Threat Modelling in Internet of Things (IoT) Environment Using Dynamic Attack Graphs
Marwa Salayma
TL;DR
This work tackles threat modelling in dynamic IoT environments by modeling three interconnected graphs: a network topology graph ($G_N$), a reachability graph ($G_R$), and an attack graph ($G_A$), all implemented in Neo4j with Cypher queries. It introduces merging and de-merging operations to handle system-of-systems interconnections and disconnections, enabling rapid updates to reachability and attack-path analysis without reprocessing the entire network. The healthcare use-case demonstrates how devices joining or leaving and Bluetooth/TCP connectivity alter attack paths and risk, and the authors provide queries for shortest-path and path-count risk metrics. The approach offers a scalable, compositional framework for real-time security assessment in dynamic IoT environments, with clear pathways for extending to larger datasets and Bayesian risk integration.
Abstract
This work presents a threat modelling approach to represent changes to the attack paths through an Internet of Things (IoT) environment when the environment changes dynamically, i.e., when new devices are added or removed from the system or when whole sub-systems join or leave. The proposed approach investigates the propagation of threats using attack graphs. However, traditional attack graph approaches have been applied in static environments that do not continuously change such as the Enterprise networks, leading to static and usually very large attack graphs. In contrast, IoT environments are often characterised by dynamic change and interconnections; different topologies for different systems may interconnect with each other dynamically and outside the operator control. Such new interconnections lead to changes in the reachability amongst devices according to which their corresponding attack graphs change. This requires dynamic topology and attack graphs for threat and risk analysis. In this paper, a threat modelling approach is developed that copes with dynamic system changes that may occur in IoT environments and enables identifying attack paths whilst allowing for system dynamics. Dynamic topology and attack graphs were developed that are able to cope with the changes in the IoT environment rapidly by maintaining their associated graphs. To motivate the work and illustrate the proposed approach, an example scenario based on healthcare systems is introduced. The proposed approach is implemented using a Graph Database Management Tool (GDBM)- Neo4j- which is a popular tool for mapping, visualising and querying the graphs of highly connected data, and is efficient in providing a rapid threat modelling mechanism, which makes it suitable for capturing security changes in the dynamic IoT environment.