Internet of Things (IoT) defines a communication network that consist of highly interconnected heterogeneous devices . IoT comes from the expansion of the Internet, which is destined to inherit most the security issues of the Internet. At the same time, new security issues occur to the IoT due to the numerous devices act as sensors . IoT is still in the stage of development with no uniform standards for the hardware, software and communication protocols . A variety of smart scenarios is also heterogeneous, which makes the defense of IoT extremely complicated. In order to perform a more effective and active defense as well as making defense decisions quickly when attacks happen, we are in expectation of real-time SSA of IoT-based environment.
Compared with the traditional SSA in the Internet, modeling SSA in IoT confronts the following challenges: (1) The SSA models in the Internet rely on the static network topology. However, the devices in IoT are ambulatory, which tend to a dynamic topology. (2) A SSA model in the Internet always has a unified communication protocol while various communication protocols exist in IoT system simultaneously and the devices communicate with others through their own protocols. (3) The SSA models in the Internet fail to consider the susceptibility of devices such as battery power consumption, while in IoT system the susceptibility should be stressed because some passive attacks caused by low power consumption often occur such as automatic sleep.
Due to the challenges mentioned above, using the existing cyber security models  to achieve the purpose of real-time SSA in IoT is impossible. Several papers focus on developing security model for the IoT. Some of these papers [5-7] consider the vulnerabilities existence in IoT devices and propose a framework based on the network topology, but ignore the interaction between attackers and defenders caused by the offensive and defensive strategies changes in the process. Others [8,9] construct game-based security models for the IoT. However, their scope always address on some related issues in specific fields such as power consumption and consumer choice. Previous researches do not form a global, systematic and complete model for SSA, but instead mainly considers the security of IoT from certain domains.
This paper defines a SCPN for IoT-based smart environment by extending the basic Petri Net. Then proposes a Markov Game model for SSA in the defined SCPN. Smart home environment is used to test the proposed model and two attack scenarios in the smart home are taken into consideration. The proposed model can simulate the curve of overall security situation. From the comparison of the curves under the two attack scenarios, we can find vulnerable devices and the potential attack paths related to them and mitigate the impact of attacks through modifying defense strategy.
The contributions of this paper are summarized as follows:
- We define a SCPN for IoT-based smart environment where colored tokens represent different types of threats. Threats propagation between IoT devices are captured by transitions, making the attack scenarios better exhibited, especially for collaborative attacks caused by various threats.
- We considered the interaction of strategy changes between the attackers and defenders in the attack-defense process, which makes the proposed model more applicable to the real smart environment.
- To the best of our knowledge, this is the first attempt to use Markov Game Theory in IoT-based SCPN to establish a SSA model for a complex smart environment.
The rest of the paper is organized as follows. Section 2 introduces methodology to develop the model. Section 3 describes a smart home environment with two attack scenarios in detail, provides experimental results and evaluates the performance of our model. Section 4 discusses some relevant issues of our approach. Section 5 concludes the paper.
This section provides a methodological and theoretical basis for the concepts used in the paper.
2.1. Stochastic Colored Petri Nets
Stochastic Petri Nets (SPN) is suitable for modeling the dynamic behavior of any complex system . CPN has colored tokens, which can describe various types of data and operations . In IoT-based smart environment, attackers usually use synergistic attacks to achieve attack goals, which makes various threats propagate in the IoT. In this paper, we add colored tokens (represent different threats) to the SPN to expand it to a SCPN. Figure 1 shows a typical SCPN.
SCPN is defined as 6-tuple:
The components of SCPN are:
-Assets () are valuable resources in the smart environment, such as IoT devices and routers. Several vulnerabilities may be in these assets.
-Colored Tokens () represent different types of threats. There may be multiple tokens in one place. More tokens indicate that the corresponding node has been subjected to a more serious attack, and the node is more likely to affect other nodes. denotes one of the threats in the smart environment.
-Places () are all the possible locations of IoT nodes in the net. IoT nodes affected by a threat include nodes that have been attacked or may be attacked, expressed as .
-Directed Connections () are located between places and transitions, indicating the directions of threat propagation. The propagation path of a threat is expressed as .
-Threat subnet () contains all the affected nodes and propagation paths associated with these nodes. The threat subnet of is expressed as .
-Transitions () indicate the propagation of threats. When a transition occurs, the token moves from a node to another.
denotes the probability of threats propagating between two nodes successfully.
2.2. Markov Game Model
Game Theory (GT) captures the nature of conflicts: determination of the attacking-force strategies is tightly coupled to determination of the defense-force strategies . Markov Decision Process (MDP) refers to the process that a decision-maker selects the behavior from the available behavior set based on the present state at each moment [14,15]. Markov Game is a combination of GT and MDP. The state at the next moment is only relevant to the current moment, so the threat transition has Markov properties. We establish a Markov Game model in the defined SCPN.
The proposed model is defined as 5-tuple:
The components of the model are:
- Players () set contains an attacker and a defender in this game. The attacker () spreads for damaging the performance of the system and the defender () cuts off the propagation paths of to keep the whole system stable.
- State Space () consists of all the possible states of . The system states are determined by previous states and the current actions. The state of the node at time is . The state of the propagation path at time is . The overall state of at time is .
- Action Space () includes all the possible combinations of actions in the game. At every time step, each player chooses strategies with associated actions. The attacker’s action () is propagating threat with a certain probability. The defender’s action () is to perform the strategy such as fixing a vulnerability, cutting off a propagation path, or removing a IoT node.
-Transition Rules (). The purpose of
is to calculate the probability distribution over the state space (). The variation of the state is described by:
where denotes the action of the attacker at time , denotes the action of the defender at time .
-Reward function (). Since the purpose of the attacker is to maximize damage of the SCPN, its reward function is in relation to the damage. The purpose of the defender is to minimize the damage of the SCPN, its reward function is in relation to the reduced damage.
2.3. Game Process
Game Process involves how players make decisions under the interaction of each other and selects strategies from according to the current state, and then get the one-step reward.
For the attacker, damages node and its associated propagation paths. The one-step reward function at time is expressed as:
where, is the nodes affected by , is the propagation paths related to node . denotes the damage of the node , denotes the damage of the propagation paths related to node .
For the defender, taking security strategy will bring two effects: reducing the damage produced by and affecting network performance inevitably. denotes the variation of the node after taking security strategy. denotes the variation of paths related node . The one-step reward function at time is expressed as:
The threat propagates to the uninfected node through the , the reward function is expressed as:
where is discount factor.
2.4. Security Situational Awareness
The proposed model considers the worst situation and evaluates the maximum damage of the system. The goal of the defense strategy is to maximize the defender’s reward function for the maximum damage. The reward function for can be expressed as:
The security situational situation of IoT system at time can be obtained by summing up the reward functions of all the threats, which can expressed as:
where, is the radix.
3. Experiment and Results
The IoT has been widely applied in various fields [16-19], including smart home, healthcare, transport, environment monitoring, etc. We use smart home environment as a case to test the proposed model for SSA experimentally. We divide the devices into different regional subnets according to the communication protocols and model the heterogeneous subnets independently, then integrate these submodules together.
3.1. Network description
Fig. 2 shows the IoT-enabled smart home environment, which includes a ZigBee subnet and a Wi-Fi subnet. A smart home hub is used to support the communications of Wi-Fi, ZigBee and Internet, which provides users a control panel to access IoT devices and control them remotely. The smart hub establishes a ZigBee subnet that allows home devices (such as smart meters, thermostats, temperature) to communicate with each other by using the ZigBee wireless protocol. Android tablet connects to both Wi-Fi network and ZigBee network. Smart TV connects to the Wi-Fi subnet. Both tablet and TV have access to the Internet through the smart hub.
3.2. Attack scenario
We assume the ultimate goal of an attacker is to damage the smart lock. Because the lock is isolated, an attacker cannot access it directly and only tries to perform infiltration attacks from other home devices. Two attack scenarios are taken into consideration in the smart home.
Scenario 1: We take the TV as a gateway to attack the smart home. Assuming that TV uses FFmpeg5.0. Attackers can exploit two types of vulnerabilities [20,21] in media file formats supported by FFmpeg5.0 to run attack code and gain the root privilege of the TV. Table 1 shows the information about the two vulnerabilities in the Common Vulnerabilities and Exposures (CVE) and their CVSS base scores. After getting root privileges, they can use the TV as a portal to exploit vulnerabilities in other devices such as Android Tablet.
|Vul||CVE ID||CVSS Base Score||Impact|
Scenario 2: We take Android Tablet as a portal to attack the smart home. Assuming that attackers can write a malware to get the root permission of Android Tablet through utilizing three bugs  in the software and operating system. Table 2 shows the information about the three vulnerabilities of the Android Tablet. After getting root privileges, they use the tablet to launch other attacks targeting the ZigBee subnet.
|Disrupt the conversion of Java bytecode||2|
|Modify the AndroidManifest.xml file||2|
|Obtain extended Device privileges||10|
|Automatic sleep caused by low power||5|
3.3. Experimental results and Analysis
We create an asset list for the smart home environment to construct the SCPN, and establish the Markov Game Model in SCPN, then evaluate the security situational of the smart home environment under the two attack scenarios mentioned in section 3.2, respectively. Table 3 shows the states of nodes at time for . AssLevel denotes the importance of a asset in the SCPN and have 5 levels. ThrOR denotes whether the node is infected by . VulOR denotes whether a vulnerability exists in the node that can be exploited by . Specifically, denotes that the Tablet’s value level is very high and vulnerabilities exist in the Tablet and can be exploited by .
Table 4 shows the state of propagation paths at time for . PathLevel denotes the importance of a path in the SCPN and also have 5 levels. Exploitability denotes the probability of a threat transmission through the path. Specifically, denotes that the propagation path between smart hub and Tablet is very important and utilizability of the path is medium. Fig.3 shows the parts of constructed SCPN in the smart environment for .
In order to facilitate the analysis of security situational value, we normalize the security situational values according to the min-max standardization. The results generated by the proposed model in the two attack scenarios are shown in Fig.4. The curves reveal the security situation trend overall, which provide a macro perspective of security situation in the smart home environment.
Furthermore, according to the comparison in Fig.4, we can find that attacking the TV has faster attack effect but lower impact than attacking the tablet. Thus, the attacker is more likely to choose the TV as the entry point. The defender should protect the TV at first in order to prevent the attacker from breaking into the network. Moreover, they can take TV as an origin and find the potential attack paths from the SCPN, then decide which IoT devices included in the paths should be protected at the same time.
In this section, we clarify some relevant issues of our approach and discuss the limitation of this approach.
In this paper, we establish a SSA model in a complex IoT-based smart environment. The proposed model can form a macroscopic trend curve of security situation and help administrators make effective defense decisions to mitigate the impact of potential attacks.
Compared with the previous models, (1) We chose SCPN to describe the IoT, because SCPN will be created dynamically which will make IoT-based smart environments highly interoperable and scalable, and provide IoT system a dynamical topology. (2) We divide the IoT devices into different regional subnets according to the communication protocols and model the heterogeneous subnets independently, then integrate these submodules together thus solving the problem about heterogeneity of IoT devices. (3) We stress the susceptibility of devices in this approach, for example, passive attacks caused by low power consumption are taken into consideration.
It is worth mentioning that although we validate the proposed model via two attack scenarios in the smart home environment, our approach is portable that applies to other IoT environments through modifying the parameters of the model.
On the other hand, our approach considers the behaviors of both player and the dual effects of propagation nodes and propagation paths in the attack-defense process, so the state space would be large when players making decisions. Especially in complex IoT environment with numerous IoT nodes and propagation paths, the resources consume is huge. Hence, we will focus on reducing resources consume through combining the IoT vision with cloud computing.
Internet of Things (IoT) is enabling innovative applications in various domains. Due to its heterogeneous and wide-scale structure, it brings many new security issues. In this paper, a SCPN is constructed for a IoT-based smart home environment, and a Markov Game model is proposed for SSA in the defined SCPN. All possible attack paths are computed by the SCPN, and antagonistic behavior of both attackers and defenders are dynamically taken into consideration according to Markov Game Theory. We evaluated the proposed model in two attack scenarios in a smart home environment. The proposed model can form a macroscopic trend curve of security situation. According to the analysis of the results, we can find the vulnerable devices and the potential attack paths related to them in the SCPN, and then choose effective strategies to protect the devices and mitigate the impact of potential attacks.
This work is supported in part by National Key R&D Program of China (2016YFB0800700), the National Natural Science Foundation of China (61272481, 61303239,61572460), the National Information Security Special Projects of National Development and Reform Commission of China [(2012)1424], open Project Program of the State Key Laboratory of Information Security(2016-MS-02).
- (1) Miorandi D, Sicari S, De Pellegrini F, et al. Internet of things: Vision, applications and research challenges[J]. Ad Hoc Networks, 2012, 10(7): 1497-1516.
- (2) Yoon S, Park H, Yoo H S. Security issues on smart home in IoT environment[M]//Computer Science and its Applications. Springer, Berlin, Heidelberg, 2015: 691-696.
- (3) Radomirovic S. Towards a Model for Security and Privacy in the Internet of Things[C]//Proc. First Int’l Workshop on Security of the Internet of Things. 2010.
- (4) Franke U, Brynielsson J. Cyber situational awareness–a systematic review of the literature[J]. Computers & Security, 2014, 46: 18-31.
- (5) Stepanova T, Zegzhda D. Applying large-scale adaptive graphs to modeling internet of things security[C]//Proceedings of the 7th International Conference on Security of Information and Networks. ACM, 2014: 479.
- (6) Jacobsson A, Boldt M, Carlsson B. A risk analysis of a smart home automation system[J]. Future Generation Computer Systems, 2016, 56: 719-733.
- (7) Luckett P, McDonald J, Glisson W. Attack-Graph Threat Modeling Assessment of Ambulatory Medical Devices[C]//Proceedings of the 50th Hawaii International Conference on System Sciences. 2017.
- (8) Ge M, Hong J B, Guttmann W, et al. A framework for automating security analysis of the internet of things[J]. Journal of Network and Computer Applications, 2017, 83: 12-27.
- (9) Hamdi M, Abie H. Game-based adaptive security in the Internet of Things for eHealth[C]//Communications (ICC), 2014 IEEE International Conference on. IEEE, 2014: 920-925.
- (10) Rontidis G, Panaousis E, Laszka A, et al. A game-theoretic approach for minimizing security risks in the Internet-of-Things[C]// IEEE International Conference on Communication Workshop. IEEE, 2015:2639-2644.
- (11) Petri nets: fundamental models, verification and applications[M]. John Wiley & Sons, 2013.
- (12) High-level Petri nets: theory and application[M]. Springer Science & Business Media, 2012.
- (13) Sandhu R, Sood S K. A stochastic game net-based model for effective decision-making in smart environments[J]. Concurrency and Computation: Practice and Experience, 2016.
- (14) Abdalzaher M S, Seddik K, Elsabrouty M, et al. Game Theory Meets Wireless Sensor Networks Security Requirements and Threats Mitigation: A Survey[J]. Sensors, 2016, 16(7): 1003.
- (15) Tunc C, Akar N. Markov fluid queue model of an energy harvesting IoT device with adaptive sensing[J]. Performance Evaluation, 2017, 111: 1-16.
- (16) Orojloo H, Azgomi M A. A game-theoretic approach to model and quantify the security of cyber-physical systems[J]. Computers in Industry, 2017, 88: 44-57.
- (17) Stojkoska B L R, Trivodaliev K V. A review of Internet of Things for smart home: Challenges and solutions[J]. Journal of Cleaner Production, 2017, 140: 1454-1464.
- (18) Hamdi M, Abie H. Game-based adaptive security in the Internet of Things for eHealth[C]//Communications (ICC), 2014 IEEE International Conference on. IEEE, 2014: 920-925.
- (19) Golden M. Methods and systems for managing, controlling and monitoring medical devices via one or more software applications functioning in a secure environment: U.S. Patent 9,656,092[P]. 2017-5-23.
- (20) Michéle B, Karpow A. Watch and be watched: Compromising all Smart TV generations[C]// IEEE, Consumer Communications and NETWORKING Conference. IEEE, 2014:351-356.
- (21) Bachy Y, Basse F, Nicomette V, et al. Smart-TV Security Analysis: Practical Experiments[C]// Ieee/ifip International Conference on Dependable Systems and Networks. IEEE, 2015:497-504.
- (22) Unuchek, R., 2016. Obad.a Trojan now being distributed via mobile botnets, https://securelist.com/obad-a-trojan-now-being-distributed-via-mobile-botnets/57453/