Method for Attack Tree Data Transformation and Import Into IT Risk Analysis Expert Systems

Featured Application

This paper proposes a novel approach of knowledge base formation for expert systems, dedicated to IT security risk analysis, using attack trees as a source of information. Automating the conversion of attack trees to a format that expert systems can use can be applied for minimizing time expenses while creating the knowledge base of an expert system and keeping it up to date, and for further applications as a risk assessment tool by small–medium enterprises.

Abstract

Information technology (IT) security risk analysis preventatively helps organizations in identifying their vulnerable systems or internal controls. Some researchers propose expert systems (ES) as the solution for risk analysis automation since risk analysis by human experts is expensive and timely. By design, ES need a knowledge base, which must be up to date and of high quality. Manual creation of databases is also expensive and cannot ensure stable information renewal. These facts make the knowledge base automation process very important. This paper proposes a novel method of converting attack trees to a format usable by expert systems for utilizing the existing attack tree repositories in facilitating information and IT security risk analysis. The method performs attack tree translation into the Java Expert System Shell (JESS) format, by consistently applying ATTop, a software bridging tool that enables automated analysis of attack trees using a model-driven engineering approach, translating attack trees into the eXtensible Markup Language (XML) format, and using the newly developed ATES (attack trees to expert system) program, performing further XML conversion into JESS compatible format. The detailed method description, along with samples of attack tree conversion and results of conversion experiments on a significant number of attack trees, are presented and discussed. The results demonstrate the high method reliability rate and viability of attack trees as a source for the knowledge bases of expert systems used in the IT security risk analysis process.

1. Introduction

It is well known that IT security risk assessment is a vital and sometimes regulatorily mandated process which helps in identifying risks; prioritizing protective measures; and protecting customers, businesses, and private information. Expert systems play a crucial role in taking the knowledge from a security expert, expressed as rules, and allowing it to be shared effortlessly. Many authors [1,2,3] emphasize that expert systems are adequate for automating risk assessments, thereby minimizing the need for a company to have a security expert. This is of great importance for small–medium sized enterprises that lack human and financial resources. Although the concept of expert systems is not new and is widely used in many areas [4,5], their application in information security area, including risk analysis [6], is relatively new; i.e., expert systems and methods of their optimization, including methods of automated knowledge base formation, remain a relevant research topic due to a big dynamics and many method application perspectives [7,8].

Sometimes it becomes a problem, since high-quality knowledge is expensive. On the other hand, there exist many sources of systematic information that can be used for knowledge base creation, which can minimize the process expenses at least partially. The idea of automating knowledge base formation is relatively new; still, some research on the area was already done, and currently, proposed methods have demonstrated the possibility and benefits of such an approach. In our previous research, methods for transformation of ontologies into expert system (ES) knowledge base format [9] and integration of data from websites on regional malware distribution [10] for further use in the expert system-based risk analysis were discussed.

Attack trees can assist in the IT risk analysis process by providing a structure to contemplate an attack against a system; i.e., attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks, which can be very useful while evaluating possible threats and their probabilities during the risk assessment. The primary purpose of attack trees is to model security threats, represent attacks against a system, and analyze attack vectors. Some researchers have demonstrated [11,12,13,14] that attack trees can be used as a supportive tool in the fields of defense and vulnerability detection. Attack trees are also successfully used in information security risk analysis [15], and design processes of security and defense systems [16] and their analysis [17]. The versatility of attack trees and their wide areas of application have allowed making an assumption that attack trees can be considered as a reliable source of information that can be applied for increasing the efficiency of expert systems. This paper proposes the idea of using attack trees for IT security risk analysis by converting them into ES knowledge base rules.

By developing a process which streamlines the risk assessment process via expert systems, risk analysis can be brought into a more affordable place for small and medium enterprise (SME) category businesses and individuals while simultaneously increasing the accuracy of the risk assessment process [1,18] for everyone, especially SMEs that cannot afford to hire high-quality security experts for risk analysis. Under current methods, a cybersecurity professional, when using an attack tree, is required to painstakingly proceed through several attack trees to perform a risk analysis for a system or to base his decision on a subjective valuation. This is a task that can take a considerable amount of time and effort, as an expert will have to spend his time going through every attack route possible within the attack trees, some of which can have thousands of nodes [19]. Solving the problem of converting attack trees to formats that an expert system can utilize will help reduce the labor costs associated with performing risk assessments. The creation of a knowledge base should provide a higher level of information security, since countless examples of attack trees already exist, with varying levels of detail and complexity, targeted against different information systems and platforms. Utilizing an expert system for this process would also ensure accuracy, reliability, and repeatability for the risk analyses conducted. By converting attack trees to formats usable by expert systems, the benefits of attack trees and expert systems can be combined and multiplied. Moreover, crucially, this method allows the use of existing resources and repositories of attack trees to assist in building a wide knowledge base.

This paper proposes a novel approach of knowledge base formation for expert systems, dedicated to IT security risk analysis, using attack trees as a source of information. The method proposed in this manuscript is novel and exclusive by approach, in that attack trees are being transformed into the expert system knowledge base rules, in contrast to the earlier approaches, where attempts to perform direct use of attack trees’ data without transformation were presented. The approach proposed provides a unique possibility to generate an integral knowledge base of an expert system, by integrating different attack trees taken from various sources. Moreover, the generated rules can be imported into the existing knowledge base, where knowledge on other areas of information security risk is already systematized. While performing transformations, information on attack directions, probabilities, impacts, and possible countermeasures is imported, thereby providing the possibility to use an expert system for decision making and making recommendations on risk management. The research aims to improve the methods for the creation of a knowledge base for the eventual purpose of assisting with conducting risk analyses on an information system or set of systems.

Automating the conversion of attack trees to a format that expert systems can use is relevant and essential because it will allow small companies and individuals to perform risk assessments at a level comparable to an assessment conducted by someone with the resources of large companies [18]. Findings on attack tree data transformation and import into expert risk analysis systems can be applied to significantly reduce the amount of time, effort, and the monetary investment required for the risk analysis of a given company or agency. Additionally, this will allow organizations with limited security financing to prioritize the defense of the most likely places at which an attack could occur.

This article is organized as follows. Section 1, the current section, is an introduction. Section 2 presents related work on attack trees and expert systems. Section 3 presents an approach of automating the conversion of attack trees into a format that can be accepted by an expert system. Section 4 details the experiments, and the weaknesses and strengths of the methodology. Finally, Section 5 concludes the paper.

2. Prior and Related Work

In them classic case, humans—real experts—form expert system knowledge bases. However, it is a slow and expensive method, causing one of the biggest problems in for broader use of expert systems. Nevertheless, expert systems are used nowadays for solving actual problems, e.g., first-line IT service desks, medicine, and law. Several researchers are working on this topic, and several methods of automating the ES knowledge base formation have been proposed.

Currently, three main ways of ES knowledge base formation can be distinguished:

• Manual—the knowledge base is created by human experts in the field;
• Semi-automated—the knowledge base’s formation is partly automated;
• Automated—the knowledge base’s formation is fully automated, which is the most interesting for our research.

Automated knowledge base formation can be classified into two approaches:

• The first approach is based on using existing knowledge sources directly in their native formats, e.g., ontologies and databases, without additional transformations.
• The second is applied when existing knowledge sources are transformed into ES knowledge base rules.

The first method is cheaper but is very static. Early studies on using existing knowledge sources directly in their native formats considered it to not be a problem until there is a need to change, update, add, or delete information. Using information sources directly in expert systems needs specific ES modification and lacks flexibility. Finally, it is very difficult or sometimes even not possible to merge several sources of information having different formats. The second approach, when existing information sources are transformed into the ES knowledge base rules, is more superior and flexible, and has more areas of application, compared to the first, but requires additional methods of data transformation, additional time, and is sensitive to the correctness of data transformation.

Automated expert system knowledge base formation methods using existing information sources are currently of great interest to researchers. Unfortunately, not too many methods have been proposed for integrating IT security-related data into expert systems. One such method was presented in our earlier research on the use of existing information security ontologies [9]. This method enables the integration of sources that have a deep structure and keeps valuable information on possible recommended controls in the expert systems’ knowledge base. In our further research [10] the applicability of data importation to the knowledge base from the websites was analyzed; specifically, regional malware distribution was imported to prove the influence of geographical threat prevalence on the risk assessment results. It has also ensured regular (in fact daily) updates for the knowledge base. The main limitation of both methods is that they do not give information on cybersecurity attacks, which is crucial while performing IT security risk analysis. Using attack trees as sources for ES, dedicated for IT security risk analysis, knowledge base creation will allow analyzing not only attack vectors, but also the price, likelihood, and defensive measures of such attacks.

Several methods for using attack trees for IT security risk assessments were proposed. One such method is IT security risk assessment for a ship control system based on attack trees [20]. This method uses attack trees directly—not transforming them to ES knowledge base rules—and is dedicated to supervisory control and data acquisition (SCADA) systems. Another example is the method to find the optimal set of countermeasures [21]. This method is a framework relying on attack–defense trees and oriented toward modeling in The Attack-Defense Tree Tool (ADTool) 2.0. The main limitation of such methods is that they use attack trees directly as sources and are not as universal as is needed for expert systems.

An attack tree, first expressed by Bruce Schneier as a “formal, methodical way of describing the security of systems based on varying attacks,” is typically a graphical representation of vulnerabilities within an IT system, although it can be expressed in a text format which is not graphical in nature [22,23]. Whether graphical or text format is represented, there are some similarities between these two representations. Every path through the attack tree represents a unique attack vector through the organization and shows what vulnerabilities an attacker can leverage to obtain access to sensitive material [22]. At every level or leaf of the attack tree, there are different vulnerabilities, some of which must be combined to cause a breach and some which are capable of causing breaches by themselves. These are known respectively as “and” and “or” decompositions, and are represented differently based on whether the graphical, text, or combination format of the attack tree is used [22]. It is up to the creator of the attack tree as to how much information is shown and in what formats the attributes are represented, as there are no formal standards in place [23,24,25,26]. Despite the lack of formal standards, there are some recommendations for attack tree generation, such as creating the trees, measuring the probabilities of each leaf, removing or marking improbable attack paths, generating countermeasures, and applying the most appropriate countermeasures to leaves [19,27].

An example of the attack tree in a graphical format is shown in Figure 1.

Each independent level is called a “leaf” node, and vulnerabilities are moved through during an attack from the bottom to the top, which is called the “root” node [23]. For this attack tree, straight horizontal lines represent “and” decompositions, and curved horizontal lines represent “or” decompositions.

There are several programs which can be used to aid with the graphical representation portion of the attack tree creation process. However, there is still a large amount of input required on the part of an expert person with manual attack tree generation [17,28]. Many of these graphing tools also include analysis functions to both ensure that data are entered in an accepted format and to analyze the paths from leaf nodes to the root node.

An example of the text format for an attack tree is shown in Figure 2, which shows an attack tree for intellectual property theft against the fictional ACME, Inc.

Just as with the graphical format, the tasks at each level are shown as “and” or “or” to show whether all steps or only one must be conducted at that level to progress with the attack. At the top of the text format shown in Figure 2, it can be noted that all six nodes are “or” nodes to the root and only node two has “and” nodes for its children. Text formats are often used when dealing with more complex attack trees, as they are easier to read than a complex and branching graphical format with dozens of paths [23].

The easiest way of working with attack trees for a human expert is the graphical format. However, for integration into information systems, text format is preferred. For solving this problem, researchers [29,30,31] have proposed methods for transforming attack trees from graphical format to text and vice versa. This has increased the usability of attack trees. Nowadays, attack trees are widely used in the fields of defense, risks analysis, threat modeling against information, electronic systems, computer control, and physical systems. Based on the analysis of attack trees’ data, practitioners can define actions to reduce or annihilate risks. A significant barrier in integrating attack trees into the knowledge base of ES is that attack trees can become largely complex and thus hard to specify [32].

3. Attack Trees in XML

The eXtensible Markup Language, or XML, is a language created by the World Wide Web Consortium (W3C) to store and transport data in a format which is readable to both computers and humans (W3Schools, n.d.). It is designed to be extremely flexible and allows creators to define their naming conventions within the XML structure. For example, the attack tree in Figure 3 is an example tree from the ADTree attack tree graphing tool named “RFID Communication Block” that was exported to XML by the tool.

The result of this export is presented in Figure 4.

This variability in XML formatting raises problems within the attack tree conversion process, as each tool may define attributes using different names. For example, on line 11 of Figure 4 text, the term “switchRole” indicates that the node “Secure Warehouse” is a countermeasure node rather than a vulnerability node. In the universal metamodel for attack trees (UATS) format of this same file, “switchRole” is only called “role,” but this means any program that wants to extract and work with this XML data must be programmed to find all names for these attributes.

Some tools can be used to aid with the graphical representation portion of the attack tree creation process, although there is still a large amount of input required on the part of an expert person with manual attack tree generation [17,28]. While some researchers have tried to overcome this via crowdsourcing, others have attempted to utilize AI to generate the attack trees while an expert person reviews the automated creation results [34,35,36]. One common task which requires the use of an expert person is verification that the vulnerabilities expressed by an attack tree correlate with the system the attack tree is designed for [34]. Research has been performed with the goal of reducing the expert-required workload, including attempts at utilizing vulnerability databases such as the National Vulnerability Database (NVD) and Mitre Organization’s Common Attack Pattern Enumeration and Classification (CAPEC) [35]. While this research has shown considerable promise, there remains a need for experts at multiple steps in the attack tree generation, verification, and review stages. By inputting these attack trees into an expert system which has been configured to present an expert opinion, the need for an expert person could be further minimized.

4. Method

The proposed method is a process which utilizes two software bridging programs together to implement the automation of converting information from attack trees into an expert system of knowledge based rules. This method is implemented via a Python-based program named ATES, which will take output in UATS format from the ATTop program mentioned above and will create ES knowledge base rules to the output files. The output of ATES is either one or two files, depending upon the user selection, which are readable by the JESS language. Version one outputs a singular file containing the structure for the JESS expert system and the attack tree data, while version two outputs two files, one containing the structure for the JESS expert system and the other containing the attack tree data. The general proposed method view is presented in Figure 5.

As was said earlier, the proposed method is based on data transformation from attack trees (lAT₁ .. AT_k) collected from different sources (S₁ .. S_n) into ES knowledge base facts. Nodes and leaves (N₁ .. N_z) of the attack trees are transformed into facts (F₁ .. F_z), while the root of the attack tree is used to generate the attack description (A₁ .. A_k). Every attack tree transformed is saved in the form of C Language Integrated Production System (CLIPS) rules in a newly generated file (CLP₁ .. CLP_k). Every generated CLP file is formed as a knowledge base of an expert system (KB₁ .. KB_k) that can be later imported into the unique expert system (ES₁ .. ES_k) or can be merged with an existing knowledge base (dotted notation on Figure 5).

The method proposed does not depend on the source of attack trees, and it does not limit the amount of attack trees; i.e., S—the source of all attack trees—can be formed of several different sources.

$$S=\{S_1,S_2,\dots ,S_n\}$$

Each source can have several attack trees (AT).

$$S_1=\{A{T}_1,A{T}_2,\dots ,A{T}_l\},$$

$$S_2=\{A{T}_{l+1},A{T}_{l+2},\dots ,A{T}_j\},$$

$$\dots$$

$$S_n=\{A{T}_{y+1},A{T}_{y+2},\dots ,A{T}_k\}.$$

Due to that attack trees from different sources can be joined, thereby forming the set of attack trees AT.

$$AT=\sum _{i=1}^n{S}_i$$

$$AT=\{A{T}_1,A{T}_2,\dots ,A{T}_k\}.$$

Each attack tree can be of a different depth and structure, with a different number of leaves (marked as N). Still, every attack tree has a root leave, called the root node (marked as R).

$$A{T}_1=\{R_1,N_1,N_2,\dots ,N_o\},$$

$$A{T}_2=\{R_2,N_{o+1},N_{o+2},\dots ,N_p\},$$

$$\dots$$

$$A{T}_k=\{R_k,N_{x+1},N_{p+2},\dots ,N_z\}.$$

By joining leaves and root nodes of all attack trees, we will get the set of attack tree elements NR.

$$NR=\sum _{i=0}^{k}A{T}_i$$

$$NR=\{R_1,R_2,\dots ,R_k,N_1,N_2,\dots ,N_z\}.$$

Transformation: Every element in set AT is transformed into elements in set A:

$$AT\{A{T}_1,A{T}_2,\dots ,A{T}_k\}\Rightarrow A\{A_1,A_2,\dots ,A_k\};$$

i.e., the attack tree is transformed into separate attacks in the knowledge base. Since AT set is formed of several elements, this means that every element should be transformed separately. Set of attack tree elements NR is transformed into a set of knowledge base facts and aims FG:

$$NR\{R_1,R_2,\dots ,R_k,N_1,N_2,\dots ,N_z\}\Rightarrow FG\{G_1,G_2,\dots ,G_k,F_1,F_2,\dots ,F_z\}.$$

In other words, every attack set A is formed of the attack aim G and facts F:

$$A_1=\{G_1,F_1,F_2,\dots ,F_o\},$$

$$A_2=\{G_2,F_{o+1},F_{o+2},\dots ,F_p\},$$

$$\dots$$

$$A_k=\{G_k,F_{x+1},F_{p+2},\dots ,F_z\}.$$

After the transformation is performed, it is necessary to prepare data in a format suitable for the expert system. We are using C Language Integrated Production System (CLIPS) rules. As for that, the CLP file is formed, it is composed of three main elements:

• Tree template (TT)—information about the converted attack tree (AT name, and root node (attack goal) name);
• Node template (NN)—a predefined structure to work with facts generated from attack trees;
• Facts about the attack, generated in the transformation process.

That is, the CLP is composed of the following elements:

$$CL{P}_1=\{TT,NT,A_1\}=\{TT,NT,G_1,F_1,F_2,\dots ,F_o\},$$

$$CL{P}_2=\{TT,NT,A_2\}=\{TT,NT,G_2,F_{o+1},F_{o+2},\dots ,F_p\},$$

$$...$$

$$CL{P}_k=\{TT,NT,A_k\}=\{TT,NT,G_k,F_{x+1},F_{x+2},\dots ,F_z\}.$$

Figure 6 depicts an activity diagram of the attack tree data proceeding by the methodology from creation as an attack tree to the final transformation to the JESS expert system knowledge base rules.

The main steps presented in Figure 6 are described below.

• Get AT data in XML format. The initial transformation of AT into XML format is performed due to its versatility.
• In UATS format. XML UATS format enables the use of a larger variety of AT sources, so our tool is made to work with XML UATS from the beginning. Examples of AT in XML UATS and graphical formats are given in Figure 7.

• Convert to UATS using ATTop. The attack tree can be directly exported to XML UATS or converted from various formats. The tool we propose using in this step is ATTop [37].
• Input AT Data to ATES. ATES is our Python-based software for the method’s practical implementation that performs conversion of UATS into the JESS format.
• Conversion Py script. Conversion engine which converts XML UATS to CLP rules and DAT facts by applying defined patterns. Examples of resulting ES knowledge base facts are presented in Figure 8.

• Exception handler. The exception handler, a “try–except” code block that will terminate the processes and return an error message to the user in case any errors occur.
• Process termination. Terminates the process if any error occurs.
• Output data. Converted rules are exported to the CLP and DAT files (or one combined file if the user selects this option), supported by the JESS ES platform.
• JESS facts. The result of the transformation process is a JESS-based expert system knowledge base of rules and facts.
• Working memory. Automatically generated ES knowledge base rules and facts in CLP format are imported into ES working memory.
• Prepared knowledge base structure. ES should be able to work with the given (imported) facts. Our method utilizes the prepared knowledge base structure (Figure 9), which accepts facts generated by ATES.

• Inference engine. We use the JESS inference engine, which utilizes the RETE algorithm.
• Perform IT security risk analysis. At this moment, our ES is prepared for IT security risk analysis, utilizing automatically generated knowledge base rules from the attack trees.
• Risk analysis results and recommendations. The expert system, interacting with the user, performs risk analysis, and gives the results.

While performing the conversion of UATS into the ES knowledge base facts, each attack tree node is transformed into one fact, as presented in Figure 10.

On the left side of Figure 10 is an attack tree, and on the right side—two samples of generated ES facts. Every generated fact has the following structure:

• ID. It is the ID of the node. Count from top to bottom and from left to right.
• Name. The name of the node is read from the attack tree.
• Parent. Depicts which node is the parent of the current node. The value is the node ID number.
• Connector. It defines the node type. Possible values are OR, AND.
• Cost. It is the cost of the attack if this value is specified in the attack tree.
• Time. It is the time needed to perform the attack if this value is given in the attack tree.
• Exploited. It is the state of the node. By default, all values have FALSE values, and they can be changed during the risk analysis process in the ES. A value can become TRUE based on the user’s answers.
• Probability. It is the probability of the attack if this value is given in the attack tree.
• Difficulty. It is the difficulty of the attack if this value is given in the attack tree.
• Countermeasure. It identifies whether the node already has countermeasures applied or not. Possible values are TRUE, FALSE.
• Children. It shows what children this current node has. The value is node ID numbers.

5. Results and Discussion

The method proposed was practically implemented, and several experiments were performed to demonstrate method reliability and applicability. For method implementation, the ATES tool, which converts AT to ES knowledge base rules, was developed. Later, automatically generated ES knowledge base rules and facts were imported into the created ES (based on JESS), which allows us to perform risk analysis using the generated knowledge base. Figure 11 provides details on the path that the attack tree passes through in the ATES program.

The ATES was written in Python version 3.8 and should be compatible with any Python version greater than 3. Below the short description of functions implemented in ATES is provided:

• Preparing attack tree data (data pre-processing). The creation of an attack tree in one of the various formats accepted by ATTop or direct creation of a UATS XML file must be done by the user. Once the UATS file is returned from ATTop, the ATES program is ready to accept the file for translation. Successful transformation to UATS via ATTop is demonstrated in Figure 12.

• Add file. Once the UATS file is returned from ATTop, the ATES program is ready to accept the file for translation. ATES has a simple GUI created using the Tkinter package in Python.
• Translatev1/2. This function is wholly encased in a “try–except” block which is a built-in function of Python which is designed for error handling. Any errors from any of the functions within this block result in the deletion of the data and, because of how this “try–except” block is configured, an error message gets displayed on the screen.
• Ates. The ates function first takes the files in input and retrieves the filename; then sends the files to the inputter function for parsing; then sends the parsed data to the inputter function to extract the necessary node information into lists, before finally sending the lists to the printer function which will write the files. The ates function will also take the value sent with file data from the translate functions, called pvalue, and will modify the new file name to differentiate between version one and version two if the pvalue is 2.
• Inputter. The inputter function parses the XML file using the defused XML ElementTree package built into Python. Using the defused XML package prevents code execution from maliciously crafted XML files. The function returns an XML document object model, or DOM, for use by the lister function.
• Lister. The lister function takes the XML DOM from the inputter function and extracts the necessary data from it. It does this by first creating empty lists, then finding the attributes to fill each list. It then returns the full lists to the ates function to be sent to the printer function.
• Printer. The printer function has a “try–except” block for creating a directory to store the output files from the conversion process. The files created by this function will also expect this directory to exist and will provide the user with the command to run if the files are in this directory. Next, the function will open the new .clf file in write mode, or create it in write mode if it does not exist, and write the JESS program code which has been written. If pvalue is 1 then the function will write necessary JESS code and the list data from lister into the same file, but, if pvalue is 2, then it will write an additional JESS code and create a new .dat file for containing the attack tree’s node data. All the files will be named automatically based upon the original input file name. Once these processes have been completed, the files will be saved and closed.

Successful attack tree conversion to JESS expert system knowledge base is demonstrated in Figure 13. Converted files are automatically exported to the directory “Attack_trees/JESS” in CLP format.

• JESS ES file(s). The produced JESS programs have an initial welcome message at the top of each file with instructions on where to place the files and with what JESS command to run the files. Successful JESS operation is shown in Figure 14.

The attack trees used for testing ATES’ accuracy and capability for error handling have been sourced through numerous scientific articles covering various topics relating to attack trees, attack trees examples from attack tree tools, and results in Internet searches for attack tree examples. Additionally, the Mitre organization has a plethora of information which is easily turned into example attack trees, such as what is available within the CAPEC [38] and ATT&CK [39] databases. The citations for the use of these attack trees have been listed beneath the root node of the attack tree as a comment within the pre-ATTop conversion XML file for that attack tree. Applicability of the method proposed for automated formation of an expert system’s knowledge base was evaluated and approved experimentally.

Table 1. Attack tree sources.

Attack Tree Sources	Quantity of Attack Trees
A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie—combining new version of attack tree with bowtie analysis [40]	7
ADTool example attack trees [41]	10
Attack Modelling for Information Security and Survivability [22]	2
Attack tree-based evaluation of physical protection systems vulnerability [42]	1
Attack trees with sequential conjunction [43]	2
Automated Generation of Attack Trees by Unfolding Graph Transformation Systems [24]	2
Beyond attack trees: dynamic security modelling with Boolean logic Driven Markov Processes (BDMP ) [44]	2
Bridging two worlds: Reconciling practical risk assessment methodologies with theory of attack trees [18]	1
Crowdsourcing Computer Security Attack Trees [36]	1
DAG-based attack and defense modelling: Don’t miss the forest for the attack trees [25]	1
Effective Analysis of Attack Trees: A Model-Driven Approach [45]	1
Is my attack tree correct? [34]	1
Mission oriented risk and design analysis of critical information systems [46]	1
Multi-vendor Penetration Testing in the Advanced Metering Infrastructure [47]	3
Producing and Evaluating Crowdsourced Computer Security Attack Trees [48]	1
Risk assessment of cyber attacks in ECPS based on attack tree and AHP [49]	1
SANS ICS Attack Surfaces [50]	1
Security risk assessment framework for smart car using the attack tree analysis [51]	5
Semi-automatically Augmenting Attack Trees using an Annotated Attack Tree Library [35]	2
Studying Cyber Security Threats to Web Platforms Using Attack Tree Diagrams [52]	1
Survivability analysis of SOA based on attack tree models [53]	1
Understanding risk through attack tree analysis [54]	2
The total quantity of sourced attack trees:	49

indicates the number of attack trees used in this process and their top-level sources. The uniqueness of the approach proposed is the provided possibility to generate integral knowledge base of an expert system, by integrating different attack trees taken from various sources.

In the experiment, 22 different free sources with attack trees were analyzed, and 49 different attack trees were transformed. One attack tree, in general, is dedicated to one main attack, so it allows ES to assess the risk for 49 different types of attacks. During the experiment, a ruleset composed of 875 facts was created. These facts allow us to assess the risk of 49 attacks and to analyze 826 controls (Figure 15). This can be considered as a significant achievement in the area of information security risk management, since effective and source-independent utilization of existing and reliable information sources and their adaption for use in expert systems creates preconditions for performing information security risk analysis even by non-security specialists.

The experiment has shown that, out of approximately 50 attack trees, there were zero errors with the ATES conversion program when inputs were correctly configured. When a non-XML file is submitted, a syntax error is raised and the data are destroyed by the program. If, however, a file is in XML but does not contain the expected formatting, then a syntax error is displayed, and a file is created with pythonic “none” data instead of the attack tree node data. Additionally, the resulting JESS expert systems were functioning as intended.

Development of an expert system, including development of an inference engine, was out of scope of this research. Still, in order to demonstrate that automatically generated rules are practically applicable, the earlier expert system prototype developed by our team and utilizing the OWASP Risk Rating Methodology [55] was used. The system prototype is JESS based and was presented in [10]. The generated rules, including information attack success rates, were imported from the tree, presented in Figure 16.

This example utilizes the “How to block communication between an RFID reader and tag” attack tree. In each tree, information on attack probability success is stored. Nodes marked in red represent attack nodes, while green nodes define countermeasures, i.e., defense nodes. As stated earlier, this attack tree, stored in XML format, was converted using the proposed method and later imported into the existing expert system prototype (used for risk analysis). Impact estimation at the current step was obtained from the user input. Risk calculation was done by the classical equation: risk = likelihood × impact. The sample of the risk evaluation obtained is presented on Figure 17.

The green color marks the impact, entered by the expert system user. It can be also imported from the attack tree if such information is included in it. The blue color denotes the likelihood that is imported from the attack tree. The likelihood can vary depending on the availability or absence of countermeasures. In this sample the likelihood is calculated for the case when no countermeasures are applied. The red color is used to highlight the risk, calculated by the expert system according to the equation provided above. Since the ES, evaluating both technical and business risks, was utilized for the experiments, they both can be seen on the screen.

The provided example should not be seen as finite or unconditional. It is just used to demonstrate that the rules generated by the method proposed can be integrated and used in the new or existing expert system dedicated for information security risk analysis. The knowledge base created can be utilized not only for the risk calculation, but also for evaluating other criteria and estimations important in the risk assessment process. The method proposed can transform and import any kind of information stored in a tree, such as likelihood, price of the attack, weight coefficients, impacts, and others. Moreover, information imported can be used for detecting the most probable attack vector or, as shown on Figure 16, for making suggestions of possible controls and countermeasures. Still, this is already a part of the specific expert system decision making process, which is out of scope of this research, and can be considered as a perspective research topic.

5.1. Current Issues and Controls Applied

As with any methodology, there are some limitations and issues. Below the short descriptions of such issues are provided with comments on the controls that were or could be applied to minimize their influences on the quality of results:

• One potential issue of the method proposed is that there is a small possibility that data are altered during the transformation processes. To resolve this issue, the data were visually compared during the heuristic phase from the input to the resulting files to verify the accuracy.
• Another weakness of the proposed method is that the output data will only be as reliable as the input data. That is to say that, if an inaccurate attack tree is converted to the expert system rules, then the expert system will not provide accurate information regarding any eventual risk assessments. There is, ultimately, not any way around this issue beyond double-checking that the attack trees are accurate, come from the reliable sources, and apply to the system in question. This will require that users of this method would have some knowledge of their systems and that they are receiving accurate attack tree information.
• Potentially, the greatest issue in this method lies in the extreme variability within XML. This has been mitigated somewhat by using the output from ATTop to standardize the expected input to ATES. However, the naming conventions of various tools being capable of significant differences for the same attributes (e.g., the attribute identifier “duration” referring to the length of time required for an attack could also be called “time” or even “length” by specific tools) means that the only solution is to code each tool’s naming convention into the lister function.

5.2. Advantages of the Methodology

The main advantages of the method proposed are related to the flexibility in data processing and output:

• Due to the popularity and ease of use of the Python programming language, it is relatively easy to increase the acceptable attack tree formats by determining the attribute identifiers used within that tool’s XML format. Utilizing an “if–then” statement within the lister function would allow for the conversion of these attack trees as well.
• The configuration of version two allows for a relatively small set of changes which would mean a single JESS expert system could read the .dat files for multiple attack trees. As the data are already in a separate file, it would be possible to select multiple .dat files to minimize consumed storage space on a device. This was not pursued by the authors due to a lack of necessity in modern systems.
• Finally, there are several points where data can be configured by the user, and it will be accepted throughout. It is possible to set the attribute values either before translation in ATTop, after translation from ATTop and before input to ATES, after output from ATES by manually editing the data files, or inside the JESS program created by ATES. The most efficient and accurate method is to either modify the final JESS .dat files or the XML files after being output from ATTop.

5.3. Future Work

Further research on the methodology improvement will be concentrated on:

• Incorporation of PDF files as a source of attack tree;
• Minimizing the time for the file inputting process by creating the automated input file batch process;
• Resolving the issues related to the variability of attack tree representation and naming formats.

6. Conclusions

The analysis performed has shown that current methods of attack tree analysis involve human experts performing expert analyses of attack trees and the systems being utilized by a company to determine the best method of defense for that system or company. The vast amounts of data about possible attacks against information systems collected in the form of attack trees can be seen as prospective sources of data for the automatic creation of knowledge bases for expert systems, dedicated for IT security risk analysis, thereby minimizing the knowledge base creation process’s expenses and ensuring process reliability.

A method was proposed that utilizes several tools: already existing ATTop, which performs the initial conversion of attack tree data into the unified UATS XML format, and the newly developed ATES tool, which performs further transformation into the CLIPS rules supported by the JESS expert system platform, which was chosen for the experiments due to its broad adoption.

The experiments performed have covered data importation from attack trees from 22 different sources and allowed creating the knowledge base that could be used to assess risks of 49 cyber attacks and propose over 826 possible controls. The method has demonstrated reliability while converting attack trees of a supported type. Throughout the heuristic portion of experiments, the data conversion correctness was confirmed to be valuable by JESS and was tested on the JESS platform to verify that accidental attack tree data modification will not occur during any phase of the translation process. Still, the recent trends in attack tree representation, transformation, and generation show a large amount of variability in attack tree representation and generation. This variability leads to some difficulties in the transformation that could require further research.