Automated Generation of Attack Trees

Research output: Chapter in Book/Report/Conference proceedingArticle in proceedingsResearchpeer-review

Abstract

Attack trees are widely used to represent threat scenarios in a succinct and intuitive manner, suitable for conveying security information to non-experts. The manual construction of such objects relies on the creativity and experience of specialists, and therefore it is error-prone and impracticable for large systems. Nonetheless, the automated generation of attack trees has only been explored in connection to computer networks and levering rich models, whose analysis typically leads to an exponential blow-up of the state space. We propose a static analysis approach where attack trees are automatically inferred from a process algebraic specification in a syntax-directed fashion, encompassing a great many application domains and avoiding incurring systematically an exponential explosion. Moreover, we show how the standard propositional denotation of an attack tree can be used to phrase interesting quantitative problems, that can be solved through an encoding into Satisfiability Modulo Theories. The flexibility and effectiveness of the approach is demonstrated on the study of a national-scale authentication system, whose attack tree is computed thanks to a Java implementation of the framework.
Original languageEnglish
Title of host publicationProceedings of the IEEE 27th Computer Security Foundations Symposium, CSF 2014
PublisherIEEE
Publication date2014
Pages337-350
ISBN (Print)978-1-4799-4290-9
DOIs
Publication statusPublished - 2014
Event27th Computer Security Foundations Symposium (CSF 2014) - Vienna, Austria
Duration: 19 Jul 201422 Jul 2014
Conference number: 27
http://csf2014.di.univr.it/index

Conference

Conference27th Computer Security Foundations Symposium (CSF 2014)
Number27
CountryAustria
CityVienna
Period19/07/201422/07/2014
Internet address

Keywords

  • Computing and Processing
  • Attack tree generation
  • Attack trees
  • Calculus
  • Cryptography
  • Input variables
  • Mobile communication
  • Quality Calculus
  • Satisfiability Modulo Theory
  • Semantics
  • Syntactics

Cite this

Vigo, R., Nielson, F., & Nielson, H. R. (2014). Automated Generation of Attack Trees. In Proceedings of the IEEE 27th Computer Security Foundations Symposium, CSF 2014 (pp. 337-350). IEEE. https://doi.org/10.1109/CSF.2014.31