Modelling fraud detection by attack trees and Choquet integral

Abstract

Modelling an attack tree is basically a matter of associating a logical ÒndÓand a logical ÒrÓ but in most of real world applications related to fraud management the Ònd/orÓlogic is not adequate to effectively represent the relationship between a parent node and its children, most of all when information about attributes is associated to the nodes and the main problem to solve is how to promulgate attribute values up the tree through recursive aggregation operations occurring at the Ònd/orÓnodes. OWA-based aggregations have been introduced to generalize ÒndÓand ÒrÓoperators starting from the observation that in between the extremes Òor allÓ(and) and Òor anyÓ(or), terms (quantifiers) like ÒeveralÓ ÒostÓ ÒewÓ ÒomeÓ etc. can be introduced to represent the different weights associated to the nodes in the aggregation. The aggregation process taking place at an OWA node depends on the ordered position of the child nodes but it doesnÕ take care of the possible interactions between the nodes. In this paper, we propose to overcome this drawback introducing the Choquet integral whose distinguished feature is to be able to take into account the interaction between nodes. At first, the attack tree is valuated recursively through a bottom-up algorithm whose complexity is linear versus the number of nodes and exponential for every node. Then, the algorithm is extended assuming that the attribute values in the leaves are unimodal LR fuzzy numbers and the calculation of Choquet integral is carried out using the alpha-cuts.Fraud detection; attack tree; ordered weighted averaging (OWA) operator; Choquet integral; fuzzy numbers.