This research paper addresses the growing challenge of sophisticated, multi-stage cyberattacks that bypass traditional security measures like firewalls and intrusion detection systems. The study proposes a novel formal approach to model attacker behavior and analyze attack vectors, with a specific focus on estimating the total time required to execute an attack scenario. The core of the methodology is an extension of Labelled Transition Systems (LTS) into a Time-Labelled Transition System (TLTS). This model introduces a time function that assigns a delay to each event, enabling the calculation of the execution time for different attack paths. A formal language, utilizing sequence and choice operators, is developed for the compact description of complex attack scenarios. The paper formulates precise rules for generating all possible paths from a given attack vector and provides a method for calculating their total number. The practical application of the formalism is demonstrated through two detailed case studies: an attack leveraging a malicious mobile application and the compromise of an IoT video surveillance system. For each, the attack vector is presented both graphically and in the proposed notation, and all possible execution paths are explicitly derived. The concluded approach provides a valuable foundation for proactive security assessment, allowing for the formalization of attack surfaces and the estimation of implementation timeframes, which can be instrumental in developing enhanced defense mechanisms. Future work will involve modeling more complex scenarios incorporating active countermeasures.

Keywords: attack modeling, information security, transition system, time delay, formal language, attack scenario, attack trajectory, attack vector, cybersecurity, vulnerability analysis, information protection, attacker behavior

The increasing complexity of cyberattacks, often involving multiple vectors and aimed at achieving various goals, necessitates advanced modeling techniques to understand and predict attacker behavior. This paper proposes a formal approach to describe such attacks using a weakly connected oriented tree model that satisfies specific conditions. The model is designed to represent the attack surface and a collection of attack vectors, allowing for the analysis of possible attack scenarios. We introduce a sequential composition operation that combines sets of attack vectors, enabling the modeling of combined attacks. The study includes an example of an attack on an information system through a vulnerability that allows brute-force password guessing and phishing emails, with the goals of either obtaining a database or causing a denial of service. We investigate the set of attack scenarios generated by the model and formulate a rule for estimating the number of possible scenarios for an arbitrary number of attack vector sets. The proposed method facilitates preliminary analysis of attack scenarios, aiding cybersecurity professionals in making informed decisions about implementing additional defense mechanisms at various stages of an attack. The results demonstrate the applicability of the model for evaluating attack scenarios and provide a foundation for further research into more complex attack structures.

Keywords: attack modeling, information security, attack trajectory, attack scenario, attack vector, cybersecurity