Attack Tree Construction and Its Application to the Connected Vehicle

  • Khaled KarrayEmail author
  • Jean-Luc Danger
  • Sylvain Guilley
  • M. Abdelaziz Elaabid


Remote connectivity of today’s and future cars increases their capabilities of autonomy and safety, but also their attack surface, as reported by several research papers. In the automotive domain, the security has a direct impact on the user’s safety. Thus, the management of risk is becoming the main concern of automotive manufacturers, especially for the future fully connected and autonomous cars. A possible way to quantify the overall risk of a system is the systematic construction of attack graphs and attack trees. These formalisms are presented as one of the possible solutions in the new Cybersecurity Guidebook for Cyber-Physical Vehicle Systems (SAE-J3061). In this chapter we propose to use graph transformation to formally model the car architecture and its state evolution in order to study cyber-physical attacks against it. The resulting attacks are converted into attack trees which are used to estimate the overall risk of the system. Consequently, it becomes possible to study improvements while building a more secure architecture. The proposed method is designed to support the conceptual phase of the vehicle’s cyber-physical system. We illustrate the method on a small pedagogical example to show how it is possible to prove its efficiency.


  1. 1.
    P. Ammann, D. Wijesekera, S. Kaushik, Scalable, graph-based network vulnerability analysis, in Proceedings of the 9th ACM Conference on Computer and Communications Security (ACM, New York, 2002), pp. 217–224Google Scholar
  2. 2.
    L. Apvrille, Y. Roudier, Sysml-sec attack graphs: compact representations for complex attacks, in International Workshop on Graphical Models for Security (Springer, Berlin, 2015), pp. 35–49Google Scholar
  3. 3.
    L. Apvrille, L. Li, Y. Roudier, Model-driven engineering for designing safe and secure embedded systems, in Architecture-Centric Virtual Integration (ACVI), 2016 (IEEE, Piscataway, 2016), pp. 4–7Google Scholar
  4. 4.
    S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno, et al., Comprehensive experimental analyses of automotive attack surfaces, in USENIX Security Symposium, San Francisco (2011)Google Scholar
  5. 5.
    T. Dimkov, W. Pieters, P. Hartel, Portunes: representing attack scenarios spanning through the physical, digital and social domain, in Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (Springer, Berlin, 2010), pp. 112–129Google Scholar
  6. 6.
    I.D. Foster, A. Prudhomme, K. Koscher, S. Savage, Fast and vulnerable: a story of telematic failures, in WOOT’15 Proceedings of the 9th USENIX Conference on Offensive Technologies (2015)Google Scholar
  7. 7.
    Groove: graphs for object-oriented verification.
  8. 8.
    T. Hoppe, S. Kiltz, J. Dittmann, Security threats to automotive can networks–practical examples and selected short-term countermeasures, in International Conference on Computer Safety, Reliability, and Security (Springer, Berlin, 2008), pp. 235–248Google Scholar
  9. 9.
    K. Ingols, R. Lippmann, K. Piwowarski, Practical attack graph generation for network defense, in 22nd Annual Computer Security Applications Conference, 2006. ACSAC’06 (IEEE, Piscataway, 2006), pp. 121–130Google Scholar
  10. 10.
    M.G. Ivanova, C.W. Probst, R.R. Hansen, F. Kammüller, Transforming graphical system models to graphical attack models, in International Workshop on Graphical Models for Security (Springer, Berlin, 2015), pp. 82–96Google Scholar
  11. 11.
    S. Jajodia, S. Noel, Topological vulnerability analysis, in Cyber Situational Awareness (Springer, Berlin, 2010), pp. 139–154Google Scholar
  12. 12.
    K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, et al., Experimental security analysis of a modern automobile, in 2010 IEEE Symposium on Security and Privacy (SP) (IEEE, Piscataway, 2010), pp. 447–462CrossRefGoogle Scholar
  13. 13.
    R. Kumar, E. Ruijters, M. Stoelinga, Quantitative attack tree analysis via priced timed automata, in International Conference on Formal Modeling and Analysis of Timed Systems (Springer, Berlin, 2015), pp. 156–171zbMATHGoogle Scholar
  14. 14.
    F. Lugou, L.W. Li, L. Apvrille, R. Ameur-Boulifa, Sysml models and model transformation for security, in Conferénce on Model-Driven Engineering and Software Development (Modelsward’2016) (2016)Google Scholar
  15. 15.
    C. Miller, C. Valasek, Remote exploitation of an unaltered passenger vehicle. Black Hat USA (2015)Google Scholar
  16. 16.
    X. Ou, S. Govindavajhala, A.W. Appel, Mulval: a logic-based network security analyzer, in USENIX Security (2005)Google Scholar
  17. 17.
    C. Phillips, L.P. Swiler, A graph-based system for network-vulnerability analysis, in Proceedings of the 1998 Workshop on New Security Paradigms (ACM, New York, 1998), pp. 71–79Google Scholar
  18. 18.
    R.W. Ritchey, P. Ammann, Using model checking to analyze network vulnerabilities, in SP’00 Proceedings of the 2000 IEEE Symposium on Security and Privacy (IEEE, Piscataway, 2000), pp. 156–165Google Scholar
  19. 19.
    M. Salfer, C. Eckert, Attack surface and vulnerability assessment of automotive electronic control units, in 2015 12th International Joint Conference on e-Business and Telecommunications (ICETE), vol. 4 (IEEE, Piscataway, 2015), pp. 317–326Google Scholar
  20. 20.
    M. Salfer, H. Schweppe, C. Eckert, Efficient attack forest construction for automotive on-board networks, in International Conference on Information Security (Springer, Berlin, 2014), pp. 442–453Google Scholar
  21. 21.
    B. Schneier, Attack trees. Dr. Dobbâs J. 24(12), 21–29 (1999)Google Scholar
  22. 22.
    O. Sheyner, J. Haines, S. Jha, R. Lippmann, J.M. Wing, Automated generation and analysis of attack graphs, in 2002 Proceedings IEEE Symposium on Security and Privacy (IEEE, Piscataway, 2002), pp. 273–284Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Khaled Karray
    • 1
    Email author
  • Jean-Luc Danger
    • 1
    • 2
  • Sylvain Guilley
    • 1
    • 3
    • 4
  • M. Abdelaziz Elaabid
    • 5
  1. 1.Télécom ParisTechParisFrance
  2. 2.Secure-IC S.A.S.Cesson-SévignéFrance
  3. 3.Secure-ICParisFrance
  4. 4.École normale supérieureParisFrance
  5. 5.PSA-GROUPEParisFrance

Personalised recommendations