TY - GEN
T1 - Fuzzy Attack Tree
T2 - 3rd IEEE International Conference on ICT in Business Industry and Government, ICTBIG 2023
AU - Naik, Nitin
AU - Jenkins, Paul
AU - Grace, Paul
AU - Naik, Dishita
AU - Song, Jingping
AU - Prajapat, Shaligram
AU - Mishra, Durgesh
AU - Yang, Longzhi
AU - Boongoen, Tossapon
AU - Iam-On, Natthakan
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023/12/8
Y1 - 2023/12/8
N2 - Organisations and users have been experiencing significant rises in cyberattacks and their severity, which means that they require a greater awareness and understanding of the anatomy of cyberattacks, to prevent and mitigate their effects. In analysing cyberattacks, there are a number of different approaches that may be used to assess their potential risks and effects. However, these are utilised in specific types of cyberattacks and their analysis, which means they cannot be applied in every situation or cyberattack. Moreover, several other factors may influence the decision to use these approaches, such as cost, complexity, skills and adaptability. As a result, continuous research to design and enhance these approaches is undertaken to produce a generic, cost-effective, easy and adaptable approach. This paper presents one such approach to assess the risk of cyberattacks utilising an attack tree and fuzzy logic. An attack tree is a systematic and illustrative method for describing an attack on a system and analysing its taxonomy and other aspects. Subsequently, the probability and risk of each leaf node in the attack tree are calculated using the proposed formulas. Finally, fuzzy logic enables decision making based on imprecise data and heuristics to obtain the overall risk of attack. This proposed approach comprises systematic steps to accomplish an assessment of any cyberattack and its associated risks in an uncomplicated and effective manner, enabling its prevention and mitigation to be determined. The paper illustrates an application of the proposed approach to assess the risk of an information theft attack on an organisation, which can then be utilised to assess the risk of other cyberattacks.
AB - Organisations and users have been experiencing significant rises in cyberattacks and their severity, which means that they require a greater awareness and understanding of the anatomy of cyberattacks, to prevent and mitigate their effects. In analysing cyberattacks, there are a number of different approaches that may be used to assess their potential risks and effects. However, these are utilised in specific types of cyberattacks and their analysis, which means they cannot be applied in every situation or cyberattack. Moreover, several other factors may influence the decision to use these approaches, such as cost, complexity, skills and adaptability. As a result, continuous research to design and enhance these approaches is undertaken to produce a generic, cost-effective, easy and adaptable approach. This paper presents one such approach to assess the risk of cyberattacks utilising an attack tree and fuzzy logic. An attack tree is a systematic and illustrative method for describing an attack on a system and analysing its taxonomy and other aspects. Subsequently, the probability and risk of each leaf node in the attack tree are calculated using the proposed formulas. Finally, fuzzy logic enables decision making based on imprecise data and heuristics to obtain the overall risk of attack. This proposed approach comprises systematic steps to accomplish an assessment of any cyberattack and its associated risks in an uncomplicated and effective manner, enabling its prevention and mitigation to be determined. The paper illustrates an application of the proposed approach to assess the risk of an information theft attack on an organisation, which can then be utilised to assess the risk of other cyberattacks.
KW - Attack Tree
KW - Attack Vector
KW - Cyberattack
KW - Fuzzy Logic
KW - Fuzzy Rules
KW - Information Theft Attack
KW - IT Assets
KW - Probability of Attack
KW - Risk of Attack
KW - Severity of Attack
UR - http://www.scopus.com/inward/record.url?scp=85189243834&partnerID=8YFLogxK
U2 - 10.1109/ictbig59752.2023.10456309
DO - 10.1109/ictbig59752.2023.10456309
M3 - Conference contribution
SN - 979-8-3503-4328-1
T3 - 3rd IEEE International Conference on ICT in Business Industry and Government, ICTBIG 2023
BT - 2023 IEEE International Conference on ICT in Business Industry & Government (ICTBIG)
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 8 December 2023 through 9 December 2023
ER -