面向智能汽车的信息安全漏洞评分模型

随着汽车智能化、网联化的发展,汽车中集成了越来越多的电子器件,数量庞大的硬件、固件和软件中隐藏着各种设计缺陷和漏洞,这从根本上导致了智能汽车信息安全问题.大量汽车漏洞的披露,严重影响了汽车安全,制约了智能汽车的广泛应用.漏洞管理是降低漏洞危害、改善汽车安全的有效手段.在漏洞管理流程中,漏洞评估是决定漏洞处置优先级的重要...

Information security vulnerability scoring model for intelligent vehicles

More and more electronic devices are integrated into the modern vehicles with the development of intelligent vehicles.There are various design flaws and vulnerabilities hidden in a large number of hardware, firmware and software.Therefore, the vulnerabilities of intelligent vehicles have become the most important factor affecting the vehicle safety.The safety of vehicles is seriously affected by the disclosure of a large number of vulnerabilities, and the wide application of smart cars is also restricted.Vulnerability management is an effective method to reduce the risk of vulnerabilities and improve vehicle security.And vulnerability scoring is one the important step in vulnerability management procedure.However, current method have no capability assessing automotive vulnerabilities reasonably.In order to handle this problem, a vulnerability scoring model for intelligent vehicles was proposed, which was based on CVSS.The attack vector and attack complexity were optimized, and property security, privacy security, functional safety and life safety were added to characterize the possible impact of the vulnerabilities according to the characteristics of intelligent vehicles.With the machine learning method, the parameters in CVSS scoring formula were optimized to describe the characteristics of intelligent vehicle vulnerabilities and adapt to the adjusted and new added weights.It is found in case study and statistics that the diversity and distribution of the model are better than CVSS, which means the model can better score different vulnerabilities.And then AHP is used to evaluate the vulnerability of the whole vehicle based on the vulnerability score of the model, a score is given representing the risk level of whole vehicle.The proposed model can be used to evaluate the severity of information security vulnerabilities in intelligent vehicles and assess the security risks of the entire vehicle or part of the system reasonably, which can provide an evidence for fixing the vulnerabilities or reinforcing the entire vehicle.