Abstract
Software-intensive, modern vehicles comprise about 100 computers, which allow a plethora of attack combinations. This paper proposes an efficient attack forest construction method for a vehicle’s on-board network security evaluation, based on our system model, and predictions about attractiveness, exploitability, and attackers. We compiled various vehicle development databases and documents to a homogeneous system model. Our algorithm implementation can construct attack forests with typically sized system models usually within a few minutes and with an asymptotic, computational complexity of O(n * log(n)). Attack forests are a foundation for further security analysis and evaluation.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Ablon, L., Libicki, M.C., Golay, A.A.: Markets for cybercrime tools and stolen data. Technical Report RR-610-JNI, RAND National Security Research Divison (2014)
BSI. IT-Grundschutz-Kataloge. 13. Ergänzungslieferung (September 2013)
Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., Kohno, T.: Comprehensive experimental analyses of automotive attack surfaces. In: Proceedings of the 2011 Usenix Security (2011)
Damm, W., Achatz, R., Beetz, K., Broy, M., Daembkes, H., Grimm, K., Liggesmeyer, P.: Nationale roadmap embedded systems. In: Broy, M. (ed.) Cyber-Physical Systems. acatech DISKUTIERT, pp. 67–136. Springer, Heidelberg (2010)
Evans, S., Wallner, J.: Risk-based security engineering through the eyes of the adversary. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005, pp. 158–165 (June 2005)
Grunske, L., Joyce, D.: Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles. Journal of Systems and Software 81(8), 1327–1345 (2008)
Hart, P.E., Nilsson, N.J., Raphael, B.: A formal basis for the heuristic determination of minimum cost paths. IEEE Transactions on Systems Science and Cybernetics 4(2), 100–107 (1968)
Juniper Networks, Inc. Juniper networks third annual mobile threats report - March 2012 through March 2013 (June 2013)
Koscher, K., Czeskis, A., Roesner, F., Patel, S., Kohno, T., Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S.: Experimental security analysis of a modern automobile. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 447–462 (May 2010)
Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006)
Nicol, D.M., Sanders, W.H., Trivedi, K.S.: Model-based evaluation: from dependability to security. IEEE Transactions on Dependable and Secure Computing 1(1), 48–65 (2004)
Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345 (2006)
Roschke, S., Cheng, F., Schuppenies, R., Meinel, C.: Towards unifying vulnerability information for attack graph construction. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 218–233. Springer, Heidelberg (2009)
Schechter, S.E.: Toward econometric models of the security risk from remote attacks. IEEE Security Privacy 3(1), 40–44 (2005)
Schneier, B.: Attack trees. Dr. Dobb’s Journal of Software Tools, 21–22, 24, 26, 28–29 (1999)
Schneier, B.: Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons (March 2004)
Schneier, B.: The importance of security engineering. IEEE Security Privacy 10(5), 88–88 (2012)
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, SP 2002, pp. 273–284. IEEE Computer Society, Washington, DC (2002)
Sheyner, O.M.: Scenario graphs and attack graphs. PhD thesis, Carnegie Mellon University, Pittsburgh, PA, USA, AAI3126929 (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Salfer, M., Schweppe, H., Eckert, C. (2014). Efficient Attack Forest Construction for Automotive On-board Networks. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_27
Download citation
DOI: https://doi.org/10.1007/978-3-319-13257-0_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13256-3
Online ISBN: 978-3-319-13257-0
eBook Packages: Computer ScienceComputer Science (R0)