ATM: a Logic for Quantitative Security Properties on Attack Trees
Stefano M. Nicoletti, Milan Lopuhaä-Zwakenberg, E. Moritz Hahn, and Mariëlle Stoelinga

TL;DR
ATM is a logic framework that enables the formal specification and analysis of quantitative security properties on attack trees, facilitating security assessment and scenario analysis for critical systems.
Contribution
The paper introduces ATM, a novel logic for expressing and analyzing quantitative security metrics on attack trees, with algorithms for property checking and metric computation.
Findings
Applied ATM to a CubeSAT case study demonstrating attack scenarios.
Developed algorithms based on binary decision diagrams for property verification.
Showcased the expressiveness of ATM in modeling security metrics like cost, probability, and skill.
Abstract
Critical infrastructure systems - for which high reliability and availability are paramount - must operate securely. Attack trees (ATs) are hierarchical diagrams that offer a flexible modelling language used to assess how systems can be attacked. ATs are widely employed both in industry and academia but - in spite of their popularity - little work has been done to give practitioners instruments to formulate queries on ATs in an understandable yet powerful way. In this paper we fill this gap by presenting ATM, a logic to express quantitative security properties on ATs. ATM allows for the specification of properties involved with security metrics that include "cost", "probability" and "skill" and permits the formulation of insightful what-if scenarios. To showcase its potential, we apply ATM to the case study of a CubeSAT, presenting three different ways in which an attacker can…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Software Reliability and Analysis Research
