Md Wasiuddin Pathan, Shuvo (2023) On Reducing Underutilization of Security Standards by Deriving Actionable Rules: An Application to IoT. Masters thesis, Concordia University.
Text (application/pdf): Shuvo_MASc_F2023.pdf (889kB) - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
Even though there exist a number of security guidelines and recommendations from various worldwide standardization authorities (e.g., NIST, ISO, ENISA), it is evident from many of the recent attacks that these standards are not strictly followed in the implementation of real-world products. Furthermore, most security applications (e.g., monitoring and auditing) do not consider those standards as the basis of their security checks. Therefore, regardless of continuous efforts in publishing security standards, they are still under-utilized in practice. Such under-utilization might be caused by the fact that existing security standards are intended more for high-level recommendations than for being readily adopted by automated security applications operating on system-level data. Bridging this gap between high-level recommendations and low-level system implementations becomes extremely difficult, as a fully automated solution might suffer from high inaccuracy, whereas a fully manual approach might require tedious efforts. Therefore, in this thesis, we aim for a more practical solution by proposing a partially automated approach, which automates the tedious tasks (e.g., summarizing long standard documents, and extracting device specifications) and relies on manual efforts from security experts to avoid mistakes in finalizing security rules. We apply our solution to IoT by implementing it with IoT-specific standards (NISTIR 8228) and smart home networks. We further demonstrate the actionability of our derived rules in three major applications: security auditing, Intrusion Detection Systems (IDS), and secure application development.
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
---|---|
Item Type: | Thesis (Masters) |
Authors: | Md Wasiuddin Pathan, Shuvo |
Institution: | Concordia University |
Degree Name: | M.A. Sc. |
Program: | Information Systems Security |
Date: | 16 May 2023 |
Thesis Supervisor(s): | Suryadipta, Majumdar |
Keywords: | IoT, Auditing, Security Standards |
ID Code: | 992243 |
Deposited By: | Md Wasiuddin Pathan Shuvo |
Deposited On: | 16 Nov 2023 19:38 |
Last Modified: | 16 Nov 2023 19:38 |