%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'fontSize': '12px'}}}%%
graph LR
subgraph ESP32["ESP32 DevKit V1"]
G2[GPIO 2]
G4[GPIO 4]
G5[GPIO 5]
G18[GPIO 18]
G15[GPIO 15]
G16[GPIO 16]
G17[GPIO 17]
G19[GPIO 19]
GND[GND]
end
subgraph LEDs["Threat Level LEDs"]
GL[Green LED<br/>Normal]
YL[Yellow LED<br/>Warning]
RL[Red LED<br/>Critical]
BL[Blue LED<br/>Lockout]
end
subgraph Attacks["Attack Simulation Buttons"]
B1[Button 1<br/>Brute Force]
B2[Button 2<br/>Replay]
B3[Button 3<br/>Injection]
B4[Button 4<br/>Reset]
end
G2 --> GL --> GND
G4 --> YL --> GND
G5 --> RL --> GND
G18 --> BL --> GND
G15 --> B1 --> GND
G16 --> B2 --> GND
G17 --> B3 --> GND
G19 --> B4 --> GND
style ESP32 fill:#2C3E50,color:#fff
style GL fill:#16A085,color:#fff
style YL fill:#F1C40F,color:#000
style RL fill:#E74C3C,color:#fff
style BL fill:#3498DB,color:#fff
1398 Threat Detection and Risk Assessment Lab
1398.1 Learning Objectives
By the end of this lab, you will be able to:
- Detect Threats in Real-Time: Use a threat detection simulator to identify attacks
- Apply DREAD Scoring: Calculate risk scores for detected vulnerabilities
- Analyze Attack Patterns: Recognize common IoT attack signatures
- Configure Detection Thresholds: Tune security controls to balance false positives and detection
- Implement Lockout Policies: Design account lockout and recovery mechanisms
NoteRelated Chapters
Threat Modeling Series: - Introduction & Fundamentals - Threat modeling basics - STRIDE Framework - Systematic threat identification - Attack Scenarios - Real-world attacks - Assessments - Quizzes and knowledge checks
Security Implementation: - Device Security - Device hardening - Encryption - Cryptographic protection
TipFor Beginners: Threat Detection Lab
What is this lab about? This interactive simulator teaches you to detect and respond to security threats in real-time. You’ll analyze login attempts, identify brute-force attacks, calculate risk scores using DREAD, and tune detection thresholds to catch attackers without blocking legitimate users.
Why does this matter? Threat modeling isn’t just theory - you need to implement detection systems that catch real attacks. This lab gives you hands-on experience with the trade-offs: set thresholds too low and you miss attacks; set them too high and you block legitimate users.
What you’ll learn: - How to spot brute-force password attacks - When to lock accounts vs reset passwords - How to calculate DREAD risk scores - How to tune detection sensitivity - How to recover from false positives
TipMVU: Threat Detection Systems
Core Concept: Threat detection systems monitor activity patterns to identify attacks (failed logins, unusual traffic, privilege escalation attempts) and trigger automated responses (account lockout, alerts, blocking). Why It Matters: Threats must be detected before they succeed; the average data breach takes 207 days to detect - automated systems reduce this to minutes. Key Takeaway: Balance false positives (blocking legitimate users) with false negatives (missing real attacks) by tuning thresholds based on risk tolerance.
1398.2 Lab: Threat Detection and Risk Assessment Simulator
NoteLearning Objectives
By completing this interactive hardware lab, you will be able to:
- Detect simulated attack patterns including brute force, replay, and injection attacks
- Implement security event logging with timestamped attack records and threat categorization
- Configure alert thresholds that trigger responses based on attack frequency and severity
- Calculate risk scores using DREAD-inspired methodology in real-time
- Visualize threat levels through LED indicators representing different security states
- Respond to security incidents with automated lockout and escalation mechanisms
- Analyze attack patterns through serial console threat reports
Prerequisites: Basic Arduino/C++ syntax, understanding of STRIDE/DREAD from this chapter
Estimated Time: 75-90 minutes
This hands-on lab simulates an IoT security monitoring system that demonstrates core threat modeling concepts. You will build a device that detects, logs, and responds to simulated attacks while calculating real-time risk scores based on the DREAD methodology covered in this chapter.
1398.2.1 Why This Lab Matters
In production IoT systems, threat detection happens at multiple layers:
- Device level: Detecting abnormal access patterns, failed authentications, firmware tampering
- Network level: Identifying malicious traffic, port scans, protocol violations
- Application level: Catching injection attacks, unauthorized API calls, data exfiltration
This lab simulates device-level threat detection, giving you hands-on experience with:
- Attack pattern recognition - How systems identify malicious behavior
- Threshold-based alerting - When to escalate vs. ignore security events
- Risk quantification - Converting qualitative threats to actionable scores
- Automated response - Implementing lockouts and countermeasures
1398.2.2 Components
| Component | Purpose | Wokwi Element |
|---|---|---|
| ESP32 DevKit | Main controller running threat detection algorithms | esp32:devkit-v1 |
| Green LED | System normal / secure state indicator | led:green |
| Yellow LED | Warning state / elevated threat level | led:yellow |
| Red LED | Critical alert / attack in progress | led:red |
| Blue LED | Lockout active / system recovery mode | led:blue |
| Push Button 1 | Simulate brute force attack (rapid authentication failures) | button |
| Push Button 2 | Simulate replay attack (repeated command injection) | button |
| Push Button 3 | Simulate injection attack (malformed data packets) | button |
| Push Button 4 | Reset security state / clear lockout | button |
| Resistors (4x 220 ohm) | Current limiting for LEDs | resistor |
1398.2.3 Interactive Wokwi Simulator
Use the embedded simulator below to build and test your threat detection system. Wire the circuit as shown, paste the code, and click “Start Simulation”.
TipSimulator Tips
- Wire first: Connect all components before pasting code
- Paste code: Copy the complete code into the editor (replacing existing code)
- Run: Click the green “Play” button to compile and run
- Serial Monitor: View threat logs and risk scores in the Serial Monitor panel (115200 baud)
- Simulate attacks: Press buttons rapidly to trigger different attack patterns
- Observe LEDs: Watch threat level changes reflected in LED states
- Save: Create a free Wokwi account to save your projects
1398.2.4 Circuit Connections
Wire the circuit in Wokwi before entering the code:
ESP32 Pin Connections:
----------------------
GPIO 2 --> Green LED (+) --> 220 ohm Resistor --> GND (Normal/Secure)
GPIO 4 --> Yellow LED (+) --> 220 ohm Resistor --> GND (Warning)
GPIO 5 --> Red LED (+) --> 220 ohm Resistor --> GND (Critical)
GPIO 18 --> Blue LED (+) --> 220 ohm Resistor --> GND (Lockout)
GPIO 15 --> Button 1 --> GND (Brute Force Attack)
GPIO 16 --> Button 2 --> GND (Replay Attack)
GPIO 17 --> Button 3 --> GND (Injection Attack)
GPIO 19 --> Button 4 --> GND (Reset/Recovery)1398.2.5 Complete Arduino Code
Copy and paste this complete code into the Wokwi simulator:
NoteThreat Detection and Risk Assessment Lab Code
// =====================================================================
// THREAT DETECTION AND RISK ASSESSMENT SIMULATOR
// IoT Security Monitoring Lab - ESP32
// =====================================================================
//
// This lab simulates an IoT security monitoring system that:
// - Detects simulated attack patterns (brute force, replay, injection)
// - Logs security events with timestamps and severity levels
// - Calculates real-time risk scores using DREAD methodology
// - Triggers automated responses based on threat thresholds
// - Visualizes threat levels through LED indicators
//
// Educational purposes - demonstrates threat modeling concepts
// NOT for production security implementations
// =====================================================================
#include <Arduino.h>
// =====================================================================
// PIN DEFINITIONS
// =====================================================================
// LED Indicators - Threat Level Visualization
#define LED_NORMAL 2 // Green LED - System secure, no active threats
#define LED_WARNING 4 // Yellow LED - Elevated threat, monitoring
#define LED_CRITICAL 5 // Red LED - Active attack, immediate response
#define LED_LOCKOUT 18 // Blue LED - System locked, recovery mode
// Attack Simulation Buttons
#define BTN_BRUTE_FORCE 15 // Button 1 - Simulate brute force attack
#define BTN_REPLAY 16 // Button 2 - Simulate replay attack
#define BTN_INJECTION 17 // Button 3 - Simulate injection attack
#define BTN_RESET 19 // Button 4 - Reset security state
// =====================================================================
// THREAT MODELING CONSTANTS
// =====================================================================
// STRIDE Threat Categories (mapped to attack types)
enum STRIDECategory {
STRIDE_SPOOFING, // Identity spoofing attacks
STRIDE_TAMPERING, // Data/code tampering
STRIDE_REPUDIATION, // Action denial
STRIDE_INFORMATION_DISCLOSURE, // Data leaks
STRIDE_DENIAL_OF_SERVICE, // Availability attacks
STRIDE_ELEVATION_OF_PRIVILEGE // Unauthorized access
};
// Attack Types we simulate
enum AttackType {
ATTACK_NONE = 0,
ATTACK_BRUTE_FORCE, // STRIDE: Spoofing + Elevation of Privilege
ATTACK_REPLAY, // STRIDE: Spoofing + Repudiation
ATTACK_INJECTION, // STRIDE: Tampering + Elevation of Privilege
ATTACK_TYPE_COUNT
};
// Threat Levels
enum ThreatLevel {
THREAT_NORMAL = 0, // Green - No active threats
THREAT_LOW, // Green - Minor anomalies
THREAT_MEDIUM, // Yellow - Suspicious activity
THREAT_HIGH, // Yellow - Likely attack
THREAT_CRITICAL, // Red - Confirmed attack
THREAT_LOCKOUT // Blue - System locked down
};
// =====================================================================
// DREAD RISK SCORING STRUCTURE
// Each factor scored 0-10, total risk = average
// =====================================================================
struct DREADScore {
uint8_t damage; // D: Potential damage (0-10)
uint8_t reproducibility; // R: How easy to reproduce (0-10)
uint8_t exploitability; // E: Skill level required (0-10)
uint8_t affectedUsers; // A: Scope of impact (0-10)
uint8_t discoverability; // D: How easy to find (0-10)
// Calculate overall DREAD score (0-10 scale)
float calculate() {
return (damage + reproducibility + exploitability +
affectedUsers + discoverability) / 5.0;
}
// Get risk level string
const char* getRiskLevel() {
float score = calculate();
if (score >= 8.0) return "CRITICAL";
if (score >= 6.0) return "HIGH";
if (score >= 4.0) return "MEDIUM";
return "LOW";
}
};
// =====================================================================
// SECURITY EVENT STRUCTURE
// =====================================================================
struct SecurityEvent {
unsigned long timestamp; // Milliseconds since boot
AttackType attackType; // Type of attack detected
STRIDECategory strideType; // STRIDE classification
uint8_t severity; // 1-5 severity scale
DREADScore dreadScore; // DREAD risk assessment
bool mitigated; // Was the attack blocked?
char description[64]; // Human-readable description
};
// =====================================================================
// ATTACK PATTERN DETECTOR
// Tracks attack frequency and patterns over time windows
// =====================================================================
struct AttackPattern {
AttackType type;
uint16_t count; // Total attacks detected
uint16_t windowCount; // Attacks in current time window
unsigned long firstSeen; // First attack timestamp
unsigned long lastSeen; // Most recent attack
unsigned long windowStart; // Current window start time
uint16_t threshold; // Alert threshold
bool alertActive; // Currently alerting?
};
// =====================================================================
// GLOBAL STATE VARIABLES
// =====================================================================
// Current system state
ThreatLevel currentThreatLevel = THREAT_NORMAL;
bool systemLocked = false;
unsigned long lockoutEndTime = 0;
const unsigned long LOCKOUT_DURATION = 30000; // 30 second lockout
// Attack patterns for each type
AttackPattern attackPatterns[ATTACK_TYPE_COUNT];
// Security event log (circular buffer)
#define EVENT_LOG_SIZE 50
SecurityEvent eventLog[EVENT_LOG_SIZE];
int eventLogIndex = 0;
int eventLogCount = 0;
// Timing constants
const unsigned long WINDOW_SIZE = 10000; // 10 second detection window
const unsigned long DEBOUNCE_DELAY = 150; // Button debounce
const unsigned long THREAT_DECAY_INTERVAL = 5000; // Threat level decay time
unsigned long lastDebounce = 0;
unsigned long lastThreatDecay = 0;
unsigned long lastStatusReport = 0;
// Overall risk score (running average)
float overallRiskScore = 0.0;
// Attack statistics
unsigned long totalAttacksDetected = 0;
unsigned long totalAttacksMitigated = 0;
// =====================================================================
// DREAD SCORING PROFILES FOR EACH ATTACK TYPE
// Pre-defined scores based on attack characteristics
// =====================================================================
DREADScore getBruteForceDREAD(int attemptCount) {
DREADScore score;
// Damage: High if successful (account compromise)
score.damage = 8;
// Reproducibility: Very high (automated tools)
score.reproducibility = min(10, 5 + attemptCount / 2);
// Exploitability: Medium (requires weak passwords)
score.exploitability = 6;
// Affected Users: Single account initially, could spread
score.affectedUsers = min(10, 3 + attemptCount / 5);
// Discoverability: Low (needs enumeration)
score.discoverability = 4;
return score;
}
DREADScore getReplayDREAD(int attemptCount) {
DREADScore score;
// Damage: High (unauthorized actions)
score.damage = 7;
// Reproducibility: Very high (just replay captured data)
score.reproducibility = 9;
// Exploitability: Medium (need to capture valid session)
score.exploitability = 5;
// Affected Users: Depends on captured session scope
score.affectedUsers = min(10, 4 + attemptCount / 3);
// Discoverability: Medium (traffic analysis)
score.discoverability = 6;
return score;
}
DREADScore getInjectionDREAD(int attemptCount) {
DREADScore score;
// Damage: Critical (code execution, data breach)
score.damage = 9;
// Reproducibility: High once vulnerability found
score.reproducibility = 8;
// Exploitability: High (well-known techniques)
score.exploitability = 7;
// Affected Users: Potentially all users
score.affectedUsers = min(10, 6 + attemptCount / 2);
// Discoverability: Medium (requires probing)
score.discoverability = 5;
return score;
}
// =====================================================================
// SETUP FUNCTION
// =====================================================================
void setup() {
Serial.begin(115200);
delay(1000); // Allow serial to initialize
// Configure LED pins as outputs
pinMode(LED_NORMAL, OUTPUT);
pinMode(LED_WARNING, OUTPUT);
pinMode(LED_CRITICAL, OUTPUT);
pinMode(LED_LOCKOUT, OUTPUT);
// Configure button pins with internal pull-ups
pinMode(BTN_BRUTE_FORCE, INPUT_PULLUP);
pinMode(BTN_REPLAY, INPUT_PULLUP);
pinMode(BTN_INJECTION, INPUT_PULLUP);
pinMode(BTN_RESET, INPUT_PULLUP);
// Initialize attack pattern tracking
initializeAttackPatterns();
// LED startup sequence
performStartupSequence();
// Print welcome banner
printWelcomeBanner();
// Set initial LED state
updateThreatLEDs();
lastThreatDecay = millis();
lastStatusReport = millis();
}
// =====================================================================
// MAIN LOOP
// =====================================================================
void loop() {
unsigned long currentTime = millis();
// Check for system lockout state
if (systemLocked) {
handleLockoutState(currentTime);
return;
}
// Process button inputs with debouncing
if (currentTime - lastDebounce > DEBOUNCE_DELAY) {
processButtonInputs(currentTime);
}
// Update attack pattern windows
updateAttackWindows(currentTime);
// Decay threat level over time (recovery)
if (currentTime - lastThreatDecay > THREAT_DECAY_INTERVAL) {
decayThreatLevel();
lastThreatDecay = currentTime;
}
// Periodic status report
if (currentTime - lastStatusReport > 15000) {
printStatusReport();
lastStatusReport = currentTime;
}
// Update LED indicators
updateThreatLEDs();
// Small delay for stability
delay(10);
}
// =====================================================================
// INITIALIZATION FUNCTIONS
// =====================================================================
void initializeAttackPatterns() {
// Initialize brute force pattern
attackPatterns[ATTACK_BRUTE_FORCE].type = ATTACK_BRUTE_FORCE;
attackPatterns[ATTACK_BRUTE_FORCE].count = 0;
attackPatterns[ATTACK_BRUTE_FORCE].windowCount = 0;
attackPatterns[ATTACK_BRUTE_FORCE].firstSeen = 0;
attackPatterns[ATTACK_BRUTE_FORCE].lastSeen = 0;
attackPatterns[ATTACK_BRUTE_FORCE].windowStart = 0;
attackPatterns[ATTACK_BRUTE_FORCE].threshold = 5; // 5 attempts = alert
attackPatterns[ATTACK_BRUTE_FORCE].alertActive = false;
// Initialize replay attack pattern
attackPatterns[ATTACK_REPLAY].type = ATTACK_REPLAY;
attackPatterns[ATTACK_REPLAY].count = 0;
attackPatterns[ATTACK_REPLAY].windowCount = 0;
attackPatterns[ATTACK_REPLAY].firstSeen = 0;
attackPatterns[ATTACK_REPLAY].lastSeen = 0;
attackPatterns[ATTACK_REPLAY].windowStart = 0;
attackPatterns[ATTACK_REPLAY].threshold = 3; // 3 replays = alert
attackPatterns[ATTACK_REPLAY].alertActive = false;
// Initialize injection attack pattern
attackPatterns[ATTACK_INJECTION].type = ATTACK_INJECTION;
attackPatterns[ATTACK_INJECTION].count = 0;
attackPatterns[ATTACK_INJECTION].windowCount = 0;
attackPatterns[ATTACK_INJECTION].firstSeen = 0;
attackPatterns[ATTACK_INJECTION].lastSeen = 0;
attackPatterns[ATTACK_INJECTION].windowStart = 0;
attackPatterns[ATTACK_INJECTION].threshold = 2; // 2 injections = immediate alert
attackPatterns[ATTACK_INJECTION].alertActive = false;
}
void performStartupSequence() {
int leds[] = {LED_NORMAL, LED_WARNING, LED_CRITICAL, LED_LOCKOUT};
// Sequential LED test
for (int i = 0; i < 4; i++) {
digitalWrite(leds[i], HIGH);
delay(200);
digitalWrite(leds[i], LOW);
}
// Flash all LEDs
for (int j = 0; j < 2; j++) {
for (int i = 0; i < 4; i++) {
digitalWrite(leds[i], HIGH);
}
delay(150);
for (int i = 0; i < 4; i++) {
digitalWrite(leds[i], LOW);
}
delay(150);
}
}
void printWelcomeBanner() {
Serial.println();
Serial.println("================================================================");
Serial.println(" THREAT DETECTION AND RISK ASSESSMENT SIMULATOR");
Serial.println(" IoT Security Monitoring Lab - ESP32");
Serial.println("================================================================");
Serial.println();
Serial.println("This lab demonstrates core threat modeling concepts:");
Serial.println(" - Attack pattern detection (brute force, replay, injection)");
Serial.println(" - STRIDE threat classification");
Serial.println(" - DREAD risk scoring methodology");
Serial.println(" - Threshold-based alerting and automated lockout");
Serial.println();
Serial.println("ATTACK SIMULATION CONTROLS:");
Serial.println(" Button 1 (GPIO 15): Brute Force Attack");
Serial.println(" Simulates failed authentication attempts");
Serial.println(" Button 2 (GPIO 16): Replay Attack");
Serial.println(" Simulates replayed command tokens");
Serial.println(" Button 3 (GPIO 17): Injection Attack");
Serial.println(" Simulates malformed data injection");
Serial.println(" Button 4 (GPIO 19): Reset / Recovery");
Serial.println(" Clears lockout and resets threat level");
Serial.println();
Serial.println("THREAT LEVEL INDICATORS:");
Serial.println(" Green LED: NORMAL - System secure, no active threats");
Serial.println(" Yellow LED: WARNING - Elevated threat, increased monitoring");
Serial.println(" Red LED: CRITICAL - Active attack, countermeasures active");
Serial.println(" Blue LED: LOCKOUT - System locked, recovery required");
Serial.println();
Serial.println("THRESHOLDS (within 10-second window):");
Serial.println(" Brute Force: 5 attempts -> HIGH threat");
Serial.println(" Replay: 3 attempts -> HIGH threat");
Serial.println(" Injection: 2 attempts -> CRITICAL + LOCKOUT");
Serial.println();
Serial.println("Press any attack button to simulate threats...");
Serial.println("================================================================");
Serial.println();
}
// =====================================================================
// BUTTON INPUT PROCESSING
// =====================================================================
void processButtonInputs(unsigned long currentTime) {
bool inputProcessed = false;
// Check Brute Force button
if (digitalRead(BTN_BRUTE_FORCE) == LOW) {
handleBruteForceAttack(currentTime);
inputProcessed = true;
}
// Check Replay Attack button
if (digitalRead(BTN_REPLAY) == LOW) {
handleReplayAttack(currentTime);
inputProcessed = true;
}
// Check Injection Attack button
if (digitalRead(BTN_INJECTION) == LOW) {
handleInjectionAttack(currentTime);
inputProcessed = true;
}
// Check Reset button
if (digitalRead(BTN_RESET) == LOW) {
handleSecurityReset(currentTime);
inputProcessed = true;
}
if (inputProcessed) {
lastDebounce = currentTime;
}
}
// =====================================================================
// ATTACK HANDLERS
// =====================================================================
void handleBruteForceAttack(unsigned long currentTime) {
AttackPattern* pattern = &attackPatterns[ATTACK_BRUTE_FORCE];
// Update pattern statistics
pattern->count++;
pattern->windowCount++;
pattern->lastSeen = currentTime;
if (pattern->firstSeen == 0) {
pattern->firstSeen = currentTime;
}
// Get DREAD score for this attack
DREADScore dread = getBruteForceDREAD(pattern->windowCount);
float riskScore = dread.calculate();
// Create security event
SecurityEvent event;
event.timestamp = currentTime;
event.attackType = ATTACK_BRUTE_FORCE;
event.strideType = STRIDE_SPOOFING; // Primary STRIDE category
event.severity = min(5, 1 + pattern->windowCount / 2);
event.dreadScore = dread;
event.mitigated = false;
// Generate description
snprintf(event.description, sizeof(event.description),
"Brute force attempt #%d (window: %d)",
pattern->count, pattern->windowCount);
// Log the event
logSecurityEvent(event);
// Print attack detection
Serial.println();
Serial.println("========================================");
Serial.println("! ATTACK DETECTED: BRUTE FORCE");
Serial.println("========================================");
Serial.printf(" Timestamp: %lu ms\n", currentTime);
Serial.printf(" Total Count: %d\n", pattern->count);
Serial.printf(" Window Count: %d / %d threshold\n",
pattern->windowCount, pattern->threshold);
Serial.println();
Serial.println(" STRIDE Classification:");
Serial.println(" Primary: Spoofing (identity impersonation)");
Serial.println(" Secondary: Elevation of Privilege (if successful)");
Serial.println();
Serial.println(" DREAD Risk Assessment:");
Serial.printf(" Damage: %d/10 (account compromise risk)\n", dread.damage);
Serial.printf(" Reproducibility: %d/10 (automated tools available)\n", dread.reproducibility);
Serial.printf(" Exploitability: %d/10 (weak password dependency)\n", dread.exploitability);
Serial.printf(" Affected Users: %d/10 (scope of impact)\n", dread.affectedUsers);
Serial.printf(" Discoverability: %d/10 (enumeration required)\n", dread.discoverability);
Serial.println(" --------------------------------");
Serial.printf(" OVERALL SCORE: %.1f/10 [%s]\n", riskScore, dread.getRiskLevel());
Serial.println();
// Check threshold
if (pattern->windowCount >= pattern->threshold) {
pattern->alertActive = true;
escalateThreatLevel(THREAT_HIGH);
event.mitigated = true;
Serial.println(" >> THRESHOLD EXCEEDED <<");
Serial.println(" Response: Escalating to HIGH threat level");
Serial.println(" Mitigation: Rate limiting activated");
Serial.println(" Recommendation: Implement account lockout after 3 failures");
totalAttacksMitigated++;
} else {
Serial.printf(" Status: Monitoring (%d more attempts trigger alert)\n",
pattern->threshold - pattern->windowCount);
}
Serial.println("========================================");
Serial.println();
// Update overall risk
updateOverallRisk(riskScore);
totalAttacksDetected++;
}
void handleReplayAttack(unsigned long currentTime) {
AttackPattern* pattern = &attackPatterns[ATTACK_REPLAY];
// Update pattern statistics
pattern->count++;
pattern->windowCount++;
pattern->lastSeen = currentTime;
if (pattern->firstSeen == 0) {
pattern->firstSeen = currentTime;
}
// Get DREAD score
DREADScore dread = getReplayDREAD(pattern->windowCount);
float riskScore = dread.calculate();
// Create security event
SecurityEvent event;
event.timestamp = currentTime;
event.attackType = ATTACK_REPLAY;
event.strideType = STRIDE_SPOOFING;
event.severity = min(5, 2 + pattern->windowCount);
event.dreadScore = dread;
event.mitigated = false;
snprintf(event.description, sizeof(event.description),
"Replay attack #%d - duplicate token detected", pattern->count);
logSecurityEvent(event);
// Print attack detection
Serial.println();
Serial.println("========================================");
Serial.println("! ATTACK DETECTED: REPLAY ATTACK");
Serial.println("========================================");
Serial.printf(" Timestamp: %lu ms\n", currentTime);
Serial.printf(" Total Count: %d\n", pattern->count);
Serial.printf(" Window Count: %d / %d threshold\n",
pattern->windowCount, pattern->threshold);
Serial.println();
Serial.println(" STRIDE Classification:");
Serial.println(" Primary: Spoofing (session impersonation)");
Serial.println(" Secondary: Repudiation (action attribution)");
Serial.println();
Serial.println(" Attack Vector Analysis:");
Serial.println(" - Captured valid authentication token");
Serial.println(" - Replaying to bypass authentication");
Serial.println(" - No timestamp/nonce validation detected");
Serial.println();
Serial.println(" DREAD Risk Assessment:");
Serial.printf(" Damage: %d/10 (unauthorized actions)\n", dread.damage);
Serial.printf(" Reproducibility: %d/10 (trivial to replay)\n", dread.reproducibility);
Serial.printf(" Exploitability: %d/10 (traffic capture needed)\n", dread.exploitability);
Serial.printf(" Affected Users: %d/10 (captured session scope)\n", dread.affectedUsers);
Serial.printf(" Discoverability: %d/10 (network sniffing)\n", dread.discoverability);
Serial.println(" --------------------------------");
Serial.printf(" OVERALL SCORE: %.1f/10 [%s]\n", riskScore, dread.getRiskLevel());
Serial.println();
// Check threshold
if (pattern->windowCount >= pattern->threshold) {
pattern->alertActive = true;
escalateThreatLevel(THREAT_HIGH);
event.mitigated = true;
Serial.println(" >> THRESHOLD EXCEEDED <<");
Serial.println(" Response: Escalating to HIGH threat level");
Serial.println(" Mitigation: Invalidating suspected tokens");
Serial.println(" Recommendation: Implement nonce/timestamp in tokens");
Serial.println(" Recommendation: Use short-lived session tokens");
totalAttacksMitigated++;
} else {
Serial.printf(" Status: Monitoring (%d more replays trigger alert)\n",
pattern->threshold - pattern->windowCount);
}
Serial.println("========================================");
Serial.println();
updateOverallRisk(riskScore);
totalAttacksDetected++;
}
void handleInjectionAttack(unsigned long currentTime) {
AttackPattern* pattern = &attackPatterns[ATTACK_INJECTION];
// Update pattern statistics
pattern->count++;
pattern->windowCount++;
pattern->lastSeen = currentTime;
if (pattern->firstSeen == 0) {
pattern->firstSeen = currentTime;
}
// Get DREAD score - injection is highest severity
DREADScore dread = getInjectionDREAD(pattern->windowCount);
float riskScore = dread.calculate();
// Create security event
SecurityEvent event;
event.timestamp = currentTime;
event.attackType = ATTACK_INJECTION;
event.strideType = STRIDE_TAMPERING;
event.severity = 5; // Always maximum severity
event.dreadScore = dread;
event.mitigated = false;
snprintf(event.description, sizeof(event.description),
"Injection attack #%d - malformed payload detected", pattern->count);
logSecurityEvent(event);
// Print attack detection
Serial.println();
Serial.println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
Serial.println("!!! CRITICAL: INJECTION ATTACK !!!");
Serial.println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
Serial.printf(" Timestamp: %lu ms\n", currentTime);
Serial.printf(" Total Count: %d\n", pattern->count);
Serial.printf(" Window Count: %d / %d threshold\n",
pattern->windowCount, pattern->threshold);
Serial.println();
Serial.println(" STRIDE Classification:");
Serial.println(" Primary: Tampering (data manipulation)");
Serial.println(" Secondary: Elevation of Privilege (code execution)");
Serial.println(" Tertiary: Information Disclosure (data exfiltration)");
Serial.println();
Serial.println(" Attack Payload Analysis:");
Serial.println(" - Detected: SQL injection pattern");
Serial.println(" - Detected: Command injection markers");
Serial.println(" - Detected: Buffer overflow attempt");
Serial.println(" - Risk: Remote code execution possible");
Serial.println();
Serial.println(" DREAD Risk Assessment:");
Serial.printf(" Damage: %d/10 (code execution, data breach)\n", dread.damage);
Serial.printf(" Reproducibility: %d/10 (exploit is reliable)\n", dread.reproducibility);
Serial.printf(" Exploitability: %d/10 (known techniques)\n", dread.exploitability);
Serial.printf(" Affected Users: %d/10 (all system users)\n", dread.affectedUsers);
Serial.printf(" Discoverability: %d/10 (active probing)\n", dread.discoverability);
Serial.println(" --------------------------------");
Serial.printf(" OVERALL SCORE: %.1f/10 [%s]\n", riskScore, dread.getRiskLevel());
Serial.println();
// Injection attacks ALWAYS trigger immediate response
pattern->alertActive = true;
event.mitigated = true;
totalAttacksMitigated++;
Serial.println(" >> IMMEDIATE LOCKOUT TRIGGERED <<");
Serial.println();
Serial.println(" Automated Response:");
Serial.println(" 1. Blocking source IP address");
Serial.println(" 2. Terminating active session");
Serial.println(" 3. Logging forensic data");
Serial.println(" 4. Alerting security team");
Serial.println(" 5. Initiating system lockout");
Serial.println();
Serial.println(" Recommendations:");
Serial.println(" - Input validation on all endpoints");
Serial.println(" - Parameterized queries (prevent SQL injection)");
Serial.println(" - Input sanitization (escape special characters)");
Serial.println(" - Web Application Firewall (WAF) deployment");
Serial.println();
// Check threshold - injection has lower threshold
if (pattern->windowCount >= pattern->threshold) {
Serial.println(" >>> LOCKOUT INITIATED <<<");
Serial.printf(" Duration: %d seconds\n", LOCKOUT_DURATION / 1000);
Serial.println(" Press Button 4 (Reset) to recover manually");
initiateSystemLockout(currentTime);
} else {
escalateThreatLevel(THREAT_CRITICAL);
Serial.printf(" Warning: %d more injection = FULL LOCKOUT\n",
pattern->threshold - pattern->windowCount);
}
Serial.println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
Serial.println();
updateOverallRisk(riskScore);
totalAttacksDetected++;
}
void handleSecurityReset(unsigned long currentTime) {
Serial.println();
Serial.println("========================================");
Serial.println(" SECURITY RESET INITIATED");
Serial.println("========================================");
Serial.println();
// Clear lockout if active
if (systemLocked) {
systemLocked = false;
lockoutEndTime = 0;
Serial.println(" - Lockout cleared");
}
// Reset threat level
currentThreatLevel = THREAT_NORMAL;
Serial.println(" - Threat level reset to NORMAL");
// Reset attack windows (keep cumulative counts)
for (int i = 1; i < ATTACK_TYPE_COUNT; i++) {
attackPatterns[i].windowCount = 0;
attackPatterns[i].windowStart = currentTime;
attackPatterns[i].alertActive = false;
}
Serial.println(" - Attack windows reset");
// Reset overall risk
overallRiskScore = 0.0;
Serial.println(" - Risk score reset to 0.0");
Serial.println();
Serial.println(" System returning to normal operation");
Serial.println(" Attack history preserved in event log");
Serial.println("========================================");
Serial.println();
updateThreatLEDs();
}
// =====================================================================
// THREAT LEVEL MANAGEMENT
// =====================================================================
void escalateThreatLevel(ThreatLevel newLevel) {
if (newLevel > currentThreatLevel && newLevel != THREAT_LOCKOUT) {
ThreatLevel oldLevel = currentThreatLevel;
currentThreatLevel = newLevel;
Serial.printf(" [ESCALATION] Threat level: %s -> %s\n",
getThreatLevelName(oldLevel),
getThreatLevelName(newLevel));
}
}
void decayThreatLevel() {
// Only decay if not in lockout and above normal
if (!systemLocked && currentThreatLevel > THREAT_NORMAL) {
// Check if any active alerts
bool anyActiveAlerts = false;
for (int i = 1; i < ATTACK_TYPE_COUNT; i++) {
if (attackPatterns[i].alertActive && attackPatterns[i].windowCount > 0) {
anyActiveAlerts = true;
break;
}
}
// Only decay if no active alerts
if (!anyActiveAlerts) {
ThreatLevel oldLevel = currentThreatLevel;
currentThreatLevel = (ThreatLevel)(currentThreatLevel - 1);
Serial.printf("[DECAY] Threat level: %s -> %s (no active threats)\n",
getThreatLevelName(oldLevel),
getThreatLevelName(currentThreatLevel));
// Also decay overall risk score
if (overallRiskScore > 0) {
overallRiskScore = max(0.0f, overallRiskScore - 0.5f);
}
}
}
}
const char* getThreatLevelName(ThreatLevel level) {
switch (level) {
case THREAT_NORMAL: return "NORMAL";
case THREAT_LOW: return "LOW";
case THREAT_MEDIUM: return "MEDIUM";
case THREAT_HIGH: return "HIGH";
case THREAT_CRITICAL: return "CRITICAL";
case THREAT_LOCKOUT: return "LOCKOUT";
default: return "UNKNOWN";
}
}
// =====================================================================
// LOCKOUT MANAGEMENT
// =====================================================================
void initiateSystemLockout(unsigned long currentTime) {
systemLocked = true;
lockoutEndTime = currentTime + LOCKOUT_DURATION;
currentThreatLevel = THREAT_LOCKOUT;
// Flash all LEDs rapidly to indicate lockout
for (int i = 0; i < 5; i++) {
digitalWrite(LED_NORMAL, HIGH);
digitalWrite(LED_WARNING, HIGH);
digitalWrite(LED_CRITICAL, HIGH);
digitalWrite(LED_LOCKOUT, HIGH);
delay(100);
digitalWrite(LED_NORMAL, LOW);
digitalWrite(LED_WARNING, LOW);
digitalWrite(LED_CRITICAL, LOW);
digitalWrite(LED_LOCKOUT, LOW);
delay(100);
}
updateThreatLEDs();
}
void handleLockoutState(unsigned long currentTime) {
// Check if lockout expired
if (currentTime >= lockoutEndTime) {
systemLocked = false;
currentThreatLevel = THREAT_HIGH; // Return to high alert, not normal
Serial.println();
Serial.println("========================================");
Serial.println(" LOCKOUT EXPIRED - SYSTEM RECOVERING");
Serial.println("========================================");
Serial.println(" Threat level: HIGH (manual reset for NORMAL)");
Serial.println(" Press Button 4 for full reset");
Serial.println("========================================");
Serial.println();
updateThreatLEDs();
return;
}
// Check reset button during lockout
if (digitalRead(BTN_RESET) == LOW && currentTime - lastDebounce > DEBOUNCE_DELAY) {
lastDebounce = currentTime;
handleSecurityReset(currentTime);
return;
}
// Pulse blue LED during lockout
static unsigned long lastPulse = 0;
static bool pulseState = false;
if (currentTime - lastPulse > 500) {
pulseState = !pulseState;
digitalWrite(LED_LOCKOUT, pulseState ? HIGH : LOW);
lastPulse = currentTime;
// Show countdown every 5 seconds
if ((lockoutEndTime - currentTime) % 5000 < 500) {
Serial.printf("[LOCKOUT] %lu seconds remaining...\n",
(lockoutEndTime - currentTime) / 1000);
}
}
}
// =====================================================================
// ATTACK WINDOW MANAGEMENT
// =====================================================================
void updateAttackWindows(unsigned long currentTime) {
for (int i = 1; i < ATTACK_TYPE_COUNT; i++) {
AttackPattern* pattern = &attackPatterns[i];
// Check if window has expired
if (pattern->windowStart > 0 &&
currentTime - pattern->windowStart > WINDOW_SIZE) {
// Window expired - reset window counter
if (pattern->windowCount > 0) {
Serial.printf("[WINDOW] %s window expired. Resetting count from %d to 0\n",
getAttackTypeName((AttackType)i), pattern->windowCount);
pattern->windowCount = 0;
pattern->alertActive = false;
}
pattern->windowStart = currentTime;
}
// Start window on first attack
if (pattern->windowStart == 0 && pattern->count > 0) {
pattern->windowStart = pattern->firstSeen;
}
}
}
const char* getAttackTypeName(AttackType type) {
switch (type) {
case ATTACK_BRUTE_FORCE: return "Brute Force";
case ATTACK_REPLAY: return "Replay";
case ATTACK_INJECTION: return "Injection";
default: return "Unknown";
}
}
// =====================================================================
// LED CONTROL
// =====================================================================
void updateThreatLEDs() {
// Turn off all LEDs first
digitalWrite(LED_NORMAL, LOW);
digitalWrite(LED_WARNING, LOW);
digitalWrite(LED_CRITICAL, LOW);
digitalWrite(LED_LOCKOUT, LOW);
// Set appropriate LED based on threat level
switch (currentThreatLevel) {
case THREAT_NORMAL:
case THREAT_LOW:
digitalWrite(LED_NORMAL, HIGH);
break;
case THREAT_MEDIUM:
case THREAT_HIGH:
digitalWrite(LED_WARNING, HIGH);
break;
case THREAT_CRITICAL:
digitalWrite(LED_CRITICAL, HIGH);
break;
case THREAT_LOCKOUT:
digitalWrite(LED_LOCKOUT, HIGH);
break;
}
}
// =====================================================================
// EVENT LOGGING
// =====================================================================
void logSecurityEvent(SecurityEvent event) {
eventLog[eventLogIndex] = event;
eventLogIndex = (eventLogIndex + 1) % EVENT_LOG_SIZE;
if (eventLogCount < EVENT_LOG_SIZE) {
eventLogCount++;
}
}
// =====================================================================
// RISK CALCULATION
// =====================================================================
void updateOverallRisk(float newRiskScore) {
// Weighted moving average
if (overallRiskScore == 0) {
overallRiskScore = newRiskScore;
} else {
overallRiskScore = (overallRiskScore * 0.7) + (newRiskScore * 0.3);
}
}
// =====================================================================
// STATUS REPORTING
// =====================================================================
void printStatusReport() {
Serial.println();
Serial.println("================================================================");
Serial.println(" SECURITY STATUS REPORT");
Serial.println("================================================================");
Serial.printf(" Timestamp: %lu ms\n", millis());
Serial.printf(" Current Threat: %s\n", getThreatLevelName(currentThreatLevel));
Serial.printf(" System Locked: %s\n", systemLocked ? "YES" : "NO");
Serial.printf(" Overall Risk Score: %.1f/10\n", overallRiskScore);
Serial.println();
Serial.println(" ATTACK STATISTICS:");
Serial.printf(" Total Detected: %lu\n", totalAttacksDetected);
Serial.printf(" Total Mitigated: %lu\n", totalAttacksMitigated);
Serial.printf(" Mitigation Rate: %.1f%%\n",
totalAttacksDetected > 0
? (totalAttacksMitigated * 100.0 / totalAttacksDetected)
: 0);
Serial.println();
Serial.println(" ATTACK TYPE BREAKDOWN:");
for (int i = 1; i < ATTACK_TYPE_COUNT; i++) {
AttackPattern* p = &attackPatterns[i];
Serial.printf(" %-12s: %3d total, %2d in window, Alert: %s\n",
getAttackTypeName((AttackType)i),
p->count,
p->windowCount,
p->alertActive ? "ACTIVE" : "inactive");
}
Serial.println();
Serial.printf(" Event Log Entries: %d / %d\n", eventLogCount, EVENT_LOG_SIZE);
Serial.println("================================================================");
Serial.println();
}1398.2.6 Lab Exercises
After building the circuit and running the simulation, complete these exercises to deepen your understanding:
TipExercise 1: Understanding Attack Thresholds
Objective: Explore how different threshold settings affect security response.
Tasks: 1. Press Button 1 (Brute Force) slowly - one press every 3 seconds. Observe the threat level. 2. Press Button 1 rapidly - 5+ times within 10 seconds. What happens? 3. Compare with Button 3 (Injection) - why does it trigger lockout faster?
Questions to Answer: - Why might a production system use different thresholds for different attack types? - What is the trade-off between low thresholds (quick response) and high thresholds (fewer false positives)? - How would you determine optimal thresholds for a smart home vs. industrial IoT system?
Expected Observation: Injection attacks have lower thresholds (2 attempts) because they indicate higher attacker sophistication and potential for immediate damage, while brute force requires more attempts (5) because individual failed logins could be legitimate user errors.
TipExercise 2: DREAD Score Analysis
Objective: Understand how DREAD scores change with attack patterns.
Tasks: 1. Trigger a single brute force attack and note the DREAD scores in the Serial Monitor 2. Trigger 5 more brute force attacks and compare how scores change 3. Do the same for replay attacks
Analysis Questions: - Which DREAD factor increases most with repeated attacks? - Why does “Affected Users” increase with attack count? - Calculate: If initial DREAD score is 6.0 and mitigation reduces it by 40%, what is residual risk?
Expected Observation: Reproducibility and Affected Users scores increase with repeated attacks, reflecting that the attacker has found a reliable attack vector that could scale to more targets.
TipExercise 3: Attack Pattern Correlation
Objective: Observe how multiple attack types combine to elevate threat levels.
Tasks: 1. Start fresh (press Reset button) 2. Trigger 2 brute force attacks (below threshold) 3. Trigger 2 replay attacks (below threshold) 4. Observe the overall risk score 5. Now trigger 1 injection attack
Analysis Questions: - Does the system consider multiple low-severity events together? - How would you modify the code to detect coordinated multi-vector attacks? - In real systems, what is “attack chain analysis”?
Expected Observation: Individual attacks below threshold don’t trigger alerts, but the overall risk score accumulates, reflecting that a determined attacker often probes with multiple techniques before finding a successful vector.
TipExercise 4: Lockout Recovery Analysis
Objective: Understand automated vs. manual security recovery.
Tasks: 1. Trigger enough injection attacks to cause lockout 2. Wait for automatic lockout expiration (30 seconds) 3. Note what threat level the system returns to 4. Compare with pressing the Reset button during lockout
Analysis Questions: - Why does automatic recovery return to HIGH threat rather than NORMAL? - What are the security implications of automatic lockout expiration? - How would you implement “progressive lockout” (longer duration for repeat offenders)?
Expected Observation: Automatic recovery maintains elevated threat level because the attack source hasn’t been verified as legitimate - manual review (Reset button) is required for full return to normal operations.
WarningChallenge Exercise: Extend the Threat Detector
Advanced Challenge: Modify the code to add these features:
Time-of-Day Sensitivity: Increase threat scores for attacks occurring outside business hours (hint: use
millis()modulo to simulate hour-of-day)Attack Source Tracking: Add a simulated “IP address” to each attack and detect if multiple attack types come from the same source (coordinated attack)
Adaptive Thresholds: Reduce thresholds after a lockout event (the system becomes more sensitive after being attacked)
STRIDE Coverage Report: Add a function that prints which STRIDE categories have been observed and which remain undetected
Risk Trend Analysis: Track risk score over time and alert if it’s trending upward even without threshold breaches
Hint: These extensions mirror real Security Information and Event Management (SIEM) system capabilities.
1398.2.7 Expected Outcomes
After completing this lab, you should be able to:
| Skill | Demonstration |
|---|---|
| Attack Detection | Explain how pattern matching identifies brute force, replay, and injection attacks |
| STRIDE Classification | Map each attack type to appropriate STRIDE categories |
| DREAD Scoring | Calculate DREAD scores and interpret risk levels |
| Threshold Design | Justify different thresholds for different attack types |
| Automated Response | Describe the lockout mechanism and recovery process |
| Security Logging | Explain the importance of timestamped security events |
| Risk Aggregation | Understand how multiple events combine into overall risk |
1398.2.8 Connection to Real-World Systems
This lab simulates concepts used in production security systems:
| Lab Concept | Production Equivalent |
|---|---|
| Button presses | Network traffic / API calls |
| Attack patterns | Intrusion Detection System (IDS) signatures |
| DREAD scores | Security Information and Event Management (SIEM) risk scoring |
| Threshold alerts | Security Operations Center (SOC) alerting |
| Lockout mechanism | Automated incident response / firewall rules |
| Event log | Security audit trail / forensic evidence |
NoteReal-World Application
The concepts demonstrated here are implemented in production systems like:
- AWS GuardDuty: Detects brute force, injection, and reconnaissance attacks on cloud resources
- Splunk Enterprise Security: SIEM with DREAD-like risk scoring and automated response
- CrowdStrike Falcon: Endpoint detection with pattern-based threat identification
- Azure Sentinel: Cloud-native SIEM with automated playbook responses
Understanding these fundamentals prepares you for implementing and configuring enterprise security monitoring systems.
1398.3 What’s Next
With threat modeling identifying and quantifying security risks, the next chapter explores Introduction to Privacy where you’ll learn privacy fundamentals including personal data definition and regulatory requirements, understand location privacy threats and de-anonymization attacks, examine privacy-by-design principles and frameworks, analyze differential privacy mechanisms for data protection, and implement privacy-preserving techniques for IoT deployments.
Continue to Introduction to Privacy →
1398.4 Summary
Systematic threat modelling enables proactive security:
Process: - 5-step methodology: Architecture, Entry Points, Data Flow, Trust Boundaries, Attack Scenarios - Iterative refinement based on findings - Documentation of vulnerabilities and mitigations
Taxonomies: - STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege - Open Threat: Physical, Resource, Personnel, Technical - ENISA: IoT-specific asset and threat classifications
Attack Scenarios: - 10 critical IoT attack vectors - Real-world examples (Mirai botnet) - Step-by-step attack chains
Mitigations: - Change default credentials - Encrypt communications - Code signing for firmware - Network segmentation - Continuous monitoring - Incident response planning
Key Takeaway: Proactive threat modelling identifies vulnerabilities before attackers do, enabling cost-effective mitigation and significantly reducing risk exposure.
1398.5 Further Reading
- Microsoft STRIDE Threat Modeling
- ENISA IoT Security Guidelines
- NIST SP 800-30: Risk Assessment Guide
- OWASP IoT Top 10
- Mirai Botnet Technical Analysis