GRAVITAS: Graphical Reticulated Attack Vectors for Internet-of-Things Aggregate Security

Jacob Brown, Tanujay Saha, Niraj Kumar Jha
Internet-of-Things (IoT) and cyber-physical systems (CPSs) may consist of thousands of devices connected in a complex network topology. The diversity and complexity of these components present an enormous attack surface, allowing an adversary to exploit security vulnerabilities of different devices to execute a potent attack. Though significant efforts have been made to improve the security of individual devices in these systems, little attention has been paid to security at the aggregate level…
Machine Learning Assisted Security Analysis of 5G-Network-Connected Systems
This article presents a comprehensive security analysis framework for the 5GCN and combines the attacks at the network, protocol, and the application layers to generate complex attack vectors that are used to find four novel security loopholes in WhatsApp running on a 5G network.


SHARKS: Smart Hacking Approaches for RisK Scanning in Internet-of-Things and Cyber-Physical Systems based on Machine Learning
This article presents an innovative technique for detecting unknown system vulnerabilities, managing associated vulnerabilities, and improving incident response when such vulnerabilities are exploited, and demonstrates the application of this method to the hacking of the in-vehicle network of a connected car.
Measuring Security Risk of Networks Using Attack Graphs
The flexible model can be used to quantify overall security of networked systems, and to study cost/benefit tradeoffs for analyzing return on security investment.
A Comprehensive Study of Security of Internet-of-Things
  • A. Mosenia, N. Jha
  • Computer Science
  • IEEE Transactions on Emerging Topics in Computing
  • 2017
This survey attempts to provide a comprehensive list of vulnerabilities and countermeasures against them on the edge-side layer of IoT, which consists of three levels: (i) edge nodes, (ii) communication, and (iii) edge computing.
A2G2V: Automatic Attack Graph Generation and Visualization and Its Applications to Computer and SCADA Networks
The proposed A2G2V algorithm uses existing model-checking tools, an architecture description tool, and its own code to generate an attack graph that enumerates the set of all possible sequences in which atomic-level vulnerabilities can be exploited to compromise system security.
TAG: Topological Attack Graph Analysis Tool
Attack graphs are a relatively new – at least, from the point of view of a practical usage – method for modeling multistage cyber-attacks. They allow to understand how seemingly unrelated…
MulVAL: A Logic-based Network Security Analyzer
MulVAL is an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network and can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language.
Topological Vulnerability Analysis
A Topological Vulnerability Analysis (TVA) approach that analyzes vulnerability dependencies and shows all possible attack paths into a network, identifying key vulnerabilities and providing strategies for protection of critical network assets.
A quantitative CVSS-based cyber security risk assessment methodology for IT systems
This paper defines a novel risk assessment methodology specific to IT systems that is quantitative, both asset and vulnerability centric and defines low and high level risk metrics.
Validating and Restoring Defense in Depth Using Attack Graphs
Defense in depth is a common strategy that uses layers of firewalls to protect supervisory control and data acquisition (SCADA) subnets and other critical resources on enterprise networks. A tool…
Vulnerability Modelling for Hybrid IT Systems
The proposed framework, named CVSSIoT, is applied to a realistic IT supply chain system and the results are compared with the actual vulnerabilities from the national vulnerability database, which validates the proposed model.