Attack Countermeasure Trees: A Non-state-space Approach Towards Analyzing Security and Finding Optimal Countermeasure Set

Abstract

<p>Attack tree (AT) is one of the widely used non-statespace</p><p>models in security analysis. The basic formalism of AT</p><p>does not take into account defense mechanisms. Defense trees</p><p>(DTs) have been developed to investigate the effect of defense</p><p>mechanisms usinghg measures such as attack cost, security</p><p>investment cost, return on attack (ROA) and return on investment</p><p>(ROI). DT, however, places defense mechanisms only at the</p><p>leaf nodes and the corresponding ROI/ROA analysis does not</p><p>incorporate the probabilities of attack. In attack response tree</p><p>(ART), attack and response are both captured but ART suffers</p><p>from the problem of state-space explosion, since solution of</p><p>ART is obtained by means of a state space model. In this</p><p>paper, we present a novel attack tree paradigm called attack</p><p>countermeasure tree (ACT) which avoids the generation and</p><p>solution of the state-space model and takes into account attacks as</p><p>well as countermeasures (in the form of detection and mitigation</p><p>events). In ACT, detection and mitigation are allowed not just at</p><p>the leaf node but also at the intermediate nodes while at the same</p><p>time the state-space explosion problem is avoided in its analysis.</p><p>We use single and multiobjective optimization to find optimal</p><p>countermeasures under different constraints. We illustrate the</p><p>features of ACT using several case studies.</p>