DocumentCode :
2383686
Title :
ACT: Attack Countermeasure Trees for Information Assurance Analysis
Author :
Roy, Arpan ; Kim, Dong Seong ; Trivedi, Kishor S.
Author_Institution :
Dept. of Electr. & Comput. Eng., Duke Univ., Durham, NC, USA
fYear :
2010
fDate :
15-19 March 2010
Firstpage :
1
Lastpage :
2
Abstract :
In modeling system response to security threats, researchers have made extensive use of state space models, notable instances including the partially observable stochastic game model proposed by Zonouz et al. The drawback of these state space models is that they may suffer from state space explosion. Our approach in modeling defense makes use of a combinatorial model which helps avert this problem. We propose a new attack-tree (AT) model named attack-countermeasure trees (ACT), based on a combinatorial modeling technique for modeling attacks and countermeasures. ACT enables one to (i) place defense mechanisms in the form of detection and mitigation techniques at any node of the tree, not just at the leaf nodes as in defense trees (DT); (ii) automate the generation of attack scenarios from the ACT using its mincuts; (iii) perform probabilistic analysis (e.g. probability of attack, attack and security investment cost, impact of an attack, system risk, return on attack (ROA) and return on investment (ROI)) in an integrated manner; (iv) select an optimal countermeasure set from the pool of defense mechanisms using a method which is much less expensive compared to the state-space based approach; and (v) perform analysis for trees with both repeated and non-repeat events. For evaluation purposes, we suggest suitable algorithms and implement an ACT module in SHARPE. We demonstrate the utility of ACT using a practical case study (BGP attacks).
Keywords :
information analysis; security of data; stochastic games; ACT; attack countermeasure trees; combinatorial model; information assurance analysis; partially observable stochastic game model; poster abstract; probabilistic analysis; security investment cost; security threats; state space explosion; Cost function; Event detection; Explosions; Information analysis; Information security; Investments; Performance analysis; Risk analysis; State-space methods; Stochastic systems;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
INFOCOM IEEE Conference on Computer Communications Workshops , 2010
Conference_Location :
San Diego, CA
Print_ISBN :
978-1-4244-6739-6
Electronic_ISBN :
978-1-4244-6739-6
Type :
conf
DOI :
10.1109/INFCOMW.2010.5466633
Filename :
5466633