Vulnerability and Attack Repository for IoT (VARIoT)
The goal of the VARIoT (Vulnerability and Attack Repository for IoT) project was to create a service that provides actionable information in the context of IoT security.
The Internet of Things has transitioned from a theoretical notion on the future evolution of the global network to an actual reality. “Smart” objects with the ability to communicate with the network are ubiquitous, however, the security problems associated with their proliferation, although recognized long ago, are still not solved. In addition to the technical aspects, the maturity of security management methods in the Internet of Things is also significantly lower than in the traditional IT world. This is caused by the shorter history of IoT, but also the potentially greater complexity and often completely different problems IoT generates. Accordingly, the goal of the VARIoT (Vulnerability and Attack Repository for IoT) project was to create a service providing actionable information in the context of Internet of Things security. This project was developed to address selected IoT security issues.
What we did
Our main tasks focused on creating a repository of information on vulnerabilities and exploits (i.e., programs that exploit software bugs) relating to Internet of Things devices. Based on information from multiple sources and using a variety of mechanisms to aggregate, correlate, analyze and automatically assess the reliability of information, we have created a database of vulnerabilities and exploits. The repository is publicly available on a dedicated website, through the European Data Portal and national Data Portals (such as the Polish Open Data Portal), as well as other sources such as the Malware Information Sharing Platform (MISP).
The inclusion of a wide spectrum of information sources, with different structures and different reliability, encouraged us to use a variety of mechanisms for information management, automatic correlation, detection of semantically consistent fragments, as well as advanced mechanisms for managing trust in both the information source and the information itself. In addition to information found in structured databases, a lot of information on vulnerabilities and exploits of IoT devices can be found in other sources of information, such as websites, reports or posts on various blogs. That’s why we have created a search engine that allows to search the Internet for information on vulnerabilities and exploits. The main challenge in relation to unstructured sources is the problem of extracting particular information – this applies in particular to the types of vulnerabilities, their criticalities, as well as models and manufacturers of the vulnerable devices. In order to solve these problems, we used machine learning and natural language processing methods, appropriately adapted to these specific needs.
An important research achievement, as well as a technical one, was the creation of a database of Internet of Things devices, as well as the development of a mechanism that resolves whether a given vulnerability or exploit relates to an IoT device or to a different type of IT asset. Both of these mechanisms (IoT device base and filtering mechanism) were based on natural language, keyword search mechanisms, full-text search and trust management. It is noteworthy that no large databases of Internet of Things devices have existed so far.
More information about the project can be found on its website.