HELP-6075

FIWARE.Question.Tech.Security.CyberSecurity.Inconsistencies in logical/topological attack graphs/paths

      Description

      Created question in FIWARE Q/A platform on 08-03-2016 at 12:03
      Please, ANSWER this question AT https://ask.fiware.org/question/417/inconsistencies-in-logicaltopological-attack-graphspaths/

      Question:
      Inconsistencies in logical/topological attack graphs/paths

      Description:
      I'm facing a problem with understanding attack graphs and attack paths in both the logical and the topological view; I consider the generated graphs to be inconsistent.

      Example 1

      Firstly I tried to analyze this input file from examples: https://github.com/fiware-cybercaptor...

      I uploaded the XML and generated the graph with no errors or warnings. The graph has only one attack path.

      Example 1a: Logical Attack Graph + Attack Path

      As far as I understand, an attack path differs from an attack graph in that the directed arcs/arrows point in the opposite direction. In graph theory a path is a subgraph of a graph. The problem is that the two generated logical graphs (attack path and attack graph) are structurally different; the major differences are marked on the picture above. A subpath containing the most important vertex (the attack indicator, the rule execCode()) is marked green. The marked vertices (green and purple) are directly connected to that subpath in the attack graph, but not in the attack path. Why?

      Example 1b: Topological Attack Graph + Attack Path

      The topological attack graph and the topological attack path have their edges in different directions. Why?

      Example 2

      The second example is from this appendix: https://github.com/fiware-cybercaptor... [end of the page]

      Two attack paths are generated; only the first is considered.
      Example 2 (three screenshots): Logical and topological views of the attack path, and the topological attack graph

      The logical attack path shows that the consequence of the attack is code execution on linux-user-2, execCode('linux-user-2', user), which is shown and marked with a rectangle. The topological attack path shows that the target is linux-user-1. This looks like a contradiction of targets, doesn't it?

      The bottom screenshot shows the topological view of the attack graph, where one of the targets is linux-user-2.

      For me these observed differences are crucial and discredit the whole attack graph analysis.
      Please correct me if I'm wrong; maybe I understand these graphs in the wrong way, so please explain to me the process of reading the results: how and why these graphs are so different. I'm desirous to involve myself in this project; it's great, and after 2 weeks of fiddling with it I have many ideas on how to improve it. If these issues are real, please guide me on how to fix them.
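The two checks the question keeps circling back to (is the attack path a subgraph of the attack graph, possibly with every arc drawn the other way round, and does the path end at the same target the graph was generated for) can be verified mechanically once the graph is available as an edge list. The block below is an added example, not CyberCAPTOR's code or output: the AND/OR graph is a constructed toy in MulVAL style (fact -> rule -> derived fact), and only the node names execCode('linux-user-2', user) and execCode('linux-user-1', user) come from the question; rule names and other facts are hypothetical. It extracts the attack path for a goal as the ancestor subgraph of that goal, then reports whether a given path has uniformly oriented arcs that all exist in the graph and whether its terminal node is the intended target, which is exactly the linux-user-1 versus linux-user-2 discrepancy described above.

```python
"""Toy logical attack graph and attack-path consistency check.

Added example (not CyberCAPTOR code). The graph is constructed for
illustration; arcs run precondition -> rule -> consequence.
"""
from collections import defaultdict, deque

# Goal node named in the question; everything else below is hypothetical.
GOAL = "execCode('linux-user-2', user)"

GRAPH_EDGES = [
    ("attackerLocated(internet)", "RULE 1"),
    ("vulExists(linux-user-1, some-vuln)", "RULE 1"),
    ("RULE 1", "execCode('linux-user-1', user)"),
    ("execCode('linux-user-1', user)", "RULE 2"),
    ("hacl(linux-user-1, linux-user-2)", "RULE 2"),
    ("RULE 2", GOAL),
    # An unrelated branch that must NOT appear in the path for GOAL.
    ("netAccess(linux-user-3)", "RULE 3"),
    ("RULE 3", "execCode('linux-user-3', user)"),
]


def nodes_of(edges):
    """Set of all vertices touched by an edge list."""
    return {n for e in edges for n in e}


def attack_path(edges, goal):
    """Ancestor subgraph of `goal`: every arc lying on some route into it.

    Edges keep the graph's own orientation, so the result is a subgraph
    of `edges` by construction (the graph-theory notion of a path).
    """
    preds = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)
    seen, queue, path = {goal}, deque([goal]), []
    while queue:
        node = queue.popleft()
        for src in preds[node]:
            path.append((src, node))
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return path


def check_path_consistency(graph_edges, path_edges, goal):
    """Report on a (graph, path) pair.

    1. Every path arc must exist in the graph, either as-is or reversed;
       a drawing tool may flip arrows, but it must flip all of them.
    2. After undoing a uniform reversal, the path's only sink (the node
       with no outgoing arc) must be the goal the graph was built for.
    """
    forward = set(graph_edges)
    backward = {(b, a) for a, b in graph_edges}
    same = [e for e in path_edges if e in forward]
    rev = [e for e in path_edges if e in backward]
    missing = [e for e in path_edges if e not in forward and e not in backward]
    if missing or not path_edges:
        orientation = "unknown"
    elif len(same) == len(path_edges):
        orientation = "same"
    elif len(rev) == len(path_edges):
        orientation = "reversed"
    else:
        orientation = "mixed"
    # Normalise to the graph's orientation before looking for the sink.
    oriented = [(b, a) for a, b in path_edges] if orientation == "reversed" else path_edges
    srcs = {a for a, _ in oriented}
    sinks = {b for _, b in oriented if b not in srcs}
    report = {
        "orientation": orientation,
        "missing_edges": missing,
        "targets": sorted(sinks),
        "goal_in_path": goal in nodes_of(path_edges),
    }
    report["consistent"] = (
        orientation in ("same", "reversed")
        and report["goal_in_path"]
        and sinks == {goal}
    )
    return report


if __name__ == "__main__":
    path = attack_path(GRAPH_EDGES, GOAL)
    print("path as generated:", check_path_consistency(GRAPH_EDGES, path, GOAL))
    flipped = [(b, a) for a, b in path]  # same path, arrows drawn the other way
    print("path with flipped arrows:", check_path_consistency(GRAPH_EDGES, flipped, GOAL))
    other = attack_path(GRAPH_EDGES, "execCode('linux-user-1', user)")
    print("path ending at linux-user-1:", check_path_consistency(GRAPH_EDGES, other, GOAL))
```

Run against a real export, the first report should say "consistent": True with orientation "same" or "reversed" (a uniformly reversed drawing is only a rendering convention); a report with orientation "mixed", non-empty "missing_edges", or a "targets" list that does not contain the goal is the kind of inconsistency worth filing, since it means the path is not a subgraph of the graph or ends somewhere other than the attack it claims to show.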

        People

        Assignee: olivier.bettan (Bettan Olivier)
        Reporter: backlogmanager (Backlog Manager)