Attack Tree Distance: a practical examination of tree difference measurement within cyber security

Nathan D. Schiele, Olga Gadyatskaya

TL;DR

This work addresses the absence of a formal method to compare attack trees in cyber threat modeling. It proposes multiple distance measures that blend structure and semantic similarity, notably a tree edit-distance variant with refinement costs (TED) and a radical-distance (RD) approach, aided by embedding-based label comparisons. Through theory and an empirical study with 39 student-generated trees, semantic similarity proves a viable component for node-label comparison, and TED and RD emerge as the most promising measures, with a data-driven weighted sum (WSD) offering additional performance. The results support using these distances to share attack trees, identify similar threats, and potentially guide automated generation of attack trees in real-world scenarios involving unfiltered labels and varied node semantics.
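As an added worked example (not the authors' code, and not the paper's exact cost definitions), the Python below computes an ordered tree edit distance between two attack trees with the classic Zhang-Shasha algorithm. The rename cost combines a thresholded label similarity, with ε playing the role of the semantic similarity limit, and a refinement-change penalty γ that is charged only when one node is changed into another, matching the statement of Lemma 1. Everything else is an assumption made for the example: token-overlap (Jaccard) similarity stands in for the embedding model so the code runs offline, insert and delete cost 1 per node, the label cost is binary (0 at or above ε, else 1), and the sample trees are constructed toy trees rather than trees from the study dataset.

```python
"""Zhang-Shasha ordered tree edit distance over attack-tree nodes.

Illustrative code added to this page; not the paper's implementation.
Assumed costs: insert/delete = 1; rename = (0 if Jaccard(label) >= eps
else 1) + gamma if an internal node's AND/OR refinement changes.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    label: str
    refinement: str = "OR"          # "OR" or "AND"; ignored for leaves
    children: List["Node"] = field(default_factory=list)


def jaccard(a: str, b: str) -> float:
    """Stand-in for embedding similarity: token overlap of two labels."""
    ta = set(re.findall(r"[a-z0-9]+", a.lower()))
    tb = set(re.findall(r"[a-z0-9]+", b.lower()))
    return len(ta & tb) / len(ta | tb) if ta | tb else 1.0


def rename_cost(a: Node, b: Node, eps: float, gamma: float) -> float:
    """Cost of changing node a into node b (assumed form)."""
    cost = 0.0 if jaccard(a.label, b.label) >= eps else 1.0
    if a.children and b.children and a.refinement != b.refinement:
        cost += gamma               # gamma only applies on a rename (Lemma 1)
    return cost


def index_tree(root: Node):
    """1-based post-order numbering plus leftmost-leaf index per node."""
    nodes, left = [None], [0]

    def walk(n: Node) -> int:
        first = None
        for c in n.children:
            lc = walk(c)
            first = lc if first is None else first
        nodes.append(n)
        idx = len(nodes) - 1
        left.append(idx if first is None else first)
        return left[idx]

    walk(root)
    return nodes, left


def keyroots(left: List[int]) -> List[int]:
    """Nodes that are not on the leftmost path of a higher node."""
    seen, roots = set(), []
    for k in range(len(left) - 1, 0, -1):
        if left[k] not in seen:
            seen.add(left[k])
            roots.append(k)
    return sorted(roots)


def tree_edit_distance(t1: Node, t2: Node, eps: float = 0.5, gamma: float = 0.5) -> float:
    A, la = index_tree(t1)
    B, lb = index_tree(t2)
    n, m = len(A) - 1, len(B) - 1
    td = [[0.0] * (m + 1) for _ in range(n + 1)]        # subtree distances
    for i in keyroots(la):
        for j in keyroots(lb):
            li, lj = la[i], lb[j]
            fd = [[0.0] * (m + 1) for _ in range(n + 1)]  # forest distances
            for i1 in range(li, i + 1):
                fd[i1][lj - 1] = fd[i1 - 1][lj - 1] + 1.0   # delete i1
            for j1 in range(lj, j + 1):
                fd[li - 1][j1] = fd[li - 1][j1 - 1] + 1.0   # insert j1
            for i1 in range(li, i + 1):
                for j1 in range(lj, j + 1):
                    if la[i1] == li and lb[j1] == lj:
                        fd[i1][j1] = min(fd[i1 - 1][j1] + 1.0,
                                         fd[i1][j1 - 1] + 1.0,
                                         fd[i1 - 1][j1 - 1]
                                         + rename_cost(A[i1], B[j1], eps, gamma))
                        td[i1][j1] = fd[i1][j1]
                    else:
                        fd[i1][j1] = min(fd[i1 - 1][j1] + 1.0,
                                         fd[i1][j1 - 1] + 1.0,
                                         fd[la[i1] - 1][lb[j1] - 1] + td[i1][j1])
    return td[n][m]


def sample_trees():
    """Constructed toy trees (not from the study): base, and three variants."""
    phish = [Node("Send phishing email"), Node("Harvest submitted password")]
    base = Node("Steal user credentials", "OR",
                [Node("Phish the user", "AND", phish), Node("Guess weak password")])
    refined = Node("Steal user credentials", "OR",          # AND -> OR on one node
                   [Node("Phish the user", "OR", phish), Node("Guess weak password")])
    relabelled = Node("Steal user credentials", "OR",       # one leaf reworded
                      [Node("Phish the user", "AND", phish), Node("Brute-force password")])
    extended = Node("Steal user credentials", "OR",         # one leaf added
                    [Node("Phish the user", "AND", phish), Node("Guess weak password"),
                     Node("Buy credentials on a dark-web market")])
    return base, refined, relabelled, extended


if __name__ == "__main__":
    base, refined, relabelled, extended = sample_trees()
    for eps in (0.0, 0.25, 0.5, 1.0):   # sweep the similarity limit as in Fig. 4/5
        print(eps, tree_edit_distance(base, relabelled, eps=eps))
```

With the assumed costs, the refinement-only change scores γ = 0.5, the added leaf scores 1, and the reworded leaf ("Guess weak password" vs "Brute-force password", token overlap 0.2) scores 1 at ε = 0.5 but 0 at ε = 0.1, which is the kind of ε-sensitivity the paper sweeps in Figures 4 and 5; at ε = 0 every label pair matches and only structural and refinement differences remain.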

Abstract

CONTEXT. Attack trees are a recommended threat modeling tool, but there is no established method to compare them. OBJECTIVE. We aim to establish a method to compare "real" attack trees, based on both the structure of the tree itself and the meaning of the node labels. METHOD. We define four methods of comparison (three novel and one established) and compare them to a dataset of attack trees created from a study run on students (n = 39). These attack trees all follow from the same scenario, but have slightly different labels. RESULTS. We find that applying semantic similarity as a means of comparing node labels is a valid approach. Further, we find that tree edit distance (established) and radical distance (novel) are the most promising methods of comparison in most circumstances. CONCLUSION. We show that these two methods are valid as means of comparing attack trees, and suggest a novel technique for using semantic similarity to compare node labels. We further suggest that these methods can be used to compare attack trees in a real-world scenario, and that they can be used to identify similar attack trees.

Paper Structure

This paper contains 56 sections, 2 theorems, 3 equations, 7 figures, 4 tables, 2 algorithms.

Key Result

Lemma 1

$\gamma(\Delta)$ only applies in the case of changing one node into another.

Figures (7)

  • Figure 1: An attack tree adapted from Naik et al. (2022) that is used in the study described in the Methodology section.
  • Figure 2: Process of calculating the distance between two node labels.
  • Figure 3: Counterexamples
  • Figure 4: AT1 for semantic similarity limit ($\epsilon$) ranging from 0 to 1 with steps of 0.01
  • Figure 5: AT2 for semantic similarity limit ($\epsilon$) ranging from 0 to 1 with steps of 0.01
  • ...and 2 more figures

Theorems & Definitions (8)

  • Definition 1
  • Definition 2
  • Lemma 1
  • Proof 1
  • Lemma 2
  • Proof 2
  • Proof 3
  • Proof 4