Abstract
We propose a novel attack tree model, called a subjective attack tree, aiming to address the limitations of traditional attack trees, which use precise values for likelihoods of security events. In many situations, it is often difficult to elicit accurate probabilities due to lack of knowledge, or insufficient historical data, making the evaluation of risk in existing approaches unreliable. In this paper, we consider the modelling of uncertainty about probabilities, via subjective opinions, resulting in a model taking second-order uncertainty into account. We propose an approach to derive subjective opinions about security events based on two main criteria, namely a vulnerability level and technical difficulty to conduct an attack, using subjective logic. These subjective opinions are then used as input parameters in the proposed model. The propagation method of subjective opinions is also discussed. Our approach is evaluated against traditional attack trees using the Stuxnet self-installation scenario. Our results show that taking uncertainty about probabilities into account during security risk analysis can lead to different outcomes, and therefore different security decisions.
Original language | English |
---|---|
Title of host publication | Risks and Security of Internet and Systems |
Subtitle of host publication | CRiSIS 2020 |
Editors | Joaquin Garcia Alfaro, Jean Leneutre, Nora Cuppens, Reda Yaich |
Publisher | Springer Nature Switzerland AG |
Pages | 201-218 |
Number of pages | 18 |
Volume | 12528 |
ISBN (Electronic) | 978-3-030-68887-5 |
ISBN (Print) | 978-3-030-68886-8 |
DOIs | |
Publication status | Published - 12 Feb 2021 |
Event | 15th International Conference: CRiSIS 2020 - Paris, France Duration: 4 Nov 2020 → 6 Nov 2020 Conference number: 15th https://www.springer.com/gp/book/9783030688868 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 12528 |
ISSN (Electronic) | 0302-9743 |
Conference
Conference | 15th International Conference |
---|---|
Country/Territory | France |
City | Paris |
Period | 4/11/20 → 6/11/20 |
Internet address |
Keywords
- Attack trees
- Risk analysis
- Subjective logic