on attack/defense trees - satoss.uni.lusatoss.uni.lu/seminars/srm/pdfs/patrick-srm.pdf · on...

On Attack/Defense Trees

Patrick SchweitzerSaToSS, Faculty of Sciences, Communication and Technology

University of Luxembourg

November 17th 2009

1/23

Outline

1 Intuition and overview of existing approaches to model attacks

2 Attack Trees

3 The new approach to include defenses

4 Future work

2/23

Intuition and overview

Intuition

Get money(illegally)

Get moneyfrom a bank

Rob a

bank

Steal from

ATM

S2

S2

S2

Hack into

computer

system

Rob a storeEnter with

a gun2 3.1

4.14.2

4.3

3.2

3.33.4

Enter

disguised

Enter

at night2

Go toloan shark

3/23

Intuition and overview

Intuition

Get money(illegally)

Get moneyfrom a bank

Rob a

bank

Steal from

ATM

S2

S2

S2

Hack into

computer

system

Rob a storeEnter with

a gun2 3.1

4.14.2

4.3

3.2

3.33.4

Enter

disguised

Enter

at night2

Go toloan shark

3/23

Intuition and overview

Intuition

Get money(illegally)

Get moneyfrom a bank

Rob a

bank

Steal from

ATM

S2

S2

S2

Hack into

computer

system

Rob a storeEnter with

a gun2 3.1

4.14.2

4.3

3.2

3.33.4

Enter

disguised

Enter

at night2

Go toloan shark

3/23

Intuition and overview

Guide to modeling attacks

Intuitive start: A mindmap (a special graph)

Problem: Complexity

Solution: Computer support (requires formalism)

Literature: Several approaches

4/23

Intuition and overview

Guide to modeling attacks

Intuitive start: A mindmap (a special graph)

Problem: Complexity

Solution: Computer support (requires formalism)

Literature: Several approaches

4/23

Intuition and overview

Guide to modeling attacks

Intuitive start: A mindmap (a special graph)

Problem: Complexity

Solution: Computer support (requires formalism)

Literature: Several approaches

4/23

Intuition and overview

Guide to modeling attacks

Intuitive start: A mindmap (a special graph)

Problem: Complexity

Solution: Computer support (requires formalism)

Literature: Several approaches

4/23

Intuition and overview

Different approaches to modeling attacks

Attack TreesEssentially all information is contained in the leaves.

Attack Graphs or Attack NetsFinite automata that fulfill security properties;separation of data and processes

Security Pattern DescriptionsDocuments that describe in words the possible attacks on asystem. They are very long exactly like this text which shouldnever have been on the slide because nobody that listens tothe talk reads that much text.

. . .

5/23

Intuition and overview

Different approaches to modeling attacks

Attack TreesEssentially all information is contained in the leaves.

Attack Graphs or Attack NetsFinite automata that fulfill security properties;separation of data and processes

Security Pattern DescriptionsDocuments that describe in words the possible attacks on asystem. They are very long exactly like this text which shouldnever have been on the slide because nobody that listens tothe talk reads that much text.

. . .

5/23

Intuition and overview

Different approaches to modeling attacks

Attack TreesEssentially all information is contained in the leaves.

Attack Graphs or Attack NetsFinite automata that fulfill security properties;separation of data and processes

Security Pattern DescriptionsDocuments that describe in words the possible attacks on asystem. They are very long exactly like this text which shouldnever have been on the slide because nobody that listens tothe talk reads that much text.

. . .

5/23

Attack Trees

1 Intuition and overview of existing approaches to model attacks

2 Attack Trees

3 The new approach to include defenses

4 Future work

6/23

Attack Trees

Attack Trees - the concept

Attack: How to get free food?

7/23

Attack Trees

Attack Trees - the concept

Attack: How to get free food?

Free food

7/23

Attack Trees

Attack Trees - the concept

Attack: How to get free food?

Free food∨

Eat ’n’ runPretendto work

at restaurant

7/23

Attack Trees

Attack Trees - the concept

Attack: How to get free food?

Free food∨

Eat ’n’ run∧

Order meal Sneak out

Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack

7/23

Attack Trees

Attack Trees - the concept

Attack: How to get free food?

Free food∨

Eat ’n’ run∧

Order meal Sneak out

Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack∧

Wait oncustomers

Steal part oftheir food

Sneak out

7/23

Attack Trees

Attack Trees - the concept

Attack: How to get free food?

Free food∨

Eat ’n’ run∧

Order meal Sneak out

Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack∧

Wait oncustomers

Steal part oftheir food

Sneak out

Essentially a set of multisets,e.g.:

{{{Order meal, sneak out}},

{{Ask Chef to prepare}},

{{Wait on customers,

steal part of their food,

sneak out}}}

7/23

Attack Trees

Properties of the existing model

Important properties of Attack Trees

Uses and and or nodes

Simple normal form: trees of depth 1

Attributes can be attached to the leaves:then the attribute can be calculated for the root

Projection only works for some attributes(Projection = Restriction of an attribute)

8/23

Attack Trees

Properties of the existing model

Important properties of Attack Trees

Uses and and or nodes

Simple normal form: trees of depth 1

Attributes can be attached to the leaves:then the attribute can be calculated for the root

Projection only works for some attributes(Projection = Restriction of an attribute)

8/23

Attack Trees

Properties of the existing model

Important properties of Attack Trees

Uses and and or nodes

Simple normal form: trees of depth 1

Attributes can be attached to the leaves:then the attribute can be calculated for the root

Projection only works for some attributes(Projection = Restriction of an attribute)

8/23

Attack Trees

Properties of the existing model

Important properties of Attack Trees

Uses and and or nodes

Simple normal form: trees of depth 1

Attributes can be attached to the leaves:then the attribute can be calculated for the root

Projection only works for some attributes(Projection = Restriction of an attribute)

8/23

Attack Trees

Including a defense in the framework

Free food∨

Eat ’n’ run∧

Order meal Sneak out

Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack∧

Wait oncustomers

Steal part oftheir food

Sneak out

9/23

Attack Trees

Including a defense in the framework

Free food∨

Eat ’n’ run∧

Order meal Sneak out

Policeman

Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack∧

Wait oncustomers

Steal part oftheir food

Sneak out

Policeman

9/23

Attack Trees

Attack and Defense Trees

Consider the Defense Tree ’law enforcement’ instead of apoliceman.

Consider the Attack Tree ’Mafia’ attached to law enforcement.

and so on...

New framework: Attack Tree - Defense Tree - Attack Tree - ...

10/23

Attack Trees

Attack and Defense Trees

Consider the Defense Tree ’law enforcement’ instead of apoliceman.

Consider the Attack Tree ’Mafia’ attached to law enforcement.

and so on...

New framework: Attack Tree - Defense Tree - Attack Tree - ...

10/23

Attack Trees

Attack and Defense Trees

Consider the Defense Tree ’law enforcement’ instead of apoliceman.

Consider the Attack Tree ’Mafia’ attached to law enforcement.

and so on...

New framework: Attack Tree - Defense Tree - Attack Tree - ...

10/23

The new approach to include defenses

1 Intuition and overview of existing approaches to model attacks

2 Attack Trees

3 The new approach to include defenses

4 Future work

11/23

The new approach to include defenses

The general idea: two functions describing the nodes

Structure: rooted tree T = (V , E , r , τ, φ)(non-empty, finite, directed, connected, acyclic, rooted)Type: τ : V → {©,�,♦} Connector φ : V → {∨, ∧, ¬, −}

12/23

The new approach to include defenses

The general idea: two functions describing the nodes

Structure: rooted tree T = (V , E , r , τ, φ)(non-empty, finite, directed, connected, acyclic, rooted)Type: τ : V → {©,�,♦} Connector φ : V → {∨, ∧, ¬, −}

τ(v) ∈ {©,�} =⇒ τ(w) ∈ {τ(v),♦} (1)

τ(v) ∈ {©,�} and | Childrenv | > 1 ⇐⇒φ(v) ∈ {∨, ∧} (2)

τ(v) ∈ {©,�} and | Childrenv | ≤ 1 ⇐⇒φ(v) = − (3)

τ(v) = ♦ =⇒ τ(w) ∈ {f (v),♦} (4)

τ(v) = ♦ =⇒ | Childrenv | = 1 (5)

τ(v) = ♦ ⇐⇒φ(v) = ¬ (6)

v , w ∈ V and (v , w) ∈ E

12/23

The new approach to include defenses

The additional properties

∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

13/23

The new approach to include defenses

The additional properties

∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (1):τ(v) ∈ {©,�} =⇒ τ(w) ∈ {τ(v),♦}

13/23

The new approach to include defenses

The additional properties

∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (2):τ(v) ∈ {©,�} and | Childrenv | > 1⇐⇒φ(v) ∈ {∨, ∧}

13/23

The new approach to include defenses

The additional properties

∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (3):τ(v) ∈ {©,�} and | Childrenv | ≤ 1⇐⇒φ(v) = −

13/23

The new approach to include defenses

The additional properties

∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (4):τ(v) = ♦ =⇒ τ(w) ∈ {f (v),♦}

13/23

The new approach to include defenses

The additional properties

∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (5):τ(v) = ♦ =⇒ | Childrenv | = 1

13/23

The new approach to include defenses

The additional properties

∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (6):τ(v) = ♦ ⇐⇒ φ(v) = ¬

13/23

The new approach to include defenses

Semantics of the Adtrees

∨

−

¬

∧

D1 −

∧

D2 D3 ¬

A1

∧

A2 ∧

A3 A4 ¬

∨

D4 D5

∨

A5 A6

Semantics of the adtree:Unique variable associated to leaf

JvK =

v if v ∈ L(T ),∨

w∈Childrenv

JwK if φ(v) = ∨,

∧

w∈Childrenv

JwK if φ(v) = ∧,

JwK if φ(v) = − and

Childrenv = {w},

¬JwK if φ(v) = ¬ and

Childrenv = {w}.

14/23

The new approach to include defenses

Logical formulas associated to trees

∨

−

¬

∧

D1 −

∧

D2 D3 ¬

A1

∧

A2 ∧

A3 A4 ¬

∨

D4 D5

∨

A5 A6Propositional logic corresponding to thetree:

((¬(D1 ∧ ((D2 ∧ D3 ∧ (¬A1))))))∨(A2 ∧ (A3 ∧ A4 ∧ (¬(D4 ∨ D5)))∨(A5 ∨ A6)

15/23

The new approach to include defenses

Trees in normal form

∨

A1 A5 A6 ¬

D1

¬

D2

¬

D3

∧

A2 A3 A4 ¬

D4

¬

D5

Normal form:A1 ∨ A5 ∨ A6 ∨ ¬D1 ∨ ¬D2 ∨ ¬D3 ∨ (A2 ∧ A3 ∧ A4 ∧ ¬D4 ∧ ¬D5)

16/23

The new approach to include defenses

Exemplary transformation: Distributivity ∧ to ∨

∧

b

X1

. . .

k

b

Xk

∨

b

Y1

. . .

l

b

Yl

−→ ∨

∧

b

X1

. . .

k

b

Xk

b

Y1

. . .

l

∧

b

X1

. . .

k

b

Xk

b

Yl

With k ≥ 1 and l ≥ 2

17/23

The new approach to include defenses

Full set of transformation rules

• Distributivity (A ∨ B) ∧ C → (A ∧ C) ∨ (B ∧ C)• 1−level absorption (A ∧ B) ∨ A → A

• 2−level absorption as above• Double negation ¬¬A → A

• Empty refinement no formula• Associativity (∨ and ∧) (A ∨ B) ∨ C → A ∨ B ∨ C

• De Morgan (∨ and ∧) ¬(A ∨ B) → ¬A ∧ ¬B

• Idempotency (∨ and ∧) X ∨ X → X

18/23

The new approach to include defenses

Full set of transformation rules

• Distributivity (A ∨ B) ∧ C → (A ∧ C) ∨ (B ∧ C)• 1−level absorption (A ∧ B) ∨ A → A

• 2−level absorption as above• Double negation ¬¬A → A

• Empty refinement no formula• Associativity (∨ and ∧) (A ∨ B) ∨ C → A ∨ B ∨ C

• De Morgan (∨ and ∧) ¬(A ∨ B) → ¬A ∧ ¬B

• Idempotency (∨ and ∧) X ∨ X → X

18/23

The new approach to include defenses

Full set of transformation rules

• Distributivity (A ∨ B) ∧ C → (A ∧ C) ∨ (B ∧ C)• 1−level absorption (A ∧ B) ∨ A → A

• 2−level absorption as above• Double negation ¬¬A → A

• Empty refinement no formula• Associativity (∨ and ∧) (A ∨ B) ∨ C → A ∨ B ∨ C

• De Morgan (∨ and ∧) ¬(A ∨ B) → ¬A ∧ ¬B

• Idempotency (∨ and ∧) X ∨ X → X

18/23

The new approach to include defenses

Currently working on

Proving the uniqueness of the normal forms

Requires: • Strong termination (Patrick - almost finished)Applying rules indefinitely is not possible

• Local confluence (Barbara - finished)Order of applying the rules leads to same result

19/23

The new approach to include defenses

Currently working on

Proving the uniqueness of the normal forms

Requires: • Strong termination (Patrick - almost finished)Applying rules indefinitely is not possible

• Local confluence (Barbara - finished)Order of applying the rules leads to same result

19/23

The new approach to include defenses

Currently working on

Proving the uniqueness of the normal forms

Requires: • Strong termination (Patrick - almost finished)Applying rules indefinitely is not possible

• Local confluence (Barbara - finished)Order of applying the rules leads to same result

19/23

The new approach to include defenses

Termination function

Termination function:A function from the trees into a totally ordered set,s.t. the value before applying a transformation rule >

the value after applying a transformation rule.

20/23

The new approach to include defenses

Termination function

Termination function:A function from the trees into a totally ordered set,s.t. the value before applying a transformation rule >

the value after applying a transformation rule.

Whiteboard

20/23

Future work

1 Intuition and overview of existing approaches to model attacks

2 Attack Trees

3 The new approach to include defenses

4 Future work

21/23

Future work

Work on generalizing the framework

Introduce attributes to the leaves

Allow directed acyclic graphs

Consider temporal order of children

Check out the two existing software packages

. . .

22/23

Summary

1 Intuition and overview of existing approaches to model attacks

2 Attack Trees

3 The new approach to include defenses

4 Future work

23/23