Title: Cost-aware securing of IoT systems using attack graphs
Authors : Yiğit, Beytüllah
Gür, Gürkan
Alagöz, Fatih
Tellenbach, Bernhard
Published in : Ad hoc Networks
Volume(Issue) : 86
Pages : 23
Pages to: 35
Publisher / Ed. Institution : Elsevier
Issue Date: 2019
License (according to publishing contract) : Licence according to publishing contract
Type of review: Peer review (publication)
Language : English
Subject (DDC) : 004: Computer science
Abstract: The Internet of Things (IoT) contains a diverse set of sensors, actuators and other Internet-connected devices communicating, processing data and performing a multitude of functions. It is emerging as an integral part of societal infrastructure enabling smart services. However, these connected objects might have various vulnerabilities that can lead to serious security compromises and breaches. Securing and hardening of IoT systems is thus of vital importance. In that regard, attack graphs provide analytical support to prevent multistep network attacks by showing all possible sequences of vulnerabilities and their interactions. Since attack graphs generally consist of a very large number of nodes, it is computationally challenging to analyze them for network hardening. In this paper, we propose a greedy algorithm using compact attack graphs to find a cost-effective solution to protect IoT systems. First, we extract all possible attack paths which reach predetermined critical resources embedded in the network. Then, exploit or initial condition with minimum effective cost is selected to be removed. This cost is calculated as a function of contribution to attack paths (the higher, the better) and removal cost (the lower, the better). This process continues iteratively until the total cost exceeds the allocated budget. The experimental results show that our algorithm scales almost linearly with the network size and it can be applied to large-scale graphs with a very large number of IoT nodes. In addition to network-hardening, our proposal measures the security level of the network in every step to demonstrate the vulnerability grade of the system.
Departement: School of Engineering
Organisational Unit: Institute of Applied Information Technology (InIT)
Publication type: Article in scientific journal
DOI : 10.1016/j.adhoc.2018.10.024
ISSN: 1570-8705
1570-8713
URI: https://digitalcollection.zhaw.ch/handle/11475/15675
Appears in Collections:Publikationen School of Engineering

Files in This Item:
There are no files associated with this item.


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.