title: What do you ask an attack tree? (And how should it reply?)
keywords: Attack trees, Model-driven engineering, Query, Model transformation
topics: Dependability, security and performance , Logics and semantics , Software Technology
committee: Mariƫlle Stoelinga ,
Stefano Schivo
type: Research Project


Attack Trees are a way to collect and formalize information about possible ways to threaten an important asset. They are useful to represent the steps which a malicious attacker needs to take in order to compromise the target. However, Attack Trees are not natively provided with a query language. This means that, in order to analyze an Attack Tree with e.g. Timed Automata, we can automatically translate only the Attack into Timed Automata. The queries need to be specified directly in the query language of the UPPAAL tool, which we use to analyse Timed Autoamta. This is not convenient: a generic language designed for Attack Trees would allow a security expert to keep working with Attack Trees without having to learn anything about the underlying Timed Automata world used in the analysis phase.

By applying the techniques of model-driven engineering, we propose to define appropriate translations between the domain of Attack Trees and the query languages of the tools we use to analyse Attack Trees.

Moreover, depending on the type of query we ask, we would like to integrate the response in the original Attack Tree model, or to provide it in a format that still "talks the language" of Attack Trees. Big lists of unlabelled numbers or a simple "No" may not be useful answers to a serious security expert. Translations "back" into the Attack Tree environment would allow security experts to concentrate on Attack Trees, while powerful formal tools work in the background to solve their queries.