Attack Countermeasure Trees: A Non-state-space Approach Towards Analyzing Security and Finding Optimal Countermeasure Set

Abstract

Attack tree (AT) is one of the widely used non-statespacemodels in security analysis. The basic formalism of ATdoes not take into account defense mechanisms. Defense trees(DTs) have been developed to investigate the effect of defensemechanisms usinghg measures such as attack cost, securityinvestment cost, return on attack (ROA) and return on investment(ROI). DT, however, places defense mechanisms only at theleaf nodes and the corresponding ROI/ROA analysis does notincorporate the probabilities of attack. In attack response tree(ART), attack and response are both captured but ART suffersfrom the problem of state-space explosion, since solution ofART is obtained by means of a state space model. In thispaper, we present a novel attack tree paradigm called attackcountermeasure tree (ACT) which avoids the generation andsolution of the state-space model and takes into account attacks aswell as countermeasures (in the form of detection and mitigationevents). In ACT, detection and mitigation are allowed not just atthe leaf node but also at the intermediate nodes while at the sametime the state-space explosion problem is avoided in its analysis.We use single and multiobjective optimization to find optimalcountermeasures under different constraints. We illustrate thefeatures of ACT using several case studies.