Cost-aware securing of IoT systems using attack graphs

The Internet of Things (IoT) contains a diverse set of sensors, actuators and other Internet-connected devices communicating, processing data and performing a multitude of functions. It is emerging as an integral part of societal infrastructure enabling smart services. However, these connected objects might have various vulnerabilities that can lead to serious security compromises and breaches. Securing and hardening of IoT systems is thus of vital importance. In that regard, attack graphs provide analytical support to prevent multistep network attacks by showing all possible sequences of vulnerabilities and their interactions. Since attack graphs generally consist of a very large number of nodes, it is computationally challenging to analyze them for network hardening. In this paper, we propose a greedy algorithm using compact attack graphs to find a cost-effective solution to protect IoT systems. First, we extract all possible attack paths which reach predetermined critical resources embedded in the network. Then, exploit or initial condition with minimum effective cost is selected to be removed. This cost is calculated as a function of contribution to attack paths (the higher, the better) and removal cost (the lower, the better). This process continues iteratively until the total cost exceeds the allocated budget. The experimental results show that our algorithm scales almost linearly with the network size and it can be applied to large-scale graphs with a very large number of IoT nodes. In addition to network-hardening, our proposal measures the security level of the network in every step to demonstrate the vulnerability grade of the system. (C) 2018 Elsevier B.V. All rights reserved.