Hierarchical Attack Representation Model (HARM)
- HARM is a hierarchical cybersecurity framework that decomposes attack scenarios into modular events, offering both qualitative and quantitative insights.
- It employs DAG and tree structures with Boolean connectors to model logical dependencies and aggregate risk using probability formulas.
- HARM is significant for enabling scalable, stakeholder-friendly analysis in multi-domain environments, enhancing penetration testing and risk assessment.
The Hierarchical Attack Representation Model (HARM) is an advanced paradigm in cybersecurity modeling that integrates layered, structured techniques for decomposing, quantifying, and analyzing attack scenarios across complex systems. Conceptually, HARM builds on the hierarchical divide-and-conquer strategy, formalizes multi-level attack paths, and supports both qualitative and quantitative reasoning about threats and defenses. Its lineage, as evidenced by contemporary survey and modeling work, encompasses directed acyclic graph (DAG)-based methodologies, layered attack graphs and trees, metric-driven formalism, and multi-domain application—from IT networks to distributed control systems.
1. Foundations in DAG-Based Security Modeling
HARM draws its structural and analytical principles from the body of DAG-based attack and defense modeling, which articulates scenarios as acyclic, hierarchical decompositions (Kordy et al., 2013). Key features include:
- Progressive refinement: attack scenarios originate from a root event and are recursively decomposed into subgoals or basic actions, forming a modular hierarchy.
- Node semantics: each node reflects an event, vulnerability, or defense, and edges model logical, temporal, or probabilistic dependencies.
- Boolean connectors: AND, OR, priority AND, or k-out-of-n nodes encode alternative strategies and required conjunctions.
- Quantification capabilities: several formalisms (e.g., Bayesian attack graphs, BDMPs) permit annotation of nodes with metrics like cost, probability of success, and mean time to attack.
These representational choices enable efficient bottom-up calculation of global risk or defense posture, while the acyclic nature allows modularity and scalability. HARM extends these ideas by integrating complementary views—attack sequences, misuse case maps, and defense mappings—thus ensuring stakeholder-friendly and rigorous analysis.
2. Taxonomy and Selection of Hierarchical Formalisms
The diversity of hierarchical attack modeling approaches is mapped via a taxonomy considering:
| Aspect | Example Options | Relevance to HARM |
|---|---|---|
| Orientation | Attack, Defense, Both | HARM generally requires a combined view |
| Temporal Modeling | Static, Sequential | Hierarchy may encode order/trigger logic |
| Quantification | Yes/No/Versatile | Enables metrics (probability, cost) |
| Structure | Tree, DAG | Tree for refinement, DAG for dependencies |
| Formalization Level | Informal–Formal | HARM balances visual and quantitative modeling |
This taxonomy can be used to filter and select the appropriate methodology for HARM instantiation, depending on user requirements for defense modeling, formal analysis, or scalability (Kordy et al., 2013).
3. Core Structural Properties and Mathematical Formulation
Typical hierarchical attack representations employ graph-theoretic and probabilistic formulas that propagate attributes up the tree/DAG structure. For instance, a classical formula for attack success probability in a node is:
where are probabilities of child node attacks. This formula characterizes how sub-components aggregate risk in stochastic models. Diagrams use tree structures with AND/OR connectors, visually mapping refinement and dependencies.
Structural modularity is central: global scenarios (root) are refined through connectors into leaf-level atomic attack steps, permitting the recombination of manageable chunks for computational analysis.
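The bottom-up aggregation described in this section, as an added example that is not part of the original page. It assumes independent leaf events and the standard rules (AND multiplies child probabilities, OR is one minus the product of their complements, k-out-of-n generalizes both), and compares that propagation with an exact calculation on a small DAG in which one leaf is shared by two branches. All node names and probabilities are constructed.

```python
from itertools import product
from math import prod

# Constructed model: a node is ("LEAF", p) or (gate, children); gate is "AND", "OR" or ("KOFN", k).
MODEL = {
    "root":        ("OR",  ["path_web", "path_vpn"]),
    "path_web":    ("AND", ["phish_cred", "exploit_web"]),
    "path_vpn":    ("AND", ["phish_cred", "bypass_mfa"]),  # reuses phish_cred
    "phish_cred":  ("LEAF", 0.5),
    "exploit_web": ("LEAF", 0.4),
    "bypass_mfa":  ("LEAF", 0.2),
}

def need(gate, n):
    """Children that must succeed: AND = all n, OR = one, ("KOFN", k) = k."""
    return n if gate == "AND" else 1 if gate == "OR" else gate[1]

def at_least(k, probs):
    """P(at least k of the independent events occur), by dynamic programming."""
    dist = [1.0]  # dist[j] = P(exactly j successes among the events seen so far)
    for p in probs:
        dist = [a * (1 - p) + b * p for a, b in zip(dist + [0.0], [0.0] + dist)]
    return sum(dist[k:])

def propagate(model, name):
    """Bottom-up aggregation that treats every gate's children as independent."""
    gate, arg = model[name]
    if gate == "LEAF":
        return arg
    probs = [propagate(model, child) for child in arg]
    return at_least(need(gate, len(probs)), probs)  # AND: product; OR: 1 - prod(1 - p)

def holds(model, name, state):
    """Truth value of a node under one True/False assignment of the leaves."""
    gate, arg = model[name]
    if gate == "LEAF":
        return state[name]
    return sum(holds(model, child, state) for child in arg) >= need(gate, len(arg))

def exact(model, name):
    """Exact probability by enumerating all 2^n leaf assignments (small models only)."""
    leaves = [n for n, node in model.items() if node[0] == "LEAF"]
    total = 0.0
    for bits in product([False, True], repeat=len(leaves)):
        state = dict(zip(leaves, bits))
        if holds(model, name, state):
            total += prod(model[n][1] if state[n] else 1 - model[n][1] for n in leaves)
    return total

print("bottom-up:", round(propagate(MODEL, "root"), 4), "exact:", round(exact(MODEL, "root"), 4))
```

On a pure tree the two functions agree. On this DAG the shared `phish_cred` leaf is counted once per branch by the bottom-up pass, so it overstates the root risk relative to the exact value.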
4. Comparative Analysis: HARM vs DAG-Based Methods
While HARM provides a generalized hierarchical model, certain DAG-based approaches (notably BDMPs, unified parameterizable attack trees) incorporate advanced features such as time-order, embedded defense actions, and triggers. HARM explicitly combines symbolic (e.g., attack patterns and sequences) and quantifiable (attack trees, defense maps) representations to provide a multi-perspective picture of both attacks and system architecture (Kordy et al., 2013).
Many DAG-based methods focus primarily on either qualitative modeling (basic attack trees) or quantitative computation (Bayesian networks), whereas HARM emphasizes both, bridging informal graphical intuition and rigorous metric propagation for stakeholder usability.
5. Quantitative and Visual Analysis Tools
Attack representation models leverage both mathematical formulas and visual diagrams for analysis and communication. Hierarchical diagrams clarify the refinement process and connector logic, while formulas enable risk aggregation and predictive metrics. For models supporting quantitative propagation, LaTeX expressions such as:
and visual threat trees with labeled nodes and connectors enhance model interpretability for qualitative and quantitative analysis alike.
These tools bridge intuition (for stakeholders) and analysis (for practitioners), supporting HARM's emphasis on comprehensive and accessible modeling.
6. Selection Criteria and Practical Deployment
Adopting an appropriate hierarchical attack representation method—whether for HARM or related formalisms—requires assessment of modeling focus (attack-only, defense-embedded), quantification needs, formalization rigor, usability (tool support, case studies), and scalability (Kordy et al., 2013).
For applications necessitating detailed mapping of defenses, sequential dependencies, and quantitative risk (e.g., penetration testing, risk analysis), models such as attack-defense trees, BDMPs, or parameterizable attack trees are recommended. Taxonomy tables in the literature serve as pre-screening matrices, guiding the selection of the best fit for a given system and objective.
7. Impact and Significance of HARM in Comprehensive Security Modeling
HARM and its underpinning hierarchical formalisms provide a systematic framework for decomposing, analyzing, and mitigating complex attack scenarios. They address limitations of flat or single-layer approaches (state-space explosion, lack of countermeasures, poor scalability) and enable both qualitative and quantitative assessment across heterogeneous and evolving environments.
The integration of formal mathematical underpinnings with visual and narrative modeling augments communication among stakeholders while supporting predictive, risk-driven security operations.
This approach drives advancements in automated security assessment, penetration testing, and real-time decision support, as evidenced by the broad survey and taxonomy of DAG-based graphical security models (Kordy et al., 2013). The balance of clarity, modeling power, and quantitative analysis positions HARM as a cornerstone methodology for critical infrastructure, enterprise networks, and cyber-physical system security.