on attack/defense trees - satoss.uni.lusatoss.uni.lu/seminars/srm/pdfs/patrick-srm.pdf · on...

On Attack/Defense Trees

Patrick SchweitzerSaToSS, Faculty of Sciences, Communication and Technology

University of Luxembourg

November 17th 2009

1/23

Outline

1 Intuition and overview of existing approaches to model attacks

2 Attack Trees

3 The new approach to include defenses

4 Future work

2/23

Intuition and overview

Intuition

Get money(illegally)

Get moneyfrom a bank

Rob a

bank

Steal from

ATM

S2

S2

S2

Hack into

computer

system

Rob a storeEnter with

a gun2 3.1

4.14.2

4.3

3.2

3.33.4

Enter

disguised

Enter

at night2

Go toloan shark

3/23


Guide to modeling attacks

Intuitive start: A mindmap (a special graph)

Problem: Complexity

Solution: Computer support (requires formalism)

Literature: Several approaches

4/23


Different approaches to modeling attacks

Attack TreesEssentially all information is contained in the leaves.

Attack Graphs or Attack NetsFinite automata that fulfill security properties;separation of data and processes

Security Pattern DescriptionsDocuments that describe in words the possible attacks on asystem. They are very long exactly like this text which shouldnever have been on the slide because nobody that listens tothe talk reads that much text.

. . .

5/23

Attack Trees


2 Attack Trees


4 Future work

6/23

Attack Trees

Attack Trees - the concept

Attack: How to get free food?

7/23

Attack Trees



Free food

7/23

Attack Trees



Free food∨

Eat ’n’ runPretendto work

at restaurant

7/23

Attack Trees



Free food∨

Eat ’n’ run∧

Order meal Sneak out

Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack

7/23

Attack Trees



Free food∨

Eat ’n’ run∧


Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack∧

Wait oncustomers

Steal part oftheir food

Sneak out

7/23

Attack Trees



Free food∨

Eat ’n’ run∧


Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack∧

Wait oncustomers


Sneak out

Essentially a set of multisets,e.g.:

{{{Order meal, sneak out}},

{{Ask Chef to prepare}},

{{Wait on customers,

steal part of their food,

sneak out}}}

7/23

Attack Trees

Properties of the existing model

Important properties of Attack Trees

Uses and and or nodes

Simple normal form: trees of depth 1

Attributes can be attached to the leaves:then the attribute can be calculated for the root

Projection only works for some attributes(Projection = Restriction of an attribute)

8/23

Attack Trees

Including a defense in the framework

Free food∨

Eat ’n’ run∧


Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack∧

Wait oncustomers


Sneak out

9/23

Attack Trees

Including a defense in the framework

Free food∨

Eat ’n’ run∧


Policeman

Pretendto work

at restaurant∨

Ask Chefto prepare

Salamiattack∧

Wait oncustomers


Sneak out

Policeman

9/23

Attack Trees

Attack and Defense Trees

Consider the Defense Tree ’law enforcement’ instead of apoliceman.

Consider the Attack Tree ’Mafia’ attached to law enforcement.

and so on...

New framework: Attack Tree - Defense Tree - Attack Tree - ...

10/23

The new approach to include defenses


2 Attack Trees


4 Future work

11/23


The general idea: two functions describing the nodes

Structure: rooted tree T = (V , E , r , τ, φ)(non-empty, finite, directed, connected, acyclic, rooted)Type: τ : V → {©,�,♦} Connector φ : V → {∨, ∧, ¬, −}

12/23


The general idea: two functions describing the nodes

Structure: rooted tree T = (V , E , r , τ, φ)(non-empty, finite, directed, connected, acyclic, rooted)Type: τ : V → {©,�,♦} Connector φ : V → {∨, ∧, ¬, −}

τ(v) ∈ {©,�} =⇒ τ(w) ∈ {τ(v),♦} (1)

τ(v) ∈ {©,�} and | Childrenv | > 1 ⇐⇒φ(v) ∈ {∨, ∧} (2)

τ(v) ∈ {©,�} and | Childrenv | ≤ 1 ⇐⇒φ(v) = − (3)

τ(v) = ♦ =⇒ τ(w) ∈ {f (v),♦} (4)

τ(v) = ♦ =⇒ | Childrenv | = 1 (5)

τ(v) = ♦ ⇐⇒φ(v) = ¬ (6)

v , w ∈ V and (v , w) ∈ E

12/23


The additional properties

∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

13/23



∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (1):τ(v) ∈ {©,�} =⇒ τ(w) ∈ {τ(v),♦}

13/23



∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (2):τ(v) ∈ {©,�} and | Childrenv | > 1⇐⇒φ(v) ∈ {∨, ∧}

13/23



∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (3):τ(v) ∈ {©,�} and | Childrenv | ≤ 1⇐⇒φ(v) = −

13/23



∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (4):τ(v) = ♦ =⇒ τ(w) ∈ {f (v),♦}

13/23



∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (5):τ(v) = ♦ =⇒ | Childrenv | = 1

13/23



∨

−

¬

∧

− −

∧

− − ¬

−

∧

− ∧

− − ¬

∨

− −

∨

− −

Property (6):τ(v) = ♦ ⇐⇒ φ(v) = ¬

13/23


Semantics of the Adtrees

∨

−

¬

∧

D1 −

∧

D2 D3 ¬

A1

∧

A2 ∧

A3 A4 ¬

∨

D4 D5

∨

A5 A6

Semantics of the adtree:Unique variable associated to leaf

JvK =

v if v ∈ L(T ),∨

w∈Childrenv

JwK if φ(v) = ∨,

∧

w∈Childrenv

JwK if φ(v) = ∧,

JwK if φ(v) = − and

Childrenv = {w},

¬JwK if φ(v) = ¬ and

Childrenv = {w}.

14/23


Logical formulas associated to trees

∨

−

¬

∧

D1 −

∧

D2 D3 ¬

A1

∧

A2 ∧

A3 A4 ¬

∨

D4 D5

∨

A5 A6Propositional logic corresponding to thetree:

((¬(D1 ∧ ((D2 ∧ D3 ∧ (¬A1))))))∨(A2 ∧ (A3 ∧ A4 ∧ (¬(D4 ∨ D5)))∨(A5 ∨ A6)

15/23


Trees in normal form

∨

A1 A5 A6 ¬

D1

¬

D2

¬

D3

∧

A2 A3 A4 ¬

D4

¬

D5

Normal form:A1 ∨ A5 ∨ A6 ∨ ¬D1 ∨ ¬D2 ∨ ¬D3 ∨ (A2 ∧ A3 ∧ A4 ∧ ¬D4 ∧ ¬D5)

16/23


Exemplary transformation: Distributivity ∧ to ∨

∧

b

X1

. . .

k

b

Xk

∨

b

Y1

. . .

l

b

Yl

−→ ∨

∧

b

X1

. . .

k

b

Xk

b

Y1

. . .

l

∧

b

X1

. . .

k

b

Xk

b

Yl

With k ≥ 1 and l ≥ 2

17/23


Full set of transformation rules

• Distributivity (A ∨ B) ∧ C → (A ∧ C) ∨ (B ∧ C)• 1−level absorption (A ∧ B) ∨ A → A

• 2−level absorption as above• Double negation ¬¬A → A

• Empty refinement no formula• Associativity (∨ and ∧) (A ∨ B) ∨ C → A ∨ B ∨ C

• De Morgan (∨ and ∧) ¬(A ∨ B) → ¬A ∧ ¬B

• Idempotency (∨ and ∧) X ∨ X → X

18/23


Currently working on

Proving the uniqueness of the normal forms

Requires: • Strong termination (Patrick - almost finished)Applying rules indefinitely is not possible

• Local confluence (Barbara - finished)Order of applying the rules leads to same result

19/23


Termination function

Termination function:A function from the trees into a totally ordered set,s.t. the value before applying a transformation rule >

the value after applying a transformation rule.

20/23


Termination function

Termination function:A function from the trees into a totally ordered set,s.t. the value before applying a transformation rule >

the value after applying a transformation rule.

Whiteboard

20/23

Future work


2 Attack Trees


4 Future work

21/23

Future work

Work on generalizing the framework

Introduce attributes to the leaves

Allow directed acyclic graphs

Consider temporal order of children

Check out the two existing software packages

. . .

22/23

Summary


2 Attack Trees


4 Future work

23/23