Saved in:
Bibliographic Details
Main Authors: Prelipcean, Dumitru-Bogdan, Dima, Cătălin
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2509.13035
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908542662868992
author Prelipcean, Dumitru-Bogdan
Dima, Cătălin
author_facet Prelipcean, Dumitru-Bogdan
Dima, Cătălin
contents Threat detection systems rely on rule-based logic to identify adversarial behaviors, yet the conformance of these rules to high-level threat models is rarely verified formally. We present a formal verification framework that models both detection logic and attack trees as labeled transition systems (LTSs), enabling automated conformance checking via bisimulation and weak trace inclusion. Detection rules specified in the Generic Threat Detection Language (GTDL, a general-purpose detection language we formalize in this work) are assigned a compositional operational semantics, and threat models expressed as attack trees are interpreted as LTSs through a structural trace semantics. Both representations are translated to LNT, a modeling language supported by the CADP toolbox. This common semantic domain enables systematic and automated verification of detection coverage. We evaluate our approach on real-world malware scenarios such as LokiBot and Emotet and provide scalability analysis through parametric synthetic models. Results confirm that our methodology identifies semantic mismatches between threat models and detection rules, supports iterative refinement, and scales to realistic threat landscapes.
format Preprint
id arxiv_https___arxiv_org_abs_2509_13035
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Bridging Threat Models and Detections: Formal Verification via CADP
Prelipcean, Dumitru-Bogdan
Dima, Cătălin
Cryptography and Security
Threat detection systems rely on rule-based logic to identify adversarial behaviors, yet the conformance of these rules to high-level threat models is rarely verified formally. We present a formal verification framework that models both detection logic and attack trees as labeled transition systems (LTSs), enabling automated conformance checking via bisimulation and weak trace inclusion. Detection rules specified in the Generic Threat Detection Language (GTDL, a general-purpose detection language we formalize in this work) are assigned a compositional operational semantics, and threat models expressed as attack trees are interpreted as LTSs through a structural trace semantics. Both representations are translated to LNT, a modeling language supported by the CADP toolbox. This common semantic domain enables systematic and automated verification of detection coverage. We evaluate our approach on real-world malware scenarios such as LokiBot and Emotet and provide scalability analysis through parametric synthetic models. Results confirm that our methodology identifies semantic mismatches between threat models and detection rules, supports iterative refinement, and scales to realistic threat landscapes.
title Bridging Threat Models and Detections: Formal Verification via CADP
topic Cryptography and Security
url https://arxiv.org/abs/2509.13035