Learning Attack Trees by Genetic Algorithms

Attack trees are a graphical formalism for security assessment. They are particularly valued for their explainability and high accessibility without security or formal methods expertise. They can be used, for instance, to quantify the global insecurity of a system arising from the unreliability of its parts, graphically explain security bottlenecks, or identify additional vulnerabilities through their systematic decomposition. However, in most cases, the main hindrance in the practical deployment is the need for a domain expert to construct the tree manually or using further models. This paper demonstrates how to learn attack trees from logs, i.e., sets of traces, typically stored abundantly in many application domains. To this end, we design a genetic algorithm and apply it to classes of trees with different expressive power. Our experiments on real data show that comparably simple yet highly accurate trees can be learned efficiently, even from small data sets.