The process of security risk assessment aids in understanding what vulnerabilities exist in computer systems and networks along with the likelihood and impact of the exploitation of these vulnerabilities. This process is of great importance to large organizations and individual users as it helps to design and develop cost-effective and efficient security measures. Traditionally, one way of performing risk assessment is by using Bayesian Attack Graphs. However, there are several limitations of this approach such as, scalability, attack backtracking and graphical cycles, tracking and representing multiple attack states, and representing and quantifying colluding and non-colluding attacks.
The objective of this project is to design and develop a risk assessment framework in the growing domain of connected and autonomous vehicles (CAV). Scenarios such as vehicle-to-vehicle and vehicle-to-internet inter-connectivity increase the number of attack surfaces. Further, vehicular infrastructure may not support resource-intensive security measures to prevent attacks. The solution lies in developing lightweight security measures and evaluating their potency, the prerequisite to which is performing security risk assessments. The novelty of this research lies in its proposal of using complex probabilities for Bayesian Attack Graph modeling instead of real positive numbers. Based on initial exploratory research, modeling risk assessment using complex probabilities might be able to address the challenges mentioned in the previous paragraph. The research contributions involve creating a CAV attack repository, modeling Bayesian attack graphs using complex probabilities for CAV, and creating a prototype tool deployed through a web-application.