56 research outputs found
Detecting Anomalous Microflows in IoT Volumetric Attacks via Dynamic Monitoring of MUD Activity
IoT networks are increasingly becoming target of sophisticated new
cyber-attacks. Anomaly-based detection methods are promising in finding new
attacks, but there are certain practical challenges like false-positive alarms,
hard to explain, and difficult to scale cost-effectively. The IETF recent
standard called Manufacturer Usage Description (MUD) seems promising to limit
the attack surface on IoT devices by formally specifying their intended network
behavior. In this paper, we use SDN to enforce and monitor the expected
behaviors of each IoT device, and train one-class classifier models to detect
volumetric attacks.
Our specific contributions are fourfold. (1) We develop a multi-level
inferencing model to dynamically detect anomalous patterns in network activity
of MUD-compliant traffic flows via SDN telemetry, followed by packet inspection
of anomalous flows. This provides enhanced fine-grained visibility into
distributed and direct attacks, allowing us to precisely isolate volumetric
attacks with microflow (5-tuple) resolution. (2) We collect traffic traces
(benign and a variety of volumetric attacks) from network behavior of IoT
devices in our lab, generate labeled datasets, and make them available to the
public. (3) We prototype a full working system (modules are released as
open-source), demonstrates its efficacy in detecting volumetric attacks on
several consumer IoT devices with high accuracy while maintaining low false
positives, and provides insights into cost and performance of our system. (4)
We demonstrate how our models scale in environments with a large number of
connected IoTs (with datasets collected from a network of IP cameras in our
university campus) by considering various training strategies (per device unit
versus per device type), and balancing the accuracy of prediction against the
cost of models in terms of size and training time.Comment: 18 pages, 13 figure
Defining the Behavior of IoT Devices through the MUD Standard: Review, Challenges, and Research Directions
With the strong development of the Internet of Things (IoT), the definition of IoT devices' intended behavior is key for an effective detection of potential cybersecurity attacks and threats in an increasingly connected environment. In 2019, the Manufacturer Usage Description (MUD) was standardized within the IETF as a data model and architecture for defining, obtaining and deploying MUD files, which describe the network behavioral profiles of IoT devices. While it has attracted a strong interest from academia, industry, and Standards Developing Organizations (SDOs), MUD is not yet widely deployed in real-world scenarios. In this work, we analyze the current research landscape around this standard, and describe some of the main challenges to be considered in the coming years to foster its adoption and deployment. Based on the literature analysis and our own experience in this area, we further describe potential research directions exploiting the MUD standard to encourage the development of secure IoT-enabled scenarios
Verifying and Monitoring IoTs Network Behavior using MUD Profiles
IoT devices are increasingly being implicated in cyber-attacks, raising
community concern about the risks they pose to critical infrastructure,
corporations, and citizens. In order to reduce this risk, the IETF is pushing
IoT vendors to develop formal specifications of the intended purpose of their
IoT devices, in the form of a Manufacturer Usage Description (MUD), so that
their network behavior in any operating environment can be locked down and
verified rigorously. This paper aims to assist IoT manufacturers in developing
and verifying MUD profiles, while also helping adopters of these devices to
ensure they are compatible with their organizational policies and track devices
network behavior based on their MUD profile. Our first contribution is to
develop a tool that takes the traffic trace of an arbitrary IoT device as input
and automatically generates the MUD profile for it. We contribute our tool as
open source, apply it to 28 consumer IoT devices, and highlight insights and
challenges encountered in the process. Our second contribution is to apply a
formal semantic framework that not only validates a given MUD profile for
consistency, but also checks its compatibility with a given organizational
policy. We apply our framework to representative organizations and selected
devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance
testing. Finally, we show how operators can dynamically identify IoT devices
using known MUD profiles and monitor their behavioral changes on their network.Comment: 17 pages, 17 figures. arXiv admin note: text overlap with
arXiv:1804.0435
Defining the Behavior of IoT Devices through the MUD Standard : Review, Challenges, and Research Directions
With the strong development of the Internet of Things (IoT), the definition of IoT devices' intended behavior is key for an effective detection of potential cybersecurity attacks and threats in an increasingly connected environment. In 2019, the Manufacturer Usage Description (MUD) was standardized within the IETF as a data model and architecture for defining, obtaining and deploying MUD files, which describe the network behavioral profiles of IoT devices. While it has attracted a strong interest from academia, industry, and Standards Developing Organizations (SDOs), MUD is not yet widely deployed in real-world scenarios. In this work, we analyze the current research landscape around this standard, and describe some of the main challenges to be considered in the coming years to foster its adoption and deployment. Based on the literature analysis and our own experience in this area, we further describe potential research directions exploiting the MUD standard to encourage the development of secure IoT-enabled scenarios
Study of Trust Aggregation Authentication Protocol
The main focus of this work is to sense and share the data that are required to be trusted and the solutions are to be provided to the data, as trust management models. Additionally, the elements in the IoT network model are required to communicate with the trusted links, hence the identity services and authorization model are to be defined to develop the trust between the different entities or elements to exchange data in a reliable manner. Moreover, data and the services are to be accessed from the trusted elements, where the access control measures are also to be clearly defined. While considering the whole trust management model, identification, authentication, authorization and access control are to be clearly defined
Optimal Witnessing of Healthcare IoT Data Using Blockchain Logging Contract
Verification of data generated by wearable sensors is increasingly becoming
of concern to health service providers and insurance companies. There is a need
for a verification framework that various authorities can request a
verification service for the local network data of a target IoT device. In this
paper, we leverage blockchain as a distributed platform to realize an on-demand
verification scheme. This allows authorities to automatically transact with
connected devices for witnessing services. A public request is made for witness
statements on the data of a target IoT that is transmitted on its local
network, and subsequently, devices (in close vicinity of the target IoT) offer
witnessing service.
Our contributions are threefold: (1) We develop a system architecture based
on blockchain and smart contract that enables authorities to dynamically avail
a verification service for data of a subject device from a distributed set of
witnesses which are willing to provide (in a privacy-preserving manner) their
local wireless measurement in exchange of monetary return; (2) We then develop
a method to optimally select witnesses in such a way that the verification
error is minimized subject to monetary cost constraints; (3) Lastly, we
evaluate the efficacy of our scheme using real Wi-Fi session traces collected
from a five-storeyed building with more than thirty access points,
representative of a hospital. According to the current pricing schedule of the
Ethereum public blockchain, our scheme enables healthcare authorities to verify
data transmitted from a typical wearable device with the verification error of
the order 0.01% at cost of less than two dollars for one-hour witnessing
service.Comment: 12 pages, 12 figure
- …