Fuzzy quantitative attack tree analysis

Research output: Contribution to conferencePaperpeer-review

39 Downloads (Pure)

Abstract

Attack trees are important for security, as they help to identify weaknesses and vulnerabilities in a system. Quantitative attack tree analysis supports a number security metrics, which formulate important KPIs such as the shortest, most likely and cheapest attacks. A key bottleneck in quantitative analysis is that the values are usually not known exactly, due to insufficient data and/or lack of knowledge.
Fuzzy logic is a prominent framework to handle such uncertain values, with applications in numerous domains. While several studies proposed fuzzy approaches to attack tree analysis, none of them provided a firm definition of fuzzy metric values or generic algorithms for computation of fuzzy metrics.
In this work, we define a generic formulation for fuzzy metric values that applies to most quantitative metrics. The resulting metric value is a fuzzy number obtained by following Zadeh’s extension principle, obtained when we equip the basis attack steps, i.e., the leaves of the attack trees, with fuzzy numbers. In addition, we prove a modular decomposition theorem that yields abottom-up algorithm to efficiently calculate the top fuzzy metric value.
Original languageEnglish
Number of pages23
Publication statusPublished - 2024
Event27th International Conference on Fundamental Approaches to Software Engineering, FASE 2024 - Luxembourg City, Luxembourg
Duration: 6 Apr 202411 Apr 2024
Conference number: 27

Conference

Conference27th International Conference on Fundamental Approaches to Software Engineering, FASE 2024
Abbreviated titleFASE
Country/TerritoryLuxembourg
CityLuxembourg City
Period6/04/2411/04/24

Keywords

  • Attack trees
  • Quantitative analysis
  • Fuzzy numbers

Fingerprint

Dive into the research topics of 'Fuzzy quantitative attack tree analysis'. Together they form a unique fingerprint.

Cite this