Conference
Federated Conference on Computer Science and Information Systems (19 ; 08-11.09.2024 ; Belgrade, Serbia)
Abstracts
As vehicles are increasingly connected to the Internet and equipped with autonomous driving features, the potential for cyberattacks grows, requiring sophisticated resilience implementations capable of detecting attacks and reacting to them. Therefore, threat analysis and risk assessment, including careful modelling of resilience, are essential to prepare against cybersecurity risks. In this context, we extend our framework for automatically discovering complex cyberattack scenarios using abstract cost criteria with a complementary monitoring/fallback mechanism. We then show that this extension allows the analysis of a realistic resilient model of the cybersecurity aspects of a level 2 autonomous connected vehicle.
Pages
363–373
Physical description
Bibliography: 32 items, illustrations, tables.
Authors
author
- IBISC, Univ. Evry, Université Paris-Saclay, France
author
- IBISC, Univ. Evry, Université Paris-Saclay, France
author
- SafeTech Cybernetics, Palaiseau, France
- IRT SystemX, Palaiseau, France
author
- IBISC, Univ. Evry, Université Paris-Saclay, France
author
- IRT SystemX, Palaiseau, France
Notes
1. This work was supported by the French government as part of the “France 2030” program, within the framework of the SystemX Technological Research Institute.
2. Thematic Sessions: Regular Papers
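3. Record prepared with funds from the Ministry of Science and Higher Education (MNiSW), agreement no. POPUL/SP/0154/2024/02, under the programme "Społeczna odpowiedzialność nauki II" (Social Responsibility of Science II), module: Popularisation of Science (2025).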
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-dc6ec9a1-c245-4fa0-9b12-03f37414c277