Skip to main content
To KTH's start page To KTH's start page

MAL (the Meta Attack Language)

A Domain Specific Language for Probabilistic Threat Modeling and Attack Simulations

Attack simulations may be used to assess the cyber security of systems. In such simulations, the steps taken by an attacker in order to compromise sensitive system assets are traced, and a time estimate may be computed from the initial step to the compromise of assets of interest. Attack graphs constitute a suitable formalism for the modeling of attack steps and their dependencies, allowing the subsequent simulation. 

To avoid the costly proposition of building new attack graphs for each system of a given type, domain-specific attack languages may be used. These languages codify the generic attack logic of the considered domain, thus facilitating the modeling, or instantiation, of a specific system in the domain. Examples of possible cyber security domains suitable for domain-specific attack languages are generic types such as cloud systems or embedded systems but may also be highly specialized kinds, e.g. Ubuntu installations; the objects of interest as well as the attack logic will differ significantly between such domains. 

In this project, we propose the Meta Attack Language (MAL), which may be used to design domain-specific attack languages such as the aforementioned. The MAL provides a formalism that allows the semi-automated generation as well as the efficient computation of very large attack graphs. We declare the formal background to MAL, define its syntax and semantics, exemplify its use with a small domain-specific language and instance model, and report on the computational performance.  

Keywords: Domain Specific Language, Cyber Security, Threat Modeling, Attack Graphs

MAL external web

The Meta Attack Language web

MAL code

The Meta Attack Language (MAL) – an open threat modelling language compiler on GitHub

MAL paper

Johnson, Lagerström, and Ekstedt, A Meta Language for Threat Modeling and Attack Simulations , in Proceedings of the 13th International Conference on Availability, Reliability and Security (ARES), 2018.

MAL based implementations


A probabilistic attack simulation language for the IT domain, by Sotirios Katsikeas, Simon Hacks, Pontus Johnson, Mathias Ekstedt, Robert Lagerström, Joar Jacobsson, Max Wällstedt and Per Eliasson, in Proc. of the 7th International Workshop on Graphical Models for Security ( GraMSec ), June 2020.

Probabilistic Modeling and Simulation of Vehicular Cyber Attacks: An Application of the Meta Attack Language by Sotirios Katsikeas, Pontus Johnson, Simon Hacks, and Robert Lagerström, in the Proc. of the 5th International Conference on Information Systems Security and Privacy ( ICISSP ), Feb. 2019.

Student Thesis Reports

E. Hanstad and L. Villarroel, "En utvecklingsmiljö för MAL," , 2021.

Master theses

Nedo Skobalj, “ Validating vehicleLang for Domain-specific Threat Modelling of In-vehicle Network ,” KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science, Master Thesis, 2019.

Sotirios Katsikeas, “ vehicleLang: a probabilistic modeling and simulation language for vehicular cyber attacks ,” KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science, Master Thesis, 2018.

Ahmad Hawasli, azureLang: a probabilistic modeling and simulation language for cyber attacks in Microsoft Azure cloud infrastructure , KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science, Master Thesis, 2018.

Xinyue Mao, Visualization and Natural Language Representation of Simulated Cyber Attacks, KTH, 2018.