Data-Driven Vulnerability Exploration for Design Phase System Analysis

Applying security as a lifecycle practice is becoming increasingly important to combat targeted attacks in safety-critical systems. Among others, there are two significant challenges in this area: the need for models that can characterize a realistic system in the absence of an implementation and an automated way to associate attack vector information, that is, historical data, to such system models. We propose the cybersecurity body of knowledge (CYBOK), which takes in sufficiently characteristic models of systems and acts as a search engine for potential attack vectors. CYBOK is fundamentally an algorithmic approach to vulnerability exploration, which is a significant extension to the body of knowledge it builds upon. By using CYBOK, security analysts and system designers can work together to assess the overall security posture of systems early in their lifecycle, during major design decisions and before final product designs, consequently, assisting in applying security earlier and throughout the systems lifecycle.