# Formal methods for risk analysis

Would it not be great to live in a world where computers never crash, trains always ride and banks are never hacked?

This is the ultimate goal of risk management. In FMT, we work on the risk analysis phase, where one identifies, evaluates and prioritizes risks, to come up with (cost-)effective countermeasures. By using mathematical models, we can not only reason about risk, but quantify risk as well. As risk models from industry become very large very quickly, creating algorithms that analyze risk models efficiently is an important area of research.

Prominent mathematical models include graph models such as fault trees (for safety), attack trees (for security), binary decision diagrams, and Bayesian networks. Application areas we have considered so far include cybersecurity, medical devices, and robotics, but we are interested in many applications: if you have one of your own, please come to us.

Projects for Formal methods for risk analysis roughly fall within some or more of the following categories:

• Modeling techniques: What types of risk can we model, and what do we want our models to express? For example, how do we model the interplay between safety and security?
• Model analyis: Can we find new ways to efficiently calculate risk parameters from models, such as the likelihood and impact of adverse events?
• Big data: How do we get from a large dataset to a risk model that is easy to analyze, yet retains as much relevant information as possible?
• Industrial case studies: Do one or more of the above for real-world data, in collaboration with companies, government bodies or risk consultancy firms.

Some of the research in Formal methods for risk analysis is closely related to that of quantitative analysis, as it relies on stochastic model-checking techniques. Conversely, many examples and case studies for quantitative analysis come from risk management.

• Attack tree metrics

Supervisor: Milan Lopuhaä-Zwakenberg and Reza Soltani

Attack trees are a popular and useful tool to model a system's vulnerability to attackers. They are used in quantitative security analysis: they can be used to calculate security metrics such as the minimal time or resources an attacker needs to successfully compromise the system. As attack trees can grow quite large in practice, there is an ongoing need for algorithms that can calculate security metrics on a feasible timescale.

In this project, the student adds to this field of research by implementing proposed algorithms, inventing new ones, or analyzing the behaviour of existing methods. Some possible avenues for research are:

• Linear programming: many security metrics can be phrased as optimization problems (such as the minimal cost of a succesful attack). Therefore, a student could create new metric calculation algorithms based on optimization techniques such as linear programming.
• Multi-metric analysis: it often makes sense to consider the interplay between metrics: one attack may be more costly to the attacker than another, but do more damage in return. There are some ideas on how to co-analyze metrics, but these have hardly been implemented, and there is also plenty of room for new ideas.
• Attack tree properties: As the problem of calculating security metrics is NP-hard, many existing algorithms are of worst-case exponential complexity. However, it is unclear how these algorithms fare in practice, and what properties of the attack tree have an impact on algorithm complexity.
• Modular analysis: An underused idea in attack tree analysis is to split up the attack tree into so-called modules and analyze each module separately. This idea can be applied to many different algorithms, and it would be interesting to see what difference this makes on both a theoretical and an experimental level.

Of course, there are many other possibilities, and students are welcome to bring their own ideas to the table.

• Converting AFT to game automata

Supervisor: Reza SoltaniMilan Lopuhaä-Zwakenberg

In the cyber-physical domain, safety and security have a complex relationship that entails trade-offs. Specifically, taking steps to improve safety may weaken security, and vice versa. Security and safety are frequently looked into separately in different studies.

When it comes to safety, Fault Trees (FT) analysis is frequently used to identify potential problems, such as component failures that propagate throughout a system. From a security perspective, we use Attack Trees (AT) to understand how attackers might break things down into smaller steps and elements to achieve their goals.

Attack-Fault Trees (AFT) are utilized for a thorough study that considers elements related to safety and security. AFTs have limitations; for example, it is not possible to fully show the effect of safety and security on each other. One of the solutions is to convert AFTs into game automata.

In earlier work, we have modeled FTs as a 1.5-player game [1]. One could use an analogous approach to model an AFT as a 2-player game. Such a time-game automaton could then be subject to comprehensive quantitative safety-security analysis using model checkers.

Some research questions:

• If the attacker knows about the safety failures, how does this affect the cost and probability of the attack?
• Can attacks increase safety failure?

Reference:

1.        Soltani, R., Volk, M., Diamonte, L., Lopuhaä-Zwakenberg, M., Stoelinga, M. (2023). Optimal Spare Management via Statistical Model Checking: A Case Study in Research Reactors. In: Cimatti, A., Titolo, L. (eds) Formal Methods for Industrial Critical Systems. FMICS 2023. Lecture Notes in Computer Science, vol 14290. Springer, Cham. https://doi.org/10.1007/978-3-031-43681-9_12

• Converting decision trees into fault trees

Supervisors: Lisandro Jimenez Roa, Milan Lopuhaä-Zwakenberg

Decision trees and fault trees are two models to represent the reliability of complex systems. While the information they contain is mathematically identical, the fact that the models are formed in different ways means that they are used by different people for different reasons. Therefore, it would be interesting to convert decision trees to fault trees, but contrary to the opposite direction this conversion has not been explored so far.

In this project, the student will study and develop algorithms to convert decision trees into fault trees. While it is reasonably straightforward to come up with naïve algorithms, we are particularly interested in how those algorithms can be improved by decreasing their computation time and by outputting smaller fault trees.

• Improving the inference of risk models

Supervisors: Matthias Volk, Lisandro A. Jimenez-Roa, Marijn Peppelman

Risk models such as fault trees (FTs) are formalisms typically used in reliability engineering, safety, and risk analysis. A known drawback of FTs is the time-consuming manual construction of these models, making them prone to human errors and incompleteness. Thanks to the ever-increasing availability of inspection and monitoring data, the development of algorithms that take care of this task in a data-driven manner are possible.

In [1] this challenge was tackled using multi-objective evolutionary algorithms, yielding compact and reliable FT models. Building upon this work, several interesting research directions are possible.

#### Possible research directions

• Boolean circuit design: Circuit designs aims to find circuits with a minimal number of logical gates representing a given Boolean function. FT models can be encoded by Boolean formulas. A possible research direction is to find and apply existing algorithms from circuit design for FT inference.
• Guiding the evolutionary algorithms: The current algorithm [1] takes a long time to converge when randomly applying genetic operators. One possible research direction is therefore to investigate to what extent knowledge about the models can be included to guide the genetic operators.
• Noisy and incomplete data sets: Current approaches only consider noise-free and complete failure data sets, which is of course not representative of real applications. Thus, it is interesting to investigate how to effectively deal and account for noise and incompleteness in failure data sets when inferring FT models in a data-driven manner.

#### References

[1] Jimenez-Roa, L. A., Heskes, T., Tinga, T., & Stoelinga, M. I. A. (2021). Automatic inference of fault tree models via multi-objective evolutionary algorithms. Preprint available online.

#### Requirements

Most research directions encompass a prototypical implementation. It is therefore advisable to be familiar with the Python programing language.

• A long awaited marriage: investigating safety/security interactions in real-world scenarios

Supervisors: Stefano Maria Nicoletti, Reza Soltani

The introduction and adoption of new technologies implies the rise of new risks, related both to accidental damage (safety) and to malicious attacks (security). Furthermore, safety and security are often intertwined: passwords protect medical data from unauthorized access but are an obstacle for patients' safety during emergencies, IoT sensors can help to monitor the pressure levels of a pipeline but may provide extended attack surfaces for malicious hackers.
The existence of interdependencies between safety and security calls for a better (formal) understanding of this kind of interactions:

• At what level do safety and security interact? What interacts with what?
• Do these interactions regard requirements, countermeasures, factors (etc.)?

The suggested tasks are the following:

• Together with your supervisor, decide on a case study of interest and investigate how safety and security interact in this setting. Case study scenarios can also be provided by your supervisor (e.g., a drone assembly factory).
• Chose a formalism to analyse said case study (by discussing with your supervisors) and understand its modelling capabilities
• Starting from the chosen case study, investigate which of the different interactions between safety and security are captured by the formalism of choice
• Investigate at what level these interactions take place

For this topic, you should have a strong interest in multidisciplinary research.

• Improving the Common Vulnerability Scoring System (CVSS): Prioritizing Vulnerability Response

Keywords: Vulnerability, CVE, CVSS, Vulnerability Scoring System, Security, Applied research

Topics: Risk in High Tech Systems, Case Studies and Applications, Security

### Project Description:

The correct prioritization of actions to take after the discovery of new vulnerabilities is a key step in vulnerability management, analysis, handling and response. For many organizations this translates into using the Common Vulnerability Scoring System (CVSS) as a priority guide, paying particular attention to the technical severity of each vulnerability. Unfortunately, CVSS scores and their re-adaptations share a number of  issues that may undermine the choice of CVSS as the only parameter for actions prioritization: among these, it has been shown [1] that a high CVSS score does not always translate to publicly released exploits for that vulnerability or to high frequency of exploitation.

To address this issue, [2] proposes a testable Stakeholder-Specific Vulnerability Categorization (SSVC) based on decision trees. The authors argue that decisions are a more useful output than severity as different organizations can make different decisions on how to react to vulnerabilities based on their different priorities.

Although promising, this strategy leaves the door open to further refinement, mainly due to its preliminary nature. In particular, more testing is needed in order to assess decision trees' reliability, i.e., “reliable means that two analysts, given the same vulnerability description and decision process description, will reach the same decision.” In order for the decision trees to be reliable, the methodology proposed in [2] should be repeated with different groups, from diverse backgrounds and experiences.

The topic will be developed alongside the student, however suggested tasks are the following:

1. Understand the capabilities of decision trees and the SSVC
2. Get in touch with different analyst groups with a chosen vulnerability description and decision process description
3. Assess the reliability of the proposed framework
4. Highlight possible shortcomings and suggest possible improvements

### Requirements:

Interest in cybersecurity, vulnerability management and problem solving.

### What will you gain?

You will gain an understanding of the Common Vulnerability Scoring System (CVSS), its flaws and potential solutions to address them.

References:

[1] Allodi, Luca and Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild: The EKITS and SYM Datasets. BADGERS’12, Oct 5, 2012, Raleigh, North Carolina, USA.

[2] Spring, Jonathan M., et al. Prioritizing Vulnerability Response: A Stakeholder Specific Vulnerability Categorization. Carnegie-Mellon University Pittsburgh, Pittsburgh United States, 2019.

• Software fault trees

Supervisor: Reza SoltaniStefano Nicoletti

Fault trees are an important formalism to assess the reliability of systems. Typically, they model how failures propagate from component failures to system level failures, via gates like AND and OR.

Fault trees have been very successfully applied to complex hardware systems, like railroads or chemical plants. However, software is getting more and more important. Hence, software fault trees have been developed to account for software failures as well.

#### Research directions:

The key idea of this project is to find out how Software fault trees work, and how they perform. Possible research directions are:

• Developing methods to estimate the failure rates for software components.
• Developing methods to automatically create fault trees for software, for example by a translation from specification languages such as UML.

• Visualization of risks

Supervisor: Mariëlle Stoelinga

Fault trees are a popular model in risk analysis: they describe how failures propagate from components to system level: system components are modelled as leaves of the tree, and gates (like AND, OR, priority-AND) in a fault tree model how failures propagate to the top of the tree, which represents that the system has failed.
A wide number of techniques is available to analyse fault trees, both in a qualitative and in a quantitative way: cut sets, BDDs, probabilistic analysis, etc.
The goal of this project is to visualize the outcomes of such analyses: while standard GUIs exist to draw fault trees, and to add the information needed for the analysis, this is not true for the outcomes of the analysis: presentation of the results is usually done via simple plots. This can be done much better and nicer!
Hence, we would like to develop more sophisticated and interactive means to visualize a fault tree: various visualization tools and frameworks can be deployed here --- making fault tree analysis a joy to look at.