Attack Countermeasure Trees: A Non-state-space
Approach Towards Analyzing Security and Finding
Optimal Countermeasure Sets
by
Arpan Roy
Department of Electrical and Computer Engineering, Duke University
Date:
Approved:
Kishor S. Trivedi, Supervisor
Chris Dwyer
Benjamin C. Lee
Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in the Department of Electrical and Computer Engineering in the Graduate School of Duke University, 2010
Copyright © 2010 by Arpan Roy. All rights reserved.
Abstract

Attack tree (AT) is one of the widely used combinatorial models in security analysis. The basic formalism of AT does not take into account defense mechanisms. Defense trees (DTs) have been developed to investigate the effect of defense mechanisms using measures such as attack cost, security investment cost, return on attack (ROA) and return on investment (ROI). DT, however, places defense mechanisms only at the leaf nodes, and the corresponding ROI/ROA analysis does not incorporate the probabilities of attack. In attack response tree (ART), attack and response are both captured, but ART suffers from the problem of state-space explosion, since the solution of ART is obtained by means of a partially observable Markov decision process model. In this thesis, we present a novel attack tree paradigm called attack countermeasure tree (ACT) which takes a purely non-state-space approach to security analysis, taking into account attacks as well as countermeasures (in the form of detection and mitigation techniques). In ACT, detection and mitigation are allowed not just at the leaf nodes but also at the intermediate nodes, while at the same time the state-space explosion problem is avoided in its analysis. We propose algorithms to perform single and multiobjective optimization to find optimal countermeasure sets under different sets of budgetary constraints. We illustrate the features of ACT using several case studies.
Contents

Abstract
List of Tables
List of Figures
List of Abbreviations and Symbols
Acknowledgements
1 Introduction
1.1 Fault Trees and Attack Trees
1.2 Motivation
1.3 Contribution
2 Background
2.1 Related Work
2.2 SHARPE
3 Attack Countermeasure Trees
3.1 Formalism of ACT
3.2 Security Analysis using ACT
4 Examples of ACT Analysis
4.1 SHARPE Implementation
4.2 Analysis of Examples
5 Optimal Countermeasure Selection
5.1 Optimization Problem
5.1.1 Single Objective Optimization
5.2 Implementation of Optimization Toolbox
6 Conclusions and Future Work
6.1 Conclusions
6.2 Future Work
Bibliography

List of Tables

3.1 Formulae for probability of attack success
3.2 Formulae for attack cost and attack impact
4.1 Parameter values for attack nodes in ACT
4.2 Parameter values for countermeasure nodes in ACT
5.1 Procedure for reduction of constraint matrix T
5.2 Algorithm for finding the optimal countermeasure set for an ACT with objective function F1
5.3 Recursive Branch and Bound algorithm for finding optimal countermeasure set using objective function F2
5.4 Recursive Branch and Bound algorithm for finding optimal countermeasure set using objective function F2 (contd.)
5.5 Procedure for computing the lower bound for objective function F2
1 SHARPE code for computing mincuts of SCADA ACT

List of Figures

1.1 Disadvantage of using state-space models
1.2 Analysis using ACT
3.1 (a) ACT with one attack event (b) ACT with one attack and one detection event (c) ACT with one attack and multiple detection events (d) ACT with one attack, one detection and one mitigation event (e) ACT with one attack, multiple detection and one mitigation event (f) ACT with one attack, one detection and multiple mitigation events (g) ACT with one attack and multiple pairs of detection and mitigation events
3.2 A simple attack tree for resetting the BGP session
3.3 A simple ACT for resetting a BGP session
3.4 Attack tree with repeated events
4.1 Change in (a) structural importance measure, (b) corresponding change in $P_{goal}$, (c) change in Birnbaum importance measure and (d) corresponding change in $P_{goal}$ for BGP ACT due to implementation of countermeasures
4.2 ACT for SCADA system
4.3 ACT for Malicious Insider Attack (MI ACT)
4.4 $P_{goal}$ vs. probability of attack values of all the leaf nodes of (a) BGP ACT, (b) SCADA ACT and (c) MI ACT
4.5 Risk to system ($Risk_{sys}$) (a) for BGP ACT against $p_{A_{1123}}$ (x axis) and $i_{A_{1123}}$ (y axis), (b) for SCADA ACT with both $p_{S_1}$ and $p_{G_1}$ being varied (x axis) and both $I_{S_1}$ and $I_{G_1}$ being varied (y axis) and (c) for MI ACT against $p_{A_{31}}$ (x axis) and $i_{A_{31}}$ (y axis)
4.6 $Risk_{sys}$ in SCADA ACT (a) against the probability of attack values (x axis) and attack impact values (y axis) for the generators (G1, G2, G3) (b) against the probability of attack values (x axis) and attack impact values (y axis) for the sensors (S1, S2, S3)
4.7 ROA against (a) varying attack impact value $i_{A_{1123}}$ (x axis) and attack cost value $c_{A_{1123}}$ (y axis) of the leaf node A1123 in BGP ACT, (b) varying attack impact value $I_{S_1}, I_{G_1}$ (x axis) and attack cost value $C_{S_1}, C_{G_1}$ (y axis) of leaf nodes S1 and G1 of SCADA ACT and (c) varying attack impact value $i_{A_{31}}$ (x axis) and attack cost value $c_{A_{31}}$ (y axis) of the leaf node A31 in MI ACT
4.8 $P_{goal}$ against the probability that a countermeasure succeeds for (a) BGP ACT, (b) SCADA ACT and (c) MI ACT
4.9 ROI for each countermeasure (a) against $c_{CM_i}$ (x axis) and $p_{CM_i}$ (y axis) for BGP ACT, (b) against $c_{CM_i}$ (x axis) and $p_{CM_i}$ (y axis) for SCADA ACT and (c) against $c_{CM_i}$ (x axis) and $p_{CM_i}$ (y axis) for MI ACT
5.1 Sample run of the procedure REDUCE(OPT, T) (from Table 5.1) on the constraint matrix T for the BGP ACT in Figure 3.3
5.2 Instance of a cyclic constraint matrix using an ACT for TCP sequence number attack
5.3 Sample run of the algorithm in Table 5.3 on a cyclic constraint matrix T
5.4 Plot of $P_{goal}$ vs. probability of attack values of all the leaf nodes of (a) BGP ACT for the ACT with no countermeasure and under the two optimal solutions (OPT1 and OPT2) and (b) SCADA ACT for the ACT with no countermeasure (case 1) and under the three optimal solutions (OPT1, OPT2 and OPT3)
5.5 ROI of (a) the different countermeasure sets providing full cover against $c_{CM_i}$ (x axis) and $p_{CM_i}$ (y axis) for BGP ACT and (b) the different countermeasure sets providing the required partial cover against $c_{CM_i}$ (x axis) and $p_{CM_i}$ (y axis) for SCADA ACT
5.6 Runtime plot for optimization with objective function $F_{mo2}$ using (i) explicit enumeration, (ii) branch and bound algorithm (in Table 5.3) and (iii) a simple genetic algorithm (SGA) with increasing tree size
5.7 Use case diagram for optimizer
List of Abbreviations and Symbols

Abbreviations

Common abbreviations used throughout the thesis are listed below, together with their full expressions:

AT Attack Tree, a simple combinatorial attack model (proposed in [70])
DT Defense Tree, a combinatorial security model with both attack events and defense mechanisms (proposed in [6])
PT Protection Tree (proposed in [25])
ART Attack Response Tree with attacks and responses (proposed in [91])
ACT Attack Countermeasure Tree (proposed in [64])
ROA Return on Attack [17]
ROI Return on Investment (Return on Security Investment [76])
BGP Border Gateway Protocol
SCADA Supervisory Control and Data Acquisition system (an industrial control system)

Symbols

General notes on symbol usage in the text are given here. The generic symbols and their definitions are listed below.

$A_k$ an attack event
$D_k$ a detection event
$M_k$ a mitigation event
$CM_k$ a countermeasure, generally a pair of defense mechanisms $(D_k, M_k)$
$\Phi(X)$ structure function of an ACT
$p_{A_k}$ probability of occurrence of attack event $A_k$
$p_{D_k}$ probability of success of detection event $D_k$
$p_{M_k}$ probability of success of mitigation event $M_k$
$p_{goal}$ probability of attack success at the ACT goal
$I^{ST}_{A_k}$ structural importance measure of attack event $A_k$
$I^{BT}_{A_k}$ Birnbaum importance measure of attack event $A_k$
$I_{A_k}$ impact of attack event $A_k$
$I_{goal}$ impact at the goal node of ACT
$c_{A_k}$ cost of attack event $A_k$
$C_{goal}$ attack cost at the goal node of ACT
$c_{CM_k}$ security investment cost of countermeasure $CM_k$
Acknowledgements

I would like to express my deepest gratitude towards my advisor, Professor Kishor S. Trivedi, for his insightful advice and guidance. Every discussion with him always clarifies my confusions and inspires new ideas. During meetings and discussions, his accurate memory and broad knowledge have impressed me. I would also like to thank him for his encouragement and support that helped me build confidence when I felt stuck in my research.

I would like to thank my committee members Dr. Chris Dwyer and Dr. Ben Lee for their kindness to serve on my committee, for finding the time to read my thesis and for giving numerous constructive suggestions to improve it.

I would also like to thank my colleagues and friends at Duke University, both former and present, Dr. Dong Seong Kim, Dr. Rivalino Matias, Dr. Roberto Pietrantuono, Fumio Machida, Kesari Mishra, Jae Shik Lim, Ferdinando Chiacchio, Xiaoyan Yin, Rahul Ghosh and Francesco Longo for the wonderful working environment they created and the generous help they offered me from time to time.

Finally I would like to thank my parents for their lasting love, support, guidance and encouragement. Without them standing behind me, I would never have been able to pursue this thesis.

Arpan Roy
1 Introduction

The recent surge of security breaches in systems varying from low-end client desktops to high-end servers and an unprecedented increase in the diversity of network security bugs have led researchers to re-evaluate the utility of network security models. In 2007 alone, Symantec detected 711,912 new threats compared to 125,243 in 2006, an increase of 468 percent in a year.
1.1 Fault Trees and Attack Trees

An attack tree is a model used to analyze the security of a computer against network threats, or the security of any system for that matter: it can be used to analyze the threats posed by any outside attacker on a system. Attack trees are represented in the form of a tree-like structure similar to fault trees, composed of a network of gates connecting leaf nodes representing simple attacks to a goal node. Attack trees play the same role in intrusion detection and intrusion tolerance that fault trees play in fault tolerance. There is a distinct duality in the lines of thought pertaining to the analysis of attack trees. Some authors believe in analyzing attack trees from the attacker's perspective and some believe in analyzing attack trees from the defender's point of view. However, either way the goal is the same: to produce a model that will help understand system behavior. The driving reason behind the creation of attack trees was to decompose a single high-level threat into intermediate short-term objectives and finally into individual attacker actions. Attack trees help provide security analysts perspective with regard to not only attacks but also the threats and vulnerabilities pertaining to these attacks. Owing to their similarity in formalism, attack trees can use the same methodology that fault trees use in dealing with shared or repeated events [18].
1.2 Motivation

The first step towards security modeling involves designing a scalable model [56, 71] that helps quantify security [80] in terms of key attributes such as the loss caused by attacks [17, 42] or the gain accrued from enforcing a security measure [76]. This will aid not only in probabilistic risk analysis (PRA) of a system but also in the development of a scheme as to where in the system security investment should be prioritized. The simplest model in this context is the attack tree (AT) [52, 71].

However, the basic formalism of AT does not include defense mechanisms. Defense trees (DTs) [5, 6] incorporate defense mechanisms in AT; however, they place defense mechanisms only at the leaf nodes, and ROI/ROA analysis using DT does not incorporate probabilities of attack. In attack response trees (ARTs) [91], both attacks and responses are captured at any node. However, ARTs suffer from the state-space explosion problem (or the largeness problem) due to the use of a state-space model (partially observable Markov decision process) [75] in the solution technique. When the corresponding state-space model is built from an ART, the number of states in the state-space model is exponential in the number of leaf nodes in the ART ($2^{\text{no. of leaf nodes in the ART}}$), as shown in Figure 1.1. The same problem exists with the use of attack response graphs for security modeling [46].
Figure 1.1: Disadvantage of using state-space models (diagram not reproduced). Left: an attack response tree with attack events A1, A2, A3 under an AND gate and responses R1, R2, R3. Right: the corresponding state-space model, where the marking of a state = (A1, A2, A3) ranges over 000, 001, 010, 011, 100, 101, 110 and 111.
1.3 Contribution

In this thesis, we will present a novel attack tree model called attack countermeasure tree (ACT). Our contributions are summarized as follows. In ACT,

• defense mechanisms are placed at any node of the tree, not just at the leaf nodes,
• generation and analysis of attack scenarios and attack-countermeasure scenarios is automated using mincuts,
• probabilistic analysis (using measures such as attack and security investment cost, Birnbaum importance measure, system risk, impact of an attack, ROI and ROA) can be performed in an integrated manner (as shown in Figure 1.2),
• attack events and countermeasures are prioritized using structural and Birnbaum importance measure and
• an optimal countermeasure set is selected from the pool of defense mechanisms using a non-state-space approach which is much less expensive than the state-space approach for ART in [91].
Figure 1.2: Analysis using ACT (diagram not reproduced). Attack Countermeasure Tree (ACT) analysis is split into qualitative analysis (mincuts, structural importance) and probabilistic analysis (probability of attacks, cost, impact, risk, ROI & ROA, Birnbaum importance).
We have implemented a new ACT module in the SHARPE [81] software package. We use single- as well as multi-objective optimization to find possible optimal countermeasures given certain security constraints (e.g., security investment cost, ROI). We demonstrate the utility of ACT through case studies (SCADA attack [13], BGP attack [15]).

The remainder of the thesis is organized as follows. Some background and related work is presented in Chapter 2. Attack countermeasure trees (ACT) are presented in Chapter 3. The basic model for ACT is presented in Section 3.1. Section 3.2 describes qualitative and probabilistic analysis using ACT. Implementation of the ACT model in SHARPE is presented in Chapter 4. In Chapter 5, we discuss the selection of an optimal countermeasure set using ACT. Chapter 6 concludes the thesis.
2 Background

2.1 Related Work

Weiss's threat logic trees [85] and Amoroso's threat trees [1] mark the beginning of the use of decision trees for characterizing attacks. Schneier developed the basic attack tree (AT) formalism [71] to build hand-generated attack trees depicting breach of email privacy by exploiting the pretty-good-privacy program (PGP) (used for encryption). An interesting observation by Schneier was that once an attack tree has been built for exploiting a particular form of threat, its application can be extended to any system that is vulnerable to that particular form of threat. For instance, the PGP attack tree built by Schneier for unauthorized access to confidential email messages (that use PGP encryption) can also be used to illustrate an attack for unauthorized reading of data off hard disks (the same PGP program is used for whole disk encryption). Moore et al. [52] extended Schneier's AT by introducing attack scenarios (mincuts) and attack profiles. Mauw et al. [47] developed an alternative formalism for AT where the attack goal was associated with the set of all mincuts. When applied to complex case studies, AT often became large and unwieldy. Therefore Daley [18] proposed a layered approach to partition attack tree nodes with respect to their functionality. Since attacks and faults both lead to system failure, Fovino et al. [29] integrated attacks into the fault tree structure by developing a graph theoretical model called extended fault tree (EFT) [29]. However, these ATs do not take into account defense mechanisms. Our notion of countermeasures is similar to the notion of security hardening measures used by Dewri et al. [21] in attack tree analysis. But in their case as well, the effects of security hardening measures were studied outside the attack tree model. To incorporate defense mechanisms in AT, Bistarelli et al. [5] used defense trees (DTs) and applied game theory to find the most cost-effective set of countermeasures. Edge et al. [25] proposed protection trees (PTs) which only concentrate on defense mechanisms regardless of attacks. Foo et al. [27] used intrusion graphs (I-GRAPHs) to model dynamic intrusion response. Zonouz et al. [91] proposed attack-response trees (ARTs) that incorporate both attacks and responses but use a state-space model (partially observable stochastic game model) to find an optimal set of countermeasures. Thus, their model suffers from state-space explosion. We propose ACT [?] which provides a simple yet compact approach for security analysis, harnessing the benefits of all the above mentioned models and allowing us to perform optimal countermeasure selection for different attack scenarios under given constraints, using a non-state-space approach.
2.2 SHARPE

Symbolic Hierarchical Automated Reliability and Performability Evaluator (SHARPE) is a software package capable of solving both non-state-space and state-space models. The first version was written in the C programming language and released in 1986. The model types that have been incorporated in the current version include fault trees, reliability block diagrams, acyclic series-parallel graphs, acyclic and cyclic Markov and semi-Markov models, Markov regenerative models, generalized stochastic Petri nets, stochastic reward nets and closed single- and multi-chain product-form queueing networks. For the models listed above, both transient and steady-state analysis is available. SHARPE is also capable of handling hierarchical models and giving out semi-symbolic (or semi-numeric) results.
3 Attack Countermeasure Trees

The graph theoretic definition of ACT is as below:

• $ACT = \{V, \psi, E\}$, where $V$ is the set of all vertices in ACT, $\psi$ the set of all gates in ACT and $E$ the set of all edges in ACT. Here $V = \{\forall k,\ v_k : v_k \in \{A_j\} \lor v_k \in \{D_i\} \lor v_k \in \{M_l\}\}$, where $A_1, A_2, \ldots, D_1, D_2, \ldots, M_1, M_2, \ldots$ are the events in the ACT; $\psi = \{\psi_k : \psi_k \in \{\text{AND}, \text{OR}, k\text{-of-}n\ \text{gate}\}\}$; $E = \{\forall k,\ e_k : e_k \in (v_i, \psi_j) \lor e_k \in (\psi_i, \psi_j)\}$; and $X = (x_{A_1} x_{A_2} \ldots x_{D_1} x_{D_2} \ldots x_{M_1} x_{M_2} \ldots)$ is a state vector for the ACT, where $x_{A_k}, x_{D_k}, x_{M_k}$ are the boolean variables associated with events $A_k, D_k, M_k$ respectively.
3.1 Formalism of ACT

In this subsection the basic formalism of ACT is presented. In ACT, there are three distinct classes of events: attack events (e.g., install keystroke logger), detection events (e.g., detect keystroke logger) and mitigation events (e.g., remove keystroke logger). Figure 3.1(a) shows a simple ACT with a single attack event. The corresponding expression for the probability of a successful attack at the goal node is shown in Eq. (3.1).

$$P_{goal} = p_A \qquad (3.1)$$

In Figure 3.1(b), one attack event and one detection mechanism are used. The corresponding expression for the probability of a successful undetected attack is:

$$P_{goal} = p_A(1 - p_D) \qquad (3.2)$$

Figure 3.1(c) is an extension of Figure 3.1(b) where $n$ detection mechanisms are being used to detect one attack event. The corresponding $P_{goal}$ is:

$$P_{goal} = p_A(1 - p_{D_1})(1 - p_{D_2}) \cdots (1 - p_{D_n}) \qquad (3.3)$$

In an ACT with only detections, mitigations are assumed to be perfect, i.e., they mitigate with probability one (or $p_M = 1$). However, if mitigations are imperfect (i.e., $0 \le p_M < 1$), mitigation techniques may be used in ACT in addition to detection mechanisms. Figure 3.1(d) shows an ACT with one attack event, one detection event and one mitigation event. Eq. (3.4) is the corresponding expression for the probability that the attack was successful, i.e., either the attack was undetected or the attack was detected but unmitigated ($D$ representing a detection event and $M$ representing a mitigation event).

$$P_{goal} = p_A\bigl(1 - p_D + p_D(1 - p_M)\bigr) = p_A(1 - p_D \times p_M) \qquad (3.4)$$

Indeed, this probability can be split into two parts if desired: the probability of an undetected attack, $p_{UD} = p_A(1 - p_D)$, and the probability of a detected but unmitigated attack, $p_{DUM} = p_A p_D (1 - p_M)$.
Figure 3.1: (a) ACT with one attack event (b) ACT with one attack and one detection event (c) ACT with one attack and multiple detection events (d) ACT with one attack, one detection and one mitigation event (e) ACT with one attack, multiple detection and one mitigation event (f) ACT with one attack, one detection and multiple mitigation events (g) ACT with one attack and multiple pairs of detection and mitigation events. (Diagram not reproduced; legend: attack event, detection event, mitigation event. Each panel combines the attack event A with its detection events D, D1..Dn and mitigation events M, M1..Mn through AND and OR gates below the "Attack success" node.)

Figure 3.1(e) shows an ACT with one attack event, $n$ detection events and one mitigation event; the corresponding equation for the probability of a successful attack is Eq. (3.5). For the ACT in Figure 3.1(e), the corresponding probability that the attack is undetected is $p_{UD} = p_A \prod_{i=1}^{n}(1 - p_{D_i})$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A\left(1 - \prod_{i=1}^{n}(1 - p_{D_i})\right) \times (1 - p_M)$.

$$P_{goal} = p_A\left(1 - \left(1 - \prod_{i=1}^{n}(1 - p_{D_i})\right) \times p_M\right) \qquad (3.5)$$

Figure 3.1(f) shows an ACT with one attack event, one detection event and $n$ mitigation events. Eq. (3.6) gives the corresponding probability of a successful attack. For the ACT in Figure 3.1(f), the corresponding probability that the attack is undetected is $p_{UD} = p_A(1 - p_D)$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A p_D \prod_{i=1}^{n}(1 - p_{M_i})$.

$$P_{goal} = p_A\left(1 - p_D \times \left(1 - \prod_{i=1}^{n}(1 - p_{M_i})\right)\right) \qquad (3.6)$$

Figure 3.1(g) shows an ACT with one attack event and $n$ pairs of detection and mitigation events. The nature of the mitigation triggered depends on the nature of the intrusion detected. Eq. (3.7) shows the corresponding expression for $P_{goal}$. The corresponding probability that the attack is undetected is $p_{UD} = p_A \prod_{i=1}^{n}(1 - p_{D_i})$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A \prod_{i=1}^{n}(1 - p_{D_i} \times p_{M_i}) - p_A \prod_{i=1}^{n}(1 - p_{D_i})$.

$$P_{goal} = p_A \prod_{i=1}^{n}\bigl(1 - p_{D_i} + p_{D_i}(1 - p_{M_i})\bigr) = p_A \prod_{i=1}^{n}(1 - p_{D_i} \times p_{M_i}) \qquad (3.7)$$
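The following evaluator is an added example, not code from the thesis or from SHARPE. It computes $P_{goal}$, $p_{UD}$ and $p_{DUM}$ for the seven patterns of Figure 3.1 and for AND, OR and k-of-n gates (Table 3.1, here for non-identical inputs as well), and lets a countermeasure sit on a gate output, which is how ACT places defenses at intermediate nodes. The probabilities in `bgp_act` are constructed values, not the thesis's parameters.

```python
from itertools import combinations
from math import prod


class CM:
    """One countermeasure stage: detections D_1..D_n (any one may detect) paired
    with mitigations M_1..M_m (any one may mitigate).  No mitigation listed means
    mitigation is assumed perfect, p_M = 1, as in Fig. 3.1(b) and (c)."""

    def __init__(self, detections, mitigations=()):
        self.p_d = 1 - prod(1 - p for p in detections)
        self.p_m = 1 - prod(1 - p for p in mitigations) if mitigations else 1.0


def _not_countered(cms):
    """Probability that no stage both detects and mitigates (the Eq. 3.7 product)."""
    return prod(1 - cm.p_d * cm.p_m for cm in cms)


class Attack:
    """Leaf attack event with occurrence probability p_a and its CM stages."""

    def __init__(self, name, p_a, cms=()):
        self.name, self.p_a, self.cms = name, p_a, list(cms)

    def p_goal(self):
        return self.p_a * _not_countered(self.cms)

    def p_undetected(self):
        """p_UD: the attack occurs and every detection stage misses it."""
        return self.p_a * prod(1 - cm.p_d for cm in self.cms)

    def p_detected_unmitigated(self):
        """p_DUM: detected somewhere but never mitigated; P_goal = p_UD + p_DUM."""
        return self.p_goal() - self.p_undetected()


class Gate:
    """AND, OR or k-of-n gate ("KOFN" with k); countermeasures may also be
    attached to the gate output (defense at an intermediate node)."""

    def __init__(self, kind, inputs, k=None, cms=()):
        self.kind, self.inputs, self.k, self.cms = kind, list(inputs), k, list(cms)

    def p_goal(self):
        ps = [x.p_goal() for x in self.inputs]
        if self.kind == "AND":
            p = prod(ps)
        elif self.kind == "OR":
            p = 1 - prod(1 - q for q in ps)
        else:  # k-of-n: at least k inputs succeed while the remaining ones fail
            n = len(ps)
            p = sum(prod(ps[i] if i in s else 1 - ps[i] for i in range(n))
                    for j in range(self.k, n + 1)
                    for s in combinations(range(n), j))
        return p * _not_countered(self.cms)


def bgp_act(p_leaf=0.5):
    """Structure of the BGP ACT in Figure 3.3 with constructed probabilities:
    every attack leaf at p_leaf, and assumed (p_D, p_M) values for the
    countermeasures CM1 (on A1), CM12 (on A12) and CM2 (on A2)."""
    cm1 = CM(detections=[0.5], mitigations=[0.6])    # D1 trace-route check / M1
    cm12 = CM(detections=[0.8], mitigations=[0.9])   # D12 seq. number check / M12
    cm2 = CM(detections=[0.7], mitigations=[0.8])    # D2 firewall alert / M2
    a112 = Gate("OR", [Attack(n, p_leaf) for n in ("A1121", "A1122", "A1123")])
    a11 = Gate("OR", [Attack("A111", p_leaf), a112])
    a12 = Attack("A12", p_leaf, cms=[cm12])
    a1 = Gate("AND", [a11, a12], cms=[cm1])          # CM1 guards the AND output
    a2 = Attack("A2", p_leaf, cms=[cm2])
    return Gate("OR", [a1, a2])


if __name__ == "__main__":
    print("P_goal for the BGP ACT with constructed values:", bgp_act().p_goal())
```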
Besides AND and OR gates, ACT also allows for k-out-of-n gates (with identical or non-identical inputs). Table 3.1 enumerates formulae for the output probability of AND, OR and k-of-n gates in an ACT.

Figure 3.2: A simple attack tree for resetting the BGP session (diagram not reproduced). Nodes: G: Reset a single BGP session (Impact = Unavailability); A1: Send message to router causing reset; A2: Alter configuration via compromised router; A12: TCP sequence number attack; A111: Send RST message to TCP stack; A112: Send BGP message; A1121: Notify; A1122: Open; A1123: Keep Alive. Gates: one AND gate and three OR gates.
3.2 Security Analysis using ACT

In this section we present qualitative analysis and quantitative analysis using ACT.

Table 3.1: Formulae for probability of attack success

Gate type | Prob. of attack success
AND gate | $\prod_{i=1}^{n} p(i)$
OR gate | $1 - \prod_{i=1}^{n}(1 - p(i))$
k/n gate* | $\sum_{j=k}^{n} \binom{n}{j} p^{j}(1 - p)^{n-j}$

*for identical inputs
Figure 3.3: A simple ACT for resetting a BGP session (diagram not reproduced; legend: attack event, detection event, mitigation event). Attack nodes: G: Reset a single BGP session; A1: Send message to router causing reset; A2: Alter configuration via compromised router; A12: TCP sequence number attack; A111: Send RST message to TCP stack; A112: Send BGP message; A1121: Notify; A1122: Open; A1123: Keep Alive. Countermeasures: D1: Trace-route check with M1: Randomize Seq. Num.; D12: TCP sequence number check with M12: MD5 authentication; D2: Router firewall alert with M2: Secure router. The attack and countermeasure nodes are combined through AND and OR gates.
Qualitative Analysis

Qualitative analysis using ACT provides us with mincuts and structural importance measures.

Mincut Analysis. In both AT and ACT, the top event is associated with the set of all mincuts. Mincuts of an AT represent attack scenarios [33] whereas those of an ACT represent attack-countermeasure scenarios. We show an example AT for BGP attack [15] ("resetting a BGP session", shown in Figure 3.2) and its corresponding ACT with countermeasures [43] (as depicted in Figure 3.3). Among others, countermeasures used include traceroute [38] as one of the detection mechanisms for spoofed TCP reset messages and sequence number randomization [43] as the corresponding mitigation technique. The top (or goal) event in the ACT can also be expressed as a boolean function ($\Phi(X)$) of the leaf node events. In Eq. (3.8), $\Phi(X)$, the complementary boolean structure function for the AT in Figure 3.2, is given, where $X$ is a state vector of the ACT and $x_{A_i}$ is a boolean variable such that $x_{A_i} = 1$ when event $A_i$ occurs, else $x_{A_i} = 0$. Mincuts for the AT in Figure 3.2 are: {(A111, A12), (A1121, A12), (A1122, A12), (A1123, A12), (A2)}.

$$\Phi(X) = x_{A_{111}} x_{A_{12}} + x_{A_{1121}} x_{A_{12}} + x_{A_{1122}} x_{A_{12}} + x_{A_{1123}} x_{A_{12}} + x_{A_2} \qquad (3.8)$$

The mincuts (attack-countermeasure scenarios) of the ACT in Figure 3.3 are {(A111, CM1, A12, CM12), (A1121, CM1, A12, CM12), (A1122, CM1, A12, CM12), (A1123, CM1, A12, CM12), (A2, CM2)} (where CM1 = (D1, M1), CM12 = (D12, M12), CM2 = (D2, M2)). From the mincut (A1122, CM1, A12, CM12), observe that the pair of attack events (A1122, A12) is covered by the countermeasures CM1 and CM12. We use mincuts in Section 3.2 to develop an approach for the cost and the impact analysis in ACT. Mincuts can also be used to find the optimal countermeasure set for an ACT.
Structural Importance Measure Analysis. It is important to determine the most critical event in an ACT. Towards this objective, the structural importance measure [50] can be used. The concept of ordering system components based on structural importance was first introduced by Boland et al. [8]. The structural importance measure [30] is used when the ACT has equiprobable events, i.e., we are provided with only the ACT but the probabilities of attack (for attack events) and detection/mitigation (for detection/mitigation events) are unknown. Given an ACT, its boolean structure function ($\Phi(X)$) can be built. $\Phi(X) = 1$ when the attack succeeds whereas $\Phi(X) = 0$ when the attack fails. Two state vectors are considered:

$$X = (x_{A_1}\ x_{A_2}\ \ldots\ x_{A_{k-1}}\ x_{A_k}\ x_{A_{k+1}}\ \ldots\ x_{A_n})$$

$$X' = (x_{A_1}\ x_{A_2}\ \ldots\ x_{A_{k-1}}\ \bar{x}_{A_k}\ x_{A_{k+1}}\ \ldots\ x_{A_n})$$

The structural importance measure of an attack event ($A_k$) in an ACT is defined to be the normalized count of state vectors where the component is relevant for the boolean structure function. The corresponding expression for $I^{ST}_{A_k}$ is shown in Eq. (3.9).

$$I^{ST}_{A_k} = \frac{\sum_{X} \left[\Phi(X)_{A_k} - \Phi(X')_{A_k}\right]}{2^n} \qquad (3.9)$$

An attack event ($A_k$) is said to be relevant for a particular state vector $X$ when flipping the boolean value associated with attack event $A_k$ flips the value of $\Phi(X)$ from 1 to 0. In other words, $A_k$ is relevant to state vector $X$ if $\Phi(X)_{A_k} - \Phi(X')_{A_k} = 1$. Once the most critical event in the system is determined, it can be patched or the appropriate detection and mitigation for the component can be enforced.
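Mincut enumeration and the structural importance measure of Eq. (3.9) can both be computed directly from the structure function, as this added example (not from the thesis or SHARPE) does for the attack tree of Figure 3.2. `phi_bgp` encodes Eq. (3.8); the event names are the ones used in the figure.

```python
from itertools import combinations, product

BGP_EVENTS = ["A111", "A1121", "A1122", "A1123", "A12", "A2"]


def phi_bgp(x):
    """Eq. 3.8: structure function of the AT in Figure 3.2.  x maps each leaf
    event name to 0/1; returns 1 when the goal (reset a BGP session) is reached."""
    send_bgp_msg = x["A1121"] or x["A1122"] or x["A1123"]   # A112: OR gate
    send_reset = x["A111"] or send_bgp_msg                   # A11: OR gate
    return int((send_reset and x["A12"]) or x["A2"])         # A1: AND, G: OR


def mincuts(phi, events):
    """All minimal sets of leaf events whose occurrence alone makes phi = 1
    (the attack scenarios).  Subsets are tried in increasing size, so any subset
    containing an already-found mincut is a cut but not a minimal one."""
    found = []
    for size in range(1, len(events) + 1):
        for subset in combinations(events, size):
            s = set(subset)
            if any(mc <= s for mc in found):
                continue
            if phi({e: int(e in s) for e in events}) == 1:
                found.append(frozenset(s))
    return found


def structural_importance(phi, events, k):
    """Eq. 3.9 for attack event k: the count of state vectors in which k is
    relevant (setting x_k from 1 to 0 flips phi from 1 to 0), normalised by the
    number of settings of the other events."""
    others = [e for e in events if e != k]
    relevant = 0
    for bits in product((0, 1), repeat=len(others)):
        x = dict(zip(others, bits))
        relevant += phi({**x, k: 1}) - phi({**x, k: 0})
    return relevant / 2 ** len(others)


def rank_events(phi, events):
    """Events ordered from most to least critical (Qualitative Analysis)."""
    scores = {e: structural_importance(phi, events, e) for e in events}
    return sorted(scores.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for mc in mincuts(phi_bgp, BGP_EVENTS):
        print("mincut:", sorted(mc))
    for event, score in rank_events(phi_bgp, BGP_EVENTS):
        print(f"I_ST[{event}] = {score:.5f}")
```

The run reproduces the five mincuts listed for Figure 3.2 and ranks A2 (which alone reaches the goal) above A12 and far above the individual RST/BGP message events.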
Probabilistic Analysis

The computation of the probability of a successful attack in an ACT was discussed in Section 3.1. For an ACT, the probability of a successful attack can be computed, which can be further split into the probability that the attack is undetected and the probability that the attack is detected but unmitigated. When provided with values for parameters such as probabilities of attacks, cost etc., probabilistic (or quantitative) analysis can be performed using ACTs. Quantitative analysis using ACT can be viewed from two distinct viewpoints: the attacker's viewpoint and the defender's (or security analyst's) viewpoint. Measures such as attack cost and ROA reflect the attacker's perspective whereas metrics such as security investment cost, risk, impact and ROI represent the defender's perspective.

Cost Computation. In ACT, cost may be of two types: cost of attack and security investment cost. Cost of attack in an ACT ($C_{attacker}$) with no repeated events is computed using the expressions in Table 3.2 [53]. In ACT, the cost of attack is the sum of the costs of the input events for an AND gate whereas it is the minimum of the cost of the input events for an OR gate. The cost of attack for a k-of-n gate is the sum of the cost of the k lowest-cost input events to the gate.
Table 3.2: Formulae for attack cost and attack impact

Gate type | attack cost | impact
AND gate | $\sum_{i=1}^{n} c_{A_i}$ | $\sum_{i=1}^{n} i_{A_i}$
OR gate | $\min_{i=1}^{n} c_{A_i}$ | $\max_{i=1}^{n} i_{A_i}$
k-of-n gate (a) | $\sum_{i=1}^{k} c_{A_i}$ | $\sum_{i=1}^{k} i_{A_i}$

(a) For the k-of-n gate, it is assumed that $(c_{A_1}, c_{A_2}, \ldots, c_{A_n})$ are sorted in ascending order of their cost values and $(i_{A_1}, i_{A_2}, \ldots, i_{A_n})$ are sorted in descending order of their impact values.
Figure 3.4: Attack tree with repeated events (diagram not reproduced). Goal G over attack events A1, A2 and A3, with A3 appearing twice (legend: repeated event, non-repeat event); the events are combined through OR, AND and OR gates.
For an ACT containing one or more repeated events (as shown in Figure 3.4),
we use a simple procedure to compute the attack cost. SHARPE [81] can be used
to generate the mincuts of the ACT. The attack cost of a mincut is given by
the sum of the attack costs of the attack events in the mincut. The attack cost of the
mincut with the lowest cost is selected as the cost of attack for the ACT. In the case of
Figure 3.4, the ACT mincuts are {A1, A2} and {A3}, and hence the corresponding
C_attacker = min{c_{A1} + c_{A2}, c_{A3}}.
Security investment cost for an ACT is computed by summing the security investment
cost of the countermeasures present in the ACT. Also using ACT, the set of feasible
attack scenarios can be built subject to the attacker's resource constraint (e.g., attack
cost). This is called 'capability based pruning' of the AT in the SecurITree [78] AT analysis
tool. If the total attack cost is provided as the attacker's resource constraint, the subset
of mincuts (i.e., the subset of attack scenarios) that the attacker can successfully
exploit within that resource (cost) constraint can be determined.
Impact Computation. Instead of pursuing a scaled approach for impact computation
(for instance, normalized on a scale from 1 to 10 in [25]), in ACT we use the
exact value of impact [55] associated with every attack event. Even though countermeasures
do not affect the impact value directly, countermeasures do reduce
risk, which is the expected value of impact. Impact computation for the different gates
in an ACT with no repeated events is summarized in Table 3.2. If repeated events are
present in the ACT, we follow a procedure similar to that used in cost computation.
We first find the mincuts of the ACT. The impact of a mincut is the sum of the
impact values of the attack events in the mincut. The impact of the mincut with the highest
impact value is selected as the impact of the ACT. For instance, in the case of the
ACT in Figure 3.4, since the mincuts are {A1, A2} and {A3}, I_goal = max{i_{A1} + i_{A2}, i_{A3}}.
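The gate formulas of Table 3.2, the mincut-based cost and impact for trees with repeated events, and capability-based pruning, as an added Python example (it is not SHARPE or SecurITree code and not from the thesis). The 2-of-3 subtree reuses the SCADA generator cost and impact values of Table 4.1 but its wiring is constructed; the repeated-event tree is constructed and only shares the mincuts {A1, A2} and {A3} quoted for Figure 3.4; all other values are assumptions of the example.

```python
"""Attack cost, attack impact and capability-based pruning for an attack
(countermeasure) tree: Table 3.2 gate formulas for trees without repeated
events, and the mincut procedure of Section 3.2 when events repeat.
Added example, not SHARPE or SecurITree code; trees and values are constructed
except where noted."""
from itertools import combinations, product


def leaf(name):
    return ('LEAF', name)


def AND(*children):
    return ('AND', list(children))


def OR(*children):
    return ('OR', list(children))


def K_OF_N(k, *children):
    return ('KOFN', list(children), k)


def gate_cost(node, c):
    """Attack cost per Table 3.2 (valid only when no attack event is repeated)."""
    if node[0] == 'LEAF':
        return c[node[1]]
    vals = [gate_cost(ch, c) for ch in node[1]]
    if node[0] == 'AND':
        return sum(vals)                         # attacker needs every input
    if node[0] == 'OR':
        return min(vals)                         # attacker picks the cheapest
    return sum(sorted(vals)[:node[2]])           # k cheapest inputs of k-of-n


def gate_impact(node, i):
    """Attack impact per Table 3.2 (same caveat on repeated events)."""
    if node[0] == 'LEAF':
        return i[node[1]]
    vals = [gate_impact(ch, i) for ch in node[1]]
    if node[0] == 'AND':
        return sum(vals)
    if node[0] == 'OR':
        return max(vals)
    return sum(sorted(vals, reverse=True)[:node[2]])  # k highest-impact inputs


def mincuts(node):
    """Minimal sets of leaf attack events whose joint success reaches `node`
    (the thesis obtains these from SHARPE); duplicates and supersets removed."""
    if node[0] == 'LEAF':
        return [frozenset([node[1]])]
    child = [mincuts(ch) for ch in node[1]]
    if node[0] == 'OR':
        cuts = [cut for cuts in child for cut in cuts]
    elif node[0] == 'AND':
        cuts = [frozenset().union(*combo) for combo in product(*child)]
    else:                                        # any k of the n inputs
        cuts = [frozenset().union(*combo)
                for subset in combinations(child, node[2])
                for combo in product(*subset)]
    cuts = set(cuts)
    return sorted((x for x in cuts if not any(y < x for y in cuts)),
                  key=lambda x: (len(x), sorted(x)))


def mincut_cost(tree, c):
    """C_attacker for trees with repeated events: the cheapest mincut."""
    return min(sum(c[a] for a in cut) for cut in mincuts(tree))


def mincut_impact(tree, i):
    """I_goal for trees with repeated events: the most damaging mincut."""
    return max(sum(i[a] for a in cut) for cut in mincuts(tree))


def feasible_scenarios(tree, c, budget):
    """Capability-based pruning: the mincuts an attacker with `budget` can afford."""
    return [cut for cut in mincuts(tree) if sum(c[a] for a in cut) <= budget]


# 2-of-3 gate over the SCADA generators; cost and impact copied from the
# SCADA rows of Table 4.1 (impact in 10^3 $), wiring constructed here.
GEN = K_OF_N(2, leaf('AG1'), leaf('AG2'), leaf('AG3'))
GEN_COST = {'AG1': 100, 'AG2': 30, 'AG3': 40}
GEN_IMPACT = {'AG1': 300, 'AG2': 200, 'AG3': 150}

# Constructed tree with the repeated event A3: (A1 OR A3) AND (A2 OR A3).
# Its mincuts are {A1, A2} and {A3}, the ones quoted for Figure 3.4.
REPEATED = AND(OR(leaf('A1'), leaf('A3')), OR(leaf('A2'), leaf('A3')))
REP_COST = {'A1': 10, 'A2': 10, 'A3': 15}
REP_IMPACT = {'A1': 50, 'A2': 10, 'A3': 100}

if __name__ == '__main__':
    print('2-of-3 gate: cost', gate_cost(GEN, GEN_COST),
          'impact', gate_impact(GEN, GEN_IMPACT))
    print('affordable with budget 100:',
          [sorted(m) for m in feasible_scenarios(GEN, GEN_COST, 100)])
    print('repeated-event mincuts:', [sorted(m) for m in mincuts(REPEATED)])
    print('gate formulas (over-count here):',
          gate_cost(REPEATED, REP_COST), gate_impact(REPEATED, REP_IMPACT))
    print('mincut values:',
          mincut_cost(REPEATED, REP_COST), mincut_impact(REPEATED, REP_IMPACT))
```

On the repeated-event tree the gate formulas charge A3 twice (cost 20, impact 200), while the mincut procedure gives the values the text derives, min{c_{A1} + c_{A2}, c_{A3}} = 15 and max{i_{A1} + i_{A2}, i_{A3}} = 100; on the 2-of-3 gate both agree, and a budget of 100 leaves only the {AG2, AG3} scenario.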
Birnbaum Importance Measure. When probabilities of attack/defense are
known for the ACT nodes, the Birnbaum importance measure [?] (also termed the 'reliability
importance measure' for fault trees) is used to prioritize defense mechanisms to
counteract attack events. The Birnbaum importance measure of an attack event A_k
represents the change in the probability of attack at the goal caused by a small change
in the probability of attack of the ACT node at A_k. It is defined as:

I^{B}_{A_k} = \frac{\partial P_{goal}}{\partial p_{A_k}}   (3.10)

SHARPE can be used to compute I^{B}_{A_k}.
Risk Computation. In the context of ACT, risk can refer to two distinct measures,
namely (i) risk to the attacker [36] and (ii) risk to the system [45]. The attacker's
risk of an atomic attack refers to the probability of detection of the atomic attack
[36]. The AttackTree+ AT analysis tool [72] refers to this type of risk as the 'accepted
risk' of the attacker. Since we deal with the probability of detection of atomic attacks
in the P_goal computation in Section 3.1, in this subsection we discuss risk to the system.
Risk to a system refers to the system's exposure to a particular attack scenario. In this
context, two measures need to be taken into consideration: one is the amount of
damage that an attack scenario can inflict on the system (I_goal) and the other is the
probability of attack success (P_goal). Combining the two, risk to the system can be
defined as the expected value of the impact. The expression for system risk for ACTs
is:

Risk_{sys} = P_{goal} \times I_{goal}   (3.11)
In an ACT without any countermeasures, application of CM_i causes the output probability
of the ACT node containing attack event A_k (the point of application of CM_i) to
decrease by \Delta p_{A_k}^{CM_i} (for instance, incorporation of CM_i may cause the ACT node
in Figure 3.1(a) to become the ACT node in Figure 3.1(d)). In ACT, the decrease
in risk (\Delta Risk_{CM_i}) for countermeasure CM_i is given by:

\Delta Risk_{CM_i} = Risk_{without\ CM_i} - Risk_{with\ CM_i}
                   = I_{goal} \times (P_{goal_{without\ CM_i}} - P_{goal_{with\ CM_i}})   (3.12)

where P_{goal_{with\ CM_i}} is P_goal of the ACT with countermeasure CM_i and P_{goal_{without\ CM_i}}
is P_goal of the ACT without countermeasure CM_i. Similarly, for an ACT with an incorporated
countermeasure set S_CM, the decrease in risk (\Delta Risk_{S_{CM}}) for the countermeasure
set S_CM is given by:

\Delta Risk_{S_{CM}} = Risk_{without\ S_{CM}} - Risk_{with\ S_{CM}}
                     = I_{goal} \times (P_{goal_{without\ S_{CM}}} - P_{goal_{with\ S_{CM}}})   (3.13)
ROA and ROI Computation. Two metrics from the field of economics have
been adapted to the security scenario in order to quantify the nature of the competition
between the attacker and the defender. Return on Attack (ROA) [5, 6] is an
index that is aimed at measuring the benefit to the attacker from a particular attack.
Unlike attack cost, ROA changes with the application of specific countermeasures
(through P_goal). ROA [17] is defined by:

ROA = \frac{Risk_{sys}}{C_{attacker}} = \frac{I_{goal} \times P_{goal}}{C_{attacker}}   (3.14)

Next we discuss a quantification of Return on Investment (ROI) [76]. The basic
definition of ROI_{CM_i} is the profit obtained by the implementation of CM_i (thereby
signifying the efficacy of that countermeasure). ROI for countermeasure CM_i is
a function of the impact of attack of the ACT, the decrease in the probability of
attack at the ACT goal (\Delta P_{goal}^{CM_i}) due to CM_i and the security investment cost for
CM_i (c_{CM_i}). Adapting Sonnenreich's definition of Return on Investment [76] to the
context of ACT, we have:

ROI_{CM_i} = \frac{\text{profit from } CM_i - \text{cost of implementing } CM_i}{\text{cost of implementing } CM_i}   (3.15)

ROI_{CM_i} = \frac{I_{goal} \times \Delta P_{goal}^{CM_i} - c_{CM_i}}{c_{CM_i}}   (3.16)

Note that ROI_{CM_i} \ge -1, since \Delta P_{goal}^{CM_i} \ge 0.
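The measures of Eqs. (3.10) to (3.16) computed on a small ACT with detection and mitigation events, as an added Python example (not the thesis' SHARPE module). The tree, its probabilities, attack costs, impacts and security investment costs are all constructed; the leaf formula p_A(1 - p_D p_M) is the P_UD + P_DUM split stated at the start of this section, and the Birnbaum measure is evaluated as P_goal(p_{A_k} = 1) - P_goal(p_{A_k} = 0), which equals the partial derivative of Eq. (3.10) because P_goal is linear in each leaf probability when events are independent and not repeated.

```python
"""P_goal with detection/mitigation, Birnbaum importance (Eq. 3.10), Risk_sys
(3.11), the risk reduction of a countermeasure set (3.12/3.13), ROA (3.14) and
ROI (3.16) for a small ACT. Added example, not the thesis' SHARPE module; the
tree and every parameter value are constructed, the tree has no repeated
events and leaf events are treated as independent."""
from math import prod


def leaf(attack, cm=None):
    """Attack event, optionally guarded by the countermeasure named `cm`."""
    return ('LEAF', attack, cm)


def AND(*children):
    return ('AND', list(children))


def OR(*children):
    return ('OR', list(children))


def fold(node, leaf_value, and_op, or_op):
    """Bottom-up evaluation of a gate formula (AND/OR gates only)."""
    if node[0] == 'LEAF':
        return leaf_value(node)
    vals = [fold(ch, leaf_value, and_op, or_op) for ch in node[1]]
    return and_op(vals) if node[0] == 'AND' else or_op(vals)


def p_goal(tree, p, cms, active):
    """P_goal = P_UD + P_DUM. For a leaf guarded by cms[cm] = (D, M) with cm in
    `active`, the attack still succeeds if it is undetected (1 - p_D) or
    detected but unmitigated (p_D * (1 - p_M)); other leaves contribute p_A."""
    def leaf_prob(n):
        pa = p[n[1]]
        if n[2] in active:
            d, m = cms[n[2]]
            pa *= (1 - p[d]) + p[d] * (1 - p[m])
        return pa
    return fold(tree, leaf_prob, prod, lambda v: 1 - prod(1 - x for x in v))


def attack_cost(tree, c):
    """C_attacker per Table 3.2: AND sums its inputs, OR takes the cheapest."""
    return fold(tree, lambda n: c[n[1]], sum, min)


def i_goal(tree, i):
    """I_goal per Table 3.2: AND sums its inputs, OR takes the worst."""
    return fold(tree, lambda n: i[n[1]], sum, max)


def birnbaum(tree, p, cms, active, ak):
    """I^B_{A_k} = dP_goal / dp_{A_k} (Eq. 3.10). With independent, non-repeated
    leaves P_goal is linear in each p_{A_k}, so the derivative equals
    P_goal(p_{A_k} = 1) - P_goal(p_{A_k} = 0)."""
    return (p_goal(tree, dict(p, **{ak: 1.0}), cms, active)
            - p_goal(tree, dict(p, **{ak: 0.0}), cms, active))


def risk_sys(tree, p, cms, active, i):
    """Eq. 3.11: expected impact."""
    return p_goal(tree, p, cms, active) * i_goal(tree, i)


def delta_risk(tree, p, cms, i, cm_set, baseline=frozenset()):
    """Eq. 3.12/3.13: risk removed by adding cm_set to the countermeasures in baseline."""
    before = p_goal(tree, p, cms, set(baseline))
    after = p_goal(tree, p, cms, set(baseline) | set(cm_set))
    return i_goal(tree, i) * (before - after)


def roa(tree, p, cms, active, i, c):
    """Eq. 3.14; C_attacker is unchanged by countermeasures, Risk_sys is not."""
    return risk_sys(tree, p, cms, active, i) / attack_cost(tree, c)


def roi(tree, p, cms, i, c_cm, cm, baseline=frozenset()):
    """Eq. 3.16 for adding cm on top of baseline; I_goal * Delta P_goal is the
    risk removed, so ROI is never below -1."""
    gain = delta_risk(tree, p, cms, i, {cm}, baseline)
    return (gain - c_cm[cm]) / c_cm[cm]


# Constructed ACT: goal = A1 OR (A2 AND A3); CM1 = (D1, M1) guards A1 and
# CM2 = (D2, M2) guards A3. Probabilities, costs and impacts are invented.
ACT = OR(leaf('A1', 'CM1'), AND(leaf('A2'), leaf('A3', 'CM2')))
CMS = {'CM1': ('D1', 'M1'), 'CM2': ('D2', 'M2')}
P = {'A1': 0.4, 'A2': 0.2, 'A3': 0.15, 'D1': 0.5, 'M1': 0.6, 'D2': 0.7, 'M2': 0.5}
COST = {'A1': 190, 'A2': 100, 'A3': 70}                  # attack cost, $
IMPACT = {'A1': 275_000, 'A2': 300_000, 'A3': 100_000}  # attack impact, $
C_CM = {'CM1': 20_000, 'CM2': 30_000}                    # security investment, $

if __name__ == '__main__':
    for active in (set(), {'CM1'}, {'CM2'}, {'CM1', 'CM2'}):
        print(sorted(active) or 'no CM',
              'P_goal =', round(p_goal(ACT, P, CMS, active), 5),
              'ROA =', round(roa(ACT, P, CMS, active, IMPACT, COST), 2))
    for a in ('A1', 'A2', 'A3'):
        print(a, 'Birnbaum =', round(birnbaum(ACT, P, CMS, set(), a), 4))
    for cm in CMS:
        print(cm, 'ROI =', round(roi(ACT, P, CMS, IMPACT, C_CM, cm), 3))
```

With these constructed values A1 has the largest Birnbaum measure (0.97 against 0.09 and 0.12), and the countermeasure on A1 is the only one that pays (ROI_CM1 = 1.328 versus ROI_CM2 = -0.916), which is the ordering the text arrives at for the BGP ACT; setting p_{M1} = 0 makes CM1 useless and drives its ROI to exactly -1.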
4 Examples of ACT Analysis
4.1 SHARPE Implementation
We use SHARPE [81] for the evaluation of ACTs. We have implemented a module
for the automatic description and evaluation of ACTs in SHARPE. For the computation
of the probability of attack, mincuts, and the structural and Birnbaum importance
measures of an ACT, we simply use the already existing algorithms for solving fault trees
in SHARPE. These include a polynomial algorithm for analyzing ACTs with non-repeat
events, and factoring, GKG-VT [82] (a sum of disjoint products method) and
BDD algorithms [10] for analyzing ACTs with repeated events. We have added the
relevant algorithms (described in Section 3.2) for computing cost, impact and risk
in ACTs. ROA and ROI computation is done by defining functions in the SHARPE
input file.
4.2 Analysis of Examples
For the analysis of ACTs, we use the BGP ACT [15] of Figure 3.3, the SCADA ACT
[91] of Figure 4.2 and the ACT for malicious insider attack (MI ACT) of Figure 4.3 as
case studies. Two significant characteristics of the SCADA ACT are: (i) it contains
only attack and mitigation events and (ii) not all mincuts are covered by the mitigation
techniques provided. The basic structure of the ACT for malicious insider
attack (MI ACT) was proposed in [12]. We built on this structure by adding lower
level subtrees from other sources (for instance, in the MI ACT the subtree for attack by
'elevation' of a malicious user (node A4 in Figure 4.3) is obtained from [79]). The MI ACT
has attack, detection and mitigation events. However, in the MI ACT as well, not all
mincuts are covered by the countermeasures provided.
Figure 4.1(a) shows the variation in the structural importance measure and Figure 4.1(c)
shows the variation in the Birnbaum importance measure of attack event A_i
in the BGP ACT due to the implementation of countermeasure CM_i. From Figure 4.1(c)
and Figure 4.1(d), observe that the maximum decrease in P_goal is caused by the implementation
of the countermeasure associated with the attack event with the highest
value of I^{B}_{A_k}. For instance, in the BGP ACT with no defense (i.e., the BGP AT), attack
event A1 ('Send RESET message') has the highest value of I^{B}_{A_k}, leading to the implementation
of CM1 ('Traceroute') first. The corresponding decrease in P_goal (shown
in Figure 4.1(d)) is the maximum over all the countermeasures present. Therefore,
implementation of countermeasures (CM_i) for attack events (A_i) with higher values
of I^{B}_{A_k} should be prioritized. Similarly, we can observe from Figure 4.1(a) and
Figure 4.1(b) that implementing countermeasures for attack events with higher I^{ST}_{A_k}
should be prioritized.
The values of the input parameters for the attack nodes of all three ACTs
are in Table 4.1 and the values of the input parameters for the countermeasure nodes of all three
ACTs are in Table 4.2.

[Figure 4.1: Change in (a) the structural importance measure of an attack event in the BGP ACT and (b) the corresponding change in P_goal, and change in (c) the Birnbaum importance measure of an attack event in the BGP ACT and (d) the corresponding change in P_goal, due to the implementation of countermeasures CM1, CM12 and CM2 (one curve per attack event A1, A12, A2).]
Figure 4.4(a) shows P_goal for the BGP ACT (with and without countermeasures),
Figure 4.4(b) shows P_goal for the SCADA ACT (with and without countermeasures) and
Figure 4.4(c) shows P_goal for the MI ACT (with and without countermeasures), with
the probability of attack value of all the leaf nodes in the ACT varying together in the
range [0,1]. From Figure 4.4(a) we find that the P_goal value for the BGP ACT decreases with
the incorporation of detection mechanisms (P_goal = P_UD). With only detection mechanisms
in the ACT, mitigations are assumed to be perfect, i.e., they work with probability
one. Therefore, with the incorporation of (imperfect) mitigations in the BGP
ACT, P_goal increases (P_goal = P_UD + P_DUM).

Table 4.1: Parameter values for attack nodes in ACT

  ACT Node            Probability   attack cost   attack impact
                      of attack     (in $)        (in 10^3 $)
  A111 (BGP)          0.08          50            200
  A1121 (BGP)         0.1           60            130
  A1122 (BGP)         0.15          70            100
  A1123 (BGP)         0.2           100           300
  A12 (BGP)           0.1           150           250
  A2 (BGP)            0.4           190           275
  AS1 (SCADA)         0.1           100           300
  AS2 (SCADA)         0.1           110           150
  AS3 (SCADA)         0.1           90            225
  AWSE (SCADA)        0.25          250           250
  AULAN (SCADA)       0.3           275           275
  AHMI (SCADA)        0.2           100           100
  ASCOPF (SCADA)      0.15          120           120
  AG1 (SCADA)         0.15          100           300
  AG2 (SCADA)         0.3           30            200
  AG3 (SCADA)         0.2           40            150
  ADB (SCADA)         0.5           170           50
  AUWAN (SCADA)       0.35          160           100
  AWS (SCADA)         0.4           150           150
  A11 (MI ACT)        0.08          50            200
  A12 (MI ACT)        0.1           60            130
  A2111 (MI ACT)      0.15          70            100
  A2112 (MI ACT)      0.2           100           300
  A2121 (MI ACT)      0.1           150           250
  A21221 (MI ACT)     0.4           190           275
  A21222 (MI ACT)     0.1           100           300
  A213 (MI ACT)       0.1           110           150
  A2141 (MI ACT)      0.1           90            225
  A2142 (MI ACT)      0.25          250           250
  A2143 (MI ACT)      0.3           275           275
  A31 (MI ACT)        0.2           100           100
  A32 (MI ACT)        0.15          120           120
  A411 (MI ACT)       0.15          100           300
  A4121 (MI ACT)      0.3           30            200
  A4122 (MI ACT)      0.2           40            150
  A413 (MI ACT)       0.5           170           50

[Figure 4.2: ACT for SCADA system. Goal: SCADA compromised. Intermediate nodes: incorrect monitoring, incomplete sensors, wrong state estimation, problematic control, control servers, controlling agents, power loads not provided, incorrect estimates to customers. Attack events: sensors S1, S2, S3; wrong state estimation (WSE); unavailable network LAN (ULAN) and WAN (UWAN); HMI; SCOPF; control database (DB); workstation (WS); generators G1, G2, G3 under a 2/3 gate. Mitigation events: 'switch' (for the HMI) and 'restart' (one per generator). Legend: attack event, mitigation event.]

The SCADA ACT has only attack and mitigation events. Here detections are assumed to be perfect, i.e., P_goal = P_UD + P_DUM with
all p_{D_i} = 1. From Figure 4.4(b), we find that P_goal decreases with the incorporation of
mitigations in the SCADA ACT. Similarly, from Figure 4.4(c) we find that the P_goal value
for the MI ACT decreases with the incorporation of detection mechanisms and then increases
with the incorporation of (imperfect) mitigations.
[Figure 4.3: ACT for Malicious Insider Attack (MI ACT). Goal G: Malicious Insider attack success. A1: Alteration, with A11: Unauthorized alteration of registry and A12: Launch virus (countered by D12: Detect virus attack (anti-virus) and M12: Launch mitigation (anti-virus)). A2: Distribution, via A21: File Sharing, with A211: Email (A2111: Local Account, A2112: Web-based account), A212: Electronic Drop Box (A2121: FTP to File Server, A2122: Internet (A21221: Post to News Group, A21222: Post to Website)), A213: Online Chat and A214: Copy to Media (A2141: Floppy Disk, A2142: CD-ROM, A2143: USB Drive). A3: Snooping, an AND of A31: Misuse and A32: Violation of organization policy. A4: Elevation, via A41: Acquire admin privilege, with A411: Poor Configuration, A412: Steal Password (A4121: Sniff Network, A4122: Root Telnet; countered by D412: Track number of tries at password and M412: Request admin pin) and A413: Sendmail Exploit.]

[Figure 4.4: P_goal vs. probability of attack values of all the leaf nodes (x axis, 0 to 1; y axis, probability of attack at the goal, 0 to 1) of (a) the BGP ACT (P_goal without D or M, with D, with D & M), (b) the SCADA ACT (P_goal without M, with M) and (c) the MI ACT (P_goal without D or M, with D, with D & M).]

Table 4.2: Parameter values for countermeasure nodes in ACT

  ACT Node                Prob. of countermeasure   Security investment
                          success                   cost (in $)
  D1 (BGP)                0.5                       10
  M1 (BGP)                0.6                       30
  D12 (BGP)               0.8                       10
  M12 (BGP)               0.5                       20
  D2 (BGP)                0.7                       15
  M2 (BGP)                0.5                       35
  Mswitch (SCADA)         0.25                      15
  MrestartG1 (SCADA)      0.4                       25
  MrestartG2 (SCADA)      0.5                       20
  MrestartG3 (SCADA)      0.6                       30
  D12 (MI ACT)            0.5                       10
  M12 (MI ACT)            0.6                       30
  D412 (MI ACT)           0.8                       10
  M412 (MI ACT)           0.5                       20

[Figure 4.5: Risk to system (Risk_sys) (a) for the BGP ACT against p_{A1123} (x axis) and i_{A1123} (y axis), with surfaces for risk without D or M, with D, and with D & M; (b) for the SCADA ACT with both p_{S1} and p_{G1} being varied (x axis) and both I_{S1} and I_{G1} being varied (y axis), with surfaces for risk without and with CM; and (c) for the MI ACT against p_{A31} (x axis) and i_{A31} (y axis), with surfaces for risk without D or M, with D, and with D & M. Impact axes in dollars (x 10^3).]

Figure 4.5(a) shows system risk (Risk_sys) for the BGP ACT (with and without
countermeasures) with the probability of attack at leaf node A1123 (p_{A1123}) varying in
the range [0,1] and the impact value of leaf node A1123 (i_{A1123}) varying uniformly in the
range 0 to 3x10^5 $. Observe that Risk_sys decreases with the incorporation of detection
mechanisms (assuming perfect mitigations) and then increases with the incorporation
of (imperfect) mitigations in the ACT. Figure 4.5(b) shows Risk_sys for the SCADA ACT (with
and without countermeasures) with the probabilities of attack at leaf nodes p_{S1} and p_{G1}
varying together in the range [0,1] and the impact values of the leaf nodes I_{S1} and I_{G1}
varying together in the range 0 to 3x10^5 $. Observe from the surfaces that Risk_sys
decreases with the incorporation of countermeasures (mitigations) in the SCADA ACT.
Figure 4.5(c) shows system risk (Risk_sys) for the MI ACT (with and without countermeasures)
with the probability of attack at leaf node A31 (p_{A31}) varying in the
range [0,1] and the impact value of leaf node A31 (i_{A31}) varying uniformly in the range
0 to 3x10^5 $. From the surfaces, observe that for the BGP, SCADA and MI ACTs, Risk_sys
increases with the probability of attack value at the leaf node. It is also directly
proportional to the I_goal value of the corresponding ACT.
Risk_sys of different components in a system can also be compared using its ACT.
Figure 4.6(a) shows Risk_sys for the SCADA ACT against the probability of attack values
(ranging uniformly from 0 to 1) and impact values of the generator nodes G1, G2
and G3 (ranging uniformly from 0 to 2x10^5 $), whereas Figure 4.6(b) shows Risk_sys for the
SCADA ACT against the probability of attack values (ranging uniformly from 0 to 1)
and impact values of the sensor nodes S1, S2 and S3 (ranging uniformly from 0 to
2x10^5 $). From the surfaces, observe that the sensors are higher-risk components than
the generators.
[Figure 4.6: Risk_sys in the SCADA ACT (a) against the probability of attack values (x axis) and attack impact values (y axis) for the generators (G1, G2, G3) and (b) against the probability of attack values (x axis) and attack impact values (y axis) for the sensors (S1, S2, S3).]

[Figure 4.7: ROA against (a) varying attack impact value i_{A1123} (x axis) and attack cost value c_{A1123} (y axis) of the leaf node A1123 in the BGP ACT (surfaces: ROA without D & M, with D, with D & M), (b) varying attack impact values I_{S1}, I_{G1} (x axis) and attack cost values C_{S1}, C_{G1} (y axis) of leaf nodes S1 and G1 of the SCADA ACT (surfaces: ROA without CM, with CM) and (c) varying attack impact value i_{A31} (x axis) and attack cost value c_{A31} (y axis) of the leaf node A31 in the MI ACT (surfaces: ROA without D or M, with D, with D & M). Impact axes in dollars (x 10^3).]

Figure 4.7(a) shows ROA for the BGP ACT (with and without countermeasures)
with the attack cost of leaf node A1123 varying uniformly in the range 0 to 200 $ and the attack
impact value of leaf node A1123 varying uniformly in the range 0 to 3x10^5 $. As in the
case of Risk_sys, the ROA of the BGP ACT decreases with the incorporation of detection
mechanisms and then increases with the incorporation of mitigation techniques (imperfect
mitigations) in the ACT. Figure 4.7(b) shows ROA for the SCADA ACT (with
and without countermeasures) with the attack costs of the leaf nodes S1 and G1 varying
together in the range 0 to 200 $ and the impact values of the leaf nodes S1 and G1 varying
together in the range 0 to 3x10^5 $. ROA for the SCADA ACT decreases with the incorporation
of countermeasures. Figure 4.7(c) shows ROA for the MI ACT (with and without
countermeasures) with the attack cost of leaf node A31 varying uniformly in the range
0 to 200 $ and the attack impact value of leaf node A31 varying uniformly in the range 0 to
3x10^5 $. From the surfaces we see that for the BGP, SCADA and MI ACTs, the ROA value
is directly proportional to the I_goal value and inversely proportional to the C_attacker value of
the corresponding ACT.
[Figure 4.8: P_goal against the probability that a countermeasure succeeds (x axis, 0 to 1) for (a) the BGP ACT (curves: P_goal with CM1 only, with CM12 only, with CM2 only), (b) the SCADA ACT (curves: P_goal with CM_switchHMI only, with CM_restartG3 only) and (c) the MI ACT (curves: P_goal with only D12 and M12, with only D412 and M412).]

[Figure 4.9: ROI for each countermeasure against c_{CM_i} (x axis, security investment cost of CM_i in dollars, 0 to 100) and p_{CM_i} (y axis, probability that CM_i works, 0 to 1) for (a) the BGP ACT (ROI_{CM_1}, ROI_{CM_12}, ROI_{CM_2}), (b) the SCADA ACT (ROI(switchHMI), ROI(restartG3)) and (c) the MI ACT (ROI of CM_12, ROI of CM_412).]

Figure 4.8(a) shows P_goal for the BGP ACT, Figure 4.8(b) shows P_goal for the
SCADA ACT and Figure 4.8(c) shows P_goal for the MI ACT with the probability that
a countermeasure works (p_{CM_i}) for all the countermeasures in the ACT varying
together in the range [0,1]. For the BGP, SCADA and MI ACTs, it can be seen that P_goal
decreases with increasing p_{CM_i}. Moreover, CM1 and CM12 have the same effect on
P_goal of the BGP ACT and their plots overlap.

Figure 4.9(a) shows ROI for each countermeasure in the BGP ACT, Figure 4.9(b)
shows ROI for the countermeasures (switch HMI) and (restart G3) of the SCADA ACT and
Figure 4.9(c) shows ROI for each countermeasure in the MI ACT, with the security investment
cost of the countermeasure (c_{CM_i}) varying uniformly in the range 0 to 100 $ and
the corresponding p_{CM_i} varying uniformly in the range [0,1]. For all countermeasures,
we observe that ROI = -1 for p_{CM_i} = 0: a countermeasure that never works leaves P_goal
unchanged, so Eq. (3.16) reduces to -c_{CM_i}/c_{CM_i}. From Figure 4.9(a), it can be seen that the
ROI from CM2 exceeds that from CM1 or CM12. This allows the security analyst
to prioritize the implementation of CM2 in the BGP ACT. For the SCADA ACT, the ROI of
(restart G3) exceeds the ROI of (switch HMI). Similarly, for the MI ACT, the ROI of CM412
exceeds the ROI of CM12.
5 Optimal Countermeasure Selection
5.1 Optimization Problem
Often the system administrator has to work within a given set of budget constraints
which may preclude him from implementing all possible countermeasures. One such
objective of a security analyst is to select a subset of countermeasures such that the
security investment cost is minimized and the benefit from the countermeasures is
maximized. In the following subsections, we discuss different ways of formulating this
optimization problem. We first use minimization of the number of countermeasures
implemented in the ACT as the objective function and then discuss the use of other
objective functions such as minimization of security investment cost, minimization
of P_goal and maximization of ROI for the optimization. We have implemented all the
relevant optimization algorithms in a MATLAB toolbox. For the analysis, we use the
BGP ACT [15] of Figure 3.3 and the SCADA ACT [91] of Figure 4.2 as case studies.
The values of the input parameters for the attack nodes of both ACTs are in Table 4.1
and the values of the input parameters for the countermeasure nodes of both ACTs are
in Table 4.2.
5.1.1 Single Objective Optimization
In this subsection, we look at single-objective optimization for finding the optimal
countermeasure set. From a given system, the security analyst can build its ACT.
SHARPE is used to generate the mincuts (attack-countermeasure scenarios) of the
ACT. Using the mincuts, the defender can select the minimal set of defense mecha-
nisms covering as many attack events as possible.
Full cover of attack events
Depending on the position of the countermeasures in the ACT, we can select the minimum
number of defense mechanisms under the condition that all attack events in
the ACT are covered (e.g., as in the BGP ACT). As discussed in Section 3.2, a
countermeasure in an ACT mincut covers every attack event present in that ACT
mincut. The optimization problem, a special case of the set cover problem [16], can be
formulated as a binary integer programming problem. Full cover of the ACT is achieved
if the countermeasures in the optimal set (OPT) cover all the leaf attack events in
the ACT. Then the objective function can be given by:

F_1 = \min_{OPT \in 2^{CM}} \sum_{i=1}^{n} \mathbb{1}_{OPT}(CM_i) \quad \text{subject to: covered set} = A   (5.1)

where A = {A_1, A_2, A_3, ..., A_m} is the set of all attack events in the ACT, CM =
{CM_1, CM_2, CM_3, ..., CM_n} is the set of all countermeasures in the ACT, n = |CM| and
\mathbb{1}_{OPT}(CM_i) is the indicator function such that \mathbb{1}_{OPT}(CM_i) = 1 if CM_i \in OPT and
0 otherwise.

We formulate this optimization problem as a binary integer programming problem.
A constraint matrix (T) is generated from the ACT mincuts, where the columns
represent the countermeasures (CM_i) and the rows represent the attack events (A_j). Instances
of the constraint matrix are shown in Figure 5.1. If CM_i covers A_j, t_{ij} (the entry
of T in the column of CM_i and the row of A_j) = 1, else t_{ij} = 0. To find the optimal countermeasure
set, we minimize the number of columns selected from the constraint matrix T, subject
to the constraint that each row (attack event) is covered by at least one selected column
(countermeasure). Hence the constraint (covered set = A) can be expressed as

\forall A_j \in A, \quad \sum_{i=1}^{n} t_{ij} \times \mathbb{1}_{OPT}(CM_i) \ge 1   (5.2)

This optimization problem then reduces to a special case of the set cover problem
also known as the 'unate covering problem' [48]. We proposed a preliminary version
of this greedy algorithm in [64].
To compute the cover, reduction techniques are applied to the constraint matrix.
Some terminology relevant to the reduction methods is:
• Essential Columns : Columns that contain the only non-zero entry of a certain
row are called essential columns.
• Row Dominance: Row Ai is said to dominate row Aj if row Ai contains at least
all the 1-entries in row Aj. Ai is referred to as the dominating row and Aj is
referred to as the dominated row.
• Column Dominance: Column CMi is said to dominate column CMj if CMi
contains at least all the 1-entries in CMj. CMi is referred to as the dominating
column and CMj is referred to as the dominated column.
Instances of essential columns and column dominance are also shown in Figure 5.1.
The procedure for reduction of the constraint matrix is described in Table 5.1. A
sample run of the procedure REDUCE(OPT ,T) on the constraint matrix of the BGP
ACT in Figure 3.3 is shown in Figure 5.1. This same reduction technique is used by
the Quine-McCluskey method for finding the smallest set of prime implicants that
cover a given Boolean sum of minterms. However in case of the Quine-McCluskey
method, the case of a cyclic constraint matrix does not arise.
Table 5.1: Procedure for reduction of constraint matrix T

REDUCE(OPT, T) {
  1. do {
  2.   find essential columns {CM_1, ..., CM_p} in T
       remove essential columns {CM_1, ..., CM_p} from T
       remove rows {A_1, ..., A_q} covered by the essential columns {CM_1, ..., CM_p} from matrix T
       OPT = OPT \cup {CM_1, ..., CM_p}
       rebuild matrix T
  3.   check for row dominance*
       remove dominating rows {A_1, ..., A_r} from matrix T
       rebuild matrix T
  4.   check for column dominance*
       remove dominated columns {CM_1, ..., CM_s}
       rebuild matrix T
     } while (reduction occurred in T)
  5. return (OPT, T)
}

* if two columns (or two rows) dominate each other (i.e., have the same one-entries), we choose one column (or one row) arbitrarily, as shown for constraint matrix T4 in Figure 5.1
For the BGP ACT in Figure 3.3, the greedy solution works and returns an optimal
countermeasure set OPT = {CM1, CM2} (as shown in Figure 5.1). However, the
greedy strategy alone does not work for all ACTs. For the ACT for the TCP sequence number
attack in Figure 5.2, we see that the reduction techniques do not work on the constraint
matrix, as the matrix is devoid of essential columns, row dominance and column dominance (this
form of matrix is called a cyclic constraint matrix). So the greedy strategy will fail
to return a solution if the ACT has a constraint matrix that is cyclic or a matrix
that after a certain amount of reduction becomes cyclic. This problem is a special
case of the 'unate covering problem' called the 'cyclic unate covering problem'.
Noel et al. in [54] discussed facing a similar drawback while analyzing attack graphs
with their Topological Vulnerability Analysis tool [39] (TVA tool). If the
ACT has a cyclic constraint matrix or has a constraint matrix that is reducible to
a cyclic matrix, multiple optimal solutions may exist. In this case, one way to find the
optimal solutions is to do an implicit enumeration of all possible solutions, where the
bounding keeps the computational overhead down. We use a branch and bound algorithm to display
all possible optimal solutions. For the ACT for the TCP sequence number attack
in Figure 5.2, the branch and bound algorithm returns all three optimal solutions
{CM1, CM2}, {CM2, CM3} and {CM1, CM3}.

[Figure 5.1: Sample run of the procedure REDUCE(OPT, T) (from Table 5.1) on the constraint matrix T for the BGP ACT in Figure 3.3.]

Constraint matrix T1 (OPT = \emptyset):

           CM1   CM12   CM2
  A111      1     1      0
  A1121     1     1      0
  A1122     1     1      0
  A1123     1     1      0
  A12       1     1      0
  A2        0     0      1

CM2 is an essential column (the only 1-entry in row A2): OPT = OPT \cup {CM2} = {CM2}.

Constraint matrix T2, after removing column CM2 and the row it covers (A2) and rebuilding T:

           CM1   CM12
  A111      1     1
  A1121     1     1
  A1122     1     1
  A1123     1     1
  A12       1     1

The rows all dominate each other, so one row is kept (T3). Columns CM1 and CM12 also dominate each other (T4); CM1 is chosen arbitrarily as the dominating column and CM12 is removed. CM1 is then the essential column for the remaining row: OPT = OPT \cup {CM1} = {CM1, CM2}.
Table 5.2: Algorithm for finding the optimal countermeasure set for an ACT with objective function F_1

OPTCMACT(ACT mincuts from SHARPE) {
  1. Build A and CM,
     where A = set of attack events in the ACT, CM = set of all countermeasures,
     OPT (optimal set of countermeasures) = \emptyset, m = |A|, n = |CM|
  2. Initialize the m x n constraint matrix T
     for every A_i \in A
       for every CM_j \in CM
         if (attack event A_i is covered by countermeasure CM_j) set t_ij = 1
         else set t_ij = 0
         end if
       end for
     end for
  3. (OPT, T) = REDUCE(OPT, T)                      /* call matrix reduction */
  4. if (T is a column matrix (CM_k))
       OPT = OPT \cup {CM_k}                          /* greedy solution works */
     else                                             /* matrix T is cyclic (a): cyclic unate covering problem; call branch and bound */
       OPT = OPT \cup B&B_ACT(P = \emptyset, T, OPT_1 = \emptyset, Z_L = 0, Z_U = \infty, c_CM = {1, 1, ..., 1}) (b)
     end if
  5. return OPT
}

(a) An ACT with a cyclic constraint matrix is shown in Figure 5.2.
(b) Here B&B_ACT is called for a subproblem of the original problem if after a certain amount of reduction we are left with a cyclic constraint matrix. In the case of objective function F_1, c_CM is a set of all ones in the call to B&B_ACT.
[Figure 5.2: Instance of a cyclic constraint matrix using an ACT for TCP sequence number attack. Goal: Integrity Compromise (TCP sequence number attack), reachable by a blind, a non-blind or a partially blind spoofing attack, each built from two of the attack events A1: Guess sequence number, A2: Inject valid BGP message and A3: Sniff traffic, with countermeasures CM1': Sequence Number Randomization, CM2': MD5 authentication and CM3': Remove Sniffer. ACT mincuts: {A1, A2, CM2'}, {A2, A3, CM3'}, {A3, A1, CM1'}.

Constraint matrix T (cyclic matrix):

          CM1   CM2   CM3
  A1       1     1     0
  A2       0     1     1
  A3       1     0     1

No essential columns, no row dominance, no column dominance: the reduction techniques stop without terminating (cyclic unate covering problem).]

To transition into the discussion of a suitable branch and bound algorithm for
our purposes, we start with the objective function F_2 shown in Eq. (5.3), which aims to
minimize the security investment cost in the system (the constraint being full cover of
A). We can see that F_2 is a general version of the objective function F_1 where \forall CM_i,
c_{CM_i} = 1.

F_2 = \min_{OPT \in 2^{CM}} \sum_{i=1}^{n} \mathbb{1}_{OPT}(CM_i) \times c_{CM_i}   (5.3)
With objective function F2 and the constraint which is still as in Eq. (5.2), the
optimization problem is still a binary integer programming problem. To compute
the cover under F2, we build a recursion tree of all possible solutions looking for the
optimal solution. After the first ‘best possible solution’ is found, the tree is pruned
whenever we come across a solution that is worse than the best possible solution.
Some terminology relevant to the branch and bound algorithm are as follows:
• Partial Solution: A partial solution consists of a subset of the entire solution
space. For our purposes let us consider that the solution space can be
represented as {1_OPT(CM1), 1_OPT(CM2), ..., 1_OPT(CMm-1), 1_OPT(CMm), ...,
1_OPT(CMn-1), 1_OPT(CMn)}. If at some stage we have a partial solution of
the form P = {1_OPT(CM1), 1_OPT(CM2), ..., 1_OPT(CMm-1), 1_OPT(CMm)} =
{1, 0, ..., 0, 1}, then this leaves us with a partial solution of {1, 0, ..., 0, 1, ...,
1_OPT(CMn-1), 1_OPT(CMn)}. Note that the size of the partial solution reflects
the depth in the recursion tree of the branch and bound algorithm at which the
search stands at that point of time.
• Upper Bound (ZU): An upper bound for the value of the objective function
is assumed to be available. This is the value of the objective function for the
best feasible solution found so far. If no solution has been found, upper bound
is assumed to be ∞.
• Lower Bound (ZL): For each partial solution, a lower bound for the value of
the objective function of the solutions within that subset can be computed.
• Fathoming Rules: A partial solution is said to be fathomed at a certain level
of the recursion tree if it can be excluded from further consideration. A partial
solution can be fathomed if:
(a) The lower bound of the partial solution exceeds the current upper bound of
the objective function, i.e., ZL ≥ ZU.
(b) The subset of solutions under this partial solution contains no feasible solutions.
In terms of the constraint matrix T and partial solution {1_OPT(CM1),
1_OPT(CM2), ..., 1_OPT(CMm-1), 1_OPT(CMm)}, the test is:

$\exists A_j \in A,\ \sum_{i=1}^{m} t_{ij} \times \mathbb{1}_{OPT}(CM_i) + \sum_{i=m+1}^{n} t_{ij} < 1$ (5.4)

(c) A feasible solution (with respect to the current upper bound) under that
partial solution has already been found. In terms of the constraint matrix
T and partial solution {1_OPT(CM1), 1_OPT(CM2), ..., 1_OPT(CMm-1),
1_OPT(CMm)}, the test is:

$\forall A_j \in A,\ \sum_{i=1}^{m} t_{ij} \times \mathbb{1}_{OPT}(CM_i) \geq 1$ (5.5)
The recursive branch and bound algorithm [37] for computing the optimal countermeasure
set using objective function F2 is depicted in Table 5.3. For objective function
F2, the constraint matrix for the ACT is created and the call B&B_ACT*(P=φ,
T, OPT=φ, ZL=0, ZU=∞, cCM) to the algorithm in Table 5.3 returns an optimal
countermeasure set corresponding to objective function F2 (where cCM = {c_CM1, c_CM2, ..., c_CMn}).
The corresponding procedure for computing the lower bound is shown in Table 5.5.
Note that objective function F1 is a special case of objective function F2
where ∀CMi, c_CMi = 1. Using the algorithm in Table 5.2 on the ACT for the TCP sequence
number attack (shown in Figure 5.2) with objective function F1, we get the
optimal countermeasure set {CM1, CM2}; here one of the three optimal solutions
is selected by the branch and bound algorithm. For the BGP ACT, using F2 returns
an optimal countermeasure set of {CM12, CM2} with minimum security investment
cost = $80.
In the absence of a cyclic constraint matrix, the algorithm in Table 5.2 is solvable
in polynomial time [16]. Runtime = (total number of attack events in the
ACT) × (total number of defense mechanisms in the ACT) × min(|no. of attack events|, |no.
of defense mechanisms|) = O(mn · min(m, n)), which indicates polynomial runtime.
Assuming a reasonable security investment cost (acceptable values of n), the worst
case runtime is also polynomial. In the best case, the size of the recursion tree generated
by the branch and bound algorithm in Table 5.3 is linear in the number of
variables (no. of countermeasures) [74]. A sample run of the algorithm in Table 5.3
with objective function F2 on an ACT that forms a 4×4 cyclic constraint matrix is
shown in Figure 5.3. The search tree shown has 13 nodes as opposed to 31 (2^(4+1) − 1)
nodes in its explicit enumeration search tree.
Other objective functions: Other objective functions can also be used to select
the optimal countermeasure set (in each case the covered set is A). We
use the algorithm described in Table 5.3 to find the optimal solution using objective
function F3 (where $C_{OPT} = \sum_{i=1}^{n} \mathbb{1}_{OPT}(CM_i) \times c_{CM_i}$ and γ = 10^3 is a normalization
constant).

$F_3 = \min_{\forall OPT \in 2^{CM}} \frac{C_{OPT} - ROI_{OPT} \times C_{OPT} + C_{OPT}}{\gamma}$ (5.6)

Using the algorithm in Table 5.3 for objective function F3, we get an optimal
countermeasure set of {CM12, CM2} with maximum ROI = 21.
When multiple detection mechanisms (Figure 3.1(e)) or multiple mitigation tech-
niques (Figure 3.1(f)) or both (Figure 3.1(g)) are provided for the same attack event,
only one detection mechanism (Figure 3.1(e)) or one mitigation technique (Fig-
ure 3.1(f)) or one detection mechanism and one mitigation technique (Figure 3.1(g))
Table 5.3: Recursive Branch and Bound algorithm for finding optimal countermeasure set using objective function F2

B&B_ACT*(P, T, OPT, ZL, ZU, cCM) {
1. /* compute current lower bound */
   ZL = LOWER_BOUND(P, ZL, cCM)
2. /* Fathoming Test 1: is the current solution bounded? */
   if (ZL ≥ ZU)
       return (OPT, ZU)                     /* return current optimal */
   else
3. /* Fathoming Test 2: are there any feasible solutions in this subtree? */
   for every Aj ∈ A                          /* for every row */
       sumj = 0
       for every 1_OPT(CMi) ∈ P               /* decided columns */
           sumj = sumj + tij × 1_OPT(CMi)
       end for
       for every 1_OPT(CMi) ∉ P and CMi ∈ CM  /* undecided columns count as 1 */
           sumj = sumj + tij
       end for
       if (sumj = 0)                         /* no feasible solution below P */
           return (OPT, ZU)                 /* return current optimal */
       end if
   end for
4. /* Fathoming Test 3: is the current P itself a feasible solution? */
   flag = 0
   for every Aj ∈ A                          /* for every row */
       sumj = 0
       for every 1_OPT(CMi) ∈ P
           sumj = sumj + tij × 1_OPT(CMi)
       end for
       if (sumj = 0)
           flag = 1
       end if
   end for
   if (flag = 0)                             /* found new optimal */
       k = |P|
       set 1_OPT(CMk+1), ..., 1_OPT(CMn) to 0
       OPT = P ∪ {1_OPT(CMk+1), 1_OPT(CMk+2), ..., 1_OPT(CMn)}   /* set new optimal */

* here we use a branch and bound algorithm with lower bound computation corresponding to the respective objective function

Table 5.4: Recursive Branch and Bound algorithm for finding optimal countermeasure set using objective function F2 (contd.)

       ZU = ZL                              /* set new upper bound = current ZL */
       return (OPT, ZU)                     /* return new optimal */
   else
5. /* Fathoming Test 3 failed: branch on CMk+1 */
       1_OPT(CMk+1) = 1
       (OPT, ZU) = B&B_ACT*(P ∪ {1_OPT(CMk+1)}, T, OPT, ZL, ZU, cCM)
       if (OPT = P ∪ {1_OPT(CMk+1)} with all remaining 1_OPT set to 0)
           return (OPT, ZU)                 /* skip the right subtree; return current optimal */
       else                                 /* search the right subtree */
           1_OPT(CMk+1) = 0
           (OPT, ZU) = B&B_ACT*(P ∪ {1_OPT(CMk+1)}, T, OPT, ZL, ZU, cCM)
           return (OPT, ZU)                 /* return optimal */
       end if
   end if
}

Table 5.5: Procedure for computing the lower bound for objective function F2

LOWER_BOUND(P, ZL, cCM) {
1. k = |P|
2. if (1_OPT(CMk) = 1)
       ZL = ZL + c_CMk
       return ZL                            /* return new lower bound */
   else
       return ZL                            /* return old lower bound */
   end if
}
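The following Python program is an added worked example of the procedure in Tables 5.3 to 5.5; it is not part of the thesis and not the MATLAB optimization toolbox the thesis describes. It assumes the matrix orientation T[j][i] = 1 when CM_{i+1} covers A_{j+1} (0-based indices, the same layout as the matrices in Figures 5.2 and 5.3), keeps a partial solution as the list of decisions already taken for CM_1 .. CM_k, and takes an optional list of rows to cover, which is all rows for full cover and the CVS rows for the partial-cover constraint of Eq. (5.8). The function and parameter names (`bb_act`, `lower_bound`, `solve`, `skip_rule`) are this example's own; the two matrices and the cost vector are copied from Figures 5.2 and 5.3, and the two-column instance at the end is constructed here.

```python
"""Weighted unate covering by branch and bound, following Tables 5.3-5.5.

Added example (not the thesis' MATLAB toolbox). Assumed conventions:
  * T[j][i] == 1 when countermeasure CM_{i+1} covers attack event A_{j+1}
    (0-based indices, same orientation as the matrices in Figures 5.2/5.3);
  * a partial solution is the list of 0/1 decisions already taken for
    CM_1 .. CM_k, in that order;
  * `rows` lists the attack events that must be covered: every row for full
    cover, the CVS rows for partial cover (constraint 5.8).
"""


def lower_bound(partial, costs, z_l):
    """Table 5.5: the bound grows by c_CMk when the latest decision chose CM_k."""
    if partial and partial[-1] == 1:
        return z_l + costs[len(partial) - 1]
    return z_l


def bb_act(T, costs, rows=None, partial=(), opt=None, z_l=0,
           z_u=float("inf"), skip_rule=True, stats=None):
    """Return (opt, z_u, stats): the cheapest cover found, its cost and a
    dict whose "nodes" entry counts the recursion-tree nodes visited."""
    n = len(costs)
    rows = list(range(len(T))) if rows is None else list(rows)
    stats = {"nodes": 0} if stats is None else stats
    partial = list(partial)
    k = len(partial)
    stats["nodes"] += 1

    z_l = lower_bound(partial, costs, z_l)
    if z_l >= z_u:                       # Fathoming Test 1: subtree is bounded
        return opt, z_u, stats

    def decided(j):                      # cover of A_j by the decided columns only
        return sum(T[j][i] * partial[i] for i in range(k))

    # Fathoming Test 2 (Eq. 5.4): undecided columns count as 1; a row that is
    # still uncovered can never be covered below P.
    for j in rows:
        if decided(j) + sum(T[j][i] for i in range(k, n)) == 0:
            return opt, z_u, stats
    # Fathoming Test 3 (Eq. 5.5): P alone is feasible, so it becomes the
    # incumbent with all remaining decisions set to 0 and ZU = ZL.
    if all(decided(j) >= 1 for j in rows):
        return partial + [0] * (n - k), z_l, stats

    # Branch on CM_{k+1}: left subtree sets it to 1 ...
    opt, z_u, stats = bb_act(T, costs, rows, partial + [1], opt, z_l, z_u,
                             skip_rule, stats)
    # ... and Table 5.4 skips the right subtree when the left subtree's first
    # leaf became the incumbent (exact for unit costs, a heuristic otherwise).
    if skip_rule and opt == partial + [1] + [0] * (n - k - 1):
        return opt, z_u, stats
    return bb_act(T, costs, rows, partial + [0], opt, z_l, z_u, skip_rule, stats)


def solve(T, costs, rows=None, skip_rule=True):
    """Convenience wrapper: (chosen countermeasure names, cost, nodes visited)."""
    opt, z_u, stats = bb_act(T, costs, rows, skip_rule=skip_rule)
    chosen = ["CM%d" % (i + 1) for i, x in enumerate(opt or []) if x]
    return chosen, z_u, stats["nodes"]


# Inputs copied from the figures: the 4x4 cyclic matrix and costs of
# Figure 5.3, and the 3x3 cyclic matrix of Figure 5.2 (unit costs, i.e. F1).
T_FIG53 = [[1, 1, 0, 0],
           [0, 1, 1, 0],
           [0, 0, 1, 1],
           [1, 0, 0, 1]]
COST_FIG53 = [10, 20, 15, 25]
T_FIG52 = [[1, 1, 0],
           [0, 1, 1],
           [1, 0, 1]]

if __name__ == "__main__":
    print(solve(T_FIG53, COST_FIG53))                  # (['CM1', 'CM3'], 25, 13)
    print(solve(T_FIG52, [1, 1, 1]))                   # (['CM1', 'CM2'], 2, 8)
    print(solve(T_FIG53, COST_FIG53, rows=[0, 1]))     # partial cover of A1, A2 only
    # Constructed two-column instance: one attack event, two covering CMs.
    print(solve([[1, 1]], [100, 1], skip_rule=True))   # (['CM1'], 100, ...)
    print(solve([[1, 1]], [100, 1], skip_rule=False))  # (['CM2'], 1, ...)
```

Run on the matrix of Figure 5.3 the search visits exactly the 13 nodes of the figure, finds 1110 at cost 45 first and then 1010 at cost 25. The skip-right-subtree rule of Table 5.4 is what keeps the tree that small; it is exact under F1 (any cover in the skipped subtree needs at least one more countermeasure than the incumbent), but under weighted costs it can discard the optimum, as the constructed two-column instance shows (the rule returns the $100 countermeasure although the $1 one also covers the single attack event), which is why the example exposes it as a switch.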
Figure 5.3: Sample run of the algorithm in Table 5.3 on a cyclic constraint matrix T.
[Figure: the recursion tree over 1_OPT(CM1), ..., 1_OPT(CM4), starting from φ with ZL=0, ZU=∞ and annotated with (ZL, ZU) at each node. Inputs:

    T     CM1  CM2  CM3  CM4
    A1     1    1    0    0
    A2     0    1    1    0
    A3     0    0    1    1
    A4     1    0    0    1

    Cost in $:   CM1 = 10   CM2 = 20   CM3 = 15   CM4 = 25

Fathoming Test 3 succeeds twice, at solution 1110 (ZU = ZL = 45) and then at solution 1010 (ZU = ZL = 25); Fathoming Test 1 and Fathoming Test 2 each succeed at two further nodes and prune the remaining subtrees.]
are chosen respectively for the optimal countermeasure set found using objective
function F2. This is because one detection mechanism provides the
same cover as two or more detection mechanisms while minimizing security investment
cost. However, when looking for the maximum-ROI optimal countermeasure
set, multiple detection mechanisms under the same attack event may have higher
ROI than one detection mechanism. Hence the optimal countermeasure set obtained
using objective function F3 can have two or more detection mechanisms or mitigation
techniques or both for the same attack event.
Partial cover of attack events
Researchers have proposed building security models for networked systems using
paradigms such as attack trees and then finding attack paths in these models to
determine scenarios that could lead to damage. However, sometimes system
administrators are more interested in finding the best possible way of defending
their system given an enumerated set of countermeasures. This can be formulated
as an optimization problem termed 'partial cover'. Depending on the motivation
behind partial cover, it may be of two types:
(a) Partial cover with intent: The system administrator has to work within a given
set of budget constraints which may preclude him from implementing all possible
countermeasures, or even countermeasures that cover all the weak spots. Due to
cost constraints, this minimum set of countermeasures can cover only a subset
of all the leaf attack events in the ACT; this subset of the set of all attack events
(A) is termed the 'critical vulnerability set' (CVS) or the 'critical component
set'.
(b) Partial cover without intent: When the number of countermeasures provided or
found is insufficient to cover all the attack events in the ACT (e.g., as in the
case of the SCADA ACT), the system administrator is said to be performing
partial cover without intent.
The subset of all attack events not being covered is a measure of the system's 'risk
exposure'. The problem then reduces to a special case of the full cover problem. The
objective function is the same as in Eq. (5.1) but the constraint changes for partial cover
as shown below:

$F_1 = \min_{\forall OPT \in 2^{CM}} \sum_{i=1}^{n} \mathbb{1}_{OPT}(CM_i)$ : covered set = CVS (5.7)

The constraint, covered set = CVS, can be otherwise expressed as

$\forall A_j \in CVS,\ \sum_{i=1}^{n} t_{ij} \times \mathbb{1}_{OPT}(CM_i) \geq 1$ (5.8)
The SCADA ACT in Figure 4.2 is an instance of the case of partial cover without
intent. Here the system administrator is provided with countermeasures for dealing
with corruption in the power load system but none that deal with any corrupt
estimates provided by the customers. The optimal countermeasure set is computed
using the algorithm in Table 5.2 but with covered set = CVS = {HMI, SCOPF,
G1, G2, G3}. The optimal countermeasure sets are OPT1 = {(switch HMI), (restart
G1)}, OPT2 = {(switch HMI), (restart G2)} and OPT3 = {(switch HMI), (restart G3)}.
Figure 5.4(a) shows Pgoal for the BGP ACT (without countermeasures and under
different optimal solutions) and Figure 5.4(b) shows Pgoal for the SCADA ACT (without
countermeasures and under different optimal solutions), with the probability of attack
value of all the leaf nodes in the ACT varying together in the range [0, 1]. From
Figure 5.4(a) we find that the Pgoal value for the BGP ACT decreases with the incorporation
of countermeasures, i.e., under the two optimal countermeasure sets (using F1),
OPT1 = {CM1, CM2} and OPT2 = {CM12, CM2}. The SCADA ACT has only attack and
mitigation events. From Figure 5.4(b), we find that Pgoal for the SCADA ACT decreases
with the incorporation of mitigations, i.e., under the three optimal countermeasure
sets (using F1 for partial cover), OPT1, OPT2 and OPT3.
Figure 5.5(a) shows ROI for each set of countermeasures in the BGP ACT that provides
full cover and Figure 5.5(b) shows ROI for each countermeasure set providing
the required partial cover for the SCADA ACT, with the security investment costs of the
countermeasures (c_CMi's) varying uniformly in the range $0 to $100 and the corresponding
p_CMi's varying uniformly in the range [0, 1]. For all countermeasure sets, we
observe that ROI = -1 for all p_CMi = 0. From Figure 5.5(a), it can be seen that
the ROI of {CM1, CM2} exceeds the ROI of {CM12, CM2}. In agreement with these results,
{CM1, CM2} is returned as the optimal countermeasure set under objective
function F3 for the BGP ACT. For the SCADA ACT, the ROI of {switch HMI, restart G3}
exceeds the ROI of the other countermeasure sets providing the required partial cover. In
agreement with these results, {switch HMI, restart G3} is returned as the optimal
Figure 5.4: Plot of Pgoal vs. probability of attack values of all the leaf nodes of (a) BGP ACT for the ACT with no countermeasure and under the two optimal solutions (OPT1 and OPT2) and (b) SCADA ACT for the ACT with no countermeasure (case 1) and under the three optimal solutions (OPT1, OPT2 and OPT3).
[Figure: two plots. (a) x axis "Probability of attack at leaf node of BGP ACT" (0 to 1), y axis "Probability of attack at the goal of BGP ACT" (0 to 1); curves: Pgoal without D or M, Pgoal with OPT1, Pgoal with OPT2. (b) x axis "Probability of attack at leaf node of SCADA ACT" (0 to 1), y axis "Probability of attack at the goal of SCADA ACT" (0 to 1); curves: Pgoal_SCADA_ACT_without_M, Pgoal_SCADA_ACT_with_OPT1, Pgoal_SCADA_ACT_with_OPT2, Pgoal_SCADA_ACT_with_OPT3.]
countermeasure set under objective function F3 for SCADA ACT.
For increasing tree size, runtime for finding optimal countermeasure set using
objective function F2 (y-axis) is plotted against the number of leaf nodes (x-axis)
in the ACT in Figure 5.6. Our method returns an optimal solution for the ACT
with 5000 leaf nodes in almost 25 seconds on a computer system with an Intel(R)
Core(TM)2 CPU 1862.103 MHz processor with 2 MB of cache, 4 GB of memory
and the CentOS Release 5.4 (Linux 2.6.34) operating system which is much better
than the runtime of explicit enumeration technique (almost 70 minutes) and slightly
better than the runtime of a simple genetic algorithm (nearly 35 seconds) used for
the same objective function.
Figure 5.5: ROI of (a) the different countermeasure sets providing full cover against c_CMi (x axis) and p_CMi (y axis) for BGP ACT and (b) the different countermeasure sets providing the required partial cover against c_CMi (x axis) and p_CMi (y axis) for SCADA ACT.
[Figure: two surface plots of Return on Investment (ROI), ranging from -5 to 25, against the security investment cost of a countermeasure (CM_i) in dollars (0 to 100, x axis) and the probability that countermeasure CM_i works, p_CMi (0 to 1, y axis). Surfaces: (a) ROI_{CM_1,CM_2}, ROI_{CM_{12},CM_2}; (b) ROI(switchHMI, restartG1), ROI(switchHMI, restartG2), ROI(switchHMI, restartG3).]
5.2 Implementation of Optimization Toolbox
The general use-case diagram for the MATLAB optimization toolbox is shown in
Figure 5.7. A general parser reads results from the SHARPE input and output
files into the MATLAB main optimizer module. The main optimizer module then
builds the matrix T and interacts with three separate modules that extract values of
Pgoal, structural importance measures and ROI from the SHARPE input and output
files according to the requirements of the optimization.
Figure 5.6: Runtime plot for optimization with objective function F2 using (i) explicit enumeration, (ii) branch and bound algorithm (in Table 5.3) and (iii) a simple genetic algorithm (SGA) with increasing tree size.
[Figure: x axis "Number of leaf nodes in ACT" (0 to 5000), y axis "Runtime in seconds" (0 to 70; the explicit enumeration curve is in minutes). Curves: runtime with implicit enumeration, runtime with a SGA, runtime with explicit enumeration.]
Figure 5.7: Use case diagram for optimizer.
[Figure: SHARPE input files and SHARPE output files are read by the Parser (from SHARPE) and passed to the Optimizer, which builds the covering matrix. If the objective function is F1 and the matrix is not cyclic, the optimizer uses the greedy strategy; if the objective function is F1 and the matrix is cyclic, or the objective function is not F1, it uses the branch and bound algorithm. In either case the optimal set is displayed.]
6 Conclusions and Future Work
6.1 Conclusions
In this thesis we have presented attack countermeasure trees, which allow us to perform
qualitative and probabilistic analysis of the security of a system. Preliminary
concepts on combinatorial models, and related work on the use of combinatorial
models in security modeling, are presented in Chapter 2. The
basic ACT model and its corresponding analysis are presented in Chapter 3. We
take into account attacks as well as countermeasures (in the form of detection mechanisms
and mitigation techniques). Detections and mitigations can be placed not just
at leaf nodes but also at any intermediate node (Section 3.1). Qualitative analysis
(Section 3.2) in the form of mincuts can be used for the automated generation and
analysis of attack scenarios and attack-countermeasure scenarios. Events in an ACT
can be prioritized with the help of structural and Birnbaum importance measures.
Probabilistic analysis (using measures such as attack and security investment cost,
Birnbaum importance measure, system risk, impact of an attack, ROI and ROA)
can be performed in an integrated manner (Section 3.2). Implementation of the ACT
model in SHARPE is presented in Chapter 4 along with results from the
analysis of case studies. ACT allows for fast and efficient computation of optimal defense
strategies for large systems using single- and multi-objective optimization based
on a combinatorial model while at the same time avoiding the state-space explosion
problem.
6.2 Future Work
Although we have built attack countermeasure trees, implemented an ACT anal-
ysis module in SHARPE and developed algorithms for selecting an optimal set of
countermeasures from the ACT, many issues remain to be addressed. Future work
includes
• Computation of probability of attack values by applying Bayesian inference
rules to data gathered by an IDS, namely SNORT [91], over a certain period of
time.
• Concurrent and sequential application of countermeasures in ACT need to be
addressed by the use of state-space models.
Table 1: SHARPE code for computing mincuts of SCADA ACT

actree scadawd
basic S1 prob(ps1)
basic S2 prob(ps2)
basic S3 prob(ps3)
basic HMI prob(pHMI)
basic switch prob(pswitch)
basic SCOPF prob(pscopf)
basic G1 prob(pg1)
basic restartG1 prob(prstg1)
basic G2 prob(pg2)
basic restartG2 prob(prstg2)
basic G3 prob(pg3)
basic restartG3 prob(prstg3)
basic DB prob(pDB)
basic WAN prob(pWAN)
basic WS prob(pWS)
basic WSE prob(pWSE)
basic LAN prob(pLAN)
kofn kofn0 2, 3, S1 S2 S3
and and2 HMI switch
and and0 and2 SCOPF
and and3 G1 restartG1
and and4 G2 restartG2
and and5 G3 restartG3
and and1 and3 and4 and5
or or0 DB WAN WS
or or1 kofn0 WSE
or or2 and0 and1
or or3 or1 LAN or2
or or4 or0 or3
end
mincuts(scadawd)
end
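The following Python program is an added example, not SHARPE's own mincut routine and not code from the thesis. It reads the actree block of Table 1 (embedded in the program as constructed input copied from the table) with a small parser that understands only the `basic`, `and`, `or` and `kofn` lines used there, enumerates the minimal cut sets of the SCADA ACT bottom-up, and then derives the covering matrix T for the partial-cover case of Section 5.1 under the convention visible in Figure 5.2, where t_ij = 1 when countermeasure CM_i and attack event A_j occur together in a mincut. Treating the last gate defined as the root, the mitigation leaves `switch`, `restartG1`, `restartG2`, `restartG3` as the countermeasures and {HMI, SCOPF, G1, G2, G3} as the CVS are assumptions taken from the table and the text; the function names are this example's own.

```python
"""Mincuts of the SCADA ACT of Table 1 and the covering matrix T built from them.

Added example, not SHARPE's own mincut routine. It parses the actree block of
Table 1 (embedded below, copied from the table), enumerates the minimal cut sets
bottom-up (products for AND and k-of-n gates, unions for OR gates, absorbing
supersets) and builds T under the convention visible in Figure 5.2:
t_ij = 1 when countermeasure CM_i and attack event A_j share a mincut.
The root is assumed to be the last gate defined in the block.
"""
from itertools import combinations

SCADA_ACTREE = """\
actree scadawd
basic S1 prob(ps1)
basic S2 prob(ps2)
basic S3 prob(ps3)
basic HMI prob(pHMI)
basic switch prob(pswitch)
basic SCOPF prob(pscopf)
basic G1 prob(pg1)
basic restartG1 prob(prstg1)
basic G2 prob(pg2)
basic restartG2 prob(prstg2)
basic G3 prob(pg3)
basic restartG3 prob(prstg3)
basic DB prob(pDB)
basic WAN prob(pWAN)
basic WS prob(pWS)
basic WSE prob(pWSE)
basic LAN prob(pLAN)
kofn kofn0 2, 3, S1 S2 S3
and and2 HMI switch
and and0 and2 SCOPF
and and3 G1 restartG1
and and4 G2 restartG2
and and5 G3 restartG3
and and1 and3 and4 and5
or or0 DB WAN WS
or or1 kofn0 WSE
or or2 and0 and1
or or3 or1 LAN or2
or or4 or0 or3
end
"""

# Mitigation leaves and the critical vulnerability set named in Section 5.1 (assumed).
COUNTERMEASURES = ["switch", "restartG1", "restartG2", "restartG3"]
CVS = ["HMI", "SCOPF", "G1", "G2", "G3"]


def parse_actree(text):
    """Map node name -> (kind, children[, k]) for the lines of an actree block."""
    nodes = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("actree", "end"):
            continue
        kind, name = parts[0], parts[1]
        if kind == "basic":
            nodes[name] = ("basic", [])
        elif kind in ("and", "or"):
            nodes[name] = (kind, parts[2:])
        elif kind == "kofn":                 # "kofn name k, n, child ..."
            nodes[name] = ("kofn", parts[4:], int(parts[2].rstrip(",")))
        else:
            raise ValueError("unsupported line: " + line)
    return nodes


def root_of(nodes):
    return [name for name, spec in nodes.items() if spec[0] != "basic"][-1]


def minimize(cuts):
    """Drop every cut set that contains another one (absorption)."""
    kept = []
    for c in sorted({frozenset(c) for c in cuts}, key=len):
        if not any(k <= c for k in kept):
            kept.append(c)
    return kept


def product(cut_lists):
    """Union one cut from each child (the AND gate's cut sets)."""
    combos = [frozenset()]
    for cuts in cut_lists:
        combos = [a | b for a in combos for b in cuts]
    return combos


def mincuts(nodes, name):
    kind, children, *extra = nodes[name]
    if kind == "basic":
        return [frozenset([name])]
    child_cuts = [mincuts(nodes, c) for c in children]
    if kind == "or":
        return minimize([c for cuts in child_cuts for c in cuts])
    if kind == "and":
        return minimize(product(child_cuts))
    k = extra[0]                              # k-of-n: any k children together
    return minimize([c for subset in combinations(child_cuts, k)
                     for c in product(subset)])


def covering_matrix(cuts, attacks, countermeasures):
    """T[j][i] = 1 iff CM_i and A_j share at least one mincut."""
    return [[int(any(a in c and cm in c for c in cuts)) for cm in countermeasures]
            for a in attacks]


def covers(T, chosen, rows):
    return all(any(T[j][i] for i in chosen) for j in rows)


def minimal_covers(T, rows):
    """All smallest countermeasure subsets covering `rows` (brute force, fine for
    the four SCADA mitigations; the branch and bound handles large ACTs)."""
    n = len(T[0])
    for size in range(n + 1):
        found = [c for c in combinations(range(n), size) if covers(T, c, rows)]
        if found:
            return found
    return []


def scada_partial_cover():
    nodes = parse_actree(SCADA_ACTREE)
    cuts = mincuts(nodes, root_of(nodes))
    T = covering_matrix(cuts, CVS, COUNTERMEASURES)
    opts = [[COUNTERMEASURES[i] for i in c] for c in minimal_covers(T, range(len(CVS)))]
    return cuts, T, opts


if __name__ == "__main__":
    cuts, T, opts = scada_partial_cover()
    print(len(cuts), "mincuts, e.g.", sorted(sorted(c) for c in cuts)[:3])
    print("T =", T)
    print("optimal partial covers:", opts)
```

The tree of Table 1 yields ten mincuts (five single events DB, WAN, WS, WSE and LAN, the three pairs of S1, S2, S3, and the two attack-mitigation cuts {HMI, switch, SCOPF} and {G1, restartG1, G2, restartG2, G3, restartG3}); restricted to the CVS rows, T has `switch` covering HMI and SCOPF and every `restartGi` covering G1, G2 and G3, so the three smallest partial covers are exactly OPT1, OPT2 and OPT3 of Section 5.1.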
Bibliography
[1] E. G. Amoroso. Fundamentals of Computer Security Technology. Prentice-Hall, Inc., 1994.
[2] G. H. Baker and A. Berg. Supervisory Control and Data Acquisition (SCADA) Systems. The Critical Infrastructure Protection Report 1.6, 2002.
[3] Z. W. Birnbaum. On The Importance of Different Components in a Multicomponent System. In P. R. Krishnaiah, editor, Multivariate Analysis - II, pages 581–592. Academic Press, New York, NY, USA, 1969.
[4] Z. W. Birnbaum. On The Importance of Different Components in a Multicomponent System. 1969.
[5] S. Bistarelli, M. Dall Aglio, and P. Peretti. Strategic Games on Defense Trees. LNCS, 4691:1–15, 2007.
[6] S. Bistarelli, P. Peretti, and I. Trubitsyna. Defense trees for economic evaluation of security investments. In Proc. ARES, pages 8–15, 2006.
[7] S. Bistarelli, P. Peretti, and I. Trubitsyna. Answer Set Optimization for and/or Composition of CP-Nets: A Security Scenario. LNCS, 4741:773, 2007.
[8] P. J. Boland, F. Proschan, and Y. L. Tong. Optimal arrangement of components via pairwise rearrangements. Naval Research Logistics, 36(6), 1989.
[9] P. J. Brooke and R. F. Paige. Fault trees for security system design and analysis. Computers & Security, 22(3):256–264, 2003.
[10] R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, 100(35):677–691, 1986.
[11] D. A. Butler. A complete importance ranking for components of binary coherent systems, with extensions to multi-state systems. Technical report, Stanford Univ., Calif. Dept. of Operations Research, 1977.
[12] J. W. Butts, R. F. Mills, and R. O. Baldwin. Developing an insider threat model using functional decomposition. Computer Network Security, pages 412–417, 2005.
[13] E. J. Byres, M. Franz, and D. Miller. The use of attack trees in assessing vulnerabilities in SCADA systems. In Proc. IISW, 2004.
[14] H. Chen, Y. Xiao, X. Hong, F. Hu, and J. L. Xie. A survey of anonymity in wireless communication systems. Security and Communication Networks, 2(5):427–444, 2009.
[15] S. Convery, D. Cook, and M. Franz. An Attack Tree for the Border Gateway Protocol. Cisco Internet draft, 2002.
[16] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms. MIT Press, 2001.
[17] M. Cremonini and P. Martini. Evaluating information security investments from attackers perspective: the Return-On-Attack (ROA). In Proc. Fourth Workshop on the Economics of Information Security, 2005.
[18] K. Daley, R. Larson, and J. Dawkins. A Structural Framework for Modeling Multi-stage Network Attacks. In Proc. ICPPW, pages 1530–1536, 2002.
[19] C. S. Date and C. Duration. ReSIST: Resilience for Survivability in IST.
[20] J. Dawkins and J. Hale. A systematic approach to multi-stage network attack analysis. In Proc. IEEE Int. Information Assurance Workshop, pages 48–56, 2004.
[21] R. Dewri, N. Poolsappasit, I. Ray, and D. Whitley. Optimal security hardening using multi-objective optimization on attack tree models of networks. In Proc. CCS, pages 204–213. ACM, 2007.
[22] P. Ebinger and T. Bucher. Modelling and Analysis of Attacks on the MANET Routing in AODV. LNCS, 4104:294, 2006.
[23] K. Edge, R. Raines, M. Grimaila, R. Baldwin, R. Bennington, and C. Reuter. Using Attack and Protection Trees to Analyze Threats and Defenses to Homeland Security. In Proc. MILCOM, pages 1–7, 2006.
[24] K. Edge, R. Raines, M. Grimaila, R. Baldwin, R. Bennington, and C. Reuter. The Use of Attack and Protection Trees to Analyze Security for an Online Banking System. In Proc. HICSS, pages 144–151, 2007.
[25] K. S. Edge. A Framework for Analyzing and Mitigating the Vulnerabilities of Complex Systems via Attack and Protection Trees. PhD thesis, Air Force Institute of Technology, 2007.
[26] J. H. Espedalen and H. I. Gjovik. Attack Trees Describing Security in Distributed Internet-Enabled Metrology. Technical report, Institutt for informatikk og medieteknikk, 2007.
[27] B. Foo, Y. S. Wu, Y. C. Mao, S. Bagchi, and E. Spafford. ADEPTS: Adaptive Intrusion Response Using Attack Graphs in an E-Commerce Environment. In Proc. DSN, pages 508–517, 2005.
[28] I. N. Fovino and M. Masera. Through the Description of Attacks: A Multidimensional View. LNCS, 4166:15, 2006.
[29] I. N. Fovino, M. Masera, and A. De Cian. Integrating Cyber Attacks Within Fault Trees. Reliability Engineering & System Safety, 94(9):1394–1402, 2009.
[30] R. M. Fricks and K. S. Trivedi. Importance analysis with Markov chains. In Proc. Reliability and Maintainability Symp., pages 89–95. IEEE, 2003.
[31] R. M. Fuhrer. Sequential Optimization of Asynchronous and Synchronous Finite-state Machines: Algorithms and Tools. PhD thesis, Columbia University, 1999.
[32] C. Fung, Y. L. Chen, X. Wang, J. Lee, R. Tarquini, M. Anderson, and R. Linger. Survivability analysis of distributed systems using attack tree methodology. In Proc. MILCOM, pages 583–589, 2005.
[33] Z. Gan, J. Tang, P. Wu, and V. Varadharajan. A Novel Security Risk Evaluation for Information Systems. In Proc. FCST, pages 67–73, 2007.
[34] G. Goodell, W. Aiello, T. Griffin, J. Ioannidis, P. McDaniel, and A. Rubin. Working around BGP: An incremental approach to improving security and accuracy of interdomain routing. In Proc. NDSS, volume 3, 2003.
[35] M. V. Higuero, J. J. Unzilla, E. Jacob, P. Saiz, M. Aguado, and D. Luengo. Application of 'Attack Trees' Technique to Copyright Protection Protocols Using Watermarking and Definition of a New Transactions Protocol SecDP (Secure Distribution Protocol). LNCS, 3311:264–275, 2004.
[36] M. V. Higuero, J. J. Unzilla, E. Jacob, P. Saiz, M. Aguado, and D. Luengo. Application of 'attack trees' in security analysis of digital contents e-commerce protocols with copyright protection. In Proc. CCST, pages 57–60, 2005.
[37] F. S. Hillier, G. J. Lieberman, and G. J. Liberman. Introduction to Operations Research. McGraw-Hill, New York, 1990.
[38] X. Hu and Z. M. Mao. Accurate real-time identification of IP prefix hijacking. In Proc. IEEE S & P, pages 3–17, 2007.
[39] S. Jajodia, S. Noel, and B. O'Berry. Topological analysis of network attack vulnerability. Managing Cyber Threats, 5(3):247–266, 2006.
[40] M. Kaaniche. Resilience evaluation with regard to accidental and malicious threats. ReSIST Summer School, 2007.
[41] F. Kargl, A. Klenk, S. Schlott, and M. Weber. Advanced detection of selfish or malicious nodes in ad hoc networks. LNCS, 3313:152–165, 2005.
[42] P. Kearney and L. Brugger. A risk-driven security analysis method and modelling language. BT Technology J., 25(1):141–153, 2007.
[43] R. Kuhn, K. Sriram, and D. Montgomery. Border gateway protocol security: Recommendations of the national institute of standards and technology. NIST Special Publication 800-54, 2007.
[44] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang. PHAS: A prefix hijack alert system. In Proc. USENIX Security Symp., 2006.
[45] S. Lathrop, J. Hill, and J. Surdu. Modeling Network Attacks. In Proc. 12th Conf. Behavior Representation in Modeling and Simulation, pages 401–407, 2003.
[46] B. B. Madan and K. S. Trivedi. Security Modeling and Quantification of Intrusion Tolerant Systems Using Attack-response Graph. J. of High Speed Networks, 13(4):297–308, 2004.
[47] S. Mauw and M. Oostdijk. Foundations of Attack Trees. LNCS, 3935:186–198, 2006.
[48] E. L. McCluskey. Minimization of Boolean functions. Bell Systems Technology Journal, 35:1417–1444, 1959.
[49] M. A. McQueen, W. F. Boyer, M. A. Flynn, and G. A. Beitel. Time-to-compromise Model for cyber risk reduction estimation. In First Workshop on Quality of Protection. Springer, 2005.
[50] F. C. Meng. Comparing the importance of system components by some structural characteristics. IEEE Trans. on Reliability, 45(1):59–65, 1996.
[51] J. Mirkovic and P. Reiher. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 34(2):39–53, 2004.
[52] A. P. Moore, R. J. Ellison, and R. C. Linger. Attack Modeling for Information Security and Survivability. CMU/SEI-2001-TN-001, 2001.
[53] D. M. Nicol, W. H. Sanders, and K. S. Trivedi. Model-based evaluation: From dependability to security. IEEE Trans. on Dependable and Secure Computing, 1(1):48–65, 2004.
[54] S. Noel and S. Jajodia. Optimal IDS sensor placement and alert prioritization using attack graphs. J. of Network and Systems Management, 16(3):259–275, 2008.
[55] T. Olzak. A Practical Approach to Threat Modeling. Technical report, Erudio Security, LLC, 2006.
[56] R. Ortalo, Y. Deswarte, and M. Kaaniche. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans. on Software Engineering, 25(5):633–650, 1999.
[57] E. K. Park, J. B. Yun, and H. P. In. Simulating Cyber Intrusion Using Ordered UML Model-based Scenarios. LNCS, 3398:643–651, 2005.
[58] T. Qiu, L. Ji, D. Pei, J. Wang, J. Xu, and H. Ballani. LOCK: Locating Countermeasure-Capable Prefix Hijackers. In Proc. USENIX Security Symp., 2008.
[59] P. A. S. Ralston, J. H. Graham, and J. L. Hieb. Cyber security risk assessment for SCADA and DCS networks. ISA Transactions, 46(4):583–594, 2007.
[60] A. Rauzy. New Algorithms for Fault Tree Analysis. Reliability Engineering & System Safety, 40(3):203–211, 1993.
[61] I. Ray and N. Poolsapassit. Using attack trees to identify malicious attacks from authorized insiders. LNCS, 3679:231–246, 2005.
[62] I. Ray, N. Poolsappasit, and R. Dewri. An Opinion Model for Evaluating Malicious Activities in Pervasive Computing Systems. LNCS, 5094:297–312, 2008.
[63] A. Roy, D. Kim, and K. S. Trivedi. ACT: Attack Countermeasure Trees for Information Assurance Analysis. In Proc. INFOCOM (poster). IEEE, 2010.
[64] A. Roy, D. Kim, and K. S. Trivedi. Cyber Security Analysis Using Attack Countermeasure Trees. In Proc. CSIIRW. ACM, 2010.
[65] A. Roy, D. S. Kim, and K. S. Trivedi. ACT: Towards unifying the constructs of attack and defense trees. J. of Security and Communication Networks, SI: Insider Threats, 2011.
[66] R. Rudell. Logic Synthesis for VLSI Design. PhD thesis, University of California, Berkeley, 1989.
[67] R. Sahner, K. S. Trivedi, and A. Puliafito. Performance and Reliability Analysis of Computer Systems: An Example-based Approach Using the SHARPE Software Package. Kluwer Academic, 1999.
[68] K. Sarda, D. Wijesekera, and S. Jajodia. Implementing consistency checking in correlating attacks. LNCS, 3347:379–384, 2004.
[69] T. Schaberreiter, C. Wieser, I. Sanchez, J. Riekki, and J. Röning. An Enumeration of RFID Related Threats. In Proc. of the 2008 Second Int. Conf. on Mobile Ubiquitous Computing, Systems, Services and Technologies, pages 381–389. IEEE Computer Society, 2008.
[70] B. Schneier. Modeling Security Threats. Dr. Dobb's Journal, 24(12), 1999.
[71] B. Schneier. Secrets and Lies: Digital Security in a Networked World. John Wiley and Sons Inc., 2000.
[72] Isograph Software. Attacktree+. http://www.isograph-software.com/atpover.htm.
[73] A. K. Somani and K. S. Trivedi. Phased-mission system analysis using Boolean algebraic methods. In Proc. ACM SIGMETRICS Conf. on Measurement and Modeling of Computer Systems, pages 98–107. ACM, New York, NY, USA, 1994.
[74] P. Somol, P. Pudil, and J. Kittler. Fast branch & bound algorithms for optimal feature selection. IEEE Transactions on Pattern Analysis and Machine Intelligence, pages 900–912, 2004.
[75] E. J. Sondik. The optimal control of partially observable Markov processes. PhD thesis, Stanford Univ. Electronics Labs, 1971.
[76] W. Sonnenreich, J. Albanese, and B. Stout. Return On Security Investment (ROSI): A Practical Quantitative Model. J. of Research and Practice in Information Technology, 38(1):45–56, 2006.
[77] M. Stamatelatos, G. Apostolakis, H. Dezfuli, C. Everline, S. Guarro, P. Moieni, A. Mosleh, T. Paulos, and R. Youngblood. Probabilistic risk assessment procedures guide for NASA managers and practitioners. NASA Office of Safety and Mission Assurance, 2002.
[78] Amenaza Technologies. Securitree. http://www.amenaza.com/software.php.
[79] T. Tidwell, R. Larson, K. Fitch, and J. Hale. Modeling internet attacks. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, volume 59. IEEE, 2001.
[80] K. S. Trivedi, D. S. Kim, A. Roy, and D. Medhi. Dependability and security models. In Proc. DRCN, pages 11–20. IEEE, 2009.
[81] K. S. Trivedi and R. Sahner. SHARPE at the age of twenty two. ACM SIGMETRICS Perf. Eval. Review, 36(4):52–57, 2009.
[82] M. Veeraraghavan and K. S. Trivedi. An improved algorithm for symbolic reliability analysis. IEEE Transactions on Reliability, 40(3):347–358, 1991.
[83] H. Wang and P. Liu. Modeling and evaluating the survivability of an intrusion tolerant database system. LNCS, 4189:207–224, 2006.
[84] Y. Wang, C. Lin, K. Meng, and J. Lv. Analysis of Attack Actions for E-Commerce Based on Stochastic Game Nets Model. Journal of Computers, 4(6):461, 2009.
[85] J. D. Weiss. A System Security Engineering Process. In Proc. of the 14th National Computer Security Conf., 1991.
[86] Z. G. Wu and V. Varadharajan. A Novel Security Risk Evaluation for Information Systems. In Proc. FCST, pages 67–73, 2007.
[87] J. B. Yun, E. K. Park, E. G. Im, and H. P. In. A scalable, ordered scenario-based network security simulator. Systems Modeling and Simulation: Theory and Applications, 3389:487–494, 2005.
[88] X. Zang, H. Sun, and K. S. Trivedi. A BDD-based algorithm for reliability graph analysis, 2000.
[89] X. Zang, D. Wang, H. Sun, and K. S. Trivedi. A BDD-based algorithm for analysis of multistate systems with multistate components. IEEE Trans. on Computers, 52(12):1608–1618, 2003.
[90] Z. Zhang, Y. Zhang, Y. Hu, Z. Mao, and R. S. Bush. Detecting IP Prefix Hijacking on My Own. In Proc. ACM SIGCOMM, 2008.
[91] S. A. Zonouz, H. Khurana, W. H. Sanders, and T. M. Yardley. RRE: A Game-Theoretic Intrusion Response and Recovery Engine. In Proc. DSN, pages 439–448, 2009.