PlumeWalk: Towards Threat Provenance Localization for IoT Networks

2019 11th International Conference on Communication Systems & Networks (COMSNETS), 2019

Abstract
IoT network security is generally viewed from the perspective of a single or a few attack surfaces. A general characterization of attack source threat provenance (origin) under multiple concurrently prevailing attacks can be useful for mitigating origins of attacks and studying the profile of propagating threats. This paper proposes a novel graph-theoretic threat provenance identification framework for IoT networks called PlumeWalk. Our framework helps in securing large-sized networks by providing fast and accurate topological characterization of threat provenance as implied by the network traffic and the network configuration. PlumeWalk is efficiently computable on computationally constrained IoT devices. We simulate attacks on confidentiality, integrity and availability of IoT sensors with different transport reliabilities to evaluate the accuracy and compute time savings of PlumeWalk. We show that PlumeWalk outperforms a measure called “Betweenness Centrality” for flagging threat presence, by using less compute time and providing better characterization of attack origin / impact. Finally, we compare PlumeWalk with relevant contemporary solutions for modeling IoT network attack characterization and threat propagation.
Keywords
IoT networks, IoT network security, attack source threat provenance, PlumeWalk, large-sized networks, network traffic, network configuration, computationally constrained IoT devices, IoT sensors, compute time savings, threat presence, threat propagation, threat provenance localization, IoT network attack characterization, graph theoretic threat provenance identification framework, attack origin/impact