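Computer science
Vulnerability (computing)
Vulnerability assessment
Python (programming language)
Path (computing)
Risk assessment
Node (physics)
Data mining
Distributed computing
Computer security
Computer network
Psychology
Structural engineering
Psychological resilience
Engineering
Psychotherapist
Operating system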
Authors
Ferhat Arat, Sedat Akleylek
Identifier
DOI:10.1016/j.comnet.2023.110046
Abstract
In this paper, we propose a generic vulnerability and risk assessment method for IoT-enabled systems. The main aim is to provide risk detection and vulnerability assessment for IoT-based systems. We present three phases of risk assessment methodology: graph construction, attack path detection, and attack path filtering for high-level attack paths. We give attack path detection, risk level computing, and attack path removing procedures to validate these phases. We represent the IoT-based network as a graphical structure. Then, we construct the topology for a given IoT-based system. The smart home system is considered as a case scenario to present a realistic instance. The National Vulnerability Database (NVD), Common Vulnerability Scoring System (CVSS), and Common Vulnerabilities and Exposures (CVE) metrics are used to assign vulnerabilities to devices. We formulate risk factors to compute risk levels for each node, attack path, and entire graph. We use the modified Depth First Algorithm (DFS) to find all attack paths for given source and target nodes. In addition, we compute risk levels using computing procedures. Further, we filter detected attack paths considering dominance level using computational metrics. We perform the simulation on a custom Python simulator considering the designed IoT-based smart home system. We compare our proposed methods with the previous ones. According to the experimental results, the proposed methods outperform existing vulnerability-based risk assessment models regarding running time complexity and operational cost.