survey

Beyond 2014: Formal Methods for Attack Tree--based Security Modeling

Authors:
Wojciech Wideł

Univ Rennes, INSA Rennes, CNRS, IRISA, Rennes Cedex, France

Univ Rennes, INSA Rennes, CNRS, IRISA, Rennes Cedex, France
View Profile

,
Maxime Audinot

Univ Rennes, CNRS, IRISA, Rennes Cedex, France

Univ Rennes, CNRS, IRISA, Rennes Cedex, France
View Profile

,
Barbara Fila

Univ Rennes, INSA Rennes, CNRS, IRISA, Rennes, France

Univ Rennes, INSA Rennes, CNRS, IRISA, Rennes, France

0000-0002-1824-7621
View Profile

,
Sophie Pinchinat

Univ Rennes, CNRS, IRISA, Rennes Cedex, France

Univ Rennes, CNRS, IRISA, Rennes Cedex, France
View Profile

Authors Info & Claims

ACM Computing Surveys Volume 52 Issue 4Article No.: 75pp 1–36https://doi.org/10.1145/3331524

Published:30 August 2019Publication History

ACM Computing Surveys

Abstract

Attack trees are a well established and commonly used framework for security modeling. They provide a readable and structured representation of possible attacks against a system to protect. Their hierarchical structure reveals common features of the attacks and enables quantitative evaluation of security, thus highlighting the most severe vulnerabilities to focus on while implementing countermeasures. Since in real-life studies attack trees have a large number of nodes, their manual creation is a tedious and error-prone process, and their analysis is a computationally challenging task. During the last half decade, the attack tree community witnessed a growing interest in employing formal methods to deal with the aforementioned difficulties. We survey recent advances in graphical security modeling with focus on the application of formal methods to the interpretation, (semi-)automated creation, and quantitative analysis of attack trees and their extensions. We provide a unified description of existing frameworks, compare their features, and outline interesting open questions.

References

2005. Uppaal Cora. Retrieved May 29, 2018, from: http://people.cs.aau.dk/adavid/cora/.Google Scholar
2014. ATSyRA. Retrieved May 29, 2018, from: https://gforge.inria.fr/plugins/mediawiki/wiki/building/index.php/.Google Scholar
2018. ATSyRA Studio. Retrieved November 16, 2018, from: http://atsyra2.irisa.fr/.Google Scholar
Rajeev Alur, Mikhail Bernadsky, and P. Madhusudan. 2004. Optimal reachability for weighted timed games. In Proceedings of the ICALP (LNCS), Vol. 3142. Springer, 122--133.Google Scholar
Rajeev Alur and David Dill. 1990. Automata for modeling real-time systems. In Proceedings of the ICALP (LNCS), Vol. 443. Springer, 322--335. Google ScholarDigital Library
Suzana Andova, Holger Hermanns, and Joost-Pieter Katoen. 2004. Discrete-time rewards model-checked. In Proceedings of the FORMATS (LNCS), Vol. 2791. Springer, 88--104.Google ScholarCross Ref
Florian Arnold, Axel Belinfante, Freark van der Berg, Dennis Guck, and Mariëlle Stoelinga. 2013. DFTCalc: A Tool for efficient fault tree analysis. In Proceedings of the SAFECOMP (LNCS), Vol. 8153. Springer, 293--301. Google ScholarDigital Library
Florian Arnold, Holger Hermanns, Reza Pulungan, and Mariëlle Stoelinga. 2014. Time-dependent analysis of attacks. In Proceedings of the POST (LNCS), Vol. 8414. Springer, 285--305.Google ScholarCross Ref
Zaruhi Aslanyan. 2016. Stochastic Model Checking of Socio-Technical Models. Ph.D. Dissertation. Technical University of Denmark, Denmark.Google Scholar
Zaruhi Aslanyan. 2016. TREsPASS toolbox: Attack Tree Evaluator. Retrieved May 29, 2018, from: https://vimeo.com/145070436.Google Scholar
Zaruhi Aslanyan and Flemming Nielson. 2015. Pareto efficient solutions of attack--defence trees. In Proceedings of the POST (LNCS), Vol. 9036. Springer, 95--114. Google ScholarDigital Library
Zaruhi Aslanyan and Flemming Nielson. 2017. Model checking exact cost for attack scenarios. In Proceedings of the POST (LNCS), Vol. 10204. Springer, 210--231. Google ScholarDigital Library
Zaruhi Aslanyan, Flemming Nielson, and David Parker. 2016. Quantitative verification and synthesis of attack--defence scenarios. In Proceedings of the CSF. IEEE Computer Society, 105--119.Google ScholarCross Ref
Maxime Audinot. 2018. Assisted Design and Analysis of Attack Trees. Ph.D. Dissertation. University Rennes 1, France.Google Scholar
Maxime Audinot, Sophie Pinchinat, and Barbara Kordy. 2017. Is my attack tree correct? In Proceedings of the ESORICS (LNCS), Vol. 10492. Springer, 83--102.Google ScholarCross Ref
Maxime Audinot, Sophie Pinchinat, and Barbara Kordy. 2018. Guided design of attack trees: A system-based approach. In Proceedings of the CSF. IEEE Computer Society, 61--75.Google ScholarCross Ref
Maxime Audinot, Sophie Pinchinat, François Schwarzentruber, and Florence Wacheux. 2018. Deciding the non-emptiness of attack trees. In Proceedings of the GraMSec 2018 (LNCS), Vol. 11086. Springer, 13--30.Google Scholar
Alessandra Bagnato, Barbara Kordy, Per Håkon Meland, and Patrick Schweitzer. 2012. Attribute decoration of attack--defense trees. Int. J. System of Syst. Eng. 3, 2 (2012), 1--35. Google ScholarDigital Library
Matteo Beccaro. 2018. Attack trees methodology and application in red teaming operations. In Proceedings of the D-HITBSecConf. Retrieved from: https://conference.hitb.org/hitbsecconf2018pek/materials/D1T1%20-%20Attac%k%20Trees%20-%20Methodology%20and%20Application%20in%20Red%20Teaming%20Operati%ons%20-%20Matteo%20Beccaro.pdf.Google Scholar
Gerd Behrmann, Alexandre David, and Kim Guldstrand Larsen. 2004. A Tutorial on Uppaal. LNCS, Vol. 3185. Springer, 200--236.Google ScholarCross Ref
Gerd Behrmann, Kim Guldstrand Larsen, and Jacob Illum Rasmussen. 2004. Priced timed automata: Algorithms and applications. In Proceedings of the FMCO (LNCS), Vol. 3657. Springer, 162--182. Google ScholarDigital Library
Gerd Behrmann, Kim Guldstrand Larsen, and Jacob Illum Rasmussen. 2005. Optimal scheduling using priced timed automata. SIGMETRICS Perform. Eval. Rev. 32, 4 (Mar. 2005), 34--40. Google ScholarDigital Library
Michel Berkelaar, Kjell Eikland, and Peter Notebaert. 2005. lp_solve: Open source (Mixed-Integer) Linear Programming system. Retrieved June 10, 2018, from: http://lpsolve.sourceforge.net/5.5/ Version 5.5.2.5, dated September 24, 2016.Google Scholar
Dimitris Bertsimas and John Tsitsiklis. 1997. Introduction to Linear Optimization. Athena Scientific. Google ScholarDigital Library
Stefano Bistarelli, Fabio Fioravanti, Pamela Peretti, and Francesco Santini. 2012. Evaluation of complex security scenarios using defense trees and economic indexes. J. Exp. Theor. Artif. Intell. 24, 2 (2012), 161--192.Google ScholarCross Ref
Henrik C. Bohnenkamp, Pedro R. D’Argenio, Holger Hermanns, and Joost-Pieter Katoen. 2006. MODEST: A Compositional modeling formalism for hard and softly timed systems. IEEE Trans. Softw. Eng. 32, 10 (2006), 812--830. Google ScholarDigital Library
Angèle Bossuat and Barbara Kordy. 2018. Evil twins: Handling repetitions in attack--defense trees—A survival guide. In Proceedings of the GraMSec 2017 (LNCS), Vol. 10744. Springer, 17--37.Google ScholarCross Ref
Patricia Bouyer and Vojtech Forejt. 2009. Reachability in stochastic timed games. In Proceedings of the ICALP (2) (LNCS), Vol. 5556. Springer, 103--114. Google ScholarDigital Library
Thomas Brihaye, Véronique Bruyère, and Jean-François Raskin. 2004. Model-checking for weighted timed automata. In Proceedings of the FORMATS/FTRTFT (LNCS), Vol. 3253. Springer, 277--292.Google ScholarCross Ref
Ahto Buldas, Aleksandr Lenin, Jan Willemson, and Anton Charnamord. 2017. Simple infeasibility certificates for attack trees. In Proceedings of the IWSEC (LNCS), Vol. 10418. Springer, 39--55.Google ScholarCross Ref
Taolue Chen, Vojtech Forejt, Marta Z. Kwiatkowska, David Parker, and Aistis Simaitis. 2013. Automatic verification of competitive stochastic systems. Form. Meth. Syst. Des. 43, 1 (2013), 61--92.Google ScholarCross Ref
Taolue Chen, Vojtech Forejt, Marta Z. Kwiatkowska, Aistis Simaitis, and Clemens Wiltsche. 2013. On stochastic games with multiple objectives. In Proceedings of the MFCS (LNCS), Vol. 8087. Springer, 266--277.Google ScholarCross Ref
Manuel Clavel, Francisco Durán, Steven Eker, Patrick Lincoln, Narciso Martí-Oliet, José Meseguer, and Carolyn Talcott. 2007. All About Maude—A High-performance Logical Framework: How to Specify, Program and Verify Systems in Rewriting Logic. Springer. Google ScholarDigital Library
Leonardo Mendonça de Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In TACAS (LNCS), Vol. 4963. Springer, 337--340. Google ScholarDigital Library
EAC Advisory Board and Standards Board. 2009. Election Operations Assessment—Threat Trees and Matrices and Threat Instance Risk Analyzer (TIRA). Retrieved June 13, 2018, from: https://www.eac.gov/assets/1/28/Election_Operations_Assessment_Threat_Trees_and_Matrices_and_Threat_Instance_Risk_Analyzer_(TIRA).pdf.Google Scholar
Barbara Fila and Wojciech Wideł. 2019. Attack--defense trees for abusing optical power meters: A case study and the OSEAD tool experience report. In Proceedings of the GraMSec (LNCS'19), Vol. 11720. Springer, (to appear). https://www.gramsec.uni.lu/presentations/gramsec19paper8.pdf.Google ScholarCross Ref
Marlon Fraile, Margaret Ford, Olga Gadyatskaya, Rajesh Kumar, Mariëlle Stoelinga, and Rolando Trujillo-Rasua. 2016. Using attack--defense trees to analyze threats and countermeasures in an ATM: A case study. In Proceedings of the PoEM (LNBIP), Vol. 267. Springer, 326--334.Google ScholarCross Ref
Olga Gadyatskaya. 2015. How to generate security cameras: Towards defence generation for socio-technical systems. In Proceedings of the GraMSec 2015 (LNCS), Vol. 9390. Springer, 50--65.Google Scholar
Olga Gadyatskaya, René Rydhof Hansen, Kim Guldstrand Larsen, Axel Legay, Mads Chr. Olesen, and Danny Bøgsted Poulsen. 2016. Modelling attack--defense trees using timed automata. In Proceedings of the FORMATS (LNCS), Vol. 9884. Springer, 35--50.Google Scholar
Olga Gadyatskaya, Carlo Harpes, Sjouke Mauw, Cédric Muller, and Steve Muller. 2016. Bridging two worlds: Reconciling practical risk assessment methodologies with theory of attack trees. In Proceedings of the GraMSec 2016 (LNCS), Vol. 9987. Springer, 80--93.Google Scholar
Olga Gadyatskaya, Ravi Jhawar, Piotr Kordy, Karim Lounis, Sjouke Mauw, and Rolando Trujillo-Rasua. 2016. Attack trees for practical security assessment: Ranking of attack scenarios with ADTool 2.0. In Proceedings of the QEST (LNCS), Vol. 9826. Springer, 159--162.Google ScholarCross Ref
Olga Gadyatskaya, Ravi Jhawar, Sjouke Mauw, Rolando Trujillo-Rasua, and Tim A. C. Willemse. 2017. Refinement-aware generation of attack trees. In Proceedings of the STM (LNCS), Vol. 10547. Springer, 164--179.Google Scholar
Jean-Yves Girard. 1987. Linear logic. Theor. Comput. Sci. 50 (1987), 1--102. Google ScholarDigital Library
Marco Gribaudo, Mauro Iacono, and Stefano Marrone. 2015. Exploiting Bayesian networks for the analysis of combined attack trees. Electr. Notes Theor. Comput. Sci. 310 (2015), 91--111. Google ScholarDigital Library
David F. Haasl, Norman H. Roberts, William E. Veselay, and Francine F. Goldberg. 1981. Fault Tree Handbook. Technical Report. Systems and Reliability Research, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Comission.Google Scholar
Ernst Moritz Hahn, Arnd Hartmanns, Holger Hermanns, and Joost-Pieter Katoen. 2013. A compositional modelling and analysis framework for stochastic hybrid systems. Form. Meth. Syst. Des. 43, 2 (2013), 191--232. Google ScholarDigital Library
René Rydhof Hansen, Peter Gjøl Jensen, Kim Guldstrand Larsen, Axel Legay, and Danny Bøgsted Poulsen. 2018. Quantitative evaluation of attack defense trees using stochastic timed automata. In Proceedings of the GraMSec 2017 (LNCS), Vol. 10744. Springer, 75--90.Google Scholar
Hans Hansson and Bengt Jonsson. 1994. A logic for reasoning about time and reliability. Form. Asp. Comput. 6, 5 (1994), 512--535.Google ScholarDigital Library
Arnd Hartmanns and Holger Hermanns. 2014. The modest toolset: An integrated environment for quantitative modelling and verification. In Proceedings of the TACAS (LNCS), Vol. 8413. Springer, 593--598.Google ScholarCross Ref
Thomas Henzinger, Zohar Manna, and Amir Pnueli. 1992. Timed transition systems. In Proceedings of the Workshop/School/Symposium of the REX Project (Research and Education in Concurrent Systems) (LNCS), Vol. 600. Springer, 226--251. Google ScholarDigital Library
Holger Hermanns, Julia Krämer, Jan Krcál, and Mariëlle Stoelinga. 2016. The value of attack-defence diagrams. In Proceedings of the POST (LNCS), Vol. 9635. Springer, 163--185.Google ScholarCross Ref
Jin B. Hong, Dong Seong Kim, Chun-Jen Chung, and Dijiang Huang. 2017. A survey on the usability and practical applications of Graphical Security Models. Comput. Sci. Rev. 26 (2017), 1--16. Google ScholarDigital Library
Ross Horne. 2015. The consistency and complexity of multiplicative additive system virtual. Sci. Ann. Comp. Sci. 25, 2 (2015), 245--316.Google Scholar
Ross Horne, Sjouke Mauw, and Alwen Tiu. 2017. Semantics for specialising attack trees based on linear logic. Fundam. Inform. 153, 1-2 (2017), 57--86.Google ScholarCross Ref
Marieta Georgieva Ivanova, Christian W. Probst, René Rydhof Hansen, and Florian Kammüller. 2015. Attack tree generation by policy invalidation. In Proceedings of the WISTP (LNCS), Vol. 9311. Springer, 249--259. Google ScholarDigital Library
Marieta Georgieva Ivanova, Christian W. Probst, René Rydhof Hansen, and Florian Kammüller. 2015. Transforming graphical system models to graphical attack models. In Proceedings of the GraMSec 2015 (LNCS), Vol. 9390. Springer, 82--96.Google Scholar
Ravi Jhawar, Barbara Kordy, Sjouke Mauw, Sasa Radomirovic, and Rolando Trujillo-Rasua. 2015. Attack trees with sequential conjunction. In Proceedings of the SEC (IFIP AICT), Vol. 455. Springer, 339--353.Google ScholarCross Ref
Ravi Jhawar, Karim Lounis, and Sjouke Mauw. 2016. A stochastic framework for quantitative analysis of attack--defense trees. In Proceedings of the STM (LNCS), Vol. 9871. Springer, 138--153.Google ScholarCross Ref
Mary A. Johnson and Michael R. Taaffe. 1988. The denseness of phase distributions. School of Industrial Engineering Research Memoranda 88-20, Purdue University.Google Scholar
Aivo Jürgenson and Jan Willemson. 2008. Computing exact outcomes of multi-parameter attack trees. In Proceedings of the OTM Conferences (2) (LNCS), Vol. 5332. Springer, 1036--1051. Google ScholarDigital Library
Florian Kammüller. 2017. A proof calculus for attack trees in isabelle. In Proceedings of the DPM/CBT@ESORICS (LNCS), Vol. 10436. Springer, 3--18.Google ScholarCross Ref
Florian Kammüller. 2018. Attack trees in Isabelle. In Proceedings of the ICICS (LNCS), Vol. 11149. Springer, 611--628.Google ScholarCross Ref
Florian Kammüller and Christian W. Probst. 2013. Invalidating policies using structural information. In Proceedings of the IEEE Symposium on Security and Privacy Workshops. IEEE Computer Society, 76--81. Google ScholarDigital Library
Florian Kammüller and Christian W. Probst. 2014. Combining generated data models with formal invalidation for insider threat analysis. In Proceedings of the IEEE Symposium on Security and Privacy Workshops. IEEE Computer Society, 229--235. Google ScholarDigital Library
Joost-Pieter Katoen and Mariëlle Stoelinga. 2017. Boosting fault tree analysis by formal methods. In Proceedings of the ModelEd, TestEd, TrustEd (LNCS), Vol. 10500. Springer, 368--389.Google ScholarCross Ref
Robert M. Keller. 1976. Formal verification of parallel programs. Commun. ACM 19, 7 (1976), 371--384. Google ScholarDigital Library
Barbara Kordy, Piotr Kordy, and Yoann van den Boom. 2016. SPTool—Equivalence checker for SAND attack trees. In Proceedings of the CRiSIS (LNCS), Vol. 10158. Springer, 105--113.Google Scholar
Barbara Kordy, Sjouke Mauw, Sasa Radomirovic, and Patrick Schweitzer. 2014. Attack--defense trees. J. Log. Comput. 24, 1 (2014), 55--87.Google ScholarCross Ref
Barbara Kordy, Ludovic Piètre-Cambacédès, and Patrick Schweitzer. 2014. DAG-based attack and defense modeling: Don’t miss the forest for the attack trees. Comput. Sci. Rev. 13--14 (2014), 1--38. Google ScholarDigital Library
Barbara Kordy, Marc Pouly, and Patrick Schweitzer. 2014. A probabilistic framework for security scenarios with dependent actions. In Proceedings of the iFM (LNCS), Vol. 8739. Springer, 256--271.Google ScholarCross Ref
Barbara Kordy, Marc Pouly, and Patrick Schweitzer. 2016. Probabilistic reasoning with graphical security models. Inf. Sci. 342 (2016), 111--131. Google ScholarDigital Library
Barbara Kordy and Wojciech Wideł. 2017. How well can I secure my system? In Proceedings of the iFM’17 (LNCS), Vol. 10510. Springer, 332--347.Google ScholarCross Ref
Barbara Kordy and Wojciech Wideł. 2018. On quantitative analysis of attack--defense trees with repeated labels. In Proceedings of the POST (LNCS), Vol. 10804. Springer, 325--346.Google ScholarCross Ref
Rajesh Kumar. 2018. Truth or Dare: Quantitative Security Risk Analysis Via Attack Trees. Ph.D. Dissertation. University of Twente, The Netherlands.Google Scholar
Rajesh Kumar, Enno Ruijters, and Mariëlle Stoelinga. 2015. Quantitative attack tree analysis via priced timed automata. In Proceedings of the FORMATS (LNCS), Vol. 9268. Springer, 156--171.Google ScholarCross Ref
Rajesh Kumar, Stefano Schivo, Enno Ruijters, Buǧra M. Yildiz, David Huistra, Jacco Brandt, Arend Rensink, and Mariëlle Stoelinga. 2018. Effective analysis of attack trees: A model-driven approach. In Proceedings of the FASE (LNCS), Alessandra Russo and Andy Andy Schürr (Eds.), Vol. 10802. Springer, 56--73.Google ScholarCross Ref
Marta Kwiatkowska, David Parker, and Clemens Wiltsche. 2016. PRISM-Games 2.0: A Tool for Multi-objective Strategy Synthesis for Stochastic Games. LNCS, Vol. 9636. Springer, 560--566. Google ScholarDigital Library
Kim Guldstrand Larsen, Paul Pettersson, and Wang Yi. 1997. UPPAAL in a nutshell. Int. J. Softw. Tools. Technol. Trans. 1, 1--2 (1997), 134--152. Google ScholarDigital Library
Aleksandr Lenin. 2015. Reliable and Efficient Determination of the Likelihood of Rational Attacks. Ph.D. Dissertation. Tallinn University of Technology, Estonia.Google Scholar
Aleksandr Lenin, Jan Willemson, and Dyan Permata Sari. 2014. Attacker profiling in quantitative security assessment based on attack trees. In Proceedings of the NordSec (LNCS), Vol. 8788. Springer, 199--212.Google ScholarCross Ref
Sjouke Mauw and Martijn Oostdijk. 2005. Foundations of attack trees. In Proceedings of the ICISC (LNCS), Vol. 3935. Springer, 186--198. Google ScholarDigital Library
National Electric Sector Cybersecurity Organization Resource (NESCOR). 2015. Analysis of Selected Electric Sector High Risk Failure Scenarios, Version 2.0. Retrieved June 13, 2018, from: http://smartgrid.epri.com/doc/NESCOR%20Detailed%20Failure%20Scenarios%20v%2.pdf.Google Scholar
Abraham Neyman and Sylvain Sorin. 2003. Stochastic Games and Applications. NATO Science Series ASIC, Vol. 570. Kluwer Academic Publishers.Google Scholar
Peter Niebert, Stavros Tripakis, and Sergio Yovine. 2000. Minimum-time reachability for timed automata. In Proceedings of the IEEE Mediteranean Control Conference. IEEE, 8.Google Scholar
Hanne Riis Nielson, Flemming Nielson, and Roberto Vigo. 2012. A calculus for quality. In Proceedings of the FACS (LNCS), Vol. 7684. Springer, 188--204.Google Scholar
Judea Pearl. 1988. Probabilistic Reasoning in Intelligent Systems: Networks of Plausible Inference. Morgan Kaufmann. Google ScholarDigital Library
René Peeters. 2003. The maximum edge biclique problem is NP-complete. Discrete Appl. Math. 131, 3 (2003), 651--654. Google ScholarDigital Library
Ludovic Piètre-Cambacédès and Marc Bouissou. 2010. Attack and defense modeling with BDMP. In Proceedings of the MMM-ACNS (LNCS), Vol. 6258. Springer, 86--101. Google ScholarDigital Library
Sophie Pinchinat, Mathieu Acher, and Didier Vojtisek. 2014. Towards synthesis of attack trees for supporting computer-aided risk analysis. In Proceedings of the SEFM Workshops (LNCS), Vol. 8938. Springer, 363--375.Google Scholar
Sophie Pinchinat, Mathieu Acher, and Didier Vojtisek. 2015. ATSyRa: An integrated environment for synthesizing attack trees—(Tool Paper). In Proceedings of the GraMSec 2015 (LNCS), Vol. 9390. Springer, 97--101.Google Scholar
Marc Pouly. 2010. NENOK—A software architecture for generic inference. Int. J. on Artif. Intel. Tools 19 (2010), 65--99.Google ScholarCross Ref
Nicolas Privault. 2013. Discrete-time Markov chains. In Understanding Markov Chains: Examples and Applications. Springer, 77--94.Google Scholar
Christian W. Probst, Jan Willemson, and Wolter Pieters. 2015. The attack navigator. In Proceedings of the GraMSec 2015 (LNCS), Vol. 9390. Springer, 1--17.Google Scholar
Reza Pulungan and Holger Hermanns. 2009. Acyclic minimality by construction—almost. In Proceedings of the QEST. IEEE Computer Society, 63--72. Google ScholarDigital Library
Martin L. Puterman. 2014. Markov Decision Processes: Discrete Stochastic Dynamic Programming. John Wiley 8 Sons.Google Scholar
Loukmen Regainia. 2018. Assisting in the Development and Testing of Secure Applications. Ph.D. Dissertation. University Clermont Auvergne, France.Google Scholar
Loukmen Regainia and Sébastien Salva. 2017. A methodology of security pattern classification and of attack-defense tree generation. In Proceedings of the ICISSP. SciTePress, 136--146.Google ScholarCross Ref
N. Robertson and P. D. Seymour. 1983. Graph minors I: Excluding a forest. J. Comb. Theory, Ser. B 35, 1 (1983), 39--61.Google ScholarCross Ref
Arpan Roy, Dong Seong Kim, and Kishor S. Trivedi. 2012. Attack countermeasure trees (ACT): Towards unifying the constructs of attack and defense trees. Sec. Commun. Netw. 5, 8 (2012), 929--943. Google ScholarDigital Library
Enno Ruijters and Mariëlle Stoelinga. 2015. Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools. Comput. Sci. Rev. 15 (2015), 29--62. Google ScholarDigital Library
Bruce Schneier. 1999. Attack trees. Dr. Dobb’s J. 24, 12 (1999), 21--29.Google Scholar
Patrick Schweitzer. 2013. Attack--Defense Trees. Ph.D. Dissertation. University of Luxembourg, Luxembourg.Google Scholar
Yann Thierry-Mieg. 2015. Symbolic model-checking using ITS-Tools. In Proceedings of the TACAS (LNCS), Vol. 9035. Springer, 231--237. Google ScholarDigital Library
Axel Thümmler, Peter Buchholz, and Miklós Telek. 2006. A novel approach for phase-type fitting with the EM algorithm. IEEE Trans. Depend. Sec. Comput. 3, 3 (2006), 245--258. Google ScholarDigital Library
Roberto Vigo, Flemming Nielson, and Hanne Riis Nielson. 2014. Automated generation of attack trees. In Proceedings of the CSF. IEEE Computer Society, 337--350. Google ScholarDigital Library
Roberto Vigo, Flemming Nielson, and Hanne Riis Nielson. 2016. Discovering, quantifying, and displaying attacks. Log. Meth. Comput. Sci. 12, 4 (2016).Google Scholar
Jonathan D. Weiss. 1991. A system security engineering process. In Proceedings of the NCSC/NIST National Computer Security Conference. 572--581.Google Scholar

Index Terms

Beyond 2014: Formal Methods for Attack Tree--based Security Modeling
1. Security and privacy
  1. Formal methods and theory of security
    1. Formal security models
    2. Logic and verification

Recommendations

Cyber security analysis using attack countermeasure trees
CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research

Attack tree (AT) is one of the widely used combinatorial models in cyber security analysis. The basic formalism of AT does not take into account defense mechanisms. Defense trees (DT) have been developed to investigate the effect of defense mechanisms ...
Read More
Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees

Attack tree (AT) is one of the widely used non-state-space models for security analysis. The basic formalism of AT does not take into account defense mechanisms. Defense trees (DTs) have been developed to investigate the effect of defense mechanisms ...
Read More
APT attacks on industrial control systems: A tale of three incidents
Abstract
Modern-day industries are complex socio-technical entities. Understanding the risks associated with the operation of such systems requires proper consideration of budget constraints, security expertise and evaluating the effects of ...
Highlights
- Modelling three APT incidents using attack trees.
- Demonstrate compositionality ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Computing Surveys Volume 52, Issue 4
July 2020
769 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/3359984
Editor:
Sartaj Sahni
Department of Computer and Information Science and Engineering
Issue’s Table of Contents
Copyright © 2019 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 30 August 2019
- Accepted: 1 May 2019
- Revised: 1 December 2018
- Received: 1 June 2018
Published in csur Volume 52, Issue 4

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Attack trees
attack--defense trees
automatic generation of security models
formal methods
graphical security modeling
logics
model checking
quantitative analysis of security
Qualifiers
- survey
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 42
  Total Citations
  View Citations
- 1,015
  Total Downloads
- Downloads (Last 12 months)161
- Downloads (Last 6 weeks)10
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format .

View HTML Format

Beyond 2014: Formal Methods for Attack Tree--based Security Modeling

ACM Computing Surveys

Abstract

References

Cited By

Index Terms

Recommendations

Cyber security analysis using attack countermeasure trees

Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees

APT attacks on industrial control systems: A tale of three incidents