Quantitative Verification and Synthesis of Attack-Defence Scenarios

Attack-defence trees are a powerful technique for formally evaluating attack-defence scenarios. They represent in an intuitive, graphical way the interaction between an attacker and a defender who compete in order to achieve conflicting objectives. We propose a novel framework for the formal analysis of quantitative properties of complex attack-defence scenarios, using an extension of attack-defence trees which models temporal ordering of actions and allows explicit dependencies in the strategies adopted by attackers and defenders. We adopt a game-theoretic approach, translating attack-defence trees to two-player stochastic games, and then employ probabilistic model checking techniques to formally analyse these models. This provides a means to both verify formally specified security properties of the attack-defence scenarios and, dually, to synthesise strategies for attackers or defenders which guarantee or optimise some quantitative property, such as the probability of a successful attack, the expected cost incurred, or some multi-objective trade-off between the two. We implement our approach, building upon the PRISM-games model checker, and apply it to a case study of an RFID goods management system.
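The following is an added illustration, not the paper's own translation or the PRISM-games encoding: it fixes one simple temporal ordering (the defender deploys countermeasures first, then the attacker responds to what was deployed), treats each basic action as an independent stochastic event, and solves the resulting two-player game by backward induction over the tree rather than by general stochastic-game model checking. The node names, probabilities, costs and budgets are constructed for the example and are not taken from the paper's RFID case study.

```python
"""Added illustration (not the paper's code or PRISM-games): a tiny
attack-defence tree solved as a two-player game by backward induction.
All node names, probabilities and costs are constructed for the example."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Leaf:          # basic action of either player
    name: str
    p: float         # attacker leaf: success probability; defence leaf: probability it blocks
    cost: float      # attacker leaf: cost to attempt; defence leaf: cost to deploy


@dataclass(frozen=True)
class And:           # all children must succeed (attacker attempts every one)
    children: tuple


@dataclass(frozen=True)
class Or:            # attacker picks exactly one child
    children: tuple


@dataclass(frozen=True)
class Counter:       # attack sub-tree that a deployed defence may block
    attack: object
    defence: Leaf


def defences(node):
    """All defence leaves reachable in the tree (the defender's choices)."""
    if isinstance(node, Counter):
        return [node.defence] + defences(node.attack)
    if isinstance(node, (And, Or)):
        return [d for c in node.children for d in defences(c)]
    return []


def best_attack(node, deployed):
    """Attacker's best response to a set of deployed defence names.
    Returns (success probability, total cost, actions executed)."""
    if isinstance(node, Leaf):
        return node.p, node.cost, [node.name]
    if isinstance(node, Counter):
        p, cost, plan = best_attack(node.attack, deployed)
        if node.defence.name in deployed:
            p *= 1.0 - node.defence.p   # attack succeeds only if the defence fails
        return p, cost, plan
    if isinstance(node, And):
        p, cost, plan = 1.0, 0.0, []
        for c in node.children:
            cp, cc, cplan = best_attack(c, deployed)
            p, cost, plan = p * cp, cost + cc, plan + cplan
        return p, cost, plan
    if isinstance(node, Or):
        # maximise success probability, break ties by lower attacker cost
        return max((best_attack(c, deployed) for c in node.children),
                   key=lambda r: (r[0], -r[1]))
    raise TypeError(node)


def solve(root, budget):
    """Defender minimises the attacker's best-response success probability
    subject to a deployment budget (ties broken by cheaper deployment).
    Returns (value, deployed defence names, attacker plan, attacker cost)."""
    opts = defences(root)
    best = None
    for k in range(len(opts) + 1):
        for subset in combinations(opts, k):
            spend = sum(d.cost for d in subset)
            if spend > budget:
                continue
            names = frozenset(d.name for d in subset)
            p, cost, plan = best_attack(root, names)
            cand = (p, spend, names, plan, cost)
            if best is None or cand[:2] < best[:2]:
                best = cand
    p, spend, names, plan, cost = best
    return p, names, plan, cost


# Constructed RFID-style scenario: the numbers are illustrative only.
TREE = Or((
    Counter(Leaf("clone_tag", 0.8, 50), Leaf("encrypt_tag_data", 0.9, 200)),
    And((
        Counter(Leaf("steal_credentials", 0.5, 20), Leaf("enforce_mfa", 0.95, 100)),
        Leaf("tamper_reader", 0.6, 80),
    )),
    Leaf("bribe_insider", 0.25, 500),
))

if __name__ == "__main__":
    for budget in (0, 250, 300):
        p, deployed, plan, cost = solve(TREE, budget)
        print(f"budget={budget}: P(attack succeeds)={p:.3f} "
              f"deploy={sorted(deployed)} attacker does {plan} at cost {cost}")
```

Running `solve` for increasing defender budgets shows the dual use the abstract describes: the value returned is the verified bound on the probability of a successful attack, and the deployed set and attacker plan are the synthesised strategies that achieve it. With a budget of 250 the defender can only afford `encrypt_tag_data`, which drives the attacker off tag cloning onto the credential-plus-reader route; with 300 both defences fit and the attacker's best remaining option is the expensive insider bribe, which is exactly the kind of probability-versus-cost trade-off a multi-objective query would expose.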
