Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees


SECURITY AND COMMUNICATION NETWORKS. Security Comm. Networks 2011; 3:1–15

DOI: 10.1002/sec

RESEARCH ARTICLE

ACT: Towards unifying the constructs of attack and defense trees*

Arpan Roy, Dong Seong Kim and Kishor S. Trivedi,

Department of Electrical & Computer Engineering, Duke University, Durham, NC 27708, USA.

ABSTRACT

Attack tree (AT) is one of the widely used non-state-space models for security analysis. The basic formalism of AT does not take into account defense mechanisms. Defense trees (DTs) have been developed to investigate the effect of defense mechanisms using measures such as attack cost, security investment cost, return on attack (ROA) and return on investment (ROI). DT, however, places defense mechanisms only at the leaf nodes and the corresponding ROI/ROA analysis does not incorporate the probabilities of attack. In attack response tree (ART), attack and response are both captured but ART suffers from the problem of state-space explosion, since solution of ART is obtained by means of a state space model. In this paper, we present a novel attack tree paradigm called attack countermeasure tree (ACT) which avoids the generation and solution of a state-space model and takes into account attacks as well as countermeasures (in the form of detection and mitigation events). In ACT, detection and mitigation are allowed not just at the leaf node but also at the intermediate nodes while at the same time the state-space explosion problem is avoided in its analysis. We study the consequences of incorporating countermeasures in the ACT using three case studies (ACT for BGP attack, ACT for a SCADA attack and ACT for malicious insider attacks). Copyright © 2011 John Wiley & Sons, Ltd.

KEYWORDS

attack trees, non-state-space model, mincuts, return on attack, return on investment.

*Correspondence: Dr. Kishor S. Trivedi, Department of Electrical and Computer Engineering, Duke University, Durham, NC 27708, U.S.A.

Email: [email protected]

1. INTRODUCTION

The first step towards security modeling involves designing a scalable model [1, 2] that helps quantify security [3] in terms of key attributes such as the loss caused by attacks [4, 5] or the gain accrued from enforcing a security countermeasure [6]. This will aid not only in probabilistic risk analysis (PRA) of a system but also in the development of a scheme as to where in the system security investment should be prioritized. The simplest model type in this context is attack tree (AT) [7, 2]. However, the basic formalism of AT does not include defense mechanisms. Defense trees (DTs) [8, 9] incorporate defense mechanisms in AT. However, they place defense mechanisms only at the leaf nodes. Return on Investment (ROI) and Return on Attack (ROA) analysis using DT does not incorporate probabilities of attack. In attack response trees (ARTs) [10], both attacks and responses are captured at any node but ARTs suffer from the state-space explosion problem (or the largeness problem) due to the use of a partially observable Markov decision process (POMDP) [11] as a solution technique.

In this paper, we present a novel attack tree model called attack countermeasure tree (ACT). Our contributions are summarized as follows. In ACT,

• defense mechanisms can be placed at any node of the tree, not just at the leaf nodes,

• generation and analysis of attack scenarios and attack-countermeasure scenarios is automated using mincuts,

• probabilistic analysis (using measures such as attack and security investment cost, Birnbaum importance measure, system risk, impact of an attack, ROI and ROA) is performed in an integrated manner (as shown in Figure 1),


Figure 1. Analysis using ACT. Qualitative analysis yields mincuts and structural importance; probabilistic analysis yields probability of attacks, cost, impact, risk, ROI & ROA and Birnbaum importance.

• attack events and countermeasures are prioritized using structural and Birnbaum importance measure and

• the consequences of incorporating countermeasures in the ACT are demonstrated using three case studies (ACT for BGP attack, ACT for a SCADA attack and ACT for malicious insider attacks) [10].

We have implemented an ACT module in the SHARPE (Symbolic Hierarchical Automated Reliability and Performance Evaluator) [12, 13] software package. This is not well known to do the tasks we were doing over the

The remainder of this paper is organized as follows. Related work is presented in Section 2. Some basic terminology is defined in Section 3.1. The basic model for ACT is presented in Section 3.2. Section 3.3 describes qualitative and probabilistic analysis using ACT. Implementation of the ACT module in SHARPE is presented in Section 4. In Section 5, we demonstrate the utility of ACT by analyzing case studies (BGP attack [14], SCADA attack [15] and malicious insider attack [16]). Finally, we conclude the paper in Section 6.

2. RELATED WORK

Weiss's threat logic trees [17] and Amoroso's threat trees [18] mark the beginning of the use of decision trees for characterizing attacks. Schneier developed the basic attack tree (AT) formalism [2] in which a PGP AT was used to illustrate the applications of AT. Moore et al. [7] extended Schneier's AT by introducing attack scenarios and attack profiles. Mauw et al. [19] developed an alternative formalism for AT where the goal was associated with the set of all mincuts. When applied to complex case studies, AT often became large and unwieldy. Therefore Daley [20] proposed a layered approach to partition attack tree nodes with respect to their functionality. Since attacks and faults both lead to system failure, Fovino et al. [21] integrated attacks into the fault tree structure by developing a graph theoretical model called extended fault tree (EFT) [21]. However, these ATs do not take into account defense mechanisms. To incorporate defense mechanisms in AT, Bistarelli et al. [8] used defense trees (DTs) and applied game theory to find the most cost effective set of countermeasures. Edge et al. [22] proposed protection trees (PTs) which only concentrate on defense mechanisms regardless of attacks. Zonouz et al. [10] proposed attack-response trees (ARTs) that incorporate both attacks and responses but use a state-space model (partially observable stochastic game model) to find an optimal set of countermeasures. Thus, their model suffers from state-space explosion. We propose ACT which provides a simple yet compact approach for security analysis, harnessing the benefits of the aforementioned models while at the same time avoiding the state-space explosion problem.

3. ATTACK COUNTERMEASURE TREES

3.1. Preliminaries

$A_k$: an attack event
$D_k$: a detection event
$M_k$: a mitigation event
$CM_k$: a countermeasure
$ACT = \{V, \psi, E\}$: $V$ is the set of all vertices in the ACT, $\psi$ the set of all gates in the ACT and $E$ the set of all edges in the ACT, where $V = \{\forall k,\ v_k : v_k \in \{A_j\} \,||\, v_k \in \{D_i\} \,||\, v_k \in \{M_l\}\}$ and $A_1, A_2, \ldots, D_1, D_2, \ldots, M_1, M_2, \ldots$ are the events of the ACT, $\psi = \{\forall k,\ \psi_k : \psi_k \in \{\mathrm{AND}, \mathrm{OR}, k\text{-of-}n\ \mathrm{gate}\}\}$, and $E = \{\forall k,\ e_k : e_k \in (v_i, \psi_j) \,||\, e_k \in (\psi_i, \psi_j)\}$
$X = (x_{A_1}\, x_{A_2} \ldots x_{D_1}\, x_{D_2} \ldots x_{M_1}\, x_{M_2} \ldots)$: a state vector for the ACT, where $x_{A_k}, x_{D_k}, x_{M_k}$ are the boolean variables associated with events $A_k, D_k, M_k$ respectively
$\Phi(X)$: structure function of an ACT
$p_{A_k}$: probability of occurrence of attack event $A_k$
$p_{D_k}$: probability of success of detection event $D_k$
$p_{M_k}$: probability of success of mitigation event $M_k$
$P_{goal}$: probability of attack success at the ACT goal
$p_{UD}$: probability of undetected attack at the ACT goal
$p_{DUM}$: probability of detected but unmitigated attack at the ACT goal
$I^{ST}_{A_k}$: structural importance measure of attack event $A_k$
$I^{B}_{A_k}$: Birnbaum importance measure of attack event $A_k$
$i_{A_k}$: impact of attack event $A_k$
$I_{goal}$: impact at the goal node of ACT
$c_{A_k}$: cost of attack event $A_k$
$C_{attacker}$: attack cost at the goal node of ACT
$c_{CM_k}$: security investment cost of countermeasure $CM_k$

3.2. Formalism of ACT

Figure 2. (a) ACT with one attack event, (b) ACT with one attack and one detection event, (c) ACT with one attack and multiple detection events, (d) ACT with one attack, one detection and one mitigation event, (e) ACT with one attack, multiple detection and one mitigation event, (f) ACT with one attack, one detection and multiple mitigation events, (g) ACT with one attack, m detection and n mitigation events and (h) ACT with one attack and multiple pairs of detection and mitigation events. (Legend: attack event, detection event, mitigation event; the attack success node is reached through AND/OR gates combining the attack with its detection and mitigation events.)

In this subsection the basic formalism of ACT is presented. In ACT, there are three distinct classes of events: attack events (e.g., install keystroke logger), detection events (e.g., detect keystroke logger) and mitigation events (e.g., remove keystroke logger). Figure 2(a) shows a simple ACT with a single attack event. The corresponding expression for the probability of a successful attack at the goal node is shown in Eq. (1).

$$P_{goal} = p_A \quad (1)$$

In Figure 2(b), one attack event and one detection mechanism are used. The corresponding expression for the probability of a successful undetected attack is:

$$P_{goal} = p_A (1 - p_D) \quad (2)$$


Figure 2(c) is an extension of Figure 2(b) where n detection mechanisms are being used to detect one attack event. The corresponding $P_{goal}$ is:

$$P_{goal} = p_A (1 - p_{D_1})(1 - p_{D_2}) \cdots (1 - p_{D_n}) \quad (3)$$

In ACT with only detections, mitigations are assumed to be perfect, i.e., they mitigate with probability one (or $p_M = 1$). However if mitigations are imperfect (i.e., $0 \leq p_M < 1$), mitigation techniques may be used in ACT in addition to detection mechanisms. Figure 2(d) shows an ACT with one attack event, one detection event and one mitigation event. Eq. (4) is the corresponding expression for the probability that the attack was successful, i.e., either the attack was undetected or the attack was detected but unmitigated (D representing a detection event and M representing a mitigation event).

$$P_{goal} = p_A \left(1 - p_D + p_D (1 - p_M)\right) = p_A (1 - p_D \, p_M) \quad (4)$$

Indeed, this probability can be split into two parts if desired: the probability of undetected attack, $p_{UD} = p_A (1 - p_D)$, and the probability of a detected but unmitigated attack, $p_{DUM} = p_A \, p_D (1 - p_M)$.

Figure 2(e) shows an ACT with one attack event, n detection events and one mitigation event, and the corresponding equation for the probability of successful attack is in Eq. (5). For the ACT in Figure 2(e), the corresponding probability that the attack is undetected is $p_{UD} = p_A \prod_{i=1}^{n} (1 - p_{D_i})$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A \left(1 - \prod_{i=1}^{n} (1 - p_{D_i})\right) \times (1 - p_M)$.

$$P_{goal} = p_A \left(1 - \left(1 - \prod_{i=1}^{n} (1 - p_{D_i})\right) \times p_M\right) \quad (5)$$

Figure 2(f) shows an ACT with one attack event, one detection event and n mitigation events. Eq. (6) gives the corresponding probability of successful attack. For the ACT in Figure 2(f), the corresponding probability that the attack is undetected is $p_{UD} = p_A (1 - p_D)$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A \, p_D \prod_{i=1}^{n} (1 - p_{M_i})$.

$$P_{goal} = p_A \left(1 - p_D \times \left(1 - \prod_{i=1}^{n} (1 - p_{M_i})\right)\right) \quad (6)$$

Figure 2(g) shows an ACT with one attack event, m detection events and n mitigation events. Eq. (7) gives the corresponding probability of successful attack.

$$P_{goal} = p_A \left(1 - \left(1 - \prod_{i=1}^{m} (1 - p_{D_i})\right) \times \left(1 - \prod_{i=1}^{n} (1 - p_{M_i})\right)\right) \quad (7)$$

Figure 2(h) shows an ACT with one attack event and n pairs of detection and mitigation events. The nature of mitigation triggered depends on the nature of intrusion detected. Eq. (8) shows the corresponding expression for $P_{goal}$. The corresponding probability that the attack is undetected is $p_{UD} = p_A \prod_{i=1}^{n} (1 - p_{D_i})$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A \prod_{i=1}^{n} (1 - p_{D_i} \, p_{M_i}) - p_A \prod_{i=1}^{n} (1 - p_{D_i})$.

$$P_{goal} = p_A \prod_{i=1}^{n} \left(1 - p_{D_i} + p_{D_i} (1 - p_{M_i})\right) = p_A \prod_{i=1}^{n} (1 - p_{D_i} \, p_{M_i}) \quad (8)$$

Table I. Formulae for probability of attack success
  Gate type    Prob. of attack success
  AND gate     $\prod_{i=1}^{n} p(i)$
  OR gate      $1 - \prod_{i=1}^{n} (1 - p(i))$
  k/n gate*    $\sum_{j=k}^{n} \binom{n}{j} p^{j} (1 - p)^{n-j}$
  * for identical inputs

Besides AND and OR gates, ACT also allows for k-out-of-n gates (with identical or non-identical inputs). Table I enumerates formulae for output probability for AND gates, OR gates and k-of-n gates in an ACT.
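The following Python is an added illustration of Eqs. (4) to (8) and Table I; it is example code written for this page, not the paper's SHARPE module. It evaluates $P_{goal}$, $p_{UD}$ and $p_{DUM}$ for an ACT in which a countermeasure may guard an intermediate gate rather than a leaf, which is the ACT feature that DT lacks. The class names (`Attack`, `Gate`, `Countered`), the k-of-n handling for non-identical inputs, and every probability below are this example's own constructions; like Table I, it assumes independent, non-repeated events.

```python
"""P_goal of an ACT with countermeasures at any node (Section 3.2, Table I).

Added example; not the paper's code and not the SHARPE ACT module.
Class and function names are this example's own; all probabilities
below are constructed.  Independence of events is assumed (no repeated
events), which is the assumption behind Table I.
"""
from itertools import combinations
from math import comb, prod


class Attack:
    """Leaf attack event A_k with probability of occurrence p_Ak."""

    def __init__(self, name, p):
        self.name, self.p = name, p

    def p_goal(self):
        return self.p


class Gate:
    """AND, OR or k-of-n gate over independent inputs (Table I)."""

    def __init__(self, kind, inputs, k=None):
        self.kind, self.inputs, self.k = kind, list(inputs), k

    def p_goal(self):
        ps = [n.p_goal() for n in self.inputs]
        if self.kind == "AND":
            return prod(ps)
        if self.kind == "OR":
            return 1 - prod(1 - p for p in ps)
        if self.kind == "KOFN":
            # general (non-identical inputs) form: every way of >= k inputs succeeding
            n = len(ps)
            return sum(
                prod(ps[i] if i in on else 1 - ps[i] for i in range(n))
                for j in range(self.k, n + 1)
                for on in combinations(range(n), j)
            )
        raise ValueError(self.kind)


def kofn_identical(k, n, p):
    """Table I closed form for a k/n gate whose n inputs all have probability p."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


class Countered:
    """Subtree `node` guarded by detection and mitigation events.

    paired=True : n (D_i, M_i) pairs, Figure 2(h) / Eq. (8)
    paired=False: m detections, any of which can trigger any of the
                  n mitigations, Figure 2(g) / Eq. (7)
    `node` may itself be a gate, which places the countermeasure at an
    intermediate node of the tree.
    """

    def __init__(self, node, detections, mitigations, paired=False):
        if paired and len(detections) != len(mitigations):
            raise ValueError("paired countermeasures need one mitigation per detection")
        self.node, self.d, self.m, self.paired = node, list(detections), list(mitigations), paired

    def split(self):
        """Return (P_goal, p_UD, p_DUM) for this node."""
        p_node = self.node.p_goal()
        p_ud = p_node * prod(1 - d for d in self.d)  # undetected
        if self.paired:
            p = p_node * prod(1 - d * m for d, m in zip(self.d, self.m))
        else:
            p_det = 1 - prod(1 - d for d in self.d)  # at least one detection fires
            p_mit = 1 - prod(1 - m for m in self.m)  # at least one mitigation works
            p = p_node * (1 - p_det * p_mit)
        return p, p_ud, p - p_ud  # p_DUM = P_goal - p_UD

    def p_goal(self):
        return self.split()[0]


# --- constructed examples (values are invented for illustration) -----------
def figure_2d():
    """One attack, one detection, one mitigation: Eq. (4)."""
    return Countered(Attack("A", 0.8), [0.7], [0.6]).split()


def figure_2h():
    """One attack and two (D_i, M_i) pairs: Eq. (8)."""
    return Countered(Attack("A", 0.8), [0.7, 0.5], [0.6, 0.9], paired=True).split()


def figure_2g():
    """One attack, two detections and two mitigations: Eq. (7)."""
    return Countered(Attack("A", 0.8), [0.7, 0.5], [0.6, 0.9]).split()


def intermediate_node_example():
    """Countermeasure on the output of an AND gate, then OR with a third attack."""
    guarded = Countered(Gate("AND", [Attack("A1", 0.9), Attack("A2", 0.5)]), [0.8], [0.5])
    return Gate("OR", [guarded, Attack("A3", 0.1)]).p_goal()


if __name__ == "__main__":
    for f in (figure_2d, figure_2h, figure_2g):
        print(f.__name__, [round(v, 4) for v in f()])
    print("intermediate node:", round(intermediate_node_example(), 4))
    print("2/3 identical p=0.5:", kofn_identical(2, 3, 0.5),
          Gate("KOFN", [Attack("x", 0.5)] * 3, k=2).p_goal())
```

The same pairs of detection/mitigation probabilities give different $P_{goal}$ under the paired form of Figure 2(h) and the unpaired form of Figure 2(g), which is the modelling decision the text makes when it says that the mitigation triggered depends on the intrusion detected.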

3.3. Security Analysis using ACT

In this section we present qualitative analysis and quantitative analysis using ACT.

3.3.1. Qualitative Analysis

Qualitative analysis using ACT provides us with mincuts and structural importance measures.

Mincut Analysis. In both AT and ACT, the top event is associated with the set of all mincuts. Mincuts of AT represent attack scenarios [23] whereas those of an ACT represent attack-countermeasure scenarios. We show an example AT for BGP attack [14] ("resetting a BGP session", shown in Figure 3) and its corresponding ACT with countermeasures [24] (as depicted in Figure 4). Among others, countermeasures used include traceroute [25] as one of the detection mechanisms for spoofed TCP reset messages and sequence number randomization [24] as the corresponding mitigation technique. The top (or goal) event in the ACT can also be expressed as a boolean function ($\Phi(X)$) of the leaf node events. In Eq. (9), $\Phi(X)$, the complementary boolean structure function for the AT in Figure 3 is given, where $X$ is a state vector of the ACT and $x_{A_i}$ is a boolean variable such that $x_{A_i} = 1$ when event $A_i$ occurs, else $x_{A_i} = 0$. Mincuts for the AT in Figure 3 are: {(A111, A12), (A1121, A12), (A1122, A12), (A1123, A12), (A2)}.

Figure 3. A simple attack tree for resetting the BGP session. Goal G: Reset a single BGP session (Impact = Unavailability) is an OR of A1: Send message to router causing reset and A2: Alter configuration via compromised router. A1 is an AND of A12: TCP sequence number attack and an OR of A111: Send RST message to TCP stack and A112: Send BGP message; A112 is an OR of A1121: Notify, A1122: Open and A1123: Keep Alive.

Figure 4. A simple ACT for resetting a BGP session: the attack tree of Figure 3 with countermeasures added (legend: attack event, detection event, mitigation event). Detection events: D1: Traceroute check, D12: TCP sequence number check, D2: Router firewall alert. Mitigation events: M1: Randomize Seq. Num., M12: MD5 authentication, M2: Secure router.

$$\Phi(X) = x_{A_{111}} x_{A_{12}} + x_{A_{1121}} x_{A_{12}} + x_{A_{1122}} x_{A_{12}} + x_{A_{1123}} x_{A_{12}} + x_{A_2} \quad (9)$$

The mincuts (attack countermeasure scenarios) of the ACT in Figure 4 are {(A111, CM1, A12, CM12), (A1121, CM1, A12, CM12), (A1122, CM1, A12, CM12), (A1123, CM1, A12, CM12), (A2, CM2)} (where CM1 = (D1, M1), CM12 = (D12, M12), CM2 = (D2, M2)). Each of the 5 mincuts represents a combination of events each of which on occurring will result in attack success at the goal. For instance the mincut (A1122, CM1, A12, CM12) indicates that if both the attack events A1122 and A12 were to occur and if both the countermeasures CM1 and CM12 fail, the attack will succeed. From the mincut (A1122, CM1, A12, CM12), we also observe that the pair of attack events (A1122, A12) is covered by either of the countermeasures CM1 or CM12. We use mincuts in Section 3.3.2 to develop an approach for the cost and the impact analysis in ACT. In future work, mincuts will also be used to find the optimal countermeasure set for an ACT.

Structural Importance Measure Analysis. It is important to determine the most critical event in ACT. Towards this objective, structural importance measure [26] can be used. The concept of ordering system components based on structural importance was first introduced by Boland et al. [27]. Structural importance measure [28] is used when ACT has equiprobable events, i.e., we are provided with only the ACT but the probability of attack (for attack events) and detection/mitigation (for detection/mitigation events) are unknown. Given an ACT, its boolean structure function ($\Phi(X)$) can be built. $\Phi(X) = 1$ when the attack succeeds whereas $\Phi(X) = 0$ when the attack fails. Two state vectors are considered, differing only in the value of $x_{A_k}$:

$$X = (x_{A_1}, x_{A_2}, \ldots, x_{A_{k-1}}, 1, x_{A_{k+1}}, \ldots, x_{A_n})$$

$$X' = (x_{A_1}, x_{A_2}, \ldots, x_{A_{k-1}}, 0, x_{A_{k+1}}, \ldots, x_{A_n})$$

The structural importance measure of an attack event ($A_k$) in an ACT is defined to be the normalized count of state vectors where the component is relevant for the boolean structure function. The corresponding expression for $I^{ST}_{A_k}$ is shown in Eq. (10).

$$I^{ST}_{A_k} = \frac{\sum_{X} \left[\Phi(X)_{A_k} - \Phi(X')_{A_k}\right]}{2^{n}} \quad (10)$$

An attack event ($A_k$) is said to be relevant for a particular state vector $X$ when flipping the boolean value associated with attack event $A_k$ flips the value of $\Phi(X)$ from 1 to 0. In other words, $A_k$ is relevant to state vector $X$ if $\Phi(X)_{A_k} - \Phi(X')_{A_k} = 1$. Once the most critical event in the system is determined, it can be patched or the appropriate detection and mitigation for the component can be enforced.

3.3.2. Probabilistic Analysis

The computation of the probability of a successful attack in an ACT was discussed in Section 3.2. For ACT, the probability of a successful attack can be computed, which can be further split into the probability that the attack is undetected and the probability that the attack is detected but unmitigated. When provided with values for parameters such as probabilities of attacks, cost etc., probabilistic (or quantitative) analysis can be performed using ACTs. Quantitative analysis using ACT can be viewed from two distinct viewpoints: the attacker's viewpoint and the defender's (or security analyst's) viewpoint.

Table II. Formulae for attack cost and attack impact
  Gate type       attack cost                     impact
  AND gate        $\sum_{i=1}^{n} c_{A_i}$         $\sum_{i=1}^{n} i_{A_i}$
  OR gate         $\min_{i=1}^{n} c_{A_i}$         $\max_{i=1}^{n} i_{A_i}$
  k-of-n gate^a   $\sum_{i=1}^{k} c_{A_i}$         $\sum_{i=1}^{k} i_{A_i}$
  ^a For a k-of-n gate, it is assumed that $(c_{A_1}, c_{A_2}, \ldots, c_{A_n})$ are sorted in the ascending order of their cost values and $(i_{A_1}, i_{A_2}, \ldots, i_{A_n})$ are sorted in the descending order of their impact values.

Figure 5. Attack tree with repeated events: goal G over attack events A1, A2 and A3, with A3 appearing twice (a repeated event; A1 and A2 are non-repeat events). Its mincuts are {(A1, A2), A3}.

Measures such as attack cost and ROA reflect the attacker's perspective whereas metrics such as security investment cost, risk, impact and ROI represent the defender's perspective.

Cost Computation. In ACT, cost may be of two types: cost of attack and security investment cost. Cost of attack in ACT ($C_{attacker}$) with no repeated events is computed using the expressions in Table II [29]. In ACT, the cost of attack is the sum of the costs of the input events for an AND gate whereas it is the minimum of the cost of the input events for an OR gate. The cost of attack for a k-of-n gate is the sum of the cost of the k lowest cost input events to the gate.
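The Table II rules for trees without repeated events, as an added example in Python (written for this page; not the paper's code or SHARPE's). The tree shape is that of Figure 3; the per-event costs and impacts are invented values carrying no information from the paper, and the `leaf`/`gate` helpers are this example's own. The impact rule it applies is the one the text gives further below (sum at AND, maximum at OR, the k largest at a k-of-n gate).

```python
"""Attack cost and impact propagation through gates (Table II).

Added example, not from the paper or SHARPE.  Tree shape follows
Figure 3; the per-event costs and impacts are constructed values with
no basis in the paper.  Valid only for trees without repeated events,
the case Table II covers.
"""


def leaf(name, cost, impact):
    return {"type": "leaf", "name": name, "cost": cost, "impact": impact}


def gate(kind, inputs, k=None):
    return {"type": kind, "inputs": list(inputs), "k": k}


def attack_cost(node):
    """C_attacker: AND sums, OR takes the cheapest input (the "panic approach"),
    k-of-n sums the k cheapest inputs."""
    if node["type"] == "leaf":
        return node["cost"]
    costs = [attack_cost(c) for c in node["inputs"]]
    if node["type"] == "AND":
        return sum(costs)
    if node["type"] == "OR":
        return min(costs)
    if node["type"] == "KOFN":
        return sum(sorted(costs)[: node["k"]])
    raise ValueError(node["type"])


def impact(node):
    """I_goal: AND sums, OR takes the worst input, k-of-n sums the k largest."""
    if node["type"] == "leaf":
        return node["impact"]
    impacts = [impact(c) for c in node["inputs"]]
    if node["type"] == "AND":
        return sum(impacts)
    if node["type"] == "OR":
        return max(impacts)
    if node["type"] == "KOFN":
        return sum(sorted(impacts, reverse=True)[: node["k"]])
    raise ValueError(node["type"])


def bgp_attack_tree():
    """Figure 3 with constructed (cost, impact) per leaf."""
    a112 = gate("OR", [leaf("A1121", 40, 300), leaf("A1122", 40, 300), leaf("A1123", 40, 300)])
    a11 = gate("OR", [leaf("A111", 10, 200), a112])
    a1 = gate("AND", [a11, leaf("A12", 50, 400)])
    return gate("OR", [a1, leaf("A2", 200, 900)])


def two_of_three():
    """A 2-of-3 gate: the attacker pays for the two cheapest inputs, the
    defender plans for the two most damaging ones."""
    return gate("KOFN", [leaf("s1", 5, 10), leaf("s2", 7, 20), leaf("s3", 9, 30)], k=2)


if __name__ == "__main__":
    t = bgp_attack_tree()
    print("BGP AT: C_attacker =", attack_cost(t), " I_goal =", impact(t))
    print("2-of-3: C_attacker =", attack_cost(two_of_three()), " I_goal =", impact(two_of_three()))
```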

For an ACT containing one or more repeated events (as shown in Figure 5), we use a simple procedure to compute the attack cost. SHARPE [13] can be used to generate the mincuts of the ACT. The attack cost for a mincut is given by the sum of the attack costs of each attack event in the mincut. The attack cost of the mincut with the lowest cost is selected to be the cost of attack for the ACT. In case of Figure 5, the ACT mincuts are {(A1, A2), A3} and hence the corresponding $C_{attacker} = \min\{c_{A_1} + c_{A_2}, c_{A_3}\}$. In case of an OR gate, we take a "panic approach" in calculating the $C_{attacker}$ at the output, meaning that out of the different input events of an OR gate, we choose the minimum value of attack cost to be propagated. We do so because an attacker's capabilities and preferences cannot be known in advance and the attacker is assumed to take the best way out (i.e., the minimum cost attack). For the same reason, we select the minimum cost mincut while computing $C_{attacker}$ for an ACT with repeat events.

Figure 6. Change in (a) structural importance measure and (b) corresponding change in $P_{goal}$, and (c) change in Birnbaum importance measure and (d) corresponding change in $P_{goal}$, for the BGP ACT due to implementation of countermeasures. Panels (a) and (c) plot the importance of attack events A12, A1 and A2; panels (b) and (d) plot $P_{goal}$; each is shown for the successive introduction of CM1, CM12 and CM2.

Security investment cost for ACT is computed by summing the security investment cost of the countermeasures present in the ACT. Also using ACT, the set of feasible attack scenarios can be built subject to the attacker's resource constraint (e.g., attack cost). This is called 'capability based pruning' of AT in the SecurITree [30] AT analysis tool. If the total attack cost is provided as the attacker's resource constraint, a subset of mincuts (or a subset of attack scenarios) can be determined which the attacker can successfully exploit subject to his resource (cost) constraint.

Impact Computation. Instead of pursuing a scaled approach for impact computation (for instance, normalized on a scale from 1-10 in [22]), in ACT we use the exact value of impact [31] associated with every attack event. Even though countermeasures do not affect the impact value directly, countermeasures do result in reducing risk, which is the expected value of impact. Impact computation for different gates in ACT with no repeated events is summarized in Table II. If repeated events are present in the ACT, we follow a procedure similar to that used in cost computation. We first find the mincuts of the ACT. The impact of a mincut is the sum of the impact values of the attack events in the mincut. The impact of the mincut with the highest impact value is selected to be the impact of the ACT. For instance, in case of the ACT in Figure 5, since the mincuts are {(A1, A2), A3}, $I_{goal} = \max\{i_{A_1} + i_{A_2}, i_{A_3}\}$. In case of an OR gate, we again assume the worst case scenario in calculating $I_{goal}$ at the output, meaning that out of the different input events of an OR gate, we choose the maximum value of impact to be propagated. We do so because an attacker's capabilities and preferences cannot be known in advance and the security analyst has to be prepared for the worst possible consequence (i.e., the maximum impact attack). For the same reason, we select the maximum impact mincut while computing $I_{goal}$ of an ACT with repeat events.

Figure 7. ACT for SCADA system (legend: attack event, mitigation event). Node labels in the figure: SCADA compromised; Incorrect monitoring; Unavailable network (LAN) (ULAN); Unavailable network (UWAN); Problematic Control; Database (DB); Workstation (WS); Incomplete sensors; Wrong state estimation (WSE); Control servers; Controlling agents; Power loads not provided; Incorrect estimates to customers; sensors S1, S2, S3; HMI; switch; G1, G2, G3 combined through a 2/3 gate. Mitigation events: restart (three instances) and SCOPF. Gates: AND, OR and 2/3.

Birnbaum Importance Measure. When probabilities of attack/defense are known for ACT nodes, the Birnbaum importance measure [32] (also termed 'reliability importance measure' for fault trees) is used to prioritize defense mechanisms to counteract attack events. The Birnbaum importance measure of an attack event represents the change in the probability of attack at the goal caused by a small change in the probability of attack of the ACT node at $A_k$. The Birnbaum importance measure of an attack event $A_k$ is defined as:

$$I^{B}_{A_k} = \frac{\partial P_{goal}}{\partial p_{A_k}} \quad (11)$$

SHARPE can be used to compute $I^{B}_{A_k}$.

Risk Computation. In the context of ACT, risk can refer to two distinct measures, namely (i) risk to the attacker [33] and (ii) risk to the system [34]. The attacker's risk of an atomic attack refers to the probability of detection of the atomic attack [33]. The AttackTree+ AT analysis tool [35] refers to this type of risk as the 'accepted risk' of the attacker. Since we deal with the probability of detection of atomic attacks in the $P_{goal}$ computation in Section 3.2, in this subsection we discuss risk to the system. Risk to a system refers to the system's risk to a particular attack scenario. In this context, two measures need to be taken into consideration. One is the amount of damage that an attack scenario can render to the system ($I_{goal}$) and the other is the probability of attack success ($P_{goal}$). Combining the two, risk to the system can be defined as the expected value of the impact. The expression for system risk for ACTs is:

$$Risk_{sys} = P_{goal} \times I_{goal} \quad (12)$$

Figure 8. ACT for Malicious Insider Attack (MI ACT). Goal G: Malicious Insider attack success, with subtrees A1: Alteration, A2: Distribution, A3: Snooping and A4: Elevation. A1 comprises A11: Unauthorized alteration of registry and A12: Launch virus, the latter guarded by D12: Detect virus attack (anti-virus) and M12: Launch mitigation (anti-virus). A2 leads to A21: File Sharing, comprising A211: Email (A2111: Local Account, A2112: Web-based account), A212: Electronic Drop Box (A2121: FTP to File Server, A2122: Internet, itself A21221: Post to News Group and A21222: Post to Website), A213: Online Chat and A214: Copy to Media (A2141: Floppy Disk, A2142: CD-ROM, A2143: USB Drive). A3 is an AND of A31: Misuse and A32: Violation of organization policy. A4 leads to A41: Acquire admin privilege, comprising A411: Poor Configuration, A412: Steal Password (A4121: Sniff Network, A4122: Root Telnet) and A413: Sendmail Exploit, with A412 guarded by D412: Track number of tries at password and M412: Request admin pin. Legend: attack event, detection event, mitigation event.

In an ACT without any countermeasures, application of $CM_i$ causes the output probability of the ACT node containing attack event $A_k$ (the point of application of $CM_i$) to decrease by $\triangle p_{A_k}^{CM_i}$ (for instance, incorporation of $CM_i$ may cause the ACT node in Figure 2(a) to become the ACT node in Figure 2(d)). In ACT, the decrease in risk ($\triangle Risk_{CM_i}$) for countermeasure $CM_i$ can be given by:

$$\triangle Risk_{CM_i} = Risk_{without\ CM_i} - Risk_{with\ CM_i} = I_{goal} \times \left(P_{goal_{without\ CM_i}} - P_{goal_{with\ CM_i}}\right) \quad (13)$$

where $P_{goal_{with\ CM_i}}$ is $P_{goal}$ of the ACT with countermeasure $CM_i$ and $P_{goal_{without\ CM_i}}$ is $P_{goal}$ of the ACT without countermeasure $CM_i$. Similarly, for an ACT with incorporated countermeasure set $S_{CM}$, the decrease in risk ($\triangle Risk_{S_{CM}}$) for countermeasure set $S_{CM}$ can be given by:

$$\triangle Risk_{S_{CM}} = Risk_{without\ S_{CM}} - Risk_{with\ S_{CM}} = I_{goal} \times \left(P_{goal_{without\ S_{CM}}} - P_{goal_{with\ S_{CM}}}\right) \quad (14)$$

ROA and ROI Computation. Two metrics from the field of economics have been adapted to the security scenario in order to quantify the nature of the competition between the attacker and the defender. Return on Attack (ROA) [8, 9] is an index that is aimed at measuring the benefit to the attacker from a particular attack. Unlike attack cost, ROA changes with the application of specific countermeasures. ROA [4] is defined by:

$$ROA = \frac{Risk_{sys}}{C_{attacker}} = \frac{I_{goal} \times P_{goal}}{C_{attacker}} \quad (15)$$

Next we discuss a quantification of Return on Investment (ROI) [6]. The basic definition of $ROI_{CM_i}$ is the profit obtained by the implementation of $CM_i$ (thereby signifying the efficacy of that countermeasure). ROI for countermeasure $CM_i$ is a function of the impact of attack of the ACT, the decrease in the probability of attack at the ACT goal ($\triangle P_{goal_{CM_i}}$) due to $CM_i$ and the security investment cost for $CM_i$ ($c_{CM_i}$). Adapting Sonnenreich's definition of Return on Investment [6] to the context of ACT, we have:

$$ROI_{CM_i} = \frac{\text{profit from } CM_i - \text{cost of implementing } CM_i}{\text{cost of implementing } CM_i} \quad (16)$$

$$ROI_{CM_i} = \frac{I_{goal} \times \triangle P_{goal_{CM_i}} - c_{CM_i}}{c_{CM_i}} \quad (17)$$

Note that $ROI_{CM_i} \geq -1$, since the profit term $I_{goal} \times \triangle P_{goal_{CM_i}}$ is never negative.


4. IMPLEMENTATION

We use SHARPE [13] for the evaluation of ACT. We have implemented a module for automatic description and evaluation of ACTs in SHARPE. For the computation of the probability of attack, the mincuts, and the structural and Birnbaum importance measures of an ACT, we simply use the already existing algorithms for solving fault trees in SHARPE. We have added the relevant algorithms (described in Section 3.3.2) for computing cost, impact and risk in ACTs. ROA and ROI computation is done by defining functions in the SHARPE input file.

5. EXAMPLES

For the analysis of ACT, we use the BGP ACT [14] of Figure 4, the SCADA ACT [10] of Figure 7 and the ACT for malicious insider attack (MI ACT) of Figure 8 as case studies. Two significant characteristics of the SCADA ACT are: (i) it contains only attack and mitigation events and (ii) not all mincuts are covered by the mitigation techniques provided. The basic structure of the ACT for malicious insider attack (MI ACT) was proposed in [16]. We built on this structure by adding lower level subtrees from other sources (for instance, in MI ACT the subtree for attack by 'elevation' of malicious user (node A4 in Figure 8) is obtained from [36]). MI ACT has attack, detection and mitigation events. However, in MI ACT as well, not all the mincuts are covered by the countermeasures provided.
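The mincut coverage check that the paragraph applies to the SCADA ACT and the MI ACT, written out as an added example (this is not the paper's SHARPE module or any code from the authors): it enumerates the mincuts of an AND/OR tree, marks each one as covered or uncovered by the countermeasures in place, and picks the cheapest uncovered scenario for the defender's attention. The tree is a constructed fragment that follows Figure 8 loosely; node names and attack costs are taken from the MI ACT rows of Table III. Treating a scenario's cost as the sum of its leaf costs is an assumption, since the paper's cost propagation rules (its Section 3.3.2) are not reproduced on this page.

```python
"""Added example (not from the paper): enumerate the mincuts of an AND/OR
attack countermeasure tree and check which of them are countered by the
countermeasures in place."""
from itertools import product

# Constructed tree as nested tuples: a leaf is its name, a gate is
# (name, op, children). Layout follows Figure 8 loosely.
MI_DEMO = ("goal", "OR", [
    ("A41", "OR", ["A411",
                   ("A412", "OR", ["A4121", "A4122"]),
                   "A413"]),
    ("A1", "AND", ["A11", "A12"]),
])
# Countermeasure -> node it is attached to. CM412 (D412/M412) sits at the
# intermediate node A412, CM12 (D12/M12) at the leaf A12, as in Figure 8.
COUNTERMEASURES = {"CM412": "A412", "CM12": "A12"}
# Attack cost per leaf in $ (Table III, MI ACT rows).
ATTACK_COST = {"A411": 100, "A4121": 30, "A4122": 40, "A413": 170,
               "A11": 50, "A12": 60}


def mincuts(node):
    """Minimal sets of leaf events that make `node` true.
    OR: union of the children's cut sets; AND: one cut from each child,
    merged. Non-minimal cuts (supersets of another cut) are dropped, which
    also handles a leaf that appears under more than one gate."""
    if isinstance(node, str):
        return [frozenset([node])]
    _, op, children = node
    child_cuts = [mincuts(c) for c in children]
    if op == "OR":
        cuts = {c for cs in child_cuts for c in cs}
    elif op == "AND":
        cuts = {frozenset().union(*combo) for combo in product(*child_cuts)}
    else:
        raise ValueError(f"unknown gate {op!r}")
    return sorted((c for c in cuts if not any(o < c for o in cuts)),
                  key=sorted)


def leaves_under(node, target):
    """Leaf events in the subtree rooted at the node named `target`."""
    def leaves(n):
        return {n} if isinstance(n, str) else {x for c in n[2] for x in leaves(c)}
    if isinstance(node, str):
        return {node} if node == target else set()
    if node[0] == target:
        return leaves(node)
    return set().union(*(leaves_under(c, target) for c in node[2]))


def coverage(tree, cms):
    """Map each mincut to the countermeasures standing on its path to the
    goal. In a tree every path from a leaf to the root passes through each
    of its ancestors, so a CM at node X counters every cut that uses a leaf
    below X."""
    scope = {cm: leaves_under(tree, node) for cm, node in cms.items()}
    return {cut: sorted(cm for cm, ls in scope.items() if cut & ls)
            for cut in mincuts(tree)}


def uncovered(tree, cms):
    """Mincuts no countermeasure in `cms` can stop."""
    return [cut for cut, cm in coverage(tree, cms).items() if not cm]


def cheapest_uncovered(tree, cms, cost):
    """Cheapest attack scenario the defender has no countermeasure for.
    Scenario cost is assumed here to be the sum of its leaf attack costs."""
    cuts = uncovered(tree, cms)
    return min(cuts, key=lambda c: sum(cost[x] for x in c)) if cuts else None


if __name__ == "__main__":
    for cut, cms in coverage(MI_DEMO, COUNTERMEASURES).items():
        print(sorted(cut), "->", cms or "UNCOVERED")
    print("cheapest uncovered scenario:",
          sorted(cheapest_uncovered(MI_DEMO, COUNTERMEASURES, ATTACK_COST)))
```

On this fragment the two single-event scenarios A411 (poor configuration) and A413 (Sendmail exploit) have no countermeasure on their path, which is the situation the text describes for the SCADA ACT and the MI ACT; listing them is the qualitative complement to the probabilistic measures that follow.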

Figure 6(a) shows the variation in the structural importance measure and Figure 6(c) shows the variation in the Birnbaum importance measure of attack event A_i in BGP ACT due to implementation of countermeasure CM_i. From Figure 6(c) and Figure 6(d), observe that the maximum decrease in P_goal is caused by the implementation of the countermeasure associated with the attack event with the highest value of I^B_{A_k}. For instance, in BGP ACT with no defense (or the BGP AT), attack event A_1 ('Send RESET message') has the highest value of I^B_{A_k}, leading to the implementation of CM_1 ('Traceroute') first. The corresponding decrease in P_goal (shown in Figure 6(c)) is the maximum for all the countermeasures present. Therefore, implementation of countermeasures (CM_i) for attack events (A_i) with higher values of I^B_{A_k} should be prioritized. Similarly, we can observe from Figure 6(a) and Figure 6(b) that implementation of countermeasures for attack events with higher I^ST_{A_k} should be prioritized.
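A worked evaluation of Equations (12) to (17) together with the Birnbaum-importance prioritization just described, as an added example (this is not the paper's SHARPE implementation or any code from the authors). The tree is constructed; node names, attack probabilities and countermeasure success probabilities are borrowed from the MI ACT rows of Tables III and IV, and I_goal = 300,000 $ and C_attacker = 100 $ are assumed inputs rather than values propagated from the leaves. The node formula P_goal = P_UD + P_DUM, with P_UD = p(1 − p_D) for an undetected attack and P_DUM = p·p_D·(1 − p_M) for a detected but unmitigated one, is the ACT formula from the paper's Section 3 and is recalled here as an assumption because that section is not on this page. The example also generalizes the text's case by letting a countermeasure sit at an intermediate node (A412), which the ACT construct allows.

```python
"""Added example (not the paper's code): evaluate a small ACT and compute
Risk_sys (12), the risk decrease of a countermeasure (13)/(14), ROA (15),
ROI (17) and Birnbaum importance for prioritising countermeasures."""
import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """ACT node: a leaf attack event (op=None) or an AND/OR gate.
    cm = (countermeasure name, p_D, p_M); a None probability means that
    detection or mitigation event is absent and is treated as perfect."""
    name: str
    p: float = 0.0
    op: Optional[str] = None
    children: list = field(default_factory=list)
    cm: Optional[tuple] = None


def p_goal(node, enabled=frozenset(), override=None):
    """Probability that the attack at `node` succeeds.
    `enabled` names the countermeasures switched on; `override` pins the
    attack probability of named nodes (used for importance measures).
    Leaf events are assumed independent and unshared, so AND/OR gates
    reduce to products (exact for a tree)."""
    override = override or {}
    if node.name in override:
        p = override[node.name]
    elif node.op is None:
        p = node.p
    else:
        ps = [p_goal(c, enabled, override) for c in node.children]
        if node.op == "AND":
            p = math.prod(ps)
        elif node.op == "OR":
            p = 1.0 - math.prod(1.0 - q for q in ps)
        else:
            raise ValueError(f"unknown gate {node.op!r}")
    if node.cm and node.cm[0] in enabled:
        # Assumed ACT formula (paper, Sect. 3): P_goal = P_UD + P_DUM, i.e.
        # undetected p(1-p_D) plus detected-but-unmitigated p p_D (1-p_M).
        _, p_d, p_m = node.cm
        p_d = 1.0 if p_d is None else p_d
        p_m = 1.0 if p_m is None else p_m
        p = p * (1.0 - p_d) + p * p_d * (1.0 - p_m)
    return p


def risk(tree, i_goal, enabled=frozenset()):
    return p_goal(tree, enabled) * i_goal                       # eq. (12)


def delta_risk(tree, i_goal, cm_set):
    """Risk decrease from a countermeasure set S_CM, eq. (13)/(14)."""
    return risk(tree, i_goal) - risk(tree, i_goal, frozenset(cm_set))


def roa(tree, i_goal, c_attacker, enabled=frozenset()):
    return risk(tree, i_goal, enabled) / c_attacker              # eq. (15)


def roi(tree, i_goal, cm, c_cm):
    """Return on investment for one countermeasure, eq. (17); never < -1."""
    delta_p = p_goal(tree) - p_goal(tree, frozenset({cm}))
    return (i_goal * delta_p - c_cm) / c_cm


def birnbaum(tree, name, enabled=frozenset()):
    """Birnbaum importance I^B = dP_goal/dp = P_goal(p=1) - P_goal(p=0)."""
    return (p_goal(tree, enabled, {name: 1.0})
            - p_goal(tree, enabled, {name: 0.0}))


def rank_by_birnbaum(tree, names):
    """Attack events whose countermeasure to implement first: highest I^B first."""
    return sorted(names, key=lambda n: birnbaum(tree, n), reverse=True)


# Constructed demo tree. Attack probabilities from Table III (MI ACT rows),
# countermeasure success probabilities from Table IV; the gate layout and
# the countermeasure at the intermediate node A412 follow Figure 8 loosely.
A412 = Node("A412", op="OR", cm=("CM412", 0.8, 0.5),
            children=[Node("A4121", 0.3), Node("A4122", 0.2)])
A41 = Node("A41", op="OR",
           children=[Node("A411", 0.15), A412, Node("A413", 0.5)])
A1 = Node("A1", op="AND",
          children=[Node("A11", 0.08), Node("A12", 0.1, cm=("CM12", 0.5, 0.6))])
MI_DEMO = Node("goal", op="OR", children=[A41, A1])
I_GOAL = 300_000.0       # assumed impact of the top event, in $
C_ATTACKER = 100.0       # assumed attacker cost, in $
CM_COST = {"CM412": 10 + 20, "CM12": 10 + 30}   # D + M investment, Table IV

if __name__ == "__main__":
    print(f"P_goal without countermeasures = {p_goal(MI_DEMO):.6f}")
    for cm, c in CM_COST.items():
        print(f"{cm}: P_goal={p_goal(MI_DEMO, frozenset({cm})):.6f} "
              f"dRisk=${delta_risk(MI_DEMO, I_GOAL, {cm}):,.2f} "
              f"ROI={roi(MI_DEMO, I_GOAL, cm, c):.3f}")
    print("ROA without countermeasures =", roa(MI_DEMO, I_GOAL, C_ATTACKER))
    print("Birnbaum ranking =", rank_by_birnbaum(MI_DEMO, ["A412", "A12"]))
```

The run reproduces the prioritization argument of the text on this small tree: A412 has the larger Birnbaum importance, and CM412 at that node yields the larger ΔRisk and ROI, while a countermeasure that changes nothing (ΔP_goal = 0) lands exactly at ROI = −1, the lower bound noted after Equation (17).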

The values of the input parameters for the attack nodes of all three ACTs are in Table III and the values of the input parameters for the countermeasure nodes of all three ACTs are in Table IV.

Table III. Parameter values for attack nodes in ACT

Node                Probability of attack   Attack cost (in $)   Attack impact (in 10^3 $)
A111 (BGP)          0.08                    50                   200
A1121 (BGP)         0.1                     60                   130
A1122 (BGP)         0.15                    70                   100
A1123 (BGP)         0.2                     100                  300
A12 (BGP)           0.1                     150                  250
A2 (BGP)            0.4                     190                  275
AS1 (SCADA)         0.1                     100                  300
AS2 (SCADA)         0.1                     110                  150
AS3 (SCADA)         0.1                     90                   225
AWSE (SCADA)        0.25                    250                  250
AULAN (SCADA)       0.3                     275                  275
AHMI (SCADA)        0.2                     100                  100
ASCOPF (SCADA)      0.15                    120                  120
AG1 (SCADA)         0.15                    100                  300
AG2 (SCADA)         0.3                     30                   200
AG3 (SCADA)         0.2                     40                   150
ADB (SCADA)         0.5                     170                  50
AUWAN (SCADA)       0.35                    160                  100
AWS (SCADA)         0.4                     150                  150
A11 (MI ACT)        0.08                    50                   200
A12 (MI ACT)        0.1                     60                   130
A2111 (MI ACT)      0.15                    70                   100
A2112 (MI ACT)      0.2                     100                  300
A2121 (MI ACT)      0.1                     150                  250
A21221 (MI ACT)     0.4                     190                  275
A21222 (MI ACT)     0.1                     100                  300
A213 (MI ACT)       0.1                     110                  150
A2141 (MI ACT)      0.1                     90                   225
A2142 (MI ACT)      0.25                    250                  250
A2143 (MI ACT)      0.3                     275                  275
A31 (MI ACT)        0.2                     100                  100
A32 (MI ACT)        0.15                    120                  120
A411 (MI ACT)       0.15                    100                  300
A4121 (MI ACT)      0.3                     30                   200
A4122 (MI ACT)      0.2                     40                   150
A413 (MI ACT)       0.5                     170                  50

Figure 9(a) shows P_goal for BGP ACT (with and without countermeasures), Figure 9(b) shows P_goal for SCADA ACT (with and without countermeasures) and Figure 9(c) shows P_goal for MI ACT (with and without countermeasures) with the probability of attack value of all the leaf nodes in the ACT varying together in the range [0,1]. From Figure 9(a) we find that the P_goal value for BGP ACT decreases with the incorporation of detection mechanisms (P_goal = P_UD). With only detection mechanisms in the ACT, mitigations are assumed to be perfect, i.e., they work with probability one. Therefore, with the incorporation of (imperfect) mitigations in BGP ACT, P_goal increases (P_goal = P_UD + P_DUM). SCADA ACT has only attack and mitigation events. Here detections are assumed to be perfect, i.e., P_goal = P_UD + P_DUM with all p_{D_i} = 1.


[Figure 9: three plots of the probability of attack at the goal against the probability of attack at the leaf nodes, both on [0,1]. (a) BGP ACT; legend: Pgoal without D or M, Pgoal with D, Pgoal with D & M. (b) SCADA ACT; legend: Pgoal_SCADA_ACT_without_M, Pgoal_SCADA_ACT_with_M. (c) MI ACT; legend: Pgoal without D or M, Pgoal with D, Pgoal with D & M.]

Figure 9. Pgoal vs. probability of attack values of all the leaf nodes of (a) BGP ACT, (b) SCADA ACT and (c) MI ACT

Table IV. Parameter values for countermeasure nodes in ACT

Node                    Prob. of countermeasure success   Security investment cost (in $)
D1 (BGP)                0.5                               10
M1 (BGP)                0.6                               30
D12 (BGP)               0.8                               10
M12 (BGP)               0.5                               20
D2 (BGP)                0.7                               15
M2 (BGP)                0.5                               35
Mswitch (SCADA)         0.25                              15
MrestartG1 (SCADA)      0.4                               25
MrestartG2 (SCADA)      0.5                               20
MrestartG3 (SCADA)      0.6                               30
D12 (MI ACT)            0.5                               10
M12 (MI ACT)            0.6                               30
D412 (MI ACT)           0.8                               10
M412 (MI ACT)           0.5                               20

From Figure 9(b), we find that P_goal decreases with the incorporation of mitigations in SCADA ACT. Similarly, from Figure 9(c) we find that the P_goal value for MI ACT decreases with the incorporation of detection mechanisms and then increases with the incorporation of (imperfect) mitigations.

Figure 10(a) shows system risk (Risk_sys) for the BGP ACT (with and without countermeasures) with the probability of attack at leaf node A1123 (p_{A1123}) varying in the range [0,1] and the impact value of leaf node A1123 (i_{A1123}) varying uniformly in the range 0–3×10^5 $. Observe that Risk_sys decreases with the incorporation of detection mechanisms (assuming perfect mitigations) and then increases with the incorporation of mitigations in the ACT. Figure 10(b) shows Risk_sys for the SCADA ACT (with and without countermeasures) with the probability of attack at leaf nodes p_{S1} and p_{G1} varying together in the range [0,1] and the impact values of the leaf nodes I_{S1} and I_{G1} varying together in the range 0–3×10^5 $. Observe from the surfaces that Risk_sys decreases with the incorporation of countermeasures (mitigations) in SCADA ACT. Figure 10(c) shows system risk (Risk_sys) for the MI ACT (with and without countermeasures) with the probability of attack at leaf node A31 (p_{A31}) varying in the range [0,1] and the impact value of leaf node A31 (i_{A31}) varying uniformly in the range 0–3×10^5 $. From the surfaces, observe that for BGP, SCADA and MI ACT, Risk_sys increases with the probability of attack value at the leaf node. It is also directly proportional to the I_goal value of the corresponding ACT.

Risk_sys of different components in a system can also be compared using its ACT. Figure 11(a) shows Risk_sys for SCADA ACT against probability of attack values (ranging uniformly from 0 to 1) and impact values of the generator nodes G1, G2 and G3 (ranging uniformly from 0 to 2×10^5 $), whereas Figure 11(b) shows Risk_sys for SCADA ACT against probability of attack values (ranging uniformly from 0 to 1) and impact values of the sensor nodes S1, S2 and S3 (ranging uniformly from 0 to 2×10^5 $). From the surfaces, observe that sensors are higher risk components than the generators.

Figure 12(a) shows ROA for the BGP ACT (with and without countermeasures) with the attack cost of leaf node A1123 varying uniformly in the range 0–200 $ and the attack impact value of leaf node A1123 varying uniformly in the range 0–3×10^5 $. As in the case of Risk_sys, ROA of BGP ACT decreases with the incorporation of detection mechanisms and then increases with the incorporation of mitigation techniques (imperfect mitigations) in the ACT. Figure 12(b) shows ROA for the SCADA ACT (with and without countermeasures) with the attack cost of the leaf nodes S1 and G1 varying together in the range 0–200 $ and the impact values of the leaf nodes S1 and G1 varying together in the range 0–3×10^5 $. ROA for SCADA ACT decreases with the incorporation of countermeasures. Figure 12(c) shows ROA for the MI ACT (with and without countermeasures) with the attack cost of leaf node A31 varying uniformly in the range 0–200 $ and the attack impact value of leaf node A31 varying uniformly in the range 0–3×10^5 $. From the surfaces we see that for BGP, SCADA and MI ACT, the ROA value is directly proportional to the I_goal value and inversely proportional to the C_attacker value of the corresponding ACT.

[Figure 10: three surfaces of risk to the system (Risk_sys, in 10^3 $). (a) BGP ACT against the probability of attack of leaf node A1123 and the impact value of leaf node A1123 in dollars; legend: Risk without D or M, Risk with D, Risk with D & M. (b) SCADA ACT against the probability of attack and the impact values of leaf nodes S1 and G1; legend: Risk without CM, Risk with CM. (c) MI ACT against the probability of attack of leaf node A31 and the impact value of leaf node A31 in dollars; legend: Risk without D or M, Risk with D, Risk with D & M.]

Figure 10. Risk to system (Risk_sys) (a) for BGP ACT against p_{A1123} (x axis) and i_{A1123} (y axis), (b) for SCADA ACT with both p_{S1} and p_{G1} being varied (x axis) and both I_{S1} and I_{G1} being varied (y axis) and (c) for MI ACT against p_{A31} (x axis) and i_{A31} (y axis)

[Figure 11: two Risk_sys surfaces for SCADA ACT. (a) against the probability of attack values and the impact values (in 10^5 $) for the generators (G1, G2, G3); (b) against the probability of attack values and the impact values (in 10^5 $) for the sensors (S1, S2, S3).]

Figure 11. Risk_sys in SCADA ACT (a) against the probability of attack values (x axis) and attack impact values (y axis) for the generators (G1, G2, G3), (b) against the probability of attack values (x axis) and attack impact values (y axis) for the sensors (S1, S2, S3)

Figure 13(a) shows P_goal for BGP ACT, Figure 13(b) shows the P_goal value for SCADA ACT and Figure 13(c) shows P_goal for MI ACT with the probability that a countermeasure works (p_{CM_i}) for all the countermeasures in the ACT varying together in the range [0,1]. For BGP, SCADA and MI ACT, it can be seen that P_goal decreases with increasing p_{CM_i}. Moreover, CM_1 and CM_12 have the same effect on P_goal of BGP ACT and their plots overlap.


[Figure 12: three Return on Attack (ROA) surfaces. (a) BGP ACT against the attack cost (in dollars) and the impact value (in 10^3 dollars) of leaf node A1123; legend: ROA without D & M, ROA with D, ROA with D & M. (b) SCADA ACT against the attack cost (in dollars) and the impact value (in 10^3 dollars) of leaf nodes S1 and G1; legend: ROA without CM, ROA with CM. (c) MI ACT against the attack cost (in dollars) and the impact value (in 10^3 dollars) of leaf node A31; legend: ROA without D or M, ROA with D, ROA with D & M.]

Figure 12. ROA against (a) varying attack impact value i_{A1123} (x axis) and attack cost value C_{A1123} (y axis) of the leaf node A1123 in BGP ACT, (b) varying attack impact value I_{S1}, I_{G1} (x axis) and attack cost value C_{S1}, C_{G1} (y axis) of leaf nodes S1 and G1 of SCADA ACT and (c) varying attack impact value i_{A31} (x axis) and attack cost value c_{A31} (y axis) of the leaf node A31 in MI ACT

[Figure 13: three plots of the probability of attack at the goal against the probability that the countermeasure works, on [0,1]. (a) BGP ACT (y range about 0.05 to 0.45); legend: Pgoal_BGP_ACT_with_CM_{1} only, Pgoal_BGP_ACT_with_CM_{12} only, Pgoal_BGP_ACT_with_CM_{2} only. (b) SCADA ACT (y range about 0.908 to 0.9115); legend: Pgoal_SCADA_ACT_with_CM_{switchHMI}, Pgoal_SCADA_ACT_with_CM_{restartG3}. (c) MI ACT (y range about 0.69 to 0.75); legend: Pgoal with only D_{12} and M_{12}, Pgoal with only D_{412} and M_{412}.]

Figure 13. Pgoal against the probability that a countermeasure succeeds for (a) BGP ACT, (b) SCADA ACT and (c) MI ACT

Figure 14(a) shows ROI for each countermeasure in BGP ACT, Figure 14(b) shows ROI for the countermeasures (switch HMI) and (restart G3) for SCADA ACT and Figure 14(c) shows ROI for each countermeasure in MI ACT, with the security investment cost of the countermeasure (c_{CM_i}) varying uniformly in the range 0–100 $ and the corresponding p_{CM_i} varying uniformly in the range [0,1]. For all countermeasures, we observe that ROI = −1 for p_{CM_i} = 0. From Figure 14(a), it can be seen that ROI from CM_2 exceeds that from CM_1 or CM_12. This allows the security analyst to prioritize the implementation of CM_2 in BGP ACT. For SCADA ACT, ROI of (restart G3) exceeds ROI of (switch HMI). Similarly, for MI ACT, ROI of CM_412 exceeds ROI of CM_12.

[Figure 14: Return on Investment (ROI_{CM_i}) surfaces against the security investment cost of a countermeasure (CM_i) in dollars (0 to 100) and the probability that the countermeasure works (p_{CM_i}, 0 to 1). (a) BGP ACT (z range about −5 to 25); legend: ROI_{CM_1}, ROI_{CM_{12}}, ROI_{CM_2}. (b) SCADA ACT (z range about −2 to 5); legend: ROI(switchHMI), ROI(restartG3). (c) MI ACT (z range about 0 to 3); legend as printed: ROI of CM_{12}, ROA of CM_{412}.]

Figure 14. ROI for each countermeasure (a) against c_{CM_i} (x axis) and p_{CM_i} (y axis) for BGP ACT, (b) against c_{CM_i} (x axis) and p_{CM_i} (y axis) for SCADA ACT and (c) against c_{CM_i} (x axis) and p_{CM_i} (y axis) for MI ACT

6. CONCLUSIONS

In this paper, we have presented attack countermeasure trees (ACT), a non-state-space model that allows us to perform qualitative and probabilistic analysis of the security of a system. We take into account attacks as well as countermeasures (in the form of detection mechanisms and mitigation techniques). Detections and mitigations can be placed not just at the leaf node but also at any intermediate node. Events in ACT can be prioritized with the help of structural and Birnbaum importance measures. The effects of incorporating countermeasures in the ACT are demonstrated using three case studies (ACT for BGP attack, ACT for SCADA attack and ACT for malicious insider attack). In future work, we will explore the use of ACT for fast and efficient computation of optimal defense strategies for large systems using single- and multi-objective optimization given certain security constraints (e.g., security investment cost, ROI) on a non-state-space ACT model while continuing to avoid the state-space explosion problem.

ACKNOWLEDGEMENTS

The authors would like to thank Dr. Dong Seong Kim for his insightful review of the subject material. This research was supported by US National Science Foundation grant NSF-CNS-08-31325.

REFERENCES

1. Ortalo R, Deswarte Y, Kaaniche M. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans. on Software Engineering 1999; 25(5):633–650.

2. Schneier B. Secrets and Lies: Digital Security in a Networked World. John Wiley and Sons Inc., New York, NY, USA, 2000.

3. Trivedi KS, Kim DS, Roy A, Medhi D. Dependability and security models. Proc. DRCN, IEEE, 2009; 11–20.

4. Cremonini M, Martini P. Evaluating information security investments from attackers perspective: the Return-On-Attack (ROA). Proc. Fourth Workshop on the Economics of Information Security, 2005.

5. Kearney P, Brugger L. A risk-driven security analysis method and modelling language. BT Technology J. 2007; 25(1):141–153.

6. Sonnenreich W, Albanese J, Stout B. Return On Security Investment (ROSI): A Practical Quantitative Model. J. of Research and Practice in Information Technology 2006; 38(1):45–56.

7. Moore AP, Ellison RJ, Linger RC. Attack Modeling for Information Security and Survivability. CMU/SEI-2001-TN-001, 2001.

8. Bistarelli S, Aglio MD, Peretti P. Strategic Games on Defense Trees. LNCS 2007; 4691:1–15.

9. Bistarelli S, Peretti P, Trubitsyna I. Defense trees for economic evaluation of security investments. Proc. ARES, 2006; 8–15.

10. Zonouz SA, Khurana H, Sanders WH, Yardley TM. RRE: A Game-Theoretic Intrusion Response and Recovery Engine. Proc. DSN, 2009; 439–448.

11. Sondik E. The optimal control of partially observable Markov processes. PhD Thesis, Stanford Univ. Electronics Labs, 1971.

12. Sahner R, Trivedi KS, Puliafito A. Performance and reliability analysis of computer systems: an example-based approach using the SHARPE software package. Kluwer Academic, Norwell, Massachusetts, USA, 1999.

13. Trivedi KS, Sahner R. Sharpe at the age of twenty two. ACM SIGMETRICS Perf. Eval. Review 2009; 36(4):52–57.

14. Convery S, Cook D, Franz M. An Attack Tree for the Border Gateway Protocol. Cisco Internet draft, 2002.

15. Baker GH, Berg A. Supervisory Control and Data Acquisition (SCADA) Systems. The Critical Infrastructure Protection Report 1.6, 2002.

16. Butts J, Mills R, Baldwin R. Developing an insider threat model using functional decomposition. Computer Network Security 2005; LNCS(3685):412–417.

17. Weiss JD. A System Security Engineering Process. Proc. of the 14th National Computer Security Conf., 1991.

18. Amoroso EG. Fundamentals of Computer Security Technology. Prentice-Hall Inc., Upper Saddle River, NJ, USA, 1994.

19. Mauw S, Oostdijk M. Foundations of Attack Trees. LNCS 2006; 3935:186–198.

20. Daley K, Larson R, Dawkins J. A Structural Framework for Modeling Multi-stage Network Attacks. Proc. ICPPW, 2002; 1530–1536.

21. Fovino IN, Masera M, Cian AD. Integrating Cyber Attacks Within Fault Trees. Reliability Engineering & System Safety 2009; 94(9):1394–1402.

22. Edge KS. A Framework for Analyzing and Mitigating the Vulnerabilities of Complex Systems via Attack and Protection Trees. PhD Thesis, Air Force Institute of Technology, 2007.

23. Gan Z, Tang J, Wu P, Varadharajan V. A Novel Security Risk Evaluation for Information Systems. Proc. FCST, 2007; 67–73.

24. Kuhn R, Sriram K, Montgomery D. Border gateway protocol security: Recommendations of the national institute of standards and technology. NIST Special Publication 800-54, 2007.

25. Hu X, Mao ZM. Accurate real-time identification of IP prefix hijacking. Proc. IEEE S & P, 2007; 3–17.

26. Meng FC. Comparing the importance of system components by some structural characteristics. IEEE Trans. on Reliability 1996; 45(1):59–65.

27. Boland PJ, Proschan F, Tong YL. Optimal arrangement of components via pairwise rearrangements. Naval Research Logistics 1989; 36(6):807–815.

28. Fricks RM, Trivedi KS. Importance analysis with Markov chains. Proc. Reliability and Maintainability Symp., IEEE, 2003; 89–95.

29. Nicol DM, Sanders WH, Trivedi KS. Model-based evaluation: From dependability to security. IEEE Trans. on Dependable and Secure Computing 2004; 1(1):48–65.

30. Technologies A. Securitree. http://www.amenaza.com/software.php, 2002.

31. Olzak T. A Practical Approach to Threat Modeling. Technical Report, Erudio Security, LLC, 2006.

32. Birnbaum ZW. On The Importance of Different Components in a Multicomponent System. Multivariate Analysis - II, Krishnaiah PR (ed.), Academic Press, New York, NY, USA, 1969; 581–592.

33. Higuero MV, Unzilla JJ, Jacob E, Saiz P, Aguado M, Luengo D. Application of 'attack trees' in security analysis of digital contents e-commerce protocols with copyright protection. Proc. CCST, 2005; 57–60.

34. Lathrop S, Hill J, Surdu J. Modeling Network Attacks. Proc. 12th Conf. Behavior Representation in Modeling and Simulation, 2003; 401–407.

35. Software I. Attacktree+. http://www.isograph-software.com/atpover.htm, 2007.

36. Tidwell T, Larson R, Fitch K, Hale J. Modeling internet attacks. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, vol. 59, IEEE, 2001.