TY - JOUR
T1 - D-Score
T2 - An expert-based method for assessing the detectability of IoT-related cyber-attacks
AU - Meidan, Yair
AU - Benatar, Daniel
AU - Bitton, Ron
AU - Avraham, Dan
AU - Shabtai, Asaf
N1 - Funding Information:
The authors thank the kind cyber-security experts who completed our questionnaire, thus enabling this research. This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 830927.
Publisher Copyright:
© 2022 Elsevier Ltd
PY - 2023/3/1
Y1 - 2023/3/1
N2 - IoT devices are known to be vulnerable to various cyber-attacks, such as data exfiltration and the execution of flooding attacks as part of a DDoS attack. When it comes to detecting such attacks using network traffic analysis, it has been shown that some attack scenarios are not always equally easy to detect if they involve different IoT models. That is, when targeted at some IoT models, a given attack can be detected rather accurately, while when targeted at others the same attack may result in too many false alarms. In this research, we attempt to explain this variability of IoT attack detectability and devise a risk assessment method capable of addressing a key question: how easy is it for an anomaly-based network intrusion detection system to detect a given cyber-attack involving a specific IoT model? In the process of addressing this question we (a) investigate the predictability of IoT network traffic, (b) present a novel taxonomy for IoT attack detection which also encapsulates traffic predictability aspects, (c) propose an expert-based attack detectability estimation method which uses this taxonomy to derive a detectability score (termed ‘D-Score’) for a given combination of IoT model and attack scenario, and (d) empirically evaluate our method while comparing it with a data-driven method.
KW - Analytical hierarchical process (AHP)
KW - Attack detection
KW - Internet of things (IoT) security
KW - Multi-Criteria decision making
KW - Network traffic predictability
UR - http://www.scopus.com/inward/record.url?scp=85144814930&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2022.103073
DO - 10.1016/j.cose.2022.103073
M3 - Article
AN - SCOPUS:85144814930
SN - 0167-4048
VL - 126
JO - Computers and Security
JF - Computers and Security
M1 - 103073
ER -