A Novel Approach for Attack Tree to Attack Graph Transformation: Extended Version
This work addresses a specific gap in cybersecurity modeling for organizations, but it is incremental as it extends existing transformation efforts from attack graphs to attack trees.
The paper tackles the problem of transforming attack trees into attack graphs to combine their strengths in cybersecurity threat modeling, proposing an approach based on understanding action representations to enable more versatility in both structures.
Attack trees and attack graphs are both common graphical threat models used by organizations to better understand possible cybersecurity threats. These models have been primarily seen as separate entities, to be used and researched in entirely different contexts, but recently there has emerged a new interest in combining the strengths of these models and in transforming models from one notation into the other. The existing works in this area focus on transforming attack graphs into attack trees. In this paper, we propose an approach to transform attack trees into attack graphs based on the fundamental understanding of how actions are represented in both structures. From this, we hope to enable more versatility in both structures.