There were discussions of placing attack trees 1, 2 in existing SGML derivatives 3 that describe system architecture or govern security modules, but nothing like unanimity appears to have been reached.
The issues include
- The complexity in which attacks relate to individual architectural components and
- That the nodes described in Schreier's tree proposal don't directly correlate with elements of authorization and authentication markups.
Some academic approaches of interest treat attacks as anti-goals in a goal tree 4.
Most important to the development of attack model formalization is that attack relationships do not frequently form trees. Although attack relationships can always be represented by graphs (nodes connected by edges), attack categorization often requires multiple parental relationships to comprehensively represent the conceptual realities of security.
The removal of the single parent restriction of a tree allows the attributes of nodes and edges to contain what vendors are now calling metadata, which is a misnomer. The metadata of these modelling formats does not always describe overarching qualities of the attack tree.
CySeMeL may not catch on as an acronym, but The Royal Institute of Technology has approached the relationships without the single parent restriction, calling the modelling language as a graph tool 5. Such could lead to a more lasting and adaptable standard.
The automated generation of attack trees is being investigated by IEEE authors 6, and the ACM has interest in this same direction. Either may later lead to standardization.
Another direction is to piggyback UML with a security model diagram 7.
It appears that the upstream academic work is still as varied as the product array available to architects, system administrators, security teams, and managers. Inter-operable products may be further down the road, but if other standards that appeal to narrow audiences are any indication, import export menu items and converters may be the first emergence of at least partially inter-operable semantics.
[1] Early reference to attack trees in Dr. Dobbs Journal at https://www.schneier.com/academic/archives/1999/12/attack_trees.html.
[2] Later development from Bruse Schneier on Attack Trees http://tnlandforms.us/cs494-cns01/attacktrees.pdf
[3] Generating attacks in SysML activity diagrams by detecting attack; by Samir OuchaniEmail authorGabriele Lenzini; DOI: 10.1007/s12652-015-0269-8
[4] Design of a Modelling Language for Information System Security Risk Management, by Nicolas Mayer, Patrick Heymans (Member IEEE), and Raimundas Matulevičius.
[5] A Manual for the Cyber Security Modeling Language; by Hannes Holm, Mathias Ekstedt, Teodor Sommestad, Matus Korman; Department of Industrial Information and Control Systems, Royal Institute of Technology, 100 44 Stockholm, Sweden; http://www.kth.se/polopoly_fs/1.433836!/Menu/general/column-content/attachment/cysemol_manual_short.pdf.
[6] Automated Generation of Attack Trees; Roberto Vigo, Flemming Nielson, and Hanne Riis Nielson; Department of Applied Mathematics and Computer Science; Technical University of Denmark; 2014; http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6957121
[7] SecureUML: A UML-Based Modeling Language for Model-Driven Security?; Torsten Lodderstedt, David Basin, and Jürgen Doser; Institute for Computer Science, University of Freiburg, Germany; {tolo,basin,doser}@informatik.uni-freiburg.de
