On Validating Attack Trees with Attack Effects

Threats or attacks can be decomposed into more primitive attacks/events by attack trees. These trees can show possible scenarios of threats. In addition, the quantitative properties of attacks, called attributes, can be integrated along with the tree structures. This paper introduces a formal system for attack trees focusing on refinement scenarios, and enriches attack trees with effects of attacks, which allows the evaluation of the validity of attack decomposition systematically. The property that sub-attacks refine an attack is described by the relationship among their effects, that is defined as consistency of a branch. Consistent attack trees support a systematic approach for the entire attack tree process. Furthermore the effects of attacks in consistent attack trees are well-behaved as an attribute. These ideas are applied to the case study of a vehicular network system. As an application, possible degrees of mitigation for attacks in attack trees are discussed.

[1]  Susan Snedaker,et al.  Business Continuity and Disaster Recovery Planning for IT Professionals , 2007 .

[2]  Sophie Pinchinat,et al.  Is My Attack Tree Correct? , 2017, ESORICS.

[3]  Sjouke Mauw,et al.  Foundations of Attack Trees , 2005, ICISC.

[4]  Sophie Pinchinat,et al.  Guided Design of Attack Trees: A System-Based Approach , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[5]  Igor Nai Fovino,et al.  Integrating cyber attacks within fault trees , 2009, Reliab. Eng. Syst. Saf..

[6]  Barbara Kordy,et al.  Attack Trees with Sequential Conjunction , 2015, SEC.

[7]  William H. Sanders,et al.  Security Analysis of Urban Railway Systems: The Need for a Cyber-Physical Perspective , 2014, SAFECOMP Workshops.

[8]  Sophie Pinchinat,et al.  Is my attack tree correct? Extended version , 2017, ArXiv.

[9]  Ludovic Apvrille,et al.  Security requirements for automotive on-board networks , 2009, 2009 9th International Conference on Intelligent Transport Systems Telecommunications, (ITST).

[10]  Igor Nai Fovino,et al.  Through the Description of Attacks: A Multidimensional View , 2006, SAFECOMP.

[11]  Ross Horne,et al.  Semantics for Specialising Attack Trees based on Linear Logic , 2017, Fundam. Informaticae.

[12]  Sanford Friedenthal,et al.  A Practical Guide to SysML: The Systems Modeling Language , 2008 .

[13]  Mariëlle Stoelinga,et al.  Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools , 2014, Comput. Sci. Rev..

[14]  Hirotaka Yoshida,et al.  A Comparative Study of JASO TP15002-Based Security Risk Assessment Methods for Connected Vehicle System Design , 2019, Secur. Commun. Networks.

[15]  Christos Strydis,et al.  Attack-tree-based Threat Modeling of Medical Implants , 2018, PROOFS@CHES.

[16]  RuijtersEnno,et al.  Fault tree analysis , 2015 .

[17]  Olga Gadyatskaya,et al.  New Directions in Attack Tree Research: Catching up with Industrial Needs , 2017, GraMSec@CSF.

[18]  David J. Parish,et al.  Unified P arametrizable Attack Tree , 2011 .