Is My Attack Tree Correct?

  • Maxime Audinot
  • Sophie Pinchinat
  • Barbara Kordy
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


Attack trees are a popular way to represent and evaluate potential security threats on systems or infrastructures. The goal of this work is to provide a framework allowing to express and check whether an attack tree is consistent with the analyzed system. We model real systems using transition systems and introduce attack trees with formally specified node labels. We formulate the correctness properties of an attack tree with respect to a system and study the complexity of the corresponding decision problems. The proposed framework can be used in practice to assist security experts in manual creation of attack trees and enhance development of tools for automated generation of attack trees.


  1. 1.
    Aslanyan, Z., Nielson, F.: Pareto efficient solutions of attack-defence trees. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 95–114. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46666-7_6 Google Scholar
  2. 2.
    Aslanyan, Z., Nielson, F.: Model checking exact cost for attack scenarios. In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 210–231. Springer, Heidelberg (2017). doi: 10.1007/978-3-662-54455-6_10 CrossRefGoogle Scholar
  3. 3.
    Audinot, M., Pinchinat, S.: On the soundness of attack trees. In: Kordy, B., Ekstedt, M., Kim, D.S. (eds.) GraMSec 2016. LNCS, vol. 9987, pp. 25–38. Springer, Cham (2016). doi: 10.1007/978-3-319-46263-9_2 CrossRefGoogle Scholar
  4. 4.
    Audinot, M., Pinchinat, S., Kordy, B.: Is my attack tree correct? (extended version). CoRR abs/1706.08507 (2017),
  5. 5.
    Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching time temporal logic. In: Kozen, D. (ed.) Logic of Programs 1981. LNCS, vol. 131, pp. 52–71. Springer, Heidelberg (1982). doi: 10.1007/BFb0025774 CrossRefGoogle Scholar
  6. 6.
    Cook, S.A.: The complexity of theorem-proving procedures. In: Proceedings of the Third Annual ACM Symposium on Theory of Computing, pp. 151–158. ACM (1971)Google Scholar
  7. 7.
    De Giacomo, G., Vardi, M.Y.: Linear temporal logic and linear dynamic logic on finite traces. In: IJCAI 2013 Proceedings of the Twenty-Third International Joint Conference on Artificial Intelligence, pp. 854–860. Association for Computing Machinery (2013)Google Scholar
  8. 8.
    Gadyatskaya, O., Hansen, R.R., Larsen, K.G., Legay, A., Olesen, M.C., Poulsen, D.B.: Modelling attack-defense trees using timed automata. In: Fränzle, M., Markey, N. (eds.) FORMATS 2016. LNCS, vol. 9884, pp. 35–50. Springer, Cham (2016). doi: 10.1007/978-3-319-44878-7_3 CrossRefGoogle Scholar
  9. 9.
    Garey, M.R., Johnson, D.S.: Computers and intractability, vol. 29. W.H. Freeman and Company, New York (2002)Google Scholar
  10. 10.
    Horne, R., Mauw, S., Tiu, A.: Semantics for specialising attack trees based on linear logic. Fundam. Inform. 153(1–2), 57–86 (2017)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Ivanova, M.G., Probst, C.W., Hansen, R.R., Kammüller, F.: Transforming graphical system models to graphical attack models. In: Mauw, S., Kordy, B., Jajodia, S. (eds.) GraMSec 2015. LNCS, vol. 9390, pp. 82–96. Springer, Cham (2016). doi: 10.1007/978-3-319-29968-6_6 CrossRefGoogle Scholar
  12. 12.
    Jhawar, R., Kordy, B., Mauw, S., Radomirović, S., Trujillo-Rasua, R.: Attack trees with sequential conjunction. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IAICT, vol. 455, pp. 339–353. Springer, Cham (2015). doi: 10.1007/978-3-319-18467-8_23 CrossRefGoogle Scholar
  13. 13.
    Jürgenson, A., Willemson, J.: Serial model for attack tree computations. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 118–128. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14423-3_9 CrossRefGoogle Scholar
  14. 14.
    Kordy, B., Mauw, S., Radomirovic, S., Schweitzer, P.: Attack-defense trees. J. Log. Comput. 24(1), 55–87 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: Dag-based attack and defense modeling: don’t miss the forest for the attack trees. Comput. Sci. Rev. 13–14, 1–38 (2014)CrossRefzbMATHGoogle Scholar
  16. 16.
    Kordy, B., Pouly, M., Schweitzer, P.: Probabilistic reasoning with graphical security models. Inf. Sci. 342, 111–131 (2016)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Kumar, R., Ruijters, E., Stoelinga, M.: Quantitative attack tree analysis via priced timed automata. In: Sankaranarayanan, S., Vicario, E. (eds.) FORMATS 2015. LNCS, vol. 9268, pp. 156–171. Springer, Cham (2015). doi: 10.1007/978-3-319-22975-1_11 CrossRefGoogle Scholar
  18. 18.
    Leyton-Brown, K., Hoos, H.H., Hutter, F., Xu, L.: Understanding the empirical hardness of NP-complete problems. Commun. ACM 57(5), 98–107 (2014)CrossRefGoogle Scholar
  19. 19.
    Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). doi: 10.1007/11734727_17 CrossRefGoogle Scholar
  20. 20.
    OWASP: CISO AppSec Guide: Criteria for managing application security risks (2013)Google Scholar
  21. 21.
    Phillips, C.A., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: Workshop on New Security Paradigms, pp. 71–79. ACM (1998)Google Scholar
  22. 22.
    Pieters, W., Padget, J., Dechesne, F., Dignum, V., Aldewereld, H.: Effectiveness of qualitative and quantitative security obligations. J. Inf. Sec. Appl. 22, 3–16 (2015)Google Scholar
  23. 23.
    Pinchinat, S., Acher, M., Vojtisek, D.: ATSyRa: an integrated environment for synthesizing attack trees. In: Mauw, S., Kordy, B., Jajodia, S. (eds.) GraMSec 2015. LNCS, vol. 9390, pp. 97–101. Springer, Cham (2016). doi: 10.1007/978-3-319-29968-6_7 CrossRefGoogle Scholar
  24. 24.
    Research, N., (RTO), T.O.: Improving Common Security Risk Analysis. Tech. Rep. AC/323(ISP-049)TP/193, North Atlantic Treaty Organisation, University of California, Berkeley (2008)Google Scholar
  25. 25.
    Roy, A., Kim, D.S., Trivedi, K.S.: Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees. Secur. Commun. Netw. 5(8), 929–943 (2012)CrossRefGoogle Scholar
  26. 26.
    Schneier, B.: Attack trees: modeling security threats. Dr. Dobb’s J. Softw. Tools 24(12), 21–29 (1999)Google Scholar
  27. 27.
    Schnoebelen, P.: The complexity of temporal logic model checking. Adv. Modal Logic 4(35), 393–436 (2002)MathSciNetzbMATHGoogle Scholar
  28. 28.
    Sheyner, O., Haines, J.W., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: IEEE S&P, pp. 273–284. IEEE Computer Society (2002)Google Scholar
  29. 29.
    Thierry-Mieg, Y.: Symbolic model-checking using ITS-tools. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 231–237. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46681-0_20 Google Scholar
  30. 30.
    Vigo, R., Nielson, F., Nielson, H.R.: Automated generation of attack trees. In: CSF, pp. 337–350. IEEE Computer Society (2014)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Maxime Audinot
    • 1
    • 2
  • Sophie Pinchinat
    • 1
    • 2
  • Barbara Kordy
    • 1
    • 3
  1. 1.IRISARennesFrance
  2. 2.University Rennes 1RennesFrance
  3. 3.INSA RennesRennesFrance

Personalised recommendations