Logo PTI Logo FedCSIS

Proceedings of the 19th Conference on Computer Science and Intelligence Systems (FedCSIS)

Annals of Computer Science and Information Systems, Volume 39

An autonomous vehicle in a connected environment: case study of cyber-resilience

, , , ,

DOI: http://dx.doi.org/10.15439/2024F8797

Citation: Proceedings of the 19th Conference on Computer Science and Intelligence Systems (FedCSIS), M. Bolanowski, M. Ganzha, L. Maciaszek, M. Paprzycki, D. Ślęzak (eds). ACSIS, Vol. 39, pages 363373 ()

Full text

Abstract. As vehicles are being increasingly connected to the Internet and equipped with autonomous driving features, this increases the potential of cyberattacks and requires sophisticated implementations of resilience capable to detect attacks and react to them. Therefore, threat analysis and risk assessment including careful modelling of resilience are essential to prepare against cybersecurity risks. In this context, we extend by complementary monitoring/fallback mechanism our framework devoted to automatically discover complex cyberattack scenarios using abstract cost criteria. We then show that this extension allows analysing a realistic resilient model of cybersecurity aspects of a level 2 autonomous connected vehicle.

References

  1. A. Clark and S. Zonouz, “Cyber-physical resilience: Definition and assessment metric,” IEEE Transactions on Smart Grid, vol. 10, no. 2, pp. 1671–1684, 2017. http://dx.doi.org/10.1109/TSG.2017.2776279
  2. N. Leveson, N. Dulac, D. Zipkin, J. Cutcher-Gershenfeld, J. Carroll, and B. Barrett, “Engineering resilience into safety-critical systems,” in Resilience engineering. CRC Press, 2017. http://dx.doi.org/10.1201/9781315605685-12 pp. 95–123.
  3. G. Hutzler, H. Klaudel, W. Klaudel, F. Pommereau, and A. Rataj, “Automatic discovery of cyberattacks,” in IEEE CSR, 2024, to appear.
  4. S. Quinn, N. Ivy, M. Barrett, L. Feldman, G. Witte, and R. Gardner, “Identifying and estimating cybersecurity risk for enterprise risk management,” 2021. http://dx.doi.org/10.6028/NIST.IR.8286A https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8286A.pdf.
  5. “Digital risk management,” French Cybersecurity Agency, 2024, https://cyber.gouv.fr/en/digital-risk-management.
  6. S. Gupta Bhol, J. Mohanty, and P. Kumar Pattnaik, “Taxonomy of cyber security metrics to measure strength of cyber security,” Materials Today: Proceedings, vol. 80, pp. 2274–2279, 2023. http://dx.doi.org/10.1016/j.matpr.2021.06.228 SI:5 NANO 2021. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2214785321046009
  7. S. Mauw and M. Oostdijk, “Foundations of attack trees,” in Information Security and Cryptology-ICISC 2005. Springer, 2006. doi: 10.1007/11734 pp. 186–198.
  8. J. Arias, C. E. Budde, W. Penczek, L. Petrucci, T. Sidoruk, and M. Stoelinga, “Hackers vs. security: attack-defence trees as asynchronous multi-agent systems,” in International Conference on Formal Engineering Methods. Springer, 2020. http://dx.doi.org/10.1007/978-3-030-63406-3_1 pp. 3–19.
  9. R. Ritchey and P. Ammann, “Using model checking to analyze network vulnerabilities,” in IEEE Symposium on Security and Privacy, 2000. http://dx.doi.org/10.1109/SECPRI.2000.848453 pp. 156–165.
  10. S. Jajodia, S. Noel, and B. O’berry, “Topological analysis of network attack vulnerability,” Managing Cyber Threats: Issues, Approaches, and Challenges, pp. 247–266, 2005. http://dx.doi.org/10.1145/1229285.1229288
  11. M. Ge, J. B. Hong, W. Guttmann, and D. S. Kim, “A framework for automating security analysis of the internet of things,” Journal of Network and Computer Applications, vol. 83, pp. 12–27, 2017. http://dx.doi.org/10.1016/j.jnca.2017.01.033
  12. C. Hankin, P. Malacaria et al., “Attack dynamics: an automatic attack graph generation framework based on system topology, capec, cwe, and cve databases,” Computers & Security, vol. 123, p. 102938, 2022. http://dx.doi.org/10.1016/j.cose.2022.102938
  13. O. Sheyner and J. Wing, “Tools for generating and analyzing attack graphs,” in International symposium on formal methods for components and objects. Springer, 2003. http://dx.doi.org/10.1007/978-3-540-30101-1_17 pp. 344–371.
  14. K. Piwowarski, K. Ingols, and R. Lippmann, “Practical attack graph generation for network defense,” in Computer Security Applications Conference. IEEE Computer Society, 2006. http://dx.doi.org/10.1109/ACSAC.2006.39. ISSN 1063-9527 pp. 121–130. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/ACSAC.2006.39
  15. B. Schneier, “Attack trees,” Dr. Dobb’s journal, vol. 24, no. 12, pp. 21–29, 1999.
  16. B. Kordy, S. Mauw, S. Radomirović, and P. Schweitzer, “Attack–defense trees,” Journal of Logic and Computation, vol. 24, no. 1, pp. 55–87, 06 2012. http://dx.doi.org/10.1093/logcom/exs029. [Online]. Available: https://doi.org/10.1093/logcom/exs029
  17. D. M. Kienzle and W. A. Wulf, “A practical approach to security assessment,” in Proceedings of the 1997 workshop on New security paradigms, 1998. http://dx.doi.org/10.1145/283699.283731, pp. 5–16.
  18. M. S. Barik, A. Sengupta, and C. Mazumdar, “Attack graph generation and analysis techniques,” Defence Science Journal, vol. 66, no. 6, p. 559, 2016. http://dx.doi.org/10.14429/dsj.66.10795
  19. H. S. Lallie, K. Debattista, and J. Bal, “A review of attack graph and attack tree visual syntax in cyber security,” Computer Science Review, vol. 35, p. 100219, 2020. http://dx.doi.org/10.1016/j.cosrev.2019.100219. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1574013719300772
  20. K. Kaynar, “A taxonomy for attack graph generation and usage in network security,” Journal of Information Security and Applications, vol. 29, pp. 27–56, 2016. http://dx.doi.org/10.1016/j.jisa.2016.02.001. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2214212616300011
  21. MITRE, “Common weakness enumeration,” 2023, https://cwe.mitre.org/ data/index.html.
  22. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. Wing, “Automated generation and analysis of attack graphs,” in IEEE Symposium on Security and Privacy, 2002. http://dx.doi.org/10.1109/SECPRI.2002.1004377, pp. 273–284.
  23. I. Chokshi, N. Ghosh, and S. K. Ghosh, “Efficient generation of exploit dependency graph by customized attack modeling technique,” in Advanced Computing and Communications. IEEE Computer Society, 2012. http://dx.doi.org/10.1109/ADCOM.2012.6563582, pp. 39–45. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/ADCOM.2012.6563582
  24. Z. B. Celik, P. McDaniel, and G. Tan, “Soteria: Automated {IoT} safety and security analysis,” in USENIX Annual Technical Conference, 2018. http://dx.doi.org/10.48550/arXiv.1805.08876, pp. 147–158.
  25. J. Hong and D.-S. Kim, “Harms: Hierarchical attack representation models for network security analysis,” 2012. http://dx.doi.org/10.4225/75/57b559a3cd8da
  26. J. B. Hong and D. S. Kim, “Towards scalable security analysis using multi-layered security models,” Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016. http://dx.doi.org/10.1016/j.jnca.2016.08.024,
  27. P. Ammann, D. Wijesekera, and S. Kaushik, “Scalable, graph-based network vulnerability analysis,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002. doi: 10.1145/586110.586140, pp. 217–224.
  28. R. E. Bryant, “Graph-based algorithms for boolean function manipulation,” Computers, IEEE Transactions on, vol. 100, no. 8, pp. 677–691, 1986. http://dx.doi.org/10.1109/TC.1986.1676819
  29. G. Behrmann, A. David, and K. G. Larsen, “A tutorial on UPPAAL,” in LNCS, vol. 3185. Springer, 2004. http://dx.doi.org/10.1007/978-3-540-30080-9_7, pp. 200–236.
  30. “Road vehicles, Cybersecurity engineering,” International Organization for Standardization, Geneva, CH, Standard, 2021.
  31. “Ebios risk manager,” French Cybersecurity Agency, 2024, https://www.ssi.gouv.fr/uploads/2019/11/anssi-guide-ebios_risk_manager-en-v1.0.pdf.
  32. “Common vulnerabilities and exposures,” MITRE, 2024. [Online]. Available: http://cve.mitre.org