Formal Template-Based Generation of Attack–Defence Trees for Automated Security Analysis
Systems that integrate cyber and physical aspects to create cyber-physical systems (CPS) are becoming increasingly complex, but demonstrating the security of CPS is hard and security is frequently compromised. These compromises can lead to safety failures, putting lives at risk. Attack Defense Trees with sequential conjunction (ADS) are an approach to identifying attacks on a system and identifying the interaction between attacks and the defenses that are present within the CPS. We present a semantic model for ADS and propose a methodology for generating ADS automatically. The methodology takes as input a CPS system model and a library of templates of attacks and defenses. We demonstrate and validate the effectiveness of the ADS generation methodology using an example from the automotive domain.
Quantitative Verification and Synthesis of Attack-Defence Scenarios
Attack-defence trees are a powerful technique for formally evaluating attack-defence scenarios. They represent in an intuitive, graphical way the interaction between an attacker and a defender who compete in order to achieve conflicting objectives. We propose a novel framework for the formal analysis of quantitative properties of complex attack-defence scenarios, using an extension of attack-defence trees which models temporal ordering of actions and allows explicit dependencies in the strategies adopted by attackers and defenders. We adopt a game-theoretic approach, translating attack-defence trees to two-player stochastic games, and then employ probabilistic model checking techniques to formally analyse these models. This provides a means to both verify formally specified security properties of the attack-defence scenarios and, dually, to synthesise strategies for attackers or defenders which guarantee or optimise some quantitative property, such as the probability of a successful attack, the expected cost incurred, or some multi-objective trade-off between the two. We implement our approach, building upon the PRISM-games model checker, and apply it to a case study of an RFID goods management system.
Time dependent analysis with dynamic counter measure trees
The success of a security attack crucially depends on time: the more time available to the attacker, the higher the probability of a successful attack. Formalisms such as reliability block diagrams, reliability graphs and attack countermeasure trees provide quantitative information about attack scenarios, but they are provably insufficient to model dependent actions which involve costs, skills, and time. In this presentation, we extend attack countermeasure trees with a notion of time, inspired by the fact that there is a strong correlation between the amount of resources the attacker invests (in this case time) and the probability that the attacker succeeds. This allows for an effective selection of countermeasures and for ranking them according to their resource consumption in terms of the costs/skills of installing them and their effectiveness in preventing an attack.
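The three abstracts above (template-generated ADS, quantitative attack-defence analysis, and time-dependent countermeasure trees) share one underlying computation: enumerate the attack scenarios a tree admits, attach attributes such as cost and time-dependent success probability to them, and see how installing a countermeasure changes the attacker's best option. The Python below is an added, constructed example illustrating that computation; it is not code from any of these papers or from their tools (PRISM-games, Uppaal, IMITATOR). Everything in it is assumed rather than taken from the page: the automotive tree, the leaf costs and rates, the defence costs, the model that a leaf succeeds within time budget `t` with probability `1 - exp(-rate*t)`, independence between leaves, and the rule that an installed defence neutralises the node it counters.

```python
"""Bottom-up evaluation of a small attack-defence tree (ADT).

Constructed example, not code from any paper listed on this page.
Assumptions (not from the page): a leaf attack has a cost and a success
rate per time unit, so P(leaf succeeds within budget t) = 1 - exp(-rate*t);
leaves are independent; an installed defence neutralises the attack node it
counters; the attacker commits to one scenario, so the tree's success
probability is that of the best scenario.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Attack:
    name: str
    op: str = "LEAF"                 # LEAF | OR | AND | SAND (sequential AND)
    cost: float = 0.0                # attacker cost, leaves only
    rate: float = 0.0                # success rate per time unit, leaves only
    children: list["Attack"] = field(default_factory=list)
    countered_by: str | None = None  # name of a defence that neutralises this node


def scenarios(node: Attack, defences: frozenset[str]) -> list[tuple[str, ...]]:
    """Enumerate attack scenarios as ordered tuples of leaf names.

    OR: any child's scenarios. AND/SAND: one scenario from each child,
    concatenated; SAND preserves child order, which is why tuples (not sets)
    are used. A node whose defence is installed contributes no scenario, and
    an AND/SAND with such a child yields nothing (product over an empty list).
    """
    if node.countered_by in defences:
        return []
    if node.op == "LEAF":
        return [(node.name,)]
    child_scen = [scenarios(c, defences) for c in node.children]
    if node.op == "OR":
        return [s for cs in child_scen for s in cs]
    if node.op in ("AND", "SAND"):
        return [sum(combo, ()) for combo in product(*child_scen)]
    raise ValueError(f"unknown operator {node.op}")


def leaves(node: Attack) -> dict[str, Attack]:
    """Map leaf name -> leaf node for attribute lookup."""
    if node.op == "LEAF":
        return {node.name: node}
    out: dict[str, Attack] = {}
    for c in node.children:
        out.update(leaves(c))
    return out


def scenario_attributes(tree: Attack, scen: tuple[str, ...], t: float) -> tuple[float, float]:
    """(success probability within budget t, total attacker cost) of one scenario.
    Probability is the product of 1 - exp(-rate*t) over the steps (assumed independent)."""
    lf = leaves(tree)
    p, cost = 1.0, 0.0
    for name in scen:
        p *= 1.0 - math.exp(-lf[name].rate * t)
        cost += lf[name].cost
    return p, cost


def best_attack(tree: Attack, t: float, defences: frozenset[str] = frozenset()):
    """Attacker's best strategy: the scenario with the highest success
    probability within budget t (cheapest on ties). Returns
    (probability, cost, scenario); (0.0, inf, ()) if every scenario is defended."""
    best = (0.0, math.inf, ())
    for scen in scenarios(tree, defences):
        p, c = scenario_attributes(tree, scen, t)
        if p > best[0] or (p == best[0] and c < best[1]):
            best = (p, c, scen)
    return best


def rank_defences(tree: Attack, defence_costs: dict[str, float], t: float):
    """Rank single defences by reduction of the best-attack probability per
    unit of defence cost. Returns [(defence, reduction, reduction_per_cost)]."""
    base_p = best_attack(tree, t)[0]
    ranked = []
    for d, dcost in defence_costs.items():
        reduction = base_p - best_attack(tree, t, frozenset({d}))[0]
        ranked.append((d, reduction, reduction / dcost))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


# Constructed automotive tree (assumed, not from the page): steal a vehicle
# either by a two-step key-fob relay attack (steps in order) or by programming
# a blank key through the diagnostics port (two steps in any order).
STEAL_VEHICLE = Attack("steal_vehicle", "OR", children=[
    Attack("relay_attack", "SAND", countered_by="motion_sensing_fob", children=[
        Attack("capture_fob_signal", cost=200, rate=0.5),
        Attack("relay_to_vehicle", cost=100, rate=0.8),
    ]),
    Attack("obd_key_programming", "AND", children=[
        Attack("physical_access", cost=50, rate=0.3),
        Attack("program_blank_key_via_obd", cost=400, rate=0.4,
               countered_by="secure_diagnostics_auth"),
    ]),
])

# Assumed installation costs of the two candidate defences (constructed).
DEFENCE_COSTS = {"motion_sensing_fob": 30.0, "secure_diagnostics_auth": 80.0}

if __name__ == "__main__":
    for t in (1.0, 2.0, 8.0):
        p, c, s = best_attack(STEAL_VEHICLE, t)
        print(f"t={t}: best attack {s} p={p:.3f} cost={c}")
    for d, red, eff in rank_defences(STEAL_VEHICLE, DEFENCE_COSTS, 2.0):
        print(f"{d}: cuts best-attack probability by {red:.3f} ({eff:.4f} per unit cost)")
```

Two things the abstracts state are visible directly in the output: the best-attack probability grows with the time budget `t`, and the countermeasure ranking depends on where the attacker's best scenario actually lies (here the relay path), so the cheaper fob defence ranks above the diagnostics-port defence, which on its own removes no scenario the attacker would have preferred.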
Formalising attack trees to support economic analysis
Attack trees and attack graphs are both examples of what one might term attack modelling techniques. The primary purpose of such techniques is to help establish and enumerate the ways in which a system could be compromised; as such, they play a key role in the (security) risk analysis process. Given their role and the consequent need to ensure that they are correct, there are good reasons for capturing such artefacts in a formal manner. We describe such a formal approach, which has been motivated by a desire to model attacks from the perspectives of attackers, to support economic analysis. As an illustration, we consider exploitation cost.
Hackers vs. Security: Attack-Defence Trees as Asynchronous Multi-Agent Systems
Attack-Defence Trees (ADTs) are well-suited to assess possible attacks to systems and the efficiency of counter-measures. In this paper, we first enrich the available constructs with reactive patterns that cover further security scenarios, and equip all constructs with attributes such as time and cost to allow quantitative analyses. Then, ADTs are modelled as (an extension of) Asynchronous Multi-Agent Systems (EAMAS). The ADT-EAMAS transformation is performed in a systematic manner that ensures correctness. The transformation allows us to quantify the impact of different agent configurations on metrics such as attack time. Using EAMAS also permits parametric verification: we derive constraints for property satisfaction. Our approach is exercised on several case studies using the Uppaal and IMITATOR tools.
This work was partially funded by the NWO project SEQUOIA (grant 15474), EU project SUCCESS (102112) and the PHC van Gogh PAMPAS. The work of Arias and Petrucci has been supported by the BQR project AMoJA.