I am writing an application to assist with security assessments.
It uses Access to manage the various data objects used: assets, threats, attack scenarios, etc.
The threat and risk assessment computations are pretty simple but there is one aspect that seems hard to structure in a relational database.
Attack Trees. Attack trees are used to evaluate the cost and likelihood of an attack being successful.
For a more detailed description Bruce Schneier has an excellent blog post. https://www.schneier.com/academic/ar...ack_trees.html
The attack tree consists of nodes representing stages of the attack where the root of the tree is a successful attack.
Subtrees are used to decompose the attack into various possibilities.
Schneier's paper presents an attck tree for opening a safe.
The root node says open safe,
Under that are nodes describing how it might be done.
Subtrees can be AND nodes or OR nodes. AND notes are list of requirements where all of the elements must be met to succeed. OR nodes list alternatives where any one of the list is sufficient for success.
1. Open Safe
1.1 Pick Lock
1.2 Learn Combination
1.2.1 Find Written Combo
1.2.2 Get combo from target
1.2.2.1 Threaten
1.2.2.2 Blackmail
1.2.2.3 Eavesdrop
1.2.2.4 Bribe
1.3 Cut open safe
1.4 Install Improperly
I have all of the elements of the attack tree stored in my database but I don't see how one would store the tree itself.
Storing trees as linked lists is straightforward in most languages. What I am asking, is there is a way to store this kind of structure in a relational database?
If I build the structures using VBA modules then I will need to figure out how to store them. XML or JSON would do the trick I guess.
Any thoughts would be greatly appreciated.
Hank Cohen
Ooo! does Access support recursive SQL?