Modeling and Simulating Cyber Attacks Using Attack Trees and Security Testing Tools: A Case Study of an ICT Department
Keywords:
Cyber attack simulation, Attack tree, Information security, Academic information systems, ICT department.Abstract
The increasing reliance of higher education institutions on information systems has significantly expanded the cyber attack surface, making academic environments attractive targets for cyber threats. This study proposes an attack tree–based approach to model and simulate potential cyber attacks against an academic information system managed by an ICT department. The research employs a controlled case study design, combining technical attack simulation and analytical modeling to identify realistic attack paths and prioritize mitigation strategies. Cyber attack simulations were conducted in a staging environment using Nmap for network reconnaissance, OWASP ZAP for dynamic web application security testing, and SQLMap for controlled verification of potential SQL injection vulnerabilities. The results of these simulations were systematically mapped into an attack tree model, representing hierarchical attack paths from initial reconnaissance to exploitation and potential impact. Each node in the attack tree was evaluated based on likelihood and impact to support risk prioritization. The findings indicate that the most critical attack paths are associated with web application vulnerabilities and weaknesses in authentication mechanisms, which may lead to unauthorized access and data exposure if left unmitigated. The attack tree model effectively integrates technical evidence from multiple tools into a structured analytical framework, enabling clearer visualization of attack feasibility and mitigation priorities. This study demonstrates that attack tree–based modeling can serve as a practical and systematic approach to strengthening cybersecurity posture in academic ICT departments..
References
A. Limanovskaja and V. Davidavičienė, “Digital Transformation in Higher Education: Challenges and Transformation Directions,” Economics and Culture, vol. 22, no. 2, pp. 83–92, Dec. 2025, doi: 10.2478/jec-2025-0016.
I. Simplice, O. Fidel, C. G. Kennedy, K. Okokpujie, and S. Gabriel, “Enhancing Information System Security: A Vulnerability Assessment of a Web Application Using OWASP Top 10 List,” Lecture Notes in Networks and Systems, vol. 914 LNNS, pp. 385–397, 2024, doi: 10.1007/978-981-97-0573-3_31.
A. Roy, D. S. Kim, and K. S. Trivedi, “Attack countermeasure trees (ACT): Towards unifying the constructs of attack and defense trees,” Security and Communication Networks, vol. 5, no. 8, pp. 929–943, 2012, doi: 10.1002/sec.299.
R. Vigo, F. Nielson, and H. R. Nielson, “Automated generation of attack trees,” Proceedings of the Computer Security Foundations Workshop, vol. 2014-January, pp. 337–350, Nov. 2014, doi: 10.1109/CSF.2014.31.
A. Bhardwaj, V. Sapra, and L. Sapra, “Evading Firewalls & Enumerate SNMP Using Advanced NMAP Techniques,” 2023 3rd Asian Conference on Innovation in Technology, ASIANCON 2023, 2023, doi: 10.1109/ASIANCON58793.2023.10270155.
J. Bryans, L. S. Liew, H. N. Nguyen, G. Sabaliauskaite, S. Shaikh, and F. Zhou, “A Template-Based Method for the Generation of Attack Trees,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12024 LNCS, pp. 155–165, 2020, doi: 10.1007/978-3-030-41702-4_10.
Z. C. S. S. Hlaing and M. Khaing, “A Detection and Prevention Technique on SQL Injection Attacks,” 2020 IEEE Conference on Computer Applications, ICCA 2020, Feb. 2020, doi: 10.1109/ICCA49400.2020.9022833.
F. Dorfhuber, J. Eisentraut, and J. Křetínský, “Learning Attack Trees by Genetic Algorithms,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14446 LNCS, pp. 55–73, 2023, doi: 10.1007/978-3-031-47963-2_5.
A. Chaturvedi, B. Lakhani, T. Agarwal, Mohana, M. Moharir, and A. R. Ashok Kumar, “A Comprehensive Vulnerability Tools Analysis for Security and Control in IT Environment and Organizations,” 5th International Conference on Electronics and Sustainable Communication Systems, ICESC 2024 - Proceedings, pp. 612–618, 2024, doi: 10.1109/ICESC60852.2024.10689860.
F. Barman, N. Alkaabi, H. Almenhali, M. Alshedi, and R. Ikuesan, “A Methodical Framework for Conducting Reconnaissance and Enumeration in the Ethical Hacking Lifecycle,” European Conference on Information Warfare and Security, ECCWS, 2023, Accessed: Feb. 21, 2026. [Online]. Available: https://www.scopus.com/pages/publications/85167621456?origin=scopusAI
J. Koman and M. Janiszewski, “SCAnME - scanner comparative analysis and metrics for evaluation,” International Journal of Information Security 2025 24:3, vol. 24, no. 3, pp. 147-, May 2025, doi: 10.1007/s10207-025-01054-8.
M. Baklizi, M. Alkhazaleh, M. B. Y. Alzghoul, A. Maaita, J. Zraqou, and M. AlShaikh-Hasan, “Evaluating the effectiveness of Havij for structured query language injection exploitation in web applications,” Bulletin of Electrical Engineering and Informatics, vol. 14, no. 6, pp. 4823–4833, Dec. 2025, doi: 10.11591/eei.v14i6.10751.
A. Sethapanee, T. Nimitrchai, and S. Fugkeaw, “AutoRat: Automated Risk Assessment Tool for Network Mapper Scanning,” Lecture Notes in Networks and Systems, vol. 453 LNNS, pp. 99–110, 2022, doi: 10.1007/978-3-030-99948-3_10.
A. Zanke, T. Weber, P. Dornheim, and M. Engel, “Assessing information security culture: A mixed-methods approach to navigating challenges in international corporate IT departments,” Comput. Secur., vol. 144, p. 103938, Sep. 2024, doi: 10.1016/j.cose.2024.103938.
R. Jhawar, B. Kordy, S. Mauw, S. Radomirović, and R. Trujillo-Rasua, “Attack trees with sequential conjunction,” IFIP Adv. Inf. Commun. Technol., vol. 455, pp. 339–353, 2015, doi: 10.1007/978-3-319-18467-8_23.
B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, “DAG-based attack and defense modeling: Don’t miss the forest for the attack trees,” Comput. Sci. Rev., vol. 13–14, no. C, pp. 1–38, 2014, doi: 10.1016/j.cosrev.2014.07.001.
O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, “Automated generation and analysis of attack graphs,” Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, vol. 2002-January, pp. 273–284, 2002, doi: 10.1109/SECPRI.2002.1004377.
Y. Cherdantseva et al., “A review of cyber security risk assessment methods for SCADA systems,” Comput. Secur., vol. 56, pp. 1–27, Feb. 2016, doi: 10.1016/j.cose.2015.09.009.
