A Novel Approach for Attack Tree to Attack Graph Transformation: Extended Version

10/06/2021 ∙ by Nathan Daniel Schiele, et al. ∙ 0

Attack trees and attack graphs are both common graphical threat models used by organizations to better understand possible cybersecurity threats. These models have been primarily seen as separate entities, to be used and researched in entirely different contexts, but recently there has emerged a new interest in combining the strengths of these models and in transforming models from one notation into the other. The existing works in this area focus on transforming attack graphs into attack trees. In this paper, we propose an approach to transform attack trees into attack graphs based on the fundamental understanding of how actions are represented in both structures. From this, we hope to enable more versatility in both structures.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Attack trees are a common and useful tool for threat modeling. They allow us to present attack components in a graphical structure that is relatively easily explained and understood. Each node in an attack tree represents a action, and its children represent actions in service to their parent action. The relationship between the children of a node describe the relationship between the components, OR, AND and SAND, describing if all components or only one component need to be completed, and in which order. The major advantage of this model is its compactness, allowing for even complex threats to be modeled concisely. However, attack trees have several downsides, particularly when understanding how the attacker interacts with the system. For instance, it is not evident from an attack tree what is a possible plan of a successful attack in this system nor is it simple to discuss overall mitigation strategies.

An alternative modeling structure, which addresses these downsides, are attack graphs [23]. Attack graphs represent all possible states a system may hold, and the transitions between those states. The major disadvantage of attack graphs is their size, with even small system models resulting in excessively large attack graphs [24]. Attack graphs are not as common in the security industry as the succinct nature of attack trees makes them more appealing to human experts. Additionally, attack graphs are arguably less intuitive, inhibiting their adoption and use by non-technical security experts [7].

However, attack graphs and attack trees represent similar information, and both are valid approaches for modeling potential attack vectors. Additionally, for both attack graphs and attack trees, there is a major consideration of how these models are to be generated, with automated generation at the forefront of current threat model research 

[26, 1, 12].

These two threat models each have their disadvantages, and these disadvantages are seemingly offset, or are easier to offset, by using the other model. It would be useful to have a way to transform one model into the other, and thus be able to combine their perspectives. However, to the best of our knowledge, there is currently no well-defined transformation between these two models. There have been works proposing methods of converting an attack graph into an attack tree [20, 6, 9]. Yet, to date, there has been little work into transforming an attack tree into an attack graph. This is the problem that we address in the present paper.

2 Related Work

Attack trees (ATs) have been fairly widely studied to date. First introduced by Schneier in 1999 as an efficient and effective means of conveying attack information [22]; several researchers have worked to develop the threat model further. Mauw and Oostdijk developed propositional and multiset semantics for attack trees [16]. Jhawar et al. developed a refinement of the sibling relationships, adding a Sequential AND or “SAND” relation, alongside discussing the utility and semantic implications (the SP graph semantics) of such a refinement [11]. Many works have attempted to generate attack trees automatically, given that many attack trees in industry are generated manually, and effective automatic attack tree generation would be a valuable contribution to this space [9, 25, 10, 5].

Attack graphs (AGs) similarly have been widely studied. Sheyner et al. laid out a formal, syntactic structure of a state-based attack graph and proposed a model checking method to generate attack graphs [23]. Noel and Jajodia focused on using topological aggregation to manage the complexity of attack graphs [18, 17]. Ou et al. described a more scalable methodology for generating attack graphs from a logical model [19]. In a broad review of previous works on attack graphs, Lippmann and Ingols found that scalability was the biggest limiting factor in the overall use of attack graphs, with attack graphs quickly becoming too large to be useful [15]. Other problems with attack graphs according to [15] include prescribing meaning to the states within the attack graph structure and the usability of attack graphs as a communication tool; given their size and complexity, attack graphs can be hard to use in industry, as developing recommendations from attack graphs is often too difficult. The primary recommendation in [15] was that future work on attack graphs would need to pay special attention to scalability.

An important topic in the attack graph literature is the meaning behind attack graph nodes. They most frequently represent the states of the associated system after some actions are taken. However, as Lallie et al. points out, attack graphs in literature suffer from inconsistency, and state definitions and labelling schema are not above these inconsistencies [14]

. In our review of the literature, we have found much of the literature can be broadly classified into two categories in the context of the meaning or labeling of attack graph states, those that use logical conditions roughly based on state as in

[19], or those that derive state meaning from some underlying system as in [20]. We take our cues from the literature in that final group, our states will be defined based on a set of actions defined from a system model. We note that other types of attach graphs assign different meaning to states, e.g, vulnerabilities or system hosts [12].

There have been some works on conversion between AGs and ATs, with the research largely focused on the conversion from attack graphs to attack trees.

Ag At.

Pinchinat et al., focused on generating attack trees from attack graphs using the ATSyRA approach [20, 21]. We are attempting the reverse transformation, and a similar designed library based methodology also from Pinchinat et al. of these transformation give us insight into how such transformations can function [20].

Dawkins and Hale, focused on an analysis of network models, and in that analysis described a method of creating attack chains representing complete or near complete attack vectors [3]. These attack chains could then be used to construct attack trees. The primary purpose of the work was not to develop a transformation between attack graphs and attack trees, and thus the transition is not fully developed [3]. Most recently, Haque and Atkinson have overviewed existing approaches to generate attack graphs and attack trees, and to convert attack graphs into attack trees, and have found that those works have suffered from inefficiency or inaccuracy [7].

Hong et al. describe that previous attempts to define a transformation from attack graphs to attack trees have failed due to the exponential size increases of attack graphs [9]. The state explosion problem broadly affects any state based modeling system, of which attack graphs are one; or better put by Valmari, ”the number of states of almost any system of interest is huge”. The biggest issue with the state explosion problem is the computational complexity, as the number of states in a system increases exponentially, the difficulty of handling this information becomes far more complex, as well as time and space inefficient. There are a number of common strategies used to minimize and mitigate the state explosion problem (SEP) [24], many of which we follow as discussed in Section 7. A major concern for any attack graph generation scheme will be handling the exponential number of states [19], and given a transformation from attack trees to attack graphs is a form of attack graph generation in itself, addressing the state explosion problem will be a major concern for us as well.

At Ag.

To the best of our knowledge, there have been no works on transforming attack trees into attack graphs. The reason for this gap could be that attack trees are more succinct threat models, not suffering from the state explosion problem, and are thus more handy for security analysis with human experts [3]. However, creating a transformation into attack trees opens up new interesting research directions, for example, new approaches to automatically generate attack graphs starting from automatically generated attack trees, or using existing, human-designed attack trees to capture security issues in relevant systems with application of the attack graph-based security monitoring.

Finally, attack trees and attack graphs have been very popular graphical security notations in the last 20 years, being featured in many research papers. We refer the interested reader to several surveys for more details about these notations and their applications: on attack trees [26] and on attack graphs [1, 4, 27], and on both attack trees and attack graphs, possibly among other graphical security models, [14, 13, 8].

3 Definitions

While many formal definitions of both attack trees (ATs) and attack graphs (AGs) exist, we will start from the following definitions. These definitions were selected because they share common properties with many modifications of both attack trees and attack graphs, and thus should enable modification of the algorithms described below to enable further development of this methodology. Specifically, we use a recursive attack tree definition à la Gadyatskaya et al. [5], and a basic state-based attack graph definition from Sheyner et al. [23].

Definition 1 (Attack Tree)

Let denote a set of actions, OR and AND be two unranked associate and commutative operators that are disjunctive and conjunctive respectively, and SAND be an unranked associate but non-commutative conjunctive operator. An attack tree is an expression over generated by the following formal grammar (for ):

This definition is recursive, as each subtree is a complete attack tree in and of itself. A single action by itself is an attack tree, and this fact will later be used to help develop our mapping schema in Section 5.

Definition 2 (Attack Graph)

An attack graph or is a tuple , where is a set of states, is a partial function that defines the transition relation for by the set of actions , is a set of initial states and is a set of success states.

This definition of attack graphs is the same proposed by Pinchinat et al. [20], who defined an attack graph to attack tree transformation, the inverse of what we propose. The is a set of actions based in the system model the attack graph is built around. Ultimately, the contents of will be wholly defined by such a system model. By convention, we define partial function with a set of mappings, given in the set . Expanding upon Definition 1, we can define two further functions that will be useful in the transformation algorithm. Both of these functions are inspired by the work of Gadyatskaya et al. [5] and focus on isolating specific elements of attack trees.

Definition 3 (Top Function)

This function obtains the action of the root node as follows (for ):

We call an attack tree of depth one a radical. The auxiliary function defined below obtains a single transition (radical) from one level of an attack tree to another.

Definition 4 (Rad Function)

The function finds the uppermost radical of a provided tree as input as follows (for ):

The previous definition introduces the idea of radical elements of attack trees. The intuition behind these radicals is that a radical in an attack tree is the smallest possible subtree. It is a component consisting solely of a root node, an operator and a set of children that are singular nodes themselves. Our attack graph transformation will use radicals as base components. As outlined in the definition above, a radical is found by using the rad function. The child nodes in a radical can themselves be root nodes of different radicals, and these radicals are likewise found by using the rad function on those child nodes.

Definition 5 (Kid Function)

The function returns the set of children of a radical:

Fundamentally, our transformation approach will take the form of defining the separate radicals, creating a mapped transformation of those radicals from an attack tree to attack graph, and then combining the radicals that are in the attack graph in a manner that retains the attack component information expressed in attack trees.

Zero and Single Element Radicals.

The radicals described thus far are of size ; they are dynamically defined such that any number of children in the radical can be directly mapped from attack trees to attack graphs. The implication is that , however this is not necessary. There are two edge cases that are worth mentioning, when and when . When , we have the case of a radical without children; this is the case of . Additionally, we have a graphical example of this single action mapping in Figure 3.

When , this would fit our definition of a radical, as there would be a defined root, operator and set of children with cardinality 1. However, our three defined radicals all converge when . This follows from our understanding of these operators. The difference between AND and SAND being that SAND is an ordered AND; when , there is only one possible order, thus AND and SAND are equivalent. For similar reasons, OR is also the same as both AND and SAND.

We introduce these edge cases for the sake of completeness of our approach. However, single element radicals are rare in real-world attack trees as their children nodes are often considered redundant and removed from the tree.

4 Transformation Example

for tree= draw, minimum height=1cm, anchor=parent, align=center, child anchor=parent, edge=¡- , adnode/.style=rounded rectangle,, [Get Root Access, adnode [Exploit Buffer Overflow, adnode [Deploy .rhhost file, adnode], [Remote login, adnode]], [Exploit Administrator, adnode, angle below [Invent Need For
Root Access, adnode] [Befriend
Administrator, adnode, arrow below [Get Phone Number, adnode], [Invite to Social Function, adnode] ] ] ]

Figure 1: A simple attack tree

Get Phone Number

Invent Needfor Root Access

Remote Login

Deploy .rhhost file

Invite toSocial Function

Get phonenumber

Exploit BufferOverflow

Exploit BufferOverflow


Invite toSocial Function

Invent Needfor Root Access


Exploit BufferOverflow

Get Root Access

Get Root Access

Get Root Access
Figure 2: An attack graph representation of the model in Figure 1

We begin with a simple example of an attack tree as seen in Figure 1. The overall goal is to get root access of a system. Directly below the overall root, we see two sub goals in an OR relationship; if any sub-goal, either exploiting a buffer overflow or exploiting an administrator, is accomplished, then the overall goal of getting root access will be accomplished. With exploiting the buffer overflow, we can see that there are two attack components, again in an OR relationship. Once again, if either component is completed, then the sub-goal is accomplished and by extension the overall goal is accomplished. With exploiting the administrator, we see two attack components in an AND relationship, meaning that both components will need to be accomplished to accomplish the sub-goal. One of these components has subcomponents in a SAND relationship, which need to be accomplished in a particular order before the parent action can be completed.

In the provided example, the order of subcomponents for exploiting the administrator is not important. There are AND relationships where the order of components is important or where the components specifically need to occur in parallel [11]; however, we are limiting our understanding of AND relationships to be unordered AND relationships, i.e., the attacker can execute actions in any order to successfully achieve the goal. The SAND component of the attack tree is an ordered AND, where a defined order is provided. The elements in the SAND relationship occur in the same order (first the administrator phone number needs to be obtained, then the administrator can be invited somewhere).

In Figure 2, we see an attack graph representation of the same information. First, we see that the nodes of the AT have now become the state transitions in the AG. We start from an initial state, with the only description of this state being that no attack component has been applied yet. The initial attack vectors (transitions outgoing from the initial state) are the basic components in the AT (the leaf nodes). We see some basic structures that will enable us to generalize the transformation procedure. Namely, we see that the components in an OR relationship (“Remote login” and “Deploy .rhhost file”) create fairly parallel paths through the attack graph. Additionally, for the AND relationship (“Invent need for root access” and “Befriend Administrator”), we see a type of a lattice structure, where transitions between states occur internally within the AND components before returning to an overall path. The generalization of these rules is introduced in the following section.

5 Mapping

Fundamentally, nodes in attack trees represent actions, while nodes in attack graphs represent system states. The edges in an attack tree represent the relationships between actions, while the edges in attack graphs represent state transitions. Our intuition is that state transitions and actions are equivalent concepts, and as such, we will base our transformation on this equivalence. We now present our transformation approach for radicals.

We create a distinction of and states, where states are already in the attack graph, while states are generated by a specific mapping.

5.1 Edge Cases

Single node.

To begin, let us consider the basic case of an attack tree with a single action or node, and what this extreme case would be in the form of an attack graph.

for tree= draw, minimum height=1cm, anchor=parent, align=center, child anchor=parent, edge=¡- , adnode/.style=rounded rectangle,, [Action, adnode, ]

(a) Attack Tree

(b) Attack Graph
Figure 3: Single action attack tree and attack graph

From Figure 3, we can see that the attack tree of a single action is very simple, it is merely a single node named after the action. In the attack graph, we have a similar mechanism to represent this action; however, this mechanism is in the form of a state transition, otherwise referred to as an edge. In graph theory, for an edge to exist, there must be nodes for an edge to exist between [2]; similarly, in attack graphs, we have a tuple that containing states and state transitions, and state transitions cannot exist without states.

We see our first example of and states. In the case of the single node attack tree in Figure 3, only a state transformation is described; however, as we just discussed, a state transition implies the existence of states in the attack graph. In order to resolve this paradox where state transitions need to exist without being created directly, we instead say that the defined state transition goes between two states. These were already in the attack graph, and thus do not need to be created for this mapping. Following from Definition 2, the complete form of this simple attack graph is given in Equation 1.


Where the only two states, and are the starting and solution states respectively, and the action is the defined state transition between them.

Radical with one child.

for tree= draw, minimum height=1cm, anchor=parent, align=center, child anchor=parent, edge=¡- , adnode/.style=rounded rectangle,, [Action 1, adnode, [Action 2, adnode] ]

(a) Attack Tree

Action 2

Action 1
(b) Attack Graph
Figure 4: Single child attack tree and attack graph

From Figure 4, we see a similar structure in the attack graph as in Figure 3. Both actions in the attack tree are directly mapped to state transitions in the attack graph. However, unlike in Figure 3, we now have two edges, and as all edges require a defined starting and ending state, we will require a third node in the attack graph. [2, 23]. As such, these two edges necessitate the creation of an intermediate state. The meaning behind this state is it is the resulting state after the completion of “Action 2” but before the completion of “Action 1”. This is our first encounter with states. As in Equation 1, we have the same starting states; however, now we introduce a state, as the generated intermediate state for this mapping. The state was not already in the attack graph. The resulting attack graph would be of the form:


We can begin to develop an intuition regarding how our transformation will be structured. Namely, nodes in attack trees will be directly mapped to edges (the state transitions) in attack graphs, and states will be created to enable such state transitions to exist. The states are given meaning by where they fall in the transition relation partial function. The only remaining concept that requires mapping is the operators (AND, SAND, and OR) in attack trees. Once the operator mapping is defined, we will have the means to create a transformation algorithm from attack trees to attack graphs.

5.2 OR Radical

Our understanding of the OR radical in attack trees is that only a single component (child action) of an OR radical needs to be completed for the goal, or root, of the OR to also be accomplished. In an attack graph where individual attack vectors are expressed more explicitly, we would expect that each individual OR component would contribute to a separate attack vector. These separate attack vectors will introduce separate states in the attack graph, as each attack component is a different state transition, and different state transitions result in different states.

for tree= draw, minimum height=1cm, anchor=parent, align=center, child anchor=parent, edge=¡- , adnode/.style=rounded rectangle,, [Higher Action, adnode, [Action 1, adnode] [, adnode] [Action , adnode] ]

(a) Attack Tree

Action 1


Higher Action

Higher Action

Higher Action
(b) Attack Graph
Figure 5: OR Radical

If we express solely this radical (that is, ) as an attack graph, we would generate the following graph. By convention, we organize separate the transition of different levels of the attack graph into separate sets and combine them for the final definition of the partial function transition relation . As with Equation 2, the states are already in the attack tree, while states are generated from this radical:


As we can see in Figures 4(a) and 4(b), and subsequently in Equation 3, the OR radical in an attack graph is a series of disjoint “legs” with a state transition culminating in a state for each attack component represented in the attack tree. As each attack component is unique, the system states that are a result of the application of those attack components must also be unique. This does not rule out the possibility of the application of unique attack components resulting in the same state; that would be a possible expansion of the radical mapping we have laid out here. Given that the “Higher Action” in this radical could itself be a component in another radical, we see that the “Higher Action” in the attack tree radical is again represented as a state transition in the attack graph. Here, we assume that only one component in the OR relationship will ever be completed in a single attack vector.

Given that the Actions  through in Figure 4(b) are distinct state transitions, we expect that the resulting states are different. The subgraph below the OR radical is thus duplicated for each element in the OR radical. If the only remainder of the graph below the OR radical was a solution state, as in the case of , then there would be a separate solution state for each element in the OR radical. If we consider the transition relation and the example of Figure 4(b), we operate under the expectation ; our expectation is the output of these functions are entirely different states in . This does not preclude the possibility of the output of different inputs resulting in the same state, merely that we expect that with different state inputs, the output states would thus be different. Intuitively, if the same action is applied to two different states, the resulting state would be different.

5.3 AND Radical

On the contrary to the OR operator, AND operators have an understanding of all actions in the AND needing to be performed for the AND to be completed. However, unlike the SAND operator, there is no defined order to the actions in an AND. Thus, the attack graph must represent all possible combinations of action orders for the actions within a single AND operator.

for tree= draw, minimum height=1cm, anchor=parent, align=center, child anchor=parent, edge=¡- , adnode/.style=rounded rectangle,, [Higher Action, adnode, angle below [Action 1, adnode] [Action 2, adnode] [Action 3, adnode] ]

(a) AND Radical

Action 1

Action 2

Action 3

Action 2

Action 3

Action 1

Action 3

Action 1

Action 2

Action 3

Action 2

Action 1

Higher Action
(b) AND Radical in an Attack Graph
Figure 6: AND Radical

Consider the AND radical in Figure 5(a). Transforming it into an attack graph, we would obtain the following graph (we continue with the convention presented in Equation 3):


As we can see in Figure 5(b) and subsequently in Equation 4, the AND radical in an attack graph creates a lattice structure such that intermediate states represent the application of some combination of different elements in an AND operator.

Generally speaking, on the row of the lattice, we see the application of distinct state transitions. In the first row, every state is the result of a single state transition. On the second, every state is the result of two state transitions. On the row, every state is the application of state transitions. We can find the number of states in a row by calculating the number of unique unordered grouping of state transitions with possible state transitions, this is simply . In the final row of the lattice, we have states, and thus we only have a single state. This follows from our understanding of the meaning of these states, as this state is the application of all the different actions in the AND radical. There is only one possible, unordered, way to apply all the actions in the AND radical, and this is the final resulting state. From this state, we apply the “Higher Action”, but as this is only applied to a single state at the end of the lattice, we only have a single final state from this radical.

In Figure 5(b), we see an AND radical with , a so-called AND. For the lack of space, generalization of the AND is provided in Appendix 0.A.

5.4 SAND Radical

The SAND, or Sequential AND, radical is similar to the AND in that all actions in the SAND need to be completed for the operator to evaluate as successful. However, unlike the AND operator, the SAND operator has a specified order. Actions in the SAND need to occur sequentially for the overall radical to be successful. For the tree shown in Figure 6(a) we would generate the following graph:

for tree= draw, minimum height=1cm, anchor=parent, align=center, child anchor=parent, edge=¡- , adnode/.style=rounded rectangle,, [Higher Action, adnode, arrow below [Action 1, adnode] [, adnode] [Action , adnode] ]

(a) Attack Tree

Action 1


Higher Action
(b) Attack Graph
Figure 7: SAND Radical

As we can see in Figure 6(b), the SAND radical is by far the simplest structure we have developed thus far. Like the other radicals, the overall starting and ending states are implied, and may be the overall attack graph starting and ending states, or may be internal states created by other radicals. As the order is defined, the actions are chained together in order, with the intermediate states representing the state of the system after the application of some of the actions.

In the SAND radical, actions are applied sequentially. As such, in the attack graph state transitions are also applied sequentially. This results in overall states (one state for each of actions).

6 Algorithm

The algorithm is effectively divided in two parts: analysis of the attack tree, and sequential construction of the attack graph. In the first portion of the algorithm, we find all the radicals present in the attack tree and store them in a radical dictionary. This radical dictionary, denoted as , is a dictionary data structure that represents a deconstructed attack tree, where all elements of the original attack tree are present, and stored separately as radicals. We store each radical using the radical root node value as the key. Once all the radicals in the attack tree are found and stored into the radical dictionary, the attack graph can be systematically constructed. This part is presented in Algorithm 1.

Attack Tree,
Radical Dictionary,
for  do
       if  then
             Add to        
Create Attack Graph,
while  do
       for  do
             if  in Key Set of  then
                    Add Radical to Attack Graph
                    Remove from                     
Assign values to states in attack graph
return Attack Graph
Algorithm 1 AT AG Transformation
Attack Tree Radical:
Attack Graph:
Remove from
the subgraph where
if  then
       Remove from
       for  in  do
             Add to and to
             Add to and to
             Add to and to
             Add , where to        
else if  then
       Create subgraph
       Add to
       Add to
       Add to
else if  then
       for  in  do
             Add to and to        
       Add to
Procedure 2 Add Radical to Attack Graph

The algorithm starts with an attack graph containing two states, and , the single starting and success states respectively. These two states are our initial states. There is a single edge between these two states, which is defined as equivalent to the overall root of the attack tree. Intuitively, the meaning behind this simple 2-state attack graph is that accomplishing the overall goal represented by an attack tree (the root), we move from an initial state to a success state. However, accomplishing the overall goal is hardly a single step in and of itself, if it were the attack tree would be a single node as in Figure 3. By expanding the edge between and in the initial attack graph, we can add the detailed information of the subcomponents of the overall goal to the attack graph. As such, while processing the attack tree components in the radical dictionary, we add additional states and state transformations to the attack graph, until our attack graph fully represents the original attack tree.

The sequential construction of the attack tree follows from this intuition. We check the edges in the attack graph to see if they are a key for a radical in the radical dictionary. Once we find an edge that is a key to a radical in the radical dictionary, we remove this edge from the attack graph, and replace it with the relevant defined mapping from Section 5. The procedure of adding a radical to the attack graph is presented in Procedure 2. This expansion will cause new states to be generated, which will then become states for other radicals. Additionally, these mappings will cause the keys to other elements of the radical dictionary to be added to the attack graph, which subsequently allow for the addition of every radical in the radical dictionary to be added to the attack graph. After a radical is added to the attack graph, it is removed from the radical dictionary. Once the radical dictionary is empty, all the radicals from the attack tree has been added to the attack graph, and the attack graph is thus a complete transformation from the original attack tree, representing similar information.

7 Discussion

Evaluation on the running example.

If we return to the example found in Section 4, we can see that the application of the algorithm as described in Figure 1 will exactly result in the attack graph shown in Figure 2. For every attack vector represented in the attack tree, the same attack vector is represented similarly in the attack graph, only with the introduction of states. These states are not provided with specific meaning outside of numbering as our specific definition; however, the ability to assign further meaning to these states is not excluded by our methodology.

The running example shows that the approach can create attack graphs from attack trees. We now discuss the main benefits of our methodology, how can it be extended, and what measures have we taken to address the state explosion problem. For the lack of space, semantical aspects of the OR decomposition and how does our approach relate to SP-graph semantics, the main semantics used for SAND-attack trees [11], are discussed in the Appendix 0.B.

Benefits of our approach.

One of the immediate benefits of our technique is that now it is possible to generate attack graphs from all human-designed attack trees from the literature and attack tree libraries. Indeed, most attack trees are created by humans, but attack graphs for any interesting system are generated automatically due to the state explosion problem, as discussed by Valmari [24]

. Thus by enabling the transformation from a human-generated attack tree to a transformed attack graph, we create an attack graph structure for a scenario of interest that potentially can be enhanced with the methods and tools created specifically for attack graphs (e.g., transformation into Bayesian networks 

[6]). Moreover, typically attack trees use more abstract attack scenarios than attack graphs. Thus, it would be interesting to compare automatically generated attack graphs with the transformed attack graphs, to understand which attacks have been missed in both cases.

Future applications.

Another advantage of enabling a direct transformation between attack trees and attack graphs is that new, automated generation schemes for attack graphs could become possible. As we mentioned earlier, significant research has already been performed into novel generation schemes for attack trees. A major branch of current attack tree research is into generation schema, particularly focusing on automated machine generation. Therefore, one advantage of being able to transform attack trees into attack graphs is the ability to use these novel generation methods to generate attack graphs.

While the transformation discussed here is in a single direction, as we discussed in Section 3, we deliberately use the same definition of attack graphs as Pinchinat et al. in their work on the ATSyRa algorithm which transforms attack graphs into attack trees [21]. As such, the attack graphs generated from our algorithm could be used as input into the ATSyRa algorithm to return them to attack trees.

This potentially enables the ability to convert an attack tree into an attack graph, the manipulation of the attack graph, and then conversion back into an attack tree. Furthermore, we now have a greater means to study potential edge cases within these models, for instance, the introduction of cycles within an attack graph, or the removal of a given state or specific attack vector.

Finally, thus far we have only concerned ourselves with a simple SAND attack tree [11], but further expansion of attack trees are available. For instance, we could expand this transformation to use an attack-defense tree (AD Tree) as an input, and then created an expanded attack graph representing the defensive actions represented in the attack tree. Expansion of the transformation methodology in this vein would similarly apply to the attack graph to attack tree ATSyRa transformation [20].

Addressing state explosion problem.

As pointed out by Antti Valmari, a major consideration in any state-based model will be the state explosion problem [24]. We thus want to define a sufficiently robust transformation, that results in an attack graph that contains enough information (i.e. states) without containing too many states.

Our primary means of achieving a reduction in the state is to eliminate backtracking or partial attack paths. By maintaining the monotonicity in generated attack graphs, we can prevent a factorial number of states from being generated. Back to the example in Figure 2, we have no state such that the same action has been taken multiple times. There is no state such that a path from to has two state transitions and where . If we were to allow partial pathing, the attack graph couple potentially not terminate, or would have significant cycling.

Another mitigation strategy we take is the understanding that the OR operator functions as more like an XOR operator. We can see this in action in Figure 2, where there is no state such that a path from to has the state transitions C and D. If we were to understand that the OR operator was not an XOR, then we would have to add states to attack graphs to allow for each vector that includes multiple components from the OR radical. This directly increases the number of states for each child, given children, from to . We further discuss this choice in Appendix 0.B.

8 Conclusions and Future Work

In this work, we have laid out a structure of a transformation that will take an attack tree as input and return an attack graph. This style of transformation already exists in literature, albeit in the opposite direction as ours. We have evaluated our transformation approach on a case study.

In terms of expansion of our work, firstly we would wish to define a transformation of Attack-Defense Trees (AD Trees). Such a transformation would likely require an alternative definition of attack graphs; however, it may be possible to define a transformation such that we only use the definition of attack graphs that we use here. Furthermore, we would like to attempt to define a more efficient state creation schema, which would make the transformation algorithm more space and time efficient.


  • [1] Barik, M.S., Sengupta, A., Mazumdar, C.: Attack graph generation and analysis techniques. Defence Science Journal 66(6) (2016)
  • [2] Biggs, N., Lloyd, E.K., Wilson, R.J.: Graph Theory, 1736-1936. Oxford University Press (1986)
  • [3] Dawkins, J., Hale, J.: A Systematic Approach to Multi-Stage Network Attack Analysis. Second IEEE International Information Assurance Workshop (2004)
  • [4] Feng, C., Han-Dong, M., Wei-Ming, Z.: Survey of attack graph technique. Computer Science 38(11), 12–18 (2011)
  • [5] Gadyatskaya, O., Jhawar, R., Mauw, S., Trujillo-Rasua, R., Willemse, T.A.C.: Refinement-Aware Generation of Attack Trees. In: Security and Trust Management. LNCS, vol. 10547, pp. 164–179. Springer (2017)
  • [6] Haque, M.S., Atkison, T.: An Evolutionary Approach of Attack Graph to Attack Tree Conversion. International Journal of Computer Network and Information Security 9, 1–16 (Nov 2017)
  • [7] Haque, S., Keffeler, M., Atkison, T.: An Evolutionary Approach of Attack Graphs and Attack Trees: A Survey of Attack Modeling. International Conference Security and Management (2017)
  • [8] Hong, J.B., Kim, D.S., Chung, C.J., Huang, D.: A survey on the usability and practical applications of graphical security models. Computer Science Review 26, 1–16 (2017)
  • [9] Hong, J.B., Kim, D.S., Takaoka, T.: Scalable Attack Representation Model Using Logic Reduction Techniques. In: 12th International Conference on Trust, Security and Privacy in Computing and Communications. pp. 404–411. IEEE (2013)
  • [10] Ivanova, M.G., Probst, C.W., Hansen, R.R., Kammüller, F.: Transforming Graphical System Models to Graphical Attack Models. In: Graphical Models for Security. LNCS, vol. 9390, pp. 82–96. Springer (2016)
  • [11] Jhawar, R., Kordy, B., Mauw, S., Radomirovic, S., Trujillo-Rasua, R.: Attack Trees with Sequential Conjunction. In: Proc. of SEC. IFIP AICT, vol. 455, pp. 339–353. Springer (2015)
  • [12] Kaynar, K.: A taxonomy for attack graph generation and usage in network security. Journal of Information Security and Applications 29, 27–56 (2016)
  • [13] Kordy, B., Pietre-Cambacedes, L., Schweitzer, P.: Dag-based attack and defense modeling: Don’t miss the forest for the attack trees. Computer science review 13, 1–38 (2014)
  • [14] Lallie, H.S., Debattista, K., Bal, J.: A review of attack graph and attack tree visual syntax in cyber security. Computer Science Review 35, 100219 (2020)
  • [15] Lippmann, R., Ingols, K.: An Annotated Review of Past Papers on Attack Graphs. MIT Lincoln Laboratory (2005)
  • [16] Mauw, S., Oostdijk, M.: Foundations of Attack Trees. In: Information Security and Cryptology - ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer (2006)
  • [17] Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: Proc. of VizSEC/DMSEC. pp. 109–118 (2004)
  • [18] Noel, S., Jajodia, S., O’Berry, B., Jacobs, M.: Efficient Minimum-Cost Network Hardening Via Exploit Dependency Graphs. In: IEEE 19th Annual Computer Security Applications Conference. pp. 86–95 (2003)
  • [19] Ou, X., Boyer, W., McQueen, M.: A scalable approach to attack graph generation. In: Proc. of CCS. pp. 336–345. ACM (2006)
  • [20] Pinchinat, S., Acher, M., Vojtisek, D.: Towards Synthesis of Attack Trees for Supporting Computer-Aided Risk Analysis. LNCS, vol. 8938 (2014)
  • [21] Pinchinat, S., Acher, M., Vojtisek, D.: ATSyRa: An Integrated Environment for Synthesizing Attack Trees. In: Graphical Models for Security. LNCS, vol. 9390, pp. 97–101. Springerg (2016)
  • [22] Schneier, B.: Attack trees. Dr. Dobbs Journal 24(12), 21–29 (1999)
  • [23] Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.: Automated generation and analysis of attack graphs. In: Proc. of IEEE S&P. pp. 273–284. IEEE (2002)
  • [24] Valmari, A.: The state explosion problem, LNCS, vol. 1491. Springer (1998)
  • [25] Vigo, R., Nielson, F., Nielson, H.R.: Automated Generation of Attack Trees. In: 27th Computer Security Foundations Symposium. pp. 337–350. IEEE (2014)
  • [26] Wideł, W., Audinot, M., Fila, B., Pinchinat, S.: Beyond 2014: Formal methods for attack tree–based security modeling. ACM Comp. Surveys 52(4), 1–36 (2019)
  • [27] Zeng, J., Wu, S., Chen, Y., Zeng, R., Wu, C.: Survey of attack graph analysis methods from the perspective of data and knowledge processing. Security and Communication Networks (2019)

Appendix 0.A The -And Radical


We can see in Figure 5(b) the creation of a lattice structure in the attack graph; this structure allows for all possible application orders for actions in an AND radical. The row of the lattice represents the application of unique actions. As each subsequent row represents the application of one additional unique action, then we know there will be rows in the lattice; the final row will consist of a single node that is the application of all actions in the AND radical. Selecting unique actions out of possible actions is the same as picking an unordered group of from , which is the mathematical operator . As every row will have possible states, the total number of states resolves to:

for tree= draw, minimum height=1cm, anchor=parent, align=center, child anchor=parent, edge=¡- , adnode/.style=rounded rectangle,, [Higher Action, adnode, angle below [Action 1, adnode] [, adnode] [Action , adnode] ]

(a) Attack Tree

Action 1


Action 1



Action 1

Higher Action
(b) Attack Graph
Figure 8: AND Radical

Appendix 0.B Semantical Considerations

0.b.0.1 Xor-like Or.

Our interpretation of the OR refinement resembles more an exclusive-OR. To illustrate this point, consider again the OR radical mapping shown in Figure 4(b), in this mapping, we assume that only one of the OR actions will be completed. While a common understanding of an OR operator is that the output is true if one input is true, in our case, we are explicitly excluding the possibility of multiple actions happening in a single OR radical. Our primary reason for this is to reduce the number of states in the generated attack graph, which is further discussed in the next sub-section. It would be possible to allow a true OR, where multiple children of an OR radical can be components of a successful attack vector. These attack vectors would have redundant components, as including more than one subcomponent of an OR would introduce redundancy.

0.b.0.2 Relationship with SP-graph semantics

SP-graphs are one method of semantically representing attack trees [11]. If we consider the following small attack graph and its SP-graph semantics, we can see why our approach is fundamentally different than SP-graph semantics.

While network expressions of SP graphs and attack graphs might look similar, these structures are fundamentally different. SP graphs do not have a concept of states while states are central to attack graphs. Additionally, the common understanding of SP graphs focuses entirely on leaf nodes, with the understanding that intermediate nodes do not carry information and are primarily placeholders [16, 11]. Manually created attack trees are most likely to have intermediate nodes that carry meaning, and as such, should be included in any semantic representation of that attack tree. Our generated attack graphs assume that intermediate nodes carry meaning, which SP graphs assume that intermediate nodes are purely functional without independent meaning.

Given SP graphs are a valid semantic representation of attack trees, our attack graph generation schema requires an attack tree as input, and the visual similarities between these representations, it follows that attack graphs could potentially be generated from SP graphs directly. However, when examining our transformation algorithm, the most computationally intensive component is the generation and connection of the states in attack graphs. And as we just discussed, SP graphs do not have states. As such, an algorithm using SP graphs as input would still have a computationally expensive state generation and connection step, and would not be any faster or more efficient.