Formal methods for risk analysis

Project Overview

This project focuses on transforming Cyber-Physical System (CPS) models into Fault Trees (FTs) using knowledge graphs (KGs). A methodology exists for this transformation, but it has several limitations. The goal of this project is to explore and improve different aspects of this methodology.

You can choose from one of the following research directions, depending on your interests: 

Project Option 1: Addressing Methodological Limitations

The existing methodology generates FTs from KGs but faces certain challenges. This project will analyze and propose improvements to these limitations:

• Redundancy Inference Issues: The method attempts to infer system redundancy but may overestimate CPS robustness. How can we refine the approach?
• Structural Complexity: Current FTs rely on functional dependency, but real systems have hierarchical component compositions (sub-systems within sub-systems). How can we extend the method to represent these structures more accurately?

Skills & Interests:

• Systems modeling and formal methods
• Algorithm development

Project Option 2: Improving the Python Tool Implementation

A simple Python tool implements this methodology, but it is limited in usability and performance. This project will focus on improving the tool by addressing:

• User-Friendliness: The current implementation is hard-coded and not intuitive. Can we design a better UI/UX or modular software architecture?
• Performance Optimization: The tool is not optimized for speed. Can we implement more efficient algorithms to generate FTs faster?

Skills & Interests:

• Software engineering, UI/UX design
• Performance optimization

Project Option 3: Exploring Alternative Data Representations

The existing tool relies on KGs for FT generation. This project will investigate whether a relational database (SQL) could be a viable alternative:

• Performance Comparison: Would using a relational database improve efficiency?
• Feature Trade-offs: Would moving away from KGs means compromising essential features?

Skills & Interests:

• Data structures and database management
• Comparative analysis of modeling approaches

Expected Outcomes

• A refined methodology for FT generation (Option 1)
• An improved, user-friendly, and optimized tool (Option 2)
• A performance and feasibility study comparing KGs vs. relational databases (Option 3)

Connection to the ZORRO Project

All these options contribute to ongoing research in the Zero Downtime for Cyber-Physical Systems (ZORRO) consortium:

• The already existing methodology will be applied at an industry partner. We expect that it will need to be tweaked to:
• Not over-approximate a CPS's robustness;Be able to handle that company's data volume, and;Align within the company's existing database infrastructure.

Your contribution in any of these directions will help guide the refinement of the methodology.

Supervisors: Stefano Maria Nicoletti, Reza Soltani

The introduction and adoption of new technologies implies the rise of new risks, related both to accidental damage (safety) and to malicious attacks (security). Furthermore, safety and security are often intertwined: passwords protect medical data from unauthorized access but are an obstacle for patients' safety during emergencies, IoT sensors can help to monitor the pressure levels of a pipeline but may provide extended attack surfaces for malicious hackers.
The existence of interdependencies between safety and security calls for a better (formal) understanding of this kind of interactions:

• At what level do safety and security interact? What interacts with what?
• Do these interactions regard requirements, countermeasures, factors (etc.)?

Tasks

The suggested tasks are the following:

• Together with your supervisor, decide on a case study of interest and investigate how safety and security interact in this setting. Case study scenarios can also be provided by your supervisor (e.g., a drone assembly factory).
• Chose a formalism to analyse said case study (by discussing with your supervisors) and understand its modelling capabilities
• Starting from the chosen case study, investigate which of the different interactions between safety and security are captured by the formalism of choice
• Investigate at what level these interactions take place

For this topic, you should have a strong interest in multidisciplinary research.

Supervisor: Milan Lopuhaä-Zwakenberg and Reza Soltani

Attack trees are a popular and useful tool to model a system's vulnerability to attackers. They are used in quantitative security analysis: they can be used to calculate security metrics such as the minimal time or resources an attacker needs to successfully compromise the system. As attack trees can grow quite large in practice, there is an ongoing need for algorithms that can calculate security metrics on a feasible timescale.

In this project, the student adds to this field of research by implementing proposed algorithms, inventing new ones, or analyzing the behaviour of existing methods. Some possible avenues for research are:

• Linear programming: many security metrics can be phrased as optimization problems (such as the minimal cost of a succesful attack). Therefore, a student could create new metric calculation algorithms based on optimization techniques such as linear programming.
• Multi-metric analysis: it often makes sense to consider the interplay between metrics: one attack may be more costly to the attacker than another, but do more damage in return. There are some ideas on how to co-analyze metrics, but these have hardly been implemented, and there is also plenty of room for new ideas.
• Attack tree properties: As the problem of calculating security metrics is NP-hard, many existing algorithms are of worst-case exponential complexity. However, it is unclear how these algorithms fare in practice, and what properties of the attack tree have an impact on algorithm complexity.
• Modular analysis: An underused idea in attack tree analysis is to split up the attack tree into so-called modules and analyze each module separately. This idea can be applied to many different algorithms, and it would be interesting to see what difference this makes on both a theoretical and an experimental level.

Of course, there are many other possibilities, and students are welcome to bring their own ideas to the table.

Supervisors: Milan Lopuhaä-Zwakenberg

Decision trees and fault trees are two models to represent the reliability of complex systems. While the information they contain is mathematically identical, the fact that the models are formed in different ways means that they are used by different people for different reasons. Therefore, it would be interesting to convert decision trees to fault trees, but contrary to the opposite direction this conversion has not been explored so far.

In this project, the student will study and develop algorithms to convert decision trees into fault trees. While it is reasonably straightforward to come up with naïve algorithms, we are particularly interested in how those algorithms can be improved by decreasing their computation time and by outputting smaller fault trees.

Keywords: Vulnerability, CVE, CVSS, Vulnerability Scoring System, Security, Applied research

Topics: Risk in High Tech Systems, Case Studies and Applications, Security

Committee: Jeroen van der Ham, Stefano Maria Nicoletti 

Project Description:

The correct prioritization of actions to take after the discovery of new vulnerabilities is a key step in vulnerability management, analysis, handling and response. For many organizations this translates into using the Common Vulnerability Scoring System (CVSS) as a priority guide, paying particular attention to the technical severity of each vulnerability. Unfortunately, CVSS scores and their re-adaptations share a number of  issues that may undermine the choice of CVSS as the only parameter for actions prioritization: among these, it has been shown [1] that a high CVSS score does not always translate to publicly released exploits for that vulnerability or to high frequency of exploitation.

To address this issue, [2] proposes a testable Stakeholder-Specific Vulnerability Categorization (SSVC) based on decision trees. The authors argue that decisions are a more useful output than severity as different organizations can make different decisions on how to react to vulnerabilities based on their different priorities.

Although promising, this strategy leaves the door open to further refinement, mainly due to its preliminary nature. In particular, more testing is needed in order to assess decision trees' reliability, i.e., “reliable means that two analysts, given the same vulnerability description and decision process description, will reach the same decision.” In order for the decision trees to be reliable, the methodology proposed in [2] should be repeated with different groups, from diverse backgrounds and experiences.

Tasks:

The topic will be developed alongside the student, however suggested tasks are the following:

1. Understand the capabilities of decision trees and the SSVC
2. Get in touch with different analyst groups with a chosen vulnerability description and decision process description
3. Assess the reliability of the proposed framework
4. Highlight possible shortcomings and suggest possible improvements

Requirements:

Interest in cybersecurity, vulnerability management and problem solving.

What will you gain?

You will gain an understanding of the Common Vulnerability Scoring System (CVSS), its flaws and potential solutions to address them.

Curious? Please, feel free to contact us for further discussion, even if you are still undecided.

References:

[1] Allodi, Luca and Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild: The EKITS and SYM Datasets. BADGERS’12, Oct 5, 2012, Raleigh, North Carolina, USA.

[2] Spring, Jonathan M., et al. Prioritizing Vulnerability Response: A Stakeholder Specific Vulnerability Categorization. Carnegie-Mellon University Pittsburgh, Pittsburgh United States, 2019.

Supervisor: Milan Lopuhaä - Zwakenberg

Risk models such as fault trees (FTs) are formalisms typically used in reliability engineering, safety, and risk analysis. A known drawback of FTs is the time-consuming manual construction of these models, making them prone to human errors and incompleteness. Thanks to the ever-increasing availability of inspection and monitoring data, the development of algorithms that take care of this task in a data-driven manner are possible.

In [1] this challenge was tackled using multi-objective evolutionary algorithms, yielding compact and reliable FT models. Building upon this work, several interesting research directions are possible.

Possible research directions

• Boolean circuit design: Circuit designs aims to find circuits with a minimal number of logical gates representing a given Boolean function. FT models can be encoded by Boolean formulas. A possible research direction is to find and apply existing algorithms from circuit design for FT inference.
• Guiding the evolutionary algorithms: The current algorithm [1] takes a long time to converge when randomly applying genetic operators. One possible research direction is therefore to investigate to what extent knowledge about the models can be included to guide the genetic operators.
• Noisy and incomplete data sets: Current approaches only consider noise-free and complete failure data sets, which is of course not representative of real applications. Thus, it is interesting to investigate how to effectively deal and account for noise and incompleteness in failure data sets when inferring FT models in a data-driven manner.

References

[1] Jimenez-Roa, L. A., Heskes, T., Tinga, T., & Stoelinga, M. I. A. (2021). Automatic inference of fault tree models via multi-objective evolutionary algorithms. Preprint available online.

Requirements

Most research directions encompass a prototypical implementation. It is therefore advisable to be familiar with the Python programing language.

Supervisor: Reza Soltani, Stefano Nicoletti

Fault trees are an important formalism to assess the reliability of systems. Typically, they model how failures propagate from component failures to system level failures, via gates like AND and OR.

Fault trees have been very successfully applied to complex hardware systems, like railroads or chemical plants. However, software is getting more and more important. Hence, software fault trees have been developed to account for software failures as well.

Research directions:

The key idea of this project is to find out how Software fault trees work, and how they perform. Possible research directions are:

• Developing methods to estimate the failure rates for software components.
• Developing methods to automatically create fault trees for software, for example by a translation from specification languages such as UML.

For more information, please contact r.soltani@utwente.nl or s.m.nicoletti@utwente.nl.