote a set of typed variables ranged over by X, Xi, Y, Z. We
extend the set TΣ to the set TVAR
Σ of typed ADTerms over the variables from
VAR. An equation is a pair (t, t′
) ∈ TVAR
Σ × TVAR
Σ , where t and t′
have the
same type. We use t = t′
to denote the equation (t, t′
). An algebraic specification
for ADTerms is a pair (Σ, E), where Σ is the AD–signature and E is a set of
equations. Given an algebraic specification (Σ, E), we denote by b
E the set of
equations derivable from E, which is the smallest set satisfying the following
– if t = t′
∈ E, then t = t′
∈ b
E,
– if σ: VAR → TVAR
Σ is a substitution, and t = t′
∈ b
E, then σ(t) = σ(t′
) ∈ b
E,
– if t = t′
∈ b
E, and C[ ] is a context (i.e., a term with a hole of the same type
as t), then C[t] = C[t′
] ∈ b
E,
– t = t ∈ b
E, for every t ∈ TVAR
Σ ,
– if t = t′
∈ b
E, then t′
= t ∈ b
E,
– if t = t′
∈ b
E and t′
= t′′
∈ b
E, then t = t′′
∈ b
E.
We now define a semantics for ADTerms induced by an algebraic specification.
Definition 8. The equational semantics for ADTerms induced by an algebraic
specification (Σ, E) is the equivalence relation ≡E on TΣ, defined by
t ≡E t′
iff t = t′
∈ b
E.
Example 4. Consider the equational semantics induced by an algebraic specifi-
cation (Σ, E), where
E = {∨p
(X1, . . . , Xk) = ∨p
(Xσ(1), . . . , Xσ(k)) | ∀ permutation σ of {1, . . . , k} }.
The equations in E encode the commutativity of the disjunctive operator for the
proponent. Thus, for t1 = ∨p
(a, b) and t2 = ∨p
(b, a), a, b ∈ Bp
, we have t1 ≡E t2.
In contrast, t′
1 = ∧p
(a, b) 6≡E t′
2 = ∧p
(b, a), because the commutativity of the
conjunctive operator for the proponent is not modeled by E.
Consider two algebraic specifications (Σ, E) and (Σ, E′
), such that E ⊆ E′
.
Since we have b
E ⊆ c
E′, the semantics ≡E is finer then ≡E′ .
4 Attributes
In order to analyze an attack–defense scenario represented by an ADTerm we
use attributes. An attribute is a value assigned to an ADTerm, expressing a
useful property, such as the minimal cost of an attack, expected impact, whether
special equipment is required, or whether a considered scenario is feasible. In [2],
Schneier introduces an intuitive, bottom-up algorithm for calculating the value
of an attribute on an attack tree. This idea is formalized in [3]. In this section
we extend it to attack–defense trees.
12
14. 4.1 Bottom-up Evaluation
Let Σ = (S, F) be the AD–signature. An attribute domain is a pair Aα =
(Dα, Iα), where Dα is a set of values, and Iα is a function,which to every fk ∈ F
with k 0, associates a k-ary operation Iα(fk) on Dα. An attribute for ADTerms
is a pair α = (Aα, βα) formed by an attribute domain Aα and a function βα : B →
Dα called a basic assignment for α. The next definition formalizes the bottom-up
procedure of calculating attribute values.
Definition 9. Let α = ((Dα, Iα), βα) be an attribute. The function α: TΣ → Dα
which calculates the value of the attribute α for every ground ADTerm t, is
defined recursively as follows
α(t) =
(
βα(t), if t ∈ B,
Iα(fk)(α(t1), . . . , α(tk)), if t = fk(t1, . . . , tk).
The following example illustrates the bottom-up evaluation of attribute values.
Example 5. Consider the ADTerm t = cp
(∧p
(a, b), co
(d, e)), where a, b, e ∈ Bp
,
d ∈ Bo
are independent basic actions. We define the following operations on
the interval [0, 1]: ⊕(x, y) = x + y − xy, ⊙(x, y) = xy and ⊖(x, y) = x(1 − y).
Using the attribute domain APr = ([0, 1], IPr), where IPr(∨s
) = ⊕, IPr(∧s
) = ⊙
and IPr(cs
) = ⊖, for s ∈ {p, o}, we calculate the success probability of the
attack–defense scenario represented by t. The success probabilities of basic ac-
tions are set as follows βPr(a) = 0.2, βPr(b) = 0.7, βPr(e) = 0.1, and βPr(d) =
0.9. According to Definition 9, we obtain Pr(t) = Pr(cp
(∧p
(a, b), co
(d, e))) =
⊖(⊙(0.2, 0.7), ⊖(0.9, 0.1)) = 0.0266.
4.2 Semantics Preserving Attribute Values
In our framework, we consider equivalent ADTrees as indistinguishable. Thus,
the evaluation of attributes for equivalent ADTerms should be consistent, i.e.,
should yield the same values. This issue has already been discussed in case of
attack trees, cf. [18, 3]. In [18], the evaluation of the attacker’s expected out-
come (based on cost, probabilities, expected penalties and gains) is considered.
Using the propositional semantics, Jürgenson and Willemson propose a non-
bottom-up procedure ensuring that the expected outcome attribute is calcu-
lated consistently. In their approach, optimization becomes necessary, because
the corresponding computations are exponential with respect to the size of a tree.
In [3], Mauw and Oostdijk consider a bottom-up way of calculating attributes,
as defined in Definition 9. They show that when using the multiset semantics
on attack trees, the attribute evaluation is consistent if the considered attribute
domain is distributive, i.e., if it constitutes a semi-ring. In the current paper, we
extend this result to any semantics for ADTrees. We introduce a notion of com-
patibility between a semantics and an attribute domain, which guarantees that
the intuitive properties modeled by the semantics are preserved by the attribute
domain. The compatibility is a necessary condition for consistent bottom-up
evaluation of attributes on ADTrees.
13
15. Definition 10. Let (Σ, E) be an algebraic specification, and let ≡ be a semantics
for ADTerms. The set E is called a complete set of axioms for ≡, iff the relations
≡ and b
E ∩ (TΣ × TΣ) are equal.
Example 6. Consider the equational semantics ≡E induced by an algebraic spec-
ification (Σ, E). It follows directly from Definition 8 that the set E is a complete
set of axioms for ≡E.
Let Aα = (Dα, Iα) be an attribute domain. Given t ∈ TVAR
Σ , we denote by
tα an expression, composed of the elements from B ∪ VAR (here considered as
variables) and operators Iα(fk), where fk ∈ F, k ≥ 1, defined as follows
tα =
(
t, if t ∈ B ∪ VAR,
Iα(fk) t1
α, . . . , tk
α
, if t = fk t1
, . . . , tk
.
Definition 11. An equivalence relation ≡ on TΣ is compatible with an attribute
domain Aα = (Dα, Iα) iff for all ADTerms t, t′
such that t ≡ t′
, the equality
tα = t′
α holds in Dα.
Consider a complete set of axioms E for a semantics ≡. It follows from Defini-
tions 11 and 10, that the semantics ≡ is compatible with an attribute domain
Aα iff for every equation t = t′
from E, the equality tα = t′
α holds in Dα.
In the following, we show that when considering a semantics that is compat-
ible with a given attribute domain, the evaluation of attributes on equivalent
ADTerms yields the same values.
Theorem 1. Let α = ((Dα, Iα), βα) be an attribute, and t, t′
be ADTerms. If
tα = t′
α holds in Dα, then α(t) = α(t′
).
Proof. Since tα = t′
α holds in Dα, we have σ(tα) = σ(t′
α), for every substitution
σ: B ∪ VAR → Dα. Thus, it suffices to show that for every ADTerm t, we have
βα(tα) = α(t). (2)
The proof of (2) is by induction on the structure of t. If t ∈ B, then tα = t,
thus βα(tα) = βα(t) = α(t). Suppose now, that for all ADTerms composing t,
we have (2), and let t = fk(t1
, . . . , tk
). We have
βα(tα) = βα(Iα(fk)(t1
α, . . . , tk
α)) = Iα(fk)(βα(t1
α), . . . , βα(tk
α))
= Iα(fk)(α(t1
), . . . , α(tk
)) = α(t). ⊓
⊔
Corollary 1. Let α = (Aα, βα) be an attribute and let ≡ be a semantics for
ADTerms compatible with Aα. If t ≡ t′
, then α(t) = α(t′
).
Corollary 1 guarantees that, given an attribute domain and a compatible
semantics, the attributes can be calculated in a consistent way, In Example 7
we show how the compatibility notion defined in Definition 11 covers the result
obtained by Mauw and Oostdijk in [3].
14
16. Example 7. The multiset semantics for attack trees used in [3] can be axioma-
tized with the following set of rules, for fi ∈ {∨p
i , ∧p
i }, i ≥ 1,
fk(X1, . . . , Xk) = fk(Xσ(1), . . . , Xσ(k)), for every permutation σ of {1, . . . , k},
fk+1(X1, . . . , Xk, fn(Y1, . . . , Yn)) = fk+n(X1, . . . , Xk, Y1, . . . , Yn),
∧p
(X, ∨p
(X1, . . . , Xk)) = ∨p
(∧p
(X, X1), . . . , ∧p
(X, Xk)),
∨p
(X, X, X1, . . . , Xk) = ∨p
(X, X1, . . . , Xk).
Note that the corresponding equalities always hold in every attribute domain
Aα = (Dα, Iα), such that (Dα, Iα(∨p
), Iα(∧p
)) constitutes a semi-ring. Thus,
the multiset semantics for attack trees is compatible with any attribute domain
being a semi-ring.
5 Conclusion and Future Work
We introduce attack–defense trees as a new formal approach for security assess-
ment. These ADTrees provide an intuitive and visual representation of interac-
tions between an attacker and a defender of a system, as well as the evolution
of the security mechanisms and vulnerabilities of a system.
The attack–defense language is based on ADTerms, i.e., the term algebra for
ADTrees. We define semantics for ADTrees as equivalence relations on ADTerms.
This general framework unifies different approaches [3–5] to attack trees that
have been proposed in the literature, because they all rely upon an underlying
equivalence relation.
Furthermore, analysis of ADTrees is supported through attributes and their
bottom-up evaluation. This extends the approach proposed for attack trees
in [3]. Finally, we formulate a necessary condition guaranteeing that equivalent
ADTerms yield the same attribute value.
The purpose of this paper is to lay a formal foundation for attack–defense
trees. To demonstrate the applicability of attack–defense trees on a real-world
example is impossible without a tool, due to the large size of the resulting attack–
defense trees. Examples for the applicability of a similar approach can, at present,
be found in works on attack trees, e.g., [5, 12, 19, 20].
In order to allow for meaningful case-studies with attack–defense trees, a
computer tool will be developed next. It will facilitate the construction of large
ADTrees, support their graphical representation, and assist in the analysis of
ADTrees by combining information assigned to the basic actions in an ADTree
into a single value for the analyzed scenario. Furthermore, automated generation
and analysis of ADTrees is planned for particular domains, such as network secu-
rity. The feasibility of such a work has been demonstrated by Sheyner et al. [13],
who have shown how to automatically generate and analyze attack graphs from
the output of a model checker for an intrusion detection system.
We also plan to extend the attack–defense framework to attack–defense
DAGs. Using DAGs one can model dependencies between the sub-goals. This
issue is crucial when taking the execution order of sub-goals into account or
when analyzing an attack–defense scenario from a probabilistic point of view.
15
17. References
1. Vesely, W.E., Goldberg, F.F., Roberts, N., Haasl, D.: Fault Tree Handbook. Tech-
nical Report NUREG-0492, U.S. Regulatory Commission (1981)
2. Schneier, B.: Attack Trees. Dr. Dobb’s Journal of Software Tools 24(12) (1999)
21–29
3. Mauw, S., Oostdijk, M.: Foundations of Attack Trees. In Won, D., Kim, S., eds.:
ICISC. Volume 3935 of LNCS., Springer (2005) 186–198
4. Willemson, J., Jürgenson, A.: Serial Model for Attack Tree Computations. In
Lee, D., Hong, S., eds.: Proc. ICISC 2009. Volume 5984 of LNCS., Springer (2010)
118–128
5. Edge, K.S., Dalton II, G.C., Raines, R.A., Mills, R.F.: Using Attack and Protec-
tion Trees to Analyze Threats and Defenses to Homeland Security. In: Military
Communications Conference, 2006. MILCOM 2006. IEEE. (2006) 1–7
6. Saini, V., Duan, Q., Paruchuri, V.: Threat Modeling Using Attack Trees. Journal
of Computing in Small Colleges 23(4) (2008) 124–131
7. Bistarelli, S., Fioravanti, F., Peretti, P.: Defense Trees for Economic Evaluation of
Security Investments. In: ARES, IEEE Computer Society (2006) 416–423
8. Bistarelli, S., Dall’Aglio, M., Peretti, P.: Strategic Games on Defense Trees. In
Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S.A., eds.: Formal Aspects
in Security and Trust. Volume 4691 of LNCS., Springer (2006) 1–15
9. Moore, A.P., Ellison, R.J., Linger, R.C.: Attack Modeling for Information Security
and Survivability. Technical Report CMU/ SEI-2001-TN-001, CMU Software Eng
(2001)
10. Cervesato, I., Meadows, C.: One Picture Is Worth a Dozen Connectives: A Fault-
Tree Representation of NPATRL Security Requirements. IEEE Transactions on
Dependable and Secure Computing 4 (2007) 216–227
11. Amoroso, E.G.: Fundamentals of Computer Security Technology. Prentice-Hall,
Inc., Upper Saddle River, NJ, USA (1994)
12. Morais, A.N.P., Martins, E., Cavalli, A.R., Jimenez, W.: Security Protocol Testing
Using Attack Trees. In: CSE (2), IEEE Computer Society (2009) 690–697
13. Sheyner, O., Haines, J.W., Jha, S., Lippmann, R., Wing, J.M.: Automated Gen-
eration and Analysis of Attack Graphs. In: IEEE Symposium on Security and
Privacy, Los Alamitos, CA, USA, IEEE Computer Society (2002) 273–284
14. Bistarelli, S., Peretti, P., Trubitsyna, I.: Analyzing Security Scenarios Using De-
fence Trees and Answer Set Programming. Electronic Notes in Theoretical Com-
puter Science 197(2) (2008) 121–129
15. Kordy, B., Mauw, S., Melissen, M., Schweitzer, P.: Attack–Defense Trees and Two-
Player Binary Zero-Sum Extensive Form Games Are Equivalent. Proceedings of
GameSec 2010. LNCS., Springer-Verlag. Avail. at http://arxiv.org/abs/1006.2732.
16. Rehák, M., Staab, E., Fusenig, V., Pěchouček, M., Grill, M., Stiborek, J., Bartoš,
K., Engel, T.: Runtime Monitoring and Dynamic Reconfiguration for Intrusion
Detection Systems. In Kirda, E., Jha, S., Balzarotti, D., eds.: Proceedings of
RAID ’09. Volume 5758 of LNCS., Springer-Verlag (2009) 61–80
17. Doets, K.: Basic Model Theory. Stanford: CSLI Publications (1996)
18. Jürgenson, A., Willemson, J.: Computing Exact Outcomes of Multi-parameter
Attack Trees. In Meersman, R., Tari, Z., eds.: OTM Conferences (2). Volume 5332
of LNCS., Springer (2008) 1036–1051
19. Amenaza: SecurITree http://www.amenaza.com/.
20. Isograph: AttackTree+ http://www.isograph-software.com/atpover.htm.
16
View publication stats