
Attack Countermeasure Trees: A Non-state-space

Approach Towards Analyzing Security and Finding

Optimal Countermeasure Sets

by

Arpan Roy

Department of Electrical and Computer Engineering

Duke University

Date:

Approved:

Kishor S. Trivedi, Supervisor

Chris Dwyer

Benjamin C. Lee

Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in the Department of Electrical and Computer Engineering in the Graduate School of Duke University

2010


Abstract (Security Modeling)

Attack Countermeasure Trees: A Non-state-space Approach

Towards Analyzing Security and Finding Optimal

Countermeasure Sets

by

Arpan Roy

Department of Electrical and Computer Engineering

Duke University

Date:

Approved:

Kishor S. Trivedi, Supervisor

Chris Dwyer

Benjamin C. Lee

An abstract of a thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in the Department of Electrical and Computer Engineering in the Graduate School of Duke University

2010


Copyright © 2010 by Arpan Roy

All rights reserved


Abstract

Attack tree (AT) is one of the widely used combinatorial models in security analysis. The basic formalism of AT does not take into account defense mechanisms. Defense trees (DTs) have been developed to investigate the effect of defense mechanisms using measures such as attack cost, security investment cost, return on attack (ROA) and return on investment (ROI). DT, however, places defense mechanisms only at the leaf nodes and the corresponding ROI/ROA analysis does not incorporate the probabilities of attack. In attack response tree (ART), attack and response are both captured but ART suffers from the problem of state-space explosion, since solution of ART is obtained by means of a partially observable Markov Decision Process model. In this thesis, we present a novel attack tree paradigm called attack countermeasure tree (ACT) which takes a purely non-state-space approach to security analysis taking into account attacks as well as countermeasures (in the form of detection and mitigation techniques). In ACT, detection and mitigation are allowed not just at the leaf node but also at the intermediate nodes while at the same time the state-space explosion problem is avoided in its analysis. We propose algorithms to perform single and multiobjective optimization to find optimal countermeasure sets under different sets of budgetary constraints. We illustrate the features of ACT using several case studies.


Contents

Abstract iv

List of Tables vii

List of Figures viii

List of Abbreviations and Symbols x

Acknowledgements xii

1 Introduction 1
1.1 Fault Trees and Attack Trees 1
1.2 Motivation 2
1.3 Contribution 3

2 Background 6
2.1 Related Work 6
2.2 SHARPE 7

3 Attack Countermeasure Trees 9
3.1 Formalism of ACT 9
3.2 Security Analysis using ACT 13

4 Examples of ACT Analysis 22
4.1 SHARPE Implementation 22
4.2 Analysis of Examples 23

5 Optimal Countermeasure Selection 33
5.1 Optimization Problem 33
5.1.1 Single Objective Optimization 34
5.2 Implementation of Optimization Toolbox 49

6 Conclusions and Future Work 52
6.1 Conclusions 52
6.2 Future Work 53

Bibliography 55


List of Tables

3.1 Formulae for probability of attack success 13
3.2 Formulae for attack cost and attack impact 17
4.1 Parameter values for attack nodes in ACT 25
4.2 Parameter values for countermeasure nodes in ACT 28
5.1 Procedure for reduction of constraint matrix T 36
5.2 Algorithm for finding the optimal countermeasure set for an ACT with objective function F1 38
5.3 Recursive Branch and Bound algorithm for finding optimal countermeasure set using objective function F2 43
5.4 Recursive Branch and Bound algorithm for finding optimal countermeasure set using objective function F2 (contd.) 44
5.5 Procedure for computing the lower bound for objective function F2 44
1 SHARPE code for computing mincuts of SCADA ACT 54


List of Figures

1.1 Disadvantage of using state-space models 3
1.2 Analysis using ACT 4
3.1 (a) ACT with one attack event (b) ACT with one attack and one detection event (c) ACT with one attack and multiple detection events (d) ACT with one attack, one detection and one mitigation event (e) ACT with one attack, multiple detection and one mitigation event (f) ACT with one attack, one detection and multiple mitigation events (g) ACT with one attack and multiple pairs of detection and mitigation events 11
3.2 A simple attack tree for resetting the BGP session 13
3.3 A simple ACT for resetting a BGP session 14
3.4 Attack tree with repeated events 17
4.1 Change in (a) structural importance measure, (b) corresponding change in Pgoal, (c) change in Birnbaum importance measure and (d) corresponding change in Pgoal for BGP ACT due to implementation of countermeasures 24
4.2 ACT for SCADA system 26
4.3 ACT for Malicious Insider Attack (MI ACT) 27
4.4 Pgoal vs. probability of attack values of all the leaf nodes of (a) BGP ACT, (b) SCADA ACT and (c) MI ACT 27
4.5 Risk to system (Risksys) (a) for BGP ACT against pA1123 (x axis) and iA1123 (y axis), (b) for SCADA ACT with both pS1 and pG1 being varied (x axis) and both IS1 and IG1 being varied (y axis) and (c) for MI ACT against pA31 (x axis) and iA31 (y axis) 28
4.6 Risksys in SCADA ACT (a) against the probability of attack values (x axis) and attack impact values (y axis) for the generators (G1, G2, G3) (b) against the probability of attack values (x axis) and attack impact values (y axis) for the sensors (S1, S2, S3) 30
4.7 ROA against (a) varying attack impact value iA1123 (x axis) and attack cost value CA1123 (y axis) of the leaf node A1123 in BGP ACT, (b) varying attack impact value IS1, IG1 (x axis) and attack cost value CS1, CG1 (y axis) of leaf nodes S1 and G1 of SCADA ACT and (c) varying attack impact value iA31 (x axis) and attack cost value cA31 (y axis) of the leaf node A31 in MI ACT 30
4.8 Pgoal against the probability that a countermeasure succeeds for (a) BGP ACT, (b) SCADA ACT and (c) MI ACT 31
4.9 ROI for each countermeasure (a) against cCMi (x axis) and pCMi (y axis) for BGP ACT, (b) against cCMi (x axis) and pCMi (y axis) for SCADA ACT and (c) against cCMi (x axis) and pCMi (y axis) for MI ACT 32
5.1 Sample run of the procedure REDUCE (OPT, T) (from Table 5.1) on the constraint matrix T for the BGP ACT in Figure 3.3 37
5.2 Instance of a cyclic constraint matrix using an ACT for TCP sequence number attack 39
5.3 Sample run of the algorithm in Table 5.3 on a cyclic constraint matrix T 45
5.4 Plot of Pgoal vs. probability of attack values of all the leaf nodes of (a) BGP ACT for the ACT with no countermeasure and under the two optimal solutions (OPT1 and OPT2) and (b) SCADA ACT for the ACT with no countermeasure (case 1) and under the three optimal solutions (OPT1, OPT2 and OPT3) 48
5.5 ROI of (a) the different countermeasure sets providing full cover against cCMi (x axis) and pCMi (y axis) for BGP ACT and (b) the different countermeasure sets providing the required partial cover against cCMi (x axis) and pCMi (y axis) for SCADA ACT 49
5.6 Runtime plot for optimization with objective function Fmo2 using (i) explicit enumeration, (ii) branch and bound algorithm (in Table 5.3) and (iii) a simple genetic algorithm (SGA) with increasing tree size 50
5.7 Use case diagram for optimizer 51


List of Abbreviations and Symbols

Abbreviations

Common abbreviations used throughout the thesis, together with their full expressions, are as follows:

AT Attack Tree, a simple combinatorial attack model (proposed in [70])

DT Defense Tree, a combinatorial security model with both attack events and defense mechanisms (proposed in [6])

PT Protection Tree (proposed in [25])

ART Attack Response Tree with attacks and responses (proposed in [91])

ACT Attack Countermeasure Tree (proposed in [64])

ROA Return on Attack [17]

ROI Return on Investment (Return on Security Investment [76])

BGP Border Gateway Protocol

SCADA Supervisory Control and Data Acquisition system (an industrial control system)

Symbols

General notes on symbol usage in the text are given here. The generic symbols and their definitions are listed below.

Ak an attack event

Dk a detection event

Mk a mitigation event

CMk a countermeasure, generally a pair of defense mechanisms (Dk, Mk)

Φ(X) structure function of an ACT

pAk probability of occurrence of attack event Ak

pDk probability of success of detection event Dk

pMk probability of success of mitigation event Mk

Pgoal probability of attack success at the ACT goal

I^ST_Ak structural importance measure of attack event Ak

I^BT_Ak Birnbaum importance measure of attack event Ak

IAk impact of attack event Ak

Igoal impact at the goal node of ACT

cAk cost of attack event Ak

Cgoal attack cost at the goal node of ACT

cCMk security investment cost of countermeasure CMk


Acknowledgements

I would like to express my deepest gratitude towards my advisor, Professor Kishor S. Trivedi, for his insightful advice and guidance. Every discussion with him always clarifies my confusions and inspires new ideas. During meetings and discussions, his accurate memory and broad knowledge have impressed me. I would also like to thank him for his encouragement and support that helped me build confidence when I feel stuck in my research.

I would like to thank my committee members Dr. Chris Dwyer and Dr. Ben Lee for their kindness to serve on my committee and for finding the time to read my thesis and for giving numerous constructive suggestions to improve it.

I would also like to thank my colleagues and friends at Duke University, both former and present, Dr. Dong Seong Kim, Dr. Rivalino Matias, Dr. Roberto Pietrantuono, Fumio Machida, Kesari Mishra, Jae Shik Lim, Ferdinando Chiacchio, Xiaoyan Yin, Rahul Ghosh and Francesco Longo for the wonderful working environment they created and the generous help they offered me from time to time.

Finally I would like to thank my parents for their lasting love, support, guidance and encouragement. Without them standing behind me, I would never have been able to pursue this thesis.

Arpan Roy


1 Introduction

The recent surge of security breaches in systems varying from low-end client desktops to high-end servers and an unprecedented increase in the diversity of network security bugs have led researchers to re-evaluate the utility of network security models. In 2007 alone, Symantec detected 711,912 new threats compared to 125,243 in 2006, an increase of 468 percent in a year.

1.1 Fault Trees and Attack Trees

An attack tree is a model used to analyze the security of a computer against network threats, or the security of any system for that matter; it can be used to analyze the threats posed by any outside attacker on a system. Attack trees are represented in the form of a tree-like structure similar to fault trees, composed of a network of gates connecting leaf nodes representing simple attacks to a goal node. Attack trees play the same role in intrusion detection and intrusion tolerance that fault trees play in fault tolerance. There is a distinct duality in the lines of thought pertaining to the analysis of attack trees. Some authors believe in analyzing attack trees from the attacker’s perspective and some believe in analyzing attack trees from the defender’s point of view. However, either way the goal is the same: to produce a model that will help understand system behavior. The driving reason behind the creation of attack trees was to decompose a single high level threat into intermediate short-term objectives and finally into individual attacker actions. Attack trees help provide security analysts perspective with regard to not only attacks but also the threats and vulnerabilities pertaining to these attacks. Owing to their similarity in formalism, attack trees can use the same methodology that fault trees use in dealing with shared or repeated events [18].

1.2 Motivation

The first step towards security modeling involves designing a scalable model [56, 71] that helps quantify security [80] in terms of key attributes such as the loss caused by attacks [17, 42] or the gain accrued from enforcing a security measure [76]. This will aid not only in probabilistic risk analysis (PRA) of a system but also in the development of a scheme as to where in the system security investment should be prioritized. The simplest model in this context is the attack tree (AT) [52, 71].

However, the basic formalism of AT does not include defense mechanisms. Defense trees (DTs) [5, 6] incorporate defense mechanisms in AT. However, DT places defense mechanisms only at the leaf nodes. ROI/ROA analysis using DT does not incorporate probabilities of attack. In attack response trees (ARTs) [91], both attacks and responses are captured at any node. However, ARTs suffer from the state-space explosion problem (or the largeness problem) due to the use of a state space model (partially observable Markov decision process) [75] in the solution technique. When the corresponding state-space model is built from an ART, the number of states in the state-space model is exponential in the number of leaf nodes in the ART (2^(no. of leaf nodes in the ART)), as shown in Figure 1.1. The same problem exists with the use of attack response graphs for security modeling [46].


[Figure 1.1 (diagram): on the left, an attack response tree whose goal is an AND gate over attack events A1, A2, A3 with responses R1, R2, R3 attached; on the right, the corresponding state-space model with eight states, each marked by the triple (A1, A2, A3), from 000 through 111, and transitions labelled by the attacks and responses.]

Figure 1.1: Disadvantage of using state-space models

1.3 Contribution

In this thesis, we will present a novel attack tree model called attack countermeasure tree (ACT). Our contributions are summarized as follows. In ACT,

• defense mechanisms are placed at any node of the tree, not just at the leaf nodes,

• generation and analysis of attack scenarios and attack-countermeasure scenarios is automated using mincuts,

• probabilistic analysis (using measures such as attack and security investment cost, Birnbaum importance measure, system risk, impact of an attack, ROI and ROA) can be performed in an integrated manner (as shown in Figure 1.2),

• attack events and countermeasures are prioritized using structural and Birnbaum importance measure and

• an optimal countermeasure set is selected from the pool of defense mechanisms using a non-state-space approach which is much less expensive than the state-space approach for ART in [91].

[Figure 1.2 (diagram): Attack Countermeasure Tree (ACT) feeds into Analysis, which splits into Qualitative Analysis (mincuts, structural importance) and Probabilistic Analysis (probability of attacks, cost, impact, risk, ROI & ROA, Birnbaum importance).]

Figure 1.2: Analysis using ACT

We have implemented a new ACT module in the SHARPE [81] software package. We use single as well as multi-objective optimization to find possible optimal countermeasures given certain security constraints (e.g., security investment cost, ROI). We demonstrate the utility of ACT through case studies (SCADA attack [13], BGP attack [15]).

The remainder of the thesis is organized as follows. Some background and related work is presented in Chapter 2. Attack countermeasure trees (ACT) are presented in Chapter 3. The basic model for ACT is presented in Section 3.1. Section 3.2 describes qualitative analysis and probabilistic analysis using ACT. Implementation of the ACT model in SHARPE is presented in Chapter 4. In Chapter 5, we discuss the selection of an optimal countermeasure set using ACT. Chapter 6 concludes the thesis.


2 Background

2.1 Related Work

Weiss’s threat logic trees [85] and Amoroso’s threat trees [1] mark the beginning of the use of decision trees for characterizing attacks. Schneier developed the basic attack tree (AT) formalism [71] to build hand-generated attack trees depicting breach of email privacy by exploiting the pretty-good-privacy program (PGP) (used for encryption). An interesting observation by Schneier was that once an attack tree has been built for exploiting a particular form of threat, its application can be extended to any system that is vulnerable to that particular form of threat. For instance, the PGP attack tree built by Schneier for unauthorized access to confidential email messages (that use PGP encryption) can also be used to illustrate an attack for unauthorized reading of data off hard disks (the same PGP program is used for whole disk encryption). Moore et al. [52] extended Schneier’s AT by introducing attack scenarios (mincuts) and attack profiles. Mauw et al. [47] developed an alternative formalism for AT where the attack goal was associated with the set of all mincuts. When applied to complex case studies, AT often became large and unwieldy. Therefore Daley [18] proposed a layered approach to partition attack tree nodes with respect to their functionality. Since attacks and faults both lead to system failure, Fovino et al. [29] integrated attacks into the fault tree structure by developing a graph theoretical model called extended fault tree (EFT) [29]. However, these ATs do not take into account defense mechanisms. Our notion of countermeasures is similar to the notion of security hardening measures used by Dewri et al. [21] in attack tree analysis. But in their case as well, the effects of security hardening measures were studied outside the attack tree model. To incorporate defense mechanisms in AT, Bistarelli et al. [5] used defense trees (DTs) and applied game theory to find the most cost effective set of countermeasures. Edge et al. [25] proposed protection trees (PTs) which only concentrate on defense mechanisms regardless of attacks. Foo et al. [27] used intrusion graphs (I-GRAPHs) to model dynamic intrusion response. Zonouz et al. [91] proposed attack-response trees (ARTs) that incorporate both attacks and responses but use a state-space model (partially observable stochastic game model) to find an optimal set of countermeasures. Thus, their model suffers from state-space explosion. We propose ACT [?] which provides a simple yet compact approach for security analysis, harnessing the benefits of all the above mentioned models and allowing us to perform optimal countermeasure selection for different attack scenarios under given constraints, using a non-state-space approach.

2.2 SHARPE

Symbolic Hierarchical Automated Reliability and Performability Evaluator (SHARPE) is a software package capable of solving both non-state-space and state-space models. The first version was written in the C programming language and released in 1986. The model types that have been incorporated in the current version include fault trees, reliability block diagrams, acyclic series-parallel graphs, acyclic and cyclic Markov and semi-Markov models, Markov regenerative models, generalized stochastic Petri nets, stochastic reward nets and closed single- and multi-chain product-form queueing networks. For the models listed above, both transient and steady state analysis is available. SHARPE is also capable of handling hierarchical models and giving out semi-symbolic (or semi-numeric) results.


3 Attack Countermeasure Trees

The graph theoretic definition of ACT is as below:

• ACT = {V, ψ, E} (V: set of all vertices in ACT, ψ: set of all gates in ACT, E: set of all edges in ACT), where V = {∀k, v_k : v_k ∈ {A_j} || v_k ∈ {D_i} || v_k ∈ {M_l}}, where A1, A2, ..., D1, D2, ..., M1, M2, ... are the events in the ACT; ψ = {ψ_k : ψ_k ∈ {AND, OR, k-of-n gate}}; E = {∀k, e_k : e_k ∈ (v_i, ψ_j) || e_k ∈ (ψ_i, ψ_j)}; and X = (x_A1 x_A2 ... x_D1 x_D2 ... x_M1 x_M2 ...) is a state vector for the ACT, where x_Ak, x_Dk, x_Mk are the boolean variables associated with events Ak, Dk, Mk respectively.

3.1 Formalism of ACT

In this subsection the basic formalism of ACT is presented. In ACT, there are three distinct classes of events: attack events (e.g., install keystroke logger), detection events (e.g., detect keystroke logger) and mitigation events (e.g., remove keystroke logger). Figure 3.1(a) shows a simple ACT with a single attack event. The corresponding expression for the probability of a successful attack at the goal node is shown in Eq. (3.1).

$$P_{goal} = p_A \qquad (3.1)$$

In Figure 3.1(b), one attack event and one detection mechanism are used. The corresponding expression for the probability of a successful undetected attack is:

$$P_{goal} = p_A(1 - p_D) \qquad (3.2)$$

Figure 3.1(c) is an extension of Figure 3.1(b) where n detection mechanisms are being used to detect one attack event. The corresponding Pgoal is:

$$P_{goal} = p_A(1 - p_{D_1})(1 - p_{D_2})\cdots(1 - p_{D_n}) \qquad (3.3)$$

In an ACT with only detections, mitigations are assumed to be perfect, i.e., they mitigate with probability one (or pM = 1). However, if mitigations are imperfect (i.e., 0 ≤ pM < 1), mitigation techniques may be used in ACT in addition to detection mechanisms. Figure 3.1(d) shows an ACT with one attack event, one detection event and one mitigation event. Eq. (3.4) is the corresponding expression for the probability that the attack was successful, i.e., either the attack was undetected or the attack was detected but unmitigated (D representing a detection event and M representing a mitigation event).

$$P_{goal} = p_A\bigl(1 - p_D + p_D(1 - p_M)\bigr) = p_A(1 - p_D \times p_M) \qquad (3.4)$$

Indeed, this probability can be split into two parts if desired: the probability of an undetected attack, $p_{UD} = p_A(1 - p_D)$, and the probability of a detected but unmitigated attack, $p_{DUM} = p_A p_D(1 - p_M)$.

Figure 3.1(e) shows an ACT with one attack event, n detection events and one mitigation event, and the corresponding equation for the probability of successful


[Figure 3.1 (diagram): seven small ACTs, each rooted at "Attack success" and built from AND and OR gates over an attack event A, detection events D (D1, D2, ..., Dn) and mitigation events M (M1, M2, ..., Mn); legend: attack event, detection event, mitigation event.]

Figure 3.1: (a) ACT with one attack event (b) ACT with one attack and one detection event (c) ACT with one attack and multiple detection events (d) ACT with one attack, one detection and one mitigation event (e) ACT with one attack, multiple detection and one mitigation event (f) ACT with one attack, one detection and multiple mitigation events (g) ACT with one attack and multiple pairs of detection and mitigation events


attack is in Eq. (3.5). For the ACT in Figure 3.1(e), the corresponding probability that the attack is undetected is $p_{UD} = p_A \prod_{i=1}^{n}(1 - p_{D_i})$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A\left(1 - \prod_{i=1}^{n}(1 - p_{D_i})\right) \times (1 - p_M)$.

$$P_{goal} = p_A\left(1 - \left(1 - \prod_{i=1}^{n}(1 - p_{D_i})\right) \times p_M\right) \qquad (3.5)$$

Figure 3.1(f) shows an ACT with one attack event, one detection event and n mitigation events. Eq. (3.6) gives the corresponding probability of successful attack. For the ACT in Figure 3.1(f), the corresponding probability that the attack is undetected is $p_{UD} = p_A(1 - p_D)$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A p_D \prod_{i=1}^{n}(1 - p_{M_i})$.

$$P_{goal} = p_A\left(1 - p_D \times \left(1 - \prod_{i=1}^{n}(1 - p_{M_i})\right)\right) \qquad (3.6)$$

Figure 3.1(g) shows an ACT with one attack event and n pairs of detection and mitigation events. The nature of mitigation triggered depends on the nature of intrusion detected. Eq. (3.7) shows the corresponding expression for Pgoal. The corresponding probability that the attack is undetected is $p_{UD} = p_A \prod_{i=1}^{n}(1 - p_{D_i})$ and the corresponding probability that the attack is detected but unmitigated is $p_{DUM} = p_A \prod_{i=1}^{n}(1 - p_{D_i} \times p_{M_i}) - p_A \prod_{i=1}^{n}(1 - p_{D_i})$.

$$P_{goal} = p_A \prod_{i=1}^{n}\bigl(1 - p_{D_i} + p_{D_i}(1 - p_{M_i})\bigr) = p_A \prod_{i=1}^{n}(1 - p_{D_i} \times p_{M_i}) \qquad (3.7)$$

Besides AND and OR gates, ACT also allows for k-out-of-n gates (with identical or non-identical inputs). Table 3.1 enumerates formulae for output probability for


[Figure 3.2 (diagram): attack tree with one AND gate and three OR gates over the following nodes]

G: Reset a single BGP session (Impact = Unavailability)
A1: Send message to router causing reset
A2: Alter configuration via compromised router
A12: TCP sequence number attack
A111: Send RST message to TCP stack
A112: Send BGP message
A1121: Notify
A1122: Open
A1123: Keep Alive

Figure 3.2: A simple attack tree for resetting the BGP session

AND, OR and k-of-n gates in an ACT.

3.2 Security Analysis using ACT

In this section we present qualitative analysis and quantitative analysis using ACT.

Table 3.1: Formulae for probability of attack success

Gate type      Prob. of attack success
AND gate       $\prod_{i=1}^{n} p(i)$
OR gate        $1 - \prod_{i=1}^{n}(1 - p(i))$
k/n gate*      $\sum_{j=k}^{n} \binom{n}{j} p^{j}(1 - p)^{n-j}$

*for identical inputs
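As an added worked example (not code from the thesis or from SHARPE), the following Python implements the gate formulae of Table 3.1 together with the two countermeasure patterns of Figure 3.1(f) and Figure 3.1(g), Eq. (3.6) and Eq. (3.7), and splits $P_{goal}$ into $p_{UD}$ and $p_{DUM}$. The k-of-n gate for non-identical inputs goes beyond the table, which only gives the identical-input formula; it is computed exactly by enumerating the success/failure outcomes of the inputs. The tree in `example_goal` and every probability in it are constructed sample values, and all function names are mine.

```python
from itertools import product
from math import comb, prod
from typing import Sequence, Tuple


def gate_and(ps: Sequence[float]) -> float:
    """AND gate (Table 3.1): every independent input event must succeed."""
    return prod(ps)


def gate_or(ps: Sequence[float]) -> float:
    """OR gate (Table 3.1): at least one independent input event succeeds."""
    return 1.0 - prod(1.0 - p for p in ps)


def gate_k_of_n_identical(k: int, n: int, p: float) -> float:
    """k/n gate with identical inputs (Table 3.1): binomial tail from j = k to n."""
    return sum(comb(n, j) * p ** j * (1.0 - p) ** (n - j) for j in range(k, n + 1))


def gate_k_of_n(k: int, ps: Sequence[float]) -> float:
    """k-of-n gate with non-identical inputs (generalisation, not a page formula):
    enumerate every outcome of the inputs and add the probability of those
    outcomes with at least k successes. Exact, but O(2^n) in the input count."""
    total = 0.0
    for outcome in product((0, 1), repeat=len(ps)):
        if sum(outcome) >= k:
            total += prod(p if hit else 1.0 - p for p, hit in zip(ps, outcome))
    return total


def one_detection_n_mitigations(p_a: float, p_d: float,
                                p_ms: Sequence[float]) -> Tuple[float, float, float]:
    """Figure 3.1(f) node, Eq. (3.6): returns (P_goal, p_UD, p_DUM)."""
    all_mitigations_fail = prod(1.0 - p_m for p_m in p_ms)
    p_ud = p_a * (1.0 - p_d)                       # attack undetected
    p_dum = p_a * p_d * all_mitigations_fail       # detected but unmitigated
    p_goal = p_a * (1.0 - p_d * (1.0 - all_mitigations_fail))
    return p_goal, p_ud, p_dum


def n_detection_mitigation_pairs(p_a: float,
                                 pairs: Sequence[Tuple[float, float]]) -> Tuple[float, float, float]:
    """Figure 3.1(g) node, Eq. (3.7): returns (P_goal, p_UD, p_DUM)."""
    p_goal = p_a * prod(1.0 - p_d * p_m for p_d, p_m in pairs)
    p_ud = p_a * prod(1.0 - p_d for p_d, _ in pairs)
    return p_goal, p_ud, p_goal - p_ud


def example_goal() -> float:
    """Constructed ACT (sample values, not from the thesis):
    goal = OR( AND(f-node, g-node), 2-of-3(three plain attack events) )."""
    f_goal, _, _ = one_detection_n_mitigations(0.6, 0.8, [0.5, 0.7])
    g_goal, _, _ = n_detection_mitigation_pairs(0.5, [(0.9, 0.6), (0.4, 0.9)])
    return gate_or([gate_and([f_goal, g_goal]), gate_k_of_n(2, [0.2, 0.3, 0.4])])


if __name__ == "__main__":
    print("P_goal of the constructed ACT =", example_goal())
```

The two node functions return the split as well as the total, so a caller can check the identity $P_{goal} = p_{UD} + p_{DUM}$ that the text states for both figure patterns; the enumerating k-of-n gate reduces to the Table 3.1 binomial when all inputs are equal.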


Figure 3.3: A simple ACT for resetting a BGP session. Attack events as in Figure 3.2 (G: Reset a single BGP session; A1: Send message to router causing reset; A111: Send RST message to TCP stack; A112: Send BGP message; A1121: Notify; A1122: Open; A1123: Keep Alive; A12: TCP sequence number attack; A2: Alter configuration via compromised router). Detection events: D1: Trace-route check; D12: TCP sequence number check; D2: Router firewall alert. Mitigation events: M1: Randomize Seq. Num.; M12: MD5 authentication; M2: Secure router. Gates: AND and OR. (Figure image not reproduced.)

Qualitative Analysis

Qualitative analysis using ACT provides us with mincuts and structural importance measures.

Mincut Analysis. In both AT and ACT, the top event is associated with the set of all mincuts. Mincuts of an AT represent attack scenarios [33] whereas those of an ACT represent attack-countermeasure scenarios. We show an example AT for a BGP attack [15] ("resetting a BGP session", shown in Figure 3.2) and its corresponding ACT with countermeasures [43] (as depicted in Figure 3.3). Among others, countermeasures used include traceroute [38] as one of the detection mechanisms for spoofed TCP reset messages and sequence number randomization [43] as the corresponding mitigation technique. The top (or goal) event in the ACT can also be expressed as a boolean function ($\Phi(X)$) of the leaf node events. In Eq. (3.8), $\Phi(X)$, the complementary boolean structure function for the AT in Figure 3.2, is given, where $X$ is a state vector of the ACT and $x_{A_i}$ is a boolean variable such that $x_{A_i} = 1$ when event $A_i$ occurs, else $x_{A_i} = 0$. Mincuts for the AT in Figure 3.2 are: {(A111, A12), (A1121, A12), (A1122, A12), (A1123, A12), (A2)}.

$$\Phi(X) = x_{A111}\,x_{A12} + x_{A1121}\,x_{A12} + x_{A1122}\,x_{A12} + x_{A1123}\,x_{A12} + x_{A2} \qquad (3.8)$$

The mincuts (attack-countermeasure scenarios) of the ACT in Figure 3.3 are {(A111, CM1, A12, CM12), (A1121, CM1, A12, CM12), (A1122, CM1, A12, CM12), (A1123, CM1, A12, CM12), (A2, CM2)} (where CM1 = (D1 M1), CM12 = (D12 M12), CM2 = (D2 M2)). From the mincut (A1122, CM1, A12, CM12), observe that the pair of attack events (A1122, A12) is covered by the countermeasures CM1 and CM12. We use mincuts in Section 3.2 to develop an approach for the cost and the impact analysis in ACT. Mincuts can also be used to find the optimal countermeasure set for an ACT.

Structural Importance Measure Analysis. It is important to determine the most critical event in an ACT. Towards this objective, the structural importance measure [50] can be used. The concept of ordering system components based on structural importance was first introduced by Boland et al. [8]. The structural importance measure [30] is used when the ACT has equiprobable events, i.e., we are provided with only the ACT but the probability of attack (for attack events) and of detection/mitigation (for detection/mitigation events) are unknown. Given an ACT, its boolean structure function ($\Phi(X)$) can be built. $\Phi(X) = 1$ when the attack succeeds whereas $\Phi(X) = 0$ when the attack fails. Two state vectors are considered, the second differing from the first only in the flipped value of $x_{A_k}$:

$$X = (x_{A_1}\; x_{A_2}\; \ldots\; x_{A_{k-1}}\; x_{A_k}\; x_{A_{k+1}}\; \ldots\; x_{A_n})$$

$$X' = (x_{A_1}\; x_{A_2}\; \ldots\; x_{A_{k-1}}\; \overline{x_{A_k}}\; x_{A_{k+1}}\; \ldots\; x_{A_n})$$

The structural importance measure of an attack event ($A_k$) in an ACT is defined to be the normalized count of state vectors where the component is relevant for the boolean structure function. The corresponding expression for $I^{ST}_{A_k}$ is shown in Eq. (3.9).

$$I^{ST}_{A_k} = \frac{\sum_{X} \left(\Phi(X)_{A_k} - \Phi(X')_{A_k}\right)}{2^{n}} \qquad (3.9)$$

An attack event ($A_k$) is said to be relevant for a particular state vector $X$ when flipping the boolean value associated with attack event $A_k$ flips the value of $\Phi(X)$ from 1 to 0. In other words, $A_k$ is relevant to state vector $X$ if $\Phi(X)_{A_k} - \Phi(X')_{A_k} = 1$. Once the most critical event in the system is determined, it can be patched or the appropriate detection and mitigation for the component can be enforced.
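Added example (not code from the thesis or from SHARPE) serving both the mincut analysis above and the structural importance measure of Eq. (3.9): the structure function is Eq. (3.8) for the attack tree of Figure 3.2, the mincuts are recovered by brute-force enumeration of the $2^n$ state vectors (SHARPE uses dedicated fault-tree algorithms; enumeration is only practical for small trees), and $I^{ST}_{A_k}$ is computed literally as the page defines it, by forcing $x_{A_k}$ to 1 and to 0 in every state vector. Function names are mine.

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterator, List, Sequence, Tuple

# Leaf attack events of the BGP attack tree (Figure 3.2).
EVENTS = ["A111", "A1121", "A1122", "A1123", "A12", "A2"]
Phi = Callable[[Dict[str, int]], int]


def phi_bgp(x: Dict[str, int]) -> int:
    """Eq. (3.8) for the attack tree of Figure 3.2: boolean sum is OR, product is AND."""
    return int((x["A111"] and x["A12"]) or (x["A1121"] and x["A12"])
               or (x["A1122"] and x["A12"]) or (x["A1123"] and x["A12"]) or x["A2"])


def state_vectors(events: Sequence[str]) -> Iterator[Dict[str, int]]:
    """All 2^n assignments x_Ai in {0, 1}; x_Ai = 1 means event Ai occurs."""
    for bits in product((0, 1), repeat=len(events)):
        yield dict(zip(events, bits))


def mincuts(phi: Phi, events: Sequence[str]) -> List[FrozenSet[str]]:
    """A cut is a set of occurring events that alone makes phi = 1;
    a mincut is a cut none of whose proper subsets is a cut."""
    cuts = [frozenset(e for e, v in x.items() if v)
            for x in state_vectors(events) if phi(x)]
    return sorted((c for c in cuts if not any(o < c for o in cuts)),
                  key=lambda c: (len(c), sorted(c)))


def structural_importance(phi: Phi, events: Sequence[str], k: str) -> float:
    """Eq. (3.9): sum over every state vector of phi(X)_{A_k} - phi(X')_{A_k},
    i.e. phi with x_Ak forced to 1 minus phi with x_Ak forced to 0, over 2^n."""
    total = 0
    for x in state_vectors(events):
        total += phi({**x, k: 1}) - phi({**x, k: 0})
    return total / 2 ** len(events)


def rank_events(phi: Phi, events: Sequence[str]) -> List[Tuple[str, float]]:
    """Attack events ordered from most to least structurally important."""
    scores = [(e, structural_importance(phi, events, e)) for e in events]
    return sorted(scores, key=lambda s: -s[1])


if __name__ == "__main__":
    for cut in mincuts(phi_bgp, EVENTS):
        print("mincut:", sorted(cut))
    for event, score in rank_events(phi_bgp, EVENTS):
        print(f"I_ST({event}) = {score:.5f}")
```

For this tree the enumeration returns exactly the five mincuts listed in the text, and A2 ranks first: it alone reaches the goal, so it is relevant for every state vector in which the A12 branch has not already succeeded.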

Probabilistic Analysis

The computation of the probability of a successful attack in an ACT was discussed in Section 3.1. For an ACT, the probability of a successful attack can be computed, which can be further split into the probability that the attack is undetected and the probability that the attack is detected but unmitigated. When provided with values for parameters such as probabilities of attacks, cost etc., probabilistic (or quantitative) analysis can be performed using ACTs. Quantitative analysis using ACT can be viewed from two distinct viewpoints: the attacker's viewpoint and the defender's (or security analyst's) viewpoint. Measures such as attack cost and ROA reflect the attacker's perspective whereas metrics such as security investment cost, risk, impact and ROI represent the defender's perspective.

Cost Computation. In ACT, cost may be of two types: cost of attack and security investment cost. Cost of attack in ACT ($C_{attacker}$) with no repeated events is computed using the expressions in Table 3.2 [53]. In ACT, the cost of attack is the sum of the costs of the input events for an AND gate whereas it is the minimum of the cost of the input events for an OR gate. The cost of attack for a k-of-n gate is the sum of the cost of the k lowest cost input events to the gate.

Table 3.2: Formulae for attack cost and attack impact

Gate type        Attack cost                   Impact
AND gate         $\sum_{i=1}^{n} c_{A_i}$      $\sum_{i=1}^{n} i_{A_i}$
OR gate          $\min_{i=1}^{n} c_{A_i}$      $\max_{i=1}^{n} i_{A_i}$
k-of-n gate^a    $\sum_{i=1}^{k} c_{A_i}$      $\sum_{i=1}^{k} i_{A_i}$

^a For the k-of-n gate, it is assumed that $(c_{A_1}, c_{A_2}, \ldots, c_{A_n})$ are sorted in ascending order of their cost values and $(i_{A_1}, i_{A_2}, \ldots, i_{A_n})$ are sorted in descending order of their impact values.

Figure 3.4: Attack tree with repeated events. Goal G over attack events A1, A2 and A3; A3 appears twice in the tree (repeated event) while A1 and A2 are non-repeat events; gates OR, AND, OR. (Figure image not reproduced.)

For an ACT containing one or more repeated events (as shown in Figure 3.4), we use a simple procedure to compute the attack cost. SHARPE [81] can be used to generate the mincuts of the ACT. The attack cost for a mincut is given by the sum of the attack costs of each attack event in the mincut. The attack cost of the mincut with the lowest cost is selected to be the cost of attack for the ACT. In the case of Figure 3.4, the ACT mincuts are {(A1, A2), A3} and hence the corresponding $C_{attacker} = \min\{c_{A_1} + c_{A_2},\, c_{A_3}\}$.

Security investment cost for an ACT is computed by summing the security investment cost of the countermeasures present in the ACT. Also using ACT, the set of feasible attack scenarios can be built subject to the attacker's resource constraint (e.g., attack cost). This is called 'capability based pruning' of AT in the SecurITree [78] AT analysis tool. If the total attack cost is provided as the attacker's resource constraint, a subset of mincuts (or a subset of attack scenarios) can be determined which the attacker can successfully exploit subject to his resource (cost) constraint.

Impact Computation. Instead of pursuing a scaled approach for impact computation (for instance, normalized on a scale from 1-10 in [25]), in ACT we use the exact value of impact [55] associated with every attack event. Even though countermeasures do not affect the impact value directly, countermeasures do result in reducing risk, which is the expected value of impact. Impact computation for different gates in an ACT with no repeated events is summarized in Table 3.2. If repeated events are present in the ACT, we follow a procedure similar to that used in cost computation. We first find the mincuts of the ACT. The impact of a mincut is the sum of the impact values of the attack events in the mincut. The impact of the mincut with the highest impact value is selected to be the impact of the ACT. For instance, in the case of the ACT in Figure 3.4(a), since the mincuts are {(A1, A2), A3}, $I_{goal} = \max\{i_{A_1} + i_{A_2},\, i_{A_3}\}$.
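Added example (not the thesis's or SHARPE's code) for the cost and impact computation above: the gate rules of Table 3.2 applied recursively, beside the mincut procedure the page prescribes for trees with repeated events. The shape of the Figure 3.4 tree is reconstructed from its mincuts {(A1, A2), A3} as goal = OR(A3, AND(A1, OR(A2, A3))) and is an assumption, as are the cost and impact values; the repeated event A3 is what makes the gate rules and the mincut procedure disagree on impact, because the gate rules count A3 together with A1 although A3 alone already reaches the goal. Names are mine.

```python
from typing import Dict, Iterable, List, Tuple, Union

# A node is a leaf name or (gate, k, children); k is used only by "KOFN".
Node = Union[str, Tuple[str, int, List["Node"]]]

# Constructed sample values (not from the thesis).
COST: Dict[str, float] = {"A1": 10.0, "A2": 30.0, "A3": 5.0}
IMPACT: Dict[str, float] = {"A1": 10.0, "A2": 5.0, "A3": 20.0}

# Assumed shape of Figure 3.4: A3 feeds two gates, so it is a repeated event.
FIG_3_4: Node = ("OR", 0, ["A3", ("AND", 0, ["A1", ("OR", 0, ["A2", "A3"])])])
FIG_3_4_MINCUTS: List[Tuple[str, ...]] = [("A1", "A2"), ("A3",)]


def gate_cost(node: Node, cost: Dict[str, float]) -> float:
    """Table 3.2 attack cost, recursively: AND sums, OR takes the minimum,
    k-of-n sums the k cheapest inputs. Valid only without repeated events."""
    if isinstance(node, str):
        return cost[node]
    gate, k, children = node
    values = sorted(gate_cost(c, cost) for c in children)   # ascending
    if gate == "AND":
        return sum(values)
    if gate == "OR":
        return values[0]
    if gate == "KOFN":
        return sum(values[:k])
    raise ValueError(f"unknown gate {gate}")


def gate_impact(node: Node, impact: Dict[str, float]) -> float:
    """Table 3.2 impact: AND sums, OR takes the maximum, k-of-n sums the k largest.
    Valid only without repeated events."""
    if isinstance(node, str):
        return impact[node]
    gate, k, children = node
    values = sorted((gate_impact(c, impact) for c in children), reverse=True)
    if gate == "AND":
        return sum(values)
    if gate == "OR":
        return values[0]
    if gate == "KOFN":
        return sum(values[:k])
    raise ValueError(f"unknown gate {gate}")


def mincut_cost(mincuts: Iterable[Tuple[str, ...]], cost: Dict[str, float]) -> float:
    """Repeated-event procedure: each mincut costs the sum of its events;
    the cheapest mincut gives C_attacker."""
    return min(sum(cost[e] for e in mc) for mc in mincuts)


def mincut_impact(mincuts: Iterable[Tuple[str, ...]], impact: Dict[str, float]) -> float:
    """Repeated-event procedure: the mincut with the largest summed impact gives I_goal."""
    return max(sum(impact[e] for e in mc) for mc in mincuts)


if __name__ == "__main__":
    print("gate rules:   cost", gate_cost(FIG_3_4, COST), "impact", gate_impact(FIG_3_4, IMPACT))
    print("mincut rules: cost", mincut_cost(FIG_3_4_MINCUTS, COST),
          "impact", mincut_impact(FIG_3_4_MINCUTS, IMPACT))
```

With these sample values both procedures agree on cost (the single-event mincut A3 is cheapest either way), but the gate rules report an impact of 30 for the tree while the true worst-case scenario, the mincut {A3}, has impact 20; a k-of-n gate is also shown to exercise the sorted-prefix rule of the table's footnote.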

Birnbaum Importance Measure. When probabilities of attack/defense are known for ACT nodes, the Birnbaum importance measure [?] (also termed 'reliability importance measure' for fault trees) is used to prioritize defense mechanisms to counteract attack events. The Birnbaum importance measure of an attack event represents the change in the probability of attack at the goal caused by a small change in the probability of attack of the ACT node at $A_k$. The Birnbaum importance measure of an attack event $A_k$ is defined as:

$$I^{B}_{A_k} = \frac{\partial P_{goal}}{\partial p_{A_k}} \qquad (3.10)$$

SHARPE can be used to compute $I^{B}_{A_k}$.

Risk Computation. In the context of ACT, risk can refer to two distinct measures, namely (i) risk to the attacker [36] and (ii) risk to the system [45]. The attacker's risk of an atomic attack refers to the probability of detection of the atomic attack [36]. The AttackTree+ AT analysis tool [72] refers to this type of risk as the 'accepted risk' of the attacker. Since we deal with the probability of detection of atomic attacks in the $P_{goal}$ computation in Section 3.1, in this subsection we discuss risk to the system. Risk to a system refers to the system's risk to a particular attack scenario. In this context, two measures need to be taken into consideration. One is the amount of damage that an attack scenario can render to the system ($I_{goal}$) and the other is the probability of attack success ($P_{goal}$). Combining the two, risk to the system can be defined as the expected value of the impact. The expression for system risk for ACTs is:

$$Risk_{sys} = P_{goal} \times I_{goal} \qquad (3.11)$$

In an ACT without any countermeasures, application of $CM_i$ causes the output probability of the ACT node containing attack event $A_k$ (point of application of $CM_i$) to decrease by $\Delta p_{A_k, CM_i}$ (for instance, incorporation of $CM_i$ may cause the ACT node in Figure 3.1(a) to become the ACT node in Figure 3.1(d)). In ACT, the decrease in risk ($\Delta Risk_{CM_i}$) for countermeasure $CM_i$ can be given by:

$$\Delta Risk_{CM_i} = Risk_{\text{without } CM_i} - Risk_{\text{with } CM_i} = I_{goal} \times \left(P_{goal_{\text{without } CM_i}} - P_{goal_{\text{with } CM_i}}\right) \qquad (3.12)$$

where $P_{goal_{\text{with } CM_i}}$ is $P_{goal}$ of the ACT with countermeasure $CM_i$ and $P_{goal_{\text{without } CM_i}}$ is $P_{goal}$ of the ACT without countermeasure $CM_i$. Similarly, for an ACT with incorporated countermeasure set $S_{CM}$, the decrease in risk ($\Delta Risk_{S_{CM}}$) for countermeasure set $S_{CM}$ can be given by:

$$\Delta Risk_{S_{CM}} = Risk_{\text{without } S_{CM}} - Risk_{\text{with } S_{CM}} = I_{goal} \times \left(P_{goal_{\text{without } S_{CM}}} - P_{goal_{\text{with } S_{CM}}}\right) \qquad (3.13)$$

ROA and ROI Computation. Two metrics from the field of economics have been adapted to the security scenario in order to quantify the nature of the competition between the attacker and the defender. Return on Attack (ROA) [5, 6] is an index that is aimed at measuring the benefit to the attacker from a particular attack. Unlike attack cost, ROA changes with the application of specific countermeasures. ROA [17] is defined by:

$$ROA = \frac{Risk_{sys}}{C_{attacker}} = \frac{I_{goal} \times P_{goal}}{C_{attacker}} \qquad (3.14)$$

Next we discuss a quantification of Return on Investment (ROI) [76]. The basic definition of $ROI_{CM_i}$ is the profit obtained by the implementation of $CM_i$ (thereby signifying the efficacy of that countermeasure). ROI for countermeasure $CM_i$ is a function of the impact of attack of the ACT, the decrease in the probability of attack at the ACT goal ($\Delta P_{goal_{CM_i}}$) due to $CM_i$ and the security investment cost for $CM_i$ ($c_{CM_i}$). Adapting Sonnenreich's definition of Return on Investment [76] to the context of ACT, we have:

$$ROI_{CM_i} = \frac{\text{profit from } CM_i - \text{cost of implementing } CM_i}{\text{cost of implementing } CM_i} \qquad (3.15)$$

$$ROI_{CM_i} = \frac{I_{goal} \times \Delta P_{goal_{CM_i}} - c_{CM_i}}{c_{CM_i}} \qquad (3.16)$$

Note that $ROI_{CM_i} \geq -1$.
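Added example (not code from the thesis or from SHARPE) that carries the defender-side measures of this section, Eq. (3.10) to Eq. (3.16), through the BGP ACT of Figure 3.3 with the parameter values of Table 4.1 and Table 4.2. $P_{goal}$ is written out gate by gate rather than through a generic evaluator. The tree shape is reconstructed from the mincuts of Section 3.2 and the node labels of Figure 3.3 (goal = A1 OR A2; A1 = A11 AND A12; A11 = A111 OR A112; A112 = A1121 OR A1122 OR A1123; CM1 = (D1, M1) applied at A1, CM12 = (D12, M12) at A12, CM2 = (D2, M2) at A2) and is an assumption; so is the conversion of impact from $10^3$ $ to $ inside the ROI so that it shares units with the investment cost. Function names are mine.

```python
from typing import Dict, FrozenSet

# Table 4.1, BGP rows: probability of attack, attack cost ($), impact (10^3 $).
P_ATTACK: Dict[str, float] = {"A111": 0.08, "A1121": 0.1, "A1122": 0.15,
                              "A1123": 0.2, "A12": 0.1, "A2": 0.4}
COST = {"A111": 50, "A1121": 60, "A1122": 70, "A1123": 100, "A12": 150, "A2": 190}
IMPACT = {"A111": 200, "A1121": 130, "A1122": 100, "A1123": 300, "A12": 250, "A2": 275}
# Table 4.2, BGP rows: CM_i = (p_D, p_M, c_D + c_M in $). Assumed attachment points:
# CM1 at A1, CM12 at A12, CM2 at A2 (reconstructed from the Section 3.2 mincuts).
CM = {"CM1": (0.5, 0.6, 10 + 30), "CM12": (0.8, 0.5, 10 + 20), "CM2": (0.7, 0.5, 15 + 35)}
NONE: FrozenSet[str] = frozenset()
ALL: FrozenSet[str] = frozenset(CM)


def guard(p: float, cm: str, active: FrozenSet[str]) -> float:
    """Figure 3.1(d) node: with one (D, M) pair the attack succeeds with p_A (1 - p_D p_M)."""
    if cm not in active:
        return p
    p_d, p_m, _ = CM[cm]
    return p * (1.0 - p_d * p_m)


def p_goal(p: Dict[str, float] = P_ATTACK, active: FrozenSet[str] = NONE) -> float:
    """P_goal of the BGP ACT, gate by gate (OR: 1 - prod(1 - p), AND: prod p)."""
    a112 = 1.0 - (1 - p["A1121"]) * (1 - p["A1122"]) * (1 - p["A1123"])
    a11 = 1.0 - (1 - p["A111"]) * (1 - a112)
    a12 = guard(p["A12"], "CM12", active)
    a1 = guard(a11 * a12, "CM1", active)
    a2 = guard(p["A2"], "CM2", active)
    return 1.0 - (1 - a1) * (1 - a2)


def i_goal() -> float:
    """Table 3.2 impact (no repeated events): OR -> max, AND -> sum; in 10^3 $."""
    i112 = max(IMPACT[e] for e in ("A1121", "A1122", "A1123"))
    return max(max(IMPACT["A111"], i112) + IMPACT["A12"], IMPACT["A2"])


def c_attacker() -> float:
    """Table 3.2 attack cost: OR -> min, AND -> sum; unaffected by countermeasures."""
    c112 = min(COST[e] for e in ("A1121", "A1122", "A1123"))
    return min(min(COST["A111"], c112) + COST["A12"], COST["A2"])


def risk(active: FrozenSet[str] = NONE) -> float:
    """Eq. (3.11): Risk_sys = P_goal x I_goal (in 10^3 $)."""
    return p_goal(P_ATTACK, active) * i_goal()


def delta_risk(cm: str) -> float:
    """Eq. (3.12): risk without CM_i minus risk with CM_i alone."""
    return risk(NONE) - risk(frozenset([cm]))


def birnbaum(event: str, active: FrozenSet[str] = NONE) -> float:
    """Eq. (3.10): dP_goal / dp_Ak. P_goal is linear in each leaf probability,
    so the derivative equals P_goal at p_Ak = 1 minus P_goal at p_Ak = 0."""
    return (p_goal({**P_ATTACK, event: 1.0}, active)
            - p_goal({**P_ATTACK, event: 0.0}, active))


def roa(active: FrozenSet[str] = NONE) -> float:
    """Eq. (3.14): ROA = Risk_sys / C_attacker."""
    return risk(active) / c_attacker()


def roi(cm: str) -> float:
    """Eq. (3.16): (I_goal x dP_goal_CMi - c_CMi) / c_CMi, impact converted to $."""
    d_p = p_goal() - p_goal(P_ATTACK, frozenset([cm]))
    c_cm = CM[cm][2]
    return (i_goal() * 1000.0 * d_p - c_cm) / c_cm


if __name__ == "__main__":
    print(f"P_goal: AT {p_goal():.4f}, ACT with all CMs {p_goal(P_ATTACK, ALL):.4f}")
    for leaf in P_ATTACK:
        print(f"I_B({leaf}) = {birnbaum(leaf):.4f}")
    for cm in CM:
        print(f"{cm}: dRisk {delta_risk(cm):.2f} (10^3 $), ROI {roi(cm):.1f}")
```

With the table values the reconstruction reproduces the qualitative findings reported in Chapter 4: $Risk_{sys}$ for the uncountered tree lands in the 100-300 ($\times 10^3$ $) band of Figure 4.5(a), every ROI stays at or above $-1$, and CM2 has the highest ROI of the three countermeasures.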


4 Examples of ACT Analysis

4.1 SHARPE Implementation

We use SHARPE [81] for the evaluation of ACT. We have implemented a module for automatic description and evaluation of ACTs in SHARPE. For the computation of probability of attack, mincuts, structural and Birnbaum importance measures of an ACT, we simply use the already existing algorithms for solving fault trees in SHARPE. These include a polynomial algorithm for analyzing ACTs with non-repeat events and factoring, GKG-VT [82] (for the sum of disjoint products method) and BDD algorithms [10] for analyzing ACTs with repeated events. We have added the relevant algorithms (described in Section 3.2) for computing cost, impact and risk in ACTs. ROA and ROI computation is done by defining functions in the SHARPE input file.


4.2 Analysis of Examples

For the analysis of ACT, we use the BGP ACT [15] of Figure 3.3, the SCADA ACT [91] of Figure 4.2 and the ACT for malicious insider attack (MI ACT) of Figure 4.3 as case studies. Two significant characteristics of the SCADA ACT are: (i) it contains only attack and mitigation events and (ii) not all mincuts are covered by the mitigation techniques provided. The basic structure of the ACT for malicious insider attack (MI ACT) was proposed in [12]. We built on this structure by adding lower level subtrees from other sources (for instance, in MI ACT the subtree for attack by 'elevation' of a malicious user (node A4 in Figure 4.3) is obtained from [79]). MI ACT has attack, detection and mitigation events. However, in MI ACT as well, not all the mincuts are covered by the countermeasures provided.

Figure 4.1(a) shows the variation in structural importance measure and Figure 4.1(c) shows the variation in Birnbaum importance measure of attack event $A_i$ in BGP ACT due to implementation of countermeasure $CM_i$. From Figure 4.1(c) and Figure 4.1(d), observe that the maximum decrease in $P_{goal}$ is caused by the implementation of the countermeasure associated with the attack event with the highest value of $I^{B}_{A_k}$. For instance, in BGP ACT with no defense (or the BGP AT), attack event A1 ('Send RESET message') has the highest value of $I^{B}_{A_k}$, leading to the implementation of CM1 ('Traceroute') first. The corresponding decrease in $P_{goal}$ (shown in Figure 4.1(c)) is the maximum for all the countermeasures present. Therefore, implementation of countermeasures ($CM_i$) for attack events ($A_i$) with higher values of $I^{B}_{A_k}$ should be prioritized. Similarly, we can observe from Figure 4.1(a) and Figure 4.1(b) that implementing countermeasures for attack events with higher $I^{ST}_{A_k}$ should be prioritized. The values for the input parameters for countermeasure nodes of all three ACTs are in Table 4.2 and the values for the input parameters for attack nodes of all three ACTs are in Table 4.1.

Figure 4.1: Change in (a) structural importance measure, (b) corresponding change in $P_{goal}$, (c) change in Birnbaum importance measure and (d) corresponding change in $P_{goal}$ for BGP ACT due to implementation of countermeasures. Bar charts over the attack events A1, A12, A2 and the countermeasures CM1, CM12, CM2 of the BGP ACT; the y axes are the structural importance measure, the Birnbaum importance measure and the probability of attack at the goal ($P_{goal}$). (Figure image not reproduced.)

Figure 4.4(a) shows $P_{goal}$ for BGP ACT (with and without countermeasures), Figure 4.4(b) shows $P_{goal}$ for SCADA ACT (with and without countermeasures) and Figure 4.4(c) shows $P_{goal}$ for MI ACT (with and without countermeasures) with the probability of attack value of all the leaf nodes in the ACT varying together in the range [0,1]. From Figure 4.4(a) we find that the $P_{goal}$ value for BGP ACT decreases with the incorporation of detection mechanisms ($P_{goal} = P_{UD}$). With only detection mechanisms in the ACT, mitigations are assumed to be perfect, i.e., they work with probability one. Therefore, with the incorporation of mitigations (imperfect mitigations) in BGP ACT, $P_{goal}$ increases ($P_{goal} = P_{UD} + P_{DUM}$). SCADA ACT has only attack and mitigation events. Here detections are assumed to be perfect, i.e., $P_{goal} = P_{UD} + P_{DUM}$ with all $p_{D_i} = 1$. From Figure 4.4(b), we find that $P_{goal}$ decreases with the incorporation of mitigations in SCADA ACT. Similarly, from Figure 4.4(c) we find that the $P_{goal}$ value for MI ACT decreases with the incorporation of detection mechanisms and then increases with the incorporation of mitigations (imperfect mitigations).

Table 4.1: Parameter values for attack nodes in ACT

ACT node            Prob. of attack   Attack cost (in $)   Attack impact (in 10^3 $)
A111 (BGP)          0.08              50                   200
A1121 (BGP)         0.1               60                   130
A1122 (BGP)         0.15              70                   100
A1123 (BGP)         0.2               100                  300
A12 (BGP)           0.1               150                  250
A2 (BGP)            0.4               190                  275
AS1 (SCADA)         0.1               100                  300
AS2 (SCADA)         0.1               110                  150
AS3 (SCADA)         0.1               90                   225
AWSE (SCADA)        0.25              250                  250
AULAN (SCADA)       0.3               275                  275
AHMI (SCADA)        0.2               100                  100
ASCOPF (SCADA)      0.15              120                  120
AG1 (SCADA)         0.15              100                  300
AG2 (SCADA)         0.3               30                   200
AG3 (SCADA)         0.2               40                   150
ADB (SCADA)         0.5               170                  50
AUWAN (SCADA)       0.35              160                  100
AWS (SCADA)         0.4               150                  150
A11 (MI ACT)        0.08              50                   200
A12 (MI ACT)        0.1               60                   130
A2111 (MI ACT)      0.15              70                   100
A2112 (MI ACT)      0.2               100                  300
A2121 (MI ACT)      0.1               150                  250
A21221 (MI ACT)     0.4               190                  275
A21222 (MI ACT)     0.1               100                  300
A213 (MI ACT)       0.1               110                  150
A2141 (MI ACT)      0.1               90                   225
A2142 (MI ACT)      0.25              250                  250
A2143 (MI ACT)      0.3               275                  275
A31 (MI ACT)        0.2               100                  100
A32 (MI ACT)        0.15              120                  120
A411 (MI ACT)       0.15              100                  300
A4121 (MI ACT)      0.3               30                   200
A4122 (MI ACT)      0.2               40                   150
A413 (MI ACT)       0.5               170                  50

Figure 4.2: ACT for SCADA system. Goal: SCADA compromised. Intermediate events shown: Incorrect monitoring; Incomplete sensors; Wrong state estimation (WSE); Unavailable network (LAN) (ULAN); Unavailable network (UWAN); Problematic Control; Database (DB); Workstation (WS); Control servers; Controlling agents; Power loads not provided; Incorrect estimates to customers; SCOPF. Attack leaves include the sensors S1, S2, S3 (under a 2/3 gate), the HMI and the generators G1, G2, G3. Mitigation events: "switch" (on the HMI) and "restart" (one per generator G1, G2, G3). Gates: AND, OR and 2/3. (Figure image not reproduced.)

Figure 4.5(a) shows system risk ($Risk_{sys}$) for the BGP ACT (with and without countermeasures) with the probability of attack at leaf node A1123 ($p_{A1123}$) varying in the range [0,1] and the impact value of leaf node A1123 ($i_{A1123}$) varying uniformly in the range 0-3×10^5 $. Observe that $Risk_{sys}$ decreases with the incorporation of detection mechanisms (assuming perfect mitigations) and then increases with the incorporation of mitigations in the ACT. Figure 4.5(b) shows $Risk_{sys}$ for the SCADA ACT (with and without countermeasures) with the probability of attack at leaf nodes $p_{S1}$ and $p_{G1}$ varying together in the range [0,1] and the impact values of the leaf nodes $I_{S1}$ and $I_{G1}$ varying together in the range 0-3×10^5 $. Observe from the surfaces that $Risk_{sys}$ decreases with the incorporation of countermeasures (mitigations) in SCADA ACT. Figure 4.5(c) shows system risk ($Risk_{sys}$) for the MI ACT (with and without countermeasures) with the probability of attack at leaf node A31 ($p_{A31}$) varying in the range [0,1] and the impact value of leaf node A31 ($i_{A31}$) varying uniformly in the range 0-3×10^5 $. From the surfaces, observe that for BGP, SCADA and MI ACT, $Risk_{sys}$ increases with the probability of attack value at the leaf node. It is also directly proportional to the $I_{goal}$ value of the corresponding ACT.

Figure 4.3: ACT for Malicious Insider Attack (MI ACT). Goal G: Malicious Insider attack success. Attack events (numbering gives the subtree): A1: Alteration; A11: Unauthorized alteration of registry; A12: Launch virus; A2: Distribution; A21: File Sharing; A211: Email; A2111: Local Account; A2112: Web-based account; A212: Electronic Drop Box; A2121: FTP to File Server; A2122: Internet; A21221: Post to News Group; A21222: Post to Website; A213: Online Chat; A214: Copy to Media; A2141: Floppy Disk; A2142: CD-ROM; A2143: USB Drive; A3: Snooping; A31: Misuse; A32: Violation of organization policy; A4: Elevation; A41: Acquire admin privilege; A411: Poor Configuration; A412: Steal Password; A4121: Sniff Network; A4122: Root Telnet; A413: Sendmail Exploit. Countermeasures: D12: Detect virus attack (anti-virus) with M12: Launch mitigation (anti-virus); D412: Track number of tries at password with M412: Request admin pin. Gates: AND and OR. (Figure image not reproduced.)

Figure 4.4: $P_{goal}$ vs. probability of attack values of all the leaf nodes of (a) BGP ACT, (b) SCADA ACT and (c) MI ACT. Line plots; x axis: probability of attack at leaf node (0 to 1); y axis: probability of attack at the goal ($P_{goal}$, 0 to 1). Series: (a) $P_{goal}$ without D or M, with D, with D & M; (b) $P_{goal}$ without M, with M; (c) $P_{goal}$ without D or M, with D, with D & M. (Figure image not reproduced.)

Table 4.2: Parameter values for countermeasure nodes in ACT

ACT node                 Prob. of countermeasure success   Security investment cost (in $)
D1 (BGP)                 0.5                               10
M1 (BGP)                 0.6                               30
D12 (BGP)                0.8                               10
M12 (BGP)                0.5                               20
D2 (BGP)                 0.7                               15
M2 (BGP)                 0.5                               35
Mswitch (SCADA)          0.25                              15
MrestartG1 (SCADA)       0.4                               25
MrestartG2 (SCADA)       0.5                               20
MrestartG3 (SCADA)       0.6                               30
D12 (MI ACT)             0.5                               10
M12 (MI ACT)             0.6                               30
D412 (MI ACT)            0.8                               10
M412 (MI ACT)            0.5                               20

Figure 4.5: Risk to system ($Risk_{sys}$) (a) for BGP ACT against $p_{A1123}$ (x axis) and $i_{A1123}$ (y axis), (b) for SCADA ACT with both $p_{S1}$ and $p_{G1}$ being varied (x axis) and both $I_{S1}$ and $I_{G1}$ being varied (y axis) and (c) for MI ACT against $p_{A31}$ (x axis) and $i_{A31}$ (y axis). Surface plots; x axis: probability of attack of the leaf node(s) (0 to 1); y axis: impact value of the leaf node(s) in dollars (×10^3); z axis: risk to the system ($Risk_{sys}$, ×10^3). Series: (a) and (c) risk without D or M, with D, with D & M; (b) risk without CM, with CM. (Figure image not reproduced.)

$Risk_{sys}$ of different components in a system can also be compared using its ACT. Figure 4.6(a) shows $Risk_{sys}$ for SCADA ACT against probability of attack values (ranging uniformly from 0 to 1) and impact values of the generator nodes G1, G2 and G3 (ranging uniformly from 0-2×10^5 $) whereas Figure 4.6(b) shows $Risk_{sys}$ for SCADA ACT against probability of attack values (ranging uniformly from 0 to 1) and impact values of the sensor nodes S1, S2 and S3 (ranging uniformly from 0-2×10^5 $). From the surfaces, observe that sensors are higher risk components than the generators.

Figure 4.7(a) shows ROA for the BGP ACT (with and without countermeasures) with the attack cost of leaf node A1123 varying uniformly in the range 0-200 $ and the attack impact value of leaf node A1123 varying uniformly in the range 0-3×10^5 $. As in the case of $Risk_{sys}$, ROA of BGP ACT decreases with the incorporation of detection mechanisms and then increases with the incorporation of mitigation techniques (imperfect mitigations) in the ACT. Figure 4.7(b) shows ROA for the SCADA ACT (with and without countermeasures) with the attack cost of the leaf nodes S1 and G1 varying together in the range 0-200 $ and the impact values of the leaf nodes S1 and G1 varying together in the range 0-3×10^5 $. ROA for SCADA ACT decreases with the incorporation of countermeasures. Figure 4.7(c) shows ROA for the MI ACT (with and without countermeasures) with the attack cost of leaf node A31 varying uniformly in the range 0-200 $ and the attack impact value of leaf node A31 varying uniformly in the range 0-3×10^5 $. From the surfaces we see that for BGP, SCADA and MI ACT, the ROA value is directly proportional to the $I_{goal}$ value and inversely proportional to the $C_{attacker}$ value of the corresponding ACT.

Figure 4.6: $Risk_{sys}$ in SCADA ACT (a) against the probability of attack values (x axis) and attack impact values (y axis) for the generators (G1, G2, G3), (b) against the probability of attack values (x axis) and attack impact values (y axis) for the sensors (S1, S2, S3). Surface plots; z axis: risk to the system. (Figure image not reproduced.)

Figure 4.7: ROA against (a) varying attack impact value $i_{A1123}$ (x axis) and attack cost value $c_{A1123}$ (y axis) of the leaf node A1123 in BGP ACT, (b) varying attack impact value $I_{S1}$, $I_{G1}$ (x axis) and attack cost value $C_{S1}$, $C_{G1}$ (y axis) of leaf nodes S1 and G1 of SCADA ACT and (c) varying attack impact value $i_{A31}$ (x axis) and attack cost value $c_{A31}$ (y axis) of the leaf node A31 in MI ACT. Surface plots; axes: attack cost for the leaf node (in dollars), impact value of the leaf node (in dollars, ×10^3), Return on Attack (ROA). Series: (a) and (c) ROA without D or M, with D, with D & M; (b) ROA without CM, with CM. (Figure image not reproduced.)

Figure 4.8: $P_{goal}$ against the probability that a countermeasure succeeds for (a) BGP ACT, (b) SCADA ACT and (c) MI ACT. Line plots; x axis: probability that the countermeasure works (0 to 1); y axis: probability of attack at the goal ($P_{goal}$). Series: BGP ACT: $P_{goal}$ with CM1 only, with CM12 only, with CM2 only; SCADA ACT: $P_{goal}$ with CM_switchHMI, with CM_restartG3; MI ACT: $P_{goal}$ with only D12 and M12, with only D412 and M412. (Figure image not reproduced.)

Figure 4.8(a) shows $P_{goal}$ for BGP ACT, Figure 4.8(b) shows the $P_{goal}$ value for SCADA ACT and Figure 4.8(c) shows $P_{goal}$ for MI ACT with the probability that a countermeasure works ($p_{CM_i}$) for all the countermeasures in the ACT varying together in the range [0,1]. For BGP, SCADA and MI ACT, it can be seen that $P_{goal}$ decreases with increasing $p_{CM_i}$. Moreover, CM1 and CM12 have the same effect on $P_{goal}$ of BGP ACT and their plots overlap.

Figure 4.9: ROI for each countermeasure (a) against $c_{CM_i}$ (x axis) and $p_{CM_i}$ (y axis) for BGP ACT, (b) against $c_{CM_i}$ (x axis) and $p_{CM_i}$ (y axis) for SCADA ACT and (c) against $c_{CM_i}$ (x axis) and $p_{CM_i}$ (y axis) for MI ACT. Surface plots; axes: security investment cost of a countermeasure ($CM_i$) in dollars, probability that countermeasure $CM_i$ works ($p_{CM_i}$), Return on Investment ($ROI_{CM_i}$). Series: (a) $ROI_{CM_1}$, $ROI_{CM_{12}}$, $ROI_{CM_2}$; (b) ROI(switchHMI), ROI(restartG3); (c) ROI of $CM_{12}$, ROI of $CM_{412}$. (Figure image not reproduced.)

Figure 4.9(a) shows ROI for each countermeasure in BGP ACT, Figure 4.9(b) shows ROI for countermeasures (switch HMI) and (restart G3) for SCADA ACT and Figure 4.9(c) shows ROI for each countermeasure in MI ACT with the security investment cost of the countermeasure ($c_{CM_i}$) varying uniformly in the range 0-100 $ and the corresponding $p_{CM_i}$ varying uniformly in the range [0,1]. For all countermeasures, we observe that ROI = -1 for $p_{CM_i} = 0$. From Figure 4.9(a), it can be seen that ROI from CM2 exceeds that from CM1 or CM12. This allows the security analyst to prioritize the implementation of CM2 in BGP ACT. For SCADA ACT, ROI of (restart G3) exceeds ROI of (switch HMI). Similarly, for MI ACT, ROI of CM412 exceeds ROI of CM12.

32

Page 45: Attack Countermeasure Trees: A Non-state-space Approach ...Attack tree (AT) is one of the widely used combinatorial models in security analysis. The basic formalism of AT does not

5

Optimal Countermeasure Selection

5.1 Optimization Problem

Often the system administrator has to work within a given set of budget constraints which may preclude him from implementing all possible countermeasures. One such objective of a security analyst is to select a subset of countermeasures such that the security investment cost is minimized and the benefit from the countermeasures is maximized. In the following subsections, we discuss different ways of formulating this optimization problem. We first use minimization of the number of countermeasures implemented in the ACT as an objective function and then discuss the use of other objective functions such as minimization of security investment cost, minimization of Pgoal and maximization of ROI for optimization. We have implemented all the relevant optimization algorithms in a MATLAB toolbox. For analysis, we use the BGP ACT [15] of Figure 3.3 and the SCADA ACT [91] of Figure 4.2 as case studies. The values for the input parameters for attack nodes of both ACTs are in Table 4.2 and the values for the input parameters for countermeasure nodes of both ACTs are in Table 4.2.

5.1.1 Single Objective Optimization

In this subsection, we look at single-objective optimization for finding the optimal countermeasure set. From a given system, the security analyst can build its ACT. SHARPE is used to generate the mincuts (attack-countermeasure scenarios) of the ACT. Using the mincuts, the defender can select the minimal set of defense mechanisms covering as many attack events as possible.

Full cover of attack events

Depending on the position of the countermeasures in ACT, we can select the minimum number of defense mechanisms under the condition that all attack events in the ACT are covered (e.g., as in the BGP ACT). As discussed in Section 3.2, a countermeasure in an ACT mincut covers every attack event present in that ACT mincut. The optimization problem, a special case of the set cover problem [16], can be formulated as a binary integer programming problem. Full cover of ACT is achieved if the countermeasures in the optimal set (OPT) cover all the leaf attack events in the ACT. Then the objective function can be given by:

$$F_1 = \min_{\forall OPT \in 2^{CM}} \sum_{i=1}^{n} \mathbb{1}_{OPT}(CM_i) \;:\; \text{covered set} = A \tag{5.1}$$

where A = {A1, A2, A3, ..., Am} is the set of all attack events in ACT and CM = {CM1, CM2, CM3, ..., CMn} is the set of all countermeasures in ACT, n = |CM| and 1_OPT(CMi) is the indicator function such that if CMi ∈ OPT, 1_OPT(CMi) = 1, else 0.

We formulate this optimization problem as a binary integer programming problem. A constraint matrix (T) is generated from the ACT mincuts where the columns represent the countermeasures (CMj) and the rows represent attack events (Ai). Instances of constraint matrix are shown in Figure 5.1. If CMj covers Ai, tij ((i,j)th entry in T) = 1, else tij = 0. To find the optimal countermeasure set, we minimize the number of columns that can be selected from the constraint matrix T, subject to the constraint that each row (attack event) is covered by at least one column (countermeasure). Hence the constraint (covered set = A) can be expressed as

$$\forall A_j \in A, \quad \sum_{i=1}^{n} t_{ij} \times \mathbb{1}_{OPT}(CM_i) \geq 1 \tag{5.2}$$

This optimization problem then reduces to a special case of the set cover problem also known as the ‘unate covering problem’ [48]. We proposed a preliminary version of this greedy algorithm in [64].

To compute the cover, reduction techniques are applied to the constraint matrix. Some terminology relevant to the reduction methods is:

• Essential Columns: Columns that contain the only non-zero entry of a certain row are called essential columns.

• Row Dominance: Row Ai is said to dominate row Aj if row Ai contains at least all the 1-entries in row Aj. Ai is referred to as the dominating row and Aj is referred to as the dominated row.

• Column Dominance: Column CMi is said to dominate column CMj if CMi contains at least all the 1-entries in CMj. CMi is referred to as the dominating column and CMj is referred to as the dominated column.

Instances of essential columns and column dominance are also shown in Figure 5.1. The procedure for reduction of the constraint matrix is described in Table 5.1. A sample run of the procedure REDUCE(OPT, T) on the constraint matrix of the BGP ACT in Figure 3.3 is shown in Figure 5.1. This same reduction technique is used by the Quine-McCluskey method for finding the smallest set of prime implicants that cover a given Boolean sum of minterms. However in case of the Quine-McCluskey method, the case of a cyclic constraint matrix does not arise.

Table 5.1: Procedure for reduction of constraint matrix T

REDUCE(OPT, T) {
1. do {
2.     find essential columns {CM1,...,CMp} in T
       remove essential columns {CM1,...,CMp} from T
       remove rows {A1,...,Aq} covered by the essential columns {CM1,...,CMp} from matrix T
       OPT = OPT ∪ {CM1,...,CMp}
       rebuild matrix T
3.     check for row dominance*
       remove dominating rows {A1,...,Ar} from matrix T
       rebuild matrix T
4.     check for column dominance*
       remove dominated columns {CM1,...,CMs}
       rebuild matrix T
   } while (reduction occurred in T)
5. return (OPT, T)
}

* if two columns (or two rows) dominate each other (i.e., have the same one-entries), we choose one column (or one row) arbitrarily as shown for constraint matrix T4 in Figure 5.1
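As an added example (this is not the thesis's MATLAB toolbox and not code from the thesis), the following Python builds the constraint matrix of Eq. (5.2) from mincuts and implements the REDUCE procedure of Table 5.1 (essential columns, row dominance, column dominance, repeated until nothing changes). The two inputs are constructed from the figures: the BGP constraint matrix T1 of Figure 5.1, entered directly because the BGP mincuts themselves are not listed on this page, and the three mincuts of the TCP sequence number ACT of Figure 5.2. Function and variable names are the example's own.

```python
# Added example: constraint matrix construction and the REDUCE procedure of
# Table 5.1.  A constraint matrix T is a dict: attack event -> set of the
# countermeasures (columns) that cover it, i.e. the row's 1-entries.


def build_constraint_matrix(mincuts):
    """Build T from ACT mincuts given as (attack events, countermeasure) pairs:
    t_ij = 1 iff CM_j appears in a mincut together with A_i."""
    T = {}
    for attacks, cm in mincuts:
        for a in attacks:
            T.setdefault(a, set()).add(cm)
    return T


def essential_columns(T):
    """Columns holding the only 1-entry of some row."""
    return {next(iter(cols)) for cols in T.values() if len(cols) == 1}


def dominating_rows(T):
    """Rows whose 1-entries are a superset of another row's.  The dominating
    row is redundant (covering the dominated row covers it too).  When two
    rows are identical, only the first in sorted order is dropped."""
    removed, rows = set(), sorted(T)
    for i in rows:
        for j in rows:
            if i != j and i not in removed and j not in removed and T[i] >= T[j]:
                removed.add(i)
    return removed


def dominated_columns(T, columns):
    """Columns whose 1-entries are a subset of another column's (the dominated
    column is dropped).  Identical columns: the later one in sorted order goes."""
    rows_of = {c: {r for r, cols in T.items() if c in cols} for c in columns}
    removed, cols = set(), sorted(columns)
    for c in cols:
        for d in cols:
            if c != d and c not in removed and d not in removed and rows_of[c] >= rows_of[d]:
                removed.add(d)
    return removed


def reduce_matrix(T, columns):
    """REDUCE(OPT, T) of Table 5.1.  Returns (OPT, residual T, residual columns).
    An empty residual T means the reduction solved the cover outright; a
    non-empty residual is a cyclic constraint matrix (no essential column and
    no row or column dominance) that the greedy strategy cannot finish."""
    T = {r: set(c) for r, c in T.items()}
    columns, opt, reduced = set(columns), set(), True
    while reduced:
        reduced = False
        ess = essential_columns(T)
        if ess:                                   # step 2
            opt |= ess
            T = {r: c - ess for r, c in T.items() if not (c & ess)}
            columns -= ess
            reduced = True
        dom_rows = dominating_rows(T)
        if dom_rows:                              # step 3
            T = {r: c for r, c in T.items() if r not in dom_rows}
            reduced = True
        dom_cols = dominated_columns(T, columns)
        if dom_cols:                              # step 4
            columns -= dom_cols
            T = {r: c - dom_cols for r, c in T.items()}
            reduced = True
    return opt, T, columns


def is_cyclic(T):
    """True when REDUCE has nothing left to do but rows remain uncovered."""
    return bool(T)


# Constructed input 1: constraint matrix T1 of the BGP ACT as shown in Figure 5.1.
BGP_COLUMNS = ["CM1", "CM12", "CM2"]
BGP_T = {a: {"CM1", "CM12"} for a in ["A111", "A1121", "A1122", "A1123", "A12"]}
BGP_T["A2"] = {"CM2"}

# Constructed input 2: the three mincuts of the TCP sequence number ACT (Figure 5.2).
TCP_MINCUTS = [(["A1", "A2"], "CM2"), (["A2", "A3"], "CM3"), (["A3", "A1"], "CM1")]
TCP_COLUMNS = ["CM1", "CM2", "CM3"]

if __name__ == "__main__":
    opt, rest, _ = reduce_matrix(BGP_T, BGP_COLUMNS)
    print("BGP ACT: OPT =", sorted(opt), "cyclic residual:", is_cyclic(rest))
    opt, rest, _ = reduce_matrix(build_constraint_matrix(TCP_MINCUTS), TCP_COLUMNS)
    print("TCP ACT: OPT =", sorted(opt), "cyclic residual:", is_cyclic(rest))
```

On the BGP matrix the run ends with OPT = {CM1, CM2} and an empty residual, the same set as Figure 5.1 (the figure applies column dominance before the second essential-column pass, this example follows the step order of Table 5.1; the tie between CM1 and CM12 is broken by sorted order, which is the arbitrary choice the table's footnote allows). On the TCP matrix no step fires, so the residual is the cyclic matrix that Table 5.2 hands to branch and bound.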

For the BGP ACT in Figure 3.3, greedy solution works and returns an optimal countermeasure set of OPT = {CM1,CM2} (as shown in Figure 5.1). However, greedy strategy alone does not work for all ACTs. For the ACT for TCP sequence number attack in Figure 5.2, we see that reduction techniques do not work on the constraint matrix as the matrix is devoid of essential columns, row or column dominance (this form of a matrix is called a cyclic constraint matrix). So greedy strategy will fail to return a solution if the ACT has a constraint matrix that is cyclic or a matrix that after a certain amount of reduction becomes cyclic. This problem is a special case of the ‘unate covering problem’ called the ‘cyclic unate covering problem’. Noel et al. in [54] discussed facing a similar drawback while analyzing attack graphs with their Topological Vulnerability Analysis tool [39] (TVA tool). Ideally if the ACT has a cyclic constraint matrix or has a constraint matrix that is reducible to a cyclic matrix, multiple optimal solutions exist. In this case, one way to find an optimal solution is to do an implicit enumeration of all possible solutions. This also helps avoid computational overhead. We use a branch and bound algorithm to display all possible optimal solutions. For the ACT for TCP sequence number attack in Figure 5.2, the branch and bound algorithm returns all three optimal solutions {CM1,CM2}, {CM2,CM3} and {CM1,CM3}.

Constraint Matrix T1 (CM' = φ):

        CM1  CM12  CM2
A111     1    1     0
A1121    1    1     0
A1122    1    1     0
A1123    1    1     0
A12      1    1     0
A2       0    0     1

CM2 is an essential column (for A2): CM' = CM' ∪ {CM2} = {CM2}. Remove column CM2 and the rows covered by CM2 (A2).

Constraint Matrix T2 (CM' = {CM2}):

        CM1  CM12
A111     1    1
A1121    1    1
A1122    1    1
A1123    1    1
A12      1    1

Rebuild matrix T.

Constraint Matrix T3 (CM' = {CM2}): same entries as T2.

Column dominance: columns CM1 and CM12 dominate each other; CM1 is taken to dominate CM12, so column CM12 is removed.

Constraint Matrix T4: CM' = CM' ∪ {CM1} = {CM1, CM2}.

Figure 5.1: Sample run of the procedure REDUCE(OPT, T) (from Table 5.1) on the constraint matrix T for the BGP ACT in Figure 3.3


Table 5.2: Algorithm for finding the optimal countermeasure set for an ACT with objective function F1

OPTCMACT(ACT mincuts from SHARPE) {
1. Build A and CM.
   where, A = set of attack events in ACT
          CM = set of all countermeasures
          OPT (optimal set of countermeasures) = φ
          m = |A|; n = |CM|
2. Initialize the m × n constraint matrix (T)
   for every Ai ∈ A
       for every CMj ∈ CM
           if (attack event Ai is covered by countermeasure CMj)
               set tij = 1
           else set tij = 0
           end if
       end for
   end for
3. (OPT, T) = REDUCE(OPT, T)   /* call matrix reduction */
4. if (T is a column matrix (CMk))
       OPT = OPT ∪ {CMk}   /* greedy solution works */
   else   /* matrix T is cyclic (a): cyclic unate covering problem, call branch and bound */
       OPT = OPT ∪ B&BACT(P = φ, T, OPT1 = φ, ZL = 0, ZU = ∞, cCM = {1, 1, ..., 1})   (b)
   end if
5. return OPT
}

(a) an ACT with a cyclic constraint matrix is shown in Figure 5.2
(b) Here B&BACT is called for a subproblem of the original problem if after a certain amount of reduction we are left with a cyclic constraint matrix. Here in case of objective function F1, cCM is a set of all ones in the call to B&BACT.

To transition into the discussion of a suitable branch and bound algorithm for our purposes, we start with objective function F2 shown in Eq. (5.6), that aims to minimize the security investment cost in the system (constraint being full cover of A). We can see that F2 is a general version of the objective function F1 where ∀CMi, cCMi = 1.

$$F_2 = \min_{\forall OPT \in 2^{CM}} \sum_{i=1}^{n} \mathbb{1}_{OPT}(CM_i) \times c_{CM_i} \tag{5.3}$$

[Figure 5.2: ACT for TCP sequence number attack. GOAL: Integrity Compromise (TCP sequence number attack), an OR of three AND subtrees (Blind spoofing attack, Non-blind spoofing attack, Partially blind spoofing attack) over the attack events A1: Guess sequence number, A2: Inject valid BGP message and A3: Sniff traffic, with the countermeasures CM1': Sequence Number Randomization, CM2': MD5 authentication and CM3': Remove Sniffer.]

ACT mincuts: A1 A2 CM2'; A2 A3 CM3'; A3 A1 CM1'

Constraint Matrix T (cyclic matrix):

      CM1  CM2  CM3
A1     1    1    0
A2     0    1    1
A3     1    0    1

No essential columns, no row dominance, no column dominance. Reduction techniques stop without termination: cyclic unate covering problem.

Figure 5.2: Instance of a cyclic constraint matrix using an ACT for TCP sequence number attack

With objective function F2 and the constraint which is still as in Eq. (5.2), the optimization problem is still a binary integer programming problem. To compute the cover under F2, we build a recursion tree of all possible solutions looking for the optimal solution. After the first ‘best possible solution’ is found, the tree is pruned whenever we come across a solution that is worse than the best possible solution. Some terminology relevant to the branch and bound algorithm is as follows:

• Partial Solution: A partial solution consists of a subset of the entire solution space. For our purposes let us consider that the solution space can be represented as {1_OPT(CM1), 1_OPT(CM2), ..., 1_OPT(CMm−1), 1_OPT(CMm), ..., 1_OPT(CMn−1), 1_OPT(CMn)}. If at some stage, we have a partial solution of the form P = {1_OPT(CM1), 1_OPT(CM2), ..., 1_OPT(CMm−1), 1_OPT(CMm)} = {1,0,...,0,1}, then this leaves us with a partial solution of {1,0,...,0,1,..., 1_OPT(CMn−1), 1_OPT(CMn)}. Note that the size of the partial solution reflects the depth of the recursion tree for the branch and bound algorithm where search is at that point of time.

• Upper Bound (ZU): An upper bound for the value of the objective function is assumed to be available. This is the value of the objective function for the best feasible solution found so far. If no solution has been found, upper bound is assumed to be ∞.

• Lower Bound (ZL): For each partial solution, a lower bound for the value of the objective function of the solutions within that subset can be computed.

• Fathoming Rules: A partial solution is said to be fathomed at a certain level of the recursion tree if it can be excluded from further consideration. A partial solution can be fathomed if:

(a) Lower bound of the partial solution exceeds the current upper bound of the objective function, i.e., ZL ≥ ZU.

(b) The subset of solutions under this partial solution contains no feasible solutions. In terms of the constraint matrix T and partial solution {1_OPT(CM1), 1_OPT(CM2), ..., 1_OPT(CMm−1), 1_OPT(CMm)}, the test is:

$$\exists A_j \in A, \quad \sum_{i=1}^{m} t_{ij} \times \mathbb{1}_{OPT}(CM_i) + \sum_{i=m+1}^{n} t_{ij} < 1 \tag{5.4}$$

(c) A feasible solution (with respect to the current upper bound) under that partial solution has already been found. In terms of the constraint matrix T and partial solution {1_OPT(CM1), 1_OPT(CM2), ..., 1_OPT(CMm−1), 1_OPT(CMm)}, the test is:

$$\forall A_j \in A, \quad \sum_{i=1}^{m} t_{ij} \times \mathbb{1}_{OPT}(CM_i) \geq 1 \tag{5.5}$$

The recursive branch and bound algorithm [37] for computing the optimal countermeasure set using objective function F2 is depicted in Table 5.3. For objective function F2, the constraint matrix for the ACT is created and the call B&BACT*(P=φ, T, OPT=φ, ZL=0, ZU=∞, cCM) to the algorithm in Table 5.3 returns an optimal countermeasure set corresponding to objective function F2 (where cCM = {cCM1, cCM2, ..., cCMn}). The corresponding procedure for computation of lower bound is shown in Table 5.5. It is noted that the objective function F1 is a special case of objective function F2 where ∀CMi, cCMi = 1. Using the algorithm in Table 5.2 on the ACT for TCP Sequence Number attack (shown in Figure 5.2) with objective function F1, we get the optimal countermeasure set as {CM1,CM2}. Here one of the three optimal solutions is selected by the branch and bound algorithm. For the BGP ACT, using F2 returns an optimal countermeasure set of {CM12,CM2} with minimum security investment cost = 80$.

In the absence of a cyclic constraint matrix, the algorithm in Table 5.2 is solvable in polynomial time [16]. Runtime = (total number of attack events in the ACT) * (total number of defense mechanisms in the ACT) * min(|no. of attack events|, |no. of defense mechanisms|) = O(mn * min(m,n)), which indicates polynomial runtime. Assuming a reasonable security investment cost (acceptable values of n), the worst case runtime is also polynomial. In the best case, the size of the recursion tree generated by the branch and bound algorithm in Table 5.3 is linear in the number of variables (no. of countermeasures) [74]. A sample run of the algorithm in Table 5.3 with objective function F2 on an ACT that forms a 4×4 cyclic constraint matrix is shown in Figure 5.3. The search tree shown has 13 nodes as opposed to 31 (2^(4+1) − 1) nodes in its explicit enumeration search tree.

Other objective functions: Other objective functions can also be used to make a selection of the optimal countermeasure set (in each case covered set = A). We use the algorithm described in Table 5.3 to find the optimal solution using objective function F3 (where $C_{OPT} = \sum_{i=1}^{n} \mathbb{1}_{OPT}(CM_i) \times c_{CM_i}$ and γ = 10^3 is a normalization constant).

$$F_3 = \min_{\forall OPT \in 2^{CM}} \left( C_{OPT} - \frac{ROI_{OPT} \cdot C_{OPT} + C_{OPT}}{\gamma} \right) \tag{5.6}$$

Using the algorithm in Table 5.3 for objective function F3, we get an optimal countermeasure set of {CM12,CM2} with maximum ROI = 21.

When multiple detection mechanisms (Figure 3.1(e)) or multiple mitigation techniques (Figure 3.1(f)) or both (Figure 3.1(g)) are provided for the same attack event, only one detection mechanism (Figure 3.1(e)) or one mitigation technique (Figure 3.1(f)) or one detection mechanism and one mitigation technique (Figure 3.1(g)) are chosen respectively for the optimal countermeasure set found using objective function F2. This is owing to the fact that the one detection mechanism provides the same cover as two or more detection mechanisms while minimizing security investment cost. However when looking for the maximum ROI optimal countermeasure set, multiple detection mechanisms under the same attack event may have higher ROI than one detection mechanism. Hence the optimal countermeasure set obtained using objective function F3 can have two or more detection mechanisms or mitigation techniques or both for the same attack event.

Table 5.3: Recursive Branch and Bound algorithm for finding optimal countermeasure set using objective function F2 (continued in Table 5.4)

B&BACT*(P, T, OPT, ZL, ZU, cCM) {
1. /* compute current lower bound */
   ZL = LOWER_BOUND(P, ZL, cCM)   /* set lower bound */
2. /* Fathoming Test 1: is current solution bounded? */
   if (ZL ≥ ZU)
       return (OPT, ZU)   /* return current optimal */
   /* end Fathoming Test 1 */
   else
3. /* Fathoming Test 2: are there any feasible solutions in this subtree? */
   for every Ai ∈ A
       sumi = 0
       for every 1_OPT(CMj) ∈ P
           sumi = sumi + tij * 1_OPT(CMj)
       end for
       for every 1_OPT(CMj) ∉ P & CMj ∈ CM
           sumi = sumi + tij
       end for
       if (sumi = 0)   /* current solution is bounded */
           return (OPT, ZU)   /* return current optimal */
       end if
   end for   /* end Fathoming Test 2 */
4. /* Fathoming Test 3: is current P a feasible solution for this subtree? */
   flag = 0
   for every Ai ∈ A   /* for every row */
       sumi = 0
       for every 1_OPT(CMj) ∈ P
           sumi = sumi + tij * 1_OPT(CMj)
       end for
       if (sumi = 0)
           flag = 1
       end if
   end for
   if (flag = 0)   /* found new optimal */
       k = |P|
       set all 1_OPT(CMk+1) to 1_OPT(CMn) to 0
       OPT = P ∪ {1_OPT(CMk+1), 1_OPT(CMk+2), ..., 1_OPT(CMn)}   /* set new optimal */

* here we use a branch and bound algorithm with lower bounds computation corresponding to the respective objective function

Table 5.4: Recursive Branch and Bound algorithm for finding optimal countermeasure set using objective function F2 (contd.)

       ZU = ZL   /* set new upper bound = current ZL */
       return (OPT, ZU)   /* return new optimal */
   else
5. /* Fathoming Test 3 failed: Branch */
       1_OPT(CMk) = 1
       (OPT, ZU) = B&BACT(P ∪ 1_OPT(CMk), T, OPT, ZL, ZU, cCM)
       if (OPT = P ∪ 1_OPT(CMk))   /* skip the right subtree */
           return (OPT, ZU)   /* return current optimal */
       else   /* search the right subtree */
           1_OPT(CMk) = 0
           (OPT, ZU) = B&BACT(P ∪ 1_OPT(CMk), T, OPT, ZL, ZU, cCM)
           return (OPT, ZU)   /* return optimal */
       end if
   end if
}

Table 5.5: Procedure for computing the lower bound for objective function F2

LOWER_BOUND(P, ZL, cCM) {
1. k = |P|
2. if 1_OPT(CMk) = 1
       ZL = ZL + cCMk
       return ZL   /* return new lower bound */
   else
       return ZL   /* return old lower bound */
   end if
}

[Figure 5.3: search tree of B&BACT on a 4×4 cyclic constraint matrix, annotated at every node with ZL and ZU and, at every closed leaf, the fathoming test that closed it. Constraint matrix T and costs:

        CM1  CM2  CM3  CM4
A1       1    1    0    0
A2       0    1    1    0
A3       0    0    1    1
A4       1    0    0    1
Cost in $  10   20   15   25

The root starts from ZL = 0, ZU = ∞; the first feasible solution found by Fathoming Test 3 is 1110 with ZU = ZL = 45, the final solution is 1010 with ZU = ZL = 25, and the remaining branches are closed by Fathoming Tests 1 and 2.]

Figure 5.3: Sample run of the algorithm in Table 5.3 on a cyclic constraint matrix T


Partial cover of attack events

Researchers have proposed building security models for networked systems using paradigms such as attack trees and then finding attack paths in these models to determine scenarios that could lead to damage. However sometimes the system administrators are more interested in finding the best possible way of defending their system given an enumerated set of countermeasures. This can be formulated into an optimization problem termed as ‘partial cover’. Depending on the motivation behind partial cover, it may be of two types:

(a) Partial cover with intent: The system administrator has to work within a given set of budget constraints which may preclude him from implementing all possible countermeasures or even countermeasures that cover all the weak spots. Due to cost constraints, this minimum set of countermeasures can cover only a subset of all the leaf attack events in the ACT; this subset of the set of all attack events (A) is termed as the ‘critical vulnerability set’ (CVS) or the ‘critical component set’.

(b) Partial cover without intent: When the number of countermeasures provided or found are insufficient in covering all the attack events in the ACT (e.g., as in case of the SCADA ACT), the system administrator is said to be performing partial cover without intent.

The subset of all attack events not being covered is a measure of the system’s ‘risk exposure’. The problem then reduces to a special case of the full cover problem. The objective function is same as in Eq. (5.1) but the constraint changes for partial cover as shown below:

$$F_1 = \min_{\forall OPT \in 2^{CM}} \sum_{i=1}^{n} \mathbb{1}_{OPT}(CM_i) \;:\; \text{covered set} = CVS \tag{5.7}$$

The constraint, covered set = CVS, can be otherwise expressed as

$$\forall A_j \in CVS, \quad \sum_{i=1}^{n} t_{ij} \times \mathbb{1}_{OPT}(CM_i) \geq 1 \tag{5.8}$$
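As an added example (not the thesis's MATLAB toolbox and not code from the thesis), the following Python implements the recursive branch and bound of Tables 5.3 to 5.5: the cost lower bound, the three fathoming tests of Eq. (5.4) and (5.5), and branching on the next undecided countermeasure. It takes the set of rows to cover as a parameter so that one routine serves both the full cover of Eq. (5.2) (all rows) and the partial cover of Eq. (5.8) (only the rows in CVS). It explores both subtrees at every branch instead of applying the right-subtree skip of Table 5.4. Inputs are constructed from the figures: the 4×4 cyclic matrix and costs of Figure 5.3, and the TCP matrix of Figure 5.2 with unit costs (objective F1 as in the call in Table 5.2); the CVS used in the partial-cover run is an assumption of this example, not one given in the thesis.

```python
import math


def branch_and_bound(T, columns, costs, covered_set=None):
    """Minimum-cost set of columns covering every row in covered_set.
    T: row -> set of covering columns (the row's 1-entries); columns: the
    decision order CM1..CMn; costs: column -> c_CMi.  covered_set=None means
    full cover (Eq. 5.2); a list of rows means partial cover (Eq. 5.8).
    Returns (optimal set, its cost, number of search-tree nodes visited)."""
    rows = list(T) if covered_set is None else list(covered_set)
    cols = list(columns)
    best = {"opt": None, "zu": math.inf}       # Z_U: best feasible cost so far
    visited = [0]

    def search(k, chosen, zl):
        # k columns decided so far; `chosen` holds those set to 1;
        # zl is the lower bound of Table 5.5 (cost of the chosen columns)
        visited[0] += 1
        if zl >= best["zu"]:                   # Fathoming Test 1: ZL >= ZU
            return
        undecided = set(cols[k:])
        for r in rows:                         # Fathoming Test 2 (Eq. 5.4)
            if not (T[r] & (chosen | undecided)):
                return                         # row r can never be covered here
        if all(T[r] & chosen for r in rows):   # Fathoming Test 3 (Eq. 5.5)
            best["opt"], best["zu"] = set(chosen), zl   # rest set to 0, ZU = ZL
            return
        if k == len(cols):                     # nothing left to branch on
            return
        c = cols[k]                            # branch on the next countermeasure
        search(k + 1, chosen | {c}, zl + costs[c])     # left subtree: 1_OPT(c) = 1
        search(k + 1, chosen, zl)                      # right subtree: 1_OPT(c) = 0

    search(0, frozenset(), 0)
    return best["opt"], best["zu"], visited[0]


# Constructed input 1: the 4x4 cyclic constraint matrix and costs of Figure 5.3.
CYCLIC_COLUMNS = ["CM1", "CM2", "CM3", "CM4"]
CYCLIC_T = {"A1": {"CM1", "CM2"}, "A2": {"CM2", "CM3"},
            "A3": {"CM3", "CM4"}, "A4": {"CM1", "CM4"}}
CYCLIC_COSTS = {"CM1": 10, "CM2": 20, "CM3": 15, "CM4": 25}

# Constructed input 2: the TCP sequence number ACT of Figure 5.2 with unit
# costs, i.e. objective function F1 as called from Table 5.2.
TCP_COLUMNS = ["CM1", "CM2", "CM3"]
TCP_T = {"A1": {"CM1", "CM2"}, "A2": {"CM2", "CM3"}, "A3": {"CM1", "CM3"}}
UNIT_COSTS = {c: 1 for c in TCP_COLUMNS}

# Assumed critical vulnerability set for the partial-cover run (not from the thesis).
ASSUMED_CVS = ["A2", "A3"]

if __name__ == "__main__":
    print("full cover, F2:", branch_and_bound(CYCLIC_T, CYCLIC_COLUMNS, CYCLIC_COSTS))
    print("partial cover, CVS={A2,A3}:",
          branch_and_bound(CYCLIC_T, CYCLIC_COLUMNS, CYCLIC_COSTS, covered_set=ASSUMED_CVS))
    print("TCP ACT, F1:", branch_and_bound(TCP_T, TCP_COLUMNS, UNIT_COSTS))
```

The full-cover run on the Figure 5.3 matrix returns {CM1, CM3} at cost 25, the solution 1010 of the figure, after first recording 1110 at cost 45 and then pruning with Tests 1 and 2; because the right-subtree skip is not applied the node count differs from the figure's 13, but stays well below the 31 nodes of explicit enumeration. Restricting the covered set to the assumed CVS {A2, A3} drops the cost to 15 (CM3 alone), which is the effect of the partial cover constraint of Eq. (5.8). With unit costs the TCP matrix yields a two-countermeasure cover, {CM1, CM2} in this decision order, one of the three optima named in the text.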


The SCADA ACT in Figure 4.2 is an instance of the case of partial cover without intent. Here the system administrator is provided with countermeasures in dealing with corruption in the power load system but none that deal with any corrupt estimates provided by the customers. Optimal countermeasure set is computed using the algorithm in Table 5.2 but with covered set = CVS = {HMI, SCOPF, G1, G2, G3}. The optimal countermeasure sets are OPT1 = {(switch HMI),(restart G1)}, OPT2 = {(switch HMI),(restart G2)} and OPT3 = {(switch HMI),(restart G3)}.

Figure 5.4(a) shows Pgoal for BGP ACT (without countermeasures and under different optimal solutions), Figure 5.4(b) shows Pgoal for SCADA ACT (without countermeasures and under different optimal solutions) with probability of attack value of all the leaf nodes in the ACT varying together in the range [0,1]. From Figure 5.4(a) we find that Pgoal value for BGP ACT decreases with the incorporation of countermeasures, i.e., under the two optimal countermeasure sets (using F1), OPT1 = {CM1,CM2} and OPT2 = {CM12,CM2}. SCADA ACT has only attack and mitigation events. From Figure 5.4(b), we find that Pgoal for SCADA ACT decreases with the incorporation of mitigations, i.e., under the three optimal countermeasure sets (using F1 for partial cover), OPT1, OPT2 and OPT3.

Figure 5.5(a) shows ROI for each set of countermeasures in BGP ACT that provides full cover and Figure 5.5(b) shows ROI for each countermeasure set providing the required partial cover for SCADA ACT with security investment costs of the countermeasures (cCMis) varying uniformly in the range 0-100$ and the corresponding pCMis varying uniformly in the range [0,1]. For all countermeasure sets, we observe that ROI = -1 for all pCMi = 0. From Figure 5.5(a), it can be seen that ROI of {CM1, CM2} exceeds ROI of {CM12, CM2}. In agreement with these results, {CM1, CM2} is returned as the optimal countermeasure set under objective function F3 for BGP ACT. For SCADA ACT, ROI of {switch HMI, restart G3} exceeds ROI of the other countermeasure sets providing the required partial cover. In agreement with these results, {switch HMI, restart G3} is returned as the optimal countermeasure set under objective function F3 for SCADA ACT.

[Figure 5.4: two line plots. (a) x axis: Probability of attack at leaf node of BGP ACT (0 to 1); y axis: Probability of attack at the goal of BGP ACT (0 to 1); curves: Pgoal without D or M, Pgoal with OPT1, Pgoal with OPT2. (b) x axis: Probability of attack at leaf node of SCADA ACT (0 to 1); y axis: Probability of attack at the goal of SCADA ACT (0 to 1); curves: Pgoal_SCADA_ACT_without_M, Pgoal_SCADA_ACT_with_OPT1, Pgoal_SCADA_ACT_with_OPT2, Pgoal_SCADA_ACT_with_OPT3.]

Figure 5.4: Plot of Pgoal vs. probability of attack values of all the leaf nodes of (a) BGP ACT for the ACT with no countermeasure and under the two optimal solutions (OPT1 and OPT2) and (b) SCADA ACT for the ACT with no countermeasure (case 1) and under the three optimal solutions (OPT1, OPT2 and OPT3)

For increasing tree size, runtime for finding optimal countermeasure set using objective function F2 (y-axis) is plotted against the number of leaf nodes (x-axis) in the ACT in Figure 5.6. Our method returns an optimal solution for the ACT with 5000 leaf nodes in almost 25 seconds on a computer system with an Intel(R) Core(TM)2 CPU 1862.103 MHz processor with 2 MB of cache, 4 GB of memory and the CentOS Release 5.4 (Linux 2.6.34) operating system, which is much better than the runtime of the explicit enumeration technique (almost 70 minutes) and slightly better than the runtime of a simple genetic algorithm (nearly 35 seconds) used for the same objective function.

[Figure 5.5: two surface plots. x axis: Security Investment Cost of a countermeasure (CM_i) in dollars (c_CMi), 0 to 100; y axis: Probability that countermeasure CM_i works (p_CMi), 0 to 1; z axis: Return on Investment (ROI), −5 to 25. (a) curves ROI_{CM_1,CM_2} and ROI_{CM_12,CM_2}; (b) curves ROI(switch HMI, restart G1), ROI(switch HMI, restart G2) and ROI(switch HMI, restart G3).]

Figure 5.5: ROI of (a) the different countermeasure sets providing full cover against cCMi (x axis) and pCMi (y axis) for BGP ACT and (b) the different countermeasure sets providing the required partial cover against cCMi (x axis) and pCMi (y axis) for SCADA ACT

5.2 Implementation of Optimization Toolbox

The general use-case diagram for the MATLAB optimization toolbox is shown in Figure 5.7. A general parser reads in results from the SHARPE input and output files to the MATLAB main optimizer module. The main optimizer module then builds the matrix T and interacts with three separate modules that extract values of Pgoal, structural importance measures and ROI from the SHARPE input and output files according to the requirements of the optimization.

[Figure 5.6: runtime plot. x axis: Number of leaf nodes in ACT (0 to 5000); y axis: Runtime in seconds (0 to 70); curves: Runtime with implicit enumeration, Runtime with a SGA, Runtime with explicit enumeration (in minutes).]

Figure 5.6: Runtime plot for optimization with objective function Fmo2 using (i) explicit enumeration, (ii) branch and bound algorithm (in Table 5.3) and (iii) a simple genetic algorithm (SGA) with increasing tree size

[Figure 5.7: use case diagram. SHARPE input files and SHARPE output files pass through the Parser to the Optimizer, which builds the covering matrix. If the objective function is F1 and the matrix is not cyclic, the greedy strategy is used; otherwise (objective function other than F1, or a cyclic matrix) the branch and bound algorithm is used. Both paths end at Display Optimal.]

Figure 5.7: Use case diagram for optimizer

6

Conclusions and Future Work

6.1 Conclusions

In this thesis we have presented attack countermeasure trees which allow us to perform qualitative and probabilistic analysis of the security of a system. Preliminary concepts on combinatorial models and related work in reference to the context of the use of combinatorial models in security modeling are presented in Chapter 2. The basic model for ACT and its corresponding analysis is presented in Chapter 3. We take into account attacks as well as countermeasures (in the form of detection mechanisms and mitigation techniques). Detections and mitigations can be placed not just at leaf nodes but also at any intermediate nodes (Section 3.1). Qualitative analysis (Section 3.2) in the form of mincuts can be used for the automated generation and analysis of attack scenarios and attack-countermeasure scenarios. Events in ACT can be prioritized with the help of structural and Birnbaum importance measures. Probabilistic analysis (using measures such as attack and security investment cost, Birnbaum importance measure, system risk, impact of an attack, ROI and ROA) can be performed in an integrated manner (Section 3.2). Implementation of ACT model in SHARPE is presented in Chapter 4 along with results from the analysis of case studies. ACT allows for fast and efficient computation of optimal defense strategies for large systems using single and multi-objective optimization based on a combinatorial model while at the same time avoiding the state-space explosion problem.

6.2 Future Work

Although we have built attack countermeasure trees, implemented an ACT analysis module in SHARPE and developed algorithms for selecting an optimal set of countermeasures from the ACT, many issues remain to be addressed. Future work includes:

• Computation of probability-of-attack values by applying Bayesian inference rules to data gathered by an IDS, namely SNORT [91], over a certain period of time.

• Concurrent and sequential application of countermeasures in an ACT, which needs to be addressed by the use of state-space models.


Table 1: SHARPE code for computing mincuts of SCADA ACT

actree scadawd
basic S1 prob(ps1)
basic S2 prob(ps2)
basic S3 prob(ps3)
basic HMI prob(pHMI)
basic switch prob(pswitch)
basic SCOPF prob(pscopf)
basic G1 prob(pg1)
basic restartG1 prob(prstg1)
basic G2 prob(pg2)
basic restartG2 prob(prstg2)
basic G3 prob(pg3)
basic restartG3 prob(prstg3)
basic DB prob(pDB)
basic WAN prob(pWAN)
basic WS prob(pWS)
basic WSE prob(pWSE)
basic LAN prob(pLAN)
kofn kofn0 2, 3, S1 S2 S3
and and2 HMI switch
and and0 and2 SCOPF
and and3 G1 restartG1
and and4 G2 restartG2
and and5 G3 restartG3
and and1 and3 and4 and5
or or0 DB WAN WS
or or1 kofn0 WSE
or or2 and0 and1
or or3 or1 LAN or2
or or4 or0 or3
end
mincuts(scadawd)
end
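The same SCADA ACT of Table 1, re-expressed in Python as an added example (not the thesis's SHARPE code and not its mincut routine): it enumerates the mincuts bottom-up, computes the probability of the top event under independent leaves, and gives the Birnbaum importance of a leaf event. The leaf probabilities in P are constructed values standing in for the SHARPE variables ps1, pHMI, etc.

```python
from itertools import combinations
from functools import reduce

# Added example (not the thesis's SHARPE code): the SCADA ACT of Table 1 as nested
# tuples ("basic", name), ("and", kids), ("or", kids), ("kofn", k, kids).
def B(n): return ("basic", n)
def AND(*c): return ("and", list(c))
def OR(*c): return ("or", list(c))
def KOFN(k, *c): return ("kofn", k, list(c))

SCADA_ACT = OR(                                              # or4 (top event)
    OR(B("DB"), B("WAN"), B("WS")),                          # or0
    OR(OR(KOFN(2, B("S1"), B("S2"), B("S3")), B("WSE")),     # or3, or1, kofn0
       B("LAN"),
       OR(AND(AND(B("HMI"), B("switch")), B("SCOPF")),       # or2, and0, and2
          AND(AND(B("G1"), B("restartG1")), AND(B("G2"), B("restartG2")),
              AND(B("G3"), B("restartG3"))))))               # and1, and3..and5

def leaves(node):
    return {node[1]} if node[0] == "basic" else set().union(*map(leaves, node[-1]))
P = {leaf: 0.0 for leaf in leaves(SCADA_ACT)}  # constructed probabilities, not the thesis's
P.update(S1=0.5, S2=0.5, S3=0.5)
def _minimize(cuts):  # drop any cut that strictly contains another cut
    return {c for c in cuts if not any(o < c for o in cuts)}

def mincuts(node):
    """Minimal cut sets (attack / attack-countermeasure scenarios), bottom-up."""
    kind = node[0]
    if kind == "basic":
        return {frozenset([node[1]])}
    if kind == "or":                      # any child's cut is a cut of the gate
        return _minimize(set().union(*(mincuts(c) for c in node[1])))
    if kind == "and":                     # one cut from every child, unioned
        return _minimize(reduce(lambda acc, c: {a | b for b in mincuts(c) for a in acc},
                                node[1], {frozenset()}))
    k, kids = node[1], node[2]            # k-of-n = OR over ANDs of the k-subsets
    return mincuts(OR(*(AND(*sub) for sub in combinations(kids, k))))

def p_attack(node, p):
    """Probability of the top event; leaves independent with P[name] = p[name]."""
    kind = node[0]
    if kind == "basic":
        return p[node[1]]
    if kind == "and":
        return reduce(lambda acc, c: acc * p_attack(c, p), node[1], 1.0)
    if kind == "or":
        return 1.0 - reduce(lambda acc, c: acc * (1.0 - p_attack(c, p)), node[1], 1.0)
    k, kids = node[1], node[2]
    dist = [1.0] + [0.0] * len(kids)      # dist[j] = P[exactly j of the kids succeed]
    for q in [p_attack(c, p) for c in kids]:
        dist = [dist[j] * (1 - q) + (dist[j - 1] * q if j else 0.0) for j in range(len(dist))]
    return sum(dist[k:])

def birnbaum(node, p, event):  # Birnbaum importance: P(top | event) - P(top | not event)
    return p_attack(node, {**p, event: 1.0}) - p_attack(node, {**p, event: 0.0})
```

With these values the model has ten mincuts (five single-leaf cuts, the three 2-of-3 server pairs, the HMI/switch/SCOPF cut and the generator cut) and a top-event probability of 0.5, carried entirely by the server k-of-n gate.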


Bibliography

[1] E. G. Amoroso. Fundamentals of Computer Security Technology. Prentice-Hall, Inc., 1994.

[2] G. H. Baker and A. Berg. Supervisory Control and Data Acquisition (SCADA) Systems. The Critical Infrastructure Protection Report 1.6, 2002.

[3] Z. W. Birnbaum. On The Importance of Different Components in a Multicomponent System. In P. R. Krishnaiah, editor, Multivariate Analysis - II, pages 581–592. Academic Press, New York, NY, USA, 1969.

[4] Z. W. Birnbaum. On The Importance of Different Components in a Multicomponent System. 1969.

[5] S. Bistarelli, M. Dall'Aglio, and P. Peretti. Strategic Games on Defense Trees. LNCS, 4691:1–15, 2007.

[6] S. Bistarelli, P. Peretti, and I. Trubitsyna. Defense trees for economic evaluation of security investments. In Proc. ARES, pages 8–15, 2006.

[7] S. Bistarelli, P. Peretti, and I. Trubitsyna. Answer Set Optimization for and/or Composition of CP-Nets: A Security Scenario. LNCS, 4741:773, 2007.

[8] P. J. Boland, F. Proschan, and Y. L. Tong. Optimal arrangement of components via pairwise rearrangements. Naval Research Logistics, 36(6), 1989.

[9] P. J. Brooke and R. F. Paige. Fault trees for security system design and analysis. Computers & Security, 22(3):256–264, 2003.

[10] R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, 100(35):677–691, 1986.

[11] D. A. Butler. A complete importance ranking for components of binary coherent systems, with extensions to multi-state systems. Technical report, Stanford Univ., Calif. Dept. of Operations Research, 1977.


[12] J. W. Butts, R. F. Mills, and R. O. Baldwin. Developing an insider threat model using functional decomposition. Computer Network Security, pages 412–417, 2005.

[13] E. J. Byres, M. Franz, and D. Miller. The use of attack trees in assessing vulnerabilities in SCADA systems. In Proc. IISW, 2004.

[14] H. Chen, Y. Xiao, X. Hong, F. Hu, and J. L. Xie. A survey of anonymity in wireless communication systems. Security and Communication Networks, 2(5):427–444, 2009.

[15] S. Convery, D. Cook, and M. Franz. An Attack Tree for the Border Gateway Protocol. Cisco Internet draft, 2002.

[16] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms. MIT Press, 2001.

[17] M. Cremonini and P. Martini. Evaluating information security investments from attackers perspective: the Return-On-Attack (ROA). In Proc. Fourth Workshop on the Economics of Information Security, 2005.

[18] K. Daley, R. Larson, and J. Dawkins. A Structural Framework for Modeling Multi-stage Network Attacks. In Proc. ICPPW, pages 1530–1536, 2002.

[19] C. S. Date and C. Duration. ReSIST: Resilience for Survivability in IST.

[20] J. Dawkins and J. Hale. A systematic approach to multi-stage network attack analysis. In Proc. IEEE Int. Information Assurance Workshop, pages 48–56, 2004.

[21] R. Dewri, N. Poolsappasit, I. Ray, and D. Whitley. Optimal security hardening using multi-objective optimization on attack tree models of networks. In Proc. CCS, pages 204–213. ACM, 2007.

[22] P. Ebinger and T. Bucher. Modelling and Analysis of Attacks on the MANET Routing in AODV. LNCS, 4104:294, 2006.

[23] K. Edge, R. Raines, M. Grimaila, R. Baldwin, R. Bennington, and C. Reuter. Using Attack and Protection Trees to Analyze Threats and Defenses to Homeland Security. In Proc. MILCOM, pages 1–7, 2006.


[24] K. Edge, R. Raines, M. Grimaila, R. Baldwin, R. Bennington, and C. Reuter. The Use of Attack and Protection Trees to Analyze Security for an Online Banking System. In Proc. HICSS, pages 144–151, 2007.

[25] K. S. Edge. A Framework for Analyzing and Mitigating the Vulnerabilities of Complex Systems via Attack and Protection Trees. PhD thesis, Air Force Institute of Technology, 2007.

[26] J. H. Espedalen and H. I. Gjovik. Attack Trees Describing Security in Distributed Internet-Enabled Metrology. Technical report, Institutt for informatikk og medieteknikk, 2007.

[27] B. Foo, Y. S. Wu, Y. C. Mao, S. Bagchi, and E. Spafford. ADEPTS: Adaptive Intrusion Response Using Attack Graphs in an E-Commerce Environment. In Proc. DSN, pages 508–517, 2005.

[28] I. N. Fovino and M. Masera. Through the Description of Attacks: A Multidimensional View. LNCS, 4166:15, 2006.

[29] I. N. Fovino, M. Masera, and A. De Cian. Integrating Cyber Attacks Within Fault Trees. Reliability Engineering & System Safety, 94(9):1394–1402, 2009.

[30] R. M. Fricks and K. S. Trivedi. Importance analysis with Markov chains. In Proc. Reliability and Maintainability Symp., pages 89–95. IEEE, 2003.

[31] R. M. Fuhrer. Sequential Optimization of Asynchronous and Synchronous Finite-state Machines: Algorithms and Tools. PhD thesis, Columbia University, 1999.

[32] C. Fung, Y. L. Chen, X. Wang, J. Lee, R. Tarquini, M. Anderson, and R. Linger. Survivability analysis of distributed systems using attack tree methodology. In Proc. MILCOM, pages 583–589, 2005.

[33] Z. Gan, J. Tang, P. Wu, and V. Varadharajan. A Novel Security Risk Evaluation for Information Systems. In Proc. FCST, pages 67–73, 2007.

[34] G. Goodell, W. Aiello, T. Griffin, J. Ioannidis, P. McDaniel, and A. Rubin. Working around BGP: An incremental approach to improving security and accuracy of interdomain routing. In Proc. NDSS, volume 3, 2003.

[35] M. V. Higuero, J. J. Unzilla, E. Jacob, P. Saiz, M. Aguado, and D. Luengo. Application of ‘Attack Trees’ Technique to Copyright Protection Protocols Using Watermarking and Definition of a New Transactions Protocol SecDP (Secure Distribution Protocol). LNCS, 3311:264–275, 2004.

[36] M. V. Higuero, J. J. Unzilla, E. Jacob, P. Saiz, M. Aguado, and D. Luengo. Application of ‘attack trees’ in security analysis of digital contents e-commerce protocols with copyright protection. In Proc. CCST, pages 57–60, 2005.

[37] F. S. Hillier, G. J. Lieberman, and G. J. Liberman. Introduction to Operations Research. McGraw-Hill, New York, 1990.

[38] X. Hu and Z. M. Mao. Accurate real-time identification of IP prefix hijacking. In Proc. IEEE S & P, pages 3–17, 2007.

[39] S. Jajodia, S. Noel, and B. O'Berry. Topological analysis of network attack vulnerability. Managing Cyber Threats, 5(3):247–266, 2006.

[40] M. Kaaniche. Resilience evaluation with regard to accidental and malicious threats. ReSIST Summer School, 2007.

[41] F. Kargl, A. Klenk, S. Schlott, and M. Weber. Advanced detection of selfish or malicious nodes in ad hoc networks. LNCS, 3313:152–165, 2005.

[42] P. Kearney and L. Brugger. A risk-driven security analysis method and modelling language. BT Technology J., 25(1):141–153, 2007.

[43] R. Kuhn, K. Sriram, and D. Montgomery. Border gateway protocol security: Recommendations of the national institute of standards and technology. NIST Special Publication 800-54, 2007.

[44] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang. PHAS: A prefix hijack alert system. In Proc. USENIX Security Symp., 2006.

[45] S. Lathrop, J. Hill, and J. Surdu. Modeling Network Attacks. In Proc. 12th Conf. Behavior Representation in Modeling and Simulation, pages 401–407, 2003.

[46] B. B. Madan and K. S. Trivedi. Security Modeling and Quantification of Intrusion Tolerant Systems Using Attack-response Graph. J. of High Speed Networks, 13(4):297–308, 2004.

[47] S. Mauw and M. Oostdijk. Foundations of Attack Trees. LNCS, 3935:186–198, 2006.


[48] E. L. McCluskey. Minimization of Boolean functions. Bell Systems Technology Journal, 35:1417–1444, 1959.

[49] M. A. McQueen, W. F. Boyer, M. A. Flynn, and G. A. Beitel. Time-to-compromise Model for cyber risk reduction estimation. In First Workshop on Quality of Protection. Springer, 2005.

[50] F. C. Meng. Comparing the importance of system components by some structural characteristics. IEEE Trans. on Reliability, 45(1):59–65, 1996.

[51] J. Mirkovic and P. Reiher. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 34(2):39–53, 2004.

[52] A. P. Moore, R. J. Ellison, and R. C. Linger. Attack Modeling for Information Security and Survivability. CMU/SEI-2001-TN-001, 2001.

[53] D. M. Nicol, W. H. Sanders, and K. S. Trivedi. Model-based evaluation: From dependability to security. IEEE Trans. on Dependable and Secure Computing, 1(1):48–65, 2004.

[54] S. Noel and S. Jajodia. Optimal IDS sensor placement and alert prioritization using attack graphs. J. of Network and Systems Management, 16(3):259–275, 2008.

[55] T. Olzak. A Practical Approach to Threat Modeling. Technical report, Erudio Security, LLC, 2006.

[56] R. Ortalo, Y. Deswarte, and M. Kaaniche. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans. on Software Engineering, 25(5):633–650, 1999.

[57] E. K. Park, J. B. Yun, and H. P. In. Simulating Cyber Intrusion Using Ordered UML Model-based Scenarios. LNCS, 3398:643–651, 2005.

[58] T. Qiu, L. Ji, D. Pei, J. Wang, J. Xu, and H. Ballani. LOCK: Locating Countermeasure-Capable Prefix Hijackers. In Proc. USENIX Security Symp., 2008.

[59] P. A. S. Ralston, J. H. Graham, and J. L. Hieb. Cyber security risk assessment for SCADA and DCS networks. ISA Transactions, 46(4):583–594, 2007.


[60] A. Rauzy. New Algorithms for Fault Tree Analysis. Reliability Engineering & System Safety, 40(3):203–211, 1993.

[61] I. Ray and N. Poolsapassit. Using attack trees to identify malicious attacks from authorized insiders. LNCS, 3679:231–246, 2005.

[62] I. Ray, N. Poolsappasit, and R. Dewri. An Opinion Model for Evaluating Malicious Activities in Pervasive Computing Systems. LNCS, 5094:297–312, 2008.

[63] A. Roy, D. Kim, and K. S. Trivedi. ACT: Attack Countermeasure Trees for Information Assurance Analysis. In Proc. INFOCOM (poster). IEEE, 2010.

[64] A. Roy, D. Kim, and K. S. Trivedi. Cyber Security Analysis using Attack Countermeasure Trees. In Proc. CSIIRW. ACM, 2010.

[65] A. Roy, D. S. Kim, and K. S. Trivedi. ACT: Towards unifying the constructs of attack and defense trees. J. of Security and Communication Networks, SI: Insider Threats, 2011.

[66] R. Rudell. Logic Synthesis for VLSI Design. PhD thesis, University of California, Berkeley, 1989.

[67] R. Sahner, K. S. Trivedi, and A. Puliafito. Performance and Reliability Analysis of Computer Systems: An Example-based Approach Using the SHARPE Software Package. Kluwer Academic, 1999.

[68] K. Sarda, D. Wijesekera, and S. Jajodia. Implementing consistency checking in correlating attacks. LNCS, 3347:379–384, 2004.

[69] T. Schaberreiter, C. Wieser, I. Sanchez, J. Riekki, and J. Röning. An Enumeration of RFID Related Threats. In Proc. of the 2008 Second Int. Conf. on Mobile Ubiquitous Computing, Systems, Services and Technologies, pages 381–389. IEEE Computer Society, 2008.

[70] B. Schneier. Modeling Security Threats. Dr. Dobb's Journal, 24(12), 1999.

[71] B. Schneier. Secrets and Lies: Digital Security in a Networked World. John Wiley and Sons Inc., 2000.

[72] Isograph Software. Attacktree+. http://www.isograph-software.com/atpover.htm.


[73] A. K. Somani and K. S. Trivedi. Phased-mission system analysis using Boolean algebraic methods. In Proc. ACM SIGMETRICS Conf. on Measurement and Modeling of Computer Systems, pages 98–107. ACM, New York, NY, USA, 1994.

[74] P. Somol, P. Pudil, and J. Kittler. Fast branch & bound algorithms for optimal feature selection. IEEE Transactions on Pattern Analysis and Machine Intelligence, pages 900–912, 2004.

[75] E. J. Sondik. The optimal control of partially observable Markov processes. PhD thesis, Stanford Univ. Electronics Labs, 1971.

[76] W. Sonnenreich, J. Albanese, and B. Stout. Return On Security Investment (ROSI): A Practical Quantitative Model. J. of Research and Practice in Information Technology, 38(1):45–56, 2006.

[77] M. Stamatelatos, G. Apostolakis, H. Dezfuli, C. Everline, S. Guarro, P. Moieni, A. Mosleh, T. Paulos, and R. Youngblood. Probabilistic risk assessment procedures guide for NASA managers and practitioners. NASA Office of Safety and Mission Assurance, 2002.

[78] Amenaza Technologies. Securitree. http://www.amenaza.com/software.php.

[79] T. Tidwell, R. Larson, K. Fitch, and J. Hale. Modeling internet attacks. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, volume 59. IEEE, 2001.

[80] K. S. Trivedi, D. S. Kim, A. Roy, and D. Medhi. Dependability and security models. In Proc. DRCN, pages 11–20. IEEE, 2009.

[81] K. S. Trivedi and R. Sahner. SHARPE at the age of twenty two. ACM SIGMETRICS Perf. Eval. Review, 36(4):52–57, 2009.

[82] M. Veeraraghavan and K. S. Trivedi. An improved algorithm for symbolic reliability analysis. IEEE Transactions on Reliability, 40(3):347–358, 1991.

[83] H. Wang and P. Liu. Modeling and evaluating the survivability of an intrusion tolerant database system. LNCS, 4189:207–224, 2006.

[84] Y. Wang, C. Lin, K. Meng, and J. Lv. Analysis of Attack Actions for E-Commerce Based on Stochastic Game Nets Model. Journal of Computers, 4(6):461, 2009.


[85] J. D. Weiss. A System Security Engineering Process. In Proc. of the 14th National Computer Security Conf., 1991.

[86] Z. G. Wu and V. Varadharajan. A Novel Security Risk Evaluation for Information Systems. In Proc. FCST, pages 67–73, 2007.

[87] J. B. Yun, E. K. Park, E. G. Im, and H. P. In. A scalable, ordered scenario-based network security simulator. Systems Modeling and Simulation: Theory and Applications, 3389:487–494, 2005.

[88] X. Zang, H. Sun, and K. S. Trivedi. A BDD-based algorithm for reliability graph analysis, 2000.

[89] X. Zang, D. Wang, H. Sun, and K. S. Trivedi. A BDD-based algorithm for analysis of multistate systems with multistate components. IEEE Trans. on Computers, 52(12):1608–1618, 2003.

[90] Z. Zhang, Y. Zhang, Y. Hu, Z. Mao, and R. S. Bush. Detecting IP Prefix Hijacking on My Own. In Proc. ACM SIGCOMM, 2008.

[91] S. A. Zonouz, H. Khurana, W. H. Sanders, and T. M. Yardley. RRE: A Game-Theoretic Intrusion Response and Recovery Engine. In Proc. DSN, pages 439–448, 2009.
