Using attack and protection trees to analyze threats and defenses to homeland security

Authors: Edge K.S., Dalton G.C., Raines R.A. and Mills R.F.
Affiliation: Air Force Inst. of Technol.
Published by: Military Communications Conference, 2006. MILCOM 2006. IEEE

Presented by Yean-Ru Chen, Dec. 23, 2011


Outline

Introduction & Motivation
Attack Trees
Metrics
Protection Trees
Homeland Security Information Network (HSIN) Example and Results & Analysis
Conclusions

Introduction & Motivation

To provide a reliable, cost-effective method (given limited resources) for deciding how best to protect a critical system from attackers.

Attack trees are used to find the vulnerabilities, and protection trees to choose appropriate, effective defenses against the attacks.

Attack Trees

Also called Threat Logic Trees (TLT).

Tree structure with child nodes having AND or OR relationships.

Root node: the attacker's goal. It can be further decomposed into sub-goals.

Leaf nodes: individual attacker actions (actions the attacker can actually control).

(Figure labels: AND, OR)

Metrics

(Figure: Attack Tree)

Metrics

P: probability of success (the attack succeeds). Obtained by either analyst estimation or historical data.

Cost: cost to carry out a certain attack / the sub-goal / the goal. Obtained by either analyst estimation or historical data.

Impact: impact to the system.

Risk: calculated using the other metrics.

Metrics

The parent of nodes with an OR relationship always has a higher probability of success than any of the child nodes.

The parent node of children with an AND relationship always has a lower probability of success than the highest (? lowest) probability child node.
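The two statements above can be checked on a small tree. The following is an added example, not code from the paper or the presentation. It assumes the children of a gate succeed independently, so an AND gate multiplies the child probabilities and an OR gate takes one minus the product of the failure probabilities; the tree, its leaf names and its numbers are constructed for illustration.

```python
from math import prod

# Constructed tree: a gate is (kind, children); a leaf is ("LEAF", name, p).
# Names and probabilities are made up for illustration.
TREE = ("OR", [
    ("AND", [("LEAF", "obtain credentials", 0.4),
             ("LEAF", "reach login portal", 0.9)]),
    ("LEAF", "exploit unpatched server", 0.3),
    ("LEAF", "insider misuse", 0.1),
])

def success_probability(node):
    """Propagate leaf probabilities to this node (independence assumed)."""
    if node[0] == "LEAF":
        return node[2]
    child_p = [success_probability(c) for c in node[1]]
    if node[0] == "AND":
        return prod(child_p)                      # every child must succeed
    if node[0] == "OR":
        return 1 - prod(1 - p for p in child_p)   # at least one child succeeds
    raise ValueError(f"unknown gate {node[0]!r}")

def gate_report(node, out=None):
    """List (gate, parent_p, lowest_child_p, highest_child_p) for every gate."""
    out = [] if out is None else out
    if node[0] != "LEAF":
        child_p = [success_probability(c) for c in node[1]]
        out.append((node[0], success_probability(node),
                    min(child_p), max(child_p)))
        for child in node[1]:
            gate_report(child, out)
    return out

def bounds_hold(node):
    """OR parent is at or above its highest child; AND parent is at or
    below its lowest child. Equality only occurs in degenerate cases
    (a child with probability 1, or siblings with probability 0)."""
    return all(p >= hi if gate == "OR" else p <= lo
               for gate, p, lo, hi in gate_report(node))

if __name__ == "__main__":
    for gate, p, lo, hi in gate_report(TREE):
        print(f"{gate}: parent={p:.4f} lowest child={lo:.2f} highest child={hi:.2f}")
    print("bounds hold:", bounds_hold(TREE))
```

Under these formulas the AND parent falls below its lowest child, which is a tighter bound than "lower than the highest child".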

Protection Trees

Like attack trees, protection trees are AND/OR type tree structures.

Protection trees can yield an analysis of where protections should be placed in order to get the greatest protection for the least expenditure of resources.

The root node of a protection tree directly corresponds with the root node in an attack tree, but the rest of the tree's structure may differ widely.

(Figure labels: OR in attack tree; AND in protection tree)

There is not always a one-to-one correspondence between nodes in the attack tree and the protection tree.

Homeland Security Information Network (HSIN) Example and Results & Analysis

For example: suppose only $25K of resources is available to protect the JRIES system.

(Figure: Attack Tree and Protection Tree; callout: Highest Risk)

We choose the cheapest one to protect the server.

(Figure: Protection Tree, with two branches each labelled "cheaper one")
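The pairing of an OR node in the attack tree with an AND node in the protection tree, and the choice of the cheapest protection under a fixed budget, can be worked through in code. This is an added example, not the paper's method or data. It generalizes the pairing to its dual (an AND attack node becomes an OR protection choice) and assumes each protection blocks its leaf completely and that leaves are not shared between branches, a simplification of the slides, which describe protections as reducing the probability of success. The tree and its costs (in $K) are constructed.

```python
# Constructed attack tree: a gate is (kind, children); a leaf is
# ("LEAF", attacker action, cost in $K of the protection that blocks it).
ATTACK_TREE = ("OR", [
    ("AND", [("LEAF", "steal password", 8),
             ("LEAF", "bypass second factor", 5)]),
    ("LEAF", "exploit server flaw", 12),
    ("LEAF", "physical access to server room", 6),
])

def cheapest_block(node):
    """Return (cost, blocked_leaves) of the cheapest set of protections
    that defeats this node of the attack tree."""
    if node[0] == "LEAF":
        return node[2], [node[1]]
    options = [cheapest_block(child) for child in node[1]]
    if node[0] == "OR":
        # Any one child reaches the goal, so every child must be blocked:
        # an OR in the attack tree is an AND in the protection tree.
        return (sum(cost for cost, _ in options),
                [leaf for _, leaves in options for leaf in leaves])
    if node[0] == "AND":
        # The attacker needs all children, so blocking the cheapest one
        # is enough: an AND in the attack tree is an OR for the defender.
        return min(options, key=lambda option: option[0])
    raise ValueError(f"unknown gate {node[0]!r}")

def fits_budget(node, budget):
    """Return (affordable, cost, blocked_leaves) for a budget in $K."""
    cost, leaves = cheapest_block(node)
    return cost <= budget, cost, leaves

if __name__ == "__main__":
    ok, cost, leaves = fits_budget(ATTACK_TREE, 25)  # the $25K budget above
    print(f"cheapest full block: ${cost}K, within budget: {ok}")
    for leaf in leaves:
        print("  protect against:", leaf)
```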

Finally, they use 22K to reduce the probability of success and make the attacker spend a lot of money to attack.

(Figure: Before and After)

Conclusions

This paper has shown how attack and protection trees can be used to analyze a system's vulnerabilities and determine where to place appropriate protections in a logical manner.

Metrics that can be used in attack and protection trees were introduced and operators for the metrics were developed.

Thank you for your attention!