# Security Analysis of IoT Systems Using Attack Trees

## Abstract

Attack trees are graphical representations of the different scenarios that can lead to a security failure. In combination with model checking, attack trees are useful to quantitatively analyse the security of a system. Such analysis can help in the design phase of a system to decide how and where to modify the system in order to meet some security specifications.

In this paper we propose a security-based framework for modeling IoT systems where attack trees are defined alongside the model. A malicious entity uses the attack tree to exploit the vulnerabilities of the system. Successful attacks can be *rare events* in the system’s execution, in which case they are hard to detect with usual model checking techniques. Hence, we use *importance splitting* as a statistical model checking technique for rare events. This technique requires a decomposition of an attack into sub-parts, similarly to an attack tree. We argue that importance splitting is therefore well suited to, and benefits from, our modeling framework. We implemented our approach in a tool-set and verified its effectiveness by running a set of experiments over a real-world example.
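As an added illustration (not the paper's framework or tool-set), the Python sketch below estimates the probability of a rare attack on a constructed toy model by using one importance-splitting level per attack-tree sub-goal, and compares it with crude Monte Carlo and the exact value; the sub-goal names, per-step probabilities and execution horizon are assumptions.

```python
import math, random

# Constructed toy model: an AND node whose three sub-goals must be achieved in
# order; each step the attacker attempts the next one with an assumed probability.
SUBGOALS = [("reach_network", 0.05), ("obtain_credentials", 0.02), ("alter_device", 0.05)]
HORIZON = 10  # assumed bounded length of one system execution

def step(state, rng):
    """One system step; state = number of sub-goals achieved (the importance score)."""
    if state < len(SUBGOALS) and rng.random() < SUBGOALS[state][1]:
        return state + 1
    return state

def exact_probability(horizon=HORIZON):
    """Reference value by dynamic programming over the number of achieved sub-goals."""
    dist = [1.0] + [0.0] * len(SUBGOALS)
    for _ in range(horizon):
        nxt = dist[:]
        for k, (_, p) in enumerate(SUBGOALS):
            nxt[k] -= dist[k] * p
            nxt[k + 1] += dist[k] * p
        dist = nxt
    return dist[-1]

def crude_monte_carlo(n_traces, seed):
    """Plain statistical model checking: fraction of traces where the whole attack succeeds."""
    rng, hits = random.Random(seed), 0
    for _ in range(n_traces):
        state, remaining = 0, HORIZON
        while remaining and state < len(SUBGOALS):
            state, remaining = step(state, rng), remaining - 1
        hits += state == len(SUBGOALS)
    return hits / n_traces

def importance_splitting(n_traces, seed):
    """Fixed-level splitting, one level per sub-goal; returns (estimate, conditionals)."""
    rng, starts, conditionals = random.Random(seed), [(0, HORIZON)] * n_traces, []
    for level in range(1, len(SUBGOALS) + 1):
        reached = []  # (state, remaining steps) at the moment the level is first hit
        for state, remaining in starts:
            while remaining and state < level:
                state, remaining = step(state, rng), remaining - 1
            if state == level:
                reached.append((state, remaining))
        if not reached:
            return 0.0, conditionals
        conditionals.append(len(reached) / n_traces)
        starts = [rng.choice(reached) for _ in range(n_traces)]  # restart from the level
    return math.prod(conditionals), conditionals
```

Crude Monte Carlo needs many traces to see even a handful of successful attacks, whereas the splitting estimate is a product of three well-sampled conditional probabilities.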

## Keywords

Attack tree, IoT, Rare events, Importance splitting

## Notes

### Acknowledgements

We would like to thank Axel Legay for his helpful suggestions on importance splitting, and Jean Quilbeuf for his technical help in the tool implementation.
