On Reducing Underutilization of Security Standards by Deriving Actionable Rules: An Application to IoT

Md Wasiuddin Pathan, Shuvo (2023) On Reducing Underutilization of Security Standards by Deriving Actionable Rules: An Application to IoT. Masters thesis, Concordia University.

Text (application/pdf)
Shuvo_MASc_F2023.pdf - Accepted Version
Available under License Spectrum Terms of Access.
889kB

Abstract

Even though there exist a number of security guidelines and recommendations from various worldwide standardization authorities (e.g., NIST, ISO, ENISA), it is evident from many of the recent attacks that these standards are not strictly followed in the implementation of real-world products. Furthermore, most security applications (e.g., monitoring and auditing) do not consider those standards as the basis of their security checks. Therefore, regardless of continuous efforts in publishing security standards, they are still under-utilized in practice. Such under-utilization might be caused by the fact that existing security standards are intended more as high-level recommendations than for ready adoption in automated security applications on system-level data. Bridging this gap between high-level recommendations and low-level system implementations becomes extremely difficult, as a fully automated solution might suffer from high inaccuracy, whereas a fully manual approach might require tedious efforts. Therefore, in this thesis, we aim for a more practical solution by proposing a partially automated approach, which automates the tedious tasks (e.g., summarizing long standard documents and extracting device specifications) and relies on manual efforts from security experts to avoid mistakes in finalizing security rules. We apply our solution to IoT by implementing it with IoT-specific standards (NISTIR 8228) and smart home networks. We further demonstrate the actionability of our derived rules in three major applications: security auditing, intrusion detection systems (IDS), and secure application development.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Md Wasiuddin Pathan, Shuvo
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 16 May 2023
Thesis Supervisor(s): Suryadipta, Majumdar
Keywords: IoT, Auditing, Security Standards
ID Code: 992243
Deposited By: Md Wasiuddin Pathan Shuvo
Deposited On: 16 Nov 2023 19:38
Last Modified: 16 Nov 2023 19:38
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
