Abstract
The Attack Defense Tree framework was developed to facilitate abstract reasoning about security issues of complex systems. As such, a zoo of techniques and extensions have emerged in an attempt to extend the simple Boolean logic of Attack Defense Trees with behavioral properties and quantities. In this paper we expand the modeling power of Attack Defense Trees by introducing a notion of temporal dependencies between attacks, forcing specific ordering of event in successful attacks. Importantly, we introduce a notion of policy for the defender, facilitating a pseudo-active defender, mechanically reacting to the choices of an attacker. To easen the use of Attack Defense Trees we introduce a domain specific language (DSL) and an accompanying tool. The introduction of the DSL facilitates reuse, modularity, collaborative tree construction and separation of logical properties and quantitative/behavioral elements. The usefulness of our framework is exhibited on a small running example, utilizing the policy-notion to implement a reactive Break The Glass policy. We note that all the implemented analysis techniques use well established tools from the formal methods community to produce the given results, relying on non-trivial and automatic translation to and from the target formalisms. Lastly we present our Open Source prototype-tool, capable of conducting various analysis and visualizing the results.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
Or most non-deterministic
References
Alur, R., Dill, D. L.: Automata for modeling real-time systems. In Paterson, M., editor, ICALP, volume 443 of Lecture Notes in Computer Science, pp. 322–335. Springer (1990). ISBN 3-540-52826-1
Aslanyan, Z., Nielson, F.: Pareto Efficient solutions of attack-defence trees. In: Principles of Security and Trust, volume 9036, p. 95 (2015). https://doi.org/10.1007/978-3-662-46666-7_6
Aslanyan, Z., Nielson, F., Parker, D.: Quantitative verification and synthesis of attack-defence scenarios. In IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, June 27–July 1, 2016, pp. 105–119. IEEE Computer Society (2016). https://doi.org/10.1109/CSF.2016.15
Bossuat, A., Kordy, B.: Evil twins: handling repetitions in attack-defense trees—a survival guide. In: Liu et al. [13], pp. 17–37. ISBN 978-3-319-74859-7. https://doi.org/10.1007/978-3-319-74860-3_2
David, Alexandre, Larsen, G.Kim, Legay, Axel, Mikucionis, Marius, Poulsen, Danny Bøgsted: Uppaal SMC tutorial. STTT 17(4), 397–415 (2015). https://doi.org/10.1007/s10009-014-0361-y
Gadyatskaya, O., Hansen, R. R., Larsen, K. G., Legay, A., Olesen, M. C., Poulsen, D. B.: Modelling attack-defense trees using timed automata. In: Fränzle, M., Markey, N. (eds.) Formal Modeling and Analysis of Timed Systems—14th International Conference, FORMATS 2016, Quebec, QC, Canada, August 24–26, 2016, Proceedings, volume 9884 of Lecture Notes in Computer Science, pp. 35–50. Springer, https://doi.org/10.1007/978-3-319-44878-7_3. ISBN 978-3-319-44877-0
Hansen, R. R., Jensen, P., Larsen, K. G., Legay, A., Poulsen, D. B.: Quantitative evaluation of attack defense trees using stochastic timed automata. In: Liu et al. [13], pp. 75–90. ISBN 978-3-319-74859-7. https://doi.org/10.1007/978-3-319-74860-3_5
Hermanns, H., Krämer, J., Krčál, J., Stoelinga, M.: The value of attack-defence diagrams. In: Piessens, F., Viganò, L. (eds.) Principles of Security and Trust. POST 2016. Lecture Notes in Computer Science, vol, 9635, pp. 163–185. Springer, Berlin, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49635-0_9
Johnson, Pontus, Lagerström, Robert, Ekstedt, Mathias: A meta language for threat modeling and attack simulations. In: Doerr, Sebastian, Fischer, Mathias, Schrittwieser, Sebastian, Herrmann, Dominik (eds.) Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, pp. 38:1–38:8. ACM, Hamburg (2018). https://doi.org/10.1145/3230833.3232799. ISBN 978-1-4503-6448-5
Kordy, Barbara, Mauw, Sjouke, Radomirović, Saša, Schweitzer, Patrick: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2014)
Kumar, Rajesh, Rensink, Arend, Stoelinga, Mariëlle: LOCKS: a property specification language for security goals. In: Haddad, M.Hisham, Wainwright, L.Roger, Chbeir, Richard (eds.) Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018, pp. 1907–1915. ACM, Pau (2018). https://doi.org/10.1145/3167132.3167336
Larsen, K.G., Pettersson, P., Yi, W.: UPPAAL in a nutshell. STTT 1(1–2), 134–152 (1997). https://doi.org/10.1007/s100090050010
Liu, P., Mauw, S., Stølen, K. (eds) Graphical Models for Security—4th International Workshop, GraMSec 2017, Santa Barbara, CA, USA, August 21, 2017, Revised Selected Papers
Schneier, B.: Attack trees. Dr. Dobb’s J. Softw. Tools 24(12), 21–22, 24, 26, 28–29 (1999)
Younes, L.S.Håkan: Verification and Planning for Stochastic Processes with Asynchronous Events. PhD thesis. Carnegie Mellon University, Pittsburgh (2005)
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Hansen, R.R., Larsen, K.G., Legay, A. et al. ADTLang: a programming language approach to attack defense trees. Int J Softw Tools Technol Transfer 23, 89–104 (2021). https://doi.org/10.1007/s10009-020-00593-w
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10009-020-00593-w