Papers
Topics
Authors
Recent
Search
2000 character limit reached

QuADTool: Uncertainty-Aware ADT Analysis

Updated 5 June 2026
  • QuADTool is a comprehensive software framework for synthesizing and analyzing attack-defense trees using both exact calculations and PAC-based uncertainty methods.
  • It combines a synthesis engine, bottom-up analysis, and a verification bridge to export models to tools like PRISM, UPPAAL, and MODEST.
  • The tool rigorously handles imprecision by propagating statistical PAC bounds, yielding confidence intervals on key risk metrics for informed security decisions.

QuADTool is a comprehensive software framework for the synthesis, analysis, and verification of attack-defense trees (ADTs) with quantitative metrics. It provides mechanized support for both exact and uncertainty-aware (probably approximately correct, PAC) risk analysis and connects ADT modeling with probabilistic model checking, aligning state-of-the-art research in security engineering and formal verification (Dorfhuber et al., 2024).

1. Objectives and Scope

QuADTool is designed to address gaps in quantitative analysis of attack-defense trees in both academic and industrial security practice. While traditional ADT-based tools focus on simple logical analysis with exact numerical parameters, QuADTool enables practical workflows by accommodating uncertainty in estimates—such as probabilities, costs, or execution times—using PAC-style intervals, which are typical in scenarios where empirical or expert data is imprecise. Its objectives are:

  • Unified graphical and command-line interface for editing, merging, and visualizing ADTs in DOT and ADTool-XML formats.
  • Integrated bottom-up analyses for success probabilities, minimal/maximal costs, and delays, supporting both point-value and PAC uncertainty propagation.
  • Synthesis, import, or random generation of ADT models, including all major operators: AND, OR, NOT, SAND, SOR, TRIGGER, RESET.
  • Bridging models to prominent verification backends (PRISM, MODEST/JANI/STORM, UPPAAL).
  • Rigorous handling of imprecision through PAC analysis, yielding confidence intervals on the global risk metrics.
  • Benchmarking with the ATBEST suite, including 42 real-world and over 600 random ADTs.

2. Architecture and Principal Components

QuADTool’s architecture comprises three primary layers:

A. Synthesis Engine

  • GUI canvas and CLI for model specification (drag-and-drop, DSL-based scripts).
  • Parsers for DOT (Graphviz), ADTool XML, and internal ADT representations (vertices, edges, operator/type maps, PAC parameter maps).
  • Support for combining, grafting, and unioning trees to facilitate large-scale or modular ADT construction.

B. Analysis Engine

  • Implements both exact bottom-up and PAC-extended traversals for quantitative attributes.
  • Tracks (value, error, confidence) triples at each tree node for PAC-aware results.
  • Provides feedback modules that enforce backend compatibility and operator support prior to export.

C. Verification Bridge

  • Exports models to verification tools: PRISM (discrete and stochastic games), MODEST/JANI/STORM (continuous/discrete timed automata), UPPAAL (timed automata), and ADTool XML.
  • Invokable from the GUI with tool-specific feedback.
  • Synchronization of model semantics between ADT operators and backend formalisms.

3. Attack-Defense Tree Synthesis and Representation

QuADTool does not learn trees from data but allows modelers to construct and manipulate ADTs via manual editing, import/export, or recursive random synthesis. The internal DSL allows succinct declarative specification:

  • Grammar: ADT → GateName(ADTList) with GateName ∈ {AND, OR, SAND, SOR, NOT, TR, RE, LEAF(id)}
  • Combination primitives enable hierarchical or modular ADT structures, supporting complex multi-stage attack and defense scenarios.
  • Random tree generator expands trees up to specified node counts using recursive gate selection and subtree synthesis, facilitating benchmarking and stress-testing of algorithms.

4. Quantitative Analysis Algorithms

QuADTool supports numerical domains for:

  • Probabilities: T=[0,1]T = [0,1]
  • Costs and delays: T=R0+T = \mathbb{R}_0^+, with possible tuples to track outcome-specific values (e.g., cost of success vs. failure).

Operator Semantics (Exact Mode):

  • Probability:
    • PAND(x,y)=xyP_{\text{AND}}(x,y) = x\cdot y
    • POR(x,y)=x+yxyP_{\text{OR}}(x,y) = x + y - x\cdot y
    • PNOT(x)=1xP_{\text{NOT}}(x) = 1 - x
  • Costs/Delays:
    • AND: sum for success, min for failure
    • OR: min for success, sum for failure

Bottom-Up Algorithm (Exact):

Nodes are evaluated in topological order, integrating children’s values according to operator-specific recursion.

PAC Extension:

  • Each leaf event’s value is a statistical estimator XeX_e with (ϵe,δe)(\epsilon_e,\delta_e)-PAC guarantee: Pr[Xeμeϵe]1δe\Pr[|X_e-\mu_e| \leq \epsilon_e] \geq 1-\delta_e.
  • Interval arithmetic and union-bound logic propagate error bounds and uncertainties upward:
    • AND: x1x2±(x1ϵ2+x2ϵ1+ϵ1ϵ2)x_1x_2 \pm (x_1\epsilon_2 + x_2\epsilon_1 + \epsilon_1\epsilon_2)
    • OR: (x1+x2x1x2)±(ϵ1+ϵ2+x1ϵ2+x2ϵ1+ϵ1ϵ2)(x_1+x_2-x_1x_2) \pm (\epsilon_1+\epsilon_2+x_1\epsilon_2+x_2\epsilon_1+\epsilon_1\epsilon_2)
    • Confidence: T=R0+T = \mathbb{R}_0^+0
  • The root node yields a global metric with a final confidence interval.

5. Handling Uncertainty: PAC Analysis

PAC analysis propagates statistical uncertainty rigorously through the hierarchical ADT structure, yielding quantitative risk metrics expressed as confidence intervals, rather than point estimates. For instance, if leaves have PAC bounds from sample means or expert intervals, QuADTool’s algorithm computes domain-specific error intervals and overall confidence levels at each internal node, culminating in bounds on root-level risk (e.g., attack success probability or minimum mitigation cost).

This PAC capability distinguishes QuADTool from prior systems, which either assumed exact numeric parameters or ignored uncertainty propagation, and addresses the reality of noisy, sample-derived, or judgment-based input data in security modeling.

6. Verification Backend Integration

QuADTool exports ADT models directly to several verification environments:

  • PRISM-games: Encodes the ADT as a two-player turn-based stochastic game, exposing attacker and defender choices and probabilistic transitions.
  • MODEST/JANI/STORM: Translates the ADT into stochastic timed automata (SPTA), associating numerical parameters to rates or time delays.
  • UPPAAL CorA: For parametric or timed analysis under more restrictive semantics.
  • ADTool 2.x XML: For baseline or statistical workflows within established discrete ADT analysis environments.

The user interface warns of any unsupported operators (e.g., SAND, TRIGGER) in the target backend, facilitating smooth translation and debugging. Shell-invokable hooks streamline launching and collecting results from model checkers.

7. Workflow, Performance, and Example Use

A typical QuADTool session involves:

  1. Constructing or importing an ADT.
  2. Assigning quantitative data—by direct entry, CSV import (which yields PAC intervals), or time-series fitting (e.g., ARIMA) for dynamic rates.
  3. Running both exact and PAC analyses to produce risk metrics and associated confidence intervals.
  4. Exporting models to selected verification tools, optionally visualizing feedback or inspecting state-space or counterexample traces returned by the backend.

Worked Example: For a power-meter ADT, QuADTool can import Bernoulli trial data for leaf events, propagate PAC bounds upward, and deliver final attack probabilities such as T=R0+T = \mathbb{R}_0^+1 with T=R0+T = \mathbb{R}_0^+2 confidence, quantitatively expressing both central risk estimates and residual imprecision induced by input uncertainty.

The tool performs efficiently on the ATBEST benchmark suite (real and random trees, 5–1,000 nodes), maintaining interactive runtimes even when propagating PAC bounds, and completes export-plus-verification tasks in under one second on typical problem sizes.

QuADTool is available, together with ATBEST benchmarks, from the project page (Dorfhuber et al., 2024). It delivers, for the first time, an integrated workflow for quantitative, uncertainty-aware ADT security analysis with direct bridges to formal probabilistic verification environments.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to QuADTool.