5 research outputs found

    A DDoS attack mitigation framework for IoT networks using fog computing

    The advent of 5G, which strives to connect more devices with high speed and low latencies, has aided the growth of IoT networks. Despite the benefits of IoT, its applications in several facets of our lives such as smart health, smart homes, smart cities, etc. have raised several security concerns such as Distributed Denial of Service (DDoS) attacks. In this paper, we propose a DDoS mitigation framework for IoT using fog computing to ensure fast and accurate attack detection. The fog provides resources for effective deployment of the mitigation framework; this solves the deficits in resources of the resource-constrained IoT devices. The mitigation framework uses an anomaly-based intrusion detection method and a database. The database stores signatures of previously detected attacks while the anomaly-based detection scheme utilizes the k-NN classification algorithm for detecting the DDoS attacks. By using a database containing the attack signatures, attacks can be detected faster when the same type of attack is executed again. The evaluations using a DDoS based dataset show that the k-NN classification algorithm proposed for our framework achieves a satisfactory accuracy in detecting DDoS attacks.

    Applying distance metrics for anomaly detection of energy-based attacks in IoT sensors / Aplicação de métricas de distancias para detecção por anomalia de ataques baseados em energia em sensores IoT

    Internet of Things (IoT) has gained significant mindshare in academia and industry over the years. It is usually composed of tiny devices/sensors with low processing, memory, and energy available. As an emerging technology, many open challenges about the security of those devices are described in the literature. In this context, some attacks aim to drain the energy of IoT sensors. They are called energy-based attacks or energy exhausting attacks. Detecting such attacks with minimal resources has become a challenge. Several intrusion detection proposals require exchanging information among sensors and the base station, demanding data transmission and increasing the energy consumption of sensors. Aware of this problem, we propose a lightweight statistical model of anomaly detection that uses energy consumption analysis for the intrusion detection task. Our main contribution is an energy-efficient detection algorithm that is deployed directly at sensors. It applies statistical distance metrics to discriminate between normal and anomalous energy consumption and does not require data transmission in the network. In this work, we compare three distance metrics to evaluate the best of them for the discrimination phase: Sibson, Euclidean, and Hellinger. Thus, we simulate the detection algorithm and assess the results applying the F-measure approach on detection data. The results show an efficient intrusion detection model, with high F-score values and low energy expenditure on the detection task.

    Employing a Machine Learning Approach to Detect Combined Internet of Things Attacks Against Two Objective Functions Using a Novel Dataset

    One of the important features of Routing Protocol for Low-Power and Lossy Networks (RPL) is Objective Function (OF). OF influences an IoT network in terms of routing strategies and network topology. On the other hand, detecting a combination of attacks against OFs is a cutting-edge technology that will become a necessity as next generation low-power wireless networks continue to be exploited as they grow rapidly. However, current literature lacks study on vulnerability analysis of OFs particularly in terms of combined attacks. Furthermore, machine learning is a promising solution for the global networks of IoT devices in terms of analysing their ever-growing generated data and predicting cyber-attacks against such devices. Therefore, in this paper, we study the vulnerability analysis of two popular OFs of RPL to detect combined attacks against them using machine-learning algorithms through different simulated scenarios. For this, we created a novel IoT dataset based on power and network metrics, which is deployed as part of an RPL IDS/IPS solution to enhance information security. Addressing the captured results, our machine learning approach is successful in detecting combined attacks against two popular OFs of RPL based on the power and network metrics in which MLP and RF algorithms are the most successful classifier deployment for single and ensemble models

    Cybersecurity in Internet of Things

    An Internet of Things (IoT) system has a wide range of applications and usage environments, that is, from a home network to an industrial network, or from a network with a few IoT devices to a network with thousands of IoT devices. The devices present in IoT systems can have diverse characteristics, for example, different versions of installed operating systems and different capabilities and available resources. In short, an IoT system can exhibit a high level of heterogeneity. To facilitate and standardize the operation of IoT systems, there are several types of standards and protocols that can be used, such as Message Queuing Telemetry Transport (MQTT), which is not specific to IoT systems but is widely used because of its simplicity, and its secure variant, Message Queuing Telemetry Transport over TLS (MQTTS). The use of MQTT and MQTTS facilitates standardization and communication among the various IoT devices. These IoT systems are composed of multiple IoT devices. These devices are characterized by limited hardware resources, namely in terms of Random-Access Memory (RAM) or Read-Only Memory (ROM) capacity, processing, and disk storage. These devices are frequently exposed to outdoor environments and are therefore more vulnerable to attacks on their integrity and availability, as well as on the information they collect and transmit. Traffic monitoring and anomaly detection can contribute strongly to mitigating these threats, and can be carried out through Intrusion Detection System (IDS) solutions. These solutions are characterized by a low impact on the performance of IoT systems and therefore represent an attractive option for integration into this type of system.
However, it is essential that IDS systems have in their internal database the specifications, rules, and behaviours needed to analyse the traffic flowing through an IoT system. This work falls within that scope, namely the analysis, characterization, and evaluation of the specifications of the traffic generated by MQTT and MQTTS applications; the most relevant Information Elements (IE) to consider were determined, and a test scenario capable of capturing those IE was created. Subsequently, those IE were analysed in order to characterize MQTT traffic and MQTTS traffic in general terms.

    Detection of Anomalous Behavior of IoT/CPS Devices Using Their Power Signals

    Embedded computing devices, in the Internet of Things (IoT) or Cyber-Physical Systems (CPS), are becoming pervasive in many domains around the world. Their wide deployment in simple applications (e.g., smart buildings, fleet management, and smart agriculture) or in more critical operations (e.g., industrial control, smart power grids, and self-driving cars) creates significant market potential ($ 4-11 trillion in annual revenue is expected by 2025). A main requirement for the success of such systems and applications is the capacity to ensure the performance of these devices. This task includes equipping them to be resilient against security threats and failures. Globally, several critical infrastructure applications have been the target of cyber attacks. These recent incidents, as well as the rich applicable literature, confirm that more research is needed to overcome such challenges. Consequently, the need for robust approaches that detect anomalous behaving devices in security and safety-critical applications has become paramount. Solving such a problem minimizes different kinds of losses (e.g., confidential data theft, financial loss, service access restriction, or even casualties). In light of the aforementioned motivation and discussion, this thesis focuses on the problem of detecting the anomalous behavior of IoT/CPS devices by considering their side-channel information. Solving such a problem is extremely important in maintaining the security and dependability of critical systems and applications. Although several side-channel based approaches are found in the literature, there are still important research gaps that need to be addressed. First, the intrusive nature of the monitoring in some of the proposed techniques results in resources overhead and requires instrumentation of the internal components of a device, which makes them impractical. It also raises a data integrity flag. 
Second, the lack of realistic experimental power consumption datasets that reflect the normal and anomalous behaviors of IoT and CPS devices has prevented fair and coherent comparisons with the state of the art in this domain. Finally, most of the research to date has concentrated on the accuracy of detection and not the novelty of detecting new anomalies. Such a direction relies on: (i) the availability of labeled datasets; (ii) the complexity of the extracted features; and (iii) the available compute resources. These assumptions and requirements are usually unrealistic and unrepresentative. This research aims to bridge these gaps as follows. First, this study extends the state of the art that adopts the idea of leveraging the power consumption of devices as a signal and the concept of decoupling the monitoring system and the devices to be monitored to detect and classify the "operational health" of the devices. Second, this thesis provides and builds power consumption-based datasets that can be utilized by AI as well as security research communities to validate newly developed detection techniques. The collected datasets cover a wide range of anomalous device behavior due to the main aspects of device security (i.e., confidentiality, integrity, and availability) and partial system failures. The extensive experiments include: a wide spectrum of various emulated malware scenarios; five real malware applications taken from the well-known Drebin dataset; distributed denial of service attack (DDOS) where an IoT device is treated as: (1) a victim of a DDOS attack, and (2) the source of a DDOS attack; cryptomining malware where the resources of an IoT device are being hijacked to be used to advantage of the attacker’s wish and desire; and faulty CPU cores. This level of extensive validation has not yet been reported in any study in the literature. 
Third, this research presents a novel supervised technique to detect anomalous device behavior based on transforming the problem into an image classification problem. The main aim of this methodology is to improve the detection performance. In order to achieve the goals of this study, the methodology combines two powerful computer vision tools, namely Histograms of Oriented Gradients (HOG) and a Convolutional Neural Network (CNN). Such a detection technique is not only useful in this present case but can contribute to most time-series classification (TSC) problems. Finally, this thesis proposes a novel unsupervised detection technique that requires only the normal behavior of a device in the training phase. Therefore, this methodology aims at detecting new/unseen anomalous behavior. The methodology leverages the power consumption of a device and Restricted Boltzmann Machine (RBM) AutoEncoders (AE) to build a model that makes them more robust to the presence of security threats. The methodology makes use of stacked RBM AE and Principal Component Analysis (PCA) to extract feature vector based on AE's reconstruction errors. A One-Class Support Vector Machine (OC-SVM) classifier is then trained to perform the detection task. Across 18 different datasets, both of our proposed detection techniques demonstrated high detection performance with at least ~ 88% accuracy and 85% F-Score on average. The empirical results indicate the effectiveness of the proposed techniques and demonstrated improved detection performance gain of 9% - 17% over results reported in other methods