Foundations of Attack Trees

  • Sjouke Mauw
  • Martijn Oostdijk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3935)


Attack trees have found their way to practice because they have proved to be an intuitive aid in threat analysis. Despite, or perhaps thanks to, their apparent simplicity, they have not yet been provided with an unambiguous semantics. We argue that such a formal interpretation is indispensable to precisely understand how attack trees can be manipulated during construction and analysis. We provide a denotational semantics, based on a mapping to attack suites, which abstracts from the internal structure of an attack tree, we study transformations between attack trees, and we study the attribution and projection of an attack tree.


attack trees semantics threat analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    TANAT – Threat ANd Attack Tree Modeling plus Simulation (2004),
  2. 2.
    ARES corporation. Risk techniques, fault trees. Technical report, Available from:
  3. 3.
    Einarsson, S., Rausand, M.: An approach to vulnerability analysis of complex industrial systems. Risk Analysis 18(5), 535–545 (1998)CrossRefGoogle Scholar
  4. 4.
    Landwehr, C.E.: Formal models for computer security. Computing Surveys 13(3), 247–277 (1981)CrossRefGoogle Scholar
  5. 5.
    Amaneza Technologies Limited. A quick tour of attack tree based risk analysis using SecurITree. Technical report (2002)Google Scholar
  6. 6.
    McDermott, J.P.: Attack net penetration testing. In: Proc. 2000 workshop on New Security Paradigm, pp. 15–20. ACM, New York (2001)Google Scholar
  7. 7.
    Meadows, C.: Open issues in formal methods for cryptographic protocol analysis. In: DARPA Information Survivability Conference & Exposition, vol. 1, pp. 237–250 (2000)Google Scholar
  8. 8.
    Opel, A.: Design and implementation of a support tool for attack trees (2005)Google Scholar
  9. 9.
    Phillips, C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: Proc. New Security Paradigms Workshop, pp. 71–79 (1998)Google Scholar
  10. 10.
    Schneier, B.: Attack trees: Modeling security threats. Dr. Dobb’s journal (December 1999)Google Scholar
  11. 11.
    Schneier, B.: Secrets & Lies: Digital Security in a Networked World. Wiley, Chichester (2000)Google Scholar
  12. 12.
    Stefan, J., Schumacher, M.: Collaborative attack modeling. In: SAC 2002, pp. 253–259. ACM, New York (2002)Google Scholar
  13. 13.
    Swiler, L.P., Philips, C., Ellis, D., Chakarian, S.: Computer-attack graph generation tool. In: Proc. DARPA Information Survivability Conference and Exposition, June 2001, vol. 2, pp. 307–321 (2001)Google Scholar
  14. 14.
    Terese: Term Rewriting Systems. Cambridge Tracts in Theoretical Computer Science, vol. 55. Cambridge University Press, Cambridge (2003)Google Scholar
  15. 15.
    Tidwell, T., Larson, R., Fitch, K., Hale, J.: Modeling internet attacks. In: Proc. of the 2001 IEEE Workshop on Information Assurance and Security (2001)Google Scholar
  16. 16.
    Vesely, W.E., et al.: Fault tree handbook. Technical Report NUREG-0492, U.S. Nuclear Regulatory Commission (January 1981)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sjouke Mauw
    • 1
  • Martijn Oostdijk
    • 2
  1. 1.Eindhoven University of TechnologyNetherlands
  2. 2.Radboud University NijmegenNetherlands

Personalised recommendations