Restructuring Attack Trees to Identify Incorrect or Missing Relationships between Nodes accepted for WESPr-18 collocated at APSEC2018

Hua Cai, Hironori Washizaki, Yoshiaki Fukazawa, Takao Okubo, Haruhiko Kaiya, Nobukazu Yoshioka, “Restructuring Attack Trees to Identify Incorrect or Missing Relationships between Nodes,” The International Workshop on Evidence-based Security and Privacy in the Wild 2018 (WESPr-18), December 4, 2018 in conjunction with APEC 2018 in Nara, Japan

Attack trees are often used to analyze a system or detect application programs vulnerable to attack. To aid in software design, a method to create safe and stable systems should be created. An attack tree has multiple levels and is composed of different nodes, including root nodes, sub nodes, and leaf nodes. These nodes can be separated into parent nodes and child nodes when discussing their relationship. Child nodes are defined as conditions that must be satisfied to make their direct parent nodes true. Although an attack tree can express vertical relationships between nodes well, it usually ignores parallel relationships of different branch nodes. Moreover, the relationship between parent-child nodes may be inaccurate due to a poorly designed attack tree. To solve these problems, we present a new way to derive an attack tree system in which the initial attack tree is reconstructed into a new attack tree using Interpretive Structural Modeling (abbr. ISM). The proposed method can easily repair the relationship between parent nodes and child nodes by removing parallel relationships. Finally, the proposed method derives a clear attack tree for more precise system’s threat analysis and better defensive measures.