The impressive growth of the IoT witnessed in recent years has come together with a surge in cyber attacks that target it. Factories adhering to digital transformation programs are quickly adopting the IoT paradigm and are thus increasingly exposed to a large number of cyber threats that need to be detected, analyzed and appropriately mitigated. In this scenario, a common approach used in large organizations is to set up an attack triage system. In this setting, security operators can cherry-pick new attack patterns requiring further in-depth investigation from a mass of known attacks that can be managed automatically. In this paper, we propose an attack triage system that helps operators quickly identify attacks with unknown behaviors and later analyze them in detail. The novelty introduced by our solution is the use of process mining techniques to model known attacks and identify new variants. We demonstrate the feasibility of our approach through an evaluation based on three well-known IoT botnets, BASHLITE, LIGHTAIDRA and MIRAI, and on real current attack patterns collected through an IoT honeypot.

Triage of IoT Attacks Through Process Mining / Coltellese, Simone; Maria Maggi, Fabrizio; Marrella, Andrea; Massarelli, Luca; Querzoni, Leonardo. - 11877:(2019), pp. 326-344. (Paper presented at the conference On the Move to Meaningful Internet Systems: OTM 2019 Conferences, held in Rhodes, Greece) [10.1007/978-3-030-33246-4_22].

Triage of IoT Attacks Through Process Mining

Andrea Marrella; Luca Massarelli; Leonardo Querzoni
2019

2019
On the Move to Meaningful Internet Systems: OTM 2019 Conferences
botnet; internet of things; iot; process mining; malware triage
04 Publication in conference proceedings::04b Conference paper in a volume
Files attached to this item
  • Coltellese_Postprint_Triage_2019.pdf (open access)
    Type: Post-print (version after peer review, accepted for publication)
    License: All rights reserved
    Size: 1.11 MB
    Format: Adobe PDF
  • Coltellese_Triage_2019.pdf (archive administrators only)
    Type: Publisher's version (published version with the publisher's layout)
    License: All rights reserved
    Size: 5.63 MB
    Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/1321763
Citations
  • PubMed Central: not available
  • Scopus: 12
  • Web of Science (ISI): 8