Modelling and evaluation of the security of cyber-physical systems using stochastic Petri nets

This study proposes a stochastic Petri net model for evaluating the security and resilience of cyber-physical systems (CPSs) in the face of malicious attacks. The basic idea behind the proposed model is to evaluate the security of control loops equipped with intrusion detection systems (IDSs) faced with security attacks. The quantitative analysis is performed in terms of system-focused quantitative security measures, such as mean time-to-failure and availability. By using this model, one can investigate the effects of some attacks and defensive parameters, including the detection interval, the time to physical disruption, and the false-positive probability of IDSs. This evaluation results can help to improve the security countermeasures of CPSs.


Introduction
Cyber-physical systems (CPSs) are characterised by computational and communication elements monitoring and controlling physical entities [1].These systems, by using distributed sensing, a set of controllers, actuators and communication media, control the effects in the physical world.Smart grids, power plants, chemical and water plants, aircrafts, and robots are examples of CPSs.
The need to have a proper understanding of the control principles and failure conditions of the system for attackers [2] and the potential consequence of attacks on CPSs put the security of these systems apart from the security of Information Technology (IT) systems.To achieve a realistic physical disruption, attackers have to focus on the system control [3][4][5].Otherwise, the outcome of the attack is very limited.
An attack on these systems may violate some safety limitations, damage or overstress equipment, damage products or may lead to environmental pollution [6].For these reasons, security analysis of CPSs has a significant importance.
This paper proposes a model for evaluating the security of CPSs.The proposed model is based on stochastic Petri nets (SPNs) [7,8].The main focus of the paper is on CPSs in which the system has a certain deadline to detect and respond to the conducted attack.If the system strategies for detecting and removing an attack in a certain time fail, the conducted attack can lead to physical shut-down or failure.
The aim of this paper is to model CPSs equipped with intrusion detection systems (IDSs) to quantify their resilience to the adversarial attacks.Our objective is to investigate how the detection interval, the false-positive probability, and the time to physical disruption parameters may affect the system availability and mean time-to-failure (MTTF).Furthermore, we examine how properties of physical processes including, the speed limitation of valves and the application period of control input may influence the outcomes of attacks.The investigation results can lead to extend the system MTTF and increase its availability.
The remaining of the paper is organised as follows.In Section 2, the system model is provided and some security attacks against CPSs are discussed.In Section 3, the proposed model is described.In Section 4, an illustrative example is provided and numerical results are demonstrated.Finally, in Section 5, some conclusions are explained.

Related work
This section presents some previous work on modelling and evaluating the security of CPSs.With respect to the existing literature, modelling and evaluating CPSs can be done through two different approaches.The first approach is to utilise the formal modelling methods, formalise the functional requirements of the system, and then, verify the constructed model [8,9].The second approach is to provide an analytical model for estimating the system behaviour under attacks [10,11].
For instance, Ni et al. [12] proposed a formal model for the risk assessment of real-time embedded systems.Their goal was to build a formal model to analyse the risk level of each system component.
Mitchell and Chen [13] proposed an approach for modelling and evaluating attacks and defensive actions for CPSs.They considered three types of failures, including attrition, pervasion, and exfiltration failures.In the case of attrition failure, the modernised electrical grid does not have enough actuators or control nodes to accomplish its intended functions.In the case of pervasion failure, the density of attacked actuators or control nodes is too high.In this situation, attacked nodes collude to overwhelm the other nodes.In exfiltration failure, the aggressor secretes enough modernised electrical grid data to achieve an intelligence victory or leaks enough surveillance data to instrument a devastating attack.In their paper, they primarily focused on determining the optimal situation in which one can use redundant components in CPSs.
Krotofil et al. [14] studied how the time of an attack can affect its results.Their investigation results reveal that if a denial of service (DoS) attack is conducted at a correct time, it can drive the physical process to an undesired state.Genge et al. [15] studied how network parameters such as packet losses, communication delays and the network background traffics can influence the impacts of attacks.
Zhu and Başar [16] have presented a dynamic game-theoretic method to model the interactions between the cyber level policy making and the physical level robust control design.The presented model captures the cascading failures in which one harmful event propagates failures in the system.Finally, a set of coupled optimality conditions is provided to characterise the pure strategy equilibrium of robust control design and cyber defence policy.
Marin et al. [17] have focused on SPNs in which there are special transitions the firings of which act in a similar way to signals in G-networks, but which may be generated by synchronised firings and may affect several places simultaneously.They have shown that SPNs with signals are strict generalisations of G-networks with negative customers, triggers and catastrophes.
In [18] stochastic state classes are extended with a supplementary timer that enables the symbolic derivation of the distribution of time at which a class can be entered.The proposed approach is amenable to efficient implementation when model timings are given by expolynomial distributions, and it can be applied to perform transient analysis of generalised semi Markov processes (GSMPs) within any given time bound.
Gallina et al. [19] have concentrated on the analysis of connectivity and the evaluation of interference in mobile networks and have proposed a probabilistic formal method, based on a process algebraic approach.They have considered the jamming attacks and have applied their framework for the analysis of an indoor wireless communication scenario.
In [20], we have proposed a method for evaluating the impact propagation of security attacks on CPSs.By using this method, the direct and indirect consequences of attacks against these systems can be estimated.
Compared with the discussed approaches, our objective is to examine the effect of some IDS design conditions on the security and resilience of CPSs to attacks with targets of physical disruptions.In short, we first discuss some important issues raised in the security of CPSs.Then, we show how these issues are considered in the proposed model aimed at analysing the security of CPS.The investigation results can lead to extend the system MTTF and increase its availability.

System model
In CPSs, the physical process is continually sensed, monitored and controlled by embedded computing devices.An abstraction of a control loop in CPSs is depicted in Fig. 1.An IDS in CPSs monitors the physical process under control and hence deals with laws of physics [3].It receives the measured and the generated signals and monitors data flows between the control loop components.Any difference in the process values will represent an attack.
Depending on the characteristics of their applications, CPSs can be categorised into fail-safe and fail-operational cases [21].In the fail-safe case, the system must be made to stop functioning to limit the damage that may be caused by conducted attacks.In the failoperational case, the system enters the recovery state aimed at maintaining essential services.In this case, the best possible situation is when there are enough redundant components to enable the delivery of correct service.
As the first type of attacks on CPSs, we can refer to the integrity attack on sensor measurements transferred to controllers and control signals transferred to actuators.The second type of attacks is the DoS attacks on sensor readings and control signals.In scan cycle architecture, programmable logic controllers (PLCs) often use the sensor readings that were last saved in the input buffers.By conducting a jamming attack, the attacker deceives the controller about the state of the system.
In order to identify the attacker's intrusions and the abnormal behaviour of the physical process under control, CPSs apply anomaly based and signature based IDS algorithms [22].The quality of IDSs is determined by their false-negative and false-positive probabilities.An intrusion detection system investigates continuously the presence of any security penetration in sensors, actuators and control devices.

Proposed model
In this section, the proposed model is described.An SPN [7] is a tuple: SPN = P, T, F, M 0 , R, H , where P is a set of places, T is a set of transitions, F is a set of arcs from places to transitions or from transitions to places, M 0 : P → N is the initial marking associating with each place a non-negative number, R is the set of firing rates associated with the transitions and H is a set of inhibitor arcs.The firing times are random variables whose parameters are real numbers identified by the firing rates.Indeed, SPNs are defined as a type of Petri nets where transitions fire after random times [23].
The advantages of using a SPN are as follows [7,23]: (i) by utilising the SPN structure, we can model and study the simultaneous behaviour of the system, attacker, and IDS; (ii) by using probabilities along with the time distributions, we can capture the probabilistic and temporal behaviour of the system and attacker; (iii) we can refer to the straightforward correspondence between the reachability graph of the SPN and the state-transition diagram of the Markovian process it generated.
As generally distributed transition times can be employed as firing time, the underlying model would be a semi-Markov model.The feasibility of obtaining closed-form analytical solutions is one of the considerable advantages of the semi-Markov model [7].Another important advantage of the semi-Markov model is the possibility of assigning general probability distribution functions to its transitions.

Model description
The graphical representation of the security model for CPSs is depicted in Fig. 2a.The meanings of places and transitions in the model are described in Tables 1 and 2, respectively.The dynamic behaviour of the system under attack described by an SPN is illustrated by the evolution of the markings.The state vector representation [P_Normal, P_NoAttack, P_Detecting, P_Failure, P_Attack, P_FalsePositive, P_TruePositive] is used for describing the dynamics of the system.In this representation, seven variables are used for representing the number of tokens in the places.Initially, the system is in the secure state and continues to its normal operation.In this state, the places P_Normal, P_ NoAttack and P_Detecting have one token.Therefore, the initial marking that represents the normal state of the system is equal to [1, 1, 1, 0, 0, 0, 0].
The transition T_Controlling models the application period of control input (T S ).Firing the transition T_Controlling shows that the control command is transmitted to actuators by the controller.The continuous physical operation of the system in this transition is characterised by a system of ordinary differential equations as follows: where X is the set of the system variable and X ˙ is the set of the first-order derivation of the variables in this set.Indeed the state changes are divided into two kinds of changes: discrete transitions occur instantaneously (no need to spend time) and continuous flow transitions occur when time elapses (need to spend some time).The transition T_Attack models the situation in which the attacker conducts an attack against the system aimed at causing a physical disruption.Firing the transition T_Attack represents that an attack is initiated and a token is added to the place P_Attack and a token is removed from the place P_NoAttack.Thus, the resulting state is [1, 0, 1, 0, 1, 0, 0].It is assumed that signature or anomaly based IDSs are used in CPSs to continuously monitor the behaviour of the system and detect any abnormal behaviour or any suspicious elements in the system [22].
If there is no attack, an IDS may falsely detect an intrusion.In this case, there is no token in the place P_Attack, and the transition T_TruePositive is disabled, but the transition T_FalsePositive is enabled.
By firing the transition T_FalsePositive, one token will be removed from the place P_Detecting and will be added to the place P_ FalsePositive.In this situation, the resulting state will be [1, 1, 0, 0, 0, 1, 0].The transition T_ FalsePositive models the situation in which the system responds to the generated false-positive alarm.In the fail-safe case, the system is suspended to limit the potential damage.In the fail-operational case, the system continues its operation aimed at maintaining essential services and responds to the generated alarm.The other possibility is that no attack has taken place and no detection is made by the IDS.In this situation, the system continues its operation in the initial normal state [1, 1, 1, 0, 0, 0, 0].
As stated earlier, the place P_Attack, if holding a token, represents an attack is conducted against the system.If the intrusion is detected by the IDS before disrupting the physical process, the transition T_TruePositive is fired and a token is put to the place P_TruePositive.In this state, a legitimate attack triggers an IDS to produce an alarm and the resulting state is [1, 0, 0, 0, 0, 0, 1].In this case, the system enters the recovery state aimed at maintaining essential services (in the fail-operational case) or suspending the system to limit the probable damages (in the failsafe case).The transition T_TruePositive models the recovery actions in these cases.In both cases, the system returns to the initial normal state after performing suitable recovery actions.
If the strategies for detecting and responding to an attack fail, the transition T_Failure is fired and the token in the place P_Normal is taken out and a token will deposit in the place P_Failure (i.e.[0, 0, 1, 1, 0, 0, 0]).Here, the attacker achieves to the goal of disrupting the behaviour of the system and a physical disruption is occurred.The underlying semi-Markov model of the SPN-based model is depicted in Fig. 2b.

Model parameterisation
This section focuses on parameterising the SPN model.Table 3 lists the input parameters to the model.The value of these parameters should be determined by security professionals.We now explain how to compute the introduced transition rates.The attack rate (λ attack ) can be calculated as follows: in which P a is the probability of launching an attack and T a is the attack initiation interval.The next transition rate is the IDS falsepositive rate (λ fp ), which can be derived using the following formulation: where P fp is the false-positive probability, and T d is the IDS detection interval.
The IDS detection rate (λ tp ) can also be calculated using the following equation: where P tp is the true-positive probability, and T d is the IDS detection interval.The failure rate of the system (λ failure ) can be derived using the following equation:   in which T f is the time needed for a carried out attack to bring the system to the failure state (time to physical disruption).λ RTP , which is the recovery rate from the true-positive state, can be derived using the following formulation: where T RTP is the duration of time required for recovering the system from the attacked state back to the normal state.In the failsafe case, this parameter represents the suspending time of the system for performing recovery actions.Finally, the recovery rate from the false-positive state (λ RFP ) can be derived using the formulation: where T RFP is the time needed to respond to a false alarm.So far, the SPN model has been described and parameterised.Now, we concentrate on determining and computing the parameters of the underlying semi-Markov model.To analyse the underlying semi-Markov model dealing with two sets of quantitative parameters is necessary: (i) the mean holding time in each state and (ii) the transition probabilities which must be assigned to the arcs (transitions).Let U i,j be the transition rate between the state i and the state j.The mean holding time in the state i (h i ) can be computed using the following formula [7]: where M is the set of markings (states) in the underlying semi-Markov model.The probability of the transition between the state i and the state j (P i,j ) can be derived using the following formula [7]: We now explain how to obtain the parameter values.P tp , P fp are related to intrusion detection systems and can be determined by using historical data.T x parameters are time parameters and can be estimated by using the process model.In the illustrative example section, it is described the different kinds of attacks against the considered system and the value of different time parameters.In general, in order to have a good estimation, we assign values to some parameters to isolate out their effects, while others parameters are changed.

Model evaluation
We now describe how to evaluate the model and estimate the security measures i. MTTF: This measure represents the time required to reach one of the absorbing (failure) states [24].We can refer to MTTF as an essential measure to reveal the resiliency of a CPS.The MTTF can be derived using the following formula [24]: where v i is the average visit count of the transient state i before reaching the model to one of the absorbing states and h i is the mean sojourn time in state i.The visit count parameters (v i ) can be can be derived using the following system of equations [24]: where the quantity q i is the probability that the model starts in state i.Since it is assumed that the system initially is in the secure state (S), we will have q = q i = 1 0 0⋯0 (12) ii.Availability: This measure represents the proportion of time a system is in a functioning condition.To estimate the availability metric, we need to study the behaviour of the system in a steady state and consider all states of the model as transient states.Hence, we need to add the transition T_Restoration to the SPN model from the state P_failure to the state P_Normal.The firing rate of this transition is considered as 1/T r where T r denotes the time needed to bring the failed system back to the normal state.It is assumed that the failed system can be returned to the initial normal state by restoration and reconfiguration actions.Accordingly, the underlining semi-Markov model will have a transition from the failure state to the normal state.Based on the proposed model, for the availability of a fail-operation CPS, we have where π i is the steady-state probability that the proposed stochastic model is in state i.Since the system is suspended in the false-positive and detected states, the availability of a failsafe CPS can be computed as: Since the proposed model is a semi-Markov model, its steadystate probabilities can be calculated in terms of the mean sojourn times (h i 's) and the embedded DTMC steady-state probabilities (q i 's) as follows [24,25]: in which the embedded DTMC steady-state probabilities can be calculated as [24,25] q = q ⋅ P (16) where P is the transition probability matrix.
For the underlying semi-Markov model, the transition probability matrix can be represented as follows:  where N, FP, A, D, F are the normal, false-positive, attacked, detected and failure states, respectively.

Illustrative example
This section provides an illustrative example to represent how the proposed model can be utilised to quantify the security level of a CPS.

System specification
For illustrative purpose, we use a laboratory plant consisting of two connected tanks which are situated on different levels (see Fig. 3) [26].The height of both tanks is 100 cm and the diameters of tank 1 and tank 2 are 12 and 5 cm, respectively.The plant consists of three valves: the incoming water flow valve (V in ), the intermediate valve (V 1 ) and the output valve (V 2 ).It is assumed that the incoming flow valve has only two positions, opened or closed, and its input flow in the opened position is V ˙in = 400 l/h and in the closed position is V ˙in = 0 l/h.The two other valves (V 1 and V 2 ) may have any position (P i ) between 0 and 80, representing the completely open and closed positions.The valves V 1 and V 2 have the speed limitations given as P ˙1 = P ˙2 = 1/s.It means that opening and closing these valves takes 80 s.The dynamics of the water level in two tanks (h 1 and h 2 ) can be given by in which A 1 and A 2 are the base areas of tank 1 and tank 2, respectively.V ˙1 is the dynamics of the valve V 1 and can be derived using the following formula: where H is a determined threshold.The dynamics of the valve V 2 is given by K 1 and K 2 are the coefficients and represent the dependencies between the flows and the valve positions.These coefficients can be derived as follows [26]: The plant has two operation phases including, the start-up and the stationary-operation phases.The start-up phase includes two steps.
In step 1, the V in valve is opened while V 1 is kept closed.After the period Time 1, step 2 is started.In this step, V 1 will be opened and the flow goes into tank 2. After the period Time 2, the stationaryoperation phase begins.In this phase, the plant based on the situation is either in step 3 or step 4.
During step 3, the output valve V 2 is opened.As long as the water level in tank 2 remains above the lower threshold L min , the controller remains in step 3.As soon as the water level in tank 2 drops below the determined lower limit L min , the controller moves to step 4 until the level rises above the determined upper threshold L max .
When step 4 becomes active, V 2 is closed.Two requirements are determined for this plant.First, no overflow may occur, and second, the water level in tank 2 must not swing periodically between two determined lower and upper limits (L min and L max ).Fig. 4a depicts the water level inside tank 1 and tank 2 in both phases.

Attacks against the plant
We consider an attacker with a high level of knowledge that is able to send malicious commands to V 2 to keep it in the closed position.As the first attack, we assume that the attack is initiated in the startup phase, before reaching the process to the stationary-operation phase.To do so, the attacker tries to keep V 2 in the closed position and bring the water level inside tank 2 into an undesired state (see Fig. 4b).
The attack is initiated at T = 101 s and the level inside the tank is derived to the undesired state at T = 255 s (after 154 s from initiating the attack).
In the next attack, we assume that the attacker launches the attack at T = 600 s when the system operates in the stationaryoperation phase.In this case, the water level inside tank 2 rises above 100 cm at T = 719 s (Fig. 4c).Fig. 4d shows that the process returns back to the normal state after 270 s from terminating the attack.

Numerical results
To evaluate the model, we first need to estimate its parameters.Table 4 presents the default values of the input parameters to the model and their corresponding confidence intervals.The time parameters in this table are the time of the SPN model transitions represented in Fig. 2a.
First, by using ( 8) and ( 9), the parameters of the underlying semi-Markov model are calculated.Then, the evaluation process is done according to (10), (13) and (14).In each scenario, we set the value of all needed parameters to their default values and change the value of the parameter under investigation to show its effects.i.Effect of the application period of control input: we first examine how the outcome of attacks is influenced by the control logic scheduling time.To this end, we measure the impact of the application period of control input every 1 and 0.2 s on the attack outcome.In the first case (period of control input every 1 s), the water level inside tank 2 reaches the undesired state after 119 s from starting the attack (Fig. 4c).In the second case, the water level inside the tank cannot reach the undesired state (Fig. 5a).Indeed, by decreasing the scheduling time to 0.2 s, the process can react more efficiently to the conducted attack.ii.Effect of speed limitation of valves: we now compared the time to physical disruption parameter, when the speed of V 2 is 1/s and 2/s.Fig. 4c shows that for the speed limitation of 1/s, after 119 s from starting the attack the water level inside tank 2 reaches the critical state.By increasing the speed limitation to 2/s, the water level inside tank 2 reaches the undesired state after 104 s from launching the attack (Fig. 5b).These results reveal that properties of physical processes such as the speed limitation of valves have important effects on the attack outcomes in CPSs.iii.Effect of attack probability and detection interval: Here, we investigate how the attack probability can influence the system availability and MTTF.For this purpose, we assume that the plant works in the fail-operation mode.Figs.6a and b show the system MTTF versus the attack probability (P a ).As expected, the results demonstrate that the system availability MTTF decreases as the attack probability increases.Besides, increasing the detection interval can lead to decreasing the system availability and MTTF.iv.Effect of time to physical disruption: Fig. 7 shows the availability (and MTTF) versus time to physical disruption with varying detection interval T d .We first observe that the system availability and MTTF drastically increase when time to physical disruption increases.This happens because, as a time to physical disruption increases, there is a higher opportunity for the system to detect the abnormal behaviour of the system.Therefore, there is a higher probability of detecting the attack.Furthermore, we observe that availability and MTTF increase as the detection interval decrease.v. Effect of false-positive probability P fp : In this investigation, the plant is considered as a fail-safe system.Fig. 8 represents the availability versus T d with varying false-positive probability (P fp ) for P a = 0.5 and T f = 50 (Fig. 8a), P a = 0.9 and T f = 50 (Fig. 8b) and P a = 0.5 and T f = 150 (Fig. 8c).
An important observation is that, for each false-positive probability, there is an optimal T d value under which the system availability is maximised.In the first experiment (Fig. 8a), the optimal T d values for T fp = 0.01, 0.1 and 0.2 are 50, 300 and 400, respectively.In the second examination (see Fig. 8b), the optimal T d values for T fp = 0.01, 0.1 and 0.2 are 50, 150 and 250, respectively.In comparison with the first examination (P a = 0.5), we observe that the optimal T d value decreases as the attack probability increases.Finally, in the third examination, the optimal T d values for T fp = 0.01, 0.1 and 0.2 are 100, 400 and 500, respectively (see Fig. 8c).In comparison with the previous examinations, it is observable in the third examination that the optimal T d value increases as the time to physical disruption increases.Besides, the system availability decreases as the false-positive probability increases.Furthermore, when the false-positive probability is high, the large T d value can enhance the system availability.
In general, some quantitative and qualitative discussions about the security analysis are provided.
• The control logic scheduling time has a very important role in the security of CPSs.By decreasing the scheduling time, the process can react more efficiently to the conducted attack.• When the false-positive probability is high, the large detection interval value can enhance the system availability.
• The properties of physical processes such as the speed limitation of valves have important effects on the attack outcomes in CPSs.• With a small detection interval, we can detect the conducted attack with higher probability.• There is an optimal value for detection interval under which the system availability is maximised.• For the considered system as an illustrative example, conducted attack when the system operates in the stationary-operation phase is more dangerous than the other case.

Conclusion
This paper modelled the attacker and defender behaviours to analyse the security of CPSs.To this end, we proposed a SPN model.The security analysis is accomplished in terms of systemfocused quantitative measures, such as MTTF and availability.Furthermore, the effects of attack factors and countermeasures in terms of the detection interval, the time to physical disruption, and the false-positive probability of intrusion detection systems on the system availability and MTTF are investigated.The proposed method can be utilised for the security quantification of CPSs that (i) an attack against them can lead to physical failure, and (ii) we have their process model representing the evaluation process of the system.The security evaluation results revealed that to achieve a realistic physical disruption, an attacker needs to focus on the control level, understand the attack outcomes, find out the control principles and failure conditions of the system.Furthermore, we observed that the timing aspects of attacks, the properties of physical processes (such as the speed limitation of valves), the application period of control input, the false-positive probability of IDSs and intrusion detection interval have significant impacts on the attack outcomes and therefore on the physical process resiliency.As a future work, we plan to extend the proposed model and apply it to large-scale CPSs.

Fig. 1
Fig. 1 Abstraction of a control loop in CPSs with IDS

Fig. 2
Fig. 2 The proposed model and its underlining semi-Markov model (a) Proposed SPN model, (b) Underlying semi-Markov model of the proposed SPN model

P
A, N P A, FP P A, A P A, D P A, F P D, N P D, FP P D, A P D, D P D, F P F, N P F, FP P F, A P F, D P F, F = P N, N P N, FP P N,

Fig. 3
Fig. 3 Graphical representation of the plant considered as a case study

Fig. 4
Fig. 4 Behaviour of the system (a) Water level inside tank 1 and tank 2 in both start-up and stationary-operation phases, (b) Level inside tank 1 and tank 2 as a result of the first attack against the plant, (c) Level inside tank 2 in normal and attacked states, (d) Process returns back to the normal state after 270 s from terminating the attack

Fig. 5 Fig. 6 Fig. 7
Fig. 5 Water level in tank 2 (a) Under attack for 0.2 s control scheduling time, (b) Water level in tank 2 for the valve speed limitation of 2/s

Table 1
Places in the presented SPN model Place Meaning P_Normal system continues to its normal operation P_NoAttack no attack takes place P_Detecting IDS tries to detect suspicious behaviours P_Failure system fails P_Attack attack takes place P_FalsePositive false alarm is produced by IDS when no attack has taken place P_TruePositive attack is detected by IDS

Table 2
Places in the presented SPN model Transition Meaning T_Attack attacker conducts an attack T_FalsePositive IDS falsely detects an attack T_TruePositive IDS correctly detects an attack T_RecoveryFP produced false-positive alert is identified by the system as a false alarm T_RecoveryTP system recovers from a compromising attack T_Failure system enters to the failure state as a result of an attack T_Controlling application period of control input 52 IET Cyber-Phys.Syst., Theory Appl., 2019, Vol. 4 Iss. 1, pp. 50-57 This is an open access article published by the IET under the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0/)

Table 3
Input parameters to the presented SPN model Parameter Meaning IET Cyber-Phys.Syst., Theory Appl., 2019, Vol. 4 Iss. 1, pp. 50-57 This is an open access article published by the IET under the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0/)P N, N P N, FP P N, A P N, D P N, F P FP, N P FP, FP P FP, A P FP, D P FP, F