
Vittorio Sanfilippo
Hybrid Model for Threat Analysis Enhanced by LLM: Integrating MITRE ATT&CK for Cyber-Physical System Security = AI-Augmented TAMELESS: Integrating MITRE ATT&CK and System Enhancements for Threat Analysis in Cyber-Physical Systems.
Supervisor: Fulvio Valenza. Politecnico di Torino, Master's degree programme in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica), 2025
Attachments:
- PDF (Tesi_di_laurea) - Thesis. License: Creative Commons Attribution Non-commercial No Derivatives. Download (4MB)
- Archive (ZIP) (Documenti_allegati) - Other. License: Creative Commons Attribution Non-commercial No Derivatives. Download (186MB)
Abstract:
In an era in which smart systems intrinsically integrate cyber, physical, and human components, threat analysis requires an approach that overcomes the limitations of traditional models, not by considering purely cyber threats but by focusing on the interaction between these domains. Based on the hybrid model described in “A Hybrid Threat Model for Smart Systems” and on the TAMELESS tool, an automatic tool that, through formal rules, derives the security state of complex systems, this thesis aims to enhance TAMELESS to make it more exhaustive, efficient, and accessible. Initially, the study focused on analyzing real cases involving interactions between cyber, physical, and human elements, verifying the applicability of TAMELESS rules to these scenarios. Subsequently, an analysis was conducted on the nature of the properties and relationships, which highlighted the coherence of the relationships defined in the model. This analysis extended to the formal verification of the rules using the PRISM tool, a model checker for the formal modeling and analysis of systems that exhibit random or probabilistic behavior, used to verify the activation, correctness, and consistency of the derivation system. In parallel, a modification was made to the TAMELESS system by implementing a graphical interface that allows for an intuitive visualization of the graph representing the system to be analyzed and the resulting attack graph. An update was made to the original TAMELESS code, enabling communication with the new versions of the Neo4J graph database. Furthermore, during the study it was decided to make the tool more exhaustive in interpreting the results; for this reason, a change was made to the vulnerability analysis workflow, integrating a module based on LLAMA 3.1 with RAG technology that, leveraging the MITRE ATT&CK dataset, extracts and subsequently verifies the applicability of attack techniques to the individual nodes of the system. 
The analysis performed in parallel by the Large Language Model allows for the merging of the results derived from TAMELESS with the information coming from MITRE ATT&CK, not only partially reducing the graph and facilitating the identification of attack paths, but also suggesting specific detection and mitigation methods and calculating the probability and risk associated with each node. The use of LLMs, increasingly impactful nowadays, allows for a significant improvement in understanding the results and compromise processes in hybrid smart systems, without distorting the formal nature of the system. Moreover, it makes TAMELESS accessible to a wider audience of users, alongside well-known and established methodologies such as MITRE ATT&CK.

| Field | Value |
|---|---|
| Supervisors | Fulvio Valenza |
| Academic year | 2024/25 |
| Publication type | Electronic |
| Number of pages | 125 |
| Subjects | |
| Degree programme | Master's degree in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica) |
| Degree class | New regulations > Master's degree > LM-32 - INGEGNERIA INFORMATICA |
| Co-supervising institution | University of Southampton (UNITED KINGDOM) |
| Partner organisations | University of Southampton |
| URI | http://webthesis.biblio.polito.it/id/eprint/35477 |