874 research outputs found
Can Evil IoT Twins Be Identified? Now Yes, a Hardware Behavioral Fingerprinting Methodology
The connectivity and resource-constrained nature of IoT, and in particular
single-board devices, opens up to cybersecurity concerns affecting the
Industrial Internet of Things (IIoT). One of the most important is the presence
of evil IoT twins. Evil IoT twins are malicious devices, with identical
hardware and software configurations to authorized ones, that can provoke
sensitive information leakages, data poisoning, or privilege escalation in
industrial scenarios. Combining behavioral fingerprinting and Machine/Deep
Learning (ML/DL) techniques is a promising solution to identify evil IoT twins
by detecting minor performance differences generated by imperfections in
manufacturing. However, existing solutions are not suitable for single-board
devices because they do not consider their hardware and software limitations,
underestimate critical aspects during the identification performance
evaluation, and do not explore the potential of ML/DL techniques. Moreover,
there is a dramatic lack of work explaining essential aspects to considering
during the identification of identical devices. This work proposes an
ML/DL-oriented methodology that uses behavioral fingerprinting to identify
identical single-board devices. The methodology leverages the different
built-in components of the system, comparing their internal behavior with each
other to detect variations that occurred in manufacturing processes. The
validation has been performed in a real environment composed of identical
Raspberry Pi 4 Model B devices, achieving the identification for all devices by
setting a 50% threshold in the evaluation process. Finally, a discussion
compares the proposed solution with related work and provides important lessons
learned and limitations
IoT Sentinel: Automated Device-Type Identification for Security Enforcement in IoT
With the rapid growth of the Internet-of-Things (IoT), concerns about the
security of IoT devices have become prominent. Several vendors are producing
IP-connected devices for home and small office networks that often suffer from
flawed security designs and implementations. They also tend to lack mechanisms
for firmware updates or patches that can help eliminate security
vulnerabilities. Securing networks where the presence of such vulnerable
devices is given, requires a brownfield approach: applying necessary protection
measures within the network so that potentially vulnerable devices can coexist
without endangering the security of other devices in the same network. In this
paper, we present IOT SENTINEL, a system capable of automatically identifying
the types of devices being connected to an IoT network and enabling enforcement
of rules for constraining the communications of vulnerable devices so as to
minimize damage resulting from their compromise. We show that IOT SENTINEL is
effective in identifying device types and has minimal performance overhead
Your Smart Home Can't Keep a Secret: Towards Automated Fingerprinting of IoT Traffic with Neural Networks
The IoT (Internet of Things) technology has been widely adopted in recent
years and has profoundly changed the people's daily lives. However, in the
meantime, such a fast-growing technology has also introduced new privacy
issues, which need to be better understood and measured. In this work, we look
into how private information can be leaked from network traffic generated in
the smart home network. Although researchers have proposed techniques to infer
IoT device types or user behaviors under clean experiment setup, the
effectiveness of such approaches become questionable in the complex but
realistic network environment, where common techniques like Network Address and
Port Translation (NAPT) and Virtual Private Network (VPN) are enabled. Traffic
analysis using traditional methods (e.g., through classical machine-learning
models) is much less effective under those settings, as the features picked
manually are not distinctive any more. In this work, we propose a traffic
analysis framework based on sequence-learning techniques like LSTM and
leveraged the temporal relations between packets for the attack of device
identification. We evaluated it under different environment settings (e.g.,
pure-IoT and noisy environment with multiple non-IoT devices). The results
showed our framework was able to differentiate device types with a high
accuracy. This result suggests IoT network communications pose prominent
challenges to users' privacy, even when they are protected by encryption and
morphed by the network gateway. As such, new privacy protection methods on IoT
traffic need to be developed towards mitigating this new issue
Intelligent and behavioral-based detection of malware in IoT spectrum sensors
The number of Cyber-Physical Systems (CPS) available in industrial environments is growing mainly due to the evolution of the Internet-of-Things (IoT) paradigm. In such a context, radio frequency spectrum sensing in industrial scenarios is one of the most interesting applications of CPS due to the scarcity of the spectrum. Despite the benefits of operational platforms, IoT spectrum sensors are vulnerable to heterogeneous malware. The usage of behavioral fingerprinting and machine learning has shown merit in detecting cyberattacks. Still, there exist challenges in terms of (i) designing, deploying, and evaluating ML-based fingerprinting solutions able to detect malware attacks affecting real IoT spectrum sensors, (ii) analyzing the suitability of kernel events to create stable and precise fingerprints of spectrum sensors, and (iii) detecting recent malware samples affecting real IoT spectrum sensors of crowdsensing platforms. Thus, this work presents a detection framework that applies device behavioral fingerprinting and machine learning to detect anomalies and classify different botnets, rootkits, backdoors, ransomware and cryptojackers affecting real IoT spectrum sensors. Kernel events from CPU, memory, network,file system, scheduler, drivers, and random number generation have been analyzed, selected, and monitored to create device behavioral fingerprints. During testing, an IoT spectrum sensor of the ElectroSense platform has been infected with ten recent malware samples (two botnets, three rootkits, three backdoors, one ransomware, and one cryptojacker) to measure the detection performance of the framework in two different network configurations. Both supervised and semi-supervised approaches provided promising results when detecting and classifying malicious behaviors from the eight previous malware and seven normal behaviors. In particular, the framework obtained 0.88–0.90 true positive rate when detecting the previous malicious behaviors as unseen or zero-day attacks and 0.94–0.96 F1-score when classifying the
CyberSpec: Intelligent Behavioral Fingerprinting to Detect Attacks on Crowdsensing Spectrum Sensors
Integrated sensing and communication (ISAC) is a novel paradigm using
crowdsensing spectrum sensors to help with the management of spectrum scarcity.
However, well-known vulnerabilities of resource-constrained spectrum sensors
and the possibility of being manipulated by users with physical access
complicate their protection against spectrum sensing data falsification (SSDF)
attacks. Most recent literature suggests using behavioral fingerprinting and
Machine/Deep Learning (ML/DL) for improving similar cybersecurity issues.
Nevertheless, the applicability of these techniques in resource-constrained
devices, the impact of attacks affecting spectrum data integrity, and the
performance and scalability of models suitable for heterogeneous sensors types
are still open challenges. To improve limitations, this work presents seven
SSDF attacks affecting spectrum sensors and introduces CyberSpec, an
ML/DL-oriented framework using device behavioral fingerprinting to detect
anomalies produced by SSDF attacks affecting resource-constrained spectrum
sensors. CyberSpec has been implemented and validated in ElectroSense, a real
crowdsensing RF monitoring platform where several configurations of the
proposed SSDF attacks have been executed in different sensors. A pool of
experiments with different unsupervised ML/DL-based models has demonstrated the
suitability of CyberSpec detecting the previous attacks within an acceptable
timeframe
On-device Security and Privacy Mechanisms for Resource-limited Devices: A Bottom-up Approach
This doctoral dissertation introduces novel mechanisms to provide on-device security and privacy for resource-limited smart devices and their applications. These mechanisms aim to cover five fundamental contributions in the emerging Cyber-Physical Systems (CPS), Internet of Things (IoT), and Industrial IoT (IIoT) fields. First, we present a host-based fingerprinting solution for device identification that is complementary to other security services like device authentication and access control. Then, we design a kernel- and user-level detection framework that aims to discover compromised resource-limited devices based on behavioral analysis. Further we apply dynamic analysis of smart devices’ applications to uncover security and privacy risks in real-time. Then, we describe a solution to enable digital forensics analysis on data extracted from interconnected resource-limited devices that form a smart environment. Finally, we offer to researchers from industry and academia a collection of benchmark solutions for the evaluation of the discussed security mechanisms on different smart domains. For each contribution, this dissertation comprises specific novel tools and techniques that can be applied either independently or combined to enable a broader security services for the CPS, IoT, and IIoT domains
Studying the Robustness of Anti-Adversarial Federated Learning Models Detecting Cyberattacks in IoT Spectrum Sensors
Device fingerprinting combined with Machine and Deep Learning (ML/DL) report promising performance when detecting spectrum sensing data falsification (SSDF) attacks. However, the amount of data needed to train models and the scenario privacy concerns limit the applicability of centralized ML/DL. Federated learning (FL) addresses these drawbacks but is vulnerable to adversarial participants and attacks. The literature has proposed countermeasures, but more effort is required to evaluate the performance of FL detecting SSDF attacks and their robustness against adversaries. Thus, the first contribution of this work is to create an FL-oriented dataset modeling the behavior of resource-constrained spectrum sensors affected by SSDF attacks. The second contribution is a pool of experiments analyzing the robustness of FL models according to i) three families of sensors, ii) eight SSDF attacks, iii) four FL scenarios dealing with anomaly detection and binary classification, iv) up to 33% of participants implementing data and model poisoning attacks, and v) four aggregation functions acting as anti-adversarial mechanisms. In conclusion, FL achieves promising performance when detecting SSDF attacks. Without anti-adversarial mechanisms, FL models are particularly vulnerable with > 16% of adversaries. Coordinate-wise-median is the best mitigation for anomaly detection, but binary classifiers are still affected with > 33% of adversaries
- …