Regression nodes: extending attack trees with data from social sciences

In the field of security, attack trees are often used to assess security vulnerabilities probabilistically in relation to multi-step attacks. The nodes are usually connected via AND-gates, where all children must be executed, or via OR-gates, where only one action is necessary for the attack step to succeed. This logic, however, is not suitable for including human interaction such as that of social engineering, because the attacker may combine different persuasion principles to different degrees, with different associated success probabilities. Experimental results in this domain are typically represented by regression equations rather than logical gates. This paper therefore proposes an extension to attack trees involving a regression-node, illustrated by data obtained from a social engineering experiment. By allowing the annotation of leaf nodes with experimental data from social science, the regression-node enables the development of integrated socio-technical security models.
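A sketch of how a regression node can be evaluated bottom-up next to AND/OR gates; this is an added example, not code from the paper. It assumes independent children, a logistic form for the regression equation, and constructed coefficients, predictor names and leaf probabilities.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Leaf:
    name: str
    p: float                      # constructed success probability of one step
    def prob(self) -> float:
        return self.p

@dataclass
class Gate:
    kind: str                     # "AND": all children needed; "OR": one suffices
    children: List[object]
    def prob(self) -> float:
        ps = [c.prob() for c in self.children]
        if self.kind == "AND":
            return math.prod(ps)                       # assumes independent children
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)
        raise ValueError(f"unknown gate kind: {self.kind}")

@dataclass
class RegressionNode:
    intercept: float
    coef: Dict[str, float]        # one coefficient per persuasion principle
    levels: Dict[str, float]      # degree to which each principle is applied
    def prob(self) -> float:
        unknown = set(self.levels) - set(self.coef)
        if unknown:               # refuse predictors the model was never fitted on
            raise ValueError(f"no coefficient for: {sorted(unknown)}")
        z = self.intercept + sum(b * self.levels.get(k, 0.0) for k, b in self.coef.items())
        return 1.0 / (1.0 + math.exp(-z))              # logistic link (assumption)

def build_tree(levels: Dict[str, float]) -> Gate:
    # Constructed numbers for illustration; not results from the paper's experiment.
    social = RegressionNode(-1.0, {"authority": 1.5, "reciprocity": 0.5}, levels)
    technical = Gate("OR", [Leaf("technical step A", 0.3), Leaf("technical step B", 0.5)])
    return Gate("AND", [social, technical])

if __name__ == "__main__":
    for lv in ({}, {"authority": 1.0}, {"authority": 1.0, "reciprocity": 1.0}):
        print(lv, round(build_tree(lv).prob(), 4))
```

Unlike a gate, the regression node's output varies continuously with the degree to which each principle is applied, which is what lets experimental coefficients be attached to it directly.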
