Automated generation and evaluation of attack trees
An attack tree is a conceptual model that represents the many possible ways in which a given system can be attacked to achieve a given high-level attack goal. Attack trees have been in use for a long time and have proved useful in the security analysis of computer systems. However, attack trees for real-world systems tend to be very large, so their manual generation and interpretation are tedious tasks, sometimes even practically infeasible. The goal of this project is therefore to develop automated methods for generating and interpreting attack trees. The envisioned input to attack tree generation is a high-level system model and an attacker model, both provided as sets of statements in a first-order logic, together with an attack goal, also given as a statement of the same logic. For the interpretation of an attack tree, the truth values of the basic attack steps in the leaves are provided as input.
This work is part of an EU-funded research project, called DOSS, and its results should support automated penetration testing of computer systems as envisioned in the DOSS project. In particular, the generated attack trees should guide the selection of security test cases to be executed on the system, and the interpretation of the attack trees, combined with the results of the selected tests, should allow for identifying and explaining vulnerabilities and for providing recommendations for fixing the system. The first-order logic to be used for system and attacker modelling, as well as an example system to be analyzed, have already been developed within the DOSS project, and they serve as starting points for this work.
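To make the two steps described above concrete, the following is an added illustration (not code from the DOSS project, whose first-order logic is not reproduced here). It stands in for the system and attacker model with a constructed set of Horn-style rules `head <- body`: a derived atom becomes an OR node over its alternative rules, each rule becomes an AND node over its body atoms, and atoms that never occur as a rule head are the basic attack steps in the leaves. Generation is backward chaining from the goal (with recursive rules pruned so the tree stays finite); interpretation evaluates the tree bottom-up from leaf truth values and returns one witness set of leaves that explains a feasible goal, which is the information a tester would use to pick test cases and to explain a finding. All atom names are constructed examples.

```python
"""Attack-tree generation by backward chaining over Horn-style rules, and
bottom-up interpretation from leaf truth values. Added illustration; the
rule format is a constructed stand-in, not the DOSS first-order logic."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Node:
    kind: str                                   # "OR" (derived atom), "AND" (one rule) or "LEAF"
    label: str
    children: List["Node"] = field(default_factory=list)


Rules = List[Tuple[str, List[str]]]

# Constructed system + attacker model. Two rules with the same head are
# alternative ways to reach it; a rule holds when every body atom holds.
RULES: Rules = [
    ("goal",          ["reach_service", "abuse_service"]),
    ("goal",          ["insider_access"]),
    ("reach_service", ["network_exposed"]),
    ("reach_service", ["pivot_host"]),
    ("pivot_host",    ["reach_service", "lateral_move"]),   # recursive: depends on reach_service
    ("abuse_service", ["unpatched", "default_creds"]),
]


def generate(goal: str, rules: Rules, path: FrozenSet[str] = frozenset()) -> Node:
    """Build the attack tree for `goal` by backward chaining.

    `path` holds the atoms currently being expanded; a rule whose body refers
    back to one of them would unroll forever, so that alternative is dropped.
    An OR node left without alternatives simply evaluates to False."""
    alternatives = [body for head, body in rules if head == goal]
    if not alternatives:
        return Node("LEAF", goal)                           # basic attack step
    or_node = Node("OR", goal)
    for body in alternatives:
        if any(atom in path or atom == goal for atom in body):
            continue                                        # prune the cycle
        and_node = Node("AND", " & ".join(body))
        for atom in body:
            and_node.children.append(generate(atom, rules, path | {goal}))
        or_node.children.append(and_node)
    return or_node


def leaves(node: Node) -> Set[str]:
    """Basic attack steps of the tree: the candidate security test cases."""
    if node.kind == "LEAF":
        return {node.label}
    return set().union(*(leaves(c) for c in node.children))


def evaluate(node: Node, leaf_values: Dict[str, bool]) -> bool:
    """Interpret the tree: AND = all children, OR = any child.
    A step that was never tested is treated as not feasible (False)."""
    if node.kind == "LEAF":
        return leaf_values.get(node.label, False)
    results = [evaluate(c, leaf_values) for c in node.children]
    return all(results) if node.kind == "AND" else any(results)


def witness(node: Node, leaf_values: Dict[str, bool]) -> Optional[Set[str]]:
    """Leaves of one successful branch (the explanation), or None if infeasible."""
    if node.kind == "LEAF":
        return {node.label} if leaf_values.get(node.label, False) else None
    if node.kind == "AND":
        found: Set[str] = set()
        for child in node.children:
            part = witness(child, leaf_values)
            if part is None:
                return None
            found |= part
        return found
    for child in node.children:                             # OR: first feasible alternative
        part = witness(child, leaf_values)
        if part is not None:
            return part
    return None


def render(node: Node, depth: int = 0) -> str:
    line = "  " * depth + f"{node.kind} {node.label}"
    return "\n".join([line] + [render(c, depth + 1) for c in node.children])


if __name__ == "__main__":
    tree = generate("goal", RULES)
    print(render(tree))
    # Constructed test results: two steps confirmed, one refuted, rest untested.
    results = {"network_exposed": True, "unpatched": True, "default_creds": False}
    print("feasible:", evaluate(tree, results), "witness:", witness(tree, results))
    results["default_creds"] = True
    print("feasible:", evaluate(tree, results), "witness:", witness(tree, results))
```

Running the block prints the tree and then shows the goal flipping from infeasible to feasible once the third step in the only open AND branch is confirmed; the witness names exactly the leaves a recommendation would have to address, and `leaves(tree)` lists the steps still worth testing. The pruned `pivot_host` branch shows why cycle handling is needed as soon as the model allows a derived fact to depend on itself.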
The specific tasks of the student include the following:
- Overview of the literature on automated attack tree generation;
- Understanding the system and attacker modelling concepts developed in the DOSS project, as well as the envisioned automated penetration testing framework with which the results of this work should be integrated;
- Design and implementation of an automated attack tree generation method within the context given above;
- Design and implementation of automated methods for interpreting attack trees and guiding the process of making the system secure;
- Illustration of the operation of both methods on the example system provided.