Exploiting attack–defense trees to find an optimal set of countermeasures

摘要

Selecting the most pertinent countermeasures to secure a system is one of the ultimate goals of risk assessment. In this context, it is important to rely on modeling methods that the security experts are already familiar with, so that the solution can be smoothly adopted within industry.We propose a full-fledged framework, relying on attack–defense trees and integer linear programming, to find an optimal set of countermeasures. We use attack–defense trees formalized with directed acyclic graphs. This enables us to conveniently reason about attacker’s actions that can contribute to several distinct attacks, and countermeasures that can block different ways of attacking. We provide a constructive way of extracting all reasonable behaviors of the two actors from such models. We then exploit this extracted information to formulate a generic solution, based on integer linear programing, to address a wide class of optimization problems. We show how to instantiate it for specific security-relevant optimization criteria. We cover deterministic and probabilistic cases. The framework has been implemented in a prototype tool, and validated in a real-life case study.