Skip to content

Monitor Threats Behavior Tree

The Monitor Threats Behavior Tree is shown below.

---
title: Monitor Threats Behavior Tree
---
flowchart LR
    fb["?"]
    seq["→"]
    fb --> seq
    par["#8649; (1)"]
    seq --> par
    at_seq["→"]
    par -->|A| at_seq
    mon_attacks["monitor attacks"]
    at_seq --> mon_attacks
    cs_to_A["CS &rarr; A<br/>(emit CA)"]
    at_seq --> cs_to_A
    ex_seq["&rarr;"]
    par -->|B| ex_seq
    mon_exploits["monitor public exploits"]
    ex_seq --> mon_exploits
    ex_fb["?"]
    ex_seq --> ex_fb
    cs_in_P(["CS in P?"])
    ex_fb --> cs_in_P
    cs_to_P["CS &rarr; P<br/>(emit CP)"]
    ex_fb --> cs_to_P
    cs_to_X["CS &rarr; X<br/>(emit CX)"]
    ex_seq --> cs_to_X
    rep_seq["&rarr;"]
    par -->|C| rep_seq
    mon_reports["monitor public reports"]
    rep_seq --> mon_reports
    rep_cs_to_P["CS &rarr; P<br/>(emit CP)"]
    rep_seq --> rep_cs_to_P
    term_embargo["terminate embargo"]
    seq --> term_embargo
    cs_unchanged(["CS unchanged?"])
    fb --> cs_unchanged

For our purposes, monitoring consists of a set of parallel tasks, any one of which can lead to embargo termination. The three conditions of interest are taken straight from the embargo exit criteria.

  • (A) If attacks are observed, the \(q^{cs} \xrightarrow{\mathbf{A}} A\) transition occurs, and a \(CA\) message is emitted.

  • (B) If a public exploit is observed, the \(q^{cs} \xrightarrow{\mathbf{X}} X\) transition occurs, and a \(CX\) message is emitted. In the special case where the exploit is made public prior to the vulnerability itself being made public,1 there is an additional \(q^{cs} \xrightarrow{\mathbf{P}} P\) transition and \(CP\) emission.

  • (C) Finally, if the vulnerability information has been made public, then the \(q^{cs} \xrightarrow{\mathbf{P}} P\) and emits \(CP\).

In the event that one or more of these events is detected, the Terminate Embargo Behavior Tree is triggered.

There are many other good reasons to monitor and maintain awareness of cybersecurity threats. The behavior shown here is intended as a minimal set of things that CVD Participants should watch out for in the course of performing their CVD practice.

See also: Terminate Embargo Behavior Tree

  1. Corresponding to a Type 3 Zero Day Exploit as defined in ยง6.5.1 of A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure