The increasing complexity of cyberattacks, often involving multiple vectors and aimed at achieving various goals, necessitates advanced modeling techniques to understand and predict attacker behavior. This paper proposes a formal approach to describe such attacks using a weakly connected oriented tree model that satisfies specific conditions. The model is designed to represent the attack surface and a collection of attack vectors, allowing for the analysis of possible attack scenarios. We introduce a sequential composition operation that combines sets of attack vectors, enabling the modeling of combined attacks. The study includes an example of an attack on an information system through a vulnerability that allows brute-force password guessing and phishing emails, with the goals of either obtaining a database or causing a denial of service. We investigate the set of attack scenarios generated by the model and formulate a rule for estimating the number of possible scenarios for an arbitrary number of attack vector sets. The proposed method facilitates preliminary analysis of attack scenarios, aiding cybersecurity professionals in making informed decisions about implementing additional defense mechanisms at various stages of an attack. The results demonstrate the applicability of the model for evaluating attack scenarios and provide a foundation for further research into more complex attack structures.

Keywords: attack modeling, information security, attack trajectory, attack scenario, attack vector, cybersecurity