tTree+: A Threat Tree Model for Representing Complex Semantics.

Threat tree model is widely used for risk analysis for software assurance. This model is convenient to convey the logical relations between various threat conditions that will result in a threat iteratively. However, tree representation imposes a limitation in that threat semantics can only present in a solely layered style in a tree structure, e.g., conditions represented by children nodes in the threat tree with edge relations in terms of "and" or "or" will result in the threat represented by the father node. It may not be sufficient for representing certain special cases such as cross-layer conditions, e.g., the nodes at different layers (a child and a uncle) may compose threat conditions, which cannot be represented in a regular tree style. In other words, the conditions represented by a child and a uncle may lead to a threat, either new or not. To extend the semantics of current threat tree model, in this paper, we propose a new threat tree model called tTree+, by extending and converting a non-layered tree representation to a layered tree presentation. Some algorithms are proposed by adding a duplicated node and rebuilding related layers, so that original algorithms for tree operations can be remained without any amendment. This extended tree model can extend the outreach of semantics for further threat analysis, so that the more complex threat can be described and analyzed.