Event/Attack Trees: Unified Risk Analysis

Updated 11 January 2026
  • Event/attack trees are formal graphical models that represent and analyze malicious actions, accidental faults, and defensive interventions in complex systems.
  • These models employ logical gates such as AND, OR, threshold voting, and inhibition to propagate probabilities and capture dependencies between attack steps, component failures, and defenses.
  • They enable both qualitative minimal cut set analysis and quantitative risk computation, supporting resilience assessment in cyber-physical and mission-critical infrastructures.

Event/attack trees are formal graphical models used to systematically represent, analyze, and quantify the pathways by which a system can be compromised, can fail, or can be protected, covering malicious actions, accidental faults, and defensive interventions. Evolving from classical attack trees, which capture only the hierarchical decomposition of attacker goals into sub-goals, modern event/attack tree frameworks such as attack-fault-defense trees (AFDTs) integrate attack vectors, fault events, and defense mechanisms within a unified, formally specified structure. These models support both qualitative analyses (e.g., minimal cut sets) and quantitative evaluations (e.g., risk, probability of system compromise), and are foundational in cyber-physical risk management, where security, safety, and defense are deeply interconnected (Soltani et al., 1 Apr 2025).

1. Formal Foundations and Syntax

An event/attack tree is formally represented as a rooted, directed acyclic graph in which nodes denote events—distinguishing between basic attack steps (BAS), basic component failures (BCF), basic defense steps (BDS), and intermediate or top-level events (INT). The graph structure is enhanced by gates, including AND, OR, threshold voting (VOT(k,n)), and inhibition (INH) connectors. Formally, an AFDT is a tuple

$$A = (N, E, \lambda, \Gamma, \rho, \pi)$$

where:

  • $N$ is the set of nodes,
  • $E \subseteq N \times N$ is the parent–child relation,
  • $\lambda: N \to \{\mathrm{BAS}, \mathrm{BCF}, \mathrm{BDS}, \mathrm{INT}\}$ is the node labelling function,
  • $\Gamma$ assigns gate semantics to INT nodes (AND, OR, VOT, INH),
  • $\rho: \mathrm{BAS} \cup \mathrm{BCF} \to [0,1]$ assigns the probability of occurrence (successful attack or failure),
  • $\pi: \mathrm{BDS} \to [0,1]$ assigns the defense success probability.

Gate semantics propagate probabilities bottom-up; for an INT node $n$ with children $c_1, \ldots, c_m$:

  • AND: $P(n) = \prod_{i=1}^m P(c_i)$,
  • OR: $P(n) = 1 - \prod_{i=1}^m (1 - P(c_i))$,
  • VOT(k,m): $P(n) = \sum_{J \subseteq \{1,\ldots,m\},\ |J| \ge k} \prod_{i \in J} P(c_i) \prod_{i \notin J} (1 - P(c_i))$,
  • INH (event $A$, defense $D$): $P(n) = P(A) \cdot (1 - P(D))$ (propagation is blocked if the defense succeeds).

This formalism enables precise specification of concurrent, sequential, and defensive dependencies.

2. Structural Taxonomy and Semantics

Event/attack trees generalize classical attack and fault trees by categorizing nodes as follows:

  • BAS: Atomic attack steps (e.g., MITM, DDoS).
  • BCF: Component failures (e.g., hardware bug).
  • BDS: Defensive/mitigation actions (e.g., DDoS protection).
  • INT: Intermediate event aggregators, each with a gate.

Gates express the logical and probabilistic dependencies:

  • AND/OR: Boolean logic (all/any children must activate).
  • VOT(k/n): Redundancy modeling (at least $k$ out of $n$ children must trigger).
  • INH: Inhibition modeling (defense blocks attacker/fault propagation).

Mixing BCF and BAS under a single gate models intertwined safety and security failures. For example, a VOT(2/3) gate with two BAS and one BCF child expresses vulnerabilities arising from combinations of attacks and accidental faults.

3. Construction Methodology

Event/attack tree development, as exemplified in (Soltani et al., 1 Apr 2025), follows a rigorous, expert-driven workflow:

  1. Define Top-Level Event (TLE): Specify the root system-level compromise or failure.
  2. Elicit Attack/Failure Pathways: Identify distinct failure/attack vectors.
  3. Catalog Leaf Events (BAS/BCF): Enumerate atomic actions and failures.
  4. Introduce Defenses (BDS/INH): Explicitly model protective mechanisms and their inhibition relations.
  5. Assemble Gates: Organize intermediate nodes using appropriate gate types, including voting and inhibition gates.
  6. Iterate & Validate: Refine and validate with domain experts, ensuring each modeled pathway corresponds to realistic scenarios.

This methodology supports top-down decomposition and interdisciplinary review, facilitating thorough resilience assessment.

4. Qualitative and Quantitative Analysis

Minimal Cut Set (MCS) Analysis

A minimal cut set is a subset of leaves whose joint activation guarantees TLE activation and from which no leaf can be removed without losing that guarantee. In AFDTs, the minimal cut sets change depending on which defenses are active: the removal or enlargement of cut sets is directly attributable to the presence or absence of specific defenses.

Typical example:

  • $\mathrm{MCS}_1 = \{\text{MITM}\}$, eliminated by E2E encryption.
  • $\mathrm{MCS}_2 = \{\text{DDoS}\}$, eliminated by DDoS protection.
  • $\mathrm{MCS}_3 = \{\mathrm{AS}_1, \mathrm{AS}_2\}$, eliminated by segmentation.

Probability Calculation

Under independence, the probability of the TLE can be recursively computed using gate semantics, or approximated via cut set multiplicities:

$$P(\mathrm{TLE}) \approx 1 - \prod_{c \in \text{leaves}} (1 - P(c))^{m_c}$$

where $m_c$ is the multiplicity of leaf $c$ across the minimal cut sets. For subtrees with inhibition (e.g., DDoS defended by DDoS protection, DP),

$$P_{\mathrm{DDoS\_sub}} = p_D \cdot (1 - q_{DP})$$

where $p_D$ is the attack/failure probability and $q_{DP}$ the defense success probability.

5. Case Study: Safety-Security Interactions and Defense Effects

Applied to the Ground Segment for satellite missions:

  • Vulnerabilities: Network attacks (e.g., MITM, DDoS) interact with cloud and hardware failures (e.g., unpatched updates, hardware bugs), enabling compromise of telecommand flows.
  • Compound Scenarios: Credential compromise emerges from side-channel and procedural errors; malicious code injection coincides with misconfigurations.
  • Defense Effectiveness:
    • E2E encryption obviates the MITM cut set.
    • DDoS protection removes the DDoS cut set.
    • Segmentation eliminates MCSs involving multiple App-Server nodes.
    • MFA and timestamp authentication defend composite attack–fault pathways.

Residual unprotected events are exposed explicitly, guiding future defensive investment.

6. Comparative Evaluation and Limitations

Event/attack trees, and especially AFDTs, extend traditional attack tree expressiveness by:

  • Incorporating accidental failures (BCFs) and modeling interactions with deliberate attacks (BASs).
  • Capturing defense steps (BDS) and facilitating localized, probabilistic countermeasure modeling (INH gates).
  • Unifying safety, security, and defense logic under a single formal semantics.

Advantages:

  • Enables fine-grained what-if and resilience trade-off analysis.
  • Supports voting/threshold redundancy analysis natively.
  • Integrates quantitative risk metrics seamlessly.

Limitations:

  • Model complexity and parameter elicitation scale rapidly with system size.
  • Independence assumptions (crucial for bottom-up probability calculation) may not hold—correlated failures/attacks complicate analysis.
  • Advanced gates (VOT, INH) and interactions demand automated tool support and rigorous formal evaluation.

7. Broader Impact on Cyber-Physical Risk Management

Event/attack trees have become essential in engineering reliable satellite ground segments, autonomous vehicles, electrical grids, and other mission-critical cyber-physical systems. By jointly modeling attacks, faults, and defenses, these frameworks enable system architects and analysts to quantitatively reason about complex, interdependent risk domains. This supports informed decision-making for resilience investment, mitigation prioritization, and interdisciplinary collaboration between safety engineers, security experts, and operational stakeholders (Soltani et al., 1 Apr 2025).
