Calculating Adversarial Risk from Attack Trees: Control Strength and Probabilistic Attackers

Attack trees are a well-known formalism for the quantitative analysis of cyber attacks that consist of multiple steps and alternative paths. Properties of the overall attack, such as the attacker's cost and the probability of success, can be derived from the properties of the individual steps. In existing formalisms, however, such properties are treated as independent: investing more in an attack step does not raise its probability of success. Since this is counterintuitive, we introduce a framework for reasoning about attack trees based on the notion of control strength, in which each node is annotated with a function from attacker investment to probability of success. We define calculation rules on such trees that enable analysis of the attacker's optimal investment. Our second result is the translation of the optimal attacker investment into the associated adversarial risk, yielding what we call adversarial risk trees. The third result is the introduction of probabilistic attacker strategies, based on the fitness (utility) of the available scenarios. Together, these contributions improve the possibilities for using attack trees in adversarial risk analysis.
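The following Python sketch is an added example, not code from the paper, of the three ideas the abstract describes: leaves annotated with an investment-to-success-probability function, a search for the attacker's utility-maximizing investment per scenario, translation of the result into adversarial risk, and a probabilistic attacker strategy over scenario fitness. Everything concrete in it is an assumption for illustration: the control-strength function 1 - exp(-x/s), the rule that an AND scenario succeeds with the product of its steps' probabilities while an OR node yields alternative scenarios, exhaustive search on an integer investment grid, and a Boltzmann (softmax) choice rule for the strategy. The tree, the strengths, the gain and the impact value are constructed.

```python
import itertools
import math


class Leaf:
    """Basic attack step annotated with a control-strength function.

    Assumed functional form (not from the paper): an investment x defeats a
    control of strength s with probability 1 - exp(-x / s), so a stronger
    control needs more investment for the same chance of success.
    """

    def __init__(self, name, strength):
        self.name = name
        self.strength = float(strength)

    def p_success(self, investment):
        return 1.0 - math.exp(-investment / self.strength)


class Node:
    """AND node (all children needed) or OR node (any child suffices)."""

    def __init__(self, op, children):
        assert op in ("AND", "OR")
        self.op = op
        self.children = children


def scenarios(node):
    """Enumerate attack scenarios: each is a tuple of leaves that must all succeed."""
    if isinstance(node, Leaf):
        return [(node,)]
    parts = [scenarios(c) for c in node.children]
    if node.op == "OR":
        return [s for alternatives in parts for s in alternatives]
    # AND: one scenario per combination of the children's scenarios.
    return [sum(combo, ()) for combo in itertools.product(*parts)]


def scenario_success(scenario, allocation):
    """Assumed rule: independent steps, so success probabilities multiply."""
    return math.prod(leaf.p_success(x) for leaf, x in zip(scenario, allocation))


def optimal_investment(scenario, gain, budget=20, step=1):
    """Exhaustive search over integer allocations (assumed method) for the
    investment that maximizes attacker utility = gain * P(success) - spend."""
    best_u, best_alloc = float("-inf"), None
    grid = range(0, budget + 1, step)
    for alloc in itertools.product(grid, repeat=len(scenario)):
        u = gain * scenario_success(scenario, alloc) - sum(alloc)
        if u > best_u:
            best_u, best_alloc = u, alloc
    return best_u, best_alloc


def attacker_strategy(results, beta):
    """Boltzmann (softmax) selection over scenario fitness; assumed rule.
    beta -> 0 picks uniformly, beta -> inf picks the best scenario only."""
    m = max(r["utility"] for r in results)
    weights = [math.exp(beta * (r["utility"] - m)) for r in results]
    z = sum(weights)
    return [w / z for w in weights]


def adversarial_risk(tree, gain, impact, beta):
    """Optimal investment per scenario, then expected risk to the defender
    = impact * sum over scenarios of P(chosen) * P(success)."""
    results = []
    for scen in scenarios(tree):
        u, alloc = optimal_investment(scen, gain)
        results.append({
            "scenario": tuple(leaf.name for leaf in scen),
            "alloc": alloc,
            "utility": u,
            "p_success": scenario_success(scen, alloc),
        })
    for r, pr in zip(results, attacker_strategy(results, beta)):
        r["prob_chosen"] = pr
    risk = impact * sum(r["prob_chosen"] * r["p_success"] for r in results)
    return risk, results


# Constructed example tree: phish an admin, or exploit the VPN and then escalate.
PHISH = Leaf("phish_admin", strength=2)
VPN = Leaf("exploit_vpn", strength=8)
ESCALATE = Leaf("escalate_privs", strength=3)
TREE = Node("OR", [PHISH, Node("AND", [VPN, ESCALATE])])

if __name__ == "__main__":
    risk, results = adversarial_risk(TREE, gain=40.0, impact=100.0, beta=0.1)
    for r in results:
        print(f"{r['scenario']}: invest {r['alloc']}, utility {r['utility']:.2f}, "
              f"P(success) {r['p_success']:.3f}, P(chosen) {r['prob_chosen']:.3f}")
    print(f"expected adversarial risk: {risk:.2f}")
```

Two things worth noticing when running it: a scenario whose optimal investment is zero (utility 0, success probability 0) is one the rational attacker abandons, which is exactly the dependency between investment and success that independent-attribute trees cannot express; and the Boltzmann temperature beta controls how much risk still flows through the inferior path, which is what distinguishes a probabilistic strategy from the single best scenario.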
