Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Cyber-attacks are becoming one of the main threats of cyber security of critical infrastructures (CI) and information systems since the last decade [1]. Recent cybercrimes and cyber espionages have shown that stealthy and sophisticated attacks, such as advanced persistent threats (APT) will do great harm to information systems. For example, the famous security corporation RSA suffered from the compromise of private key server; Google e-mail servers were infiltrated and intercepted and the clients’ information was leaked. Great economic and reputational damage came with such cyber-attacks [2].

Considerable countermeasures have been taken for the sake of information systems security. However, most current defending techniques based on border protection are of little effect faced with targeted and complicated attacks because they mainly focus on one-shot known types [3]. But to improve information protection, the interaction between attackers and defenders must be considered.

In this paper, a risk framework based on attack-defense trees to analyze the cyber-attack risks by calculating the benefits of both sides is proposed. Several metrics were defined as quantitative analysis. ROA (Return on attack) and ROI (Return on Investment) were introduced to illustrate the impact of taking relative countermeasures towards attacks. Besides, algorithms of how to generate attack-defense trees were given and ADTool [4, 5] was made use of as well. At last, the approach was demonstrated through a numerical case.

The remainder of the paper is as follows. In Sect. 2 we summarize related work on modeling attack and defense with tree structure. Our own framework is declared in Sect. 3. Application and numerical illustrations are depicted in Sect. 4. Finally, we discuss our results and draw conclusions.

2 Related Work

Attack tree has been widely utilized to systemically analyze attacks risks, which can implicitly illustrate the attack path. The concept of attack tree model was first introduced by Schneier [6]. In [7], the attack tree model was extended by adding attack scenarios and profiles. However, attack tree only works from the perspective of attackers and is complicated in visualization. To show the effect of defense mechanism, Edge et al. proposed protection trees from the perspective of defenders [8]. In [9], Bistarelli et al. proposed the defense tree model. But neither the protection tree nor defense tree is able to be employed without attack tree. To solve this problem, Roy et al. introduced attack countermeasure tree to combine attack and defense yet it’s too complicated to be realized [10].

In [11, 12], Kordy et al. proposed attack-defense tree (ADTree) which combines attack tree and defense tree to one structure. ADTree describes the interactions between attacker and defender and the iterative counteraction for after the actions of both. Therefore, it can clearly show the system risks before and after the implementation of countermeasures towards specific domains. For the convenience of application, Kordy et al. later proposed tree construction tool namely ADTool to generate ADTree. By numerating system risks due to vulnerabilities and attack success possibility, the ADTree can be well applied to practical cases such as vehicle network [13] and CPS network [14] hence we employ it as the foundation of our analysis.

3 Modeling with ADTree

3.1 Attack-Defense Tree Model

In an attack-defense tree model, the scenario is divided into the attack phase and defense phase and the properties are abstracted as nodes. The targeted node of the attacker is the root of the tree and to complete his compromise, the attacker has to start exploiting from the leaf node and move progressively layer by layer until managing the invasion of the root node. Meanwhile, the defenders have to take countermeasures relative to each node in the attack path to keep the attacker from continuing his move. Attention that during each move of both sides there is a cost of move. To better understand the model, the formal definition of ADTree is as the following.

Definition 1.

The ADTree is a triad \( ADT = \left( {N,E,R} \right) \). \( N = \left( {N_{a} ,N_{b} } \right) \) is the set of nodes the tree while \( N_{a} \) represents the set of attack nodes which is also the property node of the system compromised and \( N_{d} \) represents the set of defense nodes which, in other words, represents the defense countermeasures. We also define \( Pa\left( N \right) \) as the parent node set of \( N \). \( E = \left( {N_{i} ,N_{j} } \right) \) represents the edge between \( N_{i} \) and \( N_{j} \). \( R = \left( {AND,OR} \right) \) is defined as the relations of attacks. In this paper, the basic relation operators are “AND” and “OR”, which mean that the attacker/defender has to complete all his attack/defense to move on to the higher layer and the attacker/defender just needs to complete at least one respectively.

An instance is given in Fig. 1 to illustrate the structure of ADTree. Notice that the circular nodes are the attack nodes and the rectangular nodes represent the defense nodes. Corresponding defense countermeasures are depicted as the dotted line. Child nodes with arc represent AND operation nodes while those without represent OR operation nodes.

Fig. 1.
figure 1

An instance of attack-defense tree. This shows the possible attack path of illegally obtaining accounts and corresponding countermeasures towards password safety

Full size image

3.2 Risk Analysis Framework with ADTree

Based on the ADTree theory and some concepts in [14], we establish the risk analysis framework by introducing several metrics. Our goal is to evaluate the risks resulting from potential attacks and the effects of countermeasures undertaken.

Step 1. Understanding system vulnerability

Attackers always take good advantage of vulnerabilities to exploit information system. It cannot be denied that some cyber-attacks, APT attacks for example, utilizes unidentified vulnerabilities such as 0 day vulnerabilities, but most do not. Common system vulnerabilities could be found on the lists of CVE (Common Vulnerabilities and Exposures) and defenders can score them with CVSS (Common Vulnerabilities Scoring System)Footnote 1.

Step 2. Gathering attack information

After understanding system vulnerabilities, corresponding countermeasures should be made and attack path should be predicted according to the occurrence probability and extent of damage. Defense cost need to be taken into consideration as well. Attack information such as attack target, attack nodes, attack success probability, attack/defense cost and impact loss could be obtained from detection of attacks and vulnerability scanning. Besides, attack behavior database is also reference which needs regular updates. For the sake of convenience, definitions of such information are as follows.

Definition 2.

Attack success probability \( p_{i} \): the possibility of successfully committing an attack through risk \( i\left( {i = 1,2, \ldots ,m} \right) \) which ranges from 0 to 1.

Definition 3.

Attack cost \( c_{i} \in \left( {0,\infty } \right) \): the resource required to commit an attacks, including human resource and physical resource needed.

Definition 4.

Defense cost \( d_{i} \in \left( {0,\infty } \right) \): the resource required to undertake countermeasures, capital of purchasing and employing security equipment and human resource included.

Definition 5.

Potential loss \( l_{i} \): the potential loss that may be resulted from attacking through risk \( i \) and can be divided into 1 to 10 levels according to the severity.

Step 3. Constructing ADTree

After completing step 1 and step 2, it is necessary to construct ADTree model for attack and defense

The risk \( i \) is composed of atom attacks numbering \( 1,2, \ldots ,n \) and can be expressed as the son nodes of one attack node. For the simplicity of calculation and comparison, monetary unit is introduced as a measure of attack costs and protection costs. Human resource consumed can be regards as monetary units, such as 100 dollars per hour. Assuming that the attacker employs his attack through risk \( i \) at time \( t \), the defender shall undertake responding measures at time \( t + 1 \) after monitoring the attack. Therefore, the values of \( c_{i} \), \( d_{i} \) and \( l_{i} \) shall change as a result of defense action. \( t \) is regarded as the attack time and \( t + 1 \) as the defense time. First, the expressions of metrics at attack time are as shown in Table 1. Notice that under the different relations of “AND” and “OR”, the expressions differ.

Table 1. Metric equation during attack phase \( (t) \)
Full size table

Extents of system risk can be reflected in \( p_{i} \) and \( l_{i} \). The greater \( p_{i} \) and \( l_{i} \) are, the more risks the system is facing. Besides, attack cost matters and rational attackers tend to choose the attack profile which costs less. As a consequence, system risk assessment metrics \( r_{i} \left( t \right) \) can be expressed as

$$ r_{i} \left( t \right) = \frac{{p_{i} \left( t \right) \cdot l_{i} \left( t \right)}}{{c_{i} \left( t \right)}} $$
(1)

Now that the basic metrics have been defined, it is important to construct ADTM (ADTree with metrics). The key algorithm pseudocode is as follows.

Step 4. Countermeasures implementation

The defender implements corresponding countermeasures to counter with attacks or to diminish the possibility of potential attacks hence the attack cost, defense cost and potential loss are not as the same as what they are at \( t \). It is difficult to determine the value of attack success probability \( p_{i} \) as it changes as the attack-defense environment. First, for the convenience of analysis, assuming that \( p_{i} \) keeps stable during the time interval \( \left[ {t,t + 1} \right] \) namely \( p_{i} \left( t \right) = p_{i} \left( {t + 1} \right) \).

Define the increment of attack cost due to the implementation of defense actions as \( \Delta c_{k} \left( t \right) \) at \( t + 1 \). Theoretically, \( \Delta c_{k} \left( t \right) \) is proportional to the value of defense cost. With the scale factor \( \lambda \), the incremental equation is as follows:

$$ \Delta c_{k} \left( t \right) = \lambda \times d_{k} \left( t \right) $$
(2)

\( \lambda \) is influenced by security strategy, security operation and personnel training. Meanwhile the potential loss can be updated at \( t + 1 \)

$$ l_{i} \left( {t + 1} \right) = \alpha \times l_{i} \left( t \right) $$
(3)

where \( \alpha = 1 - \varphi \) represents surplus factor as a representative of the vulnerability rate that cannot be repaired due to the capability constraints of defenders. The formulation of \( \varphi \) is defined as

$$ \varphi \left( {t + 1} \right) = \frac{{N_{g} \left( {t + 1} \right)}}{{N_{c} \left( {t + 1} \right)}} $$
(4)

where \( N_{g} \) represents the number of vulnerability that can be repaired through undertaking countermeasures and \( N_{c} \) represents the number that cannot. From the equations above, metrics at \( t + 1 \) can be derived as numerated in Table 2.

Table 2. Metric equation during defense phase \( (t + 1) \)
Full size table

Step 5. Risk analysis

In order to evaluate system risk, the concepts of \( ROA \) (Return on Attack) and \( ROI \) (Return on Investment) are defined as follows.

Definition 6.

\( ROA \): the expected return rate of the attacker after his investment on the attacks. Its formulation is

$$ ROA\left( {t + 1} \right) = \frac{{p_{i} \left( t \right) \times l_{i} \left( {t + 1} \right)}}{{c_{i} \left( {t + 1} \right)}} $$
(5)

Definition 7.

\( ROI \): the expected return rate of the defender after his investment on the defense actions for the system security. Its formulation is

$$ ROI = \frac{{\Delta ALE}}{CI} $$
(6)

In (6), \( \Delta ALE \) is the differential of loss resulting from the attacker after and before the implementation of countermeasures, expressed as \( ROA\left( {t + 1} \right) - ROA\left( t \right) \). While \( CI \) is the countermeasures cost of defenders which can also be represented as \( d\left( {t + 1} \right) \). The reason to define as this is to associate \( ROA \) and \( ROI \) to evaluate the effects of countermeasures. Consequently, (6) is turned to

$$ ROI = \frac{{ROA\left( {t + 1} \right) - ROA\left( t \right)}}{{d\left( {t + 1} \right)}} $$
(7)

Now it’s necessary to update Algorithm 1 to generate UADTM (updated ADT with metrics). The key algorithm pseudocode is as follows.

Considering that system risk can be represented with attack utility, it’s reasonable that \( ROA \) and \( r(t) \) have the same expression to simplify the analysis. Therefore, the risk value is substituted by \( ROA \) in Algorithm 2.

From the perspective of the attacker, the goal is to maximizing \( ROA \) while minimizing the attack cost; while for the defender, the goal is to maximizing \( ROI \) while keeping the defense cost to the least level. Therefore, the defender shall consider how to minimize \( ROA \) and for the attacker, on the contrary, is to minimize \( ROI \).

4 Risk Analysis Framework

In this section, a framework towards network attacks will first be established according to the metrics and definitions above, as shown in Fig. 2. Then numerical illustrations are given as a demonstration.

Fig. 2.
figure 2

Framework of system risk analysis based on ADTree including two stages

Full size image

4.1 Framework Construction

Based on the approach given, the framework of network risk analysis could be established as follows. The process is composed of the system risk understanding and the construction of ADTree.

Stage 1. Understanding system risks

The main task in this phase is to collect system vulnerability and attack information detected.

First, network properties shall be modeled and assigned values. Then techniques such as vulnerability scanning, flux monitoring and malware detection are utilized to understand the risk information. Besides, potential attack path could be illustrated and the loss shall be estimated thru the inquiry of attack behavior database. Risks can also be scored referring to CVSS.

Stage 2. Establishing attack-defense tree analysis framework

After gathering the necessary information, relative metrics before and after the implementation of countermeasures need to be taken into consideration. Based on the five steps proposed, analysis framework could be established through the following three steps.

  1. (1)

    ADTree construction. By employing ADTool, input the values of the parameters at \( t \) and construct the tree based on Algorithm 1 proposed to generate ADTM.

  2. (2)

    Countermeasures undertaken. System metrics change at the defense time \( t + 1 \) and need to be updated and generate UADTM based on Algorithm 2.

  3. (3)

    Risk evaluation. After generating ADTM and UADTM, values of \( ROA \) and \( ROI \) of each node need to be calculated as the reference.

4.2 Numerical Illustrations

In this section, numerical illustrations are given to demonstrate the framework proposed. As for the possible attack path, we consider Night Dragon attack [15], one example of APT attacks, whose goal is to infect target hosts, install remote control tools, establish stealthy transfer tunnel and steal confidential documents. The ADTree of the attack and some defense actions are shown in Fig. 3.

Fig. 3.
figure 3

ADTree structure for modeling attack path and corresponding countermeasures

Full size image

In the case of \( \lambda = 0.5,\alpha = 0.3 \), the updated metrics are shown in Fig. 4. The calculation of each metric has been defined in the previous page. As is shown in Fig. 4 and Table 3, when the defender implements countermeasure worth 55 k dollars toward the node of password crack, the attack cost increment is 22.81 k dollars. Attention that for the convenience of analysis, attack success possibility \( p \) is assumed to remain unchanged. The loss impact drops from 7.78 to 5.53 and the values of \( ROA \) diminishes by 54.55%. It can be inferred that by taking specific defense actions, the risk of password cracked reduces by 54.55%. From Fig. 4, it can also be inferred that both the attacker and defender can learn from the interaction of attack-defense. Considering the persistent characteristics of current cyber-attacks, the process can be derived iteratively between the attacker and defender. The closer is the attack node to the root node, the more the corresponding defense cost is while defense cost comes to the least on the leaf nodes. This illustrates that countermeasures should be implemented as soon as the attack has been detected. Besides, attacks might be deterred if the attack cost is too high while the return on attack is little as a consequence of defense actions.

Fig. 4.
figure 4

ADTree structure for modeling attack path and corresponding countermeasures with metrics. This structure is in the case of \( \lambda = 0.5,\alpha = 0.3 \)

Full size image
Table 3. Metric values and variations of the password crack node
Full size table

5 Conclusion

Considering the interaction of the attacker and defender, a framework of tree structure to evaluate the system risks caused by network attacks was established based on the theory of attack-defense tree. By constructing ADTree for specific attack-defense scenario and calculating the values of return on attack, the risks of specific attack before and after the implementation of defense actions can be compared quantitatively. The paper also suggests that the defender should take defense measures as soon as possible once the detection of attacks. In addition, taking specific countermeasures may possibly deter attackers as a result of the increase of attack costs and decline in return. In the future work, optimal strategy will be studied instead of the just given statics. Besides, attackers are assumed to be rational to choose the least cost route in this paper. Behaviors of irrational attackers and specific scenarios will also be studied in the future work to extend the proposed framework.