Abstract
In this paper we address the lack of knowledge management systems for Internet of Things (IoT)-specific vulnerabilities and attacks. This data has been published in disparate sources, including news articles, blogs, white papers and social media, but not in a centralised form. In addition, while comprehensive vulnerability databases do exist, a significant portion of their listings may not apply to IoT devices, since these devices tend to run on unique software, hardware and networking protocols. We present the design and implementation of a community-driven, IoT-specific database which documents vulnerabilities in and attacks on IoT infrastructures. Our database supports integration with other vulnerability databases such as the National Vulnerability Database (NVD) and provides a suite of data access APIs for integration with other applications, such as Integrated Development Environments (IDEs) or security tools. The database can serve as a knowledge base for IoT application developers and security researchers, contribute to cyber situational awareness in an enterprise, and improve general awareness of IoT security among the public.
Notes
1. Throughout the paper, we use the terms attacks and exploits interchangeably.
2. Shodan, https://www.shodan.io.
3. Tenable: Nessus, http://www.tenable.com/products/nessus.
4. IBM X-force Exchange, http://www.exchange.xforce.ibmcloud.com.
Acknowledgement
The work has been supported by the Cyber Security Research Centre Limited whose activities are partially funded by the Australian Government’s Cooperative Research Centres Programme. We also would like to thank Tata Consultancy Services Limited (TCS) and Data61, the industry partners of the program.
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Nerwich, M., Gauravaram, P., Paik, Hy., Nepal, S. (2020). Vulnerability Database as a Service for IoT. In: Batina, L., Li, G. (eds) Applications and Techniques in Information Security. ATIS 2020. Communications in Computer and Information Science, vol 1338. Springer, Singapore. https://doi.org/10.1007/978-981-33-4706-9_7
DOI: https://doi.org/10.1007/978-981-33-4706-9_7
Publisher Name: Springer, Singapore
Print ISBN: 978-981-33-4705-2
Online ISBN: 978-981-33-4706-9
eBook Packages: Computer Science, Computer Science (R0)