Abstract
Attack trees are a graphical formalism for security assessment. They are particularly valued for their explainability and high accessibility without security or formal methods expertise. They can be used, for instance, to quantify the global insecurity of a system arising from the unreliability of its parts, graphically explain security bottlenecks, or identify additional vulnerabilities through their systematic decomposition. However, in most cases, the main hindrance in the practical deployment is the need for a domain expert to construct the tree manually or using further models. This paper demonstrates how to learn attack trees from logs, i.e., sets of traces, typically stored abundantly in many application domains. To this end, we design a genetic algorithm and apply it to classes of trees with different expressive power. Our experiments on real data show that comparably simple yet highly accurate trees can be learned efficiently, even from small data sets.
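The abstract describes attack trees as AND/OR decompositions whose root becomes true once the log shows enough basic steps, and learning them as a search over candidate trees scored against a set of traces (note 6 adds that a trace is cut off as soon as the root turns tt). The following is an added example, not code from the paper or its artifact, that makes those two ingredients concrete: a tiny attack-tree evaluator over prefixes of a trace, a fitness function over a labelled log, and a single gate-flip mutation used as a stand-in for one step of the genetic search. The tree shape (binary AND/OR gates over basic steps a..d), the constructed log and the mutation operator are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Attack tree nodes: a Leaf is a basic step that may appear in a trace,
# a Gate combines its children with AND or OR (assumption: no SAND gates).
@dataclass(frozen=True)
class Leaf:
    name: str

@dataclass(frozen=True)
class Gate:
    op: str            # "AND" or "OR"
    children: tuple

Node = Union[Leaf, Gate]

def evaluate(node: Node, done: frozenset) -> bool:
    """Propagate the observed basic steps bottom-up to the root."""
    if isinstance(node, Leaf):
        return node.name in done
    vals = [evaluate(c, done) for c in node.children]
    return all(vals) if node.op == "AND" else any(vals)

def root_true_at(tree: Node, trace) -> Optional[int]:
    """Length of the shortest prefix at which the root turns tt, or None.
    Mirrors the convention of stopping a trace once the root is true."""
    done = set()
    for i, step in enumerate(trace):
        done.add(step)
        if evaluate(tree, frozenset(done)):
            return i + 1
    return None

def fitness(tree: Node, log) -> float:
    """Fraction of labelled traces the tree classifies correctly.
    A trace is classified positive iff the root becomes true on it."""
    correct = sum((root_true_at(tree, t) is not None) == label for t, label in log)
    return correct / len(log)

def gate_paths(node: Node, path=()):
    """Yield the child-index paths of every gate in the tree."""
    if isinstance(node, Gate):
        yield path
        for i, c in enumerate(node.children):
            yield from gate_paths(c, path + (i,))

def flip_gate(node: Node, path) -> Node:
    """Mutation operator (assumption): swap AND/OR at the gate at `path`,
    returning a new tree and leaving the input unchanged."""
    if not path:
        return Gate("OR" if node.op == "AND" else "AND", node.children)
    i, rest = path[0], path[1:]
    kids = list(node.children)
    kids[i] = flip_gate(kids[i], rest)
    return Gate(node.op, tuple(kids))

def best_single_flip(tree: Node, log):
    """One greedy search step: try every gate flip, keep the fittest tree."""
    best = (fitness(tree, log), tree)
    for p in gate_paths(tree):
        cand = flip_gate(tree, p)
        f = fitness(cand, log)
        if f > best[0]:
            best = (f, cand)
    return best

# Constructed log: (trace of basic steps, did the attack goal succeed?).
# The labels are consistent with the hidden tree OR(AND(a, b), c).
LOG = [
    (["a", "b"], True),
    (["a"], False),
    (["c"], True),
    (["b", "a"], True),
    (["b", "d"], False),
    (["d", "c", "a"], True),
]

# A deliberately wrong starting candidate: AND(AND(a, b), c).
START = Gate("AND", (Gate("AND", (Leaf("a"), Leaf("b"))), Leaf("c")))

if __name__ == "__main__":
    print("start fitness:", fitness(START, LOG))
    f, tree = best_single_flip(START, LOG)
    print("after one flip:", f, tree)
    print("root tt after prefix of length", root_true_at(tree, ["d", "c", "a"]))
```

Running the block scores the starting tree at 2/6, finds that flipping the root gate to OR recovers the hidden tree with fitness 1.0, and reports that the last trace is cut at prefix length 2, i.e. the point at which `c` alone makes the root true.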
Notes
3. We interpret the refinement specification as a library similar to [33].
4. There is no optimal combination for the weights. Hence, we explore different weights and how they influence the overall fitness in Sect. 4.
5. The artifact can be found at https://doi.org/10.5281/zenodo.8352279.
6. We already have about one million distinct traces with \(n=9\). However, this is only an upper bound since we stop the traces as soon as the root turns \(\textsf{tt}\).
References
Jalil, K.A., Kamarudin, M.H., Masrek, M.N.: Comparison of machine learning algorithms performance in detecting network intrusion. In: 2010 International Conference on Networking and Information Technology, pp. 221–226. IEEE (2010)
Alhomidi, M., Reed, M.: Finding the minimum cut set in attack graphs using genetic algorithms. In: 2013 International Conference on Computer Applications Technology (ICCAT), pp. 1–6. IEEE (2013)
André, É., et al.: Parametric analyses of attack-fault trees. In: 2019 19th International Conference on Application of Concurrency to System Design (ACSD), pp. 33–42. IEEE (2019)
Bates, D., et al.: Fitting linear mixed-effects models using lme4 (2014)
Bryans, J., et al.: A template-based method for the generation of attack trees. In: Laurent, M., Giannetsos, T. (eds.) WISTP 2019. LNCS, vol. 12024, pp. 155–165. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41702-4_10
Budde, C.E., Bucur, D., Verkuil, B.: Automated fault tree learning from continuous-valued sensor data. Int. J. Prognostics Health Manag. 13(2) (2022). https://doi.org/10.36001/ijphm.2022.v13i2.3160. ISSN 2153-2648
Buldas, A., et al.: Attribute evaluation on attack trees with incomplete information. Comput. Secur. 88, 101630 (2020)
Chawla, N.V.: C4.5 and imbalanced data sets: investigating the effect of sampling method, probabilistic estimate, and decision tree structure. In: Proceedings of the ICML, Toronto, ON, Canada, vol. 3, p. 66. CIBC (2003)
Fila, B., Wideł, W.: Attack–defense trees for abusing optical power meters: a case study and the OSEAD tool experience report. In: Albanese, M., Horne, R., Probst, C.W. (eds.) GraMSec 2019. LNCS, vol. 11720, pp. 95–125. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36537-0_6
Gadyatskaya, O., Trujillo-Rasua, R.: New directions in attack tree research: catching up with industrial needs. In: Liu, P., Mauw, S., Stølen, K. (eds.) GraMSec 2017. LNCS, vol. 10744, pp. 115–126. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-74860-3_9
Gadyatskaya, O., et al.: Attack trees for practical security assessment: ranking of attack scenarios with ADTool 2.0. In: Agha, G., Van Houdt, B. (eds.) QEST 2016. LNCS, vol. 9826, pp. 159–162. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43425-4_10
Gonçalves, E.C., Freitas, A.A., Plastino, A.: A survey of genetic algorithms for multi-label classification. In: 2018 IEEE Congress on Evolutionary Computation (CEC), pp. 1–8 (2018)
Gupta, M., et al.: Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decis. Support Syst. 41(3), 592–603 (2006)
Hermanns, H., et al.: The value of attack-defence diagrams. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 163–185. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49635-0_9
Hong, J.B., Kim, D.S., Takaoka, T.: Scalable attack representation model using logic reduction techniques. In: 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 404–411. IEEE (2013)
Hosmer, D.W., Jr., Lemeshow, S., Sturdivant, R.X.: Applied Logistic Regression, vol. 398. Wiley, Hoboken (2013)
Ivanova, M.G., et al.: Attack tree generation by policy invalidation. In: Akram, R.N., Jajodia, S. (eds.) WISTP 2015. LNCS, vol. 9311, pp. 249–259. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24018-3_16
Jhawar, R., et al.: Attack trees with sequential conjunction. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IAICT, vol. 455, pp. 339–353. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-18467-8_23
Jhawar, R., et al.: Semi-automatically augmenting attack trees using an annotated attack tree library. In: Katsikas, S.K., Alcaraz, C. (eds.) STM 2018. LNCS, vol. 11091, pp. 85–101. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01141-3_6
Jimenez-Roa, L.A., et al.: Automatic inference of fault tree models via multi-objective evolutionary algorithms. IEEE Trans. Dependable Secure Comput. 20(4), 3317–3327 (2023). https://doi.org/10.1109/tdsc.2022.3203805. ISSN 1545-5971
Jürgenson, A., Willemson, J.: On fast and approximate attack tree computations. In: Kwak, J., Deng, R.H., Won, Y., Wang, G. (eds.) ISPEC 2010. LNCS, vol. 6047, pp. 56–66. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12827-1_5
Kim, D., Choi, J., Han, K.: Risk management-based security evaluation model for telemedicine systems. BMC Med. Inform. Decis. Mak. 20(1), 1–14 (2020)
Kordy, B., Pietre-Cambacedes, L., Schweitzer, P.: DAG-based attack and defense modeling: don’t miss the forest for the attack trees. CoRR, abs/1303.7397 (2013). http://arxiv.org/abs/1303.7397
Kordy, B., et al.: Foundations of attack-defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19751-2_6. ISBN 978-3-642-19750-5
Kumar, R., Stoelinga, M.: Quantitative security and safety analysis with attack-fault trees. In: High Assurance Systems Engineering (HASE), pp. 25–32 (2017). https://doi.org/10.1109/HASE.2017.12
Lenin, A., Willemson, J., Sari, D.P.: Attacker profiling in quantitative security assessment based on attack trees. In: Bernsmed, K., Fischer-Hübner, S. (eds.) NordSec 2014. LNCS, vol. 8788, pp. 199–212. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11599-3_12
Linard, A., Bucur, D., Stoelinga, M.: Fault trees from data: efficient learning with an evolutionary algorithm. In: Guan, N., Katoen, J.-P., Sun, J. (eds.) SETTA 2019. LNCS, vol. 11951, pp. 19–37. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35540-1_2
Majeed, P.G., Kumar, S.: Genetic algorithms in intrusion detection systems: a survey. Int. J. Innov. Appl. Stud. 5(3), 233 (2014)
RTO NATO: Improving common security risk analysis. Technical report TR-IST-049, Research and Technology Organisation of NATO (2008)
Pawar, S.N.: Intrusion detection in computer network using genetic algorithm approach: a survey. Int. J. Adv. Eng. Technol. 6(2), 730 (2013)
Pinchinat, S., Acher, M., Vojtisek, D.: ATSyRa: an integrated environment for synthesizing attack trees. In: Mauw, S., Kordy, B., Jajodia, S. (eds.) GraMSec 2015. LNCS, vol. 9390, pp. 97–101. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29968-6_7
Pinchinat, S., Acher, M., Vojtisek, D.: Towards synthesis of attack trees for supporting computer-aided risk analysis. In: Canal, C., Idani, A. (eds.) SEFM 2014. LNCS, vol. 8938, pp. 363–375. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15201-1_24
Pinchinat, S., Schwarzentruber, F., Lê Cong, S.: Library-based attack tree synthesis. In: Eades III, H., Gadyatskaya, O. (eds.) GraMSec 2020. LNCS, vol. 12419, pp. 24–44. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-62230-5_2
Ramos, J.L.H., Skarmeta, A.: Assessing vulnerabilities in IoT-based ambient assisted living systems. Secur. Privacy Internet Things Challenges Solutions 27, 94 (2020)
Rosmansyah, Y., Hendarto, I., Pratama, D.: Impersonation attack-defense tree. Int. J. Emerg. Technol. Learn. (iJET) 15(19), 239–246 (2020)
Schneier, B.: Secrets & Lies: Digital Security in a Networked World, 1st edn. Wiley, New York (2000). ISBN 0471253111
Sheyner, O., et al.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, SP 2002, Washington, DC, USA, p. 273. IEEE Computer Society (2002). http://dl.acm.org/citation.cfm?id=829514.830526. ISBN 0-7695-1543-6
Shostack, A.: Threat Modeling: Designing for Security. Wiley, Hoboken (2014)
Vigo, R., Nielson, F., Nielson, H.R.: Automated generation of attack trees. In: 2014 IEEE 27th Computer Security Foundations Symposium, pp. 337–350. IEEE (2014)
Widel, W., et al.: Beyond 2014: formal methods for attack tree-based security modeling. ACM Comput. Surv. (CSUR) 52(4), 1–36 (2019)
Acknowledgement
The work was partially supported by the MUNI Award in Science and Humanities (MUNI/I/1757/2021) of the Grant Agency of Masaryk University.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Dorfhuber, F., Eisentraut, J., Křetínský, J. (2023). Learning Attack Trees by Genetic Algorithms. In: Ábrahám, E., Dubslaff, C., Tarifa, S.L.T. (eds) Theoretical Aspects of Computing – ICTAC 2023. ICTAC 2023. Lecture Notes in Computer Science, vol 14446. Springer, Cham. https://doi.org/10.1007/978-3-031-47963-2_5
DOI: https://doi.org/10.1007/978-3-031-47963-2_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-47962-5
Online ISBN: 978-3-031-47963-2
eBook Packages: Computer Science, Computer Science (R0)