SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2011; 3:1–15 DOI: 10.1002/sec
RESEARCH ARTICLE
ACT: Towards unifying the constructs of attack and defense trees

Arpan Roy, Dong Seong Kim and Kishor S. Trivedi, Department of Electrical & Computer Engineering, Duke University, Durham, NC 27708, USA.

ABSTRACT

Attack tree (AT) is one of the widely used non-state-space models for security analysis. The basic formalism of AT does not take into account defense mechanisms. Defense trees (DTs) have been developed to investigate the effect of defense mechanisms using measures such as attack cost, security investment cost, return on attack (ROA) and return on investment (ROI). DT, however, places defense mechanisms only at the leaf nodes and the corresponding ROI/ROA analysis does not incorporate the probabilities of attack. In attack response tree (ART), attack and response are both captured but ART suffers from the problem of state-space explosion, since solution of ART is obtained by means of a state-space model. In this paper, we present a novel attack tree paradigm called attack countermeasure tree (ACT) which avoids the generation and solution of a state-space model and takes into account attacks as well as countermeasures (in the form of detection and mitigation events). In ACT, detection and mitigation are allowed not just at the leaf node but also at the intermediate nodes while at the same time the state-space explosion problem is avoided in its analysis. We study the consequences of incorporating countermeasures in the ACT using three case studies (ACT for BGP attack, ACT for a SCADA attack and ACT for malicious insider attacks).

Copyright © 2011 John Wiley & Sons, Ltd.

KEYWORDS

attack trees, non-state-space model, mincuts, return on attack, return on investment.

Correspondence

Dr. Kishor S. Trivedi, Department of Electrical and Computer Engineering, Duke University, Durham, NC 27708, U.S.A.
1. INTRODUCTION

The first step towards security modeling involves designing a scalable model [1, 2] that helps quantify security [3] in terms of key attributes such as the loss caused by attacks [4, 5] or the gain accrued from enforcing a security countermeasure [6]. This will aid not only in probabilistic risk analysis (PRA) of a system but also in the development of a scheme as to where in the system security investment should be prioritized. The simplest model type in this context is the attack tree (AT) [7, 2]. However, the basic formalism of AT does not include defense mechanisms. Defense trees (DTs) [8, 9] incorporate defense mechanisms in AT. However, DTs place defense mechanisms only at the leaf nodes. Return on Investment (ROI) and Return on Attack (ROA) analysis using DT does not incorporate probabilities of attack. In attack response trees (ARTs) [10], both attacks and responses are captured at any node but ARTs suffer from the state-space explosion problem (or the largeness problem) due to the use of a partially observable Markov decision process (POMDP) [11] as a solution technique. In this paper, we present a novel attack tree model called attack countermeasure tree (ACT). Our contributions are summarized as follows. In ACT,

• defense mechanisms can be placed at any node of the tree, not just at the leaf nodes,
• generation and analysis of attack scenarios and attack-countermeasure scenarios is automated using mincuts,
• probabilistic analysis (using measures such as attack and security investment cost, Birnbaum importance measure, system risk, impact of an attack, ROI and ROA) is performed in an integrated manner (as shown in Figure 1),
• attack events and countermeasures are prioritized using structural and Birnbaum importance measures and
• the consequences of incorporating countermeasures in the ACT are demonstrated using three case studies (ACT for BGP attack, ACT for a SCADA attack and ACT for malicious insider attacks) [10].

[Figure 1. Analysis using ACT. ACT analysis comprises qualitative analysis (mincuts, structural importance) and probabilistic analysis (probability of attacks, Birnbaum importance, cost, impact, risk, ROI and ROA).]

We have implemented an ACT module in the SHARPE (Symbolic Hierarchical Automated Reliability and Performance Evaluator) [12, 13] software package. This is not well known to do the tasks we were doing over the

The remainder of this paper is organized as follows. Related work is presented in Section 2. Some basic terminology is defined in Section 3.1. The basic model for ACT is presented in Section 3.2. Section 3.3 describes qualitative and probabilistic analysis using ACT. Implementation of the ACT module in SHARPE is presented in Section 4. In Section 5, we demonstrate the utility of ACT by analyzing case studies (BGP attack [14], SCADA attack [15] and malicious insider attack [16]). Finally, we conclude the paper in Section 6.
2. RELATED WORK

Weiss’s threat logic trees [17] and Amoroso’s threat trees [18] mark the beginning of the use of decision trees for characterizing attacks. Schneier developed the basic attack tree (AT) formalism [2] in which PGP AT was used to illustrate the applications of AT. Moore et al. [7] extended Schneier’s AT by introducing attack scenarios and attack profiles. Mauw et al. [19] developed an alternative formalism for AT where the goal was associated with the set of all mincuts. When applied to complex case studies, AT often became large and unwieldy. Therefore Daley [20] proposed a layered approach to partition attack tree nodes with respect to their functionality. Since attacks and faults both lead to system failure, Fovino et al. [21] integrated attacks into the fault tree structure by developing a graph theoretical model called extended fault tree (EFT) [21]. However, these ATs do not take into account defense mechanisms. To incorporate defense mechanisms in AT, Bistarelli et al. [8] used defense trees (DTs) and applied game theory to find the most cost effective set of countermeasures. Edge et al. [22] proposed protection trees (PTs) which only concentrate on defense mechanisms regardless of attacks. Zonouz et al. [10] proposed attack-response trees (ARTs) that incorporate both attacks and responses but use a state-space model (partially observable stochastic game model) to find an optimal set of countermeasures. Thus, their model suffers from state-space explosion. We propose ACT which provides a simple yet compact approach for security analysis, harnessing the benefits of the aforementioned models while at the same time avoiding the state-space explosion problem.
3. ATTACK COUNTERMEASURE TREES

3.1. Preliminaries

$A_k$: an attack event
$D_k$: a detection event
$M_k$: a mitigation event
$CM_k$: a countermeasure
$ACT = \{V, \psi, E\}$ ($V$: set of all vertices in ACT, $\psi$: set of all gates in ACT, $E$: set of all edges in ACT), where
  $V = \{\forall k,\ v_k : v_k \in \{A_j\} \,\|\, v_k \in \{D_i\} \,\|\, v_k \in \{M_l\}\}$, where $A_1, A_2, \ldots, D_1, D_2, \ldots, M_1, M_2, \ldots$ are the events of the ACT,
  $\psi = \{\forall k,\ \psi_k : \psi_k \in \{\text{AND}, \text{OR}, k\text{-of-}n \text{ gate}\}\}$,
  $E = \{\forall k,\ e_k : e_k \in (v_i, \psi_j) \,\|\, e_k \in (\psi_i, \psi_j)\}$ and
  $X = (x_{A_1} x_{A_2} \ldots x_{D_1} x_{D_2} \ldots x_{M_1} x_{M_2} \ldots)$ is a state vector for the ACT, where $x_{A_k}$, $x_{D_k}$, $x_{M_k}$ are the boolean variables associated with events $A_k$, $D_k$, $M_k$ respectively.
$\Phi(X)$: structure function of an ACT
$p_{A_k}$: probability of occurrence of attack event $A_k$
$p_{D_k}$: probability of success of detection event $D_k$
$p_{M_k}$: probability of success of mitigation event $M_k$
$P_{goal}$: probability of attack success at the ACT goal
$p_{UD}$: probability of undetected attack at the ACT goal
$p_{DUM}$: probability of detected but unmitigated attack at the ACT goal
$I^{ST}_{A_k}$: structural importance measure of attack event $A_k$
$I^{B}_{A_k}$: Birnbaum importance measure of attack event $A_k$
$i_{A_k}$: impact of attack event $A_k$
$I_{goal}$: impact at the goal node of ACT
$c_{A_k}$: cost of attack event $A_k$
$C_{attacker}$: attack cost at the goal node of ACT
$c_{CM_k}$: security investment cost of countermeasure $CM_k$
3.2. Formalism of ACT

In this subsection the basic formalism of ACT is presented. In ACT, there are three distinct classes of events: attack events (e.g., install keystroke logger), detection events (e.g., detect keystroke logger) and mitigation events (e.g., remove keystroke logger). Figure 2(a) shows a simple ACT with a single attack event. The corresponding expression for the probability of a successful attack at the goal node is shown in Eq. (1).

$$P_{goal} = p_A \tag{1}$$

In Figure 2(b), one attack event and one detection mechanism are used. The corresponding expression for probability of a successful undetected attack is:

$$P_{goal} = p_A (1 - p_D) \tag{2}$$

[Figure 2. (a) ACT with one attack event, (b) ACT with one attack and one detection event, (c) ACT with one attack and multiple detection events, (d) ACT with one attack, one detection and one mitigation event, (e) ACT with one attack, multiple detection and one mitigation event, (f) ACT with one attack, one detection and multiple mitigation events, (g) ACT with one attack, m detection and n mitigation events and (h) ACT with one attack and multiple pairs of detection and mitigation events. Legend: attack event, detection event, mitigation event.]
Figure 2(c) is an extension of Figure 2(b) where n detection mechanisms are being used to detect one attack event. The corresponding $P_{goal}$ is:

$$P_{goal} = p_A (1 - p_{D_1})(1 - p_{D_2}) \cdots (1 - p_{D_n}) \tag{3}$$

In ACT with only detections, mitigations are assumed to be perfect, i.e., they mitigate with probability one (or $p_M = 1$). However if mitigations are imperfect (i.e., $0 \le p_M < 1$), mitigation techniques may be used in ACT in addition to detection mechanisms. Figure 2(d) shows an ACT with one attack event, one detection event and one mitigation event. Eq. (4) is the corresponding expression for the probability that attack was successful, i.e., either attack was undetected or attack was detected but unmitigated (D representing a detection event and M representing a mitigation event).

$$P_{goal} = p_A (1 - p_D + p_D (1 - p_M)) = p_A (1 - p_D \times p_M) \tag{4}$$

Indeed, this probability can be split into two parts if desired: the probability of undetected attack, $p_{UD} = p_A (1 - p_D)$, and the probability of a detected but unmitigated attack, $p_{DUM} = p_A\, p_D (1 - p_M)$.

Figure 2(e) shows an ACT with one attack event, n detection events and one mitigation event and the corresponding equation for the probability of successful attack is in Eq. (5). For the ACT in Figure 2(e), the corresponding probability that attack is undetected is $p_{UD} = p_A \prod_{i=1}^{n} (1 - p_{D_i})$ and the corresponding probability that attack is detected but unmitigated is $p_{DUM} = p_A \left(1 - \prod_{i=1}^{n} (1 - p_{D_i})\right) \times (1 - p_M)$.

$$P_{goal} = p_A \left(1 - \left(1 - \prod_{i=1}^{n} (1 - p_{D_i})\right) \times p_M\right) \tag{5}$$

Figure 2(f) shows an ACT with one attack event, one detection event and n mitigation events. Eq. (6) gives the corresponding probability of successful attack. For the ACT in Figure 2(f), the corresponding probability that attack is undetected is $p_{UD} = p_A (1 - p_D)$ and the corresponding probability that attack is detected but unmitigated is $p_{DUM} = p_A\, p_D \prod_{i=1}^{n} (1 - p_{M_i})$.

$$P_{goal} = p_A \left(1 - p_D \times \left(1 - \prod_{i=1}^{n} (1 - p_{M_i})\right)\right) \tag{6}$$

Figure 2(g) shows an ACT with one attack event, m detection events and n mitigation events. Eq. (7) gives the corresponding probability of successful attack.

$$P_{goal} = p_A \left(1 - \left(1 - \prod_{i=1}^{m} (1 - p_{D_i})\right) \times \left(1 - \prod_{i=1}^{n} (1 - p_{M_i})\right)\right) \tag{7}$$

Figure 2(h) shows an ACT with one attack event and n pairs of detection and mitigation events. The nature of mitigation triggered depends on the nature of intrusion detected. Eq. (8) shows the corresponding expression for $P_{goal}$. The corresponding probability that attack is undetected is $p_{UD} = p_A \prod_{i=1}^{n} (1 - p_{D_i})$ and the corresponding probability that attack is detected but unmitigated is $p_{DUM} = p_A \prod_{i=1}^{n} (1 - p_{D_i} \times p_{M_i}) - p_A \prod_{i=1}^{n} (1 - p_{D_i})$.

$$P_{goal} = p_A \prod_{i=1}^{n} (1 - p_{D_i} + p_{D_i} (1 - p_{M_i})) = p_A \prod_{i=1}^{n} (1 - p_{D_i} \times p_{M_i}) \tag{8}$$

Table I. Formulae for probability of attack success

| Gate type | Prob. of attack success |
|---|---|
| AND gate | $\prod_{i=1}^{n} p(i)$ |
| OR gate | $1 - \prod_{i=1}^{n} (1 - p(i))$ |
| k/n gate∗ | $\sum_{j=k}^{n} \binom{n}{j} p^{j} (1 - p)^{n-j}$ |

∗ for identical inputs
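The closed forms of Eqs. (7) and (8) can be checked against a brute-force enumeration of every detection/mitigation outcome. The following Python sketch is an added example, not code from the paper or from SHARPE; the probability values are constructed, and the split of Eq. (7) into $p_{UD}$ and $p_{DUM}$ extends the splits the text gives for Figures 2(e) and 2(f).

```python
from itertools import product
from math import prod


def pgoal_pooled(p_a, p_d, p_m):
    """Fig. 2(g) / Eq. (7): any of m detections can trigger any of n mitigations.

    Returns (p_UD, p_DUM, P_goal).
    """
    detected = 1 - prod(1 - d for d in p_d)    # at least one detection succeeds
    mitigated = 1 - prod(1 - m for m in p_m)   # at least one mitigation succeeds
    p_ud = p_a * (1 - detected)
    p_dum = p_a * detected * (1 - mitigated)
    return p_ud, p_dum, p_ud + p_dum           # sum equals p_a * (1 - detected * mitigated)


def pgoal_paired(p_a, pairs):
    """Fig. 2(h) / Eq. (8): detection D_i triggers only its own mitigation M_i.

    `pairs` is a list of (p_Di, p_Mi). Returns (p_UD, p_DUM, P_goal).
    """
    p_goal = p_a * prod(1 - d * m for d, m in pairs)
    p_ud = p_a * prod(1 - d for d, _ in pairs)
    return p_ud, p_goal - p_ud, p_goal


def pgoal_enumerated(p_a, p_d, p_m, stopped):
    """Sum the probability of every outcome in which the attack is not stopped.

    `stopped(d, m)` receives tuples of booleans (which detections and
    mitigations succeeded) and says whether the countermeasure worked.
    """
    probs = list(p_d) + list(p_m)
    total = 0.0
    for outcome in product((False, True), repeat=len(probs)):
        weight = prod(p if hit else 1 - p for p, hit in zip(probs, outcome))
        d, m = outcome[:len(p_d)], outcome[len(p_d):]
        if not stopped(d, m):
            total += weight
    return p_a * total


def pooled_stop(d, m):
    # Fig. 2(g): OR over detections AND OR over mitigations
    return any(d) and any(m)


def paired_stop(d, m):
    # Fig. 2(h): some pair (D_i, M_i) must both succeed
    return any(di and mi for di, mi in zip(d, m))


# Constructed sample values (not taken from the paper's tables)
P_A, P_D, P_M = 0.4, [0.7, 0.5], [0.6, 0.9]


def compare():
    """Closed form vs. enumeration for both arrangements of the same events."""
    pooled = pgoal_pooled(P_A, P_D, P_M)
    paired = pgoal_paired(P_A, list(zip(P_D, P_M)))
    return {
        "pooled": pooled,
        "pooled_check": pgoal_enumerated(P_A, P_D, P_M, pooled_stop),
        "paired": paired,
        "paired_check": pgoal_enumerated(P_A, P_D, P_M, paired_stop),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

With the same four events, the pooled arrangement of Figure 2(g) leaves a lower $P_{goal}$ than the paired arrangement of Figure 2(h), because any detection can trigger any mitigation; $p_{UD}$ is identical in both.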
Besides AND and OR gates, ACT also allows for k-out-of-n gates (with identical or non-identical inputs). Table I enumerates formulae for output probability for AND, OR gates and k-of-n gates in an ACT.

3.3. Security Analysis using ACT

In this section we present qualitative analysis and quantitative analysis using ACT.

3.3.1. Qualitative Analysis

Qualitative analysis using ACT provides us with mincuts and structural importance measures.

Mincut Analysis. In both AT and ACT, the top event is associated with the set of all mincuts. Mincuts of AT represent attack scenarios [23] whereas those of an ACT represent attack-countermeasure scenarios. We show an example AT for BGP attack [14] (“resetting a BGP session” shown in Figure 3) and its corresponding ACT with countermeasures [24] (as depicted in Figure 4). Among others, countermeasures used include traceroute [25] as one of the detection mechanisms for spoofed TCP reset messages and sequence number randomization [24] as the corresponding mitigation technique. The top (or goal) event in the ACT can also be expressed as a boolean function ($\Phi(X)$) of the leaf node events. In Eq. (9), $\Phi(X)$, the complementary boolean structure function for the AT in Figure 3, is given, where $X$ is a state vector of the ACT and $x_{A_i}$ is a boolean variable such that $x_{A_i} = 1$ when event $A_i$ occurs, else $x_{A_i} = 0$. Mincuts for the AT in Figure 3 are: $\{(A_{111}, A_{12}), (A_{1121}, A_{12}), (A_{1122}, A_{12}), (A_{1123}, A_{12}), (A_2)\}$.

$$\Phi(X) = x_{A_{111}} x_{A_{12}} + x_{A_{1121}} x_{A_{12}} + x_{A_{1122}} x_{A_{12}} + x_{A_{1123}} x_{A_{12}} + x_{A_2} \tag{9}$$

[Figure 3. A simple attack tree for resetting the BGP session. Nodes: G: Reset a single BGP session (impact = unavailability); A1: Send message to router causing reset; A2: Alter configuration via compromised router; A12: TCP sequence number attack; A111: Send RST message to TCP stack; A112: Send BGP message; A1121: Notify; A1122: Open; A1123: Keep Alive.]

[Figure 4. A simple ACT for resetting a BGP session. Attack nodes as in Figure 3, with countermeasure nodes D1: Traceroute check; M1: Randomize Seq. Num.; D12: TCP sequence number check; M12: MD5 authentication; D2: Router firewall alert; M2: Secure router. Legend: attack event, detection event, mitigation event.]

The mincuts (attack countermeasure scenarios) of the ACT in Figure 4 are $\{(A_{111}, CM_1, A_{12}, CM_{12}), (A_{1121}, CM_1, A_{12}, CM_{12}), (A_{1122}, CM_1, A_{12}, CM_{12}), (A_{1123}, CM_1, A_{12}, CM_{12}), (A_2, CM_2)\}$ (where $CM_1 = (D_1 M_1)$, $CM_{12} = (D_{12} M_{12})$, $CM_2 = (D_2 M_2)$). Each of the 5 mincuts represents a combination of events each of which on occurring will result in attack success at the goal. For instance the mincut $(A_{1122}, CM_1, A_{12}, CM_{12})$ indicates that if both the attack events $A_{1122}$ and $A_{12}$ were to occur and if both the countermeasures $CM_1$ and $CM_{12}$ fail, attack will succeed. From the mincut $(A_{1122}, CM_1, A_{12}, CM_{12})$, we also observe that the pair of attack events $(A_{1122}, A_{12})$ is covered by either of the countermeasures $CM_1$ or $CM_{12}$. We use mincuts in Section 3.3.2 to develop an approach for the cost and the impact analysis in ACT. In future work, mincuts will also be used to find the optimal countermeasure set for an ACT.

Table II. Formulae for attack cost and attack impact

| Gate type | Attack cost | Impact |
|---|---|---|
| AND gate | $\sum_{i=1}^{n} c_{A_i}$ | $\sum_{i=1}^{n} i_{A_i}$ |
| OR gate | $\min_{i=1}^{n} c_{A_i}$ | $\max_{i=1}^{n} i_{A_i}$ |
| k-of-n gate (a) | $\sum_{i=1}^{k} c_{A_i}$ | $\sum_{i=1}^{k} i_{A_i}$ |

(a) For k-of-n gate, it is assumed that $(c_{A_1}, c_{A_2}, \ldots, c_{A_n})$ are sorted in the ascending order of their cost values and $(i_{A_1}, i_{A_2}, \ldots, i_{A_n})$ are sorted in the descending order of their impact values.

Structural Importance Measure Analysis. It is important to determine the most critical event in ACT. Towards this objective, structural importance measure [26] can be used. The concept of ordering system components based on structural importance was first introduced by Boland et al. [27]. Structural importance measure [28] is used when ACT has equiprobable events, i.e., we are provided with only the ACT but probability of attack (for attack events) and detection/mitigation (for detection/mitigation events) are unknown. Given an ACT, its boolean structure function ($\Phi(X)$) can be built. $\Phi(X) = 1$ when the attack succeeds whereas $\Phi(X) = 0$ when attack fails. Two state vectors are considered:

$X = (x_{A_1} x_{A_2} \ldots x_{A_{k-1}}\, x_{A_k}\, x_{A_{k+1}} \ldots x_{A_n})$
$X' = (x_{A_1} x_{A_2} \ldots x_{A_{k-1}}\, \overline{x_{A_k}}\, x_{A_{k+1}} \ldots x_{A_n})$

The structural importance measure of an attack event ($A_k$) in an ACT is defined to be the normalized count of state vectors where the component is relevant for the boolean structure function. The corresponding expression for $I^{ST}_{A_k}$ is shown in Eq. (10).

$$I^{ST}_{A_k} = \frac{\sum_{X} \left(\Phi(X)_{A_k} - \Phi(X')_{A_k}\right)}{2^n} \tag{10}$$

An attack event ($A_k$) is said to be relevant for a particular state vector $X$ when flipping the boolean value associated with attack event $A_k$ flips the value of $\Phi(X)$ from 1 to 0. In other words, $A_k$ is relevant to state vector $X$ if $\Phi(X)_{A_k} - \Phi(X')_{A_k} = 1$. Once the most critical event in the system is determined, it can be patched or the appropriate detection and mitigation for the component can be enforced.
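The mincut and structural importance analysis described above can be reproduced with a short script. This Python sketch is an added example, not the paper's SHARPE implementation; the nested-tuple tree encoding is an assumption made here, the Figure 5 tree is read as AND(OR(A1, A3), OR(A2, A3)) (consistent with the mincuts the paper lists for it), and Eq. (10) is implemented as the count of state vectors in which flipping $x_{A_k}$ from 1 to 0 flips $\Phi$ from 1 to 0, divided by $2^n$.

```python
from fractions import Fraction
from itertools import product

# Trees as nested tuples (gate, child, ...); a leaf is the event name (a string).
# Figure 3, BGP attack tree (matches the structure function of Eq. (9)):
BGP_AT = ("OR",
          ("AND", ("OR", "A111", ("OR", "A1121", "A1122", "A1123")), "A12"),
          "A2")
# Figure 5, attack tree with repeated event A3 (assumed reading, see lead-in):
FIG5 = ("AND", ("OR", "A1", "A3"), ("OR", "A2", "A3"))


def leaves(node):
    """Set of leaf event names under a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(leaves(child) for child in node[1:]))


def cut_sets(node):
    """All cut sets of a node: OR takes the union, AND the cross product."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    parts = [cut_sets(child) for child in children]
    if gate == "OR":
        return set().union(*parts)
    combined = {frozenset()}
    for part in parts:
        combined = {a | b for a in combined for b in part}
    return combined


def mincuts(tree):
    """Cut sets with every proper superset of another cut set removed."""
    sets = cut_sets(tree)
    return {s for s in sets if not any(other < s for other in sets)}


def phi(node, state):
    """Boolean structure function: True when the attack succeeds."""
    if isinstance(node, str):
        return state[node]
    gate, *children = node
    results = [phi(child, state) for child in children]
    return all(results) if gate == "AND" else any(results)


def structural_importance(tree):
    """Per-event count of state vectors where the event is relevant, over 2^n."""
    names = sorted(leaves(tree))
    relevant = dict.fromkeys(names, 0)
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if not phi(tree, state):
            continue
        for k in names:
            # relevant: x_k = 1 and flipping it to 0 makes the attack fail
            if state[k] and not phi(tree, {**state, k: False}):
                relevant[k] += 1
    return {k: Fraction(c, 2 ** len(names)) for k, c in relevant.items()}


if __name__ == "__main__":
    print(sorted(sorted(m) for m in mincuts(BGP_AT)))
    print(sorted(sorted(m) for m in mincuts(FIG5)))
    for event, value in structural_importance(BGP_AT).items():
        print(event, value)
```

On the Figure 5 tree the superset-removal step matters: the cut sets (A1, A3) and (A2, A3) are absorbed by the single-event cut (A3).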
3.3.2. Probabilistic Analysis

The computation of probability of a successful attack in an ACT was discussed in Section 3.2. For ACT, the probability of a successful attack can be computed which can be further split into the probability that the attack is undetected and the probability that the attack is detected but unmitigated. When provided with values for parameters such as probabilities of attacks, cost etc., probabilistic (or quantitative) analysis can be performed using ACTs. Quantitative analysis using ACT can be viewed from two distinct viewpoints: attacker’s viewpoint and defender’s (or security analyst’s) viewpoint. The measures such as attack cost and ROA reflect the attacker’s perspective whereas the metrics such as security investment cost, risk, impact and ROI represent the defender’s perspective.

Cost Computation. In ACT, cost may be of two types: cost of attack and security investment cost. Cost of attack in ACT ($C_{attacker}$) with no repeated events is computed using the expressions in Table II [29]. In ACT, the cost of attack is the sum of the costs of the input events for an AND gate whereas it is the minimum of the cost of the input events for an OR gate. The cost of attack for a k-of-n gate is the sum of the cost of k lowest cost input events to the gate. For an ACT containing one or more repeated events (as shown in Figure 5), we use a simple procedure to compute the attack cost. SHARPE [13] can be used to generate the mincuts of the ACT. Attack cost for the mincut can be given by the sum of the attack costs of each attack event in the mincut. Attack cost of the mincut with lowest cost is selected to be the cost of attack for the ACT. In case of Figure 5, the ACT mincuts are $\{(A_1, A_2), A_3\}$ and hence the corresponding $C_{attacker} = \min\{c_{A_1} + c_{A_2}, c_{A_3}\}$.

[Figure 5. Attack tree with repeated events. Legend: repeated event, non-repeat event.]

In case of an OR gate, we take a “panic approach” in calculating the $C_{attacker}$ at the output, meaning that out of different input events of an OR gate, we choose the minimum value of attack cost to be propagated. We do so because an attacker’s capabilities and preferences cannot be known in advance and the attacker is assumed to take the best way out (i.e., the minimum cost attack). For the same reason, we select the minimum cost mincut while computing $C_{attacker}$ for an ACT with repeat events. Security investment cost for ACT is computed by summing the security investment cost of countermeasures present in the ACT. Also using ACT, the set of feasible attack scenarios can be built subject to attacker’s resource constraint (e.g., attack cost). This is called ‘capability based pruning’ of AT in the SecurITree [30] AT analysis tool. If the total attack cost is provided as the attacker’s resource constraint, a subset of mincuts (or a subset of attack scenarios) can be determined which the attacker can successfully exploit subject to his resource (cost) constraint.

[Figure 6. Change in (a) structural importance measure, (b) corresponding change in $P_{goal}$, (c) change in Birnbaum importance measure and (d) corresponding change in $P_{goal}$ for BGP ACT due to implementation of countermeasures.]
Impact Computation. Instead of pursuing a scaled approach for impact computation (for instance, normalized in a scale from 1-10 in [22]), in ACT, we use the exact value of impact [31] associated with every attack event. Even though countermeasures do not affect impact value directly, countermeasures do result in reducing risk which is the expected value of impact. Impact computation for different gates in ACT with no repeated events is summarized in Table II. If repeated events are present in the ACT, we follow a procedure similar to that used in cost computation. We first find the mincuts of the ACT. Impact of a mincut is the sum of the impact values of the attack events in the mincut. Impact of the mincut with highest impact value is selected to be the impact of the ACT. For instance, in case of the ACT in Figure 5(a), since the mincuts are $\{(A_1, A_2), A_3\}$, $I_{goal} = \max\{i_{A_1} + i_{A_2}, i_{A_3}\}$. In case of an OR gate, we again assume the worst case scenario in calculating $I_{goal}$ at the output, meaning that out of different input events of an OR gate, we choose the maximum value of impact to be propagated. We do so because an attacker’s capabilities and preferences cannot be known in advance and the security analyst has to be prepared for worst possible consequence (i.e., the maximum impact attack). For the same reason, we select the maximum impact mincut while computing $I_{goal}$ of an ACT with repeat events.

[Figure 7. ACT for SCADA system. Legend: attack event, mitigation event.]

Birnbaum Importance Measure. When probabilities of attack/defense are known for ACT nodes, Birnbaum importance measure [32] (also termed ‘reliability importance measure’ for fault trees) is used to prioritize defense mechanisms to counteract attack events. The Birnbaum importance measure of an attack event represents the change in the probability of attack at the goal caused by small change in the probability of attack of the ACT node at $A_k$. The Birnbaum importance measure of an attack event $A_k$ is defined as:

$$I^{B}_{A_k} = \frac{\partial P_{goal}}{\partial p_{A_k}} \tag{11}$$

SHARPE can be used to compute $I^{B}_{A_k}$.
Risk Computation. In the context of ACT, risk can refer to two distinct measures namely, (i) risk to the attacker [33] and (ii) risk to the system [34]. Attacker’s risk of an atomic attack refers to the probability of detection of the atomic attack [33]. AttackTree+ AT analysis tool [35] refers to this type of risk as the ‘accepted risk’ of the attacker. Since we deal with probability of detection of atomic attacks in $P_{goal}$ computation in Section 3.2, in this subsection we discuss risk to the system. Risk to a system refers to the system’s risk to a particular attack scenario. In this context, two measures need to be taken into consideration. One is the amount of damage that an attack scenario can render to the system ($I_{goal}$) and the other is the probability of attack success ($P_{goal}$). Combining the two, risk to the system can be defined as the expected value of the impact. The expression for system risk for ACTs is:

$$Risk_{sys} = P_{goal} \times I_{goal} \tag{12}$$

[Figure 8. ACT for Malicious Insider Attack (MI ACT).]

In an ACT without any countermeasures, application of $CM_i$ causes the output probability of the ACT node containing attack event $A_k$ (point of application of $CM_i$) to decrease by $\Delta p_{A_k CM_i}$ (for instance, incorporation of $CM_i$ may cause the ACT node in Figure 2(a) to become the ACT node in Figure 2(d)). In ACT, the decrease in risk ($\Delta Risk_{CM_i}$) for countermeasure $CM_i$ can be given by:

$$\Delta Risk_{CM_i} = Risk_{without\ CM_i} - Risk_{with\ CM_i} = I_{goal} \times (P_{goal,\ without\ CM_i} - P_{goal,\ with\ CM_i}) \tag{13}$$

where $P_{goal,\ with\ CM_i}$ is $P_{goal}$ of the ACT with countermeasure $CM_i$ and $P_{goal,\ without\ CM_i}$ is $P_{goal}$ of the ACT without countermeasure $CM_i$. Similarly for an ACT with incorporated countermeasure set $S_{CM}$, the decrease in risk ($\Delta Risk_{S_{CM}}$) for countermeasure set $S_{CM}$ can be given by:

$$\Delta Risk_{S_{CM}} = Risk_{without\ S_{CM}} - Risk_{with\ S_{CM}} = I_{goal} \times (P_{goal,\ without\ S_{CM}} - P_{goal,\ with\ S_{CM}}) \tag{14}$$

ROA and ROI Computation. Two metrics from the field of economics have been adapted to the security scenario in order to quantify the nature of the competition between the attacker and the defender. Return on Attack (ROA) [8, 9] is an index that is aimed at measuring the benefit to the attacker from a particular attack. Unlike attack cost, ROA changes with the application of specific countermeasures. ROA [4] is defined by:

$$ROA = \frac{Risk_{sys}}{C_{attacker}} = \frac{I_{goal} \times P_{goal}}{C_{attacker}} \tag{15}$$

Next we discuss a quantification of Return on Investment (ROI) [6]. The basic definition of $ROI_{CM_i}$ is the profit obtained by the implementation of $CM_i$ (thereby signifying the efficacy of that countermeasure). ROI for countermeasure $CM_i$ is a function of the impact of attack of the ACT, the decrease in the probability of attack at the ACT goal ($\Delta P_{goal\,CM_i}$) due to $CM_i$ and the security investment cost for $CM_i$ ($c_{CM_i}$). Adapting Sonnenreich’s definition of Return on Investment [6] to the context of ACT, we have:

$$ROI_{CM_i} = \frac{\text{profit from } CM_i - \text{Cost of implementing } CM_i}{\text{Cost of implementing } CM_i} \tag{16}$$

$$ROI_{CM_i} = \frac{I_{goal} \times \Delta P_{goal\,CM_i} - c_{CM_i}}{c_{CM_i}} \tag{17}$$

Note that $ROI_{CM_i} \ge -1$.
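The cost, impact, risk, ROA and ROI measures of this section can be worked through on the BGP ACT. This Python sketch is an added example, not the paper's SHARPE input: the attack parameters are the BGP rows of the paper's parameter table and the mincuts are those listed in Section 3.3.1, while the countermeasure probabilities and investment costs are constructed values, and `p_goal` encodes Figure 4 as read from those mincuts.

```python
from math import prod

# BGP attack nodes from the paper's parameter table:
# (probability of attack, attack cost in $, attack impact in 10^3 $)
ATTACK = {
    "A111": (0.08, 50, 200), "A1121": (0.1, 60, 130), "A1122": (0.15, 70, 100),
    "A1123": (0.2, 100, 300), "A12": (0.1, 150, 250), "A2": (0.4, 190, 275),
}
# Mincuts of the BGP ACT as listed in Section 3.3.1
MINCUTS = [
    ("A111", "CM1", "A12", "CM12"), ("A1121", "CM1", "A12", "CM12"),
    ("A1122", "CM1", "A12", "CM12"), ("A1123", "CM1", "A12", "CM12"),
    ("A2", "CM2"),
]
# Constructed countermeasure parameters (not from the paper):
# (p_D, p_M, security investment cost in 10^3 $)
CM = {"CM1": (0.8, 0.7, 10), "CM12": (0.9, 0.8, 5), "CM2": (0.7, 0.9, 30)}


def attack_events(mincut):
    return [e for e in mincut if e.startswith("A")]


def mincut_cost(mincut):
    return sum(ATTACK[a][1] for a in attack_events(mincut))


def attack_cost(mincuts):
    """C_attacker: cost of the cheapest mincut (attack events only), in $."""
    return min(mincut_cost(mc) for mc in mincuts)


def impact(mincuts):
    """I_goal: impact of the highest-impact mincut, in 10^3 $."""
    return max(sum(ATTACK[a][2] for a in attack_events(mc)) for mc in mincuts)


def feasible(mincuts, budget):
    """Capability-based pruning: scenarios within the attacker's budget ($)."""
    return [mc for mc in mincuts if mincut_cost(mc) <= budget]


def p_goal(enabled):
    """P_goal of the BGP ACT with only the countermeasures in `enabled` applied."""
    def residual(name):
        # probability that the countermeasure fails: 1 - p_D * p_M, as in Eq. (4)
        if name not in enabled:
            return 1.0
        p_d, p_m, _ = CM[name]
        return 1 - p_d * p_m

    p = {a: v[0] for a, v in ATTACK.items()}
    send = 1 - prod(1 - p[a] for a in ("A111", "A1121", "A1122", "A1123"))
    p_a1 = send * p["A12"] * residual("CM12") * residual("CM1")   # AND branch
    p_a2 = p["A2"] * residual("CM2")
    return 1 - (1 - p_a1) * (1 - p_a2)                            # OR at goal


def roi(name):
    """Eq. (17) for one countermeasure added to the tree without countermeasures."""
    delta_p = p_goal(set()) - p_goal({name})
    cost = CM[name][2]
    return (impact(MINCUTS) * delta_p - cost) / cost


def roa(enabled):
    """Eq. (15), with impact converted from 10^3 $ to $ to match attack cost."""
    return p_goal(enabled) * impact(MINCUTS) * 1000 / attack_cost(MINCUTS)


def ranked_by_roi():
    return sorted(CM, key=roi, reverse=True)


if __name__ == "__main__":
    print("C_attacker ($):", attack_cost(MINCUTS))
    print("I_goal (10^3 $):", impact(MINCUTS))
    print("P_goal without countermeasures:", p_goal(set()))
    print("feasible with $200:", feasible(MINCUTS, 200))
    for name in ranked_by_roi():
        print(name, "ROI =", roi(name))
    print("ROA before/after:", roa(set()), roa(set(CM)))
```

With these constructed countermeasure values, one countermeasure has a negative ROI: the risk it removes is worth less than its investment cost, which Eq. (17) bounds below by -1.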
4. IMPLEMENTATION

We use SHARPE [13] for the evaluation of ACT. We have implemented a module for automatic description and evaluation of ACTs in SHARPE. For the computation of probability of attack, mincuts, structural and Birnbaum importance measure of ACT, we simply use the already existing algorithms for solving fault trees in SHARPE. We have added the relevant algorithms (described in Section 3.3.2) for computing cost, impact and risk in ACTs. ROA and ROI computation is done by defining functions in the SHARPE input file.
5. EXAMPLES

For the analysis of ACT, we use the BGP ACT [14] of Figure 4, the SCADA ACT [10] of Figure 7 and ACT for malicious insider attack (MI ACT) of Figure 8 as case studies. Two significant characteristics of the SCADA ACT are: (i) it contains only attack and mitigation events and (ii) all mincuts are not covered by the mitigation techniques provided. The basic structure of the ACT for malicious insider attack (MI ACT) was proposed in [16]. We built on this structure by adding lower level subtrees from other sources (for instance, in MI ACT the subtree for attack by ‘elevation’ of malicious user (node $A_4$ in Figure 8) is obtained from [36]). MI ACT has attack, detection and mitigation events. However in MI ACT as well, all the mincuts are not covered by the countermeasures provided.

Figure 6(a) shows the variation in structural importance measure and Figure 6(c) shows the variation in Birnbaum importance measure of attack event $A_i$ in BGP ACT due to implementation of countermeasure $CM_i$. From Figure 6(c) and Figure 6(d), observe that maximum decrease in $P_{goal}$ is caused by the implementation of the countermeasure associated with the attack event with the highest value of $I^{B}_{A_k}$. For instance, in BGP ACT with no defense (or the BGP AT), attack event $A_1$ (‘Send RESET message’) has highest value of $I^{B}_{A_k}$ leading to the implementation of $CM_1$ (‘Traceroute’) first. The corresponding decrease in $P_{goal}$ (shown in Figure 6(c)) is the maximum for all the countermeasures present. Therefore, implementation of countermeasures ($CM_i$) for attack events ($A_i$) with higher values of $I^{B}_{A_k}$ should be prioritized. Similarly we can observe from Figure 6(a) and Figure 6(b) that implementation of countermeasures with higher $I^{ST}_{A_k}$ should be prioritized.

The values for the input parameters for countermeasure nodes of all three ACTs are in Table III and the values for the input parameters for attack nodes of all three ACTs are in Table IV.
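Table III. Parameter values for attack nodes in ACT

| ACT node | Probability of attack | Attack cost (in $) | Attack impact (in 10^3 $) |
|---|---|---|---|
| $A_{111}$ (BGP) | 0.08 | 50 | 200 |
| $A_{1121}$ (BGP) | 0.1 | 60 | 130 |
| $A_{1122}$ (BGP) | 0.15 | 70 | 100 |
| $A_{1123}$ (BGP) | 0.2 | 100 | 300 |
| $A_{12}$ (BGP) | 0.1 | 150 | 250 |
| $A_{2}$ (BGP) | 0.4 | 190 | 275 |
| $A_{S1}$ (SCADA) | 0.1 | 100 | 300 |
| $A_{S2}$ (SCADA) | 0.1 | 110 | 150 |
| $A_{S3}$ (SCADA) | 0.1 | 90 | 225 |
| $A_{WSE}$ (SCADA) | 0.25 | 250 | 250 |
| $A_{ULAN}$ (SCADA) | 0.3 | 275 | 275 |
| $A_{HMI}$ (SCADA) | 0.2 | 100 | 100 |
| $A_{SCOPF}$ (SCADA) | 0.15 | 120 | 120 |
| $A_{G1}$ (SCADA) | 0.15 | 100 | 300 |
| $A_{G2}$ (SCADA) | 0.3 | 30 | 200 |
| $A_{G3}$ (SCADA) | 0.2 | 40 | 150 |
| $A_{DB}$ (SCADA) | 0.5 | 170 | 50 |
| $A_{UWAN}$ (SCADA) | 0.35 | 160 | 100 |
| $A_{WS}$ (SCADA) | 0.4 | 150 | 150 |
| $A_{11}$ (MI ACT) | 0.08 | 50 | 200 |
| $A_{12}$ (MI ACT) | 0.1 | 60 | 130 |
| $A_{2111}$ (MI ACT) | 0.15 | 70 | 100 |
| $A_{2112}$ (MI ACT) | 0.2 | 100 | 300 |
| $A_{2121}$ (MI ACT) | 0.1 | 150 | 250 |
| $A_{21221}$ (MI ACT) | 0.4 | 190 | 275 |
| $A_{21222}$ (MI ACT) | 0.1 | 100 | 300 |
| $A_{213}$ (MI ACT) | 0.1 | 110 | 150 |
| $A_{2141}$ (MI ACT) | 0.1 | 90 | 225 |
| $A_{2142}$ (MI ACT) | 0.25 | 250 | 250 |
| $A_{2143}$ (MI ACT) | 0.3 | 275 | 275 |
| $A_{31}$ (MI ACT) | 0.2 | 100 | 100 |
| $A_{32}$ (MI ACT) | 0.15 | 120 | 120 |
| $A_{411}$ (MI ACT) | 0.15 | 100 | 300 |
| $A_{4121}$ (MI ACT) | 0.3 | 30 | 200 |
| $A_{4122}$ (MI ACT) | 0.2 | 40 | 150 |
| $A_{413}$ (MI ACT) | 0.5 | 170 | 50 |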
Figure 9(a) shows Pgoal for BGP ACT (with and without countermeasures), Figure 9(b) shows Pgoal for SCADA ACT (with and without countermeasures) and Figure 9(c) shows Pgoal for MI ACT (with and without countermeasures) with the probability of attack value of all the leaf nodes in the ACT varying together in the range [0,1]. From Figure 9(a) we find that the Pgoal value for BGP ACT decreases with the incorporation of detection mechanisms (Pgoal = PUD). With only detection mechanisms in ACT, mitigations are assumed to be perfect, i.e., they work with probability one. Therefore, with the incorporation of mitigations (imperfect mitigations) in BGP ACT, Pgoal increases (Pgoal = PUD + PDUM). SCADA ACT has only attack and mitigation events. Here detections are assumed to be perfect, i.e., Pgoal = PUD + PDUM with all pDi = 1.
Figure 9. Pgoal vs. probability of attack values of all the leaf nodes of (a) BGP ACT, (b) SCADA ACT and (c) MI ACT. [Plots not reproduced. x axis: probability of attack at leaf node; y axis: probability of attack at the goal (Pgoal). Curves in (a) and (c): Pgoal without D or M, Pgoal with D, Pgoal with D & M. Curves in (b): Pgoal without M, Pgoal with M.]
Table IV. Parameter values for countermeasure nodes in ACT

| ACT Node | Prob. of countermeasure success | Security investment cost (in $) |
|---|---|---|
| D1 (BGP) | 0.5 | 10 |
| M1 (BGP) | 0.6 | 30 |
| D12 (BGP) | 0.8 | 10 |
| M12 (BGP) | 0.5 | 20 |
| D2 (BGP) | 0.7 | 15 |
| M2 (BGP) | 0.5 | 35 |
| Mswitch (SCADA) | 0.25 | 15 |
| MrestartG1 (SCADA) | 0.4 | 25 |
| MrestartG2 (SCADA) | 0.5 | 20 |
| MrestartG3 (SCADA) | 0.6 | 30 |
| D12 (MI ACT) | 0.5 | 10 |
| M12 (MI ACT) | 0.6 | 30 |
| D412 (MI ACT) | 0.8 | 10 |
| M412 (MI ACT) | 0.5 | 20 |
From Figure 9(b), we find that Pgoal decreases with the incorporation of mitigations in SCADA ACT. Similarly, from Figure 9(c) we find that the Pgoal value for MI ACT decreases with the incorporation of detection mechanisms and then increases with the incorporation of mitigations (imperfect mitigations).

Figure 10(a) shows system risk (Risksys) for the BGP ACT (with and without countermeasures) with probability of attack at leaf node (pA1123) varying together in the range [0,1] and impact value of leaf node A1123 (iA1123) varying uniformly in the range 0-3×10^5 $. Observe that Risksys decreases with the incorporation of detection mechanisms (assuming perfect mitigations) and then increases with the incorporation of mitigations in ACT. Figure 10(b) shows Risksys for the SCADA ACT (with and without countermeasures) with probability of attack at leaf nodes pS1 and pG1 varying together in the range [0,1] and impact values of the leaf nodes IS1 and IG1 varying together in the range 0-3×10^5 $. Observe from the surfaces that Risksys decreases with the incorporation of countermeasures (mitigations) in SCADA ACT. Figure 10(c) shows system risk (Risksys) for the MI ACT (with and without countermeasures) with probability of attack at leaf node (pA31) varying together in the range [0,1] and impact value of leaf node A31 (iA31) varying uniformly in the range 0-3×10^5 $. From the surfaces, observe that for BGP, SCADA and MI ACT, Risksys increases with the probability of attack value at the leaf node. It is also directly proportional to the Igoal value of the corresponding ACT.

Figure 10. Risk to system (Risksys) (a) for BGP ACT against pA1123 (x axis) and iA1123 (y axis), (b) for SCADA ACT with both pS1 and pG1 being varied (x axis) and both IS1 and IG1 being varied (y axis) and (c) for MI ACT against pA31 (x axis) and iA31 (y axis). [Plots not reproduced. Surfaces in (a) and (c): Risk without D or M, Risk with D, Risk with D & M. Surfaces in (b): Risk without CM, Risk with CM.]

Risksys of different components in a system can also be compared using its ACT. Figure 11(a) shows Risksys for SCADA ACT against probability of attack values (ranging uniformly from 0 to 1) and impact values of the generator nodes G1, G2 and G3 (ranging uniformly from 0-2×10^5 $) whereas Figure 11(b) shows Risksys for SCADA ACT against probability of attack values (ranging uniformly from 0 to 1) and impact values of the sensor nodes S1, S2 and S3 (ranging uniformly from 0-2×10^5 $). From the surfaces, observe that sensors are higher risk components than the generators.

Figure 11. Risksys in SCADA ACT (a) against the probability of attack values (x axis) and attack impact values (y axis) for the generators (G1, G2, G3) (b) against the probability of attack values (x axis) and attack impact values (y axis) for the sensors (S1, S2, S3). [Plots not reproduced.]

Figure 12(a) shows ROA for the BGP ACT (with and without countermeasures) with attack cost of leaf node A1123 varying uniformly in the range 0-200 $ and attack impact value of leaf node A1123 varying uniformly in the range 0-3×10^5 $. As in the case of Risksys, ROA of BGP ACT decreases with the incorporation of detection mechanisms and then increases with the incorporation of mitigation techniques (imperfect mitigations) in ACT. Figure 12(b) shows ROA for the SCADA ACT (with and without countermeasures) with attack cost of the leaf nodes S1 and G1 varying together in the range 0-200 $ and impact values of the leaf nodes S1 and G1 varying together in the range 0-3×10^5 $. ROA for SCADA ACT decreases with incorporation of countermeasures. Figure 12(c) shows ROA for the MI ACT (with and without countermeasures) with attack cost of leaf node A31 varying uniformly in the range 0-200 $ and attack impact value of leaf node A31 varying uniformly in the range 0-3×10^5 $. From the surfaces we see that for BGP, SCADA and MI ACT, the ROA value is directly proportional to the Igoal value and inversely proportional to the Cattacker value of the corresponding ACT.

Figure 13(a) shows Pgoal for BGP ACT, Figure 13(b) shows the Pgoal value for SCADA ACT and Figure 13(c) shows Pgoal for MI ACT with the probability that a countermeasure works (pCMi) for all the countermeasures in the ACT varying together in the range [0,1]. For BGP, SCADA and MI ACT, it can be seen that Pgoal decreases with increasing pCMi. Moreover, CM1 and CM12 have the same effect on Pgoal of BGP ACT and their plots overlap.
Figure 12. ROA against (a) varying attack impact value iA1123 (x axis) and attack cost value CA1123 (y axis) of the leaf node A1123 in BGP ACT, (b) varying attack impact value IS1, IG1 (x axis) and attack cost value CS1, CG1 (y axis) of leaf nodes S1 and G1 of SCADA ACT and (c) varying attack impact value iA31 (x axis) and attack cost value cA31 (y axis) of the leaf node A31 in MI ACT. [Plots not reproduced. Surfaces in (a) and (c): ROA without D or M, ROA with D, ROA with D & M. Surfaces in (b): ROA without CM, ROA with CM.]
Figure 13. Pgoal against the probability that a countermeasure succeeds for (a) BGP ACT, (b) SCADA ACT and (c) MI ACT. [Plots not reproduced. x axis: probability that the countermeasure works; y axis: probability of attack at the goal. Curves in (a): Pgoal_BGP_ACT with CM_{1} only, with CM_{12} only, with CM_{2} only. Curves in (b): Pgoal_SCADA_ACT with CM_{switchHMI}, with CM_{restartG3}. Curves in (c): Pgoal with only D_{12} and M_{12}, Pgoal with only D_{412} and M_{412}.]
Figure 14(a) shows ROI for each countermeasure in BGP ACT, Figure 14(b) shows ROI for countermeasures (switch HMI) and (restart G3) for SCADA ACT and Figure 14(c) shows ROI for each countermeasure in MI ACT with security investment cost of the countermeasure (cCMi) varying uniformly in the range 0-100 $ and the corresponding pCMi varying uniformly in the range [0,1]. For all countermeasures, we observe that ROI = -1 for pCMi = 0. From Figure 14(a), it can be seen that ROI from CM2 exceeds that from CM1 or CM12. This allows the security analyst to prioritize the implementation of CM2 in BGP ACT. For SCADA ACT, ROI of (restart G3) exceeds ROI of (switch HMI). Similarly, for MI ACT, ROI of CM412 exceeds ROI of CM12 and CM123.
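The trends reported in this section (Pgoal dropping with detection, rising again once mitigation is imperfect, and ROI = -1 when a countermeasure never works) can be reproduced on a small tree. The following is an added example, not code from the paper: the three-leaf tree shape is constructed and is not any of the paper's ACTs, leaf values are borrowed from the tables above, and the gate rules for cost and impact and the ROA/ROI formulas are assumptions following common attack-tree conventions.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class Leaf:
    p_attack: float          # probability that the attack event occurs
    cost: float              # attack cost in $
    impact: float            # attack impact in $
    p_detect: float = 0.0    # 0.0 means no detection is deployed
    p_mitigate: float = 1.0  # 1.0 means mitigation is assumed perfect

@dataclass
class Gate:
    kind: str                # "AND" or "OR"
    children: list

def prob(n):
    """Probability that the attack at node n succeeds."""
    if isinstance(n, Leaf):
        p_ud = n.p_attack * (1 - n.p_detect)                  # undetected
        p_dum = n.p_attack * n.p_detect * (1 - n.p_mitigate)  # detected, unmitigated
        return p_ud + p_dum
    ps = [prob(c) for c in n.children]
    return prod(ps) if n.kind == "AND" else 1 - prod(1 - p for p in ps)

def cost(n):
    """Assumed rule: AND sums child costs, OR takes the cheapest child."""
    if isinstance(n, Leaf):
        return n.cost
    cs = [cost(c) for c in n.children]
    return sum(cs) if n.kind == "AND" else min(cs)

def impact(n):
    """Assumed rule: AND sums child impacts, OR takes the largest child."""
    if isinstance(n, Leaf):
        return n.impact
    vs = [impact(c) for c in n.children]
    return sum(vs) if n.kind == "AND" else max(vs)

def risk(t):
    return prob(t) * impact(t)            # Risksys = Pgoal * Igoal

def roa(t):
    return prob(t) * impact(t) / cost(t)  # assumed: Pgoal * Igoal / Cattacker

def roi(base, protected, cm_cost):
    """Assumed: (Igoal * reduction in Pgoal - investment) / investment."""
    return (impact(base) * (prob(base) - prob(protected)) - cm_cost) / cm_cost

def tree(p_detect=0.0, p_mitigate=1.0):
    """Constructed tree: goal = OR(a1, AND(a2, a3)); countermeasure on a1 only."""
    a1 = Leaf(0.4, 190, 275_000, p_detect, p_mitigate)
    a2 = Leaf(0.2, 100, 300_000)
    a3 = Leaf(0.1, 150, 250_000)
    return Gate("OR", [a1, Gate("AND", [a2, a3])])

if __name__ == "__main__":
    base, d_only, d_and_m = tree(), tree(0.7), tree(0.7, 0.5)
    for name, t in [("no D or M", base), ("D only", d_only), ("D & M", d_and_m)]:
        print(f"{name:10s} Pgoal={prob(t):.4f} risk={risk(t):.0f} ROA={roa(t):.1f}")
    # Investment of 50 $ = detection 15 $ + mitigation 35 $ (constructed pairing)
    print("ROI when the countermeasure never works:", roi(base, tree(0.0, 0.5), 50))
    print("ROI with D & M:", round(roi(base, d_and_m, 50), 1))
```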
Figure 14. ROI for each countermeasure (a) against cCMi (x axis) and pCMi (y axis) for BGP ACT, (b) against cCMi (x axis) and pCMi (y axis) for SCADA ACT and (c) against cCMi (x axis) and pCMi (y axis) for MI ACT. [Plots not reproduced. Axes: security investment cost of a countermeasure (CM_i) in dollars, probability that countermeasure (CM_i) works (p_{CM_i}), Return on Investment (ROI). Surfaces in (a): ROI_{CM_1}, ROI_{CM_{12}}, ROI_{CM_2}. Surfaces in (b): ROI(switchHMI), ROI(restartG3). Legend in (c) as printed: ROI of CM_{12}, ROA of CM_{412}.]

6. CONCLUSIONS In this paper, we have presented attack countermeasure trees (ACT), a non-state-space model that allows us to perform qualitative and probabilistic analysis of the security of a system. We take into account attacks as well as countermeasures (in the form of detection mechanisms and mitigation techniques). Detections and mitigations can be placed not just at the leaf node but also at any intermediate node. Events in ACT can be prioritized with the help of structural and Birnbaum importance measures. The effects of incorporating countermeasures in the ACT are demonstrated using three case studies (ACT for BGP attack, ACT for SCADA attack and ACT for malicious insider attack). In future work, we will explore the use of ACT for fast and efficient computation of optimal defense strategies for large systems using single and multi-objective optimization given certain security constraints (e.g., security investment cost, ROI) on a non-state space ACT model while continuing to avoid the state-space explosion problem.
7. RELATED WORK The authors would like to thank Dr. Dong Seong Kim for his insightful review of the subject material.
ACKNOWLEDGEMENTS This research was supported by US National Science Foundation grant NSF-CNS-08-31325.
REFERENCES
1. Ortalo R, Deswarte Y, Kaâniche M. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans. on Software Engineering 1999; 25(5):633–650.
2. Schneier B. Secrets and Lies: Digital Security in a Networked World. John Wiley and Sons Inc., New York, NY, USA, 2000.
3. Trivedi KS, Kim DS, Roy A, Medhi D. Dependability and security models. Proc. DRCN, IEEE, 2009; 11–20.
4. Cremonini M, Martini P. Evaluating information security investments from attackers perspective: the Return-On-Attack (ROA). Proc. Fourth Workshop on the Economics of Information Security, 2005.
5. Kearney P, Brügger L. A risk-driven security analysis method and modelling language. BT Technology J. 2007; 25(1):141–153.
6. Sonnenreich W, Albanese J, Stout B. Return On Security Investment (ROSI): A Practical Quantitative Model. J. of Research and Practice in Information Technology 2006; 38(1):45–56.
7. Moore AP, Ellison RJ, Linger RC. Attack Modeling for Information Security and Survivability. CMU/SEI-2001-TN-001, 2001.
8. Bistarelli S, Aglio MD, Peretti P. Strategic Games on Defense Trees. LNCS 2007; 4691:1–15.
9. Bistarelli S, Peretti P, Trubitsyna I. Defense trees for economic evaluation of security investments. Proc. ARES, 2006; 8–15.
10. Zonouz SA, Khurana H, Sanders WH, Yardley TM. RRE: A Game-Theoretic Intrusion Response and Recovery Engine. Proc. DSN, 2009; 439–448.
11. Sondik E. The optimal control of partially observable Markov processes. PhD Thesis, Stanford Univ. Electronics Labs 1971.
12. Sahner R, Trivedi KS, Puliafito A. Performance and reliability analysis of computer systems: an example-based approach using the SHARPE software package. Kluwer Academic, Norwell, Massachusetts, USA, 1999.
13. Trivedi KS, Sahner R. Sharpe at the age of twenty two. ACM SIGMETRICS Perf. Eval. Review 2009; 36(4):52–57.
14. Convery S, Cook D, Franz M. An Attack Tree for the Border Gateway Protocol. Cisco Internet draft, 2002.
15. Baker GH, Berg A. Supervisory Control and Data Acquisition (SCADA) Systems. The Critical Infrastructure Protection Report 1.6, 2002.
16. Butts J, Mills R, Baldwin R. Developing an insider threat model using functional decomposition. Computer Network Security 2005; LNCS(3685):412–417.
17. Weiss JD. A System Security Engineering Process. Proc. of the 14th National Computer Security Conf., 1991.
18. Amoroso EG. Fundamentals of Computer Security Technology. Prentice-Hall Inc., Upper Saddle River, NJ, USA, 1994.
19. Mauw S, Oostdijk M. Foundations of Attack Trees. LNCS 2006; 3935:186–198.
20. Daley K, Larson R, Dawkins J. A Structural Framework for Modeling Multi-stage Network Attacks. Proc. ICPPW, 2002; 1530–1536.
21. Fovino IN, Masera M, Cian AD. Integrating Cyber Attacks Within Fault Trees. Reliability Engineering & System Safety 2009; 94(9):1394–1402.
22. Edge KS. A Framework for Analyzing and Mitigating the Vulnerabilities of Complex Systems via Attack and Protection Trees. PhD Thesis, Air Force Institute of Technology 2007.
23. Gan Z, Tang J, Wu P, Varadharajan V. A Novel Security Risk Evaluation for Information Systems. Proc. FCST, 2007; 67–73.
24. Kuhn R, Sriram K, Montgomery D. Border gateway protocol security: Recommendations of the national institute of standards and technology. NIST Special Publication 800-54, 2007.
25. Hu X, Mao ZM. Accurate real-time identification of IP prefix hijacking. Proc. IEEE S & P, 2007; 3–17.
26. Meng FC. Comparing the importance of system components by some structural characteristics. IEEE Trans. on Reliability 1996; 45(1):59–65.
27. Boland PJ, Proschan F, Tong YL. Optimal arrangement of components via pairwise rearrangements. Naval Research Logistics 1989; 36(6):807–815.
28. Fricks RM, Trivedi KS. Importance analysis with Markov chains. Proc. Reliability and Maintainability Symp., IEEE, 2003; 89–95.
29. Nicol DM, Sanders WH, Trivedi KS. Model-based evaluation: From dependability to security. IEEE Trans. on Dependable and Secure Computing 2004; 1(1):48–65.
30. Technologies A. Securitree. http://www.amenaza.com/software.php 2002.
31. Olzak T. A Practical Approach to Threat Modeling. Technical Report, Erudio Security, LLC 2006.
32. Birnbaum ZW. On The Importance of Different Components in a Multicomponent System. Multivariate Analysis - II, Krishnaiah PR (ed.), Academic Press, New York, NY, USA, 1969; 581–592.
33. Higuero MV, Unzilla JJ, Jacob E, Saiz P, Aguado M, Luengo D. Application of 'attack trees' in security analysis of digital contents e-commerce protocols with copyright protection. Proc. CCST, 2005; 57–60.
34. Lathrop S, Hill J, Surdu J. Modeling Network Attacks. Proc. 12th Conf. Behavior Representation in Modeling and Simulation, 2003; 401–407.
35. Software I. Attacktree+. http://www.isographsoftware.com/atpover.htm 2007.
36. Tidwell T, Larson R, Fitch K, Hale J. Modeling internet attacks. Proceedings of the 2001 IEEE Workshop on Information Assurance and security, vol. 59, IEEE, 2001.