SCIBORG: Secure Configurations for the IoT Based on optimization and Reasoning on Graphs

Addressing security misconfiguration in complex distributed systems, such as networked Industrial Control Systems (ICS) and Internet of Things (IoT) is challenging. Owners and operators must go beyond tuning parameters of individual components and consider the security implications of configuration changes on entire systems. Given the growing scale of cyber systems, this task must be highly automated. Unfortunately, prior work on configuration errors has largely ignored the security impact of configurations of connected components. To address this gap, we present SCIBORG, a framework that improves the security posture of distributed systems by examining the impact of configuration changes across interdependent components using a graph-based model of the system and its vulnerabilities. It formulates a Constraint Satisfaction Problem from the graph-based model and uses an SMT solver to find optimal configuration parameter values that minimize the impact of attacks while preserving system functionality. SCIBORG also provides supporting evidence for the proposed configuration changes. We evaluate SCIBORG on an IoT testbed.

[1]  Francesco Bonchi,et al.  Scalable Online Betweenness Centrality in Evolving Graphs , 2014, IEEE Transactions on Knowledge and Data Engineering.

[2]  Sushil Jajodia,et al.  NSDMiner: Automated discovery of Network Service Dependencies , 2012, 2012 Proceedings IEEE INFOCOM.

[3]  Sushil Jajodia,et al.  A Graphical Model to Assess the Impact of Multi-Step Attacks , 2018 .

[4]  Jeannette M. Wing,et al.  An Attack Surface Metric , 2011, IEEE Transactions on Software Engineering.

[5]  V. S. Subrahmanian,et al.  Fast Activity Detection: Indexing for Temporal Stochastic Automaton-Based Activity Models , 2013, IEEE Transactions on Knowledge and Data Engineering.

[6]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[7]  Barbara G. Ryder,et al.  Constructing the Call Graph of a Program , 1979, IEEE Transactions on Software Engineering.

[8]  Jeffrey C. Carver,et al.  Attack surface definitions: A systematic literature review , 2018, Inf. Softw. Technol..

[9]  Steven M. Bellovin Attack Surfaces , 2016, IEEE Secur. Priv..

[10]  Paramvir Bahl,et al.  Discovering Dependencies for Network Management , 2006, HotNets.

[11]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[12]  Tianyin Xu,et al.  Systems Approaches to Tackling Configuration Errors , 2015, ACM Comput. Surv..

[13]  Sushil Jajodia,et al.  Disrupting stealthy botnets through strategic placement of detectors , 2015, 2015 IEEE Conference on Communications and Network Security (CNS).