Attack-Defense Trees with Offensive and Defensive Attributes (with Appendix)

Danut-Valentin Copae, Reza Soltani, Milan Lopuhaä-Zwakenberg

TL;DR

This work extends Attack-Defense Trees by introducing attacker and defender semiring attribute domains and a formal Pareto-front analysis for multi-criteria security assessment. It provides a Bottom-Up algorithm for tree-shaped ADTs and a Binary Decision Diagram (BDD) based approach for DAG-shaped ADTs, with a defense-first variable order to ensure correctness. The authors prove key correctness results and demonstrate practical scalability on randomly generated ADTs up to 325 nodes, as well as on a real-world Money Theft case study, revealing richer defender-attacker trade-offs than single-metric analyses. The framework enables resource-aware security planning by producing non-dominated defender-attack strategy pairs, guiding efficient allocation of defensive budgets. Future work includes probabilistic extensions, modular decomposition, and dynamic ADTs to model time-dependent behavior.

Abstract

Effective risk management in cybersecurity requires a thorough understanding of the interplay between attacker capabilities and defense strategies. Attack-Defense Trees (ADTs) are a commonly used methodology for representing this interplay; however, previous work in this domain has only focused on analyzing metrics such as cost, damage, or time from the perspective of the attacker. This approach provides an incomplete view of the system, as it neglects to model defender attributes: in real-world scenarios, defenders have finite resources for countermeasures and are similarly constrained. In this paper, we propose a novel framework that incorporates defense metrics into ADTs, and we present efficient algorithms for computing the Pareto front between defense and attack metrics. Our methods encode both attacker and defender metrics as semirings, allowing our methods to be used for many metrics such as cost, damage, and skill. We analyze tree-structured ADTs using a bottom-up approach and general ADTs by translating them into binary decision diagrams. Experiments on randomly generated ADTs demonstrate that both approaches effectively handle ADTs with several hundred nodes.
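To make the defender/attacker Pareto front concrete, the following added example (not code from the paper) enumerates it by brute force for the ADT described in the Figure 2 caption further down this page, using min cost for both sides. It is neither the paper's Bottom-Up nor its BDD algorithm; all cost values are constructed, and reading $SDK$ as the decryption-key step is an assumption.

```python
import math
from itertools import combinations

# Constructed costs for illustration; none of these numbers come from the paper.
ATTACK_COST = {"BU": 90, "PA": 20, "ESV": 40, "ACV": 50, "SDK": 30, "DNS": 25}
DEFENSE_COST = {"APUT": 10, "SU": 15, "SKO": 60}

def attack_succeeds(attack, defense):
    """Structure function of the ADT as read from the Figure 2 caption."""
    su_active = "SU" in defense and "DNS" not in attack  # DNS hijack disables SU
    pa = "PA" in attack and "APUT" not in defense         # training blocks phishing
    esv = "ESV" in attack and not su_active               # updates block ESV
    acv = "ACV" in attack and not su_active               # ... and ACV
    bu = "BU" in attack                                   # blackmail has no countermeasure
    sdk = "SDK" in attack and "SKO" not in defense        # assumed decryption-key step
    return (bu or pa or esv or acv) and sdk               # credentials AND key

def subsets(items):
    items = sorted(items)
    for r in range(len(items) + 1):
        for combo in combinations(items, r):
            yield frozenset(combo)

def optimal_attack_cost(defense):
    """Cheapest successful attack against a fixed defense (inf if none exists)."""
    costs = (sum(ATTACK_COST[a] for a in atk)
             for atk in subsets(ATTACK_COST) if attack_succeeds(atk, defense))
    return min(costs, default=math.inf)

def pareto_front():
    """Non-dominated (defender cost, attacker cost) pairs.

    The defender wants a low own cost and a high cost for the attacker's
    best response, so q dominates p when q is no more expensive to deploy
    and forces the attacker to pay at least as much.
    """
    points = {(sum(DEFENSE_COST[d] for d in dfn), optimal_attack_cost(dfn))
              for dfn in subsets(DEFENSE_COST)}
    return sorted(p for p in points
                  if not any(q != p and q[0] <= p[0] and q[1] >= p[1]
                             for q in points))

if __name__ == "__main__":
    for defender_cost, attacker_cost in pareto_front():
        print(defender_cost, attacker_cost)
```

With these constructed costs, deploying $SU$ alone is dominated because phishing stays the cheapest route, yet $SU$ combined with $APUT$ is on the front; an attacker-only metric would not show that.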

Paper Structure

This paper contains 17 sections, 5 theorems, 27 equations, 13 figures, 2 tables, 3 algorithms.

Key Result

Theorem 1

Let $T$ be a tree-shaped AADT. Then $\mathrm{BU}(T,R_T) = \mathrm{PF}_{S}(T)$.

Figures (13)

  • Figure 1: An AT depicting how the attacker can steal user data. To obtain the user's data, the attacker must obtain both credentials and the decryption key. The credentials can be stolen in four different ways: blackmailing the user ($BU$), conducting a phishing attack ($PA$), exploiting a software vulnerability ($ESV$), or leveraging access control vulnerabilities ($ACV$).
  • Figure 2: Attack-defense tree extending the attack tree of Fig. 1. The defender can prevent phishing attacks ($PA$) through anti-phishing user training ($APUT$), and $SDK$ through $SKO$. Regular software updates ($SU$) prevent both $ESV$ and $ACV$. DNS Hijack ($DNS$), which does not directly contribute to reaching the top node, disables the $SU$ defense. Lastly, blackmailing the user ($BU$) has no countermeasure.
  • Figure 3: Tree-structured ADT annotated with offensive and defensive costs.
  • Figure 4: An AADT (with min cost as both attacker and defender metrics) with $|\text{PF}(T)| = 2^n$.
  • Figure 5: The AADT of Example \ref{['example5']}
  • ...and 8 more figures

Theorems & Definitions (26)

  • Definition 1: Attack-Defense Tree
  • Definition 2: Event
  • Definition 3: Structure Function
  • Definition 4: Semiring Attribute Domain
  • Definition 5: Augmented Attack-Defense Tree
  • Definition 6: Metric Values
  • Example 1
  • Definition 7: Optimal Attack Response
  • Definition 8
  • Example 2
  • ...and 16 more