Security Threat Analysis of In-vehicle Network Using STRIDE-Based Attack Tree and Fuzzy Analytic Hierarchy Process

The development of electrification, industrial intelligence, and interconnectivity has driven the transformation of the automobile from a mechanical to an intelligent product. Automobiles have gradually changed from a closed system to an open environment. Therefore, a variety of security threats and attack surfaces are emerging. Hackers or attackers can illegally access and control vehicles through external interfaces such as Bluetooth, Wi-Fi, and cellular. Automotive cybersecurity issues are becoming more prominent than ever. SAE J3061 and ISO/SAE 21434 being drafted also indicate that automotive cybersecurity has been elevated to a position equal to or more important than functional safety. Security threat analysis helps the development of the early concept phase of automotive cybersecurity. However, the threat analysis based on the traditional attack tree has the disadvantages of multiple subjective factors and low accuracy. In this article, we present an attack tree analysis method based on Microsoft’s threat model and fuzzy analytic hierarchy process (FAHP). First, a hierarchical in-vehicle network model is proposed. Then, with the help of Microsoft’s threat model, we identify the threats corresponding to the assets and construct a more comprehensive attack tree. Finally, for each threat attack sequence of the attack tree, the attack probability is calculated based on the FAHP. Furthermore, FAHP is compared with the analytic hierarchy process (AHP) and traditional methods. The results show that the proposed method plays a certain role in security threat analysis.