Fuzzy quantitative attack tree analysis

Research output: Contribution to conferencePaperpeer-review

6 Downloads (Pure)


Attack trees are important for security, as they help to identify weaknesses and vulnerabilities in a system. Quantitative attack tree analysis supports a number security metrics, which formulate important KPIs such as the shortest, most likely and cheapest attacks. A key bottleneck in quantitative analysis is that the values are usually not known exactly, due to insufficient data and/or lack of knowledge.
Fuzzy logic is a prominent framework to handle such uncertain values, with applications in numerous domains. While several studies proposed fuzzy approaches to attack tree analysis, none of them provided a firm definition of fuzzy metric values or generic algorithms for computation of fuzzy metrics.
In this work, we define a generic formulation for fuzzy metric values that applies to most quantitative metrics. The resulting metric value is a fuzzy number obtained by following Zadeh’s extension principle, obtained when we equip the basis attack steps, i.e., the leaves of the attack trees, with fuzzy numbers. In addition, we prove a modular decomposition theorem that yields abottom-up algorithm to efficiently calculate the top fuzzy metric value.
Original languageEnglish
Number of pages23
Publication statusPublished - 2024
Event27th International Conference on Fundamental Approaches to Software Engineering, FASE 2024 - Luxembourg City, Luxembourg
Duration: 6 Apr 202411 Apr 2024
Conference number: 27


Conference27th International Conference on Fundamental Approaches to Software Engineering, FASE 2024
Abbreviated titleFASE
CityLuxembourg City


  • Attack trees
  • Quantitative analysis
  • Fuzzy numbers


Dive into the research topics of 'Fuzzy quantitative attack tree analysis'. Together they form a unique fingerprint.

Cite this