Modelling Security Risk Scenarios Using Subjective Attack Trees

Nasser Al-Hadhrami, Matthew Collinson, Nir Oren

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Downloads (Pure)

Abstract

We propose a novel attack tree model, called a subjective attack tree, aiming to address the limitations of traditional attack trees, which use precise values for likelihoods of security events. In many situations, it is often difficult to elicit accurate probabilities due to lack of knowledge, or insufficient historical data, making the evaluation of risk in existing approaches unreliable. In this paper, we consider the modelling of uncertainty about probabilities, via subjective opinions, resulting in a model taking second-order uncertainty into account. We propose an approach to derive subjective opinions about security events based on two main criteria, namely a vulnerability level and technical difficulty to conduct an attack, using subjective logic. These subjective opinions are then used as input parameters in the proposed model. The propagation method of subjective opinions is also discussed. Our approach is evaluated against traditional attack trees using the Stuxnet self-installation scenario. Our results show that taking uncertainty about probabilities into account during security risk analysis can lead to different outcomes, and therefore different security decisions.
Original languageEnglish
Title of host publicationRisks and Security of Internet and Systems
Subtitle of host publicationCRiSIS 2020
EditorsJoaquin Garcia Alfaro, Jean Leneutre, Nora Cuppens, Reda Yaich
PublisherSpringer Nature Switzerland AG
Pages201-218
Number of pages18
Volume12528
ISBN (Electronic)978-3-030-68887-5
ISBN (Print)978-3-030-68886-8
DOIs
Publication statusPublished - 12 Feb 2021
Event15th International Conference: CRiSIS 2020 - Paris, France
Duration: 4 Nov 20206 Nov 2020
Conference number: 15th
https://www.springer.com/gp/book/9783030688868

Publication series

NameLecture Notes in Computer Science
PublisherSpringer
Volume12528
ISSN (Electronic)0302-9743

Conference

Conference15th International Conference
CountryFrance
CityParis
Period4/11/206/11/20
Internet address

Keywords

  • Attack trees
  • Risk analysis
  • Subjective logic

Fingerprint

Dive into the research topics of 'Modelling Security Risk Scenarios Using Subjective Attack Trees'. Together they form a unique fingerprint.

Cite this