{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,10]],"date-time":"2026-01-10T19:21:37Z","timestamp":1768072897650,"version":"3.49.0"},"publisher-location":"Cham","reference-count":41,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031572586","type":"print"},{"value":"9783031572593","type":"electronic"}],"license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,4,6]],"date-time":"2024-04-06T00:00:00Z","timestamp":1712361600000},"content-version":"vor","delay-in-days":96,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Attack trees are important for security, as they help to identify weaknesses and vulnerabilities in a system. Quantitative attack tree analysis supports a number of security metrics, which formulate important KPIs such as the shortest, most likely and cheapest attacks.<\/jats:p><jats:p>A key bottleneck in quantitative analysis is that the values are usually not known exactly, due to insufficient data and\/or lack of knowledge. Fuzzy logic is a prominent framework to handle such uncertain values, with applications in numerous domains. While several studies proposed fuzzy approaches to attack tree analysis, none of them provided a firm definition of fuzzy metric values or generic algorithms for computation of fuzzy metrics.<\/jats:p><jats:p>In this work, we define a generic formulation for fuzzy metric values that applies to most quantitative metrics. 
The resulting metric value is a fuzzy number obtained by following Zadeh\u2019s extension principle, obtained when we equip the basis attack steps, i.e., the leaves of the attack trees, with fuzzy numbers. In addition, we prove a modular decomposition theorem that yields a bottom-up algorithm to efficiently calculate the top fuzzy metric value.<\/jats:p>","DOI":"10.1007\/978-3-031-57259-3_10","type":"book-chapter","created":{"date-parts":[[2024,4,5]],"date-time":"2024-04-05T13:01:39Z","timestamp":1712322099000},"page":"210-231","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Fuzzy quantitative attack tree analysis"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3235-5952","authenticated-orcid":false,"given":"Thi Kim Nhung","family":"Dang","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5687-854X","authenticated-orcid":false,"given":"Milan","family":"Lopuha\u00e4-Zwakenberg","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6793-8165","authenticated-orcid":false,"given":"Mari\u00eblle","family":"Stoelinga","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,4,6]]},"reference":[{"key":"10_CR1","unstructured":"Isograph. https:\/\/www.isograph.com\/software\/attacktree\/"},{"key":"10_CR2","unstructured":"Risk Tree. https:\/\/risktree.2t-security.co.uk"},{"key":"10_CR3","unstructured":"Amenaza\u2019s SecurITree. https:\/\/www.amenaza.com\/AT-tool.php"},{"key":"10_CR4","doi-asserted-by":"publisher","unstructured":"de\u00a0Barros, L.C., Bassanezi, R.C., Lodwick, W.A.: The Extension Principle of Zadeh and Fuzzy Numbers, pp. 23\u201341. Springer Berlin Heidelberg, Berlin, Heidelberg (2017). 
https:\/\/doi.org\/10.1007\/978-3-662-53324-6_2","DOI":"10.1007\/978-3-662-53324-6_2"},{"key":"10_CR5","doi-asserted-by":"publisher","unstructured":"Basiura, B., Duda, J., Gawe\u0142, B., Opi\u0142a, J., Pe\u0142ech-Pilichowski, T., R\u0119biasz, B., Skalna, I.: Fuzzy Numbers, pp. 1\u201326. Springer International Publishing, Cham (2015). https:\/\/doi.org\/10.1007\/978-3-319-26494-3_1","DOI":"10.1007\/978-3-319-26494-3_1"},{"key":"10_CR6","doi-asserted-by":"crossref","unstructured":"Bowles, J.B., Pelaez, C.E.: Application of fuzzy logic to reliability engineering. Proceedings of the IEEE 83(3), 435\u2013449 (1995)","DOI":"10.1109\/5.364489"},{"key":"10_CR7","doi-asserted-by":"crossref","unstructured":"Couso, I., Borgelt, C., Hullermeier, E., Kruse, R.: Fuzzy sets in data analysis: From statistical foundations to machine learning. IEEE Computational Intelligence Magazine 14(1), 31\u201344 (2019)","DOI":"10.1109\/MCI.2018.2881642"},{"key":"10_CR8","doi-asserted-by":"publisher","unstructured":"Czoga\u0142a, E., Leski, J.: Fuzzy and Neuro-Fuzzy Intelligent Systems, pp. 1\u201326. Physica Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-7908-1853-6","DOI":"10.1007\/978-3-7908-1853-6"},{"key":"10_CR9","doi-asserted-by":"publisher","unstructured":"Dang, T.K.N., Lopuha\u00e4-Zwakenberg, M., Stoelinga, M.: Fuzzy quantitative attack tree analysis (Jan 2024). https:\/\/doi.org\/10.5281\/zenodo.10554728","DOI":"10.5281\/zenodo.10554728"},{"key":"10_CR10","doi-asserted-by":"publisher","unstructured":"Dubois, D., Prade, H.: Fuzzy real algebra: Some results. Fuzzy Sets and Systems 2(4), 327\u2013348 (1979). https:\/\/doi.org\/10.1016\/0165-0114(79)90005-8","DOI":"10.1016\/0165-0114(79)90005-8"},{"key":"10_CR11","doi-asserted-by":"publisher","unstructured":"Garg, S., Aujla, G.S.: An attack tree based comprehensive framework for the risk and security assessment of vanet using the concepts of game theory and fuzzy logic. 
Journal of Emerging Technologies in Web Intelligence 6(2), 247 - 252 (2014). https:\/\/doi.org\/10.4304\/jetwi.6.2.247-252","DOI":"10.4304\/jetwi.6.2.247-252"},{"key":"10_CR12","doi-asserted-by":"publisher","unstructured":"Hu, G., Phan, H., Ouache, R., Gandhi, H., Hewage, K., Sadiq, R.: Fuzzy fault tree analysis of hydraulic fracturing flowback water storage failure. Journal of Natural Gas Science and Engineering 72, 103039 (2019). https:\/\/doi.org\/10.1016\/j.jngse.2019.103039","DOI":"10.1016\/j.jngse.2019.103039"},{"key":"10_CR13","doi-asserted-by":"publisher","unstructured":"Jezewski, M., Czabanski, R., Leski, J.: Introduction to Fuzzy Sets, pp. 3\u201322. Springer International Publishing, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-59614-3_1","DOI":"10.1007\/978-3-319-59614-3_1"},{"key":"10_CR14","doi-asserted-by":"publisher","unstructured":"Kabir, S.: An overview of fault tree analysis and its application in model based dependability analysis. Expert Systems with Applications 77, 114\u2013135 (2017). https:\/\/doi.org\/10.1016\/j.eswa.2017.01.058","DOI":"10.1016\/j.eswa.2017.01.058"},{"key":"10_CR15","doi-asserted-by":"publisher","unstructured":"Kabir, S., Papadopoulos, Y.: A review of applications of fuzzy sets to safety and reliability engineering. International Journal of Approximate Reasoning 100, 29\u201355 (2018). https:\/\/doi.org\/10.1016\/j.ijar.2018.05.005","DOI":"10.1016\/j.ijar.2018.05.005"},{"key":"10_CR16","doi-asserted-by":"publisher","unstructured":"Kim, C., Ju, Y., Gens, M.: Multilevel fault tree analysis using fuzzy numbers. Computers & Operations Research 23(7), 695\u2013703 (1996). https:\/\/doi.org\/10.1016\/0305-0548(95)00070-4","DOI":"10.1016\/0305-0548(95)00070-4"},{"key":"10_CR17","doi-asserted-by":"publisher","unstructured":"Komal: Chapter 4 - fuzzy attack tree analysis of security threat assessment in an internet security system using algebraic t-norm and t-conorm. In: Garg, H., Ram, M. (eds.) 
Engineering Reliability and Risk Assessment, pp. 53\u201364. Advances in Reliability Science, Elsevier (2023). https:\/\/doi.org\/10.1016\/B978-0-323-91943-2.00003-4","DOI":"10.1016\/B978-0-323-91943-2.00003-4"},{"key":"10_CR18","doi-asserted-by":"crossref","unstructured":"Kumar, R., Ruijters, E., Stoelinga, M.: Quantitative attack tree analysis via priced timed automata. In: Sankaranarayanan, S., Vicario, E. (eds.) Formal Modeling and Analysis of Timed Systems. pp. 156\u2013171. Springer International Publishing, Cham (2015)","DOI":"10.1007\/978-3-319-22975-1_11"},{"key":"10_CR19","doi-asserted-by":"publisher","unstructured":"Li, R., Li, F., Zhang, J.: Vehicle network security situation assessment method based on attack tree. In: IOP Conference Series: Earth and Environmental Science. vol.\u00a0428. Institute of Physics Publishing (2020). https:\/\/doi.org\/10.1088\/1755-1315\/428\/1\/012021","DOI":"10.1088\/1755-1315\/428\/1\/012021"},{"key":"10_CR20","doi-asserted-by":"publisher","unstructured":"Liang, G.S., Wang, M.J.J.: Fuzzy fault-tree analysis using failure possibility. Microelectronics Reliability 33(4), 583\u2013597 (1993). https:\/\/doi.org\/10.1016\/0026-2714(93)90326-T","DOI":"10.1016\/0026-2714(93)90326-T"},{"key":"10_CR21","doi-asserted-by":"publisher","unstructured":"Lin, C.T., Wang, M.J.J.: Hybrid fault tree analysis using fuzzy sets. Reliability Engineering & System Safety 58(3), 205\u2013213 (1997). https:\/\/doi.org\/10.1016\/S0951-8320(97)00072-0","DOI":"10.1016\/S0951-8320(97)00072-0"},{"key":"10_CR22","doi-asserted-by":"publisher","unstructured":"Lopuha\u00e4-Zwakenberg, M., Budde, C.E., Stoelinga, M.: Efficient and generic algorithms for quantitative attack tree analysis. IEEE Transactions on Dependable and Secure Computing pp. 1\u201318 (2022). 
https:\/\/doi.org\/10.1109\/TDSC.2022.3215752","DOI":"10.1109\/TDSC.2022.3215752"},{"key":"10_CR23","doi-asserted-by":"publisher","unstructured":"Mahmood, Y.A., Ahmadi, A., Verma, A.K., Srividya, A., Kumar, U.: Fuzzy fault tree analysis: a review of concept and application. International Journal of System Assurance Engineering and Management 4, 19\u201332 (2013). https:\/\/doi.org\/10.1007\/s13198-013-0145-x","DOI":"10.1007\/s13198-013-0145-x"},{"key":"10_CR24","doi-asserted-by":"crossref","unstructured":"Massanet, S., Riera, J.V., Torrens, J., Herrera-Viedma, E.: A new linguistic computational model based on discrete fuzzy numbers for computing with words. Information Sciences 258, 277\u2013290 (2014)","DOI":"10.1016\/j.ins.2013.06.055"},{"key":"10_CR25","doi-asserted-by":"crossref","unstructured":"Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Information Security and Cryptology-ICISC 2005: 8th International Conference, Seoul, Korea, December 1-2, 2005, Revised Selected Papers 8. pp. 186\u2013198. Springer (2006)","DOI":"10.1007\/11734727_17"},{"key":"10_CR26","unstructured":"Pandey, M.: Fault tree analysis. Lecture notes, University of Waterloo, Waterloo (2005)"},{"key":"10_CR27","doi-asserted-by":"publisher","unstructured":"Peng, Z., Xiaodong, M., Zongrun, Y., Zhaoxiang, Y.: An approach of fault diagnosis for system based on fuzzy fault tree. In: Proceedings of the 2008 International Conference on MultiMedia and Information Technology. p. 697-700. MMIT \u201908, IEEE Computer Society, USA (2009). https:\/\/doi.org\/10.1109\/MMIT.2008.142","DOI":"10.1109\/MMIT.2008.142"},{"key":"10_CR28","doi-asserted-by":"publisher","unstructured":"Purba, J.H., Sony Tjahyani, D., Ekariansyah, A.S., Tjahjono, H.: Fuzzy probability based fault tree analysis to propagate and quantify epistemic uncertainty. Annals of Nuclear Energy 85, 1189\u20131199 (2015). 
https:\/\/doi.org\/10.1016\/j.anucene.2015.08.002","DOI":"10.1016\/j.anucene.2015.08.002"},{"key":"10_CR29","doi-asserted-by":"publisher","unstructured":"Purba, J.H., Tjahyani, D.T.S., Susila, I.P., Widodo, S., Ekariansyah, A.S.: Fuzzy probability and $$\\alpha $$-cut based-fault tree analysis approach to evaluate the reliability and safety of complex engineering systems. Quality and Reliability Engineering International 38, 2356 \u2013 2371 (2022). https:\/\/doi.org\/10.1002\/qre.3080","DOI":"10.1002\/qre.3080"},{"key":"10_CR30","doi-asserted-by":"crossref","unstructured":"Reche, F., Morales, M., Salmer\u00f3n, A.: Construction of fuzzy measures over product spaces. Mathematics 8(9), \u00a01605 (2020)","DOI":"10.3390\/math8091605"},{"key":"10_CR31","doi-asserted-by":"publisher","unstructured":"Ruijters, E., Stoelinga, M.: Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools. Computer Science Review 15-16, 29\u201362 (2015). https:\/\/doi.org\/10.1016\/j.cosrev.2015.03.001","DOI":"10.1016\/j.cosrev.2015.03.001"},{"key":"10_CR32","unstructured":"Schneier, B.: Modeling security threats. Dr. Dobb\u2019s journal 24(12) (1999)"},{"key":"10_CR33","doi-asserted-by":"publisher","unstructured":"Singer, D.: A fuzzy set approach to fault tree and reliability analysis. Fuzzy Sets and Systems 34(2), 145\u2013155 (1990). https:\/\/doi.org\/10.1016\/0165-0114(90)90154-X","DOI":"10.1016\/0165-0114(90)90154-X"},{"key":"10_CR34","doi-asserted-by":"publisher","unstructured":"Tanaka, H., Fan, L.T., Lai, F.S., Toguchi, K.: Fault-tree analysis by fuzzy probability. IEEE Transactions on Reliability R-32(5), 453\u2013457 (1983). https:\/\/doi.org\/10.1109\/TR.1983.5221727","DOI":"10.1109\/TR.1983.5221727"},{"key":"10_CR35","doi-asserted-by":"publisher","unstructured":"Wang, S., Ding, L., Sui, H., Gu, Z.: Cybersecurity risk assessment method of ICS based on attack-defense tree model. J. Intell. Fuzzy Syst. 40(6), 10475-10488 (jan 2021). 
https:\/\/doi.org\/10.3233\/JIFS-201126","DOI":"10.3233\/JIFS-201126"},{"key":"10_CR36","doi-asserted-by":"publisher","unstructured":"Wen, B., Li, P.: Risk assessment of security and stability control system against cyber attacks. In: 2021 IEEE 2nd China International Youth Conference on Electrical Engineering (CIYCEE). pp.\u00a01\u20135 (2021). https:\/\/doi.org\/10.1109\/CIYCEE53554.2021.9676799","DOI":"10.1109\/CIYCEE53554.2021.9676799"},{"key":"10_CR37","doi-asserted-by":"publisher","unstructured":"Yazdi, M., Mohammadpour, J., Li, H., Huang, H.Z., Zarei, E., Pirbalouti, R.G., Adumene, S.: Fault tree analysis improvements: A bibliometric analysis and literature review. Quality and Reliability Engineering International 39(5), 1639\u20131659 (2023). https:\/\/doi.org\/10.1002\/qre.3271","DOI":"10.1002\/qre.3271"},{"key":"10_CR38","doi-asserted-by":"publisher","unstructured":"Zadeh, L.: Fuzzy sets. Information and Control 8(3), 338\u2013353 (1965). https:\/\/doi.org\/10.1016\/S0019-9958(65)90241-X","DOI":"10.1016\/S0019-9958(65)90241-X"},{"key":"10_CR39","doi-asserted-by":"publisher","unstructured":"Zadeh, L.: The concept of a linguistic variable and its application to approximate reasoning-iii. Information Sciences 9(1), 43\u201380 (1975). https:\/\/doi.org\/10.1016\/0020-0255(75)90017-1","DOI":"10.1016\/0020-0255(75)90017-1"},{"key":"10_CR40","doi-asserted-by":"publisher","unstructured":"Zadeh, L.: The concept of a linguistic variable and its application to approximate reasoning-i. Information Sciences 8(3), 199\u2013249 (1975). https:\/\/doi.org\/10.1016\/0020-0255(75)90036-5","DOI":"10.1016\/0020-0255(75)90036-5"},{"key":"10_CR41","doi-asserted-by":"publisher","unstructured":"Zadeh, L.: The concept of a linguistic variable and its application to approximate reasoning-ii. Information Sciences 8(4), 301\u2013357 (1975). 
https:\/\/doi.org\/10.1016\/0020-0255(75)90046-8","DOI":"10.1016\/0020-0255(75)90046-8"}],"container-title":["Lecture Notes in Computer Science","Fundamental Approaches to Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-57259-3_10","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,4,5]],"date-time":"2024-04-05T13:04:09Z","timestamp":1712322249000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-57259-3_10"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"ISBN":["9783031572586","9783031572593"],"references-count":41,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-57259-3_10","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024]]},"assertion":[{"value":"6 April 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"The authors have no competing interests to declare that are relevant to the content of this article.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Disclosure of Interests"}},{"value":"FASE","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Fundamental Approaches to Software Engineering","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Luxembourg City","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Luxembourg","order":4,"name":"conference_country","label":"Conference 
Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"6 April 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 April 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"fase2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/etaps.org\/2024\/conferences\/fase\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"41","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"14","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference 
organizers)"}},{"value":"5","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"34% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3-4","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"4","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}