Information technology (IT) security risk analysis preventatively helps organizations in identifying their vulnerable systems or internal controls. Some researchers propose expert systems (ES) as the solution for risk analysis automation since risk analysis by human experts is expensive and timely. By design, ES need a knowledge base, which must be up to date and of high quality. Manual creation of databases is also expensive and cannot ensure stable information renewal. These facts make the knowledge base automation process very important. This paper proposes a novel method of converting attack trees to a format usable by expert systems for utilizing the existing attack tree repositories in facilitating information and IT security risk analysis. The method performs attack tree translation into the Java Expert System Shell (JESS) format, by consistently applying ATTop, a software bridging tool that enables automated analysis of attack trees using a model-driven engineering approach, translating attack trees into the eXtensible Markup Language (XML) format, and using the newly developed ATES (attack trees to expert system) program, performing further XML conversion into JESS compatible format. The detailed method description, along with samples of attack tree conversion and results of conversion experiments on a significant number of attack trees, are presented and discussed. The results demonstrate the high method reliability rate and viability of attack trees as a source for the knowledge bases of expert systems used in the IT security risk analysis process.
Read full abstract