Quantitative attack tree analysis: Stochastic bounds and numerical analysis

Abstract

This paper presents an efficient numerical analysis of the time dependence of the attacker’s success in an attack tree. The leaves of the attack tree associated with the basic attack steps are annotated with finite discrete probability distributions. By a bottom-up approach, the output distributions of the gates, and finally the output distribution at the root of the attack tree is computed. The algorithmic complexities of the gate functions depend on the number of bins of the input distributions. Since the number of bins may increase rapidly due to the successive applications of the gate function, we aim to control the sizes of the input distributions. By using the stochastic ordering and the stochastic monotonicity, we analyze the underlying attack tree by constructing the reduced-size upper and lower distributions. Thus at the root of the attack tree, we compute the bounding distributions of the time when the system would be compromised. The main advantage of this approach is the possibility to have a tradeoff between the accuracy of the bounds and the algorithmic complexity. For a given time t, we can compute the bounds on the probability for the attacker’s success at time t. The time-dependent behavior of attacks is important to have insights on the security of the system and to develop effective countermeasures.