PDDLAssistant: A tool for assisting construction and maintenance of attack graphs using PDDL

Attack graph is a well-known representation for computer security vulnerabilities, which captures how malicious activities can lead to a system compromise. A key weakness in the attack graph representation is that it scales poorly, particularly in large domains where the graph needs to enumerate both user and system interactions. One way to address this problem is to translate the attack graph model into a Planner Domain Definition Language (PDDL) representation, which can then be used by an AI planner to derive attack paths. Building the PDDL representation for large attack graphs is an incremental process, which demands a lot of time and effort mainly due to the lack of automated tools to assist developers in debugging and maintenance. In this paper, we introduce a methodology and a tool, PDDLAssistant, designed to promote incremental development of PDDL representations for cyber-security domain. PDDLAssistant attempts to reconcile different versions of PDDL representations by generating explanations for changes in plans resulting from running the representation against an AI planner. In addition, PDDLAssistant constructs abstract syntax trees (AST) for the PDDL representation, which may be used to visualize the representation itself and planning problems. We evaluate the usability of PDDLAssistant against our attack graph, PAG (Personalized Attack Graph). CCS CONCEPTS • Security and privacy → Formal security models; Logic and verification; Vulnerability management; • Computing methodologies→ Planning and scheduling; Planning for deterministic actions;Modelingmethodologies; Knowledge representation and reasoning; Model verification and validation;