Abstract
Considering the lack of theoretical analysis for systems under complicated attacks, a framework is proposed to analyze attack risks based on attack-defense trees. The attack period is divided into an attack phase and a defense phase, and metrics are defined for each. First, action nodes are constructed by collecting system vulnerabilities and capturing invasive events, and defense strategies are mapped to defense nodes in the tree structure. Formal definitions are given and the attack-defense tree with metrics is constructed using ADTool and the relevant algorithms. In addition, the concepts of ROA (Return on Attack) and ROI (Return on Investment) are introduced to analyze system risk and to evaluate countermeasures. Finally, a risk analysis framework based on attack-defense trees is established and a numerical case is given to demonstrate the proposed approach. The result shows that the framework can clearly describe the practical scenario of the interaction between attacks and defenses, so that the objectives of risk analysis and countermeasure evaluation can be achieved.
1 Introduction
Cyber-attacks have become one of the main threats to the cyber security of critical infrastructures (CI) and information systems over the last decade [1]. Recent cybercrimes and cyber espionage have shown that stealthy and sophisticated attacks, such as advanced persistent threats (APT), do great harm to information systems. For example, the well-known security corporation RSA suffered the compromise of a private key server, and Google e-mail servers were infiltrated, traffic was intercepted and client information was leaked. Great economic and reputational damage came with such cyber-attacks [2].
Considerable countermeasures have been taken for the sake of information system security. However, most current defense techniques based on perimeter protection are of little effect against targeted and complicated attacks, because they mainly focus on one-shot attacks of known types [3]. To improve information protection, the interaction between attackers and defenders must be considered.
In this paper, a risk framework based on attack-defense trees is proposed to analyze cyber-attack risks by calculating the benefits of both sides. Several metrics are defined for quantitative analysis. ROA (Return on Attack) and ROI (Return on Investment) are introduced to illustrate the impact of taking countermeasures against attacks. Besides, algorithms for generating attack-defense trees are given, and ADTool [4, 5] is used as well. Finally, the approach is demonstrated through a numerical case.
The remainder of the paper is as follows. In Sect. 2 we summarize related work on modeling attack and defense with tree structure. Our own framework is declared in Sect. 3. Application and numerical illustrations are depicted in Sect. 4. Finally, we discuss our results and draw conclusions.
2 Related Work
Attack trees have been widely used to systematically analyze attack risks, since they implicitly illustrate the attack path. The concept of the attack tree model was first introduced by Schneier [6]. In [7], the attack tree model was extended by adding attack scenarios and profiles. However, an attack tree only works from the perspective of the attacker and is complicated to visualize. To show the effect of defense mechanisms, Edge et al. proposed protection trees from the perspective of the defender [8]. In [9], Bistarelli et al. proposed the defense tree model. But neither the protection tree nor the defense tree can be employed without an attack tree. To solve this problem, Roy et al. introduced the attack countermeasure tree to combine attack and defense, yet it is too complicated to be realized in practice [10].
In [11, 12], Kordy et al. proposed the attack-defense tree (ADTree), which combines the attack tree and the defense tree into one structure. An ADTree describes the interactions between attacker and defender and the iterative counteraction that follows the actions of both sides. Therefore, it can clearly show the system risks before and after the implementation of countermeasures in specific domains. For the convenience of application, Kordy et al. later proposed a tree construction tool, ADTool, to generate ADTrees. By quantifying system risks due to vulnerabilities and the probability of attack success, the ADTree can be applied well to practical cases such as vehicular networks [13] and CPS networks [14]; hence we employ it as the foundation of our analysis.
3 Modeling with ADTree
3.1 Attack-Defense Tree Model
In an attack-defense tree model, the scenario is divided into an attack phase and a defense phase, and the properties of the system are abstracted as nodes. The node targeted by the attacker is the root of the tree; to complete his compromise, the attacker has to start exploiting from a leaf node and move progressively, layer by layer, until he manages the invasion of the root node. Meanwhile, the defender has to take countermeasures at each node in the attack path to keep the attacker from continuing his move. Note that each move of either side has a cost. To better understand the model, the formal definition of the ADTree is given as follows.
Definition 1.
The ADTree is a triad \( ADT = \left( {N,E,R} \right) \). \( N = \left( {N_{a} ,N_{d} } \right) \) is the set of nodes of the tree, where \( N_{a} \) represents the set of attack nodes, i.e., the properties of the system that are compromised, and \( N_{d} \) represents the set of defense nodes, i.e., the defense countermeasures. We also define \( Pa\left( N \right) \) as the set of parent nodes of \( N \). \( E = \left( {N_{i} ,N_{j} } \right) \) represents the edge between \( N_{i} \) and \( N_{j} \). \( R = \left( {AND,OR} \right) \) is defined as the set of relations between attacks. In this paper, the basic relation operators are “AND” and “OR”: under “AND” the attacker/defender has to complete all of his attacks/defenses to move on to the higher layer, while under “OR” the attacker/defender only needs to complete at least one of them.
An instance is given in Fig. 1 to illustrate the structure of an ADTree. Notice that the circular nodes are the attack nodes and the rectangular nodes represent the defense nodes. Corresponding defense countermeasures are depicted with dotted lines. Child nodes joined by an arc represent AND operation nodes, while those without an arc represent OR operation nodes.
3.2 Risk Analysis Framework with ADTree
Based on the ADTree theory and some concepts in [14], we establish the risk analysis framework by introducing several metrics. Our goal is to evaluate the risks resulting from potential attacks and the effects of countermeasures undertaken.
Step 1. Understanding system vulnerability
Attackers always take advantage of vulnerabilities to exploit an information system. It cannot be denied that some cyber-attacks, APT attacks for example, utilize unidentified vulnerabilities such as 0-day vulnerabilities, but most do not. Common system vulnerabilities can be found in the lists of CVE (Common Vulnerabilities and Exposures), and defenders can score them with CVSS (Common Vulnerability Scoring System; see Note 1).
Step 2. Gathering attack information
After understanding the system vulnerabilities, corresponding countermeasures should be prepared and the attack path should be predicted according to the occurrence probability and the extent of damage. Defense cost needs to be taken into consideration as well. Attack information such as the attack target, attack nodes, attack success probability, attack/defense cost and impact loss can be obtained from the detection of attacks and from vulnerability scanning. Besides, an attack behavior database is also a reference, one which needs regular updates. For convenience, this information is defined as follows.
Definition 2.
Attack success probability \( p_{i} \): the probability of successfully committing an attack through risk \( i\left( {i = 1,2, \ldots ,m} \right) \), which ranges from 0 to 1.
Definition 3.
Attack cost \( c_{i} \in \left( {0,\infty } \right) \): the resources required to commit an attack, including the human and physical resources needed.
Definition 4.
Defense cost \( d_{i} \in \left( {0,\infty } \right) \): the resources required to undertake countermeasures, including the capital for purchasing and operating security equipment and the human resources involved.
Definition 5.
Potential loss \( l_{i} \): the potential loss that may result from an attack through risk \( i \), which is divided into levels from 1 to 10 according to its severity.
Step 3. Constructing ADTree
After completing step 1 and step 2, it is necessary to construct the ADTree model for attack and defense.
The risk \( i \) is composed of atomic attacks numbered \( 1,2, \ldots ,n \), which can be expressed as the child nodes of one attack node. For simplicity of calculation and comparison, a monetary unit is introduced as the measure of attack costs and protection costs. Human resources consumed can be regarded as monetary units, for example 100 dollars per hour. Assuming that the attacker launches his attack through risk \( i \) at time \( t \), the defender undertakes responding measures at time \( t + 1 \) after monitoring the attack. Therefore, the values of \( c_{i} \), \( d_{i} \) and \( l_{i} \) change as a result of the defense action. \( t \) is regarded as the attack time and \( t + 1 \) as the defense time. First, the expressions of the metrics at attack time are shown in Table 1. Notice that the expressions differ under the “AND” and “OR” relations.
The extent of system risk is reflected in \( p_{i} \) and \( l_{i} \): the greater \( p_{i} \) and \( l_{i} \) are, the more risk the system faces. Besides, attack cost matters, since rational attackers tend to choose the attack profile that costs less. As a consequence, the system risk assessment metric \( r_{i} \left( t \right) \) can be expressed as
Now that the basic metrics have been defined, it is important to construct ADTM (ADTree with metrics). The key algorithm pseudocode is as follows.
Step 4. Countermeasures implementation
The defender implements corresponding countermeasures to counter attacks or to diminish the possibility of potential attacks; hence the attack cost, defense cost and potential loss are no longer the same as at \( t \). It is difficult to determine the value of the attack success probability \( p_{i} \), as it changes with the attack-defense environment. For convenience of analysis, we first assume that \( p_{i} \) remains stable during the time interval \( \left[ {t,t + 1} \right] \), namely \( p_{i} \left( t \right) = p_{i} \left( {t + 1} \right) \).
Define the increment of attack cost due to the implementation of defense actions as \( \Delta c_{k} \left( t \right) \) at \( t + 1 \). Theoretically, \( \Delta c_{k} \left( t \right) \) is proportional to the value of defense cost. With the scale factor \( \lambda \), the incremental equation is as follows:
\( \lambda \) is influenced by security strategy, security operation and personnel training. Meanwhile the potential loss can be updated at \( t + 1 \)
where \( \alpha = 1 - \varphi \) represents surplus factor as a representative of the vulnerability rate that cannot be repaired due to the capability constraints of defenders. The formulation of \( \varphi \) is defined as
where \( N_{g} \) represents the number of vulnerabilities that can be repaired by undertaking countermeasures and \( N_{c} \) represents the number that cannot. From the equations above, the metrics at \( t + 1 \) can be derived as enumerated in Table 2.
Step 5. Risk analysis
In order to evaluate system risk, the concepts of \( ROA \) (Return on Attack) and \( ROI \) (Return on Investment) are defined as follows.
Definition 6.
\( ROA \): the expected return rate of the attacker after his investment on the attacks. Its formulation is
Definition 7.
\( ROI \): the expected return rate of the defender after his investment on the defense actions for the system security. Its formulation is
In (6), \( \Delta ALE \) is the difference in the loss caused by the attacker after and before the implementation of countermeasures, expressed as \( ROA\left( {t + 1} \right) - ROA\left( t \right) \), while \( CI \) is the countermeasure cost of the defender, which can also be represented as \( d\left( {t + 1} \right) \). The reason for this definition is to associate \( ROA \) with \( ROI \) in order to evaluate the effects of countermeasures. Consequently, (6) becomes
Now it’s necessary to update Algorithm 1 to generate UADTM (updated ADT with metrics). The key algorithm pseudocode is as follows.
Considering that system risk can be represented by attack utility, it is reasonable for \( ROA \) and \( r(t) \) to have the same expression, which simplifies the analysis. Therefore, the risk value is substituted by \( ROA \) in Algorithm 2.
From the perspective of the attacker, the goal is to maximize \( ROA \) while minimizing the attack cost; for the defender, the goal is to maximize \( ROI \) while keeping the defense cost at the lowest level. Therefore, the defender has to consider how to minimize \( ROA \), and the attacker, on the contrary, how to minimize \( ROI \).
4 Risk Analysis Framework
In this section, a framework towards network attacks will first be established according to the metrics and definitions above, as shown in Fig. 2. Then numerical illustrations are given as a demonstration.
4.1 Framework Construction
Based on the approach given, the framework of network risk analysis could be established as follows. The process is composed of the system risk understanding and the construction of ADTree.
Stage 1. Understanding system risks
The main task in this phase is to collect system vulnerability and attack information detected.
First, the network properties are modeled and assigned values. Then techniques such as vulnerability scanning, traffic monitoring and malware detection are used to gather the risk information. Besides, the potential attack path can be illustrated and the loss estimated by consulting the attack behavior database. Risks can also be scored with reference to CVSS.
Stage 2. Establishing attack-defense tree analysis framework
After gathering the necessary information, the relevant metrics before and after the implementation of countermeasures need to be taken into consideration. Based on the five steps proposed, the analysis framework can be established through the following three steps.
(1) ADTree construction. Using ADTool, input the values of the parameters at \( t \) and construct the tree based on the proposed Algorithm 1 to generate the ADTM.
(2) Countermeasures undertaken. The system metrics change at the defense time \( t + 1 \); they need to be updated and the UADTM generated based on Algorithm 2.
(3) Risk evaluation. After generating the ADTM and UADTM, the values of \( ROA \) and \( ROI \) of each node need to be calculated as the reference.
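The three steps above (and Steps 3 to 5 of Sect. 3.2) as an added, runnable illustration; this is not the paper's code, and since the expressions of Tables 1 and 2 and of (5) and (6) are not reproduced on this page, the AND/OR aggregation rules, the cost increment \( \lambda d \), the loss update \( \alpha l \), the ROA expression and the ROI expression used here are all assumptions, stated in the comments. The sample tree is constructed for the illustration, loosely following the Night Dragon phases of Sect. 4.2.

```python
from dataclasses import dataclass, field
from math import prod
from typing import List, Tuple

@dataclass
class AttackNode:
    """Attack node of the ADTree (Definition 1); a defense node is modelled as the
    countermeasure cost d attached to the attack node it counters."""
    name: str
    p: float = 1.0   # p_i: success probability of the atomic attack (leaf only)
    c: float = 0.0   # c_i: attack cost in monetary units (leaf only)
    l: float = 0.0   # l_i: potential loss level, 1..10 (leaf only)
    op: str = "OR"   # relation R among the children: "AND" or "OR"
    children: List["AttackNode"] = field(default_factory=list)
    d: float = 0.0   # d_i: cost of the countermeasure at this node (0 = none)

def metrics(node: AttackNode, defended: bool = False,
            lam: float = 0.5, alpha: float = 0.3) -> Tuple[float, float, float]:
    """Bottom-up (p, c, l) at attack time t (defended=False) or defense time t+1.
    Assumed aggregation (not the paper's Table 1): AND needs every child, so p
    multiplies, c adds and l is the worst child; OR lets the rational attacker
    take the cheapest child path (the paper's least-cost-route assumption)."""
    if node.children:
        vals = [metrics(ch, defended, lam, alpha) for ch in node.children]
        if node.op == "AND":
            p = prod(v[0] for v in vals)
            c = sum(v[1] for v in vals)
            l = max(v[2] for v in vals)
        else:
            p, c, l = min(vals, key=lambda v: v[1])
    else:
        p, c, l = node.p, node.c, node.l
    if defended and node.d > 0:
        # Step 4 in assumed form: attack cost grows by lambda * d (increment
        # proportional to defense cost); only the alpha = 1 - phi share of the
        # loss survives, i.e. the vulnerabilities the defender could not repair.
        c += lam * node.d
        l *= alpha
    return p, c, l

def roa(p: float, c: float, l: float) -> float:
    """Assumed ROA: expected loss inflicted per unit of attack cost (the paper
    gives r(t) and ROA the same expression, so this is the risk value too)."""
    return p * l / c

def total_defense(node: AttackNode) -> float:
    """Countermeasure cost CI summed over the whole tree."""
    return node.d + sum(total_defense(ch) for ch in node.children)

def evaluate(root: AttackNode, lam: float = 0.5, alpha: float = 0.3) -> dict:
    """Step 5: ROA before/after the countermeasures, its relative drop, and an
    assumed ROI = ROA reduction bought per unit of countermeasure cost."""
    p0, c0, l0 = metrics(root, False, lam, alpha)
    p1, c1, l1 = metrics(root, True, lam, alpha)
    roa_t, roa_t1 = roa(p0, c0, l0), roa(p1, c1, l1)
    ci = total_defense(root)
    return {"roa_t": roa_t, "roa_t1": roa_t1,
            "roa_drop_pct": 100.0 * (roa_t - roa_t1) / roa_t,
            "roi": (roa_t - roa_t1) / ci if ci else 0.0}

# Constructed sample tree (all values made up); the 55 unit countermeasure on
# "password crack" mirrors the defended node of the paper's numerical case.
TREE = AttackNode("steal confidential documents", op="AND", children=[
    AttackNode("infect target host", op="OR", children=[
        AttackNode("spear phishing", p=0.6, c=10.0, l=6.0),
        AttackNode("exploit web server", p=0.4, c=30.0, l=6.0)]),
    AttackNode("password crack", p=0.5, c=20.0, l=9.0, d=55.0),
    AttackNode("install remote control tool", p=0.7, c=15.0, l=7.0)])
```

With these assumed rules, `evaluate(TREE)` reports the attack cost of the root path rising from 45 to 72.5 units and ROA falling by about 51.7 %; swapping in the paper's own Table 1/2 expressions only requires editing `metrics` and `roa`.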
4.2 Numerical Illustrations
In this section, numerical illustrations are given to demonstrate the proposed framework. As the possible attack path, we consider the Night Dragon attack [15], one example of an APT attack, whose goal is to infect target hosts, install remote control tools, establish a stealthy transfer tunnel and steal confidential documents. The ADTree of the attack and some defense actions are shown in Fig. 3.
In the case of \( \lambda = 0.5,\alpha = 0.3 \), the updated metrics are shown in Fig. 4. The calculation of each metric has been defined in the previous section. As shown in Fig. 4 and Table 3, when the defender implements a countermeasure worth 55 k dollars at the password crack node, the attack cost increment is 22.81 k dollars. Note that, for convenience of analysis, the attack success probability \( p \) is assumed to remain unchanged. The loss impact drops from 7.78 to 5.53 and the value of \( ROA \) diminishes by 54.55%. It can be inferred that by taking specific defense actions, the risk of password cracking is reduced by 54.55%. From Fig. 4, it can also be inferred that both the attacker and the defender can learn from the attack-defense interaction. Considering the persistent character of current cyber-attacks, the process can be iterated between the attacker and the defender. The closer an attack node is to the root node, the higher the corresponding defense cost, and the defense cost is lowest at the leaf nodes. This illustrates that countermeasures should be implemented as soon as the attack has been detected. Besides, attacks might be deterred if the attack cost becomes too high while the return on attack becomes small as a consequence of the defense actions.
5 Conclusion
Considering the interaction between attacker and defender, a tree-structured framework for evaluating the system risks caused by network attacks was established based on the theory of attack-defense trees. By constructing an ADTree for a specific attack-defense scenario and calculating the values of the return on attack, the risks of a specific attack before and after the implementation of defense actions can be compared quantitatively. The paper also suggests that the defender should take defense measures as soon as possible once an attack is detected. In addition, taking specific countermeasures may deter attackers as a result of the increase in attack cost and the decline in return. In future work, optimal strategies will be studied instead of the static analysis given here. Besides, attackers are assumed in this paper to be rational and to choose the least-cost route. The behavior of irrational attackers and specific scenarios will also be studied in future work to extend the proposed framework.
Notes
1. Available at https://www.first.org/cvss.
References
Bencsáth, B., Pék, G., Buttyán, L., Felegyhazi, M.: The cousins of stuxnet: Duqu, flame, and gauss. Future Internet 4(4), 971–1003 (2012)
Virvilis, N., Gritzalis, D.: The big four - what we did wrong in advanced persistent threat detection? In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 248–254. IEEE, September 2013
Laszka, A., Johnson, B., Grossklags, J.: Mitigating covert compromises. In: International Conference on Web and Internet Economics, pp. 319–332. Springer, Heidelberg, December 2013
Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: International Conference on Quantitative Evaluation of Systems, pp. 173–176. Springer, Heidelberg, August 2013
Gadyatskaya, O., Jhawar, R., Kordy, P., Lounis, K., Mauw, S., Trujillo-Rasua, R.: Attack trees for practical security assessment: ranking of attack scenarios with ADTool 2.0. In: International Conference on Quantitative Evaluation of Systems, pp. 159–162. Springer International Publishing, August 2016
Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)
Moore, A.P., Ellison, R.J., Linger, R.C.: Attack modeling for information security and survivability. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst (No. CMU-SEI-2001-TN-001) (2001)
Edge, K.S., Dalton, G.C., Raines, R.A., Mills, R.F.: Using attack and protection trees to analyze threats and defenses to homeland security. In: IEEE Military Communications Conference, MILCOM 2006, pp. 1–7. IEEE, October 2006
Bistarelli, S., Fioravanti, F., Peretti, P.: Defense trees for economic evaluation of security investments. In: The First International Conference on Availability, Reliability and Security, ARES 2006, 8 pp. IEEE, April 2006
Roy, A., Kim, D.S., Trivedi, K.S.: Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees. Secur. Commun. Netw. 5(8), 929–943 (2012)
Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: International Workshop on Formal Aspects in Security and Trust, pp. 80–95. Springer, Heidelberg, September 2010
Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Attack–defense trees. J. Logic Comput. 24, 55–87 (2012)
Du, S., Li, X., Du, J., Zhu, H.: An attack-and-defence game for security assessment in vehicular ad hoc networks. Peer-to-peer Netw. Appl. 7(3), 215–228 (2014)
Ji, X., Yu, H., Fan, G., Fu, W.: Attack-defense trees based cyber security analysis for CPSs. In: 2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), pp. 693–698. IEEE, May 2016
Wueest, C.: Targeted Attacks Against the Energy Sector. Symantec Security Response, Mountain View (2014)
Acknowledgments
This work was partially supported by the National Natural Science Foundation of China (61572521).
Sun, W., Lv, L., Su, Y., Wang, X.A. (2018). Cyber-Attack Risks Analysis Based on Attack-Defense Trees. In: Barolli, L., Zhang, M., Wang, X. (eds) Advances in Internetworking, Data & Web Technologies. EIDWT 2017. Lecture Notes on Data Engineering and Communications Technologies, vol 6. Springer, Cham. https://doi.org/10.1007/978-3-319-59463-7_67
DOI: https://doi.org/10.1007/978-3-319-59463-7_67
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59462-0
Online ISBN: 978-3-319-59463-7