Risk Assessment – Attack/Defense Tree (ADTree)

 
 
 

Main Characteristics

The ADTree consists of two separate codes: the User Interface and the Solver. The building-block icons in the User Interface are used to construct the flow chart of the ADTree within the display panel. Users have complete freedom in defining the structure of the ADTree. Threats face alternative sequences of paths and defense elements to reach a target along each available route. The user can define offensive (threats) or defensive (paths and defense elements) attributes and assign a strength to each one using a linguistic term. At each path element or defense element the user can also define the match-up between offensive and defensive attributes. The Solver computes the probability of each threat reaching each target successfully.

The ADTree allows ranges of offensive and defensive capabilities to be assigned in order to automatically analyze a large number of alternative setups. It performs dynamic simulations to capture collaboration between threats or collaboration between defense elements. It can perform simulations for injuries and casualties when the target includes humans. Finally, it can perform parallel cost computations associated with the various levels of defensive capabilities and determine a total cost for each route in the ADTree and also a total cost for the entire ADTree. In this manner a financial analysis of the ADTree structure under study can be conducted in parallel. Because of its flexibility, the ADTree can analyze any national security threat.

 
 
 

Typical Applications

A representative cybersecurity scenario considers an attack on the supervisory control and data acquisition (SCADA) system of a power generator, with the goal of tripping the circuit breaker of the power system. The threat has five alternative routes to pursue this: launching an attack on the front end processor (approach 1), on the status evaluation module (approach 2), on the human-machine interface (approach 3), on the remote terminal unit (approach 4), or on the relay (approach 5). Assuming that the threat is equally likely to take any one approach of attack, the ADTree identifies how to redistribute the original resources to generate a balanced defense along any possible approach.
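The balancing idea in the SCADA scenario above, as an added Python example that is not ADTree code and does not reproduce its Solver. Assumptions: the mapping from linguistic terms to probabilities, the per-route path probabilities, the starting allocation, and the greedy rebalancing rule are all constructed for illustration.

```python
# Added illustration; the model and every number are assumptions, not ADTree's Solver.
TERMS = ["very low", "low", "medium", "high", "very high"]
PASS = [0.9, 0.7, 0.5, 0.3, 0.1]  # assumed P(threat defeats a defense of that strength)

# Constructed scenario: approach -> (assumed P(path is traversed), defense strength term)
SCADA = {
    "front end processor":      (0.90, "very high"),
    "status evaluation module": (0.60, "high"),
    "human-machine interface":  (0.80, "low"),
    "remote terminal unit":     (0.75, "very low"),
    "relay":                    (0.55, "medium"),
}

def route_success(path_p, term):
    """P(threat reaches the target on one route): traverse the path, then beat the defense."""
    return path_p * PASS[TERMS.index(term)]

def evaluate(tree):
    """Per-route success and overall success when every approach is equally likely."""
    per_route = {name: route_success(p, t) for name, (p, t) in tree.items()}
    return per_route, sum(per_route.values()) / len(per_route)

def rebalance(tree):
    """Re-spend the same total of strength steps, one step at a time, on the weakest route."""
    budget = sum(TERMS.index(t) for _, t in tree.values())
    levels = {name: 0 for name in tree}
    for _ in range(budget):
        open_routes = [n for n in tree if levels[n] < len(TERMS) - 1]
        worst = max(open_routes, key=lambda n: route_success(tree[n][0], TERMS[levels[n]]))
        levels[worst] += 1
    return {n: (tree[n][0], TERMS[levels[n]]) for n in tree}

if __name__ == "__main__":
    for label, tree in (("original", SCADA), ("rebalanced", rebalance(SCADA))):
        per_route, overall = evaluate(tree)
        print(f"{label}: overall={overall:.3f} worst route={max(per_route.values()):.3f}")
        for name, p in per_route.items():
            print(f"  {name:26s} {tree[name][1]:10s} {p:.3f}")
```

With the same total defensive strength, the worst route's success probability in this constructed case drops from 0.675 to 0.400 while the average changes only slightly, which is the sense of "balanced" used here.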

The ADTree is applicable to any attack-defense scenario (active shooter, cyberattack, border patrol activity, etc.).

Prepopulated scenarios can be used during training for exploring what-if scenarios.

The ADTree can be used to identify the most critical vulnerabilities in order to harden the defense in the most efficient manner. It helps determine how to allocate resources in order to do more with less.