MAL (the Meta Attack Language)

A Domain Specific Language for Probabilistic Threat Modeling and Attack Simulations

Attack simulations may be used to assess the cyber security of systems. In such simulations, the steps taken by an attacker in order to compromise sensitive system assets are traced, and a time estimate may be computed from the initial step to the compromise of assets of interest. Attack graphs constitute a suitable formalism for the modeling of attack steps and their dependencies, allowing the subsequent simulation.

To avoid the costly proposition of building new attack graphs for each system of a given type, domain-specific attack languages may be used. These languages codify the generic attack logic of the considered domain, thus facilitating the modeling, or instantiation, of a specific system in the domain. Examples of possible cyber security domains suitable for domain-specific attack languages are generic types such as cloud systems or embedded systems but may also be highly specialized kinds, e.g. Ubuntu installations; the objects of interest as well as the attack logic will differ significantly between such domains.

In this project, we propose the Meta Attack Language (MAL), which may be used to design domain-specific attack languages such as the aforementioned. The MAL provides a formalism that allows the semi-automated generation as well as the efficient computation of very large attack graphs. We declare the formal background to MAL, define its syntax and semantics, exemplify its use with a small domain-specific language and instance model, and report on the computational performance.

Keywords: Domain Specific Language, Cyber Security, Threat Modeling, Attack Graphs

MAL external web

The Meta Attack Language web

MAL code

The Meta Attack Language (MAL) – an open threat modelling language compiler on GitHub

MAL paper

Johnson, Lagerström, and Ekstedt, A Meta Language for Threat Modeling and Attack Simulations , in Proceedings of the 13th International Conference on Availability, Reliability and Security (ARES), 2018.

MAL based implementations

Papers

A probabilistic attack simulation language for the IT domain, by Sotirios Katsikeas, Simon Hacks, Pontus Johnson, Mathias Ekstedt, Robert Lagerström, Joar Jacobsson, Max Wällstedt and Per Eliasson, in Proc. of the 7th International Workshop on Graphical Models for Security ( GraMSec ), June 2020.

Probabilistic Modeling and Simulation of Vehicular Cyber Attacks: An Application of the Meta Attack Language by Sotirios Katsikeas, Pontus Johnson, Simon Hacks, and Robert Lagerström, in the Proc. of the 5th International Conference on Information Systems Security and Privacy ( ICISSP ), Feb. 2019.

Student Thesis Reports

[1]

M. af Rolén and N. Rahmani, "WebLang: A Prototype Modelling Language for Web Applications : A Meta Attack Language based Domain Specific Language for web applications," , 2023.

[2]

D. Mao, "Collecting Cyber Traces : Adding Forensic Evidence In Threat Models," , 2023.

[3]

Z. Zhou, "Evaluating Security Mechanisms of Substation Automation Systems," , 2023.

[4]

S. Berglund, "Modelling Cyber Security of Networks as a Reinforcement Learning Problem using Graphs : An Application of Reinforcement Learning to the Meta Attack Language," , 2022.

[5]

L. Cerovic, "StrideLang : Creation of a Domain-Specific Threat Modeling Language using STRIDE, DREAD and MAL," , 2022.

[6]

F. Grönberg and B. Thiberg, "Integrating the Meta Attack Language in the Cybersecurity Ecosystem: Creating new Security Tools Using Attack Simulation Results," , 2022.

[7]

E. Henriksson and K. Engberg, "Automating security processing of Integration flows : Automating input processing for Attack Simulations using Meta Attack Language and Common Vulnerability and Exposures," , 2022.

[8]

A. Misnik and S. Zakko, "Gamifying Attack Path Reporting : Preliminary design of an educational cyber security game," , 2022.

[9]

E. Thiele and E. Hachichou, "ztLang : A Modelling Language for Zero Trust Networks," , 2022.

[10]

F. Aasberg, "HypervisorLang : Attack Simulations of the OpenStack Nova Compute Node," , 2021.

[11]

J. Ekelund, "Security Evaluation of Damper System’s Communication and Update Process : Threat modeling using vehicleLang and securiCAD," , 2021.

[12]

P. Fahlander, "Containment Strategy Formalism in a Probabilistic Threat Modelling Framework," , 2021.

[13]

E. Hanstad and L. Villarroel, "En utvecklingsmiljö för MAL," , 2021.

[14]

N. Hersén, "Measuring Coverage of Attack Simulations on MAL Attack Graphs," , 2021.

[15]

I. Nordgren and A. Sederlin, "Validating enterpriseLang : A Domain- Specific Language Derived from the Meta Attack Language Framework," , 2021.

[16]

J. Sadiq and A. Hagelberg, "Achieving Full Attack Coverage and Compiling Guidelines for enterpriseLang," , 2021.

[17]

J. Settlin, "Formalise Defense Strategies in Design Patterns of Threat Models," , 2021.

[18]

N. Vemula, "Identifying Patterns in MAL Languages," , 2021.

[19]

H. A. Yaasin, "Validating a threat modeling language for enterprise systems," , 2021.

[20]

L. Evensjö, "Probability analysis and financial model development of MITRE ATT&CK Enterprise Matrix's attack steps and mitigations," , 2020.

[21]

N. Geng, "azureLang: Cyber Threat Modelling in Microsoft Azure cloud computing environment," , 2020.

[22]

O. Hovmark and E. Schüldt, "Towards Extending Probabilistic Attack Graphs with Forensic Evidence : An investigation of property list files in macOS," , 2020.

[23]

G. Nagy and K. Thai, "Investigating Traditional Software Testing Methods for use with the Meta Attack Language," , 2020.

[24]

S. Rosander, "StackLang : Automatic Attack Simulations Against the OpenStack Cloud Environment," , 2020.

[25]

L. Sun, "SCLEX-Lang : A Threat Modeling Language for Substation Automation Systems," , 2020.

[26]

L. Almgren and J. Holm Åström, "Probabilistic modelling and attack simulations on AWS Connected Vehicle Solution : An Application of the Meta Attack Language," , 2019.

[27]

J. Jefford-Baker, "ALCOL : Probabilistic Threat Modelling of the Amazon Elastic Container Service Domain," , 2019.

[28]

O. Åberg and E. Sparf, "Validating the Meta Attack Language using MITRE ATT&CK matrix," , 2019.

[29]

A. Girmay Mesele, "AUTOSARLang: Threat Modeling and Attack Simulation for Vehicle Cybersecurity," , 2018.

[30]

A. Singh Virdi, "AWSLang: Probabilistic Threat Modelling of the Amazon Web Services environment," , 2018.

Master theses

Nedo Skobalj, “ Validating vehicleLang for Domain-specific Threat Modelling of In-vehicle Network ,” KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science, Master Thesis, 2019.

Sotirios Katsikeas, “ vehicleLang: a probabilistic modeling and simulation language for vehicular cyber attacks ,” KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science, Master Thesis, 2018.

Ahmad Hawasli, azureLang: a probabilistic modeling and simulation language for cyber attacks in Microsoft Azure cloud infrastructure , KTH Royal Institute of Technology, School of Electrical Engineering and Computer Science, Master Thesis, 2018.

Xinyue Mao, Visualization and Natural Language Representation of Simulated Cyber Attacks, KTH, 2018.