Attack Cloud

Representing the hierarchical nature of a structure in a tree diagram is very common, but it also has disadvantages. Especially for larger structures (500+ nodes), the tree form is not always the optimal way to present a structure graphically, let alone to make it actionable. In an attempt to provide a better overview of very large attack trees (1.000 to 500.000 nodes) we developed what we refer to as the attack cloud. An attack cloud aims to represent all the steps possible in an attack tree. Because there is often no sense of order in an attack path, linearisation can be misleading. The cloud format allows the user to see which steps are involved in which attacks while still understanding the full context. Steps that pose a higher potential threat are placed closer to the root node at the centre, which creates a logical hierarchy of information. By removing duplicates, this approach could potentially also allow us to view entire attack trees as a threat landscape.

The attack cloud graph is divided into sections based on the main action of a label (for instance In, Make, or Force), giving the user a general idea of the action attached to a node. The placement and colour of a node are based on the combination of all known parameters of that node (for instance cost, time, probability and difficulty). The size of the node represents the number of occurrences of this node. Hovering over a node lets the user inspect all parameters, view the label with its actions, actors and types, and mitigate the threat level of the node by altering the parameters as counter-measures. This can be fed back into the Attack Navigator Map, from which another analysis can be run.
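The layout rules above (sector by main action, node size by occurrence count, distance to the central goal node by threat, and the list of most threatening paths) as a small added example; this is not the project's own code, the attack paths are constructed, and the rule that combines cost, time, probability and difficulty into one threat score is an assumption, since the page does not state it.

```python
import math
from collections import Counter
# Constructed attack paths (not from the page); a step is (label, cost, time,
# probability, difficulty) and the label's first word is its main action.
PATHS = [
    [("In building via visitor entrance", 1, 2, 0.7, 2),
     ("Make copy of access badge", 3, 4, 0.5, 3),
     ("In server room", 2, 1, 0.4, 4)],
    [("Force door of server room", 2, 1, 0.3, 4),
     ("In server room", 2, 1, 0.4, 4)],
    [("In building via visitor entrance", 1, 2, 0.7, 2),
     ("Force door of server room", 2, 1, 0.3, 4),
     ("In server room", 2, 1, 0.4, 4)],
]
def threat_score(cost, time, probability, difficulty):
    # Assumed combination rule (the page gives none): cost, time, difficulty on
    # a 1..5 scale, probability in 0..1; cheap, fast, likely, easy -> near 1.
    return probability * (1 - (cost + time + difficulty - 3) / 12)

def main_action(label):
    return label.split()[0].lower()

def build_cloud(paths):
    # Deduplicate steps, count occurrences (node size), place nodes in polar
    # coordinates: sector by main action, radius by threat score.
    counts, params = Counter(), {}
    for path in paths:
        for label, *p in path:
            counts[label] += 1
            params[label] = p
    actions = sorted({main_action(l) for l in counts})
    sector = 2 * math.pi / len(actions)
    nodes = {}
    for label, n in counts.items():
        score = threat_score(*params[label])
        angle = actions.index(main_action(label)) * sector + sector / 2
        radius = 1.0 - score  # higher threat -> closer to the central goal node
        nodes[label] = {"action": main_action(label), "count": n,
                        "score": round(score, 3), "radius": round(radius, 3),
                        "angle": round(angle, 3)}
    return nodes

def paths_containing(label, paths):
    # Indices of the paths highlighted when hovering over a node.
    return [i for i, p in enumerate(paths) if any(s[0] == label for s in p)]

def rank_paths(paths):
    # Most threatening first; path score = product of its step scores (assumed).
    return sorted(range(len(paths)),
                  key=lambda i: -math.prod(threat_score(*s[1:]) for s in paths[i]))
```

`build_cloud` returns one entry per unique step, so the three paths collapse to four nodes; `rank_paths` gives the order in which the column of most threatening paths would be listed.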

The top row consists of the various types, such as action or actor. The second row shows the type of action or actor. Below the text, a mini-visualisation of all the data that determines the position and colour of the node is displayed: a circle indicating, in colour and number, the general threat score of the node in question, and a bar graph with the four parameters this general threat score is composed of.
Legend to the Attack Cloud visualisation


The XML output from the TreeMaker tool generates labels that are very long and not very ‘human readable’. By restructuring the text into understandable pieces, those labels become much more informative.

Visualisation based on the Cloud case study that was first modelled in the ANM. The ANM generated an attack tree via the TreeMaker tool, which was then converted into linear attack paths. In this example there are three main actions by which the nodes are ordered. The scale of the visualisation adapts automatically to the data presented; here the scale runs between ,30 and ,25. Also, most values in this example were default values, resulting in only two colours (yellow and red), while all shades between those colours would be possible.
A user hovers over one of the nodes and a large tool tip appears. This tool tip contains the label describing the action attached to the node, a circle that indicates in colour and number the general threat score of this node, and a bar graph with the four parameters the general threat score is composed of. Clicking on the node makes the tool tip editable, and the user can edit the node or apply mitigations to it. These are applied by changing the parameters in the tool tip or by dragging the node to a different position in the graph, which updates the parameters. On the right, the 50 most threatening paths are displayed. When hovering over a node in the main graph, the paths in which this node appears are highlighted. To highlight the exact position of the node in the attack path, the node in question is given a white circle.
A user hovers over one of the nodes in the column on the right side of the graph. This “attack path” is highlighted with a grey bar, and the corresponding node appears with a white outline. All nodes that are part of this path draw lines to the ‘goal’ node in the middle of the graph. The colour of these paths indicates difficulty; the colour indicates time.
Example of an attack cloud based on a large attack tree whose main actions are “go to”, “out”, “make”, “execute”, “force”, “in”, and “move”

Explore the interactive version here 
