1. Sicari, S., Rizzardi, A., Grieco, L. A., & Coen-Porisini, A. (2015). Security, privacy and trust in Internet of Things: The road ahead. Computer Networks, 76, 146-164. In Section 3.2, "Privacy," the paper discusses how data mining techniques can lead to inference and aggregation attacks in IoT, where "sensitive data about users can be inferred by aggregating information collected from different sources," directly addressing confidentiality breaches. (DOI: https://doi.org/10.1016/j.comnet.2014.11.008)
2. National Institute of Standards and Technology (NIST). (2020). NISTIR 8259A: IoT Device Cybersecurity Capability Core Baseline. Section 2, "How to Use This Document," defines the security objective of Confidentiality as "Preserving authorized restrictions on information access and disclosure." Aggregation and Inference are methods that bypass these restrictions.
3. Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in Computing (5th ed.). Prentice Hall. Chapter 1, "Introduction," defines the core security goals. It classifies Denial of Service (DoS) as an attack on availability (p. 8) and unauthorized data modification, such as Data Diddling, as an attack on integrity (p. 7).
4. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), 1278-1308. This foundational paper defines Confidentiality (controlling who gets to read information), Integrity (controlling unauthorized modification of information), and Availability (ensuring access for authorized parties). DoS and Data Diddling are classic violations of Availability and Integrity, respectively. (DOI: 10.1109/PROC.1975.9939)