Quantitative Questions on Attack-Defense Trees

  title={Quantitative Questions on Attack-Defense Trees},
  author={Barbara Kordy and Sjouke Mauw and Patrick Schweitzer},
Attack---defense trees are a novel methodology for graphical security modeling and assessment. The methodology includes intuitive and formal components that can be used for quantitative analysis of attack---defense scenarios. In practice, we use intuitive questions to ask about aspects of scenarios we are interested in. Formally, a computational procedure, using a bottom-up algorithm, is applied to derive the corresponding numerical values. This paper bridges the gap between the intuitive and… 
Exploiting attack–defense trees to find an optimal set of countermeasures
A constructive way of extracting all reasonable behaviors of the two actors from such models is provided, which is exploited to formulate a generic solution, based on integer linear programing, to address a wide class of optimization problems.
Formal modeling and quantitative analysis of security using attack-defense trees
This thesis has developed the theoretical foundations and quantitative evaluation algorithms for the model where an attacker's action can contribute to several attacks and a countermeasure can prevent several threats.
Quantitative Security Risk Modeling and Analysis with RisQFLan
On Quantitative Analysis of Attack-Defense Trees with Repeated Labels
This work addresses conditions ensuring that the standard bottom-up evaluation method for quantifying attack–defense trees yields meaningful results in the presence of repeated labels, and devise an alternative approach for quantification of attacks.
Evil Twins: Handling Repetitions in Attack-Defense Trees - A Survival Guide
This paper defines the notion of well-formed attack–defense trees and adapt existing semantics to correctly capture the presence of repeated labels and provides formal guidelines on how to deal with attack– defense trees where several nodes have the same label.
Quantitative Verification and Synthesis of Attack-Defence Scenarios
A novel framework for the formal analysis of quantitative properties of complex attack-defence scenarios is proposed, using an extension of attack- defence trees which models temporal ordering of actions and allows explicit dependencies in the strategies adopted by attackers and defenders.
Attack-Tree Series: A Case for Dynamic Attack Tree Analysis
This paper introduces attack-tree series, a time-indexed set of attack trees, as a model to capture and visualize the evolution of security scenarios, and introduces the notion of a temperature function as a special type of attribute that expresses the importance of change in the data values.
Probabilistic reasoning with graphical security models


Computational Aspects of Attack-Defense Trees
This paper identifies semantics for which extending attack trees with defense nodes does not increase the computational complexity, which implies that, for these semantics, every query that can be solved efficiently on attack trees can also be solved efficient on attack---defense trees.
Foundations of Attack-Defense Trees
We introduce and give formal definitions of attack-defense trees. We argue that these trees are a simple, yet powerful tool to analyze complex security and privacy problems. Our formalization is
Attribute Decoration of Attack-Defense Trees
The case study led the authors to define concrete guidelines that can be used by software developers, security analysts, and system owners when performing similar assessments, to obtain condensed information, such as performance indicators or other key security figures.
Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees
A novel attack tree paradigm called attack countermeasure tree (ACT) is presented which avoids the generation and solution of a state-space model and takes into account attacks as well as countermeasures (in the form of detection and mitigation events).
Foundations of Attack Trees
A denotational semantics is provided, based on a mapping to attack suites, which abstracts from the internal structure of an attack tree, which is indispensable to precisely understand how attack trees can be manipulated during construction and analysis.
Beyond Attack Trees: Dynamic Security Modeling with Boolean Logic Driven Markov Processes (BDMP)
This work shows how this new BDMP approach can be seen as preferable to attack trees and Petri net-based methods, allowing efficient scenarios processing and time dependent quantifications.
Threat modeling using attack trees
This paper presents a practical, high-level guide to understand the concepts of threat modeling to students in an introductory level Security course or even a Managerial course and uses the concept of Attack Trees to this end.
Cyber security analysis using attack countermeasure trees
A novel attack tree named attack countermeasure trees (ACT) in which defense mechanisms can be applied at any node of the tree, not just at leaf node level and optimal countermeasures set can be selected from the pool of defense mechanisms without constructing a state-space model.
Strategic Games on Defense Trees
This paper uses defense trees, an extension of attack trees with countermeasures, to represent attack scenarios and game theory to detect the most promising actions attacker and defender, providing decision makers with a useful tool for performing better evaluation of IT security investments during the risk management process.
Rational Choice of Security Measures Via Multi-parameter Attack Trees
A simple risk-analysis based method for studying the security of institutions against rational (gain-oriented) attacks and uses elementary game theory to decide whether the system under protection is a realistic target for gain-oriented attackers.