4860
Classification For Iot Threats Based On The
Analytic Hierarchy Process
Islam Abdalla Mohamed, Anis Ben Aissa, Loay F. Hussein
Abstract: The Internet of Things technology make us depending on a machine to control a massive part of our life by collecting more personal information. The data collected and stored with these devices such as your name, age, health data, location and more can aid cyberattack activity. The first step to face these threats is to classify it and determine the risk according to different classes of users. This paper introduces classification to IoT threats from a user perspective. The classification is done by collecting the opinion of 80 users divided into three classes. Our proposed classification is done by AHP algorithm to calculate the weigh and determine the risk of each threat according to users classes. The result will contribute to create more secure and reliable IoT services and systems.
Index Terms : analytic hierarchy process, Internet of Things, Quality of service, security risk, Threat.
—————————— ——————————
1
INTRODUCTION
A new chapter in the future of humanity started when the Internet of Things (IoT) technology invaded our life. We live in an era that guided by computers, which collect data from our surrounded environment and then serve us according to it. Nowadays, most devices such as televisions, thermostats, sensors in your car, and medical devices are finding their way online without our help. Many refer to this as the "Internet of Things". The concept behind IoT idea involves a variety of objects that can be connected using either wireless or wired networks. These objects have a unique addressing scheme that allows them to interact and cooperate to create novel applications and services [1]. According to IoT security report in 2018 from National Institute of Standers and Technology (NIST) 25% firms reported security issues in IoT which lead to damages cost of at least 34 million dollars in the last couple of years. This number will increase with more security threats arising every day, which led to different classification and complex security measures [2].Ideally, one would like to have a single classification for these threats. However, different systems have different use and users. Also, most classification is focused on threats nature but not the system users. It will be unpractical to add more security layers to IoT massive system without gaining the user trust to use the system. The core of this study is to classifies IoT threats by determining the risk according to the opinions of different users. To do that First, we describe the IoT security threat and classify them. Then, we collect the data needed for calculation using two questionnaires. After that, the AHP algorithm is applied to find the risk for every threat. Finally, a conclusion is presented to summarise the main outcomes of this research.2
RELATED
WORK
The Internet of Things is one of the fastest-growing industry and technology in the world of wireless Network Telecommunication. The main objective of this technology is to provide connectivity between heterogeneous network devices [3]. Tuhin Borgohain,
Uday Kumar, and Sugata Sanyal have surveyed all security flaws, along with an analysis of the privacy issues that an end-user may face. They concluded that more security measures should have existed before implementing IoT systems in our daily life [4]. In [5] Jyoti Deogirikar and Amarsinh Vidhate discuss the problem of building a secure IoT system. Implementing different security measures could consume more power, which is not practical, because of that, there is a need for a security mechanism that handles maximum security problems and be lightweight for robust IoT. In [6] Yang Lu, and Li Da Xu Discuss what people need from IoT technology and IoT cybersecurity. The complex structure of IoT led to comprise data model, interfaces and protocol. In fact, we do not have a standardised framework that can integrate data models, ontology, and data formats with IoT protocols, applications, and services. As a result, QoS (Quality of service) research is needed to support the development of IoT Data privacy and integrity. In [7] Mirza Abdur, Sajid Habib, Muhammad Ali and Saleem Ullah have categorised twelve threats to low-level attacks, medium-level attacks, high-level attacks, and extremely high-level attacks according to their effect and behaviour. The suggested solution will be difficult to apply due to the different behaviour of threats and the complexity of IoT. In [8] Se-Ra Oh and Young-Gab Kim analysed three essential characteristics heterogeneity, resource constraint and dynamic environment to find out basic IoT security requirements. Based on six elements IoT network, cloud, user, attacker, service and security requirements evaluation is performed to be used as a guide to design secure IoT systems. In [9], Peter Aufner discuss the gap between threat modelling and frameworks in IoT security. By quantitative three threats modelling framework STRIDE, LINDDUN and CORAS three gaps in security research founded. The first gap is between threats modelling frameworks and IoT because frameworks developed during a time when software could examine regard of hardware. The second gap is between threats modelling frameworks and common security research. Here, most research focuses on frameworks without having a deep explanation of threats modelling and possible attacks, which led to weakness and confusing standards for IoT security. The third gap is between security research and IoT itself. Most research focuses on IoT software and network regards of the attacks that rise with new devices deployed in IoT systems. In [10] Keon Chul Park and Dong-Hee Shin proposed a new framework that integrates fuzzy DEMATEL and fuzzy ANP to reflect dependence and ____________________________________
• Islam Abdalla Mohamed, Department of Computer Science, Jouf University, Saudi Arabia, [email protected].
• Anis Ben Aissa, Department of Computer Science, Jouf University, Saudi Arabia, [email protected].
feedback interrelations among security criteria. This framework investigates internal relations among various security criteria that effect IoT from the judgments of 38 security experts. As a result, security expert should put more importance on the service layer, especially to ensure availability and trust. That means future research should focus on attacks type that targets availability and trust in IoT.
3
IOT
MAIN
CHARACTERS
IoT is a combination of different heterogeneity devices connected together. There are a set of standard features, which include the following:
3.1 Intelligence
Combining sophisticated software algorithms with hardware that allows IoT devices to become smart. Ambient intelligence in IoT boosts its ability which eases the things to reply in an intelligent way to a particular case and supports them in carrying out certain tasks.
3.2 Sensing
IoT would not be conceivable without sensors, which will discover or measure any alteration in the environment to generate data that can report on their condition or even react with the environment. The sensing input is simply the analogue input from the tangible world, but it can supply the massive realising of our complex world.
3.3 Connectivity
One of the essential features of the IoT systems is the ability to connect various devices with different characteristics. With this connectivity, we can share information to provide services, which will open new market opportunities for smart things device and applications.
3.4 Dynamic nature
The principal purpose of the Internet of Things is to gather data from the environment; this is done with the dynamic changes that happen around the hardware. Also, IoT devices can run and adjusted dynamically based on a variety of conditions and cases a Massive Amount of Data: As IoT devices are in billions. These devices sense their surroundings and generate a considerable amount of data, which make it one of the sources of what is called Big Data.
3.5 Heterogeneity
The IoT system involves many devices with heterogeneous features. IoT architecture and design should support direct network connectivity between heterogeneous networks. The key design requirements for heterogeneous things and their environments in IoT are scalabilities, modularity, extensibility and interoperability.
3.6 Limited Energy
IoT devices work with minimal energy because they are small. This could be a big challenge if these devices are working in dangers environment like volcanos, or an attacker target the power source.
3.7 Security
There are wide varieties of technologies that are associated with the Internet of Things. This technology involves different kind of devices, operating systems, and a huge network
system. Security matter will be challenging because it involves hardware, software and network as an example: configure and update devices to protect them against malicious software will be complicated. Also, there is a high level of transparency and privacy issues with IoT [12].
4
IOT
SECURITY
THREATS
While the Internet of Things has helped to revolutionise the way that people interact with technology, there still exist serious threats that emerge from these technologies. KPMG International Cooperative report in 2017 machined Among 3,100 companies surveyed globally, just over half have implemented IoT, and 84% have already experienced a security breach in 2016, as shown in Fig. 2. At the same time among more than 5,000 enterprises surveyed around the world, 85% are, or will be, deploying IoT devices, yet just 10% feel confident about securing those devices against hackers [16].
Fig. 2. A security breach in 2016. 4.1 Physical threats
These types of attacks are concentrating on hardware devices in the system. These attacks can be difficult and require the attackers to have fully understood how the device is working. Physical attacks can take different forms like:
Node tempering: attacker attacks the sensor node by replacing the entire node or part of it, which can lead to obtaining sensitive information such as encryption key [12].
RF interference: The attacker starts this attack by sending radio frequency using Radio Frequency Identification (RFID) which Cause Denial of service (DOS).
Node Jamming: This is similar to the RF interference. The attacker tries to interfere with the radio frequencies of the wireless sensor nodes, jamming the signals and denying communication to the nodes. If the attacker manages to jam key sensor nodes, he can successfully perform a denial of service [12].
Physical Damage: The attacker tries to damage the IoT system by damaging the IoT devices directly. Side-channel attack: This attack poses a significant
threat to systems because attackers target Encryption mechanisms by focusing on microarchitectures of processors, their power consumption, and electromagnetic emanation which reveal sensitive information [13].
4862 can penetrate any security defensives because of its
focus on the human factor [14].
Sleep Deprivation Attack: Most sensors in the IoT system use batteries to get power. The attacker keeps nodes running at all times, so to use more power and consumes the battery energy [11].
Malicious Code Attacks Injection on the Node: An adversary, in this type of attack, could insert a malicious code physically into an IoT object. The main goal of such injection is to gain full control of the IoT system [13][15].
4.2 Network threats
These attacks are focus on the IoT network system and do not need to be close to the network because most IoT device works on a wireless network [5].
Traffic Analysis Attacks: The attacker tries to intercepts the packet and exam analysis it obtains network information [5].
RFID Spoofing and Cloning: The main goal of this attack is to spoofs RFID signals by sending data with the original tag ID, so to make it valid and get full access to the system [12][5]. Sinkhole Attack: the attacker focuses on compromises a node and uses it to send fake update routing information to the nearest node. This may cause denies of service by dropping all the packets instead of sending them to the desired destination [12][5].
Man in the Middle Attack: The goal of the attack is to obtain sensitive information by trying to intercepts packets between two nodes.
Routing Information Attacks: That attacker spoofing, altering or sending wrong routing information, which will make the network complex, or causing routing loops. This will lead to drop traffic, sending false error message or even partitioning the network.
Sybil Attack: In this attack, a malicious node takes the identities of multiple nodes and acts as them. This kind of attack leads to accepting false information which affects the data integrity [12][5].
4.3 Software threats
This type of attack is performed by using malware and phishing attack, which will cause a denial of service, data steal and system crash.
Malware: An attacker infects the system with malicious code. These codes are spreads through email attachments, downloading files from the Internet. A worm is different for a virus because it can replicate itself without any human action. Trojan can be combined with a legitimate application of file to get in the system [5].
Phishing Attacks: The attacker sends spoofing email, which leads to a fake website then extracts sensitive information like username and password form the user. This attack can combine with social engineering techniques to be more effective by manipulating the victim [14].
Denial of Service and Disrupted denial of service: Attacker attempt to make an online service unavailable by blocks the users from the application this is done by overwhelming it with traffic from multiple sources [5].
Cryptanalysis Attacks: The goal of this attack is to obtain the encryption key. The attacker can do this by many ways like Known-plaintext attack, Chosen-plaintext attack Chosen Ciphertext attack, and Cipher text-only attack [5].
5
SECURITY
CRITERIA
OF
IOT
In order for IoT services to be beneficial to industry and end-users, data and service security is an essential requirement. If system security (confidentiality, integrity, Availability, Fault tolerance, Accountability, and Trust) is not ensured, IoT applications will not be adopted on a large scale by the relevant stakeholders. Table 1 represents a description of each security element according to literature on security. It is essential to understand the role of each security element to determine the relation between them. To do that we divide security threats to three main criteria (physical, network and software). Each criteria have it sub-criteria that represent the security element, which will be affected by the IoT threat, as shown in Fig. 3. It is important to descript security element so to determine their importance to each other in the AHP matrix.
TABLE 1. MAIN SECURITY ELEMENT IN IOT.
Security Element Description Literature
Confidentiality It is important to ensure that data is secure and can be read-only by the communication endpoints.
[18][19]23]
Integrity Received data trustworthy and not manipulated during the transmission.
[18][19]
Availability The users should have all the data and services whenever they need it and cannot be made inaccessible.
[18][19][23]
Fault tolerance The Service provided and network system will work even if an unexpected complication occurs.
[21]
Accountability Referring to holding user response for its action. On the other hand, users might need providers to take responsibility for the services they provide, as relying on such services is critical for them.
[10][20]
System Trust Trust is viewed as a measurable belief that utilizes experience to make decisions. User has to trust the system after an attack occurs.
Fig. 3. Security criteria and sub-criteria to considered in IoT.
6
AHP
ALGORITHM
AHP its multi-criteria decision-making way things like weight, price, shortest path, colour, or even feel like sadness, happiness, angry, satisfactions, can be converted into numbers as a numeric relation. It is a way for measuring intangible factors through paired comparisons using judgments from which priorities are derived that give the relative dominance of these factors. The important concepts of the AHP and its generalization to structures with dependence and feedback. Saaty had developed this tool in 1980; he developed this tool to help manage multi-criteria elements involving decision making and capable of applying sensitivity analysis on several of things and making judgment and calculations, and it has considered the most inclusive system nowadays [17]. AHP theory is based on the matrix; both eigenvectors and eigenvalues are very important in how the AHP works. AHP can be implemented through four steps:
Step 1: Define the problem and Establishment descending Hierarchy complex decision structural: The overall goal of the decision is represented at the top level of the hierarchy. After defining the problem and determine its goal, we can organize it as a hierarchy. The main criteria and the sub-criteria, which contribute to the decision, are represented at the intermediate levels.
Step 2: Computing the vector of criteria weights: To compute the weights for different criteria, we must build a pairwise comparison matrix A. It is an n×n real matrix, where n represent the number of evaluation criteria considered. Each entry aij represents the importance of the ith criterion relative to the jth criterion. If two criteria have the same importance, then the entry aij is 1. if aij < 1, then the ith criterion is less important than the jth criterion, while If aij > 1, then the ith
criterion is more important than the jth criterion [26]. The entries aij and aji can represent as in (1):
aij×aji =1 (1
The relative importance between the two criteria is measured according to a numerical scale from 1 to 9. Where 1 represents equally important and 9 represents the highest or the superior value that can be given to each criterion. Usually, decision criteria have different units of measure and different range of values, so any comparisons among those criteria are not logically acceptable.
Step 3: Normalized collected data: after building matrix A, it is possible to derive from A the normalised pairwise matrix by making equal to 1 the sum of the entries on each column. Each entry aij of the matrix is computed as in (2).
1
i j i j n
n j i
a X
a
By using (3), the criteria weight vector W (that is an n-dimensional column vector) is built by averaging the entries on each row of Xij [25][27].
1
n
i j j i j
X
W
n
Step 4: Consistency analysis: The last step is to calculate the consistency ratio and check its value. The purpose of doing this is to make sure that the original preference ratings were consistent by following these steps:
1) Multiply each column of the pairwise comparison matrix by the corresponding weight.
2) Divide the sum of the row entries by the corresponding weight.
3) Compute λmax to calculate the average of the values from (2).
4) Calculate the consistency index (CI) by (4).
m a x
1
n C I
n
5) Calculate the consistency Ratio (CR) as in (5) by the Random inconsistency indices (RI) that has determined by (Saaty, 1980) (Table 2) [24].
C I C R
R I
TABLE 2. RANDOM INCONSISTENCY INDICES.
NO 2 3 4 5 6 7 8 9 10
IR 0 0.58 0.90 1.12 1.24 1.32 1.41 1.45 1.49
7
ILLUSTRATION
This study applied the AHP approach to propose a security classification for IoT threats. AHP offer more precise and accurate analysis by determining the relations among sub-criteria in every main sub-criteria. We have divided 80 users into three classes (G1, G2 and G3):
The first class (G1) is 50 college students who are using IoT devices and have simple information about Main Criteria
Physical Network Software
Sub-Criteria
Sub-Criteria Network (C2)
Sub-Criteria Physical (C1)
(C11) Confidentiality (C12) Availability (C13) Integrity (C14) Fault Tolerance (C15) Accountability (C16) System Trust
(C21) Confidentiality (C22) Availability (C23) Integrity (C24) System Trust
Software (C3)
(C31) Confidentiality (C32) Availability (C33) Integrity (C34) Accountability (C35) System Trust
Sub-Criteria Goal
4864 attributes of security such as confidentiality, availability
and integrity.
The second class (G2) is 17 PhD holder who are using IoT devices, but they haven't experience in information security.
The third class (G3) is 13 PhD holder who had over five years of experience in cybersecurity, wireless network, IoT and had lots of publications in these subjects.
Before starting the survey, profound explanation to the participants has been done about each criteria, sub-criteria and IoT threats. This will prevent having miss leading data in our study. To collect the data needed, we have done two questionnaires. The goal of the first is to collect data that represent the relation about the sub-criteria, which will be used to calculate the weight using AHP algorithm. This is done by (G3) to maintain data accurate as possible in calculating the weight. The scale used is from 1-9 which representing the range from "Equally Important" to "Extremely Important", as seen in Table 3.
TABLE 3. FIRST QUESTIONNAIRE SCALE.
Importance Scale
Definition of Importance Scale
1 Equally Important
2 Equally to Moderately Important 3 Moderately Important
4 Moderately to Strongly Important 5 Strongly Important
6 Strongly to Very Strongly Important 7 Very Strongly Important
8 Very Strongly to Extremely Impotent 9 Extremely Important
Consistency of judgements is checked, and the CR value was less than 0.10, which demonstrates that all judgements are acceptable to use. The relative weights of elements obtained by using (2) and (3) as seen in Table 4, Table 5 and Table 6.
TABLE 4. AHP RELATION MATRIX FOR PHYSICAL THREATS.
C1 C11 C12 C13 C14 C15 C16 C1
weight s C11 0.389
6 0.360 0 0.461 5 0.272 7 0.187 5 0.378 8 0.3417 C1 2 0.129 9 0.120 0 0.076 9 0.272 7 0.125 0 0.151 5 0.1460 C1 3 0.194 8 0.360 0 0.230 8 0.272 7 0.187 5 0.227 3 0.2455 C1 4 0.129 9 0.040 0 0.076 9 0.090 9 0.125 0 0.151 5 0.1024 C1 5 0.077 9 0.060 0 0.076 9 0.045 5 0.062 5 0.015 2 0.0563 C1 6 0.077 9 0.060 0 0.076 9 0.045 5 0.312 5 0.075 8 0.1081
TABLE 5. AHP RELATION MATRIX FOR NETWORK THREATS.
C2 C21 C22 C23 C24 C2 weight
C21 0.4545 0.5660 0.3077 0.4545 0.4457
C22 0.2273 0.2830 0.4615 0.2727 0.3111
C23 0.2273 0.0566 0.1538 0.1818 0.1549
C24 0.0909 0.0943 0.0769 0.0909 0.0883
TABLE 6. AHP RELATION MATRIX FOR SOFTWARE THREATS.
C3 C31 C32 C33 C34 C35 C3 weight
C31 0.460 0.463 0.506 0.250 0.452 0.426
C32 0.153 0.154 0.127 0.350 0.194 0.196
C33 0.230 0.309 0.253 0.250 0.258 0.260
C34 0.092 0.022 0.051 0.050 0.032 0.049
C35 0.066 0.051 0.063 0.100 0.065 0.069 The second questionnaire represents the relations between the threats and the element of security, which will effect system trust. This is done by the 80 users. The scale used is from 0-5, which represent the risk value from no effect to very high effect, as shown in Table 7. All the scale used is a positive integer for simplicity to the surveyed people. The participants in (G1) represent the users of IoT devices in the future, so IoT service providers should consider their opinion to gain their trust. As seen, in Table 8, Table 9, and Table 10 Social Engineering (0.903), Malware (0.927), Malicious Code Attacks Injection on the Node (0.918), and Sinkhole Attack (0.956) are their most concern. They focus on threats that affect confidentiality and integrity but do not care a lot about Availability according to the result of Denial of Service attack as seen in Fig. 4. Table 11, Table 12, and Table 13 present the judgements of the (G2) users. Although they do not have deep knowledge about IoT threats, they use IoT devices and may look to security threats from a different perspective. From their judgements in Fig.5 we can conclude that they fear threats that they can not control as node tempering (0.869), sinkhole attack (0.928). Also, they considered phishing attack (0.934) is risky because they use email service in their work. In Table 14, Table 15, and Table 16 (G3) classify the DOS/DDOS (0.957), social engineering (0.885), malware (0.835), malicious code attacks injection on the node (0.877), and sinkhole attack (0.808) as the riskiest threats as seen in Fig. 6. DOS/DDOS threat can be very serious to IoT services, mainly if it targets service in smart hospitals, smart vehicles, and security alarms. In addition, malware can spread very fast in the IoT network and impact confidentiality and integrity. According to this result, the IoT environment should provide different security countermeasures and different security resources based on the IoT context and users.
TABLE 7. SECOND QUESTIONNAIRE SCALE.
Risk Scale Definition of Risk Scale
0 No Effect
1 Very Low Effect 2 Low Effect 3 Medium Effect 4 High Effect 5 Very high Effect
TABLE 8. STUDENT JUDGEMENTS ABOUT NETWORK THREATS.
Network threats C21 C22 C23 C24
Traffic Analysis Attacks 2.579 2.50 2.778 3.460
RFID Spoofing and Cloning
2.500 2.976 3.294 3.698
Sinkhole Attack 2.897 2.778 3.33 3.024
Man in the Middle Attack 2.381 2.778 3.294 2.825
Routing Information Attacks
Sybil Attacks 3.016 2.460 2.778 2.905
TABLE 9. STAUDTE JUDGEMENTS ABOUT SOFTWARE THREATS.
Software threats C31 C32 C33 C34 C35
Malware 3.016 2.579 3.413 2.857 2.825
Phishing Attacks 3.016 2.143 3.016 3.175 2.786
DOS and DDOS 1.230 3.373 2.22 2.937 2.865
Cryptanalysis Attacks 3.175 2.262 2.897 2.738 3.421
TABLE 10. STUDENT JUDGEMENTS ABOUT PHYSICAL THREATS.
Physical threats C11 C12 C13 C14 C15 C16
Node Tempering
2.778 2.976 2.897 3.532 1.984 3.175
RF Interference 1.508 3.33 2.024 2.50 1.905 2.937
Node Jamming 2.976 3.452 2.024 2.738 1.905 2.778
Physical Damage
1.310 2.540 1.230 2.778 3.492 3.095
Side-Channel Attack
3.016 2.22 3.254 2.937 2.103 2.897
Social Engineering
3.571 2.857 3.095 2.421 3.770 1.984
Sleep Deprivation Attack
1.786 2.857 1.706 2.22 1.627 2.500
Malicious Code Attacks Injection on the Node
3.294 2.976 3.571 3.889 3.175 2.619
TABLE 11. TEACHER JUDGEMENTS ABOUT PHYSICAL THREATS.
Physical threats C11 C12 C13 C14 C15 C16
Node Tempering
3.33 3.33 2.778 3.33 4.0 3.556
RF Interference 2.778 3.556 2.33 3.33 3.0 2.22
Node Jamming 2.22 3.33 1.667 2.556 2.22 2.22
Physical Damage
2.778 3.444 1.33 2.11 3.0 2.778
Side-Channel Attack
2.778 2.22 3.33 3.22 2.11 3.22
Social Engineering
3.778 1.889 2.222 2.444 3.444 3.778
Sleep Deprivation Attack
2.33 2.889 1.889 2.667 3.11 3.11
Malicious Code Attacks Injection on the Node
3.33 3.0 2.44 2.11 1.889 2.556
TABLE 12. TEACHER JUDGEMENTS ABOUT NETWORK THREATS.
Network threats C21 C22 C23 C24
Traffic Analysis Attacks 1.78 1.89 1.67 2.33
RFID Spoofing and Cloning
2.11 2.11 2.22 2.00
Sinkhole Attack 2.22 2.22 2.78 1.44
Man in the Middle Attack 1.89 1.67 2.22 2.22
Routing Information Attacks
2.00 2.89 1.33 2.22
TABLE 13. TEACHER JUDGEMENTS ABOUT SOFTWARE THREATS.
Software threats C31 C32 C33 C34 C35
Malware 3.667 2.22 2.889 3.0 3.22
Phishing Attacks 2.33 2.22 2.889 3.556 3.0
DOS and DDOS 2.22 4.44 2.22 2.22 1.33
Cryptanalysis Attacks 3.0 3.44 2.22 4.22 3.556
TABLE 14. EXPERT JUDGEMENTS ABOUT PHYSICAL THREATS.
Physical threats
C11 C12 C13 C14 C15 C16
Node Tempering
4.04 8
1.984 0.31 7
2.381 2.143 3.81 0
RF
Interference
0 2.778 0 1.508 2.302 3.49 2
Node Jamming 0 2.937 0 1.984 2.302 3.57
1
Physical Damage
3.17 5
0.794 0 1.667 2.778 3.17 5
Side Channel Attack
3.17 5
0 0.39 7
2.460 2.778 3.25 4
Social Engineering
4.36 5
2.381 2.93 7
2.381 3.810 2.85 7
Sleep Deprivation Attack
0 2.540 0 3.175 2.619 4.12 7
Malicious Code Attacks Injection on the Node
3.17 5
3.175 3.96 8
3.175 3.175 3.96 8
TABLE 15. EXPERT JUDGEMENTS ABOUT NETWORK THREATS.
Network Threats C21 C22 C23 C24
Traffic Analysis Attacks 2.619 0 0.476 4.44
RFID Spoofing and Cloning 1.984 2.778 1.587 3.175
Sinkhole Attack 3.175 1.270 3.175 3.254
Man in the Middle Attack 3.333 0 1.190 4.365
Routing Information Attacks 3.254 0.952 2.698 3.571
Sybil Attacks 3.333 1.349 1.349 3.33
TABLE 16. EXPERT JUDGEMENTS ABOUT SOFTWARE THREATS
.
Software threats C31 C32 C33 C34 C35
Malware 2.778 1.984 1.587 1.984 2.063
Phishing Attacks 2.778 0 1.587 2.778 3.175
DOS and DDOS 0 4.762 3.968 2.381 0.952
Cryptanalysis Attacks
2.381 0 1.984 0.794 3.571
4866
Fig. 5. IoT Threats Classification According to PHD, Holder with low Experience in Security.
Figure 6. IoT Threats Classification According to PHD Holder with High Experience in Security.
8
CONCLUSION
In this paper, an overview of the most critical IoT security threats was discussed, and a new classification based on the AHP approach was proposed. The new model depends on the stakes of the three users classes. Decision-makers in IoT service should focus on gaining user trust as well as protecting the system. To do that, precise security measures combine the expert's knowledge, and regular users' needs can be applied to IoT systems, which will reduce cost and complexity. We think this study can be used to develop more suitable framework security for IoT environment in the future.
REFERENCES
[1] Mohamed Abomhara, and Geir M. Koien, “Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks”, Journal of Cyber Security and Mobility, 2015.
[2] Kaitlin Boecket et al., “Considerations for managing internet of things (IoT) cybersecurity and privacy risks”, National Institute of Standards and Technology, 2018. [3] Supriya Nagarkar, and Vikas Prasad, “Evaluating Privacy
and Security Threats in IoT based Smart Home Environment”, International Journal of Applied Engineering Research, 2019.
[4] Tuhin Borgohain, Uday Kumar, and Sugata Sanyal, “Survey of Security and Privacy Issues of Internet of Things”, arXiv preprint, 2015.
[5] Jyoti Deogirikar and Amarsinh Vidhate, “Security Attacks in IoT: A Survey”, International conference on I-SMAC, 2017.
[6] Yang Lu, and Li Da Xu, “Internet of Things (IoT) Cybersecurity Research: A Review of Current Research
Topics”, “IEEE Internet of
Things Journal”2019.
[7] Mirza Abdur, Sajid Habib, Muhammad Ali and Saleem Ullah, “Security Issues in the Internet of Things (IoT): A Comprehensive Study”, International Journal of Advanced Computer Science and Applications, 2017. [8] Se-Ra Oh, and Young-Gab Kim, “Security Requirements
Analysis for the IoT”, International Conference on Platform Technology and Service (PlatCon), 2017. [9] Peter Aufner, “The IoT security gap: a look down into the
valley between threat models and their implementation”, International Journal of Information Security, 2019. [10] Keon Chul Park and Dong-Hee Shin, “Security
assessment framework for IoT service”, Telecommun Systems, 2017.
[11] Hany F. Atlam and Gray B. Wills, “IoT security, privacy, safety and Ethics ", Springer Nature Switzerland AG, 2020.
[12] Diksha Sopori, Tanaya Pawar, Manjiri Patil, and Roopkala Ravindran, “Internet of Things: Security Threats”, International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) Volume 6, Issue 3, March 2017.
[13] Inayat Ali, Sonia Sabir, and Zahid Ullah, “Internet of Things Security, Device Authentication and access control: A review”, International Journal of Computer Science and Information Security, 2016.
[14] Islam Abdalla, “Social Engineering Threat and Defense: A Literature Survey”, Journal of Information Security, 2018.
[15] Hezam Akram Abdul,Ghani, Dimitri Konstantas, and Mohammed Mahyoub, “A Comprehensive IoT Attacks Survey based on a Building-blocked Reference Model”, International Journal of Advanced Computer Science and Applications, 2018.
[16] Tim Zanni, Greg Bell, and Danny Le, “risk or reward: What lurks within you IoT?”, 2017.
[18] Sarfraz Alam, Mohammad M.R. Chomdhury and Josef Noll, “Interoperability of security-enabled Internet of things”. Wireless Personal Communications, 2011. [19] Simone Cirani, Gianluigi Ferrari and Luca Veltri,
“Enforcing security mechanisms in the IP-based Internet of things: an algorithmic overview”, Algorithms 6, 2013. [20] Zhifeng Xiao, Nandhakumar Kathiresshan and Yang
Xiao, “A survey of accountability in computer networks and distributed systems”, security and communication networks, 2016.
[21] Arvind Kumar, Rama Shankar, Ranvijay, and Anjali Jain, “Fault Tolerance in Real Time Distributed System”, International Journal on Computer Science and Engineering, 2011.
[22] Dawei Sun, Guiran Chang, Lina Sun and Xingwei Wang, “Surveying and analyzing security, privacy and trust issues in cloud computing environments”, Procedia Engineering, 2011.
[23] R.Vignesh and A.Samydurai, “Security on Internet of Things (IOT) with Challenges and Countermeasures”, International Journal of Ecology and Development Research, 2017.
[24] Jiri Franek and Ales Kresta, “Judgment scales and consistency measure in AHP”, Procedia Economics and Finance, 2014.
[25] Roseanna W.Saaty, “The analytic hierarchy process— what it is and how it is used”, Mathematical modelling, 1987.
[26] G. Marimuthu and Dr. G. Ramesh, “On Moderate Analytic Hierarchy Process Pairwise Comparison Model (Model II)”, International Journal of Science and Research, 2013.
