Deployment Optimization of IoT Devices through Attack Graph Analysis


Deployment Optimization of IoT Devices through Attack Graph Analysis Noga Agmon Supervisors: Dr. Rami Puzis, Dr. Asaf Shabtai Dept. of Software and Information Systems Engineering, Ben-Gurion University of the Negev, Israel

Example

Research Goals Investigate the security implications of different IoT deployments. Develop an algorithm to find the deployment with the minimum security risk (optimal deployment).

Example [Figure: Attack Graph, Attack Path]

Attack Graph – Background Model of a computer network that encompasses computer connectivity, vulnerabilities, assets, and exploits. Used to represent collections of complex multi-step attack scenarios. A security analyst can assess the risks of potential intrusions and devise effective protective strategies by analyzing the attack graph. Three main stages: (1) network and vulnerability scanning, (2) attack graph modeling, and (3) attack graph analysis.

Attack Graph - Structure [Figure: attack graph with nodes numbered 1 to 14 over attacker location A1, hosts H1, H2, H3 and goal G. Three node types: Privilege Nodes (Attacker in A1; Attacker Control H1, H2, H3, G), Exploit Nodes (Exp H1, Exp H2, Exp H1 → H3, Exp H2 → H3, Exp H3 → G) and Fact Nodes (Vul 1 on H1, Vul 2 on H2, Vul 3 on H3, Vul 4 on G). A second version of the slide marks an Attack Path.]

IoT Attack Graphs IoT devices introduce additional challenges to attack graphs: Diverse physical locations, Variety of short-range communication protocols, Cyber-physical capabilities of the devices, Mobility, etc.

IoT Attack Graphs Short-range communication protocols – The number of protocols in the device can influence the security. A hacker can take advantage of a compromised device and use the other protocols as entry points to the network. Physical location – The location of an IoT device can bridge between networks through short-range communication protocols.

IoT Attack Graphs We augmented the attack graph to model short-range communication protocols. We define possible connectivity between devices based on their locations and supported protocols. The connection range of an IoT device deployed in a location can be estimated based on the radio specification of the device.

Risk Score A way to quantify the security of a network. There are many methods to measure the security risk using an attack graph. For example, likelihood of attack, number of exploits needed, etc.

Our Risk Score The risk increases as the possible attack paths become shorter and as more of the shortest attack paths are added. We choose to calculate the shortest attack paths, taking their length and quantity into consideration. Our method for calculating risk score is sensitive to small changes in different deployments.

Problem Definition We solved two optimization problems. Full Deployment with Minimal Risk (FDMR): all required IoT devices should be deployed with minimal security implications. Maximal Utility without Risk Deterioration (MURD): the maximal number of IoT devices that can be deployed without increasing the security risk of the network.

Heuristic Search [Figure: search space from Empty Deployment to Full Deployment 1, Full Deployment 2, ..., Full Deployment n] Reminder: FDMR: Full Deployment with Minimal Risk. MURD: Maximal Utility without Risk Deterioration.

Heuristic Search We used depth-first branch and bound (DFBnB). DFBnB prunes subtrees of the search space that are not worth expanding. In order to perform pruning more frequently and thus accelerate the search process, DFBnB uses a heuristic function.

Heuristic Function In an informed way, heuristics help the algorithm guess which child out of all of the node's children will lead to the goal. A heuristic is an estimation of the cost of the path from node 𝑛 to a goal node.

Our Heuristic Function Table of risk scores containing the risk scores for each IoT device in each possible location. For each deployment, we update the table, removing the IoT device that was deployed or not allowed to be deployed.

Our Heuristic Function FDMR: Chooses the cell with the highest risk score in the table. MURD: Counts the number of IoT devices with the same risk score as the root state.
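
The depth-first branch and bound search for FDMR, as an added example that is not code from the presentation. The network, the device and location names, the `LINKS` table, the one-device-per-location rule and the tuple risk score (length and count of the shortest attack paths) are all constructed assumptions, and the pruning bound is the risk of the partial deployment rather than the table heuristic the slides describe.

```python
from collections import deque

# Constructed base network: attacker A1 must reach goal G through hosts H1..H3.
BASE = {"A1": ["H1"], "H1": ["H2", "H3"], "H2": ["H3"], "H3": ["G"]}
# Constructed short-range links that each (device, location) placement adds.
LINKS = {
    ("cam", "lobby"): [("A1", "cam"), ("cam", "H3")],
    ("cam", "lab"): [("H2", "cam"), ("cam", "H3")],
    ("cam", "office"): [("H1", "cam"), ("cam", "H2")],
    ("lock", "lobby"): [("A1", "lock"), ("lock", "G")],
    ("lock", "lab"): [("H1", "lock"), ("lock", "H3")],
    ("lock", "office"): [("H2", "lock"), ("lock", "H3")],
}

def risk(extra_edges):
    """(-length, count) of shortest A1->G paths; a larger tuple means higher risk."""
    graph = {u: list(vs) for u, vs in BASE.items()}
    for u, v in extra_edges:
        graph.setdefault(u, []).append(v)
    dist, count, queue = {"A1": 0}, {"A1": 1}, deque(["A1"])
    while queue:  # BFS that also counts shortest paths to every node
        u = queue.popleft()
        for v in graph.get(u, []):
            if v not in dist:
                dist[v], count[v] = dist[u] + 1, 0
                queue.append(v)
            if dist[v] == dist[u] + 1:
                count[v] += count[u]
    return (-dist["G"], count["G"])

def dfbnb(devices, locations):
    """Place every device (one per location) with minimal risk, pruning by bound."""
    best = {"risk": None, "plan": None, "expanded": 0}

    def search(i, plan, edges):
        best["expanded"] += 1
        bound = risk(edges)  # adding links never lowers risk, so this is a lower bound
        if best["risk"] is not None and bound >= best["risk"]:
            return  # no completion of this subtree can beat the incumbent
        if i == len(devices):
            best["risk"], best["plan"] = bound, dict(plan)
            return
        free = [loc for loc in locations if loc not in plan.values()]
        # Try the least risky placement first so a strong incumbent is found early.
        for loc in sorted(free, key=lambda l: risk(edges + LINKS[devices[i], l])):
            plan[devices[i]] = loc
            search(i + 1, plan, edges + LINKS[devices[i], loc])
            del plan[devices[i]]

    search(0, {}, [])
    return best

RESULT = dfbnb(["cam", "lock"], ["lobby", "lab", "office"])
```

In this constructed network the full deployment found keeps the risk of the empty network, while placing the lock in the lobby would shorten the shortest attack path from three steps to two.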

Experimental Setup We solved the two problems as optimization problems. Organization Network – We took a real network organization consisting of 24 hosts. Simulations – We simulated the IoT devices and the physical locations of the hosts.

Experimental Setup Number of Executions – We executed the experiments forty times, simulating different physical locations each time. All results are the average results of all executions. Random Deployment – For comparison, we also ran both problems randomly as a baseline. FDMR – Randomly deployed all required IoT devices. MURD – Added a device randomly and computed the risk score. We started with no IoT devices deployed and continued until full deployment. This random baseline was executed the same number of times as our algorithm (forty times).

Results

Problem | DFBnB: Time (min) | DFBnB: Risk Score (std) | DFBnB: Devices Deployed (std) | Random Deployment: Risk Score (std) | Random Deployment: Devices Deployed (std)
FDMR | 36.20 | 1229 (239.41) | 6 (0) | 1494.46 (370.82) |
MURD | 3.88 | 1032 (0) | 4.40 (1.13) | 1538.95 (364.74) | 4 (0)

The risk score of the initial state (with no IoT devices) is 1032.

FDMR problem - an increase of 19% compared to initial state. In the random deployment the increase was 44%.

MURD problem - on average, four to five devices can be deployed without any change in the risk score. When deploying four devices randomly the risk score is 1539 (increase of 49%).

Additional Results Trade-off between the allowed risk of the IoT deployment and the maximal number of IoT devices that can be deployed.

Conclusion Planning the deployment of IoT devices is important. Randomly deploying devices can greatly affect the security of the organization's network. Novel method for suggesting the optimal deployment (in terms of the security risk) of a set of IoT devices within an organization.

Future Work Develop heuristic functions for additional risk scores. Add cyber-physical capabilities and unique functionalities to the IoT devices.

Discussion / Questions Thank You