A Unified Compositional View of Attack Tree Metrics

Benedikt Peterseim, Milan Lopuhaä-Zwakenberg

TL;DR

This paper introduces a unified, compositional theory for attack tree (AT) metrics based on gs-monoidal channel categories. By modeling ATs as term graphs and AT components as channel-category objects, AT metrics are defined as functors between channel categories, enabling a modular, structure-preserving semantics that subsumes many existing metrics. The framework encompasses bottom-up semiring metrics, propositional and stochastic interpretations, minimal-attack semantics, multiset semantics, and fault-tree unreliability, while clarifying non-examples. The main contributions are a formal compositional semantics, a unification of prior AT metrics under a single categorical lens, and constructive results enabling metric computation via decomposition into atomic components. This approach provides a principled pathway to algorithmically compute and compare AT metrics and connects ATs to broader string-diagram formalisms used in diverse domains.

Abstract

Attack trees (ATs) are popular graphical models for reasoning about the security of complex systems, allowing for the quantification of risk through so-called AT metrics. A large variety of such AT metrics has been proposed, and despite their widespread practical use, no systematic treatment of attack tree metrics so far is fully satisfactory. Existing approaches either fail to include important metrics, or they are too general to provide a useful systematic way for defining concrete AT metrics, giving only an abstract characterisation of their behaviour. We solve this problem by developing a compositional theory of ATs and their functorial semantics based on gs-monoidal categories. Viewing attack trees as string diagrams, we show that components of ATs form a channel category, a particular type of gs-monoidal category. AT metrics then correspond to functors of channel categories. This characterisation is both general enough to include all common AT metrics, and concrete enough to define AT metrics by their logical structure.

Paper Structure

This paper contains 28 sections, 9 theorems, 78 equations, 1 figure, 1 table.

Key Result

Theorem 3.12

Every term graph is a sequential composite of parallel composites of atomic term graphs. In more detail, let $T$ be a term graph over a signature $\Sigma$. Then there exist $N$, $k_1, \dots, k_N\in \mathbb{Z}_{\geq 0}$, and atomic term graphs $A_{1,1}, \dots, A_{k_1,1}, \dots A_{1,N}, \dots A_{k_N,N

Figures (1)

  • Figure 1: Example attack tree: An attacker aims to gain unauthorised access to an office space. This requires passing a turnstile and entering through a secured door (top AND gate). To pass the turnstile, they can either forge an access badge or distract the guard and jump over (left OR gate). To enter the door, they can either also use a forged badge or follow an employee in (right OR gate). Basic attack steps are labelled with their cost: distracting the guard costs $\$30$, forging a badge $\$100$, and sneaking in $\$80$.
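
The tree in Figure 1 is small enough to evaluate by hand, and doing so shows why the choice of semantics matters when a basic attack step is shared between gates. The following is an added example, not code from the paper: it computes the min-cost metric on that tree twice, once bottom-up in the (min, +) semiring and once as the cheapest minimal attack under propositional semantics. The step names and the tuple encoding of the tree are assumptions made for illustration; the costs are those in the caption.

```python
from itertools import combinations

# Attack tree from Figure 1 as a DAG: "forge_badge" feeds both OR gates.
# Step names and tuple encoding are illustrative; costs are from the caption.
COST = {"forge_badge": 100, "distract_guard": 30, "follow_employee": 80}
TREE = ("AND",
        ("OR", "forge_badge", "distract_guard"),    # pass the turnstile
        ("OR", "forge_badge", "follow_employee"))   # enter the secured door


def bottom_up_min_cost(node):
    """Min-cost in the (min, +) semiring: OR -> min, AND -> sum."""
    if isinstance(node, str):
        return COST[node]
    gate, *children = node
    values = [bottom_up_min_cost(c) for c in children]
    return min(values) if gate == "OR" else sum(values)


def succeeds(node, attack):
    """Propositional semantics: do the performed steps reach this node?"""
    if isinstance(node, str):
        return node in attack
    gate, *children = node
    results = [succeeds(c, attack) for c in children]
    return any(results) if gate == "OR" else all(results)


def minimal_attacks(tree):
    """Successful step sets that have no successful proper subset."""
    steps = sorted(COST)
    found = []
    # Enumerating by increasing size guarantees subsets are seen first.
    for size in range(1, len(steps) + 1):
        for combo in combinations(steps, size):
            attack = frozenset(combo)
            if succeeds(tree, attack) and not any(m < attack for m in found):
                found.append(attack)
    return found


def min_cost_over_attacks(tree):
    """Cheapest minimal attack, paying for each shared step only once."""
    return min(sum(COST[s] for s in a) for a in minimal_attacks(tree))


if __name__ == "__main__":
    print("bottom-up:", bottom_up_min_cost(TREE))
    print("minimal attacks:", [sorted(a) for a in minimal_attacks(TREE)])
    print("cheapest attack:", min_cost_over_attacks(TREE))
```

The bottom-up pass picks the locally cheapest child at each OR gate (30 + 80 = 110) and never considers that one forged badge satisfies both gates, whereas the cheapest minimal attack is the badge alone at 100.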

Theorems & Definitions (50)

  • Definition 3.1: Signature
  • Example 3.2
  • Definition 3.3
  • Example 3.4
  • Definition 3.5: Term graph
  • Definition 3.6: Attack tree
  • Definition 3.7: Attack tree component
  • Example 3.8
  • Definition 3.9: Sequential composition of term graphs
  • Definition 3.10: Parallel composition of term graphs
  • ...and 40 more