Abstract

Attack trees is a simple formalism for describing security threats against a system. From such a description, one can automate the answering of questions such as "Is any attack possible?", "Is special equipment needed for all attacks?" and "What skill level is needed from the attacker?" The original formalism of attack trees (proposed by Bruce Schneier in 1999) does not capture some essential properties of systems, therefore we have extended it in order to be useful. In particular, we allow cycles in the tree (!), and discuss how to solve the synthesis problem in this more general case. We also discuss the problem of answering the problem of how to synthesize the minimum cost of an attack, and how that problem differs from the previously mentioned ones.