Is this IoT Device Likely to be Secure? Risk Score Prediction for IoT Devices Using Gradient Boosting Machines

TL;DR

This paper introduces a machine learning approach using Gradient Boosting Machines to predict the security risk of IoT devices based on publicly available data, aiding organizations in risk assessment.

Contribution

It presents a novel, systematic dataset and applies gradient boosting models to accurately predict IoT device vulnerability severity, enhancing risk management practices.

Findings

Achieved 71% accuracy in vulnerability severity prediction.

Created a balanced dataset from NVD records for IoT devices.

Demonstrated cost-effective risk prediction method for enterprises.

Abstract

Security risk assessment and prediction are critical for organisations deploying Internet of Things (IoT) devices. An absolute minimum requirement for enterprises is to verify the security risk of IoT devices for the reported vulnerabilities in the National Vulnerability Database (NVD). This paper proposes a novel risk prediction for IoT devices based on publicly available information about them. Our solution provides an easy and cost-efficient solution for enterprises of all sizes to predict the security risk of deploying new IoT devices. After an extensive analysis of the NVD records over the past eight years, we have created a unique, systematic, and balanced dataset for vulnerable IoT devices, including key technical features complemented with functional and descriptive features available from public resources. We then use machine learning classification models such as Gradient Boosting Decision Trees (GBDT) over this dataset and achieve 71% prediction accuracy in classifying the severity of device vulnerability score.