FFORT Attack Trees Input Format

Attack Trees in FFORT are provided in an extended version of the Galileo textual format originally described in the Galileo manual .
The version used in FFORT is extended with additional gates and attributes for repairable attack (maintenance) trees.

We assume familiarity with attack trees and their structure. For an overview, see this paper.

Basic structure

A attack tree is a directed acyclic graph, in which the leaves describe basic attack steps (BAS) and the internal nodes describe gates. One of the root nodes is called the top level event, describing the system failure being analysed.

Unlike standard Galileo, we do not require an AT to have a unique root. This more easily allows the analysis of multiple failure types in one AT, as one only needs to change the top level event.

This structure is encoded as follows: Each non-empty line of a Galileo file describes one node in the FT. The top level event is marked by the special toplevel <name>; line. Gates are described using <name> <gate> <child1> <child2> <...>;. BASes are described as <name> <attr1>=<val1> <attr2>=<val2> <...>;.

Syntax details

Every non-empty line ends with a semicolon. A name is a sequence of letters, numbers, underscores, and/or hyphens. Optionally, a name can be enclosed in double quote marks (FTs in FFORT always do so).

We support the following types of gates (extensions beyond standard Galileo are denoted in blue):

Gate Type Symbol Description
OR or Fails when any child fails.
AND and Fails when all children fail.
K of M (voting) KofM Fails when any K children fail.
sequential-AND sand Sequential AND gate, all child seps must be performed in order (from left to right) sequentially, child steps cannot be performed parralel.

For BASes, we support the following attributes listed in the table below (extensions beyond standard Galileo denoted in blue). We denote the domain of natural numbers, including 0 and Infinity (integers ⊂ [0,inf]) by , and probabilities (real values between 0 and 1, inclusive, [0,1]) by . A 0 or 1 represents a discrete false or true respectively.

Attribute Syntax Domain Description
Probability prob=# Probability of the BAS. This is either a discrete probability (0 or 1 for true or false)
Min cost min_cost=# Minimum amount of cost required of the attacker to perform an attack of this type.
min time (sequential) min_ts=# Minimum amount of time required to perform this BAS, which can only be performed sequentially with other steps.
min time (parallel) min_tp=# Minimum amount of time required to perform this BAS, which can be performed in parallel with other steps.
min skill min_skill=# Minimum skill level that an attacker must have to be able to perform this attack.
max challenge max_challenge=# Maximum challenge level for an attacker to execute the BAS.
max damage max_damage=# Maximum amount of damage experienced by this attack being performed.


An example can be seen below (the HECS-1-1 FT from FFORT), with the graphical representation on the left and the Galileo description on the right.

toplevel "System";
"System" or "Processor" "Memory" "Bus" "Interface";
"Processor" and "PG1" "PG2";
"PG1" wsp "P1" "Ps";
"PG2" wsp "P2" "Ps";
"Memory" 3of5 "M1" "M2" "M3" "M4" "M5";
"Bus" and "B1" "B2";
"Interface" or "Hw" "SW";
"P1" lambda=1.0e-4;
"P2" lambda=1.0e-4;
"Ps" lambda=1.0e-4 dorm=0.4;
"M1" lambda=6.0e-5;
"M2" lambda=6.0e-5;
"M3" lambda=6.0e-5;
"M4" lambda=6.0e-5;
"M5" lambda=6.0e-5;
"B1" lambda=1.0e-6;
"B2" lambda=1.0e-6;
"HW" lambda=5.0e-5;
"SW" lambda=6.0e-5;

Failure time distributions

The failure times of basic events can be governed by several probability distributions. We currently support discrete probabilities, exponential distributions, and Erlang distributions, as well as combinations of the discrete distribution with the others.

A discrete distribution is governed by a single failure probability p. If the event fails, it is failed for the entire time being analysed (i.e., it's failure time is 0, and it cannot be repaired).

An exponential distribution is governed by a failure rate λ, specifying that the probability of the basic event failing before time T follows the equation P(T ≤ t) = 1-e-λt.

An Erlang distribution is governed by a number of phases N and a failure rate λ, specifying that failure of the event occurs after N successive exponential distributions have expired, each with rate λ.

A combined distribution is formed when both a failure probability p and time distribution D are specified. In this case, with probability 1-p, the BE never fails. With probability p, the BE fails at times as specified by the distribution D.