Attack Trees: A Notion of Missing Attacks

  • Sophie Pinchinat
  • Barbara Fila
  • Florence Wacheux
  • Yann Thierry-Mieg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11720)


Attack trees are widely used for security modeling and risk analysis. Classically, an attack tree combines possible actions of the attacker into attacks. In most existing approaches, an attack tree represents generic ways of attacking a system, but without taking any specific system or its configuration into account. This means that such a generic attack tree may contain attacks that are not applicable to the analyzed system, and also that a given system could enable some attacks that the attack tree did not capture.

To overcome this problem, we extend the attack tree setting with a model of the analyzed system, allowing us to introduce precise path semantics of an attack tree and to define missing attacks. We investigate the missing attack existence problem and show how to solve it by calls to the NP oracle that answers the trace attack tree membership problem; the latter problem has been implemented and is available as an open source prototype.
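To make the two kinds of mismatch concrete, here is an added example (not the authors' prototype and not the paper's formal path semantics): it compares a generic tree against a small system model and reports attacks the tree misses and tree attacks the system does not allow. The transition system, the action labels, the simplified action-sequence reading of OR/AND/SAND and the bounded enumeration are all assumptions made for illustration.

```python
# Constructed toy system (assumption for illustration): (state, action) -> next state.
SYSTEM = {
    ("outside", "steal_badge"): "outside_with_badge",
    ("outside_with_badge", "use_badge"): "lobby",
    ("outside", "open_window"): "lobby",
    ("lobby", "pick_lock"): "server_room",
}
INITIAL, GOAL = "outside", "server_room"

def shuffle(a, b):  # all interleavings of two action sequences (used for AND)
    if not a or not b:
        return {a + b}
    return {(a[0],) + r for r in shuffle(a[1:], b)} | {(b[0],) + r for r in shuffle(a, b[1:])}

def traces(tree):
    """Action sequences of a tree: a leaf label or ('OR'|'AND'|'SAND', child, ...)."""
    if isinstance(tree, str):
        return {(tree,)}
    op, *children = tree
    if op == "OR":
        return set().union(*map(traces, children))
    result = {()}
    for s in map(traces, children):
        if op == "SAND":   # children executed in the given order
            result = {x + y for x in result for y in s}
        else:              # AND: children executed in any interleaving
            result = {z for x in result for y in s for z in shuffle(x, y)}
    return result

def run(trace, state=INITIAL):  # state reached in SYSTEM, None if a step is impossible
    for action in trace:
        state = SYSTEM.get((state, action))
    return state

def system_attacks(max_len=4):
    """Every action sequence of length <= max_len leading from INITIAL to GOAL."""
    found, frontier = set(), {((), INITIAL)}
    for _ in range(max_len):
        frontier = {(t + (a,), nxt) for t, s in frontier
                    for (src, a), nxt in SYSTEM.items() if src == s}
        found |= {t for t, s in frontier if s == GOAL}
    return found

def compare(tree):
    tree_traces = traces(tree)
    return {"missing": system_attacks() - tree_traces,
            "not_applicable": {t for t in tree_traces if run(t) != GOAL}}
TREE = ("OR", ("SAND", "steal_badge", "use_badge", "pick_lock"),  # constructed generic tree
        ("SAND", "break_door", "pick_lock"))
```

Calling `compare(TREE)` reports the window route as missing from the tree and the door-forcing route as not applicable to this system.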


Keywords: Risk analysis, Attack trees, Path semantics, Missing attacks, Complexity



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Sophie Pinchinat (1)
  • Barbara Fila (2)
  • Florence Wacheux (1)
  • Yann Thierry-Mieg (3)

  1. Univ Rennes, CNRS, IRISA, Rennes, France
  2. Univ Rennes, INSA Rennes, CNRS, IRISA, Rennes, France
  3. Sorbonne Université, CNRS, LIP6, Paris, France
