FuzzAGG: A fuzzing-driven attack graph generation framework for industrial robot systems

Abstract

As industrial robot systems (IRS) are increasingly utilized in smart factories, their information security issues have become particularly critical. Attack graphs, an essential system-level risk modeling technique, traditionally rely on predefined risk attributes and exploitation rules for their generation. However, this approach fails to meet the needs for attack graph generation and analysis in environments with missing risk data. To address this issue, this paper proposes a fuzzing-driven attack graph generation framework, FuzzAGG. This framework aims to provide an efficient and accurate method for generating attack graphs under conditions of incomplete risk data, thereby supporting information security analysis and risk assessment of IRS. In this paper, a risk data model (RDM) is constructed using the Meta Attack Language to achieve a structured description of the risk data of IRS. A fuzzing test case generation algorithm based on the MU-SeqGAN model is proposed, which can generate test cases suitable for the state machines of IRS and map them to specific Risk Data Model Objects (RDMOs). Additionally, a conversion unit is designed to integrate all RDMOs into a risk description file, which is then used by the generation unit to construct a graphical attack graph. In performance tests, FuzzAGG is able to achieve automated construction of IRS attack graphs containing 1000 state nodes in 42 min and maintain 88 % risk coverage. Taking the IRS of a PCB automated production line the effectiveness of the FuzzAGG framework is validated. The results demonstrate that FuzzAGG can automatically generate and validate an attack graph containing 184 attribute nodes and atomic attack nodes in 8 min with high operational efficiency, proving the practicality and reliability of this method in automated attack graph generation.