ESSecA: An automated expert system for threat modelling and penetration testing for IoT ecosystems / Rak, M.; Salzillo, G.; Granata, D.. - In: COMPUTERS & ELECTRICAL ENGINEERING. - ISSN 0045-7906. - 99:(2022), p. 107721. [10.1016/j.compeleceng.2022.107721]
ESSecA: An automated expert system for threat modelling and penetration testing for IoT ecosystems
Rak M.; Granata D.
2022
Abstract
Despite the growing spread of Internet of Things (IoT) ecosystems, their security assessment is still an open issue. Identifying threats, vulnerabilities, and attacks is a costly and time-consuming process, incompatible with their time-to-market. Undoubtedly, the introduction of automated security assessment techniques would increase the security level of many IoT products, while containing the costs. In this article, we introduce ESSecA, an Expert System for Security Assessment that guides penetration testers during the assessment of IoT systems, in a threat-intelligence-driven perspective. ESSecA bases its analysis on different knowledge-bases, some maintained by MITRE. Starting from the system model, ESSecA produces a Threat Model and a list of Attack Plans for each identified threat. This information can be used by penetration testers to perform a systematic security test of the target IoT infrastructure. We applied the technique to a typical home automation system, the Open Energy Monitor, providing some attack patterns for its security evaluation.
The documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.