Abstract
This paper presents an Internet of Things (IoT) architecture and associated attack taxonomy, along with a tool named Attack Trees in IoT (ATIoT), which was designed to generate attack trees from a description of a system. The tool obtains the description via a series of questions about the IoT system. The proposed IoT architecture was developed with security into consideration, allowing to define security requirements that each component may need to fulfill with more granularity. The associated attack taxonomy provides a comprehensive overview of the different types of attacks that an IoT system may face, categorized from the components of the proposed architecture. The ATIoT tool leverages the IoT architecture and attack taxonomy to generate attack trees that can be used to identify potential attack vectors, and therefore aids in prioritizing security controls for an IoT system. The tool asks a series of questions about the IoT system, including its functionalities and characteristics, and generates an attack tree based on the responses. The tool is designed to be accessible to developers with little to no security expertise, providing a user-friendly interface and automated attack tree generation. Using the tool, developers can gain a better understanding of the security risks associated with their IoT systems and implement appropriate security controls to mitigate those risks.
References
Al-Qaseemi, S.A., Almulhim, H.A., Almulhim, M.F., Chaudhry, S.R.: IoT architecture challenges and issues: lack of standardization. In: 2016 Future Technologies Conference (FTC), pp. 731–738 (2016). https://doi.org/10.1109/FTC.2016.7821686
Al-Qaseemi, S.A., Almulhim, H.A., Almulhim, M.F., Chaudhry, S.R.: IoT architecture challenges and issues: lack of standardization. In: 2016 Future Technologies Conference (FTC), pp. 731–738. IEEE (2016)
Caltagirone, S., Pendergast, A., Betz, C.: The diamond model of intrusion analysis. Technical report, Center For Cyber Intelligence Analysis and Threat Research Hanover Md (2013)
Cisco: IoT reference model (2014). http://cdn.iotwf.com/resources/72/IoT_Reference_Model_04_June_2014.pdf
ENISA: Good practices for security of IoT: secure software development lifecycle. Technical report (2019)
ETSI: M2M architecture (2011). https://docbox.etsi.org/workshop/2011/201110_m2mworkshop/02_m2m_standard/m2mwg2_architecture_pareglio.pdf
Hassan, R., Qamar, F., Hasan, M.K., Aman, A.H.M., Ahmed, A.S.: Internet of things and its applications: a comprehensive survey. Symmetry 12(10), 1674 (2020)
Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40196-1_15
Mishra, N., Pandya, S.: Internet of things applications, security challenges, attacks, intrusion detection, and future visions: a systematic review. IEEE Access 9, 59353–59377 (2021). https://doi.org/10.1109/ACCESS.2021.3073408
Mohsin, M., Anwar, Z., Husari, G., Al-Shaer, E., Rahman, M.A.: IoTSAT: a formal framework for security analysis of the internet of things (IoT). In: 2016 IEEE Conference on Communications and Network Security (CNS), pp. 180–188. IEEE (2016)
Samaila, M.G., José, M.Z., Sequeiros, J.B., Freire, M.M., Inácio, P.R.: IoT-HarPSecA: a framework for facilitating the design and development of secure IoT devices. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1–7 (2019)
Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)
Sequeiros, J.B., Chimuco, F.T., Samaila, M.G., Freire, M.M., Inácio, P.R.: Attack and system modeling applied to IoT, cloud, and mobile ecosystems: embedding security by design. ACM Comput. Surv. (CSUR) 53(2), 1–32 (2020)
Instituto de Telecomunicações: Securiotesign (2022). https://lx.it.pt/securIoTesign/
Yadav, T., Rao, A.M.: Technical aspects of cyber kill chain. In: Abawajy, J.H., Mukherjea, S., Thampi, S.M., Ruiz-Martínez, A. (eds.) SSCC 2015. CCIS, vol. 536, pp. 438–452. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22915-7_40
Yathuvaran, A.: AT-AT (attack tree analysis tool) (2022). https://github.com/yathuvaran/AT-AT
Acknowledgements
This work was performed under the scope of Project SECURIoTESIGN, with funding from FCT/COMPETE/FEDER (projects with reference numbers UIDB/50008/2020 and POCI-01-0145-FEDER-030657), and FCT research and doctoral grants BIM/n\(^{\circ }\)32/2018-B00582 and SFRH/BD/133838/2017, respectively, and also supported by operation Centro-01-0145-FEDER-000019 - C4 - Centro de Competências em Cloud Computing, co-financed by the European Regional Development Fund (ERDF) through the Programa Operacional Regional do Centro (Centro 2020), in the scope of the Sistema de Apoio à Investigação Científica e Tecnológica - Programas Integrados de IC &DT.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Sequeiros, J.B.F., Chimuco, F.T., Simões, T.M.C., Freire, M.M., Inácio, P.R.M. (2024). An Approach to Attack Modeling for the IoT: Creating Attack Trees from System Descriptions. In: Barolli, L. (eds) Advanced Information Networking and Applications. AINA 2024. Lecture Notes on Data Engineering and Communications Technologies, vol 200. Springer, Cham. https://doi.org/10.1007/978-3-031-57853-3_36
Download citation
DOI: https://doi.org/10.1007/978-3-031-57853-3_36
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57852-6
Online ISBN: 978-3-031-57853-3
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)