基于本体与攻击—故障树的智能网联汽车功能安全和网络安全联合分析评估方法

doi:10.3969/j.issn.1671-1122.2025.04.008

摘要/Abstract

摘要：

针对复杂网络物理系统中功能安全和网络安全的动态交互问题，现有S&S联合分析方法由于对组件层的攻击—故障交互作用分析深度与精度不足，难以全面识别综合风险场景并准确量化风险，导致后续风险缓解措施可能存在潜在矛盾，从而削弱综合风险评估的有效性。文章提出一种基于本体与攻击—故障树的智能网联汽车功能安全和网络安全联合分析评估方法（Onto-AFT），通过构建业务—功能—组件分层依赖关系的本体模型，规范化表征网络物理系统的宏观功能架构与微观组件交互逻辑。同时，利用Datalog语言设计系统的组件、功能、攻击和故障等要素的动态交互规则，实现攻击路径与故障传播路径的联合推理与失效风险量化。该方法将本体论的系统化知识表示能力与攻击—故障树的多逻辑门表达能力相结合，支持复杂交互场景（如攻击触发故障、冗余组件抑制失效）的失效路径推理，并融合通用漏洞评分系统的漏洞评分与故障率数据实现动态风险计算。在智能网联汽车自动紧急制动系统上进行实验，实验结果表明，与传统智能网联汽车联合分析评估方法相比，Onto-AFT在风险识别的全面性与量化精度上均有显著提升，同时具备规则动态更新的高扩展性。

关键词: 网络物理系统, 功能安全和网络安全, 本体论, 风险评估

Abstract:

For the dynamic interaction problem of safety and security in complex cyber-physical systems, the existing S&S co-analysis methods have insufficient depth and accuracy in analyzing the attack-fault interaction at the component level, making it difficult to comprehensively identify integrated risk scenarios and accurately quantify risks. This leads to potential contradictions in subsequent risk mitigation measures, thereby reducing the effectiveness of comprehensive risk assessment. This paper proposed a safety and security co-analysis and assessment method for intelligent connected vehicles based on ontology and attack-fault tree (Onto-AFT). By constructing an ontology model of the hierarchical dependency relationship between business, function, and component, it standardized the representation of the macroscopic functional architecture and microscopic component interaction logic of cyber-physical systems. Using the Datalog language, dynamic interaction rules for system components, functions, attacks, and faults were designed to achieve joint reasoning of attack paths and fault propagation paths and quantification of failure risks. This method combined the systematic knowledge representation ability of ontology with the multi-logic gate expression ability of attack-fault trees, supporting failure path reasoning in complex interaction scenarios (such as attacks triggering faults, redundant components suppressing failures), and integrating CVSS vulnerability scores and failure rate data to achieve dynamic risk calculation. Experimetation on the autonomous emergency braking system of intelligent connected vehicles, experiments prove that compared with traditional safety and security co-analysis and evaluation methods, Onto-AFT significantly improves the comprehensiveness of risk identification and quantification accuracy, and has high scalability with dynamic rule updates.

Key words: cyber-physical system, safety and security, ontology, risk assessment

中图分类号:

TP309

王舜, 邱菡, 何英. 基于本体与攻击—故障树的智能网联汽车功能安全和网络安全联合分析评估方法[J]. 信息网络安全, 2025, 25(4): 598-609.

WANG Shun, QIU Han, HE Ying. A Safety and Security Co-Analysis and Assessment Method for Intelligent Connected Vehicles Based on Ontology and Attack-Fault Tree[J]. Netinfo Security, 2025, 25(4): 598-609.

图/表 10

表1

图1

图2

图3

图4

图5

图6

图7

表2

表3

参考文献 22

[1]	KRIAA S, PIETRE-CAMBACEDES L, BOUISSOU M, et al. A Survey of Approaches Combining Safety and Security for Industrial Control Systems[J]. Reliability Engineering & System Safety, 2015, 139: 156-178.
[2]	SABALIAUSKAITE G, BRYANS J, JADIDBONAB H, et al. TOMSAC-Methodology for Trade-Off Management between Automotive Safety and Cyber Security[EB/OL]. (2024-05-01)[2025-01-07]. https://doi.org/10.1016/j.cose.2024.103798.
[3]	NICOLETTI S M, PEPPELMAN M, KOLB C, et al. Model-Based Joint Analysis of Safety and Security: Survey and Identification of Gaps[EB/OL]. (2023-11-01)[2025-01-07]. https://doi.org/10.48550/arXiv.2106.06272.
[4]	KUMAR R, STOELINGA M. Quantitative Security and Safety Analysis with Attack-Fault Trees[C]// IEEE. 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE). New York: IEEE, 2017: 25-32.
[5]	KRIAA S, BOUISSOU M, COLIN F, et al. Safety and Security Interactions Modeling Using the BDMP Formalism: Case Study of a Pipeline[C]// Springer. Computer Safety, Reliability, and Security. Heidelberg: Springer, 2014: 326-341.
[6]	KORNECKI A J, SUBRAMANIAN N, ZALEWSKI J. Studying Interrelationships of Safety and Security for Software Assurance in Cyber-Physical Systems: Approach Based on Bayesian Belief Networks[C]// IEEE. 2013 Federated Conference on Computer Science and Information Systems. New York: IEEE, 2013: 1393-1399.
[7]	JACKSON D. Alloy: A Lightweight Object Modelling Notation[J]. ACM Transactions on Software Engineering and Methodology (TOSEM), 2002, 11(2): 256-290.
[8]	VISTBAKKA I, TROUBITSYNA E, KUISMIN T, et al. Co-Engineering Safety and Security in Industrial Control Systems: A Formal Outlook[C]// Springer. Software Engineering for Resilient Systems (SERENE 2017). Heidelberg: Springer, 2017: 96-114.
[9]	LIEDTKE T. Risk Assessment According to the ISO/SAE 21434: 2021-Rxperiences, Help and Pitfalls[EB/OL]. (2021-09-29)[2025-01-07]. https://hss-opus.ub.ruhr-uni-bochum.de/opus4/frontdoor/index/index/docId/8356.
[10]	STAAB S, STUDER R. Handbook on Ontologies[M]. Heidelberg: Springer, 2013.
[11]	AZIZ A, AHMED S, KHAN F I. An Ontology-Based Methodology for Hazard Identification and Causation Analysis[J]. Process Safety and Environmental Protection, 2019, 123: 87-98.
[12]	RAAD J, CRUZ C. A Survey on Ontology Evaluation Methods[C]// ACM. Proceedings of the 7th International Joint Conference on Knowledge Discovery, Knowledge Engineering and Knowledge Management (IC3K 2015). New York: ACM, 2015: 179-186.
[13]	BHOSALE P, KASTNER W, SAUTER T. Integrated Safety-Security Risk Assessment for Industrial Control System: An Ontology-Based Approach[C]// IEEE. 2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA). New York: IEEE, 2023: 1-8.
[14]	HUANG Ning. Network Reliability and Its Evaluation Technology[M]. Beijing: National Defense Industry Press, 2020.
	黄宁. 网络可靠性及评估技术[M]. 北京: 国防工业出版社, 2020.
[15]	LUO Feng, JIANG Yifan, WANG Jiajia, et al. A Framework for Cybersecurity Requirements Management in the Automotive Domain[EB/OL]. (2023-05-22)[2025-01-07]. https://doi.org/10.3390/s23104979.
[16]	International Electrotechnical Commission. Industrial Communication Networks-Network and System Security-Part 1-1: Terminology, Concepts and Models[EB/OL]. (2009-07-30)[2025-01-07]. https://webstore.iec.ch/publication/7029.
[17]	JING Pengfei, CAI Zhiqiang, CAO Yingjie, et al. Revisiting Automotive Attack Surfaces: A Practitioners’ Perspective[C]// IEEE. 2024 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2024: 2348-2365.
[18]	RICHTER A, WALZ T P, DHANANI M, et al. Components and Their Failure Rates in Autonomous Driving[C]// Wiley. Proceeding of the 33rd European Safety and Reliability Conference. New York: Wiley, 2023: 233-240.
[19]	SCHMITTNER C, MA Zhendong, SMITH P. FMVEA for Safety and Security Analysis of Intelligent and Cooperative Vehicles[C]// Springer. Computer Safety, Reliability, and Security. Heidelberg: Springer, 2014: 282-288.
[20]	SABALIAUSKAITE G, ADEPU S, MATHUR A. A Six-Step Model for Safety and Security Analysis of Cyber-Physical Systems[C]// Springer. Critical Information Infrastructures Security (CRITIS 2016). Heidelberg: Springer, 2017: 189-200.
[21]	LIU Qi, SUN Ke, LIU Wenqi, et al. Quantitative Risk Assessment for Connected Automated Vehicles: Integrating Improved STPA-SafeSec and Bayesian Network[EB/OL]. (2025-01-01)[2025-01-07]. https://doi.org/10.1016/j.ress.2024.110528.
[22]	SABALIAUSKAITE G, LIEW L S, CUI J. Integrating Autonomous Vehicle Safety and Security Analysis Using STPA Method and the Six-Step Model[J]. International Journal on Advances in Security, 2018, 11(1): 160-169.

S&S 视角	本体—本体	关系	描述
宏观	功能安全需求—网络安全需求、功能安全措施—网络安全措施	独立	无交互
		相互强化	功能安全需求（措施）有助于满足网络安全需求（措施），反之亦然
		条件依赖	网络安全是满足功能安全的条件，反之亦然
		对立	同时考虑功能安全需求（措施）和网络安全需求（措施）存在矛盾
微观	组件—组件	独立	组件之间无功能或资源交互
	组件—组件	冗余（相互强化）	组件冗余设计提升整体可靠性
	组件—功能	依赖（条件依赖）	功能依赖组件可用性
	攻击—失效、故障—失效	因果（条件依赖）	攻击或故障直接引起组件失效
	攻击—故障	独立	无交互
		触发（条件依赖）	一方导致另一方发生（例如，攻击导致故障发生）
		抑制（对立）	一方阻断另一方发生（例如，故障阻断攻击传播）

编号	组件	漏洞/故障原因	威胁模式/失效模式	威胁影响 /失效影响	系统状态	系统影响	严重度	系统易感性	威胁属性	攻击/失效可能性	风险值
1	摄像头	被攻击者干扰的图像被摄像头观察到后产生不正确的视觉预测	攻击者对摄像头注入对抗性图像	摄像头输出错误的判断信息	安全关键，系统需要紧急制动	系统失去可靠的视觉预测服务	4	4	3	7	28
2	摄像头	攻击者用额外的光线使摄像头失灵	摄像头致盲	摄像头拒绝服务	安全关键，系统需要紧急制动	系统失去摄像头功能	3	4	3	7	21
3	T-box	攻击者通过蓝牙技术实现缓冲区溢出	攻击者使用已连接的设备并提升其权限	攻击者能在关键ECU上执行代码	连接到受感染的设备	安全关键，攻击者可以控制车辆	6	3	4	7	42
4	T-box	无线连接协议缺乏强身份验证方法	攻击者通过V2I通信发送伪造信息	窃取合法身份并传播伪造信息	连接到受感染的设备	安全关键，运行环境和信息完整性遭受破坏	6	3	2	5	30
5	T-box	无线连接易受干扰	攻击者终端OTA或车载诊断	OTA更新中断或车载诊断终止	OTA升级中或远程车载诊断运行中	无	1	6	4	10	10
6	OBD 端口	攻击者从OBD端口观察到CAN消息	攻击者通过OBD端口传输伪造信息	攻击者能在关键ECU上执行代码	连接到受感染的设备	安全关键，攻击者可以控制车辆	6	3	4	7	42
7	OBD 端口	CAN总线被大量优先级高的消息占用	攻击者通过OBD端口发送大量优先级消息，使CAN拒绝服务	CAN无法处理总线上的其他消息	连接到受感染的设备	安全关键，车内通信网络瘫痪	6	3	1	4	24

维度			FMVEA	Six-Step Model	Improved-STPA-SafeSec-BN	Onto-AFT
风险识别的全面性	S&S需求/措施关系	独立	√	√	√	√
		依赖	×	√	×	√
		强化	×	√	×	√
		对立	×	√	×	√
	组件—组件	独立	√	√	√	√
	组件—组件	冗余	×	√	×	√
	组件—功能	依赖	√	√	√	√
	攻击/故障—失效	因果	√	√	√	√
	攻击—故障	独立	√	√	√	√
		触发	×	×	×	√
		抑制	×	×	×	√
风险量化的准确性	定性/定量分析		定量	定性	定量	定量
风险量化的准确性	数据来源		公共知识，专家评分	公共知识	公共知识，统计概率	公共知识，统计概率，CVSS评分
方法适应性	符合标准		ISO 26262	无特定标准	ISO 26262+ISO/SAE 21434	ISO 26262+ISO/SAE 21434+本体扩展
	工具支持		表格（人工）	关系矩阵（人工）	贝叶斯网络工具（如GeNIe）	开源推理引擎（如XSB）
	动态系统适配性		低	低	中（重构CPT）	高（规则动态更新）