A design and analysis security framework for IoT systems

  • Orestis Mavropoulos

    Student thesis: Doctoral Thesis


    Internet of Things (IoT) systems are ubiquitous, highly complex and dynamic event-based systems. These characteristics make their security analysis challenging. One of the most significant concerns about IoT is that it is not secure. Prominent attacks, such as WannaCry and the Mirai botnets, have only stoked these fears and raised questions about the security of IoT. This thesis aims to develop a framework to facilitate design and security analysis in IoT systems. The proposed framework is composed of the following components: (1) a modeling language to represent IoT systems; (2) a modeling methodology to create models; (3) processes to assess the security of the models; and (4) processes to propose countermeasures to increase the security of the models. The modeling language provides components to create IoT system models that capture the information needed by a security engineer to design and perform security analysis on an IoT system. The modeling methodology provides instructions as well as restrictions on how models are created using the modeling language. It provides a structured approach to transition models between the engineering phases. Then, automated and semi-automated processes are used to identify existing vulnerabilities and configurations that increase the attack surface in the models. Finally, a report of the countermeasures is generated based on the attributes of the models to mitigate the identified threats and vulnerabilities. To evaluate the framework, it was applied to case studies. Each case study assessed specific aspects of the framework. One case study was performed to assess the processes of eliciting security requirements from the existing hardware architecture of a system. The feedback from the case study was used to refine the modeling language. A case study was performed to evaluate the automated and semi-automated analysis processes that are part of the framework. The processes were measured regarding resources, error rate, and additional information when compared to the same task undertaken by a human engineer. This case study was performed on a real-life infrastructure of a security organization. The organization’s infrastructure was modeled and analyzed using the framework to measure the attack surface of their system and improve its security mechanisms with the use of the analysis processes of the framework. Another case study was performed to model the infrastructure of a smart city. This was made to assess the scalability of the framework when designing and analyzing large-scale systems.
    Date of Award: Oct 2019
    Original language: English
    Awarding Institution: University of Brighton
    Supervisors: Haralambos Mouratidis, Andrew Fish & Manos Panaousis
