A Quantitative Approach for the Likelihood of Exploits of System Vulnerabilities

  • Siddhartha Verma
  • Thomas Gruber
  • Peter Puschner
  • Christoph Schmittner
  • Erwin Schoitsch
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11094)


The transition of modern systems towards more connected information and communication technologies (ICT) has increased the safety, capacity and reliability of systems such as transport systems (railways, automotive) and industrial systems, but it has also exposed a large additional surface for cyber attackers, which makes it necessary to take general IT security concerns into consideration. Cyber-physical systems need more effort to consider safety-critical IT security concerns. The safety impact of security compromises is evaluated in a semi-quantitative manner because this is a relatively new area: there is not enough real data available to analyse attack rates quantitatively, and the attack-vulnerability scenario is constantly changing because of adversary intelligence. This paper proposes an approach for the quantification of vulnerabilities based on learning from data obtained by concrete pattern implementations in safety-critical systems. This will allow combined analysis of safety and security.


Security patterns, Co-analysis, Colored Petri nets, Security and dependability



The work published here is based on research in the AMASS project that has been funded by the ECSEL Joint Undertaking under Grant Agreement number 692474.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. AIT Austrian Institute of Technology, Vienna, Austria
