Toward the automation of threat modeling and risk assessment in IoT systems

Abstract

The Internet of Things (IoT) has recently become one of the most relevant emerging technologies in the IT landscape. IoT systems are characterized by the high heterogeneity of involved architectural components (e.g., device platforms, services, networks, architectures) and involve a multiplicity of application domains. In the IoT scenario, the identification of specific security requirements and the security design are very complex and expensive tasks, since they heavily depend on the configuration deployment actually in place and require security experts. In order to overcome these issues, we propose an approach aimed at supporting the security analysis of an IoT system by means of an almost completely automated process for threat modeling and risk assessment, which also helps identify the security controls to implement in order to mitigate existing security risks. We demonstrate the effectiveness of the approach by discussing its application to a home automation system, built on top of commercial IoT products.
