Search papers, labs, and topics across Lattice.
This study develops a data-driven probabilistic security framework for IoT-based safety-critical systems by integrating Model-Based Systems Engineering (MBSE) with Attack Tree Analysis (ATA) and empirical vulnerability data. The framework utilizes SysML models to derive attack trees, mapping vulnerabilities as Basic Attack Steps with exploitation probabilities derived from the Exploit Prediction Scoring System (EPSS), and represents these trees as Bayesian Networks for enhanced probabilistic reasoning. The key finding reveals that this approach significantly improves the quantification of system compromise probabilities and prioritizes effective mitigation strategies, addressing the challenges posed by heterogeneous architectures and evolving threats in IoT environments.
A novel framework combines real-world vulnerability intelligence with structured attack modeling, transforming how we assess cybersecurity risks in IoT systems.
The Internet of Things (IoT) is integral to modern cyber-physical systems. Quantitative cybersecurity assessment in IoT environments remains challenging due to heterogeneous system architectures, evolving threat landscapes, and the limited availability of reliable probabilistic exploitability data. Although Attack Tree Analysis (ATA) provides a structured framework for modelling potential attack paths leading to system compromise, conventional ATA quantification often relies on subjective expert judgement or heuristic scoring schemes, which can introduce uncertainty and reduce analytical reproducibility. This study introduces a data-driven probabilistic security framework for IoT-based safety-critical systems by integrating Model-Based Systems Engineering (MBSE), ATA, and empirical vulnerability data. In the proposed framework, SysML models capture system architecture, from which attack trees are derived. Vulnerabilities are mapped as Basic Attack Steps and assigned exploitation probabilities using the Exploit Prediction Scoring System (EPSS). The attack tree is then represented as a Bayesian Network, enabling probabilistic reasoning, diagnostic inference, and vulnerability criticality analysis. The framework quantifies system compromise probabilities, identifies likely causes of attacks, and prioritises mitigation strategies. By combining architecture-driven modelling with real-world vulnerability intelligence, it provides a rigorous, reproducible approach for cybersecurity risk assessment in complex IoT environments.