Skip to main content

ADTLang: a programming language approach to attack defense trees


The Attack Defense Tree framework was developed to facilitate abstract reasoning about security issues of complex systems. As such, a zoo of techniques and extensions have emerged in an attempt to extend the simple Boolean logic of Attack Defense Trees with behavioral properties and quantities. In this paper we expand the modeling power of Attack Defense Trees by introducing a notion of temporal dependencies between attacks, forcing specific ordering of event in successful attacks. Importantly, we introduce a notion of policy for the defender, facilitating a pseudo-active defender, mechanically reacting to the choices of an attacker. To easen the use of Attack Defense Trees we introduce a domain specific language (DSL) and an accompanying tool. The introduction of the DSL facilitates reuse, modularity, collaborative tree construction and separation of logical properties and quantitative/behavioral elements. The usefulness of our framework is exhibited on a small running example, utilizing the policy-notion to implement a reactive Break The Glass policy. We note that all the implemented analysis techniques use well established tools from the formal methods community to produce the given results, relying on non-trivial and automatic translation to and from the target formalisms. Lastly we present our Open Source prototype-tool, capable of conducting various analysis and visualizing the results.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18


  1. 1.

    Or most non-deterministic


  1. 1.

    Alur, R., Dill, D. L.: Automata for modeling real-time systems. In Paterson, M., editor, ICALP, volume 443 of Lecture Notes in Computer Science, pp. 322–335. Springer (1990). ISBN 3-540-52826-1

  2. 2.

    Aslanyan, Z., Nielson, F.: Pareto Efficient solutions of attack-defence trees. In: Principles of Security and Trust, volume 9036, p. 95 (2015).

  3. 3.

    Aslanyan, Z., Nielson, F., Parker, D.: Quantitative verification and synthesis of attack-defence scenarios. In IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, June 27–July 1, 2016, pp. 105–119. IEEE Computer Society (2016).

  4. 4.

    Bossuat, A., Kordy, B.: Evil twins: handling repetitions in attack-defense trees—a survival guide. In: Liu et al. [13], pp. 17–37. ISBN 978-3-319-74859-7.

  5. 5.

    David, Alexandre, Larsen, G.Kim, Legay, Axel, Mikucionis, Marius, Poulsen, Danny Bøgsted: Uppaal SMC tutorial. STTT 17(4), 397–415 (2015).

    Article  Google Scholar 

  6. 6.

    Gadyatskaya, O., Hansen, R. R., Larsen, K. G., Legay, A., Olesen, M. C., Poulsen, D. B.: Modelling attack-defense trees using timed automata. In: Fränzle, M., Markey, N. (eds.) Formal Modeling and Analysis of Timed Systems—14th International Conference, FORMATS 2016, Quebec, QC, Canada, August 24–26, 2016, Proceedings, volume 9884 of Lecture Notes in Computer Science, pp. 35–50. Springer, ISBN 978-3-319-44877-0

  7. 7.

    Hansen, R. R., Jensen, P., Larsen, K. G., Legay, A., Poulsen, D. B.: Quantitative evaluation of attack defense trees using stochastic timed automata. In: Liu et al. [13], pp. 75–90. ISBN 978-3-319-74859-7.

  8. 8.

    Hermanns, H., Krämer, J., Krčál, J., Stoelinga, M.: The value of attack-defence diagrams. In: Piessens, F., Viganò, L. (eds.) Principles of Security and Trust. POST 2016. Lecture Notes in Computer Science, vol, 9635, pp. 163–185. Springer, Berlin, Heidelberg (2016).

  9. 9.

    Johnson, Pontus, Lagerström, Robert, Ekstedt, Mathias: A meta language for threat modeling and attack simulations. In: Doerr, Sebastian, Fischer, Mathias, Schrittwieser, Sebastian, Herrmann, Dominik (eds.) Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, pp. 38:1–38:8. ACM, Hamburg (2018). ISBN 978-1-4503-6448-5

    Chapter  Google Scholar 

  10. 10.

    Kordy, Barbara, Mauw, Sjouke, Radomirović, Saša, Schweitzer, Patrick: Attack-defense trees. J. Logic Comput. 24(1), 55–87 (2014)

    MathSciNet  Article  Google Scholar 

  11. 11.

    Kumar, Rajesh, Rensink, Arend, Stoelinga, Mariëlle: LOCKS: a property specification language for security goals. In: Haddad, M.Hisham, Wainwright, L.Roger, Chbeir, Richard (eds.) Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC 2018, pp. 1907–1915. ACM, Pau (2018).

    Chapter  Google Scholar 

  12. 12.

    Larsen, K.G., Pettersson, P., Yi, W.: UPPAAL in a nutshell. STTT 1(1–2), 134–152 (1997).

    Article  MATH  Google Scholar 

  13. 13.

    Liu, P., Mauw, S., Stølen, K. (eds) Graphical Models for Security—4th International Workshop, GraMSec 2017, Santa Barbara, CA, USA, August 21, 2017, Revised Selected Papers

  14. 14.

    Schneier, B.: Attack trees. Dr. Dobb’s J. Softw. Tools 24(12), 21–22, 24, 26, 28–29 (1999)

  15. 15.

    Younes, L.S.Håkan: Verification and Planning for Stochastic Processes with Asynchronous Events. PhD thesis. Carnegie Mellon University, Pittsburgh (2005)

    Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Danny Bøgsted Poulsen.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Hansen, R.R., Larsen, K.G., Legay, A. et al. ADTLang: a programming language approach to attack defense trees. Int J Softw Tools Technol Transfer 23, 89–104 (2021).

Download citation


  • Attack-Defense tree
  • Security
  • Modelling
  • U\(\textsc {ppaal}\)