Abstract
Attack trees are a well-established and commonly used framework for security modeling. They provide a readable and structured representation of possible attacks against the system to be protected. Their hierarchical structure reveals common features of the attacks and enables quantitative evaluation of security, thus highlighting the most severe vulnerabilities to focus on while implementing countermeasures. Since attack trees in real-life studies have a large number of nodes, their manual creation is a tedious and error-prone process, and their analysis is a computationally challenging task. During the last half decade, the attack tree community witnessed a growing interest in employing formal methods to deal with the aforementioned difficulties. We survey recent advances in graphical security modeling with a focus on the application of formal methods to the interpretation, (semi-)automated creation, and quantitative analysis of attack trees and their extensions. We provide a unified description of existing frameworks, compare their features, and outline interesting open questions.