An ontological lens on attack trees: Toward adequacy and interoperability

TL;DR

This paper uses an ontological framework to analyze attack trees, identifying key shortcomings in their conceptual foundation and proposing pathways for improved modeling and interoperability in security risk analysis.

Contribution

It provides an ontological critique of attack trees based on the COVER ontology, revealing four major limitations and suggesting directions for enhancing their formal semantics and interoperability.

Findings

Identified ambiguous terms in attack trees

Revealed ontological deficits in attack tree concepts

Discussed solutions for improving modeling guidance and interoperability

Abstract

Attack Trees (AT) are a popular formalism for security analysis. They are meant to display an attacker's goal decomposed into attack steps needed to achieve it and compute certain security metrics (e.g., attack cost, probability, and damage). ATs offer three important services: (a) conceptual modeling capabilities for representing security risk management scenarios, (b) a qualitative assessment to find root causes and minimal conditions of successful attacks, and (c) quantitative analyses via security metrics computation under formal semantics, such as minimal time and cost among all attacks. Still, the AT language presents limitations due to its lack of ontological foundations, thus compromising associated services. Via an ontological analysis grounded in the Common Ontology of Value and Risk (COVER) -- a reference core ontology based on the Unified Foundational Ontology (UFO) -- we investigate the ontological adequacy of AT and reveal four significant shortcomings: (1) ambiguous syntactical terms that can be interpreted in various ways; (2) ontological deficit concerning crucial domain-specific concepts; (3) lacking modeling guidance to construct ATs decomposing a goal; (4) lack of semantic interoperability, resulting in ad hoc stand-alone tools. We also discuss existing incremental solutions and how our analysis paves the way for overcoming those issues through a broader approach to risk management modeling.