Towards Automating the Construction & Maintenance of Attack Trees: a Feasibility Study
This addresses the problem of human cognitive scalability in securing large, continuously-changing system designs for security risk management professionals, but it is an incremental improvement as it builds on existing attack tree methods.
The paper tackles the difficulty of maintaining security risk assessments for large, evolving system architectures by proposing an automated approach to construct and maintain attack trees, based on system architectures, risk assessments, and a security knowledge database.
Security risk management can be applied on well-defined or existing systems; in this case, the objective is to identify existing vulnerabilities, assess the risks and provide for the adequate countermeasures. Security risk management can also be applied very early in the system's development life-cycle, when its architecture is still poorly defined; in this case, the objective is to positively influence the design work so as to produce a secure architecture from the start. The latter work is made difficult by the uncertainties on the architecture and the multiple round-trips required to keep the risk assessment study and the system architecture aligned. This is particularly true for very large projects running over many years. This paper addresses the issues raised by those risk assessment studies performed early in the system's development life-cycle. Based on industrial experience, it asserts that attack trees can help solve the human cognitive scalability issue related to securing those large, continuously-changing system-designs. However, big attack trees are difficult to build, and even more difficult to maintain. This paper therefore proposes a systematic approach to automate the construction and maintenance of such big attack trees, based on the system's operational and logical architectures, the system's traditional risk assessment study and a security knowledge database.