Attack-Fault-Defense Trees (AFDT)
- Attack-Fault-Defense Trees (AFDTs) are a unified risk analysis framework that integrates fault trees, attack trees, and explicit defenses to model interdependencies in cyber-physical systems.
- They employ logical gates such as AND, OR, VOT(k/n), and inhibition to capture the complex, cascading effects of faults, attacks, and countermeasures.
- AFDTs support both qualitative minimal cut set analysis and quantitative probabilistic risk assessments, enabling iterative refinement and interdisciplinary collaboration in critical infrastructures.
Attack-Fault-Defense Trees (AFDTs) are a unified risk analysis framework that integrates the classical safety paradigm of Fault Trees (FTs), the security modeling strengths of Attack Trees (ATs), and explicit representations of countermeasures into one mathematically rigorous, visually intuitive structure. AFDTs are engineered for complex cyber-physical domains—such as satellite ground segments, smart grids, and mission-critical aerospace systems—where accidental failures (faults), malicious actions (attacks), and defenses exhibit intricate, mutually reinforcing interdependencies. By combining these aspects, AFDTs enable comprehensive, cross-domain modeling and analysis of resilience in interconnected systems (Soltani et al., 1 Apr 2025, Soltani et al., 30 Jun 2025).
1. Formal Structure and Semantics
An AFDT is formally a directed acyclic graph or tree, where:
- Leaves represent basic event types:
- Basic Attack Steps (BASs): atomic adversarial actions.
- Basic Component Failures (BCFs): primary faults or reliability events.
- Basic Defense Steps (BDSs): atomic countermeasures.
- Internal nodes are gates, specifically:
- AND Gates: all child events must occur for the parent to activate.
- OR Gates: at least one child event triggers the parent.
- VOT(k/n) Voting Gates: at least k of the n inputs must fire.
- INH (Inhibition): models the prevention of a threat/fault by a defense.
Let , where is nodes, is the root/top-level event (TLE), type-annotates leaves, assigns gate types, and assigns child sets. An event’s activation in a risk scenario (sets of active BAS, BCF, BDS) is given recursively: leaves are activated as per ; AND, OR, and VOT gates follow the standard logical combinations; INH for event and defense activates only if is active and is not. The system is considered to have failed if the TLE evaluates to $1$ under (Soltani et al., 1 Apr 2025, Soltani et al., 30 Jun 2025).
2. Construction Methodology
AFDT construction proceeds via iterative elicitation and model refinement:
- Define system boundaries and TLE: Specify what constitutes system failure (e.g., loss of Telecommand/Telemetry integrity) and enumerate all relevant assets and subsystems.
- Elicit basic events: Safety engineers enumerate probabilistic or deterministic component faults (BCFs). Security analysts postulate adversarial BASs. Defense strategists identify implementable BDSs.
- Select propagation gates: Use AND, OR, VOT(k/n), or custom inhibition as dictated by the logical dependencies among events; capture redundancy, alternative paths, and defense interlocks.
- Map defenses: For each BDS, draw INH-arcs to all BAS or BCF nodes it mitigates. Domain experts validate all mitigations and check physical/logical realizability.
- Minimal Cut Set (MCS) analysis and iteration: Compute MCSs—minimal sets of basic events whose co-occurrence causes system failure. Present uncovered risks to stakeholders; adjust defenses or event sets as necessary (Soltani et al., 1 Apr 2025).
A typical workflow for AFDT construction in mission settings is shown below.
| Step | Description | Key Personnel |
|---|---|---|
| 1. Boundary | Define TLE and subsystems | Risk manager, architects |
| 2. Event List | Elicit BCF, BAS, BDS | Safety, security, defense |
| 3. Gates | Model propagation logic | Systems engineers |
| 4. Defenses | Map BDS to threats/faults with INH | Domain experts |
| 5. Iterate | Compute and review MCSs | All stakeholders |
3. Analytical Techniques: Qualitative and Quantitative
AFDT supports both qualitative and quantitative analysis:
- Minimal Cut Sets (MCSs): A qualitative MCS is any inclusion-minimal set of BAS/BCF whose joint activation forces TLE activation. Identifying all MCSs highlights the “weakest links” and prioritizes defense investments. For a node , MCSs are computed by set-union and minimization rules for AND/OR/VOT/INH, as formalized in recursive algorithms.
- Probabilistic Analysis: Assigning independent probabilities to each basic event , one approximates the probability of system failure at the TLE as a sum over MCSs, adjusting for overlaps via inclusion–exclusion. For specific series–parallel topologies, the AND/OR formulas can be applied directly.
- Scenario Logic and Querying: AFDL (Attack-Fault-Defense Logic) and its domain-language LangAFDL enable formal queries: Boolean (“can event occur under given assumptions?”), Quantified (“does any -of- failure trigger TLE always/sometimes?”), and Minimal Risk Set (“enumerate all minimal causing TLE”).
- Tool Support: Existing tools such as FaultTree+ or SecurITree can be extended to support AFDT’s inhibition logic and MCS automation (Soltani et al., 1 Apr 2025, Soltani et al., 30 Jun 2025).
4. Case Study: Application to Satellite Ground Segments
AFDT was applied in the Ascentio GSaaS context, modeling satellite ground segment operations:
- Assets: Telecommand/Telemetry pipelines, API servers, cloud-native infra, antennas, and operator UIs.
- Attack–Fault–Defense Subtrees:
- “Ground Station Unavailability”: BCFs (e.g., UPS failure) and BASs (e.g., DDoS) aggregated via OR, with VOT(2/3) for antenna redundancy; DP defense (DDoS Protection) INH-linked to DDoS.
- “Corrupted Telemetry Data”: AND of software bug BCF and SCA BAS; TSA (secure software assurance) inhibits both.
- “Credential Leakage”: password, username, human error combined by AND; MFA inhibits the chain.
- Qualitative MCSs: {MITM} defended by E2E encryption; {DDoS} by DP; {Bug, SCA} by TSA; {Pass, Uname, HE} by MFA; but certain events (e.g., unplanned update UU) remained defendless.
- Defense prioritization: By analyzing the effect of defenses on MCS size and cardinality, the team identified MFA and TSA as highest priority, followed by network segmentation. Remaining gaps (e.g., COGS, UU) informed roadmap scheduling (Soltani et al., 1 Apr 2025, Soltani et al., 30 Jun 2025).
5. Formal Querying and Logic Extensions
The AFDL and LangAFDL languages enable precise, automated querying over AFDTs:
- AFDL: Formal logic comprising Boolean queries (ER, VR), thresholded implications (VOT), and minimal risk scenario (MRS) extraction.
- LangAFDL: Structured, template-driven layer for domain experts—allowing assumption blocks and query templates (“check exists,” “check forall,” “computeall MRS(...)”).
- Expressivity: Supports direct mapping from domain-specific concerns to logic: “Does defense suite eliminate minimal risk scenarios for failure ?”; “Is out of human errors always sufficient for payload loss, with all defenses active?”
- Case study application: Queries over GSaaS and Gridshield demonstrate the framework's ability to determine whether alternative attack/fault scenarios can still compromise critical system functionality under different defense activations; enables the extraction of all minimal threat/fault sets triggering failures (Soltani et al., 30 Jun 2025).
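The gate semantics of section 1, the MCS and probabilistic analysis of section 3, the GSaaS subtrees of section 4, and the exists/forall scenario queries of section 5 can be exercised in one small analyser. The code below is an added example written for this page; it is not from Soltani et al. or any AFDT tool. The tuple-based node encoding, the leaf names (Antenna1..3, Pass, Uname, HE, UU, ...), the classification of human error as a BCF, and all probabilities are assumptions constructed for illustration. Cut sets are computed over BAS/BCF leaves for a fixed set of active defenses, so an INH gate whose defense is active contributes no cut set, which is exactly how a "defendless" path shows up.

```python
"""AFDT toy analyser: scenario evaluation, minimal cut sets (MCS), k-of-n queries
and failure probability for a fixed defense portfolio. Added example, constructed data."""
from itertools import combinations, product
from math import prod

# Node encoding (an assumption of this example, not the papers' notation):
#   leaf : ("BAS" | "BCF" | "BDS", name)
#   gate : ("AND", [children]) | ("OR", [children])
#          ("VOT", k, [children])  -> at least k of the children must fire
#          ("INH", event, defense) -> event fires only while the defense is inactive
LEAF_TYPES = ("BAS", "BCF", "BDS")


def evaluate(node, active):
    """Recursive activation of a node under a scenario `active` (set of leaf names)."""
    kind = node[0]
    if kind in LEAF_TYPES:
        return node[1] in active
    if kind == "AND":
        return all(evaluate(c, active) for c in node[1])
    if kind == "OR":
        return any(evaluate(c, active) for c in node[1])
    if kind == "VOT":
        return sum(evaluate(c, active) for c in node[2]) >= node[1]
    if kind == "INH":
        return evaluate(node[1], active) and not evaluate(node[2], active)
    raise ValueError(f"unknown node kind {kind}")


def minimize(sets):
    """Keep only inclusion-minimal cut sets."""
    sets = set(sets)
    return {s for s in sets if not any(t < s for t in sets)}


def _cross(children, defenses):
    """Cut sets of an AND over `children`: one cut set per child, unioned."""
    families = [cut_sets(c, defenses) for c in children]
    if any(not f for f in families):      # a child that can never fire blocks the AND
        return set()
    return minimize(frozenset().union(*combo) for combo in product(*families))


def cut_sets(node, defenses=frozenset()):
    """Minimal cut sets over BAS/BCF leaves, given the active defenses (BDS names)."""
    kind = node[0]
    if kind == "BDS":
        return set()                       # a defense never belongs to a cut set
    if kind in LEAF_TYPES:
        return {frozenset([node[1]])}
    if kind == "OR":
        return minimize(s for c in node[1] for s in cut_sets(c, defenses))
    if kind == "AND":
        return _cross(node[1], defenses)
    if kind == "VOT":                      # any k children firing together suffice
        k, children = node[1], node[2]
        return minimize(s for chosen in combinations(children, k)
                        for s in _cross(chosen, defenses))
    if kind == "INH":                      # an active defense removes the whole branch
        event, defense = node[1], node[2]
        return set() if evaluate(defense, defenses) else cut_sets(event, defenses)
    raise ValueError(f"unknown node kind {kind}")


def forall_k_of_n(tree, k, candidates, defenses=frozenset()):
    """'check forall': does every choice of k of the candidate events fire the TLE?"""
    return all(evaluate(tree, set(c) | defenses) for c in combinations(candidates, k))


def exists_k_of_n(tree, k, candidates, defenses=frozenset()):
    """'check exists': does some choice of k of the candidate events fire the TLE?"""
    return any(evaluate(tree, set(c) | defenses) for c in combinations(candidates, k))


def rare_event_approx(mcs, prob):
    """Sum over MCS of the product of event probabilities: an upper bound on P(TLE)."""
    return sum(prod(prob[e] for e in s) for s in mcs)


def failure_probability(mcs, prob):
    """Exact P(TLE) by inclusion-exclusion over the MCS (independent basic events).
    2^|MCS| terms, so only for small trees; BDDs are the scalable exact route."""
    mcs, total = list(mcs), 0.0
    for r in range(1, len(mcs) + 1):
        for chosen in combinations(mcs, r):
            total += (-1) ** (r + 1) * prod(prob[e] for e in frozenset().union(*chosen))
    return total


# Constructed subtrees following the GSaaS description in section 4; leaf names assumed.
def ground_segment_afdt():
    antennas = [("BCF", f"Antenna{i}") for i in (1, 2, 3)]
    unavailable = ("OR", [("BCF", "UPS"), ("INH", ("BAS", "DDoS"), ("BDS", "DP")),
                          ("VOT", 2, antennas)])
    corrupted = ("AND", [("INH", ("BCF", "Bug"), ("BDS", "TSA")),
                         ("INH", ("BAS", "SCA"), ("BDS", "TSA"))])
    leakage = ("INH", ("AND", [("BAS", "Pass"), ("BAS", "Uname"), ("BCF", "HE")]),
               ("BDS", "MFA"))
    intercept = ("INH", ("BAS", "MITM"), ("BDS", "E2E"))
    return ("OR", [unavailable, corrupted, leakage, intercept, ("BCF", "UU")])


PROB = {"UPS": 0.01, "DDoS": 0.05, "Antenna1": 0.02, "Antenna2": 0.02, "Antenna3": 0.02,
        "Bug": 0.10, "SCA": 0.05, "Pass": 0.20, "Uname": 0.30, "HE": 0.10,
        "MITM": 0.02, "UU": 0.03}                 # constructed, not from the papers
ALL_DEFENSES = frozenset({"DP", "TSA", "MFA", "E2E"})

if __name__ == "__main__":
    tle = ground_segment_afdt()
    for label, d in (("no defenses", frozenset()), ("all defenses", ALL_DEFENSES)):
        mcs = cut_sets(tle, d)
        print(label, sorted(sorted(s) for s in mcs))
        print("  P(TLE) exact", round(failure_probability(mcs, PROB), 6),
              "rare-event bound", round(rare_event_approx(mcs, PROB), 6))
    print("2-of-3 antennas always fail TLE:", forall_k_of_n(tle, 2, ["Antenna1", "Antenna2", "Antenna3"], ALL_DEFENSES))
```

Running it lists nine MCSs with no defenses and five with the full portfolio ({UPS}, {UU}, and the three antenna pairs), which reproduces the page's observation that UU stays defendless while DDoS, MITM, {Bug, SCA} and {Pass, Uname, HE} are removed by DP, E2E, TSA and MFA. The rare-event sum is always at least the inclusion-exclusion value, so it is a safe bound for triage when the exact computation is too large.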
6. Integration, Scalability, and Best Practices
AFDTs are designed for interdisciplinary, scalable modeling in complex infrastructure:
- Unified Modeling: Integrates classic FT (safety) and AT (security) concepts via explicit defense nodes, enabling joint safety-security analysis with countermeasure constraints.
- Interdisciplinary Collaboration: The visual and logical AFDT framework serves as a lingua franca among safety engineers, security architects, and system operators.
- Iterative and Modular Development: Encourages initial coarse models with successive refinement in subsystem-specific working groups; modular AFDTs can be integrated at higher levels using VOT/OR gates to manage scalability.
- Quantitative Integration: When event probabilities and defense reliability rates are available, AFDTs can be annotated for numerical risk assessment, employing (a) analytic formulae or (b) binary decision diagrams for exact calculations.
- Tool Integration: Existing analytic platforms can be adapted with inhibition gate logic for automated MCS and probabilistic assessment.
- Critical Gaps: The framework explicitly flags defendless risk paths, directing attention to emergent vulnerabilities as defense portfolios or system implementations evolve (Soltani et al., 1 Apr 2025, Soltani et al., 30 Jun 2025).
7. Significance and Broader Implications
AFDTs provide a structured approach to resilience analysis in systems where fault, threat, and defense domains interact non-trivially. The explicit modeling of inhibition (defensive mitigation), voting (redundancy), and combined qualitative/quantitative analysis enables fine-grained prioritization of risk mitigation strategies. The approach has demonstrated utility in satellite ground segments and smart grid systems, but is universally applicable to other cyber-physical infrastructures—industrial control, smart grids, and autonomous vehicles—by replicating the model construction, analysis, and iteration methodology.
AFDTs, through their synthesis of safety, security, and defense, underpin an integrated and scalable path toward resilient design and operation, meeting the assessment demands of increasingly interconnected mission-critical systems (Soltani et al., 1 Apr 2025, Soltani et al., 30 Jun 2025).