We present a threat modelling approach to represent changes to the attack paths through an Internet of Things (IoT) environment when the environment changes dynamically, i.e., when new devices are added to or removed from the system or when whole sub-systems join or leave. The proposed approach investigates the propagation of threats using attack graphs. However, traditional attack graph approaches have been applied in static environments that do not continuously change, such as enterprise networks, leading to static and usually very large attack graphs. In contrast, IoT environments are often characterised by dynamic change and interconnection; different topologies of different systems may interconnect with each other dynamically and outside the operator's control. Such new interconnections change the reachability amongst devices, and the corresponding attack graphs change with it. This requires dynamic topology and attack graphs for threat and risk analysis. In this paper, we develop a threat modelling approach that copes with the dynamic system changes that may occur in IoT environments and enables the identification of attack paths whilst allowing for system dynamics. We develop dynamic topology and attack graphs that cope rapidly with changes in the IoT environment by maintaining their associated graphs. To motivate the work and illustrate our approach we introduce an example scenario based on healthcare systems. Our approach is implemented using a Graph Database Management Tool (GDBM), Neo4j, which is a popular tool for mapping, visualising and querying graphs of highly connected data; it provides a rapid threat modelling mechanism, which makes it suitable for capturing security changes in a dynamic IoT environment.
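The dynamic topology and attack-graph maintenance the abstract describes, shown as an added example that is not the paper's own code: the paper implements its graphs in Neo4j, whereas this standalone Python model keeps the topology in an in-memory adjacency structure so it runs offline. Devices are nodes, network links are edges, and an attack path may only traverse devices marked as exploitable. Adding a device, merging a whole sub-system, or removing a device updates reachability, and the attack paths from an entry point to a target are recomputed from the maintained graph rather than from a static snapshot. The `DynamicAttackGraph` class, the healthcare device names, their links, and which devices are flagged as exploitable are all constructed for illustration.

```python
"""Added example (not the paper's code): a minimal dynamic topology /
attack graph in which attack paths are recomputed as IoT devices and
sub-systems join or leave. Device names, links and vulnerability flags
are constructed for illustration (hypothetical healthcare scenario)."""
from collections import deque


class DynamicAttackGraph:
    """Topology graph: nodes are devices, edges are network reachability.
    A device is exploitable if it carries a known weakness; an attack path
    may only pass through exploitable devices after the entry point."""

    def __init__(self):
        self.links = {}       # device -> set of directly reachable devices
        self.vulnerable = {}  # device -> bool (has an exploitable weakness)

    def add_device(self, name, vulnerable=False):
        self.links.setdefault(name, set())
        self.vulnerable[name] = vulnerable

    def remove_device(self, name):
        # Dropping a device also drops every link that pointed at it, so the
        # reachability graph stays consistent without a full rebuild.
        self.links.pop(name, None)
        self.vulnerable.pop(name, None)
        for peers in self.links.values():
            peers.discard(name)

    def connect(self, a, b):
        # Bidirectional network link between two existing devices.
        self.links[a].add(b)
        self.links[b].add(a)

    def merge(self, other):
        """Join a whole sub-system (another DynamicAttackGraph), e.g. a
        patient's home devices attaching to the hospital network."""
        for dev, vuln in other.vulnerable.items():
            self.add_device(dev, vuln)
        for dev, peers in other.links.items():
            for p in peers:
                self.connect(dev, p)

    def attack_paths(self, entry, target, max_paths=50):
        """Enumerate simple paths from entry to target whose every hop
        after the entry is an exploitable device (target included)."""
        if entry not in self.links or not self.vulnerable.get(target):
            return []
        paths, queue = [], deque([[entry]])
        while queue and len(paths) < max_paths:
            path = queue.popleft()
            last = path[-1]
            if last == target:
                paths.append(path)
                continue
            for nxt in sorted(self.links[last]):  # sorted for determinism
                if nxt in path or not self.vulnerable.get(nxt):
                    continue
                queue.append(path + [nxt])
        return paths


def scenario():
    """Hypothetical hospital network (constructed): returns the attack
    paths from the internet to an infusion pump at three points in time."""
    hospital = DynamicAttackGraph()
    hospital.add_device("internet")                       # attacker foothold
    hospital.add_device("gateway", vulnerable=True)
    hospital.add_device("ehr_server", vulnerable=False)   # hardened, blocks paths
    hospital.add_device("nurse_tablet", vulnerable=True)
    hospital.add_device("infusion_pump", vulnerable=True)
    hospital.connect("internet", "gateway")
    hospital.connect("gateway", "ehr_server")
    hospital.connect("gateway", "nurse_tablet")
    hospital.connect("nurse_tablet", "infusion_pump")
    hospital.connect("ehr_server", "infusion_pump")
    stages = {"baseline": hospital.attack_paths("internet", "infusion_pump")}

    # A patient's home sub-system joins and links into the ward network.
    home = DynamicAttackGraph()
    home.add_device("home_hub", vulnerable=True)
    home.add_device("wearable", vulnerable=True)
    home.connect("home_hub", "wearable")
    hospital.merge(home)
    hospital.connect("gateway", "home_hub")
    hospital.connect("home_hub", "infusion_pump")
    stages["after_join"] = hospital.attack_paths("internet", "infusion_pump")

    # The nurse tablet leaves the network; its paths disappear immediately.
    hospital.remove_device("nurse_tablet")
    stages["after_leave"] = hospital.attack_paths("internet", "infusion_pump")
    return stages


if __name__ == "__main__":
    for stage, paths in scenario().items():
        print(stage, [" -> ".join(p) for p in paths])
```

The three stages show the point the abstract makes: the baseline has one path to the pump, the joining home sub-system opens a second one through the hub, and removing the tablet closes the original path while the new one remains. In the paper's Neo4j setting the same recomputation is a variable-length path query over the maintained graph (schema details are the paper's, not shown here); the in-memory model above simply makes the join/leave behaviour observable without a database.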