Evaluation of Attributes on Attack–Defense Trees

Consequently, an ADTree has nodes of two opposite types: attack nodes and defense nodes. The root of an ADTree represents the main goal of the attacker. Every node of an ADTree may have one or more children of the same type representing a refinement into sub-goals of the node’s goal. The refinement of a node can be either disjunctive or conjunctive. The goal of a disjunctively refined node is achieved when at least one of its refining children goals is achieved. The goal of a conjunctively refined node is achieved when all of its refining children goals are achieved. The nodes without any children of the same type are called nonrefined nodes, and they represent basic attack or defense actions. Every node may also have one child of the opposite type, representing a countermeasure. Thus, an attack node may have several children which refine the attack and one child which defends against the attack. A defense node in turn may have several children which refine the corresponding defense and one child being an attack node and countering the defense.