Quantitative analysis of attack-fault trees via Markov decision processes

Milan Lopuhaä-Zwakenberg

TL;DR

This work tackles the problem of jointly analyzing safety and security in attack-fault trees by computing Pareto fronts between system reliability $P$ and attacker cost $C$. It introduces a unified framework that transforms AFTs into reduced binary decision diagrams (BDDs) and interprets the resulting structure as an acyclic Markov decision process to efficiently synthesize Pareto-optimal attacker strategies. The authors define cost-probability Pareto fronts, $\mathrm{PMC}(\hat{\Lambda})$ and $\mathrm{PEC}(\hat{\Lambda})$, and prove their computability via bottom-up ROBDD-based algorithms, with rigorous treatment of mixed strategies and multi-objective optimization. Compared with existing automata-based methods, the proposed approach is lightweight and scalable, demonstrated on an oil-pipeline cyber-attack case where a small BDD suffices to obtain the Pareto front and corresponding strategies.

Abstract

Adequate risk assessment of safety-critical systems needs to take both safety and security into account, as well as their interaction. A prominent methodology for modeling safety and security is attack-fault trees (AFTs), which combine the well-established fault tree and attack tree methodologies for safety and security, respectively. AFTs can be used for quantitative analysis as well, capturing the interplay between safety and security metrics. However, existing approaches are based on modeling the AFT as a priced-timed automaton. This allows for a wide range of analyses, but Pareto analysis is still lacking, and the analyses that exist are computationally expensive. In this paper, we combine safety and security analysis techniques to introduce a novel method to find the Pareto front between the metrics reliability (safety) and attack cost (security) using Markov decision processes. This gives us the full interplay between safety and security while being considerably more lightweight and faster than the automaton approach. We validate our approach on a case study of cyberattacks on an oil pipeline.
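To make the pipeline described in the TL;DR and abstract concrete (AFT to ROBDD, ROBDD read as an acyclic MDP, Pareto front computed bottom-up), the following is an added illustration that is not the paper's code and does not reproduce its $\mathrm{PMC}$/$\mathrm{PEC}$ definitions. It encodes the bank-robbery AFT of Figure 1 and uses constructed costs and failure probabilities. The semantics are deliberately simplified assumptions of mine: attack steps succeed deterministically once paid for, safety events fail independently, the attacker decides at each BDD node after observing every variable earlier in the order (safety events are ordered first so the attacker is fully adaptive), only pure strategies are considered, and cost is the expected cost of a strategy. Attack nodes become decisions and safety nodes chance nodes, and the front at each node is the non-dominated set of (expected cost, probability of the top event) pairs.

```python
"""Cost/probability Pareto front for the Figure 1 bank-robbery AFT, computed
bottom-up over an ROBDD. Added example with simplified, assumed semantics;
not the paper's algorithm. All costs and probabilities are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Node:
    var: Optional[str]        # None for a terminal
    low: Optional["Node"]     # child for var = 0
    high: Optional["Node"]    # child for var = 1
    value: Optional[int]      # 0 or 1 for terminals, else None

ZERO = Node(None, None, None, 0)
ONE = Node(None, None, None, 1)

# Basic events of the AFT in Figure 1 (numbers are constructed, not from the paper).
ATTACK_COST = {"hack_alarm": 50.0, "cut_power": 30.0, "crack_vault": 100.0}
FAILURE_PROB = {"power_fail": 0.05, "vault_left_open": 0.02}
# Safety events first, so the attacker observes them before spending anything.
ORDER = ["power_fail", "vault_left_open", "hack_alarm", "cut_power", "crack_vault"]

def rob_bank(e: Dict[str, int]) -> int:
    """Top event: alarm disabled AND vault open (Figure 1 structure)."""
    alarm_disabled = e["hack_alarm"] or e["power_fail"] or e["cut_power"]
    vault_open = e["crack_vault"] or e["vault_left_open"]
    return int(alarm_disabled and vault_open)

def build_robdd(formula: Callable[[Dict[str, int]], int], order: List[str]) -> Node:
    """Shannon expansion in the given order; nodes are unified on the truth table
    of the residual function, which merges isomorphic subgraphs and skips
    variables the residual function does not depend on (i.e. an ROBDD)."""
    unique: Dict[Tuple[int, ...], Node] = {}

    def truth_table(prefix: Tuple[int, ...]) -> Tuple[int, ...]:
        rest = order[len(prefix):]
        rows = []
        for bits in product((0, 1), repeat=len(rest)):
            env = dict(zip(order, prefix))
            env.update(zip(rest, bits))
            rows.append(formula(env))
        return tuple(rows)

    def mk(prefix: Tuple[int, ...]) -> Node:
        tt = truth_table(prefix)
        if all(r == 0 for r in tt):
            return ZERO
        if all(r == 1 for r in tt):
            return ONE
        if tt in unique:
            return unique[tt]
        half = len(tt) // 2
        if tt[:half] == tt[half:]:   # next variable is irrelevant here: skip it
            node = mk(prefix + (0,))
        else:
            node = Node(order[len(prefix)], mk(prefix + (0,)), mk(prefix + (1,)), None)
        unique[tt] = node
        return node

    return mk(())

def bdd_size(root: Node) -> int:
    """Number of distinct non-terminal nodes."""
    seen = set()
    def walk(n: Node) -> None:
        if n.var is None or n in seen:
            return
        seen.add(n)
        walk(n.low)
        walk(n.high)
    walk(root)
    return len(seen)

Point = Tuple[float, float]   # (expected attacker cost, probability of top event)

def pareto_filter(points: List[Point]) -> List[Point]:
    """Drop every point dominated by one with <= cost and >= probability."""
    front: List[Point] = []
    best = -1.0
    for c, q in sorted(set(points), key=lambda p: (p[0], -p[1])):
        if q > best + 1e-12:
            front.append((c, q))
            best = q
    return front

def pareto_front(node: Node, memo: Optional[Dict[Node, List[Point]]] = None) -> List[Point]:
    """Bottom-up multi-objective evaluation of the acyclic MDP induced by the BDD."""
    if memo is None:
        memo = {}
    if node.var is None:
        return [(0.0, float(node.value))]
    if node in memo:
        return memo[node]
    low, high = pareto_front(node.low, memo), pareto_front(node.high, memo)
    if node.var in ATTACK_COST:       # decision node: skip the step, or pay for it
        c = ATTACK_COST[node.var]
        pts = low + [(c + cost, q) for cost, q in high]
    else:                             # chance node: weigh both branches by failure probability
        p = FAILURE_PROB[node.var]
        pts = [(p * c1 + (1 - p) * c0, p * q1 + (1 - p) * q0)
               for c1, q1 in high for c0, q0 in low]
    memo[node] = pareto_filter(pts)
    return memo[node]

if __name__ == "__main__":
    root = build_robdd(rob_bank, ORDER)
    print(f"ROBDD has {bdd_size(root)} non-terminal nodes")
    for cost, prob in pareto_front(root):
        print(f"expected cost {cost:8.2f}  ->  P(bank robbed) = {prob:.3f}")
```

With these constructed numbers the ROBDD has eight non-terminal nodes and the root front has eight points, from spending nothing (the bank is robbed only if both accidents coincide) up to an expected cost of 126.5 for certain success; intermediate points correspond to the attacker only paying for the steps the observed accidents have not already covered. Moving the safety events later in the variable order makes the attacker commit before seeing them and yields a different, less favourable front, which is the adaptivity the MDP interpretation captures. Mixed strategies, which the paper treats, would additionally fill in the convex hull of these points.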

Paper Structure

This paper contains 6 sections, 1 equation, and 2 figures.

Figures (2)

  • Figure 1: An example of an AFT. In order to rob a bank, an attacker needs both a disabled alarm and an open vault. The former can be accomplished either by hacking the alarm or by a power outage, which can be accidental or the result of an attack. The open vault can be the result of cracking the vault, or the vault can be left open by accident.
  • Figure 2: The example AFT discussed in the paper's example section.

Theorems & Definitions (4)

  • Four definitions (their statements are not included on this page)