Linear attack trees

In visualisations, it is widely agreed that it is better to have more simple elements than fewer, complex elements (Tufte, 1990). A tree works well in situations where the structure is fairly simple and small. However, the attack trees that are used in TREsPASS are already more complex than can comfortably be fit on a screen. Working with and studying attack trees from a visualisation point of view, one can question the role of intermediate nodes. Other than being a labelled container for their child nodes, they are not actually steps along the attack path but nevertheless occupy a large part of the attack tree. We can visually simplify attack trees by turning them into linear sequences of their required children. This will result in more paths, but each path will be easier to follow. The simplification and conversion to straight paths benefit readability from a visualisation standpoint. One path now shows a user the steps that need to be taken in a straight and easy to follow line (although it does not usually imply a temporal or causal sequence).
Visualising attacker skills. Red indicates how far an low-skilled attacker could come, orange a medium-skilled attacker and yellow a high-skilled attacker.
Two visualisations of the same attack tree visualised as attack steps on attack traces, both ordered clockwise where the top is the most vulnerable attack trace. On the left, only vulnerabilities are highlighted, while on the right a differentiation is made between physical nodes and virtual nodes.
Three visualisations of the same attack tree as linear paths for each attack trace, each depicting one parameter (cost, time, difficulty). All values of each attack trace are generalised to one total value. They are ordered clockwise where the top is the most vulnerable attack trace.


Stacking Visual Elements

Another legend was also developed in the case that additional parameters to each step may be needed. By mapping different visual elements (thickness and colour to threat level) of a line to a scale of threat, it is possible to modularise this element and stack it to any number of parameters.

Visually, this becomes just as effective as the original legend because a step in which all parameters have a high perceived threat level will stand out much more strongly than a step with a low perceived threat level. When combined to form a path, this legend is very informative on which steps and connections are areas of vulnerability.


The principle of stacking visualisation elements, in this example four parameters. Note that low as well as high can be represented with a thick and red line, depending on the type of parameter.
Top: application of stacking elements to an attack trace in an attack tree. Each parameter has its own space and can be inspected individually. Generally this would be used in a zoomed in detail view. Middle: application of stacking elements to an attack trace in an attack tree. Each node is generalised to the average parameter values. Bottom: Most general view of the attack trace, where the values of each parameter are abstracted to one value.
Alternative view on the same data as the figure above, where the visual elements are stacked without in-between space, therefor adding total height as a visual clue for each node. Also this view can be abstracted depending on zoom-level.