While the concept of attack graphs has been discussed, one thing that is lacking is a standard definition for an attack graph. This blog hopes to resolve that by presenting a new standard: the Cyber Attack Graph Schema (CAGS) 1.0.
1. All property names must be lower case.
2. Nodes must have the following properties:
   1. "class": may be "actor", "event", "condition", or "attribute".
   2. "cpt": must be a JSON string in the format defined at http://infosecanalytics.blogspot.com/2013/03/conditional-probability-tables-in-json.html
   3. "start": the time the node is created. Time should be in ISO 8601 combined date and time format (e.g. 2013-03-14T16:57Z).
   4. "id": assigned by the database.
3. Nodes must have the property "label".
4. The "label" property of nodes of "class" "event", "condition", or "actor" will contain a string holding a narrative describing the actor, event, or condition.
5. The "label" property of nodes of "class" "attribute" must contain a JSON formatted string with a single "{'type':'value'}" pair. Type is the type/name of the attribute and value is its value.
6. Nodes of any class MAY have the property "comments" providing additional narrative on the node.
7. Nodes of any class MAY have the property "finish" providing a finish time for the node. Time should be in ISO 8601 combined date and time format (e.g. 2013-03-14T16:57Z).
8. Edges must have the following properties:
   1. "source": the id of the source node.
   2. "target": the id of the target node.
   3. "id": id assigned by the database.
   4. "relationship":
      1. Value of "influence" if the "source" property "class" is "attribute" and the "target" property "class" is "event" or "condition".
      2. Value of "leads to" if the "source" property "class" is "event", "threat", or "condition" and the "target" property "class" is "actor", "event", or "condition".
      3. Value of "described by" if the "source" property "class" is "event", "condition", or "actor" and the "target" property "class" is "attribute".
      4. Value of "described by" if both the "source" and "target" property "class" are "attribute".
   5. "directed": value of "True".
9. Edges may have a property "confidence" with an integer value from 0 to 100 representing the percent confidence.
10. Edges must be directed.
11. Nodes and edges may have additional properties; however, they will not be validated and may be ignored by the attack graph.
12. Nodes and edges missing values may still be accepted if the value can be filled in.
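As an added example, not part of the original post, here is a small validator that checks a node or edge against the rules above: lower-case property names, the required properties, ISO 8601 times, the attribute "label" pair, the "relationship" value implied by the endpoint classes, "directed", and the "confidence" range. It assumes strict JSON (double quotes) for the attribute label and that the "threat" class named in rule 8.4 means "actor", since "threat" is not among the classes rule 2 defines; the "cpt" value is only checked to be well-formed JSON, as its layout is defined in the linked post.

```python
import json
import re

CLASSES = {"actor", "event", "condition", "attribute"}
NARRATIVE = {"actor", "event", "condition"}  # rule 8.4 text says "threat"; assumed to mean "actor"
# ISO 8601 combined date/time such as 2013-03-14T16:57Z (optional seconds, Z or numeric offset)
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(:\d{2})?(Z|[+-]\d{2}:?\d{2})$")

def expected_relationship(src_class, dst_class):  # rule 8.4: relationship follows endpoint classes
    if src_class == "attribute" and dst_class in {"event", "condition"}:
        return "influence"
    if src_class in NARRATIVE and dst_class in NARRATIVE:
        return "leads to"
    if src_class in CLASSES and dst_class == "attribute":
        return "described by"
    return None  # no relationship is defined for this pair (or a class is unknown)

def validate_node(node):  # returns the list of rule violations; an empty list means valid
    errors = [f"property {k!r} is not lower case" for k in node if k != k.lower()]
    errors += [f"missing required property {k!r}" for k in ("class", "cpt", "start", "id", "label") if k not in node]
    if node.get("class") not in CLASSES:
        errors.append(f"unknown class {node.get('class')!r}")
    errors += [f"{k!r} is not ISO 8601" for k in ("start", "finish") if k in node and not ISO8601.match(str(node[k]))]
    try:
        json.loads(node["cpt"])  # only well-formedness is checked; the CPT layout is defined in the linked post
    except (KeyError, TypeError, ValueError):
        errors.append("'cpt' must be a JSON string")
    if node.get("class") == "attribute":
        try:  # strict JSON (double quotes) is assumed for the single {"type": "value"} pair
            pair = json.loads(node.get("label", ""))
        except (TypeError, ValueError):
            pair = None
        if not isinstance(pair, dict) or len(pair) != 1:
            errors.append("attribute 'label' must be a JSON object with exactly one type/value pair")
    return errors

def validate_edge(edge, nodes_by_id):  # nodes_by_id: the graph's nodes keyed by their "id"
    errors = [f"property {k!r} is not lower case" for k in edge if k != k.lower()]
    errors += [f"missing required property {k!r}" for k in ("source", "target", "id", "relationship", "directed") if k not in edge]
    if edge.get("directed") != "True":
        errors.append("'directed' must be the string \"True\"")
    src, dst = nodes_by_id.get(edge.get("source")), nodes_by_id.get(edge.get("target"))
    want = expected_relationship(src.get("class"), dst.get("class")) if src is not None and dst is not None else None
    if want is None or edge.get("relationship") != want:
        errors.append(f"'relationship' must match existing endpoint nodes' classes (expected {want!r})")
    conf = edge.get("confidence", 0)  # optional; an integer percentage when present
    if isinstance(conf, bool) or not isinstance(conf, int) or not 0 <= conf <= 100:
        errors.append("'confidence' must be an integer from 0 to 100")
    return errors
```

Validate every node first and build the id map from the accepted nodes, since edge checks depend on the endpoint classes.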