We use proprietary and third party´s cookies to improve your experience and our services, identifying your Internet Browsing preferences on our website; develop analytic activities and display advertising based on your preferences. If you keep browsing, you accept its use. You can get more information on our Cookie Policy

# Revision history [back]

### Inconsistencies in logical/topological attack graphs/paths

I'm facing a problem with understanding attack graphs, attack paths in both: logical and topological view - I conisder generated graphs are inconsistent.

### Example 1

Firstly I tried to analyze this input file from examples: https://github.com/fiware-cybercaptor/cybercaptor-client/blob/master/doc/dataSet.xml

I uploaded the xml and generated graph with no errors or warnings. Graph has only one attack path.

Example 1a: Logical Attack Graph + Attack Path

As far as I understand Attack Path differs from Attack graph in that way the directed arcs/arrows are aimed at opposite direction. In a Graph theory a Path is a subgraph of a Graph. The problem is that both generated logical graphs (attack path and attack graph) are structurally different: Major differences are marked on the picture above. A subpath containing most important vertex (the attack indicator - rule execCode()) is marked green. Marked vertices (green and purple) are directly connected to that subpath on the Attack Graph, but not on the Attack Path. Why?

Example 1b: Topological Attack Graph + Attack Path

The structure of topological attack graph and attack path have different direction of edges. Why?

### Example 2

Second example is from this appendix: https://github.com/fiware-cybercaptor/cybercaptor-data-extraction/blob/master/doc/topology-file-specifications.md [end of the page]

There are generated 2 attack paths - only first is considered. Example 2 (three screenshots): Logical and topological view of attack path and topological attack graph

Logical attack path shows that the consequence of an attack is code execution on linux-user-2 execCode('linux-user-2', user) - which is show and marked with a rectangle. Topological attack path shows that the target is linux-user-1. This looks like contradiction of targets! Isn't it?

Bottom screenshot show topological view of attack graph where one of the targets is linux-user-2.

For me these observed differences are crucial and discredit whole attack graph analysis. Please correct me if I'm wrong, maybe I understand these graphs in wrong way, so please explain me the process of reading the results - how and why these graphs are so different. I'm desirious to involve myself into this project, it's great and after 2 weeks of fiddling with it I've got with many ideas how to improve it. If these issues are real please guide me how to fix them.