
Beyond 2014: Formal Methods for Attack Tree–based Security Modeling

Published: 30 August 2019

Abstract

Attack trees are a well-established and commonly used framework for security modeling. They provide a readable and structured representation of possible attacks against a system to protect. Their hierarchical structure reveals common features of the attacks and enables quantitative evaluation of security, thus highlighting the most severe vulnerabilities to focus on while implementing countermeasures. Since in real-life studies attack trees have a large number of nodes, their manual creation is a tedious and error-prone process, and their analysis is a computationally challenging task. During the last half decade, the attack tree community witnessed a growing interest in employing formal methods to deal with the aforementioned difficulties. We survey recent advances in graphical security modeling with a focus on the application of formal methods to the interpretation, (semi-)automated creation, and quantitative analysis of attack trees and their extensions. We provide a unified description of existing frameworks, compare their features, and outline interesting open questions.


      Published In

      ACM Computing Surveys  Volume 52, Issue 4
      July 2020
      769 pages
      ISSN:0360-0300
      EISSN:1557-7341
      DOI:10.1145/3359984
      Editor: Sartaj Sahni

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 30 August 2019
      Accepted: 01 May 2019
      Revised: 01 December 2018
      Received: 01 June 2018
      Published in CSUR Volume 52, Issue 4

      Author Tags

      1. Attack trees
      2. attack–defense trees
      3. automatic generation of security models
      4. formal methods
      5. graphical security modeling
      6. logics
      7. model checking
      8. quantitative analysis of security

      Qualifiers

      • Survey
      • Research
      • Refereed
