Papers
Topics
Authors
Recent
Search
2000 character limit reached

Evidence-Guided Attack Tree Search

Updated 4 July 2026
  • Evidence-Guided Attack Tree Search (EGATS) is a methodology that constructs and refines attack trees using empirical evidence from logs, the MITRE ATT&CK framework, and exploit validations.
  • It leverages evidence to constrain admissible structures, parameterize leaves with quantitative metrics, and guide online search via techniques like Monte Carlo tree search.
  • EGATS supports more efficient security analysis by integrating formal semantics, evidence-based scoring, and optimized search strategies into attack tree synthesis.

“Evidence-Guided Attack Tree Search” (EGATS; Editor’s term) can be understood as a family of methods in which attack-tree construction, parameterization, and exploration are constrained by empirical evidence rather than specified entirely by hand. In recent work, the evidence takes several forms: attack event logs mined into Process Trees and translated into trace-equivalent attack trees; MITRE ATT&CK campaign frequencies converted into tactic-conditioned likelihoods; white-box exploit validations attached to state transitions; and judge or model-probability signals used to steer Monte Carlo tree search. Under this interpretation, EGATS is not a single canonical algorithm but a unifying view of attack-tree synthesis and analysis in which evidence restricts admissible structure, quantitative annotations prioritize alternatives, and search procedures exploit those annotations to rank or prune candidate attacks (Konsta et al., 2024, Nicoletti et al., 2024, Tung et al., 30 Jan 2026, Li et al., 24 Nov 2025).

1. Conceptual basis

Attack trees are a graphical model of security used to study threat scenarios, but manual construction is labor-intensive. Evidence-guided approaches address that limitation by deriving or constraining tree structure from observations rather than relying exclusively on expert decomposition. In the process-mining setting, attack logs are summarized into a Process Tree and then translated deterministically into an attack tree. In the MITRE setting, campaign intelligence is normalized into tactic–technique structures with empirical likelihoods. In white-box cyber-range planning, validated exploits define a state-transition graph whose exploration induces an implicit attack tree. In LLM jailbreak search, the tree is over prompt-rewrite strategies, and node values are derived from harmfulness, responsibility, and co-relevance evidence (Konsta et al., 2024, Nicoletti et al., 2024, Tung et al., 30 Jan 2026, Li et al., 24 Nov 2025).

A central distinction in this literature is where the “search” occurs. In “Attack Tree Generation via Process Mining,” the method does not search or optimize over multiple alternative attack trees explicitly; instead, it searches over process models via process discovery parameters and then applies a single deterministic translation proven correct via trace semantics. By contrast, the MITRE and MCTS-based lines of work make the search dimension explicit: they either evaluate alternative tree instantiations under quantitative metrics or traverse a tree of actions and states using UCT or PUCT-style policies (Konsta et al., 2024, Nicoletti et al., 2024, Tung et al., 30 Jan 2026, Li et al., 24 Nov 2025).

This suggests a useful conceptual partition of EGATS into three layers. First, evidence can determine which structures are admissible. Second, evidence can parameterize leaves or subgoals with probabilities, costs, times, or confidence values. Third, evidence can alter online exploration priorities by changing node priors, edge values, or pruning decisions. The literature covers all three layers, but not always within one unified framework.

2. Evidence sources and construction pipelines

One evidence source is the event log of attack executions. In the process-mining pipeline, a log is a collection of cases, each case corresponds to one attack instance, and each case is a sequence of events whose minimum required attributes are case id and activity. Logs are converted to XES and processed by the Inductive Miner, whose noise threshold controls whether infrequent behaviors are retained or filtered. The output Process Tree is then translated structurally into an attack tree and exported to RisQFLan format, so the resulting model is evidence-backed at the log level and configurable through mining parameters (Konsta et al., 2024).

A second evidence source is MITRE ATT&CK campaign intelligence. “How hard can it be? Quantifying MITRE attack campaigns with attack trees and cATM logic” constructs empirical conditional probabilities

PEA=Pr(EA)P_{E \mid A} = \Pr(E \mid A)

from all recorded Enterprise campaigns, where EE is a technique or sub-technique and AA is a tactic. The paper normalizes coarse-grained, fine-grained, and mixed parent/sub-technique annotations before computing these frequencies, then instantiates template attack trees in hard, default, and easy variants. The result is a deterministic, data-driven attack-tree model aligned with the ATT&CK hierarchy tactics \rightarrow techniques \rightarrow sub-techniques, with evidence entering both as structural inclusion and as leaf likelihoods (Nicoletti et al., 2024).

A third evidence source is exploit validation in a real environment. In AEGIS, the reconnaissance scanner produces software inventory and a directed connectivity graph; the exploit searcher collects CVE-based and non-CVE candidates; and the exploit validator executes each candidate using a Terminal Use Agent. Success is confirmed through white-box filesystem checks, and each validated exploit is summarized as

a=(exec,conn,result,p),a = (exec, conn, result, p),

where execexec is the required shell set, connconn captures connectivity requirements, resultresult is the shell set gained on success, and p[0,1]p \in [0,1] is a confidence score. Only empirically validated exploits become edges in the attack graph used for subsequent planning, so the search space is explicitly evidence-pruned before search begins (Tung et al., 30 Jan 2026).

A fourth evidence source is node-local behavioral evidence in strategy trees. In ACE-Safety, a state is

EE0

where EE1 is the original malicious query, EE2 is a group of rewritten queries, EE3 the defender outputs, and EE4 the judge scores. Priors over strategy actions are computed from attacker log-probabilities and defender refusal likelihoods, while node rewards use group-evaluated harmfulness. Although this setting is not a classical infrastructure attack tree, it is an explicit realization of evidence-guided tree exploration in which observed model behavior changes action priors and backpropagated values (Li et al., 24 Nov 2025).

3. Formal semantics and expressive operators

The formal basis of EGATS depends on the semantics assigned to attack-tree operators. In “Attack Tree Generation via Process Mining,” attack trees are defined by

EE5

with a trace semantics EE6 compatible with RisQFLan. Sequence in the source Process Tree is translated into sequential conjunction in the attack tree, parallel composition into AND, inclusive choice into OR, and exclusive choice into XOR, with internal EE7-labeled nodes introduced because Process Tree inner nodes do not carry goal labels. The key theorem is trace equivalence:

EE8

This gives a semantics-preserving bridge from evidence-induced process models to attack trees (Konsta et al., 2024).

Sequential structure is not an implementation detail but a semantic extension with its own theory. “Attack Trees with Sequential Conjunction” introduces SAND attack trees as closed terms over EE9 and interprets them as sets of series-parallel graphs. The semantics maps AA0 to set union, AA1 to parallel composition, and AA2 to sequential composition. The paper proves a complete axiomatization of this semantics, defines normal forms, and gives a term rewriting system that is strongly terminating and confluent. For EGATS, this matters because semantically equivalent trees can be normalized to a canonical form, which is directly useful for deduplication and state-space control in search (Jhawar et al., 2015).

Quantitative analysis requires an additional semantic layer. “Efficient and Generic Algorithms for Quantitative Attack Tree Analysis” classifies models along two dimensions—proper trees versus DAGs, and static versus dynamic gates—and defines minimal attacks for static trees as subsets of BAS and for dynamic trees as posets of BAS. Metrics are then defined compositionally over semiring or dynamic semiring attribute domains. In the dynamic case, the semantic object is not just a set of leaves but a partial order whose maximal chains and connected components determine how AA3, AA4, and AA5 compose values (Lopuhaä-Zwakenberg et al., 2022).

A plausible implication is that EGATS is best viewed as a semantics-first methodology. Evidence can change the admissible structures or the numerical attributes, but the meaning of refinement operators must remain stable if quantitative search results are to be interpretable.

4. Quantitative scoring and evidence propagation

The quantitative layer of EGATS turns evidence into search guidance. In the generic framework of “Efficient and Generic Algorithms for Quantitative Attack Tree Analysis,” a static attribute domain is AA6, while a dynamic attribute domain is AA7. This abstraction subsumes metrics such as minimum cost, minimum time, minimum skill, maximal damage, attack probability of the most likely path, k-top metrics, Pareto fronts, and uncertainty intervals. The attack-tree value is computed by combining leaf attributions within attacks and then aggregating across attacks, with the precise operators determined by the chosen domain (Lopuhaä-Zwakenberg et al., 2022).

In the MITRE campaign setting, the principal quantitative object is the max-probability metric under the semiring

AA8

together with the derived security index

AA9

Here, higher \rightarrow0 means lower probability of success and therefore greater security under the model. The hard, default, and easy templates induce a security range \rightarrow1. For Wocao, the paper reports easy/default/hard/custom values \rightarrow2, \rightarrow3, \rightarrow4, and \rightarrow5; for Dream Job, \rightarrow6, \rightarrow7, \rightarrow8, and \rightarrow9. The custom models lie within the template-derived ranges, and the default-template ordering agrees with the custom-model ordering for these two campaigns (Nicoletti et al., 2024).

The same work introduces cATM as a metric-aware logic for attack-tree queries. Its second layer allows formulas of the form

\rightarrow0

so quantitative reasoning can both inspect sub-attack values and override node attributes with intervals. This is important for evidence-guided analysis because the tree need not be rebuilt when evidence changes; instead, the attribution can be refined inside the query semantics. The paper uses 3-valued semantics \rightarrow1, with \rightarrow2 capturing the indeterminate region created by interval-valued metrics (Nicoletti et al., 2024).

In AEGIS, the quantitative signal is simpler but operationally decisive. The confidence score \rightarrow3 obtained during exploit validation initializes edge values, and finite-horizon value iteration uses

\rightarrow4

with \rightarrow5 and horizon \rightarrow6. On failure from a given state, the corresponding state–action value is set to \rightarrow7, effectively suppressing that branch at that state in later search. In ACE-Safety, the analogous role is played by harmfulness, responsibility, and co-relevance scores, with \rightarrow8 used for search reward and group- and tree-aware normalized rewards used for RL updates (Tung et al., 30 Jan 2026, Li et al., 24 Nov 2025).

5. Search procedures and computational regimes

Evidence-guided search appears in several algorithmic regimes. In process-mining-based construction, the search bias is indirect: the user adjusts mining parameters such as the Inductive Miner’s noise threshold, thereby selecting one Process Tree that balances fitness, generalization, and simplicity before deterministic translation. The translation itself is structurally recursive and essentially linear in the size of the Process Tree. On 1,000 random models for each of three configurations, the reported average translation times are \rightarrow9 ms, a=(exec,conn,result,p),a = (exec, conn, result, p),0 ms, and a=(exec,conn,result,p),a = (exec, conn, result, p),1 ms, with maximum times a=(exec,conn,result,p),a = (exec, conn, result, p),2 ms, a=(exec,conn,result,p),a = (exec, conn, result, p),3 ms, and a=(exec,conn,result,p),a = (exec, conn, result, p),4 ms. This makes translation inexpensive relative to discovery, so the principal evidence-guided choice lies upstream in model discovery rather than downstream in tree synthesis (Konsta et al., 2024).

For classical quantitative attack trees, tree-structured static and dynamic models admit linear-time bottom-up evaluation over generic semiring domains. DAG-structured static attack trees are harder: the paper proves NP-hardness for general metric computation, then gives a BDD-based algorithm whose runtime is linear in BDD size rather than tree size. The BDD formulation also supports k-top analysis through shortest-path style computation on the decision diagram. Dynamic DAGs are left as an open problem, so the efficient exact regime currently covers tree-structured SATs and DATs and BDD-representable static DAGs (Lopuhaä-Zwakenberg et al., 2022).

In real-environment exploit planning, AEGIS uses Monte Carlo Tree Search with UCT. Selection uses an exploration weight a=(exec,conn,result,p),a = (exec, conn, result, p),5, chosen to favor exploitation because actions cost a=(exec,conn,result,p),a = (exec, conn, result, p),6–a=(exec,conn,result,p),a = (exec, conn, result, p),7 minutes each. Expansion follows execution rather than preceding it, because the successor state is only known after the exploit runs in the environment. The state is a set of held shells a=(exec,conn,result,p),a = (exec, conn, result, p),8, with a=(exec,conn,result,p),a = (exec, conn, result, p),9, so each tree node is already a compact summary of accumulated capabilities. This is not a classical AND/OR tree, but it is an evidence-guided search tree over attack states whose branching factor is restricted to previously validated actions (Tung et al., 30 Jan 2026).

In ACE-Safety, GS-MCTS makes the search policy itself evidence-driven. The prior over actions is

execexec0

where execexec1 and execexec2 are softmax-normalized attacker and defender signals. Action selection then uses a PUCT rule combining execexec3, execexec4, and visit counts. Expansion is group-aware: rather than a single rollout, the method samples a group of execexec5 rewrites and evaluates all of them, taking

execexec6

as node reward. This design makes the search robust to LLM stochasticity and explicitly couples structural exploration to observed model behavior (Li et al., 24 Nov 2025).

Taken together, these regimes show that EGATS does not require a single search primitive. It may use parameterized discovery, exact dynamic programming, BDD compaction, or MCTS, provided that evidence enters the mechanism that restricts, scores, or orders the explored structures.

6. Limitations, misconceptions, and open problems

A recurring misconception is that evidence guidance automatically yields explicit optimization over a space of attack trees. The process-mining pipeline shows otherwise: evidence may constrain the model class through discovery parameters, while the final attack tree is obtained by a single semantics-preserving transformation. In that setting, “search” occurs at the process-discovery stage, not at the attack-tree level (Konsta et al., 2024).

A second misconception is that evidence-derived probabilities are calibrated estimates of real-world frequency. The MITRE campaign work explicitly relies on publicly known, successful campaigns and adopts a frequentist interpretation in which past observed frequencies approximate future likelihoods. It also assumes independence when multiplying BAS probabilities. The authors therefore characterize the resulting security index primarily as a comparative device for transparent and accountable quantitatively-informed decisions, not as an unbiased estimate of ground-truth attack probability (Nicoletti et al., 2024).

Expressivity also remains bounded. The process-mining translation does not provide final handling of the loop operator execexec7, which is acknowledged as out of scope. SAND attack trees, while formally well-founded, use a series-parallel semantic domain; arbitrary non-series-parallel partial orders are not represented exactly. Efficient generic analysis of DAG-structured dynamic attack trees remains open. These constraints delimit what current EGATS-style formalisms can encode without resorting to heavier model-checking or ad hoc extensions (Konsta et al., 2024, Jhawar et al., 2015, Lopuhaä-Zwakenberg et al., 2022).

Operational systems inherit domain-specific limits. AEGIS is primarily limited to CVE-based exploits with public proof-of-concepts and does not generate persistence mechanisms, OT attacks, or threat-actor-coherent paths. ACE-Safety uses relatively shallow search with a simple reward based on execexec8, and its limitations section notes that benchmark-focused evaluation may miss nuanced real-world adversarial behaviors. These points suggest that evidence-guided search remains strongly dependent on the fidelity of its evidence model, whether that model is a log, an ATT&CK corpus, a validation oracle, or a judge LLM (Tung et al., 30 Jan 2026, Li et al., 24 Nov 2025).

The current literature therefore supports a precise but bounded interpretation of EGATS. Evidence can already govern structure induction, leaf attribution, and online search in technically rigorous ways. What remains incomplete is a fully unified framework that simultaneously handles structural uncertainty, rich temporal dependencies, probabilistic updating, and scalable exploration over dynamic DAG-like attack models.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Evidence-Guided Attack Tree Search (EGATS).