Simulation-Based Attack Injection at System-level with additional attack models valid for multiple IVC layers

'Simulation-based Attack Injection at System-level with additional attack models valid for multiple IVC layers' makes it possible to inject attacks at the system level. Different parts of the system and its interconnections can be verified and validated with this technique, and the complete system behavior can be analyzed while a given sub-system is under the influence of attacks. Field tests can be costly and sometimes life-threatening, whereas simulation-based tests offer lower testing costs, adaptation of tests to a variety of traffic scenarios, and avoidance of life-threatening situations. The method can span various tools such as SUMO (Simulation of Urban Mobility), VEINS (vehicular network simulator) and INET, allowing different aspects of the system to be evaluated.
The purpose is to evaluate the system’s cybersecurity properties by injecting attacks, e.g., by using simulator control commands during target system simulations. This improved method allows attacks to be injected on multiple layers of a vehicular communication system, such as the Application, MAC and PHY layers. Moreover, it lets the user perform pre- and post-injection analysis based on previous attack injection test results. This way, the attack space of every upcoming test campaign can be reduced, which reduces the time, cost, and effort of the overall V&V work.

System-level simulation comprises hardware and software models of a cyber-physical system (CPS). Attack injection can be performed at different abstraction layers, such as the logical, functional, hardware, software, or system level. Here, we focus on simulation-based attack injection at the system level.

The simulation-based attack injection at system level using simulators may be used for security testing of automated systems such as autonomous vehicles [SAI1].

Attack models valid for multi-layer vehicular communication are applied in simulation-based attack injection at system level by injecting attacks on the vehicular communication system modelled in Veins (Vehicles in Network Simulation). The communication layers that are modelled in the Veins framework are MAC and PHY layers INET [SAI3]. A couple of wireless channel models are also implemented in the Veins framework, which is built on top of the OMNeT++ simulator [SAI9].

Our V&V method allows simulators and simulation frameworks to be added so that the overall system simulation matches the test requirements. Simulators and simulation frameworks that can be added to perform complete system simulations include the SUMO vehicle simulator [SAI2], the Veins framework [SAI3], which simulates vehicular communications, and the Veins-INET framework, which also simulates vehicular communication with additional communication protocols. A high-level diagram of the different simulators and simulation frameworks that can be added to the base simulator (i.e., the OMNeT++ simulator) together with the attack simulation engine is shown in the figure below.

Figure 2.8: Simulation-Based Attack Injection at System-level simulation environment.

Pre- and post-injection analyses [SAI5] [SAI6] [SAI7] [SAI8] are incorporated into simulation-based attack injection to reduce the attack space. This reduces the time, cost and effort needed to perform simulation-based attack injection at system level. The pre-injection analysis is done before any attack injection experiments are performed, while post-injection analysis uses the results of previous attack injection experiments. These techniques require detailed knowledge of the target system for efficient implementation.

Pre-injection analysis in simulation-based attack injection at the system level can be done by investigating the system and its environment before running any attack injection experiment. The purpose is to design an effective test campaign (i.e., a set of test experiments) in advance. In the case of an automated vehicle system, some factors that are imperative for pre-injection analysis are the scenario (actions, events, goals), the scene (dynamic elements and scenery) and the situation (intersections, highways). By analysing these factors, it is possible to reduce the number of test cases without affecting the validity of the results. For example, in the intersection scenarios, the low-speed ones are the most interesting, while in the highway driving scenarios the higher-speed ones are the more relevant.

Post-injection analysis in simulation-based attack injection is performed on previous attack injection results, resulting in reduced campaigns for subsequent attack injection rounds. The purpose is to run fewer experiments and still achieve equivalent results. For example, the results connected to the repeating driving patterns of the vehicles in a scenario might be the same, and for subsequent attack injection campaigns, the number of experiments might be reduced based on the result analysis of the first test campaign focusing on a single repeat of the driving patterns.
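
The two pruning steps described above, as an added Python example (not code from the method's authors or from any of the simulators). The speed grid, thresholds, outcome labels and all function names are assumptions constructed for illustration.

```python
# Added illustration: pruning an attack injection campaign.
# Speeds, thresholds and outcome labels below are constructed assumptions.
from itertools import product

LAYERS = ["APP", "MAC", "PHY"]           # layers named on the page
SITUATIONS = ["intersection", "highway"]
SPEEDS_KMH = [20, 40, 80, 120]           # constructed speed grid
PATTERN_REPEATS = [0, 1, 2]              # repeat of the driving pattern under attack

def full_campaign():
    """Every combination of layer, situation, speed and pattern repeat."""
    return [dict(layer=l, situation=s, speed=v, repeat=r)
            for l, s, v, r in product(LAYERS, SITUATIONS, SPEEDS_KMH, PATTERN_REPEATS)]

def pre_injection_filter(campaign, low_max=40, high_min=80):
    """Keep low-speed intersection cases and high-speed highway cases."""
    def relevant(e):
        if e["situation"] == "intersection":
            return e["speed"] <= low_max
        return e["speed"] >= high_min
    return [e for e in campaign if relevant(e)]

def post_injection_filter(next_campaign, results):
    """Keep one repeat per configuration when round-1 outcomes did not
    depend on the repeat. results: (layer, situation, speed, repeat) -> label."""
    by_config = {}
    for (layer, situation, speed, repeat), outcome in results.items():
        by_config.setdefault((layer, situation, speed), {})[repeat] = outcome
    kept = []
    for e in next_campaign:
        outcomes = by_config.get((e["layer"], e["situation"], e["speed"]))
        invariant = (outcomes is not None
                     and len(outcomes) == len(PATTERN_REPEATS)
                     and len(set(outcomes.values())) == 1)
        if invariant and e["repeat"] != 0:
            continue  # repeat 0 is representative for this configuration
        kept.append(e)
    return kept

def constructed_round1_results(campaign):
    """Constructed outcomes: only PHY-layer results vary with the repeat."""
    return {(e["layer"], e["situation"], e["speed"], e["repeat"]):
            (f"deviation_r{e['repeat']}" if e["layer"] == "PHY" else "no_effect")
            for e in campaign}
```

Configurations with no round-1 data, or whose outcomes differ between repeats, are kept in full, so the reduction never discards an experiment whose result is not already known to be redundant.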

This method inherits, and further improves, the strengths from the base-method i.e., Simulation-Based Attack Injection at System-level.

The method inherits the limitations from the base-method i.e., Simulation-Based Attack Injection at System-level.

    • [SAI1] Eduardo dos Santos et al., “Towards a Simulation-based Framework for the Security Testing of Autonomous Vehicles”
    • [SAI2] Michael Behrisch, Laura Bieker et al., “SUMO – Simulation of Urban Mobility, An Overview”, Institute of Transportation Systems, German Aerospace Center, Rutherfordstr. 2, 12489 Berlin, Germany
    • [SAI3] D. Eckhoff and C. Sommer, “A Multi-channel IEEE 1609.4 and 802.11p EDCA model for the Veins framework,” in Proceedings of 5th ACM/ICST International Conference on Simulation Tools and Techniques for Communications, Networks and Systems: 5th ACM/ICST International Workshop on OMNeT++ (Desenzano, Italy, 19-23 March 2012). OMNeT, 2012.
    • [SAI4] Software-in-the-loop testing applications, https://www.add2.co.uk/applications/sil/#:~:text=The%20term%20'software%2Din%2D,prove%20or%20test%20the%20software, 2022-03-23.
    • [SAI5] J. Grinschgl, A. Krieg, C. Steger, R. Weiss, H. Bock and J. Haid, "," 2012 IEEE International SOC Conference, Niagara Falls, NY, 2012, pp. 277-282. DOI: 10.1109/SOCC.2012.6398361
    • [SAI6] B. Sangchoolie, F. Ayatolahi, R. Johansson and J. Karlsson, "A Comparison of Inject-on-Read and Inject-on-Write in ISA-Level Fault Injection," 2015 11th European Dependable Computing Conference (EDCC), Paris, 2015, pp. 178-189. DOI: 10.1109/EDCC.2015.24
    • [SAI7] Czeck, Edward W. and Daniel P. Siewiorek. “Observations on the Effects of Fault Manifestation as a Function of Workload.” IEEE Trans. Computers 41 (1992): 559-566. DOI: 10.1109/12.142682
    • [SAI8] Folkesson P., Karlsson J. (1999) Considering Workload Input Variations in Error Coverage Estimation. In: Hlavička J., Maehle E., Pataricza A. (eds) Dependable Computing — EDCC-3. EDCC 1999. Lecture Notes in Computer Science, vol 1667. Springer, Berlin, Heidelberg.
    • [SAI9] Varga, András. "Discrete event simulation system." Proc. of the European Simulation Multiconference (ESM’2001). 2001.

    Method Dimensions
    In-the-lab environment
    Experimental - Simulation
    Model
    Concept, System testing
    Thinking, Acting, Sensing
    Non-Functional - Safety, Non-Functional - Security
    V&V process criteria