Abstract
In this paper we use defense trees, an extension of attack trees with countermeasures, to represent attack scenarios, and game theory to identify the most promising actions of the attacker and of the defender. On one side the attacker wants to break the system (with as little effort as possible); on the other side the defender wants to protect it (sustaining the minimum cost).
As utility functions for the attacker and for the defender we consider economic indexes (such as the Return on Investment (ROI) and the Return on Attack (ROA)). We show how our approach can be used to evaluate the effectiveness and economic profitability of countermeasures, as well as their deterrent effect on attackers, thus providing decision makers with a useful tool for better evaluating IT security investments during the risk management process.
Partially supported by the MIUR PRIN 2005-015491.
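The following worked example is added here to make the abstract concrete; it is not code from the paper. It builds a strategic game on a small, constructed defense tree: the attacker chooses one attack leaf, the defender chooses one countermeasure, the attacker's payoff is ROA and the defender's is ROI, and the pure-strategy Nash equilibria are read off the payoff matrix. The attack leaves, countermeasures and all monetary figures are made up, and the ROI/ROA ratios used are the common textbook forms assumed for illustration (the page does not give the paper's exact definitions). The ROI of not investing is taken as 0 by assumption.

```python
"""Strategic game on a constructed defense tree with ROI/ROA payoffs (added example)."""
from dataclasses import dataclass, field, replace
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Attack:
    name: str
    cost: float   # attacker's expense to mount the attack (constructed, k EUR)
    gain: float   # attacker's gain if the attack succeeds unopposed (k EUR)
    ale: float    # defender's annual loss expectancy if unopposed (k EUR)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float   # cost of the security investment (k EUR); 0 means "do nothing"
    # attack name -> fraction of the attacker's gain / defender's loss removed
    mitigation: Dict[str, float] = field(default_factory=dict)


def roa(a: Attack, c: Countermeasure) -> float:
    """Return on Attack, assumed form: (residual gain - attack cost) / attack cost."""
    residual_gain = a.gain * (1.0 - c.mitigation.get(a.name, 0.0))
    return (residual_gain - a.cost) / a.cost


def roi(c: Countermeasure, a: Attack) -> float:
    """Return on Investment, assumed form: (risk mitigated - cost) / cost.
    Doing nothing has neither cost nor return; its ROI is taken as 0 (assumption)."""
    if c.cost == 0:
        return 0.0
    mitigated = a.ale * c.mitigation.get(a.name, 0.0)
    return (mitigated - c.cost) / c.cost


def payoff_matrix(attacks: List[Attack], cms: List[Countermeasure]
                  ) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """(attack, countermeasure) -> (attacker ROA, defender ROI)."""
    return {(a.name, c.name): (roa(a, c), roi(c, a)) for a, c in product(attacks, cms)}


def pure_nash_equilibria(attacks: List[Attack], cms: List[Countermeasure]
                         ) -> List[Tuple[str, str]]:
    """Profiles where neither player improves by unilaterally switching strategy."""
    pay = payoff_matrix(attacks, cms)
    eq = []
    for a, c in product(attacks, cms):
        att_u, def_u = pay[(a.name, c.name)]
        att_best = max(pay[(x.name, c.name)][0] for x in attacks)   # best reply to c
        def_best = max(pay[(a.name, y.name)][1] for y in cms)       # best reply to a
        if att_u >= att_best and def_u >= def_best:
            eq.append((a.name, c.name))
    return eq


def deterred_attacks(attacks: List[Attack], c: Countermeasure) -> List[str]:
    """Attacks that are no longer profitable (ROA <= 0) once c is deployed."""
    return [a.name for a in attacks if roa(a, c) <= 1e-12]


# Constructed defense tree: root "steal customer records", two attack leaves,
# three countermeasures plus the option of doing nothing. All figures are invented.
ATTACKS = [
    Attack("sql_injection", cost=2.0, gain=50.0, ale=40.0),
    Attack("phishing_admin", cost=5.0, gain=50.0, ale=40.0),
]
NONE = Countermeasure("none", cost=0.0)
WAF = Countermeasure("waf", cost=10.0, mitigation={"sql_injection": 0.7})
MFA = Countermeasure("mfa", cost=10.0, mitigation={"phishing_admin": 0.7})
IDS = Countermeasure("ids", cost=12.0, mitigation={"sql_injection": 0.9, "phishing_admin": 0.9})
COUNTERMEASURES = [NONE, WAF, MFA, IDS]


def equilibria_for_ids_cost(ids_cost: float) -> List[Tuple[str, str]]:
    """Sensitivity check: re-solve the game with a different price for the IDS."""
    cms = [NONE, WAF, MFA, replace(IDS, cost=ids_cost)]
    return pure_nash_equilibria(ATTACKS, cms)


if __name__ == "__main__":
    for (a, c), (u_att, u_def) in payoff_matrix(ATTACKS, COUNTERMEASURES).items():
        print(f"{a:15s} vs {c:5s}  ROA={u_att:6.2f}  ROI={u_def:6.2f}")
    print("pure Nash equilibria:", pure_nash_equilibria(ATTACKS, COUNTERMEASURES))
    print("deterred by ids:", deterred_attacks(ATTACKS, IDS))
    print("equilibria if ids costs 20:", equilibria_for_ids_cost(20.0))
```

With these figures the IDS is the defender's best reply to either attack (ROI 2.0 against 1.8 for the single-purpose controls), the attacker's best reply to the IDS is SQL injection (ROA 1.5 against 0 for phishing), so the unique pure equilibrium is (sql_injection, ids) and phishing is deterred. Raising the IDS price to 20 drops its ROI below the WAF's and MFA's; the players then cycle between the two attacks and the two single-purpose controls and no pure equilibrium remains, which is the situation where mixed strategies have to be considered.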
References
Bistarelli, S., Fioravanti, F., Peretti, P.: Defense tree for economic evaluations of security investment. In: 1st International Conference on Availability, Reliability and Security (ARES 2006), pp. 416–423 (2006)
Clark, D.D., Wilson, D.R.: A comparison of commercial and military computer security policies. In: IEEE Symposium on Computer Security and Privacy (1987)
Cremonini, M., Martini, P.: Evaluating information security investments from attackers perspective: the Return-On-Attack (ROA). In: Fourth Workshop on the Economics of Information Security (June 2005)
Foster, N.L.: The application of software and safety engineering techniques to security protocol development. PhD thesis, University of York, Department of Computer Science (2002)
Fudenberg, D., Tirole, J.: Game Theory. MIT Press, Cambridge (1991)
Gibbons, R.: A Primer in Game Theory. Pearson Higher Education (1992)
Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4), 438–457 (2002)
Howard, M., LeBlanc, D.: Writing Secure Code. Microsoft Press, Redmond (2002)
Krutz, R.L., Vines, R.D., Stroz, E.M.: The CISSP Prep Guide: Mastering the Ten Domains of Computer Security. Wiley, Chichester (2001)
Liu, Y.: Intrusion Detection for Wireless Networks. PhD thesis, Stevens Institute of Technology (2006)
McKelvey, R.D., McLennan, A.M., Turocy, T.L.: Gambit: Software tools for game theory (version 0.2006.01.20) (2006), http://econweb.tamu.edu/gambit
Meritt, J.W.: A method for quantitative risk analysis. In: Proceedings of the 22nd National Information Systems Security Conference (October 1999)
Osborne, M.J.: An introduction to game theory. Oxford University Press, Oxford (2003)
Schechter, S.E.: Computer Security Strength & Risk: A Quantitative Approach. PhD thesis, Harvard University (May 2004)
Schneier, B.: Attack trees: Modeling security threats. Dr. Dobb’s Journal (1999)
Schneier, B.: Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons, Chichester (2000)
Sonnenreich, W., Albanese, J., Stout, B.: Return On Security Investment (ROSI): A practical quantitative model. In: Security in Information Systems, Proceedings of the 3rd International Workshop on Security in Information Systems, WOSIS 2005, pp. 239–252. INSTICC Press (2005)
Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems. NIST Special Publication 800-30, National Institute of Standards and Technology (July 2002)
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Bistarelli, S., Dall’Aglio, M., Peretti, P. (2007). Strategic Games on Defense Trees. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds) Formal Aspects in Security and Trust. FAST 2006. Lecture Notes in Computer Science, vol 4691. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75227-1_1
DOI: https://doi.org/10.1007/978-3-540-75227-1_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75226-4
Online ISBN: 978-3-540-75227-1