A Safety and Security Co-Analysis and Assessment Method for Intelligent Connected Vehicles Based on Ontology and Attack-Fault Tree

doi:10.3969/j.issn.1671-1122.2025.04.008

Abstract

Abstract:

For the dynamic interaction problem of safety and security in complex cyber-physical systems, the existing S&S co-analysis methods have insufficient depth and accuracy in analyzing the attack-fault interaction at the component level, making it difficult to comprehensively identify integrated risk scenarios and accurately quantify risks. This leads to potential contradictions in subsequent risk mitigation measures, thereby reducing the effectiveness of comprehensive risk assessment. This paper proposed a safety and security co-analysis and assessment method for intelligent connected vehicles based on ontology and attack-fault tree (Onto-AFT). By constructing an ontology model of the hierarchical dependency relationship between business, function, and component, it standardized the representation of the macroscopic functional architecture and microscopic component interaction logic of cyber-physical systems. Using the Datalog language, dynamic interaction rules for system components, functions, attacks, and faults were designed to achieve joint reasoning of attack paths and fault propagation paths and quantification of failure risks. This method combined the systematic knowledge representation ability of ontology with the multi-logic gate expression ability of attack-fault trees, supporting failure path reasoning in complex interaction scenarios (such as attacks triggering faults, redundant components suppressing failures), and integrating CVSS vulnerability scores and failure rate data to achieve dynamic risk calculation. Experimetation on the autonomous emergency braking system of intelligent connected vehicles, experiments prove that compared with traditional safety and security co-analysis and evaluation methods, Onto-AFT significantly improves the comprehensiveness of risk identification and quantification accuracy, and has high scalability with dynamic rule updates.

Key words: cyber-physical system, safety and security, ontology, risk assessment

CLC Number:

TP309

WANG Shun, QIU Han, HE Ying. A Safety and Security Co-Analysis and Assessment Method for Intelligent Connected Vehicles Based on Ontology and Attack-Fault Tree[J]. Netinfo Security, 2025, 25(4): 598-609.

Figures/Tables 10

References 22

[1]	KRIAA S, PIETRE-CAMBACEDES L, BOUISSOU M, et al. A Survey of Approaches Combining Safety and Security for Industrial Control Systems[J]. Reliability Engineering & System Safety, 2015, 139: 156-178.
[2]	SABALIAUSKAITE G, BRYANS J, JADIDBONAB H, et al. TOMSAC-Methodology for Trade-Off Management between Automotive Safety and Cyber Security[EB/OL]. (2024-05-01)[2025-01-07]. https://doi.org/10.1016/j.cose.2024.103798.
[3]	NICOLETTI S M, PEPPELMAN M, KOLB C, et al. Model-Based Joint Analysis of Safety and Security: Survey and Identification of Gaps[EB/OL]. (2023-11-01)[2025-01-07]. https://doi.org/10.48550/arXiv.2106.06272.
[4]	KUMAR R, STOELINGA M. Quantitative Security and Safety Analysis with Attack-Fault Trees[C]// IEEE. 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE). New York: IEEE, 2017: 25-32.
[5]	KRIAA S, BOUISSOU M, COLIN F, et al. Safety and Security Interactions Modeling Using the BDMP Formalism: Case Study of a Pipeline[C]// Springer. Computer Safety, Reliability, and Security. Heidelberg: Springer, 2014: 326-341.
[6]	KORNECKI A J, SUBRAMANIAN N, ZALEWSKI J. Studying Interrelationships of Safety and Security for Software Assurance in Cyber-Physical Systems: Approach Based on Bayesian Belief Networks[C]// IEEE. 2013 Federated Conference on Computer Science and Information Systems. New York: IEEE, 2013: 1393-1399.
[7]	JACKSON D. Alloy: A Lightweight Object Modelling Notation[J]. ACM Transactions on Software Engineering and Methodology (TOSEM), 2002, 11(2): 256-290.
[8]	VISTBAKKA I, TROUBITSYNA E, KUISMIN T, et al. Co-Engineering Safety and Security in Industrial Control Systems: A Formal Outlook[C]// Springer. Software Engineering for Resilient Systems (SERENE 2017). Heidelberg: Springer, 2017: 96-114.
[9]	LIEDTKE T. Risk Assessment According to the ISO/SAE 21434: 2021-Rxperiences, Help and Pitfalls[EB/OL]. (2021-09-29)[2025-01-07]. https://hss-opus.ub.ruhr-uni-bochum.de/opus4/frontdoor/index/index/docId/8356.
[10]	STAAB S, STUDER R. Handbook on Ontologies[M]. Heidelberg: Springer, 2013.
[11]	AZIZ A, AHMED S, KHAN F I. An Ontology-Based Methodology for Hazard Identification and Causation Analysis[J]. Process Safety and Environmental Protection, 2019, 123: 87-98.
[12]	RAAD J, CRUZ C. A Survey on Ontology Evaluation Methods[C]// ACM. Proceedings of the 7th International Joint Conference on Knowledge Discovery, Knowledge Engineering and Knowledge Management (IC3K 2015). New York: ACM, 2015: 179-186.
[13]	BHOSALE P, KASTNER W, SAUTER T. Integrated Safety-Security Risk Assessment for Industrial Control System: An Ontology-Based Approach[C]// IEEE. 2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA). New York: IEEE, 2023: 1-8.
[14]	HUANG Ning. Network Reliability and Its Evaluation Technology[M]. Beijing: National Defense Industry Press, 2020.
	黄宁. 网络可靠性及评估技术[M]. 北京: 国防工业出版社, 2020.
[15]	LUO Feng, JIANG Yifan, WANG Jiajia, et al. A Framework for Cybersecurity Requirements Management in the Automotive Domain[EB/OL]. (2023-05-22)[2025-01-07]. https://doi.org/10.3390/s23104979.
[16]	International Electrotechnical Commission. Industrial Communication Networks-Network and System Security-Part 1-1: Terminology, Concepts and Models[EB/OL]. (2009-07-30)[2025-01-07]. https://webstore.iec.ch/publication/7029.
[17]	JING Pengfei, CAI Zhiqiang, CAO Yingjie, et al. Revisiting Automotive Attack Surfaces: A Practitioners’ Perspective[C]// IEEE. 2024 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2024: 2348-2365.
[18]	RICHTER A, WALZ T P, DHANANI M, et al. Components and Their Failure Rates in Autonomous Driving[C]// Wiley. Proceeding of the 33rd European Safety and Reliability Conference. New York: Wiley, 2023: 233-240.
[19]	SCHMITTNER C, MA Zhendong, SMITH P. FMVEA for Safety and Security Analysis of Intelligent and Cooperative Vehicles[C]// Springer. Computer Safety, Reliability, and Security. Heidelberg: Springer, 2014: 282-288.
[20]	SABALIAUSKAITE G, ADEPU S, MATHUR A. A Six-Step Model for Safety and Security Analysis of Cyber-Physical Systems[C]// Springer. Critical Information Infrastructures Security (CRITIS 2016). Heidelberg: Springer, 2017: 189-200.
[21]	LIU Qi, SUN Ke, LIU Wenqi, et al. Quantitative Risk Assessment for Connected Automated Vehicles: Integrating Improved STPA-SafeSec and Bayesian Network[EB/OL]. (2025-01-01)[2025-01-07]. https://doi.org/10.1016/j.ress.2024.110528.
[22]	SABALIAUSKAITE G, LIEW L S, CUI J. Integrating Autonomous Vehicle Safety and Security Analysis Using STPA Method and the Six-Step Model[J]. International Journal on Advances in Security, 2018, 11(1): 160-169.

S&S 视角	本体—本体	关系	描述
宏观	功能安全需求—网络安全需求、功能安全措施—网络安全措施	独立	无交互
		相互强化	功能安全需求（措施）有助于满足网络安全需求（措施），反之亦然
		条件依赖	网络安全是满足功能安全的条件，反之亦然
		对立	同时考虑功能安全需求（措施）和网络安全需求（措施）存在矛盾
微观	组件—组件	独立	组件之间无功能或资源交互
	组件—组件	冗余（相互强化）	组件冗余设计提升整体可靠性
	组件—功能	依赖（条件依赖）	功能依赖组件可用性
	攻击—失效、故障—失效	因果（条件依赖）	攻击或故障直接引起组件失效
	攻击—故障	独立	无交互
		触发（条件依赖）	一方导致另一方发生（例如，攻击导致故障发生）
		抑制（对立）	一方阻断另一方发生（例如，故障阻断攻击传播）

编号	组件	漏洞/故障原因	威胁模式/失效模式	威胁影响 /失效影响	系统状态	系统影响	严重度	系统易感性	威胁属性	攻击/失效可能性	风险值
1	摄像头	被攻击者干扰的图像被摄像头观察到后产生不正确的视觉预测	攻击者对摄像头注入对抗性图像	摄像头输出错误的判断信息	安全关键，系统需要紧急制动	系统失去可靠的视觉预测服务	4	4	3	7	28
2	摄像头	攻击者用额外的光线使摄像头失灵	摄像头致盲	摄像头拒绝服务	安全关键，系统需要紧急制动	系统失去摄像头功能	3	4	3	7	21
3	T-box	攻击者通过蓝牙技术实现缓冲区溢出	攻击者使用已连接的设备并提升其权限	攻击者能在关键ECU上执行代码	连接到受感染的设备	安全关键，攻击者可以控制车辆	6	3	4	7	42
4	T-box	无线连接协议缺乏强身份验证方法	攻击者通过V2I通信发送伪造信息	窃取合法身份并传播伪造信息	连接到受感染的设备	安全关键，运行环境和信息完整性遭受破坏	6	3	2	5	30
5	T-box	无线连接易受干扰	攻击者终端OTA或车载诊断	OTA更新中断或车载诊断终止	OTA升级中或远程车载诊断运行中	无	1	6	4	10	10
6	OBD 端口	攻击者从OBD端口观察到CAN消息	攻击者通过OBD端口传输伪造信息	攻击者能在关键ECU上执行代码	连接到受感染的设备	安全关键，攻击者可以控制车辆	6	3	4	7	42
7	OBD 端口	CAN总线被大量优先级高的消息占用	攻击者通过OBD端口发送大量优先级消息，使CAN拒绝服务	CAN无法处理总线上的其他消息	连接到受感染的设备	安全关键，车内通信网络瘫痪	6	3	1	4	24

维度			FMVEA	Six-Step Model	Improved-STPA-SafeSec-BN	Onto-AFT
风险识别的全面性	S&S需求/措施关系	独立	√	√	√	√
		依赖	×	√	×	√
		强化	×	√	×	√
		对立	×	√	×	√
	组件—组件	独立	√	√	√	√
	组件—组件	冗余	×	√	×	√
	组件—功能	依赖	√	√	√	√
	攻击/故障—失效	因果	√	√	√	√
	攻击—故障	独立	√	√	√	√
		触发	×	×	×	√
		抑制	×	×	×	√
风险量化的准确性	定性/定量分析		定量	定性	定量	定量
风险量化的准确性	数据来源		公共知识，专家评分	公共知识	公共知识，统计概率	公共知识，统计概率，CVSS评分
方法适应性	符合标准		ISO 26262	无特定标准	ISO 26262+ISO/SAE 21434	ISO 26262+ISO/SAE 21434+本体扩展
	工具支持		表格（人工）	关系矩阵（人工）	贝叶斯网络工具（如GeNIe）	开源推理引擎（如XSB）
	动态系统适配性		低	低	中（重构CPT）	高（规则动态更新）