
    Integrating complex event processing and machine learning: An intelligent architecture for detecting IoT security attacks

    The Internet of Things (IoT) is growing globally at a fast pace: people now find themselves surrounded by a variety of IoT devices such as smartphones and wearables in their everyday lives. Additionally, smart environments, such as smart healthcare systems, smart industries and smart cities, benefit from sensors and actuators interconnected through the IoT. However, the increase in IoT devices has brought with it the challenge of promptly detecting and combating the cybersecurity attacks and threats that target them, including malware, privacy breaches and denial-of-service attacks, among others. To tackle this challenge, this paper proposes an intelligent architecture that integrates Complex Event Processing (CEP) technology and the Machine Learning (ML) paradigm in order to detect different types of IoT security attacks in real time. In particular, the architecture can easily manage event patterns whose conditions depend on values obtained by ML algorithms. Additionally, a model-driven graphical tool for security attack pattern definition and automatic code generation is provided, hiding from domain experts all the complexity derived from implementation details. The proposed architecture has been applied to a healthcare IoT network to validate its ability to detect attacks made by malicious devices. The results obtained demonstrate that the architecture satisfactorily fulfils its objectives. This work was supported by the Spanish Ministry of Science, Innovation and Universities and the European Union FEDER Funds [grant numbers FPU 17/02007, RTI2018-093608-B-C33, RTI2018-098156-B-C52 and RED2018-102654-T]. This work was also supported by the JCCM [grant number SB-PLY/17/180501/000353].
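The abstract's central idea is an event pattern whose firing condition is a parameter learned by an ML stage rather than a hand-written constant. The following is an added example, not code from the paper or its graphical tool: a simple Gaussian baseline (mean plus k standard deviations) is learned from a clean training window and then used as the threshold of a sliding-window CEP pattern. The event fields, the "HeartRate" event type, the sensor names and the sample values are constructed for illustration.

```python
"""Added example (not from the paper): a CEP-style pattern whose condition
is parameterised by a value learned from data. The baseline model, event
schema and sample stream are assumptions for illustration."""
from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since start of observation
    device: str     # reporting IoT device
    kind: str       # event type, e.g. "HeartRate"
    value: float


def learn_threshold(training_values, k=3.0):
    """ML stage (assumed model): Gaussian baseline on a clean training set.
    Returns the upper bound mean + k*sigma used as the pattern's condition."""
    return mean(training_values) + k * pstdev(training_values)


class WindowPattern:
    """CEP stage: fire when at least `min_hits` events of `kind` from the
    same device exceed `threshold` within a sliding window of `window` s."""

    def __init__(self, kind, threshold, window=10.0, min_hits=3):
        self.kind, self.threshold = kind, threshold
        self.window, self.min_hits = window, min_hits
        self._hits = {}  # device -> deque of timestamps above threshold

    def feed(self, ev):
        if ev.kind != self.kind or ev.value <= self.threshold:
            return None
        q = self._hits.setdefault(ev.device, deque())
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.min_hits:
            q.clear()                              # report once per burst
            return {"device": ev.device, "kind": self.kind,
                    "ts": ev.ts, "threshold": self.threshold}
        return None


def detect(events, pattern):
    """Replay a stream in timestamp order and collect the alerts produced."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = pattern.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed data: a clean training window, a benign device (sensor-A) and a
# device that starts reporting implausible values at t=12 (sensor-B).
TRAINING = [60, 62, 61, 59, 63, 60, 58, 62, 61, 60]
STREAM = (
    [Event(t, "sensor-A", "HeartRate", 60 + (t % 3)) for t in range(0, 30)]
    + [Event(t, "sensor-B", "HeartRate", 61.0) for t in range(0, 12)]
    + [Event(t, "sensor-B", "HeartRate", 250.0) for t in range(12, 16)]
)

THRESHOLD = learn_threshold(TRAINING)   # about 64.9 for the training set above


def run():
    return detect(STREAM, WindowPattern("HeartRate", THRESHOLD))


if __name__ == "__main__":
    print("learned threshold:", round(THRESHOLD, 2))
    for a in run():
        print("ALERT", a)
```

The point of the split is that the pattern code never contains the number 64.9; retraining `learn_threshold` on new data changes the detector without touching the event pattern, which is what lets a model-driven tool generate the pattern once and keep it parameterised.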

    Modélisation formelle des systèmes de détection d'intrusions

    The cybersecurity ecosystem continuously evolves in the number, diversity, and complexity of attacks, and as a result detection tools become ineffective against some of them. Three types of Intrusion Detection System (IDS) are generally distinguished: anomaly-based detection, signature-based detection, and hybrid detection. Anomaly-based detection characterizes the usual behavior of the system, typically statistically. It can detect known or unknown attacks, but it also generates a very large number of false positives. Signature-based detection detects known attacks by defining rules that describe known attacker behavior; this requires good knowledge of that behavior. Hybrid detection relies on several detection methods, including the previous ones, and has the advantage of being more precise. Tools such as Snort and Zeek offer low-level languages for expressing attack-recognition rules. Since the number of potential attacks is very large, these rule bases quickly become hard to manage and maintain. Moreover, expressing stateful rules that recognize a sequence of events is particularly arduous. In this thesis, we propose a stateful approach based on algebraic state-transition diagrams (ASTDs) to identify complex attacks. ASTDs allow a graphical and modular representation of a specification, which facilitates the maintenance and understanding of rules. We extend the ASTD notation with new features to represent complex attacks. Next, we specify several attacks with the extended notation and run the resulting specifications on event streams using an interpreter to identify attacks. We also evaluate the performance of the interpreter against industrial tools such as Snort and Zeek. Then, we build a compiler that generates executable code from an ASTD specification, able to efficiently identify sequences of events.
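The abstract contrasts stateless signatures with stateful rules that recognize a sequence of events. The following is an added example, not the thesis's ASTD notation, interpreter or compiler: a minimal sequence automaton that keeps one instance per correlation key, advances through ordered guarded steps (a step may require several matching events), ignores non-matching events, and forgets a partial match once it outlives a timeout. The event schema and the sample pattern (repeated authentication failures followed by a success from the same source) are constructed; they stand in for whatever multi-step attack a real specification would describe.

```python
"""Added example (not from the thesis): a stateful sequence matcher with
per-key instances and a timeout. Event fields and the sample pattern are
assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ev:
    ts: float
    src: str          # correlation key, e.g. the client address
    kind: str
    ok: bool = True


@dataclass
class Step:
    name: str
    guard: Callable[[Ev], bool]   # predicate an event must satisfy
    min_count: int = 1            # matching events needed to complete the step


@dataclass
class SequenceAutomaton:
    steps: List[Step]
    timeout: float
    # per key: (index of current step, matches seen in this step, ts of first match)
    _state: Dict[str, Tuple[int, int, Optional[float]]] = field(default_factory=dict)

    def feed(self, ev: Ev) -> Optional[dict]:
        idx, count, start = self._state.get(ev.src, (0, 0, None))
        if start is not None and ev.ts - start > self.timeout:
            idx, count, start = 0, 0, None         # expired partial match is dropped
        if not self.steps[idx].guard(ev):           # non-matching events are skipped
            self._state[ev.src] = (idx, count, start)
            return None
        start = ev.ts if start is None else start
        count += 1
        if count < self.steps[idx].min_count:
            self._state[ev.src] = (idx, count, start)
            return None
        idx += 1
        if idx == len(self.steps):                  # final state reached: report once
            self._state.pop(ev.src, None)
            return {"src": ev.src, "start": start, "end": ev.ts,
                    "steps": [s.name for s in self.steps]}
        self._state[ev.src] = (idx, 0, start)
        return None


def is_auth_failure(e: Ev) -> bool:
    return e.kind == "auth" and not e.ok


def is_auth_success(e: Ev) -> bool:
    return e.kind == "auth" and e.ok


# Constructed pattern: three failures, then a success, from one source.
BRUTE_FORCE_THEN_SUCCESS = [Step("failures", is_auth_failure, min_count=3),
                            Step("success", is_auth_success)]

# Constructed stream: 10.0.0.5 matches; 10.0.0.9 is a single mistyped password;
# 10.0.0.7's success arrives only after the timeout, so it must not match.
STREAM = [
    Ev(0, "10.0.0.5", "auth", ok=False), Ev(1, "10.0.0.5", "auth", ok=False),
    Ev(2, "10.0.0.5", "auth", ok=False), Ev(3, "10.0.0.5", "auth", ok=True),
    Ev(0, "10.0.0.9", "auth", ok=False), Ev(1, "10.0.0.9", "auth", ok=True),
    Ev(0, "10.0.0.7", "auth", ok=False), Ev(1, "10.0.0.7", "auth", ok=False),
    Ev(2, "10.0.0.7", "auth", ok=False), Ev(100, "10.0.0.7", "auth", ok=True),
]


def run_stateful(events=STREAM, timeout=60.0):
    """Replay the stream in time order; return one alert per completed sequence."""
    automaton = SequenceAutomaton(BRUTE_FORCE_THEN_SUCCESS, timeout)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        hit = automaton.feed(ev)
        if hit:
            alerts.append(hit)
    return alerts


def run_stateless(events=STREAM):
    """A stateless signature on 'authentication failure' fires on every failure,
    with no notion of how many came from one source or what followed them."""
    return sum(1 for e in events if is_auth_failure(e))


if __name__ == "__main__":
    print("stateless failure signature fired", run_stateless(), "times")
    for a in run_stateful():
        print("stateful sequence matched:", a)
```

With the 60-second timeout the automaton reports exactly one sequence (10.0.0.5), while the stateless rule fires seven times and says nothing about which source completed the sequence; raising the timeout to 200 s makes 10.0.0.7 match as well, which is the knob a specification author tunes when the attack's steps may be spread out in time.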

    Machine Learning und Complex Event Processing: Effiziente Echtzeitauswertung am Beispiel Smart Factory

    By connecting physical machine components with digital services, cyber-physical systems in smart factories enable many data-driven optimizations. An important component of these so-called smart factories can be Complex Event Processing (CEP) technology. CEP allows real-time evaluation of complex events, in the sense of combined data values from different sources. Among other things, this makes it possible to identify and localize anomalous process flows. A current limitation of its effectiveness is the mainly declarative and reactive way in which CEP is implemented. Extending it with approaches from Machine Learning (ML) is therefore promising. However, there is no current overview of the combinations of CEP and ML within research, or of their transferability to smart factories. Our contribution provides (1) a synthesis of the CEP-ML combinations researched to date, in which supervised learning emerges as the predominant combination approach, and (2) a transfer of their potential to use in smart factories. Here, reactive measures emerged as the focus of research so far.

    Secure Communication in Disaster Scenarios

    During natural disasters or terrorist attacks, the existing communication infrastructure is often overloaded or fails completely. In these situations, mobile devices can be connected with one another using wireless ad-hoc and disruption-tolerant networking to set up an emergency communication system for civilians and rescue services. If available, a connection to cloud services on the Internet can be a valuable aid in crisis and disaster management. However, such communication systems carry serious security risks, since attackers could try to steal confidential data, inject forged notifications from emergency services, or carry out denial-of-service (DoS) attacks. This dissertation proposes new approaches to communication in emergency networks of mobile devices, ranging from communication between mobile devices to cloud services on servers on the Internet. Using these approaches improves the security of device-to-device communication, the security of emergency apps on mobile devices, and the security of server systems for cloud services.

    Intrusion detection in IPv6-enabled sensor networks.

    In this research, we study efficient and lightweight Intrusion Detection Systems (IDS) for ad-hoc networks through the lens of IPv6-enabled Wireless Sensor Actuator Networks. These networks consist of highly constrained devices able to communicate wirelessly in an ad-hoc fashion, thus following the architecture of ad-hoc networks. Current state-of-the-art IDS for IoT and WSNs have been developed with the architecture of conventional computer networks in mind, and as such they do not efficiently address the ad-hoc network paradigm, which is highly relevant in emerging network paradigms such as the Internet of Things (IoT). In this context, the network properties of resilience and redundancy have not been extensively studied. In this thesis, we first identify a trade-off between the communication and energy overheads of an IDS (as captured by the number of active IDS agents in the network) and the performance of the system in terms of successfully identifying attacks. In order to fine-tune this trade-off, we model networks as Random Geometric Graphs, a rigorous approach that allows us to capture underlying structural properties of the network. We then introduce a novel IDS architecture consisting of a central IDS agent and a set of distributed IDS agents deployed uniformly at random over the network area. These nodes efficiently detect attacks at the networking layer in a collaborative manner by monitoring locally available network information provided by IoT routing protocols such as RPL. The detailed experimental evaluation conducted in this research demonstrates significant performance gains in terms of communication overhead and energy dissipation while maintaining high detection rates. We also show that the performance of our IDS in ad-hoc networks does not depend on the size of the network but on fundamental underlying network properties, such as the network topology and the average degree of the nodes. The experiments show that our proposed IDS architecture is resilient against frequent topology changes due to node failures.
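Two claims in the abstract lend themselves to a small model: the trade-off between the number of randomly placed IDS agents and how much of the network they can observe, and the dependence of that coverage on average degree rather than on network size. The following is an added example, not the thesis's IDS, simulator or detection logic: it builds a random geometric graph in the unit square, places k agents uniformly at random, and measures the fraction of nodes that are an agent or adjacent to one. That one-hop coverage metric, the radius/degree relation used to hold average degree constant, and all parameters are assumptions for illustration.

```python
"""Added example (not from the thesis): random geometric graph model of a
sensor network with k IDS agents placed uniformly at random. The coverage
metric and parameters are assumptions for illustration."""
import math
import random
from itertools import combinations


def random_geometric_graph(n, radius, rng):
    """Nodes uniform in the unit square; edge iff Euclidean distance <= radius."""
    pts = [(rng.random(), rng.random()) for _ in range(n)]
    adj = {i: set() for i in range(n)}
    for i, j in combinations(range(n), 2):
        if math.dist(pts[i], pts[j]) <= radius:
            adj[i].add(j)
            adj[j].add(i)
    return adj


def average_degree(adj):
    return sum(len(nbrs) for nbrs in adj.values()) / len(adj)


def radius_for_degree(n, target_degree):
    """Ignoring boundary effects, E[degree] is about n * pi * r^2 in the unit
    square, so this radius keeps the average degree near target_degree as n varies."""
    return math.sqrt(target_degree / (n * math.pi))


def monitored_fraction(adj, agents):
    """Share of nodes whose traffic some agent can observe: the agents
    themselves plus their one-hop neighbours (assumed coverage model)."""
    covered = set(agents)
    for a in agents:
        covered |= adj[a]
    return len(covered) / len(adj)


def coverage_curve(n, radius, agent_counts, seed=7, trials=20):
    """Mean coverage for each agent count k, averaged over random graphs and
    random placements. Per node the expected coverage is 1 - (1-p) * E[(1-p)^deg]
    with p = k/n, so coverage rises steeply with k and then saturates: the
    overhead/detection trade-off the abstract describes."""
    rng = random.Random(seed)
    result = {}
    for k in agent_counts:
        total = 0.0
        for _ in range(trials):
            adj = random_geometric_graph(n, radius, rng)
            agents = rng.sample(range(n), k)
            total += monitored_fraction(adj, agents)
        result[k] = total / trials
    return result


def size_independence(target_degree=6, agent_fraction=0.1, sizes=(100, 400),
                      seed=11, trials=20):
    """Hold average degree and agent fraction fixed while n grows; coverage
    stays roughly constant, i.e. it depends on topology, not on network size."""
    out = {}
    for n in sizes:
        k = round(agent_fraction * n)
        r = radius_for_degree(n, target_degree)
        out[n] = coverage_curve(n, r, [k], seed, trials)[k]
    return out


if __name__ == "__main__":
    r = radius_for_degree(100, 6)
    print("coverage vs agents (n=100, deg~6):", coverage_curve(100, r, [5, 10, 20, 40]))
    print("coverage vs size (deg~6, 10% agents):", size_independence())
```

Boundary effects make the realised average degree a little below the target (nodes near the edge of the square see fewer neighbours), so the two network sizes are not identical, but the gap is small next to the jump produced by doubling the agent count; that is the shape of the trade-off a deployment would tune.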

    Security techniques for sensor systems and the Internet of Things

    Sensor systems are becoming pervasive in many domains, and are recently being generalized by the Internet of Things (IoT). This wide deployment, however, presents significant security issues. We develop security techniques for sensor systems and IoT, addressing all security management phases. Prior to deployment, the nodes need to be hardened. We develop nesCheck, a novel approach that combines static analysis and dynamic checking to efficiently enforce memory safety on TinyOS applications. As security guarantees come at a cost, determining which resources to protect becomes important. Our solution, OptAll, leverages game-theoretic techniques to determine the optimal allocation of security resources in IoT networks, taking into account fixed and variable costs, criticality of different portions of the network, and risk metrics related to a specified security goal. Monitoring IoT devices and sensors during operation is necessary to detect incidents. We design Kalis, a knowledge-driven intrusion detection technique for IoT that does not target a single protocol or application, and adapts the detection strategy to the network features. As the scale of IoT makes the devices good targets for botnets, we design Heimdall, a whitelist-based anomaly detection technique for detecting and protecting against IoT-based denial of service attacks. Once our monitoring tools detect an attack, determining its actual cause is crucial to an effective reaction. We design a fine-grained analysis tool for sensor networks that leverages resident packet parameters to determine whether a packet loss attack is node- or link-related and, in the second case, locate the attack source. Moreover, we design a statistical model for determining optimal system thresholds by exploiting packet parameters variances. 
With our techniques' diagnosis information, we develop Kinesis, a security incident response system for sensor networks designed to recover from attacks without significant interruption, dynamically selecting response actions while being lightweight in communication and energy overhead.

    Energy-efficient Transitional Near-* Computing

    Studies have shown that communication networks, devices accessing the Internet, and data centers account for 4.6% of worldwide electricity consumption. Although data centers, core network equipment, and mobile devices are getting more energy-efficient, the amount of data being processed, transferred, and stored is increasing vastly. Recent computing paradigms, such as fog and edge computing, try to improve this situation by processing data near the user, the network, the devices, and the data itself. In this thesis, these trends are summarized under the new term near-* or near-everything computing. Furthermore, a novel paradigm designed to increase the energy efficiency of near-* computing is proposed: transitional computing. It transfers multi-mechanism transitions, a recently developed paradigm for a highly adaptable future Internet, from the field of communication systems to computing systems. Moreover, three types of novel transitions are introduced to achieve gains in energy efficiency in near-* environments, spanning private Infrastructure-as-a-Service (IaaS) clouds, Software-defined Wireless Networks (SDWNs) at the edge of the network, and Disruption-Tolerant Information-Centric Networks (DTN-ICNs) involving mobile devices, sensors, edge devices, and programmable components on a mobile System-on-a-Chip (SoC). Finally, the novel idea of transitional near-* computing for emergency response applications is presented, to assist rescuers and affected persons during an emergency event or disaster even though connections to cloud services and social networks might be disrupted by network outages, and network bandwidth and battery power of mobile devices might be limited.

    Privacy-Aware and Reliable Complex Event Processing in the Internet of Things - Trust-Based and Flexible Execution of Event Processing Operators in Dynamic Distributed Environments

    The Internet of Things (IoT) promises to be an enhanced platform for supporting a heterogeneous range of context-aware applications in the fields of traffic monitoring, healthcare, and home automation, to name a few. The essence of the IoT is in the inter-networking of distributed information sources and the analysis of their data to understand the interactions between the physical objects, their users, and their environment. Complex Event Processing (CEP) is a cogent paradigm to infer higher-level information from atomic event streams (e.g., sensor data in the IoT). Using functional computing modules called operators (e.g., filters, aggregates, sequencers), CEP provides for an efficient and low-latency processing environment. Privacy and mobility support for context processing is gaining immense importance in the age of the IoT. However, new mobile communication paradigms - like Device-to-Device (D2D) communication - that are inherent to the IoT, must be enhanced to support a privacy-aware and reliable execution of CEP operators on mobile devices. It is crucial to preserve the differing privacy constraints of mobile users, while allowing for flexible and collaborative processing. Distributed mobile environments are also susceptible to adversary attacks, given the lack of sufficient control over the processing environment. Lastly, ensuring reliable and accurate CEP becomes a serious challenge due to the resource-constrained and dynamic nature of the IoT. In this thesis, we design and implement a privacy-aware and reliable CEP system that supports distributed processing of context data, by flexibly adapting to the dynamic conditions of a D2D environment. To this end, the main contributions, which form the key components of the proposed system, are three-fold: 1) We develop a method to analyze the communication characteristics of the users and derive the type and strength of their relationships. 
By doing so, we utilize the behavioral aspects of user relationships to automatically derive differing privacy constraints of the individual users. 2) We employ the derived privacy constraints as trust relations between users to execute CEP operators on mobile devices in a privacy-aware manner. In turn, we develop a trust management model called TrustCEP that incorporates a robust trust recommendation scheme to prevent adversary attacks and allow for trust evolution. 3) Finally, to account for reliability, we propose FlexCEP, a fine-grained flexible approach for CEP operator migration, such that the CEP system adapts to the dynamic nature of the environment. By extracting intermediate operator state and by leveraging device mobility and instantaneous characteristics, FlexCEP provides a flexible CEP execution model under varying network conditions. Overall, with the help of thorough evaluations of the above three contributions, we show how the proposed distributed CEP system can satisfy the requirements established above for a privacy-aware and reliable IoT environment

    Mobility-awareness in complex event processing systems

    The proliferation and vast deployment of mobile devices and sensors over the last couple of years enables a huge number of Mobile Situation Awareness (MSA) applications. These applications need to react in near real time to situations in the environment of mobile objects like vehicles, pedestrians, or cargo. To this end, Complex Event Processing (CEP) is becoming increasingly important, as it allows situations to be detected scalably "on the fly" by continuously processing distributed sensor data streams. Furthermore, recent trends in communication networks promise high real-time conformance for CEP systems by processing sensor data streams on distributed computing resources at the edge of the network, where low network latencies can be achieved. Yet, supporting MSA applications with a CEP middleware that utilizes distributed computing resources proves challenging due to the dynamics of mobile devices and sensors. In particular, situations need to be detected efficiently, scalably, and consistently with respect to the ever-changing set of sensors in the environment of a mobile object. Moreover, the computing resources that provide low latencies change as mobile devices and sensors move between access points. The goal of this thesis is to provide concepts and algorithms to i) continuously detect situations that recently occurred close to a mobile object, ii) support bandwidth- and computation-efficient detection of such situations on distributed computing resources, and iii) support consistent, low-latency, high-quality detection of such situations. To this end, we introduce the distributed Mobile CEP (MCEP) system, which automatically adapts the processing of sensor data streams according to a mobile object's location. MCEP provides an expressive, location-aware query model for situations that recently occurred at a location close to a mobile object. 
MCEP significantly reduces latency, bandwidth, and processing overhead by providing on-demand and opportunistic adaptation algorithms to dynamically assign event streams to queries of the MCEP system. Moreover, MCEP incorporates algorithms to adapt the deployment of MCEP queries in a network of computing resources. This way, MCEP supports latency-sensitive, large-scale deployments of MSA applications and ensures a low network utilization while mobile objects change their access points to the system. MCEP also provides methods to increase the scalability in terms of deployed MCEP queries by reusing event streams and computations for detecting common situations for several mobile objects