This paper presents the attack tree modeling technique for quantifying cyber-attacks on a hypothetical school network system. Attack trees are constructed by decomposing the paths in the network system along which attacks are plausible. Two possible network attack paths are considered for the network system. One network path represents an attack through the Internet, and the other represents an attack through the Wireless Access Points (WAPs) in the school network. The probabilities of success of the events, that is, 1) the attack payoff, and 2) the commitment of the attacker to infiltrate the network, are estimated for the leaf nodes. These are used to calculate the Returns on Attacks (ROAs) at the Root Nodes. For Phase I, the “As Is” network, the ROA values for both attack paths are higher than 7 (8.00 and 9.35 respectively), which are high values and operationally unacceptable. In Phase II, countermeasures are implemented and the two attack trees are reevaluated. The probabilities of success of the events, the attack payoff and the commitment of the attacker are then re-estimated, and the ROAs for the Root Nodes are re-assessed after executing the countermeasures. For one attack tree, the ROA value of the Root Node was reduced from 8.0 to 4.83, while for the other attack tree the ROA value of the Root Node changed from 9.35 to 3.30. ROA values of 4.83 and 3.30 are acceptable, as they fall within the medium value range. The efficacy of this method, whereby attack trees are deployed to mitigate computer network risks as well as to assess the vulnerability of computer networks, is quantitatively substantiated.