Is my attack tree correct? Extended version

Attack trees are a popular way to represent and evaluate potential security threats on systems or infrastructures. The goal of this work is to provide a framework for expressing and checking whether an attack tree is consistent with the analyzed system. We model real systems using transition systems and introduce attack trees with formally specified node labels. We formulate the correctness properties of an attack tree with respect to a system and study the complexity of the corresponding decision problems. The proposed framework can be used in practice to assist security experts in the manual creation of attack trees and to enhance the development of tools for automated generation of attack trees.
