A Risk Assessment Framework Based on Fuzzy Logic for Automotive Systems
Abstract
1. Introduction
2. Background
2.1. Risk Assessment in Automotive
- 15.3 Asset identification: Identify the assets, i.e., objects that have value and whose security properties must be protected along with their damage scenarios, i.e., adverse consequences involving a vehicle or vehicle function and affecting a road user;
- 15.4 Threat scenarios: Identify threat scenarios, defined as potential causes of compromise of cybersecurity properties of one or more assets to realize a damage scenario;
- 15.5 Impact rating: Determine the impact rating of damage scenarios, that is, the magnitude of damage or physical harm that can be caused by the scenario itself. According to the standard, the impact rating should be evaluated on a discrete scale composed of four classes (negligible, moderate, major, and severe) and can be categorized as safety, privacy, operational, or financial, depending on the type of potential damage;
- 15.6 Attack path analysis: Identify the attack paths related to threat scenarios. An attack path is defined as a specific set of deliberate actions that the attacker can perform to realize the threat scenario itself;
- 15.7 Attack feasibility rating: For each attack path, determine the ease with which it can be exploited. The standard recommends several techniques to perform this step and suggests mapping the result on a discrete scale composed of four classes (very low, low, medium, and high);
- 15.8 Risk value determination: Determine the risk values of threat scenarios based on the impact and feasibility rating of each. This step is performed using a risk matrix similar to the one shown in Table 1 (where 1 is the lowest and 5 is the highest risk);
- 15.9 Risk treatment decision: Select appropriate risk treatment options for threat scenarios. The following risk treatment options are determined: avoiding the risk (removing risk sources), reducing the risk, sharing the risk (through contracts or transferring risk by buying insurance), and retaining the risk.
2.2. Fuzzy Logic
- IF Temperature is Average AND Humidity is Low THEN Fan Speed is Average
- IF Temperature is High OR Humidity is High THEN Fan Speed is High
- IF Temperature is Low AND Humidity is Low THEN Fan Speed is Low
- FiringStrengthRule1 = min [0.75, 0.5] = 0.5
- FiringStrengthRule2 = max [0.25, 0] = 0.25
- FiringStrengthRule3 = min [0, 0.5] = 0
3. Related Work
4. Proposed Methodology
4.1. Input Factors
Factor | Description | Possible Values (Numerical) | Possible Values (Metric)
---|---|---|---
Attack Vector (V) | Reflects the context in which the vulnerability is exploitable. | 0.2 | Physical
 | | 0.55 | Local
 | | 0.62 | Adjacent
 | | 0.85 | Network
Attack Complexity (C) | Describes the conditions beyond the attacker’s control that must exist to exploit the vulnerability. | 0.44 | High
 | | 0.77 | Low
Privileges Required (P) | Describes the level of privileges an attacker must possess to exploit the vulnerability. | 0.27 | High
 | | 0.62 | Low
 | | 0.85 | None
User Interaction (U) | Captures the requirement for another user, other than the attacker, to participate in the successful exploitation of the vulnerability. | 0.62 | Required
 | | 0.85 | None
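The following is an added example, not code from the paper, showing how the four input factors above are turned into the numerical feasibility value of an attack path and then mapped onto the four linguistic classes of the label/interval table used by the framework. The page does not state the formula behind the "Value" column; the example assumes it is the CVSS v3.1 exploitability sub-score, 8.22 × V × C × P × U, because that formula reproduces every value in the case study's attack-path table (3.89, 2.84, 0.91, 2.22, 0.52) and the 0.12–3.89 span of the label intervals. The attack-path names in the sample run are constructed labels for the metric combinations listed in that table.

```python
# Added example (not the paper's or FIRST's code): numerical feasibility of an attack
# path from the Section 4.1 input factors, plus mapping onto the four feasibility labels.
# ASSUMPTION: Value = 8.22 * V * C * P * U (the CVSS v3.1 exploitability sub-score).
# The page does not state this formula; it is assumed because it reproduces every Value
# in the attack-path table, e.g. 8.22 * 0.85 * 0.77 * 0.85 * 0.85 = 3.89.

# Metric values exactly as listed in the Section 4.1 table.
ATTACK_VECTOR = {"physical": 0.2, "local": 0.55, "adjacent": 0.62, "network": 0.85}
ATTACK_COMPLEXITY = {"high": 0.44, "low": 0.77}
PRIVILEGES_REQUIRED = {"high": 0.27, "low": 0.62, "none": 0.85}
USER_INTERACTION = {"required": 0.62, "none": 0.85}

EXPLOITABILITY_COEFFICIENT = 8.22  # CVSS v3.1 constant (assumed to be what the paper applies)

# Label intervals from the paper's label/interval table. They are given to two decimals,
# so a value rounded to two decimals falls inside exactly one interval (no gap at 1.05/1.06).
FEASIBILITY_LABELS = (
    ("Very Low", 0.12, 1.05),
    ("Low", 1.06, 1.99),
    ("Medium", 2.00, 2.95),
    ("High", 2.96, 3.89),
)


def feasibility_value(vector, complexity, privileges, interaction):
    """Numerical feasibility rating of one attack path, rounded to two decimals."""
    product = (ATTACK_VECTOR[vector.lower()]
               * ATTACK_COMPLEXITY[complexity.lower()]
               * PRIVILEGES_REQUIRED[privileges.lower()]
               * USER_INTERACTION[interaction.lower()])
    return round(EXPLOITABILITY_COEFFICIENT * product, 2)


def feasibility_label(value):
    """Map a numerical feasibility value onto the paper's four-class scale."""
    rounded = round(value, 2)
    for label, low, high in FEASIBILITY_LABELS:
        if low <= rounded <= high:
            return label
    raise ValueError(f"feasibility value {value} is outside the 0.12-3.89 range")


def rate_attack_paths(paths):
    """Rate a list of (name, V, C, P, U) tuples; returns {name: (value, label)}."""
    rated = {}
    for name, v, c, p, u in paths:
        value = feasibility_value(v, c, p, u)
        rated[name] = (value, feasibility_label(value))
    return rated


if __name__ == "__main__":
    # Constructed sample: the metric combinations behind the five attack paths of the
    # case study's two threat scenarios (their textual descriptions are not on this page).
    sample = [
        ("TS1 path A", "network", "low", "none", "none"),
        ("TS1 path B", "adjacent", "low", "none", "none"),
        ("TS1 path C", "physical", "low", "none", "none"),
        ("TS2 path A", "network", "high", "none", "none"),
        ("TS2 path B", "physical", "high", "none", "none"),
    ]
    for name, (value, label) in rate_attack_paths(sample).items():
        print(f"{name}: {value:.2f} -> {label}")
```

Rounding before the interval lookup matters: the intervals are disjoint at two decimals, so a raw product such as 1.0549 would otherwise fall into the gap between 1.05 and 1.06 and be rejected.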
4.2. Definition of Fuzzy Logic-Based Risk Assessment Framework
Impact Rating \ Feasibility Rating | Very Low | Low | Medium | High
---|---|---|---|---
Severe | Low | Medium | High | Very High
Major | Very Low | Low | Medium | High
Moderate | Very Low | Low | Low | Medium
Negligible | Very Low | Very Low | Very Low | Very Low
4.3. Risk Assessment Procedure
$A_{\mathrm{Feasibility}}(x) = \{\mu_{\mathrm{VeryLow}}(x), \mu_{\mathrm{Low}}(x), \mu_{\mathrm{Medium}}(x), \mu_{\mathrm{High}}(x)\}$
- Every rule is fired to a degree that depends on the degree to which its antecedent matches the inputs. The firing strength of each rule is equal to the minimum (due to the AND operator) truth value among the fuzzy sets contained in its antecedent;
- Rules having the same consequent (and firing strength higher than 0) are aggregated (by using the max operator) in order to obtain a single truth value for each output fuzzy set.
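As an added example that is not the paper's own implementation (the paper uses the MATLAB Fuzzy Logic Toolbox), the following Mamdani inference system carries the procedure of Section 4.3 end to end and also makes concrete the min/max rule-firing mechanics introduced in Section 2.2: fuzzification of the two crisp inputs, firing strength as the minimum over an AND antecedent, max-aggregation of rules sharing a consequent, and centroid defuzzification on the continuous 1–5 risk scale. The rule base is the paper's impact × feasibility matrix. Everything else is an assumption made for the example: triangular membership functions with feasibility peaks at the midpoints of the paper's label intervals, impact peaks at 0, 1, 2 and 3, risk peaks at 1 to 5, and the Impact column of the damage-scenario table read as the mean of Severity and Controllability (which is what that table's numbers show). Because the membership functions are assumed, the crisp outputs will not reproduce the paper's Table 10 values.

```python
# Added example (not the paper's code): a Mamdani fuzzy inference system for the
# (feasibility, impact) -> risk mapping of Sections 2.2 and 4.3.
# ASSUMPTIONS (not stated on the page): triangular membership functions, with
# feasibility peaks at the midpoints of the paper's label intervals, impact peaks at
# 0..3 and risk peaks at 1..5; impact = mean(severity, controllability).

def trimf(x, a, b, c):
    """Triangular membership with peak at b. a == b (or b == c) makes the left
    (or right) side a shoulder that stays at 1 beyond the peak."""
    if x <= b:
        if a == b:
            return 1.0
        return 0.0 if x <= a else (x - a) / (b - a)
    if b == c:
        return 1.0
    return 0.0 if x >= c else (c - x) / (c - b)

# Feasibility universe 0.12-3.89; peaks at the midpoints of the paper's label intervals.
FEASIBILITY_MF = {"Very Low": (0.585, 0.585, 1.525), "Low": (0.585, 1.525, 2.475),
                  "Medium": (1.525, 2.475, 3.425), "High": (2.475, 3.425, 3.425)}
# Impact universe 0-3 (the severity and controllability classes run 0..3).
IMPACT_MF = {"Negligible": (0.0, 0.0, 1.0), "Moderate": (0.0, 1.0, 2.0),
             "Major": (1.0, 2.0, 3.0), "Severe": (2.0, 3.0, 3.0)}
# Risk universe 1-5, the scale of the standard's risk matrix (Table 1).
RISK_MF = {"Very Low": (1.0, 1.0, 2.0), "Low": (1.0, 2.0, 3.0), "Medium": (2.0, 3.0, 4.0),
           "High": (3.0, 4.0, 5.0), "Very High": (4.0, 5.0, 5.0)}

# Rule base: one AND rule per cell of the paper's (impact, feasibility) -> risk matrix.
RULES = {
    ("Severe", "Very Low"): "Low", ("Severe", "Low"): "Medium",
    ("Severe", "Medium"): "High", ("Severe", "High"): "Very High",
    ("Major", "Very Low"): "Very Low", ("Major", "Low"): "Low",
    ("Major", "Medium"): "Medium", ("Major", "High"): "High",
    ("Moderate", "Very Low"): "Very Low", ("Moderate", "Low"): "Low",
    ("Moderate", "Medium"): "Low", ("Moderate", "High"): "Medium",
    ("Negligible", "Very Low"): "Very Low", ("Negligible", "Low"): "Very Low",
    ("Negligible", "Medium"): "Very Low", ("Negligible", "High"): "Very Low",
}


def impact_rating(severity, controllability):
    """Impact as the mean of the two classes (inferred from the damage-scenario table)."""
    return (severity + controllability) / 2


def fuzzify(x, mfs):
    """Step 1: membership degree of a crisp input in every fuzzy set of its variable."""
    return {label: trimf(x, *params) for label, params in mfs.items()}


def fire_rules(feasibility, impact):
    """Steps 2-3: firing strength = min over the AND antecedent; rules sharing a
    consequent are combined with max. Returns one strength per output fuzzy set."""
    f_deg = fuzzify(feasibility, FEASIBILITY_MF)
    i_deg = fuzzify(impact, IMPACT_MF)
    strengths = {label: 0.0 for label in RISK_MF}
    for (i_label, f_label), out_label in RULES.items():
        strength = min(i_deg[i_label], f_deg[f_label])
        strengths[out_label] = max(strengths[out_label], strength)
    return strengths


def aggregated_membership(strengths, x):
    """Mamdani implication: clip each output set at its strength, then take the union (max)."""
    return max(min(w, trimf(x, *RISK_MF[label])) for label, w in strengths.items())


def defuzzify_centroid(strengths, steps=400):
    """Step 4: centre of gravity of the aggregated output set by numerical integration."""
    lo, hi = 1.0, 5.0
    numerator = denominator = 0.0
    for k in range(steps + 1):
        x = lo + k * (hi - lo) / steps
        mu = aggregated_membership(strengths, x)
        numerator += x * mu
        denominator += mu
    return numerator / denominator if denominator else float("nan")


def risk_value(feasibility, impact):
    """Crisp risk on the continuous 1-5 scale."""
    return defuzzify_centroid(fire_rules(feasibility, impact))


def risk_label(strengths):
    """Linguistic risk: the output set with the highest firing strength."""
    return max(strengths, key=strengths.get)


if __name__ == "__main__":
    # Constructed run: feasibility 3.89 against damage scenarios (S=3, C=3) and (S=2, C=1).
    for sev, ctrl in ((3, 3), (2, 1)):
        impact = impact_rating(sev, ctrl)
        strengths = fire_rules(3.89, impact)
        print(f"impact={impact}: {risk_label(strengths)} ({risk_value(3.89, impact):.2f})")
```

Adjacent triangles are chosen so their memberships sum to 1 at every input, which means at most two fuzzy sets per input are active and at most four rules fire for any (feasibility, impact) pair; this keeps the trace from inputs to output short enough to inspect by hand, which is the explainability property the paper relies on.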
5. A Case Study
6. Discussion and Conclusions
- Granularity of the risk value: As pointed out in previous sections, traditionally, the numerical input ranges are discretized into a certain number of disjoint subintervals, each associated with a (human-understandable) linguistic label and are finally used to extrapolate the risk value, usually with the support of domain experts. This, however, leads to a loss of information, since it does not fully capture the uncertainty deriving from the fact that such values are intrinsically imprecise, as they are the result of a qualitative assessment made by humans. Fuzzy logic is designed to explicitly model such uncertainties while retaining the ability to work with linguistic variables. The output of the process is, therefore, richer in information, as it can be represented by a linguistic variable or numerically, in a way that it also measures the scatter and dispersion around the calculated value, indicating the risk trend. Differently from the risk assessment methodologies proposed by the reference domain standards, the fuzzy inference system provides the output on a continuous scale rather than a discrete one. Figure 6 provides a graphical representation of the risk values calculated with the fuzzy-logic-based methodology described in this paper (Figure 6b) and the risk values calculated according to the methodologies proposed by the domain reference standards (Figure 6a). The surface representing the possible risk values provided by the fuzzy-logic-based methodology is continuous and smooth, while the one resulting from the risk assessment methodologies proposed by the domain reference standards has a stepped surface, showing a rougher risk calculation. This means that the risk assessment methodology we proposed allows for fine-grain output values, while the traditional approaches give coarse-grain output values. This allows for a finer level of granularity that can be crucial to the overall risk management process when the output of the risk assessment process must be used for prioritization of risks related to cyber threats. In fact, with reference to the results of the case study provided in Table 10, it can be noticed that several risk values that would have had the same value according to the standard methodology actually have significantly different values using the methodology based on fuzzy logic. Let us take, for example, the damage scenarios 3 and 5 of the threat scenario 2. The related risks would be both rated 3 according to the methodology proposed by the standards, while they are rated 3.44 and 2.50, respectively, according to the methodology proposed in this paper.
- Automatic tools support the mitigation of the increased computational and structural complexity of the proposed methodology with respect to the complexity of the methodologies proposed by the domain reference standards. The methodology we propose in this paper is more complex than those proposed by the domain reference standards for risk assessment. In fact, the latter are easily applicable as they do not require significant computational effort, being based on simple tables. The methodology proposed in this paper presents a higher level of computational complexity (e.g., the defuzzification phase), and it also requires the construction and graphical representation of the membership functions. Nevertheless, such an overhead of complexity is strongly mitigated by the availability of ready-to-use automatic tools supporting the methodology for both the computation of the risks and the definition and representation of the membership functions (the use of tools is described in Section 5).
- The results provided by our method are numerically similar to those obtained by applying the traditional methodology suggested by the reference domain standards (e.g., ISO/SAE 21434 and ISO 26262). In some instances, the output is the same; in others, there is a difference, which, however, is never greater than 0.5. We cannot state that our methodology is conservative in risk calculation (in the sense that risks are always greater than or equal) with respect to the methodologies suggested by the domain reference standards. The aim of our methodology is not to assess risks more severely but to increase the accuracy of the risk assessment; consequently, it reduces overestimated risks and increases underestimated risks. From the observation of Figure 6, we can derive that, since the surface of Figure 6b essentially represents a non-decreasing monotonic function, the linear ordering among the risks calculated according to the risk assessment methodology proposed in this paper is maintained. In other words, given that the risk R is calculated as R_{f,I} = F(f, I) (where f is the feasibility rating and I the impact rating), increasing values of f and I correspond to non-decreasing values of R. This allows the outcomes of this methodology to be used effectively in risk management and risk prioritization, and to be compared with the results derived according to the risk assessment methodologies suggested by the reference domain standards.
- The application of a Mamdani fuzzy logic inference system preserves the explainability of the process. The rule base and the labels associated with input and output fuzzy sets are expressed in natural language and are therefore interpretable by a human. The calculation process that the system enacts to correlate input and output is also transparent, and it is possible to trace back the steps that led to a certain conclusion given a certain set of inputs (see Figure 5). This is a crucial property, especially in a safety-critical domain, as it allows one to have full insight into the risk assessment process and, therefore, into the decisions that are taken based on it.
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Chen, L.; Li, Y.; Huang, C.; Li, B.; Xing, Y.; Tian, D.; Li, L.; Hu, Z.; Na, X.; Li, Z.; et al. Milestones in autonomous driving and intelligent vehicles: Survey of surveys. IEEE Trans. Intell. Veh. 2022, 8, 1046–1056.
- Sun, F.R.; Zhang, P. A survey on cyber-security of connected and autonomous vehicles (CAVs). IEEE Trans. Intell. Transp. Syst. 2021, 23, 6240–6259.
- Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.; Shacham, H.; Savage, S.; Koscher, K.; Czeskis, A.; Roesner, F.; Kohno, T. Comprehensive Experimental Analyses of Automotive Attack Surfaces. In Proceedings of the 20th USENIX Security Symposium (USENIX Security 11), San Francisco, CA, USA, 8–12 August 2011. Available online: https://www.usenix.org/conference/usenix-security-11/comprehensive-experimental-analyses-automotive-attack-surfaces (accessed on 6 January 2024).
- Wang, Z.; Wei, H.; Wang, J.; Zeng, X.; Chang, Y. Security Issues and Solutions for Connected and Autonomous Vehicles in a Sustainable City: A Survey. Sustainability 2022, 14, 12409.
- Tesla in Autopilot Mode Crashes into Fire Truck. Available online: https://money.cnn.com/2018/01/23/technology/tesla-fire-truck-crash/index.html (accessed on 6 January 2024).
- Uber Self-Driving Car Operator Pleads Guilty to Endangerment in Pedestrian Death Case. CNN Business. Available online: https://www.cnn.com/2023/07/29/business/uber-self-driving-car-death-guilty/index.html (accessed on 6 January 2024).
- ISO/SAE 21434; Road Vehicles—Cybersecurity Engineering. International Organization of Standardization, Society of Automotive Engineers: Geneva, Switzerland; Warrendale, PA, USA, 2021.
- Macher, G.; Sporer, H.; Berlach, R.; Armengaud, E.; Kreiner, C. SAHARA: A security-aware hazard and risk analysis method. In Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, Grenoble, France, 9–13 March 2015; pp. 621–624.
- IEC 61508; Functional Safety of Electrical/Electronic/Programmable Electronic Safety Related Systems. IEC: Geneva, Switzerland, 2000.
- ISO 26262; Road Vehicles—Functional Safety. International Organization of Standardization: Geneva, Switzerland, 2018.
- IEC 61511; Functional Safety—Safety Instrumented Systems for the Process Industry Sector. IEC: Geneva, Switzerland, 2016.
- Gennarelli, T.A.; Wodzin, E. AIS 2005: A contemporary injury scale. Injury 2006, 37, 1083–1091.
- Baker, S.P.; O’neill, B.; Haddon, W.J.; Long, W.B. The injury severity score: A method for describing patients with multiple injuries and evaluating emergency care. J. Trauma Acute Care Surg. 1974, 14, 187.
- Brenneman, F.D.; Boulanger, B.R.; McLellan, B.A.; Redelmeier, D.A. Measuring Injury Severity: Time for a Change. J. Trauma Acute Care Surg. 1988, 44, 580.
- ISO 21448; Road Vehicles—Safety of the Intended Functionality. International Organization of Standardization: Geneva, Switzerland, 2022.
- Zadeh, L.A. Fuzzy sets. Inf. Control 1965, 8, 338–353.
- Mamdani, E.H.; Assilian, S. An experiment in linguistic synthesis with a fuzzy logic controller. Int. J. Man-Mach. Stud. 1975, 7, 1–13.
- Lee, C.C. Fuzzy logic in control systems: Fuzzy logic controller. I. IEEE Trans. Syst. Man Cybern. 1990, 20, 404–418.
- Sharma, S.; Obaid, A.J. Mathematical modelling, analysis and design of fuzzy logic controller for the control of ventilation systems using MATLAB fuzzy logic toolbox. J. Interdiscip. Math. 2020, 23, 843–849.
- Uzunsoy, E.; Erkilic, V. Development of a trajectory following vehicle control model. Adv. Mech. Eng. 2016, 8.
- Jang, J.-S.R.; Sun, C.-T. Neuro-fuzzy modeling and control. Proc. IEEE 1995, 83, 378–406.
- Chakraverty, S.; Sahoo, D.M.; Mahato, N.R. Defuzzification. In Concepts of Soft Computing: Fuzzy and ANN with Programming; Springer: Singapore, 2019; pp. 117–127.
- Shang, K.; Hossen, Z. Applying Fuzzy Logic to Risk Assessment and Decision-Making; Casualty Actuarial Society; Canadian Institute of Actuaries, Society of Actuaries: Ottawa, ON, Canada, 2013.
- Ramirez, R.; Martí, V.; Darbra, R.M. Environmental risk assessment of silver nanoparticles in aquatic ecosystems using fuzzy logic. Water 2022, 14, 1885.
- Petrović, D.V.; Tanasijević, M.; Milić, V.; Lilić, N.; Stojadinović, S.; Svrkota, I. Risk assessment model of mining equipment failure based on fuzzy logic. Expert Syst. Appl. 2014, 41, 8157–8164.
- Gallab, M.; Bouloiz, H.; Alaoui, Y.L.; Tkiouat, M. Risk Assessment of Maintenance activities using Fuzzy Logic. Procedia Comput. Sci. 2019, 148, 226–235.
- Bowles, J.B.; Peláez, C. Fuzzy logic prioritization of failures in a system failure mode, effects and criticality analysis. Reliab. Eng. Syst. Saf. 1995, 50, 203–213.
- Gargama, H.; Chaturvedi, S.K. Criticality Assessment Models for Failure Mode Effects and Criticality Analysis Using Fuzzy Logic. IEEE Trans. Reliab. 2011, 60, 102–110.
- Yang, Z.; Bonsall, S.; Wang, J. Fuzzy Rule-Based Bayesian Reasoning Approach for Prioritization of Failures in FMEA. IEEE Trans. Reliab. 2008, 57, 517–528.
- Zalewski, P. Risk assessment of LNG carrier systems failure using fuzzy logic. Zesz. Nauk. Akad. Morskiej Szczecinie 2011, 25, 77–85.
- Guimarães, A.C.F.; Lapa, C.M.F. Fuzzy inference to risk assessment on nuclear engineering systems. Appl. Soft Comput. 2007, 7, 17–28.
- Grassi, A.; Gamberini, R.; Mora, C.; Rimini, B. A fuzzy multi-attribute model for risk evaluation in workplaces. Saf. Sci. 2009, 47, 707–716.
- Cheng, W.-Y.; Su, E.; Li, S.-J. A financial distress pre-warning study by fuzzy regression model of TSE-listed companies. Asian Acad. Manag. J. Account. Financ. 2006, 2, 75–93.
- Yu, L.; Wang, S.; Lai, K.K. An intelligent-agent-based fuzzy group decision making model for financial multicriteria decision support: The case of credit scoring. Eur. J. Oper. Res. 2009, 195, 942–959.
- Alali, M.; Almogren, A.; Hassan, M.M.; Rassan, I.A.L.; Bhuiyan, M.Z.A. Improving risk assessment model of cyber security using fuzzy logic inference system. Comput. Secur. 2018, 74, 323–339.
- Al-Ali, M. Fuzzy logic methodology for cyber security risk mitigation approach. J. Netw. Technol. 2017, 8, 83–90.
- Saulaiman, M.; Takacs, M.; Kozlovszky, M.; Csilling, A. Fuzzy Model for Common Vulnerability Scoring System. In Proceedings of the 2021 IEEE 15th International Symposium on Applied Computational Intelligence and Informatics (SACI), Timisoara, Romania, 19–21 May 2021; pp. 419–424.
- Kerimkhulle, S.; Dildebayeva, Z.; Tokhmetov, A.; Amirova, A.; Tussupov, J.; Makhazhanova, U.; Adalbek, A.; Taberkhan, R.; Zakirova, A.; Salykbayeva, A. Fuzzy Logic and Its Application in the Assessment of Information Security Risk of Industrial Internet of Things. Symmetry 2023, 15, 1958.
- Common Vulnerability Scoring System v3.1: Specification Document. Available online: https://www.first.org/cvss/v3.1/specification-document (accessed on 3 April 2024).
- Pedrycz, W. Why triangular membership functions? Fuzzy Sets Syst. 1994, 64, 21–30.
- Design, Test, and Tune Fuzzy Inference Systems—MATLAB. Available online: https://www.mathworks.com/help/fuzzy/fuzzylogicdesigner-app.html (accessed on 6 January 2024).
- Lin, H.; Yan, Y.; Cheng, Q. Future role of artificial intelligence in advancing transportation electrification. J. Intell. Connect. Veh. 2023, 6, 183–186.
Impact Rating \ Feasibility Rating | Very Low | Low | Medium | High
---|---|---|---|---
Severe | 2 | 3 | 4 | 5
Major | 1 | 2 | 3 | 4
Moderate | 1 | 2 | 2 | 3
Negligible | 1 | 1 | 1 | 1
0 | 1 | 2 | 3 |
---|---|---|---|
No injuries | Light and moderate injuries | Severe and life-threatening injuries | Fatal injuries |
0 | 1 | 2 | 3 |
---|---|---|---|
Controllable in general | Simply controllable | Normally controllable | Difficult to control or uncontrollable |
Label | Input Interval |
---|---|
High | 2.96–3.89 |
Medium | 2.00–2.95 |
Low | 1.06–1.99 |
Very Low | 0.12–1.05 |
ID | Damage Scenario | Severity | Controllability | Impact |
---|---|---|---|---|
1 | Front collision with a narrow stationary object (e.g., a tree) caused by unintended turning off of headlamp during night driving at medium speed | 3 | 3 | 3 |
2 | Front collision with a narrow stationary object (e.g., a tree) caused by unintended turning off of headlamp during night driving at low speed (<30 km/h) | 2 | 2 | 2 |
3 | Front collision with a narrow stationary object (e.g., a tree) caused by unintended turning off of headlamp during night driving at low speed (<30 km/h) and on an icy road surface | 2 | 3 | 2.5 |
4 | Front collision with a pedestrian caused by unintended turning off of headlamp during night driving in dimly lit parking lot, at very low speed (<15 km/h) and on an icy road surface. | 2 | 3 | 2.5 |
5 | Front collision with a pedestrian caused by unintended turning off of headlamp during night driving in dimly lit parking lot, at very low speed (<15 km/h) | 2 | 1 | 1.5 |
ID | Threat Scenario |
---|---|
1 | Spoofing of a signal leads to a loss of integrity of the data communication of the “LampRequest” signal to the power switch actuator ECU, potentially causing the headlamp to turn off unintentionally. |
2 | Tampering with a signal sent by body control ECU leads to a loss of integrity of the data communication of the “Lamp Request” signal to the power switch actuator ECU, potentially causing the headlamp to turn off unintentionally. |
Threat Scenario | Attack Path | V | C | P | U | Feasibility Rating (Value)
---|---|---|---|---|---|---
1 | Attack Path (A): | 0.85 | 0.77 | 0.85 | 0.85 | 3.89
1 | Attack Path (B): | 0.62 | 0.77 | 0.85 | 0.85 | 2.84
1 | Attack Path (C): | 0.2 | 0.77 | 0.85 | 0.85 | 0.91
2 | Attack Path (A): | 0.85 | 0.44 | 0.85 | 0.85 | 2.22
2 | Attack Path (B): | 0.2 | 0.44 | 0.85 | 0.85 | 0.52
Threat Scenario | Damage Scenario | FIS Result | ISO/SAE 21434 Result
---|---|---|---
1 | 1 | 5.00 | 5
1 | 2 | 4.00 | 4
1 | 3 | 4.41 | 4
1 | 4 | 4.41 | 4
1 | 5 | 3.50 | 4
2 | 1 | 3.94 | 4
2 | 2 | 2.94 | 3
2 | 3 | 3.44 | 3
2 | 4 | 3.44 | 3
2 | 5 | 2.50 | 3
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Merola, F.; Bernardeschi, C.; Lami, G. A Risk Assessment Framework Based on Fuzzy Logic for Automotive Systems. Safety 2024, 10, 41. https://doi.org/10.3390/safety10020041