Modified graph-based algorithm to analyze security threats in IoT

In recent years, the growing and widespread usage of Internet of Things (IoT) systems has led to the emergence of customized structures dependent on these systems. Industrial IoT (IIoT) is a subset of IoT in terms of applications and usage areas. IIoT presents many participants in various domains, such as healthcare, transportation, agriculture, and manufacturing. Besides the daily life benefits, IIoT technology provides major contributions via the Industrial Control System (ICS) and intelligent systems. The convergence of IoT and IIoT systems brings some integration and interoperability problems. In IIoT systems, devices interact with each other using information technologies (IT) and network space. However, these common usages and interoperability led to some security risks. To avoid security risks and vulnerabilities, different systems and protocols have been designed and published. Various public databases and programs identify and provide some of the security threats to make it easier for system administrators' missions. However, effective and long-term security detection mechanisms are needed. In the literature, there are numerous approaches to detecting security threats in IoT-based systems. This article presents two major contributions: First, a graph-based threat detection approach for IoT-based network systems is proposed. Threat path detection is one of the most critical steps in the security of IoT-based systems. To represent vulnerabilities, a directed acyclic graph (DAG) structure is constructed using threat weights. General threats are identified using Common Vulnerabilities and Exposures (CVE). The proposed threat pathfinding algorithm uses the depth first search (DFS) idea and discovers threat paths from the root to all leaf nodes. Therefore, all possible threat paths are detected in the threat graph. Second, threat path-reducing algorithms are proposed considering the total threat weight, hop length, and hot spot thresholds. In terms of available threat pathfinding and hot spot detecting procedures, the proposed reducing algorithms provide better running times. Therefore, all possible threat paths are founded and reduced by the constructed IoT-based DAG structure. Finally, simulation results are compared, and remarkable complexity performances are obtained.


INTRODUCTION
The rise of Internet of Things (IoT) technologies has drawn significant attention from different organizations, industries, and fields.When considering real-time benefits, acyclic graph (DAG)-based solutions were presented for IoT networks.DAG is a graph type that does not contain any directed cycles.In general, a directed graph structure refers to a structure consisting of edges and vertices.DAG structure does not allow for the formation of a cycle by the same vertex and edge connections.It is impossible to begin at one point in the graph and traverse the entire graph.Each edge is directed from a previous edge to the next edge.Contrary to existing intrusion detection and prevention schemes, we propose a DAG-based representation of security attacks and identify all attack paths from source to target, taking into account IIoT systems.In conventional network systems, fixed protocols and standards provide comprehensive solutions most of the time.Unlike these conventional systems, IoT and IIoT systems are quite different in terms of device features and network range.In IIoT systems, there can be a huge number of connected devices.Therefore, it is almost impossible to change the device structure and address vulnerability issues.To mitigate risk and attack scenarios, alternative and effective models are needed.The designed and proposed models should work for all attack types and scenarios.

Motivation
In George & Thampi (2018), a graph-based security framework was presented for IIoT networks.The security issues in the IIoT network were defined as related to vulnerabilities in the IIoT devices.In addition, the threat and vulnerability relations were represented as a directed graph.According to the designed graph, some attack types in devices were weighted using the Common Vulnerability Scoring System (CVSS), and threat calculations were made via the weighted graph.The main motivation of this article is to propose a graphical model that represents attacks on IIoT networks and depending on attacks and threats, to find attack paths on graphs and reduce these paths according to varying metrics.
There are many studies in the literature that represent attacks and vulnerabilities in IoT and IIoT network systems.Some of the related studies that are investigating and designing threat graphs were highlighted in "Related Works".In general, it is seen that various approaches were proposed to represent attacks on IoT and IIoT networks.However, the number of articles to find attack paths on IoT-based networks is very limited.In addition, very few studies focus on threat path reductions, considering threat path weights and path length.This study represents threats to the general IoT networks via their graph structure.Using the graph structure, each of the threats on the network can be represented as a node.In addition, the graph structure shows the relationship between the nodes clearly and with low complexity.With graph structure, all neighborhoods, weight values, and paths between the source and the destination can be shown in an organized manner.Therefore, the relationship between the threats is shown in the proposed structure as a graph.When a graph structure is generated, the DFS algorithm is used to traverse the graph and find the paths from the source to the destination.The DFS algorithm works by deeply visiting the neighbors of the visited nodes.When the visited node does not contain any child nodes, graph traversing is completed.Since the DFS algorithm works using a stack structure, it has less time and space complexity than the Breadth First Search (BFS) algorithm.Therefore, the DFS algorithm is used in the proposed procedure to find all possible threat paths.This article brings to our attention two significant advantages.First, the proposed threat graph works regardless of the threat types that were identified by the Common Vulnerabilities and Exposures (CVE) or any other threat identification programs and databases.The second is that threat finding and reducing algorithms perform better in terms of running time, and algorithm complexity compared to George & Thampi (2018).In addition, we compare our study with Arat & Akleylek (2023a) in terms of threat pathreducing procedure.

Our contribution
The main contributions of the study can be summarized as follows: This study presents a new graph-based approach to represent general threat types in IoT-based networks.The graph-based approach to analyze security threats given in George & Thampi (2018) is modified by considering the threat detection method.This modification includes the DFS algorithm, which is traversing or searching graph algorithm, finding threat paths.In addition, path-reducing algorithms are merged into a compact algorithm.The modified algorithms reduce threat paths considering thresholds and compute varying values such as cumulative threat, hop length, and hot spot values on the threat path.Finally, the time complexity for hot spot detection on the threat graph is decreased by the proposed hot spot detection method.The proposed approach is compared to another graph-based threat assessment model given in Arat & Akleylek (2023a) in terms of threat path-reducing methods.According to the experimental results, the proposed idea gives better running time output in terms of threat pathfinding and hot spot detection procedures.

Organization
The article is organized as follows: In 'Preliminaries', we give preliminaries of the study supporting graph-based approaches in the literature and some of the device threats defined in CVE and other databases.In 'The Proposed Idea', general details of the proposed approaches are presented in terms of graph structure and related procedures.In 'Experiments', proposed procedures are explained and implemented for experiments, and experimental results are highlighted.Finally, we conclude the presented study, and we give future works in 'Conclusion and Future Works'.

PRELIMINARIES
In this section, we present the preliminaries of the study.In 'Attack graph' we give the selected attack types and their base scores using CVE and CVSS.In addition, we investigate graph-based security approaches on IoT and IIoT networks in 'Related works'.Table 1 illustrates abbreviations and variables used throughout the article.

Attack graph
In this subsection, some IoT-based vulnerabilities are presented.In our assumptions, these vulnerabilities are used to generate a threat graph.There are many presented vulnerabilities in IoT-based networks.These attacks and threats are defined and classified in various databases.CVE is a database that identifies and classifies cyber security vulnerabilities (CVE, 2023).Various vulnerabilities and threats are discovered by organizations, and CVE publishes these vulnerabilities.In this work, we define some of these vulnerabilities, which are related to our assumptions.For example, CVE-2014-2360 is a vulnerability that allows malicious users to execute arbitrary codes.It exists in wireless sensor I/O modules.CVE-2022-25359 is another vulnerability that exists in SCADA controllers.It allows unauthenticated users to change system files.CVE-2022-0162 exists in some wireless router types, and an attacker may intercept router credentials and perform management operations via the wireless router interface.CVE-2011-2688 is a SQL injection vulnerability that exists on web servers.Through CVE-2019-2776, an attacker may cause intrusions into the Oracle database.CVE-2021-4045 vulnerability exists on IP cameras and allows attackers to control all camera activities.CVE-2021-30353 vulnerability may cause improper validation in Snapdragon IIoT.Table 2 shows some published vulnerabilities and their Version 2 Base Scores (BS) in the CVE program and the National Vulnerability Database (NVD), which exist in IoT-based systems.

Related works
In this subsection, we investigate proposed security models.There are several works for IIoT and IoT systems.Therefore, we consider graph-based intrusion and threat detection models in the literature in the investigation.The main differences between the literature and our study are we consider graph-based threat modeling approaches to present an approach.We also use algorithmic methods to detect, compute, and reduce risks, and we improve the literature in terms of complexity and running time using varying existing and customized algorithms.In addition, we propose a generic vulnerability assessment method to apply for each platform.Table 3 summarizes graph-based security approaches in the literature.
In Wang et al. (2018), the vulnerability assessment model was designed in IIoT.The designed model works graph-based and considers the maximum flows of the path.In an attack graph, nodes represent the host property, and edges represent attacks or vulnerabilities.The method considers node and edge relationships to identify maximum flows.The attack risk was calculated by graph weight, and the maximum loss flow represents the attack path.In addition, evaluation results were demonstrated under various nodes.
In Qureshi et al. (2020), a routing protocol for low-power and lossy networks (RPL)based threat detection model was proposed.The proposed model performs by detecting the different types of attacks, such as Sinkhole attacks, HELLO-Flood attacks, and Blackhole attacks, in an IIoT environment.With the rank structure of RPL messages, the message transmitting time was considered as a determining factor of malicious nodes.The idea relied on threshold values.The experimental results were compared by a standard RPL algorithm.
In Sun et al. (2021), a malware detection scheme was proposed.The proposed scheme considers malware behavior graphs.Graph optimizations and malware classification were made on malware types such as Delf, Obfuscated, etc.The experimental results were evaluated in terms of true positive rate accuracy.
In Nguyen et al. (2022), a supervised machine learning classification method was proposed.A graph-based hybrid analysis method, which contains static and dynamic methods, was used in IoT botnet detection.Malware classification was made using printable string information graph (PSI) features via machine learning-based algorithms such as decision tree (DT) and k-nearest neighbor (kNN).The graph generation is Oðn 2 Þ, Computational complexity of prior or posterior cases is Oð2 n Þ.

General network system
Proposed model is not scalable for large networks.No method was proposed to reduce the attack path.

Wang et al. (2018)
Finds maximum loss flow in graph.
Nodes represent hop and edges represent threats.Works on a directed graph.

Vulnerability detection is
Oðn:pÞ, Maximum loss flow is OðnÞ, Path seeking is IIoT No methods were proposed to reduce attack paths or edges.

George & Thampi (2018)
Finds and reduces attack paths in graph.Vertices represent the vulnerabilities, edges represent relations between vulnerabilities.Works on a directed graph.

IIoT
Final results were calculated manually.The graph was designed for IIoT networks.In generating subgraphs, separated procedures were used.

Polatidis, Pavlidis & Mouratidis (2018)
Proposed attack path identification approach.Attack graph approach was used.Attack paths were identified using the DFS algorithm.
The complexity of algorithms were not analyzed.

General network system
Real time data was used.Threat weights were not considered.

Mouratidis & Diamantopoulou (2018b)
Proposed security analysis method for IIoT.The proposed method includes two phases.Each IIoT component was represented as an actor.
The complexity of algorithms were not analyzed.

IIoT
Real time data was used.Potential attack paths were identified and categorized considering importance.Attack paths were not filtered, considering their importance.

Qureshi et al. (2020)
Detects different type of attacks using RPL.Genetic algorithm was used to detect presence of security threats.Nodes represent devices.Works on DODAG.
The complexity of algorithms were not analyzed.

Smart home IIoT
Proposed algorithms work only detects vulnerabilities different type of attacks.Threat weights were not considered.

Sun et al. (2021)
Proposed graph-based malware detection architecture.Malware detection scheme works based on classification.
The complexity of algorithms were not analyzed.

IIoT
Proposed methods only detect malware considering behavior graph.Threats and path weights were not considered.

Stellios, Kotzanikolaou & Grigoriadis (2021)
Proposed graph-based attack path identification and risk assessment method.Interaction modeling was performed to define device relations.
For the graph construction phase, computational cost is OðD n Þ where Dis set of all the devices, and n is the number of interactions.
IoT Proposed methods works using pre-defined interactions.Some devices can interacts with each others without predefined connections.In Jing & Wang (2022), a graph theory-based DDoS attack detection method was proposed for IP ports from source to destination.Edge and vertex structures were generated to extract traffic data characteristics.Next, clustering and classifying were done via principal component analysis (PCA) and Fuzzy C-means (FCM) clustering methods.The proposed model works in IP-connected topologies, considering traffic flows.
In Poolsappasit, Dewri & Ray (2012), a Bayesian network-based risk assessment framework was proposed.The designed model incorporates different relationship models such as attack graphs and attack trees.The initial test vulnerabilities were generated using CVSS, and network attacks were modeled as a Bayesian attack graph (BAG).To manage network risks, the graph was generated considering the probabilities of attributes.With the spot detection is OðVÞ.

General network system
Running time for path detection is reduced.Hot spot detection complexity is reduced.The final results are calculated inside the procedures.
BAG structure, pre-conditions and post-conditions were highlighted in terms of vulnerability exploitation.

THE PROPOSED IDEA
In this section, we present the details of the proposed idea.We also explain the designed and modified algorithms via separated subsections.The main differences from George & Thampi (2018) are vulnerability path detection methods and path reduction procedures.In George & Thampi (2018), the authors used a recursive pathfinding algorithm.In our approach, the graph searching and traversing method, which is known as DFS, is used to detect vulnerabilities in graphs.In addition, subgraph-generating algorithms are merged without any additional procedures.
An attack graph is a network security application of graph theory that can be used to detect an attack or vulnerability route, with the node representing the hosts' state or properties (Szwed & Skrzyński, 2014).In this definition, an attack or vulnerability graph can be represented according to host and attack types, pre or post-threat conditions, and host and attack relations, considering attack weights.Therefore, possible threat paths can be detected using the graph theory.For this reason, this article uses attack attributes and weights representing general IoT-based network topology to analyze threat paths and network vulnerabilities.
In Fig. 1, the proposed threat detection model is demonstrated with three basic tasks.The main tasks of the proposed model include the following tasks: Considering IoT-based device connections, network elements are represented as a vulnerability or threat.Since each network element has a vulnerability defined in CVE or other databases.To generate graph topology, nodes, and connection links are connected in a DAG structure.Using the CVSS scores, communication links are weighted, and vertices are referred to as attack types.According to the generated graph structure, all possible attack paths from source to destination are detected using a DFS-based discovery algorithm.Considering attack paths, weighted links and the number of paths are reduced using hop count, threat threshold, and hot spot threshold values.

Representation of threat graph
In this section, we give the general threat graph representation notations.During the graph construction phase, we assume that the configured attack graph works independently from threats or vulnerabilities.In other words, the designed graph works similarly when the attack or vulnerability characteristics are changed.We construct a general graph model to define our proposed procedures.It can be a conventional network or an IoT-based network.In the representation of TDG, we assume that each node in the graph represents an IoT-based network device such as a sensor, router, or IP-based component.As explained in 'Attack graph', these devices have vulnerabilities that have the potential to affect other devices and systems.In addition, IoT-based network devices have predefined CVSS scores in CVE to determine vulnerability levels.We assign these CVSS scores to edges.In general, each edge is a connection between vertices.Firstly, a device affects a connected device or path depending on its vulnerability.CVSS values consist of base scores provided by the National Vulnerability Database (NVD).These scores represent the unique characteristics of each vulnerability.Since the weighted graph structure is used, we created the weight assignments to the edges in the graph by directly considering the CVSS values between 0 and 10, to be simple and understandable.Due to a representative threat value calculation being used, a different calculation metric or formulation is not used.We focused on calculating the threat value and reducing it according to the threshold value.Therefore, we assign these scores to the links to generate a weighted graph.Then, we compute the path risk level after identifying a communication path using CVSS scores.First, we identify the exploitable threats and elements in the IoT-based network.We define the IoT-based Threat Directed Graph (TDG) formally as follows: 1) ðV; EÞ is a directed acyclic graph, which consists of vertices and edges.
2) N represents the set of nodes in TDG.As the algorithm parameter, each node stores a threat in an IoT-based network.
3) src is the source node that initializes the attack path.It acts as a root node in a graph.
4) dest is the destination node that directly acts as a sink node in a graph.It can be named as a target node.
5) T t represents the set of threats in a graph.
6) k is the threat weight, which is defined in CVSS.
7) E w represents the link of the graph.It is constructed considering CVSS scores and stores k values between two nodes in a graph.
We considered some general network types to realize our graph.In our scenario, there are nodes and their interactions.We defined these pairs as vertices and edges ðV; EÞ.In our assumptions, nodes represent the IoT-based devices that have vulnerabilities and corresponding scores.We also have some edges, which represent dependencies between nodes and vulnerabilities.These dependencies are randomly generated by the custom Python simulator.After the network graph is generated, it can be paired with any device and link, such as an IP-based sensor and network router.For instance, we explain it using a case scenario as shown in Fig. 2.
Figures 3A and 3B illustrates an example representation for TDG.According to the figure, src is the source node, and dest is the destination node.In addition, communication link values between nodes are represented by k which is defined as a threat weight.Additionally, Figs.4-6 in the following sections, show the change of the main graph (Fig. 3B) as a result of the parameters included in the TDG definition and the proposed algorithms.Thus, the current graph structure that is updated due to the performing of the relevant algorithms is visualized.

Detecting of all threat paths
In this subsection, a threat pathfinding algorithm is proposed.A DFS-based traversing graph algorithm is used to find all possible attack paths from source to destination.There can be many paths in a directed graph.Finding all paths that will be used by attackers while calculating the total threat amount is a very heavy load for system administrators.Since detected attacks can be prevented in this way, Algorithm 1 has seven inputs.The inputs are as follows, respectively: Algorithm 1 demonstrates the main steps of threat path detection.To find possible threat paths from src to dest in the given as a parameter TDG graph, GETALLPATHSBYDFS (graph, src, dest, visited, path, pathList, hop) is called.The proposed method works using the DFS algorithm, and the complexity depends on the total number of vertices.
When all possible threat paths are found via Algorithm 1, the total amount of numberof-hop and threats are calculated via Algorithm 2. The algorithm takes two parameters.In the given graph, the number-of-hop is calculated according to the table listOfPath.Since the number of path values is not stored in a parameter, it is calculated considering the length of each path list in the table listOfPath.The algorithm time complexity is OðP ij Þ where the P ij is the number of the path between source i and destination j.Since the algorithm runs for each path in the listOfPath.

Path reduction with threat threshold
In this subsection, we give the path reduction procedure, which works based on threat threshold metrics.A threat path with a high threat amount is more desirable for an attacker in IoT-based TAG.In addition, it will be easier for system administrators to focus on critical nodes and points with high threat value instead of nodes with low threat value in terms of ensuring system security and reliability.Therefore, reducing attack paths with high total threats is essential for security mechanisms.To reduce these types of attack paths, a threat threshold value is used.Algorithm 3 demonstrates a threat path-reducing procedure.The algorithm takes three inputs.listOfPathThreat table stores paths and their total threat values.The algorithm gives a subgraph of TDG ¼ ðV; EÞ which includes removed and remaining paths.The remaining path list is generated considering if the total threat of the path is greater than the threat threshold threatThreshold value.The time complexity of the procedure is given by OðP ij Þ where P ij is the number of paths from source i to destination j.
Figure 4 illustrates the remaining TDG after reducing the path by maximum cumulative threat threshold, and dashed lines represent reduced path fsrc À j À r À destg.

Path reduction with hop length
In this subsection, we give a path reduction procedure that works based on hop length threshold metrics.In vulnerable network topology, more hop counts state is not desired by an attacker since increasing the number of hop counts increases the attack detecting probability.When an attacker wants to reach a destination or target device, it needs to pass through more security mechanisms or a detection strategy.Additionally, considering the Input: A TDG graph, source node src, destination node dest, visited boolean variable visited, path lists, and hop length variable hop.
Output A table listOfPath containing the threat paths from src to dest.overall system, a higher number of hops means more time and protection mechanisms.In this way, it will be difficult for malicious users or threats to damage the device and the network.Therefore, threat paths with a high number of hops are reduced in common conventional threat-based mechanisms.Algorithm 4 demonstrates a path path-reducing procedure which considers the number of hop counts.The algorithm performs using three inputs and produces a subgraph of ðV; EÞ which includes removed and remaining paths.The hop threshold determines the maximum desired path length in pathList.Finally, REDUCEPATHBYHOP(graph, listOfPath, hopThreshold) procedure consists of two tables as a output.The time complexity of the algorithm is given by OðP ij Þ where P ij is the number of paths from source i to destination j.

Detection of hot-spots
In this subsection, we give the hot spot detection procedure, which works based on hot spot threshold metrics.High relations between network devices with each other can be considered a vulnerability in traditional and IoT-based networks.Connections can pose a threat to devices.For example, the IoT-based device, which has many connections as input and output, acts as a HUB device, which provides many uncontrolled connections.Therefore, heavy connected node loads must be detected and reduced.In Algorithm 5, we propose a procedure to detect nodes that have a high connection.
The procedure FINDHotspots (graph, adjDict, alpha) performs using alpha hot-spot threshold value and returns a hash object.The hash object ensures an efficient, convenient structure to quick data storage and retrieval.The hash object stores and retrieves data based on lookup keys.Therefore, it provides time efficiency and prevents data duplication.The hash object hotSpotDict contains key and value pairs that are formed by nodes and hot-spot degrees.In this algorithm, key and value pairs represent nodes and their individual hot spot degrees.In this way, we access the high and low connected nodes and paths quickly due to the average time complexity of the hash data structure in Oð1Þ time.High-connected IoT-based network nodes can be reduced using the returned hash object.The time complexity of the algorithm is given by OðVÞ where V is the number of vertices.
Figure 6 illustrates the remaining TDG after path reduction by hot spot threshold, and dashed lines represent reduced path fsrc À k À r À destg.As seen in the figure, node k has the highest number of connections; therefore, node k can be considered as a hot spot maximum node.

Comparison
In this subsection, we compare our study with George & Thampi (2018) in terms of algorithmic approaches and complexity.According to the comparison, our modified threat-finding algorithm works based on DFS.Therefore, it works recursively.Also, in Algorithm 2, the hop length variable is generated using the length of the path in the list.In addition, remaining and reduced path lists are generated using a single and compact procedure.In George & Thampi (2018), pathfinding algorithm complexity is related to the number of paths and path length.In our approach, the time complexity depends on the Algorithm 5 Algorithm to find hot spots.
Input: A TDG graph, hash object adjDict, and hot spot threshold value alpha.
Output A hash object hotSpotDict containing nodes and hot spots.

2:
adjDict object contains all nodes and their connections as key and value pairs.

Example scenario
In this subsection, we present an example IoT-based threat graph scenario.In this scenario, a threat graph was generated using nine threat nodes.Node connections and locations were randomly distributed.In addition, the threat weights were set using CVSS metrics.In general, we propose an attack or threat path detection approach using graph theory.We use the DFS algorithm to traverse the graph and identify all paths from source to destination.In addition, we propose threat path-reducing procedures to assess and mitigate risk in the IoT network topology to provide a more secure communication structure.Tables 5 and 6 summarize the computation results of the example scenario.In these tables, we give the results of the example running using Fig. 7.For instance, in Table 5, we give the results of the path detection and threat computing procedures.We also determine the hop length of the identified paths.Likewise, Table 6 summarizes the focused points in terms of the number of hops, average threat value, and some maximum and minimum values, using the results in Table 5.

Performance analysis
In this subsection, we present the simulation results and performance evaluations.To investigate the behaviors of proposed methods under various parameters, we change the number of nodes, the number of edges, the threat threshold, the hop threshold, and the hot spot threshold values.Therefore, the proposed algorithms run over various scalable network sizes, and we present a comprehensive performance analysis.The simulation results are presented considering average values of 1,000 iterations.Figure 8 demonstrates the number of nodes to be removed against a varying number of nodes.In an IoT-based network graph, the hop threshold is set at 6, the threat threshold at 0.1, and the hot spot index at 3. According to Fig. 8, the number of removed paths decreases as the depending on the number of nodes increases.When new nodes are joined to the IoT-based network topology, the number of paths between the source and destination increases.The total threat value decreases when the path length and the total number of nodes are considered.This is because the desired metric is to reduce threat paths that have high total threat values and less hop count.
Figure 9 depicts the number of nodes to be removed against the number of edges.The hop threshold in an IoT-based network graph is set to 6, the threat threshold to 0.1, and the hot-spot index to 3. According to the figure, the number of nodes to be removed increases as the number of nodes increases.Since the number of paths between source and destination increases as the number of edges increases.Path length and the total number of edges are considered the overall threat value increases.If the cumulative threat value of the path exceeds the threat threshold value, the path is removed.Since the main goal of the procedure is to reduce threat paths with high cumulative threat values.Figure 10 demonstrates the number of nodes to be removed against varying hop thresholds.In an IoT-based network graph, the number of nodes is set at 20, the threat threshold at 0.1, and the hot-spot index at 3. According to the figure, the number of paths to be removed decreases as the hop threshold increases.Since, considering the fixed number of nodes, edges, and threat threshold, the number of paths from the source to the destination is constant.Accordingly, the total threat value and hop count of paths do not change.The increasing number of hops reduces the number of reduced paths due to the fixed path length.
Figure 11 shows the number of nodes to be removed under varying threat thresholds.The number of nodes is set at 20, the hop threshold at 6, and the hot-spot index at 3 for this running.It is clear that the number of paths to be removed decreases as the threat threshold increases.Since, the number of paths from the source to the destination is constant considering the fixed number of nodes, edges, and hop threshold.In addition, the Figure 12 demonstrates the running time results between Arat & Akleylek (2023a) and our studies in terms of threat path-reducing algorithms.According to the results, our proposed procedure performs better under an increased number of nodes.The pathreducing algorithm given in Arat & Akleylek (2023a) calls threat computing procedure and it works Oðn 3 Þ time complexity due to the Floyd-Warshall algorithm.Our proposed reducing procedure takes the threat amount as a parameter which is computed in the Algorithm 2, and it works linearly due to accessing the threat amount.
For the hot spot detection, according to Fig. 13, it is obvious that the number of hot spots detected for a fixed number of nodes decreases as the cut-off index increases.In addition, the number of detected hot spots decreases as the number of nodes increases for Figure 14 highlights comparison results between George & Thampi (2018) and our studies in terms of running time due to threat path detection procedures.The comparison is made under various numbers of nodes and it is obvious that our proposed threat path detection procedure outperforms (George & Thampi, 2018).Since the proposed procedure works using the DFS algorithm, any additional variable is not used to store visited nodes on the traversed graph.
Figure 15 compares George & Thampi (2018) and our study in terms of running time due to hot spot finding procedures.As seen in the figure, the proposed hot spot detecting procedure outperforms (George & Thampi, 2018) under the varying number of nodes.The main difference between the studies is that our proposed procedure uses hash objects to store node data, labels, and hot spot values.Therefore, the procedure can access the stored data quickly.In addition, the proposed method performs linear and OðnÞ time complexity.

CONCLUSION AND FUTURE WORKS
Detection and prevention of potential threat paths in network systems is a key issue for network and system administrators.Especially in IoT-based systems, which have high interaction and connections among devices, security vulnerability detection is essential.This study focuses on vulnerability and threat detection in IoT-based systems.Considering the existing graph-based assessment methods, threat paths are represented as a DAG.A weighted graph structure is generated using the CVSS base scores to help calculation of several parameters and metrics.In addition, the threat pathfinding method is modified using the DFS algorithm.All possible threat paths are detected by the DFS algorithm.Therefore, the existing attack pathfinding procedure was improved in terms of the running time period.Using hop length and cumulative threat values, detected vulnerability paths are reduced considering the determined threshold values.As a final, a hot spot detection algorithm, which is used to compute node connections, is designed.Also, the hot spot detecting algorithm was improved in terms of running time complexity.The performance evaluation is made using a custom simulator, which is designed in the Python programming language.According to the evaluation results, the obtained performance outputs were presented.Proposed and modified algorithms provide detection and removal of threat paths on networks.Time complexities of existing threat paths and hot spot detecting procedures were reduced by proposed methods.We improved the previous study in terms of algorithmic approaches, complexity, and time efficiency.This means that we proposed compact and complete procedures in a different way in terms of pathfinding and threat computing.We also concatenated graph-reducing procedures according to a previous study.In future studies, attack tree modeling for other platforms such as avionics will be studied.

Figure 1
Figure 1 Main steps of the proposed idea.Full-size  DOI: 10.7717/peerj-cs.1743/fig-1 IoT-based network graph TDG, Source node src, Destination node dest, Boolean value to determine visited nodes, List of detected attack nodes, List of all detected attack path, Hop count parameter.

Figure 5
Figure5illustrates the remaining TDG after reducing the path by hop length threshold, and dashed lines represent reduced path fsrc À i À t À m À destg.

Figure 8 Figure 9
Figure 8 Number of paths to be removed under various numbers of nodes.Full-size  DOI: 10.7717/peerj-cs.1743/fig-8

Table 1
Abbreviations and variables used through the article.

Table 2
Some of IoT-based vulnerabilities.

Table 3
Highlights of the related works.

Table 3
Algorithm 2 Algorithm to compute hop and threat values.Input: A TDG graph, path list listOfPath.
Algorithm 3 Algorithm to reduce paths by threat.Input: A TDG graph, path lists listOfPath, and threat threshold value threatThreshold Output Tables remainingPath and removedPath containing removed and remaining paths.
Input: A TDG graph, path lists listOfPath, and hop threshold value hopThreshold Output Tables remainingPath and removedPath containing removed and remaining paths.Arat and Akleylek (2023), PeerJ Comput.Sci., DOI 10.7717/peerj-cs.1743 Arat and Akleylek (2023), PeerJ Comput.Sci., DOI 10.7717/peerj-cs.174318/28anIoT-based network threat graph.The graph topology is designed to support all threat types.In other words, the proposed algorithms run considering general threat and attack types that were defined in CVE.The simulation is performed on the same machine, which has an Intel Core i5 10300H CPU, 16 GB of RAM, and a GTX 1650 GPU.

Table 5
General results of example scenario.Table 6 Computation results of example scenario.