Skip to main content
To KTH's start page

MAL (the Meta Attack Language)

A Domain Specific Language for Probabilistic Threat Modeling and Attack Simulations

Attack simulations may be used to assess the cybersecurity of systems. In such simulations, the steps taken by an attacker in order to compromise sensitive system assets are traced, and a time estimate may be computed from the initial step to the compromise of assets of interest. Attack graphs constitute a suitable formalism for the modeling of attack steps and their dependencies, allowing the subsequent simulation.

To avoid the costly proposition of building new attack graphs for each system of a given type, domain-specific attack languages may be used. These languages codify the generic attack logic of the considered domain, thus facilitating the modeling, or instantiation, of a specific system in the domain. Examples of possible cybersecurity domains suitable for domain-specific attack languages are generic types such as cloud systems or embedded systems but may also be highly specialized kinds, e.g. Ubuntu installations; the objects of interest as well as the attack logic will differ significantly between such domains.

In this project, we propose the Meta Attack Language (MAL), which may be used to design domain-specific attack languages such as the aforementioned. The MAL provides a formalism that allows the semi-automated generation as well as the efficient computation of very large attack graphs. We declare the formal background to MAL, define its syntax and semantics, exemplify its use with a small domain-specific language and instance model, and report on the computational performance.

The git repository has more information, tools and languages: github.com/mal-lang

Keywords: Domain Specific Language, Cybersecurity, Threat Modeling, Attack Graphs

A large number of research papers have been authored by the group on MAL related work, for instance the following:

Research Papers

[1]
S. Katsikeas et al., "Development and validation of coreLang : A threat modeling language for the ICT domain," Computers & Security, vol. 146, 2024.
[2]
S. Katsikeas et al., "Empirical evaluation of a threat modeling language as a cybersecurity assessment tool," Computers & Security, vol. 140, 2024.
[3]
V. Engström, G. Nebbione and M. Ekstedt, "A Metalanguage for Dynamic Attack Graphs and Lazy Generation," in ARES 2024 - 19th International Conference on Availability, Reliability and Security, Proceedings, 2024.
[4]
W. Widel et al., "The meta attack language-a formal description," Computers & Security, vol. 130, pp. 103284, 2023.
[5]
W. Widel, P. Mukherjee and M. Ekstedt, "Security Countermeasures Selection Using the Meta Attack Language and Probabilistic Attack Graphs," IEEE Access, vol. 10, pp. 89645-89662, 2022.
[6]
J. Nyberg, P. Johnson and A. Mehes, "Cyber threat response using reinforcement learning in graph-based attack simulations," in Proceedings of the IEEE/IFIP Network Operations and Management Symposium 2022 : Network and Service Management in the Era of Cloudification, Softwarization and Artificial Intelligence, NOMS 2022, 2022.
[7]
P. Fahlander et al., "Containment Strategy Formalism in a Probabilistic Threat Modelling Framework," in Proceedings of the 8th international conference on information systems security and privacy (ICISSP), 2022, pp. 108-120.
[8]
W. Xiong et al., "Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix," Software and Systems Modeling, vol. 21, no. 1, pp. 157-177, 2022.
[9]
S. Hacks et al., "Towards a Systematic Method for Developing Meta Attack Language Instances," in Enterprise, Business-Process and Information Systems Modeling 23rd International Conference, BPMDS 2022 and 27th International Conference, EMMSAD 2022, Held at CAiSE 2022, Leuven, Belgium, June 6–7, 2022, Proceedings, 2022, pp. 139-154.
[10]
S. Katsikeas et al., "VehicleLang : A probabilistic modeling and simulation language for modern vehicle IT infrastructures," Computers & Security, vol. 117, 2022.
[11]
S. Hacks and S. Katsikeas, "Towards an Ecosystem of Domain Specific Languages for Threat Modeling," in Advanced Information Systems Engineering, 2021, pp. 3-18.
[12]
W. Xiong, S. Hacks and R. Lagerström, "A Method for Quality Assessment of Threat Modeling Languages : The Case of enterpriseLang," in PoEM’21 Forum: 14th IFIP WG 8.1 Working Conference on the Practice of Enterprise Modelling, 2021, pp. 49-58.
[13]
S. Hacks et al., "Integrating Security Behavior into Attack Simulations," in ARES 2021: The 16th International Conference on Availability, Reliability and Security, 2021.
[14]
W. Xiong, S. Hacks and R. Lagerström, "A Method for Quality Assessment of Threat Modeling Languages : The Case of enterpriseLang," in CEUR Workshop Proceedings, 2021, pp. 49-58.
[15]
E. Rencelj Ling and M. Ekstedt, "Generating Threat Models and Attack Graphs based on the IEC 61850 System Configuration description Language," in Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, 2021.
[16]
W. Xiong, S. Hacks and R. Lagerström, "A Method for Assigning Probability Distributions in Attack Simulation Languages," Complex Systems Informatics and Modeling Quarterly, no. 26, pp. 55-77, 2021.
[17]
S. Hacks et al., "powerLang : a probabilistic attack simulation language for the power domain," Energy Informatics, vol. 3, no. 1, 2020.
[18]
S. Katsikeas et al., "An Attack Simulation Language for the IT Domain," in Graphical Models for Security : 7th International Workshop, GraMSec 2020, Boston, MA, USA, June 22, 2020, Revised Selected Papers, 2020, pp. 67-86.
[19]
W. Xiong and S. Hacks, "Threat Modeling and Attack Simulations for Enterprise and ICS," in CS3STHLM Stockholm 19-22 October 2020,, 2020.
[20]
S. Katsikeas et al., "Probabilistic Modeling and Simulation of Vehicular Cyber Attacks : An Application of the Meta Attack Language," in Proceedings of the 5th international conference on information systems security and privacy (ICISSP), 2019, pp. 175-182.
[21]
S. Hacks et al., "Creating Meta Attack Language Instances using ArchiMate : Applied to Electric Power and Energy System Cases," in Proceeding of the 2019 IEEE 23rd International Enterprise Distributed Object Computing Conference (EDOC), 2019.
[22]
W. Xiong and R. Lagerström, "Threat Modeling of Connected Vehicles : A privacy analysis and extension of vehicleLang," in 2019 International Conference on Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), 2019.
[23]
P. Johnson, R. Lagerström and M. Ekstedt, "A Meta Language for Threat Modeling and Attack Simulations," in ACM International Conference Proceeding Series, 2018.

In addition, the following student thesis projects are examples of work related to MAL:

Student Thesis Papers

[1]
B. Johansson, "The Cyber Attacker’s Intuition : A Proof-of-Concept for enabling a more realistic selection policy in MAL Attack-Defense Graphs.," , 2025.
[2]
S. Maltin, "User behavior modeling and synthetic log generation in Meta Attack Language," , 2025.
[3]
C. Ejemyr, "Extending Attack Graph Analysis With PageRank to Multivariate Stochastic Graphs," , 2024.
[4]
J. Ekenblad, "Enhancing Cybersecurity Defenses through Structural Patterns in Threat Modeling," , 2024.
[5]
A. Hojlas, "Towards Requirements for Practical Attack Graph Generation : A study on how to achieve some degree of automation," , 2024.
[6]
F. Lundqvist, "VehicleLang 2.0 : Threat modeling the Automotive Domain and the IT domain together with corelang.," , 2024.
[7]
V. Lundén, "Automated Threat Modelling in an Existing Medical System : Evaluating the Usage of Meta Attack Language," , 2024.
[8]
F. Wallin Forsell, "Cyber Security Assessment of Distribution System Operators Using the Meta Attack Language : Effect of Sharing Data with Third Party Networks," , 2024.
[9]
M. af Rolén and N. Rahmani, "WebLang: A Prototype Modelling Language for Web Applications : A Meta Attack Language based Domain Specific Language for web applications," , 2023.
[10]
D. Mao, "Collecting Cyber Traces : Adding Forensic Evidence In Threat Models," , 2023.
[11]
Z. Zhou, "Evaluating Security Mechanisms of Substation Automation Systems," , 2023.
[12]
S. Berglund, "Modelling Cyber Security of Networks as a Reinforcement Learning Problem using Graphs : An Application of Reinforcement Learning to the Meta Attack Language," , 2022.
[13]
L. Cerovic, "StrideLang : Creation of a Domain-Specific Threat Modeling Language using STRIDE, DREAD and MAL," , 2022.
[14]
F. Grönberg and B. Thiberg, "Integrating the Meta Attack Language in the Cybersecurity Ecosystem: Creating new Security Tools Using Attack Simulation Results," , 2022.
[15]
E. Henriksson and K. Engberg, "Automating security processing of Integration flows : Automating input processing for Attack Simulations using Meta Attack Language and Common Vulnerability and Exposures," , 2022.
[16]
A. Misnik and S. Zakko, "Gamifying Attack Path Reporting : Preliminary design of an educational cyber security game," , 2022.
[17]
E. Thiele and E. Hachichou, "ztLang : A Modelling Language for Zero Trust Networks," , 2022.
[18]
F. Aasberg, "HypervisorLang : Attack Simulations of the OpenStack Nova Compute Node," , 2021.
[19]
J. Ekelund, "Security Evaluation of Damper System’s Communication and Update Process : Threat modeling using vehicleLang and securiCAD," , 2021.
[20]
P. Fahlander, "Containment Strategy Formalism in a Probabilistic Threat Modelling Framework," , 2021.
[21]
E. Hanstad and L. Villarroel, "En utvecklingsmiljö för MAL," , 2021.
[22]
N. Hersén, "Measuring Coverage of Attack Simulations on MAL Attack Graphs," , 2021.
[23]
I. Nordgren and A. Sederlin, "Validating enterpriseLang : A Domain- Specific Language Derived from the Meta Attack Language Framework," , 2021.
[24]
J. Sadiq and A. Hagelberg, "Achieving Full Attack Coverage and Compiling Guidelines for enterpriseLang," , 2021.
[25]
J. Settlin, "Formalise Defense Strategies in Design Patterns of Threat Models," , 2021.
[26]
N. Vemula, "Identifying Patterns in MAL Languages," , 2021.
[27]
H. A. Yaasin, "Validating a threat modeling language for enterprise systems," , 2021.
[28]
L. Evensjö, "Probability analysis and financial model development of MITRE ATT&CK Enterprise Matrix's attack steps and mitigations," , 2020.
[29]
N. Geng, "azureLang: Cyber Threat Modelling in Microsoft Azure cloud computing environment," , 2020.
[30]
O. Hovmark and E. Schüldt, "Towards Extending Probabilistic Attack Graphs with Forensic Evidence : An investigation of property list files in macOS," , 2020.
[31]
G. Nagy and K. Thai, "Investigating Traditional Software Testing Methods for use with the Meta Attack Language," , 2020.
[32]
S. Rosander, "StackLang : Automatic Attack Simulations Against the OpenStack Cloud Environment," , 2020.
[33]
L. Sun, "SCLEX-Lang : A Threat Modeling Language for Substation Automation Systems," , 2020.
[34]
L. Almgren and J. Holm Åström, "Probabilistic modelling and attack simulations on AWS Connected Vehicle Solution : An Application of the Meta Attack Language," , 2019.
[35]
J. Jefford-Baker, "ALCOL : Probabilistic Threat Modelling of the Amazon Elastic Container Service Domain," , 2019.
[36]
O. Åberg and E. Sparf, "Validating the Meta Attack Language using MITRE ATT&CK matrix," , 2019.
[37]
A. Girmay Mesele, "AUTOSARLang: Threat Modeling and Attack Simulation for Vehicle Cybersecurity," , 2018.
[38]
A. Singh Virdi, "AWSLang: Probabilistic Threat Modelling of the Amazon Web Services environment," , 2018.