357 research outputs found

    IoT Sentinel: Automated Device-Type Identification for Security Enforcement in IoT

    With the rapid growth of the Internet-of-Things (IoT), concerns about the security of IoT devices have become prominent. Several vendors are producing IP-connected devices for home and small office networks that often suffer from flawed security designs and implementations. They also tend to lack mechanisms for firmware updates or patches that can help eliminate security vulnerabilities. Securing networks where the presence of such vulnerable devices is given, requires a brownfield approach: applying necessary protection measures within the network so that potentially vulnerable devices can coexist without endangering the security of other devices in the same network. In this paper, we present IOT SENTINEL, a system capable of automatically identifying the types of devices being connected to an IoT network and enabling enforcement of rules for constraining the communications of vulnerable devices so as to minimize damage resulting from their compromise. We show that IOT SENTINEL is effective in identifying device types and has minimal performance overhead

    IoT Security Evolution: Challenges and Countermeasures Review

    Internet of Things (IoT) architecture, technologies, applications and security have been recently addressed by a number of researchers. Basically, IoT adds internet connectivity to a system of intelligent devices, machines, objects and/or people. Devices are allowed to automatically collect and transmit data over the Internet, which exposes them to serious attacks and threats. This paper provides an intensive review of IoT evolution with a primary focus on security issues together with the proposed countermeasures. Thus, it outlines the IoT security challenges as a future roadmap of research for new researchers in this domain

    DeviceRadar: Online IoT Device Fingerprinting in ISPs Using Programmable Switches

    Device fingerprinting can be used by Internet Service Providers (ISPs) to identify vulnerable IoT devices for early prevention of threats. However, due to the wide deployment of middleboxes in ISP networks, some important data, e.g., 5-tuples and flow statistics, are often obscured, rendering many existing approaches invalid. It is further challenged by the high-speed traffic of hundreds of terabytes per day in ISP networks. This paper proposes DeviceRadar, an online IoT device fingerprinting framework that achieves accurate, real-time processing in ISPs using programmable switches. We innovatively exploit “key packets” as a basis of fingerprints only using packet sizes and directions, which appear periodically while exhibiting differences across different IoT devices. To utilize them, we propose a packet size embedding model to discover the spatial relationships between packets. Meanwhile, we design an algorithm to extract the “key packets” of each device, and propose an approach that jointly considers the spatial relationships and the key packets to produce a neighboring key packet distribution, which can serve as a feature vector for machine learning models for inference. Last, we design a model transformation method and a feature extraction process to deploy the model on a programmable data plane within its constrained arithmetic operations and memory to achieve line-speed processing. Our experiments show that DeviceRadar can achieve state-of-the-art accuracy across 77 IoT devices with 40 Gbps throughput, and requires only 1.3% of the processing time compared to GPU-accelerated approaches

    Fingerprinting Software Defined Networks and Controllers

    SDN transforms a network from a calcified collection of hardware into a logically centralized and programmable method of interconnectivity. Changing the networking paradigm shifts a network's security posture. Changes visible to a host connected to the network include small latency differences between a traditional network environment and an SDN environment. This thesis aims to reliably distinguish SDN environments from traditional environments by observing latency behavior. Additionally, this thesis determines whether latency information contributes to the unique fingerprint of SDN controllers. Identifying the controller software gives an adversary information contributing to a network attack. An SDN and traditional network environment consisting of two hosts, one switch, and one controller are created. Within both environments, packet RTT values are compared between SDN and traditional environments to determine if both sets differ. Latency analysis is used to observe features of an SDN controller. Collected features contribute to a table of information used to uniquely fingerprint an SDN controller. Results show that packet RTTs within a traditional network environment significantly (p-value less than 1.0 × 10^-15) differ from SDN environments. The predicted controller inactivity timeout within the simulated environment differs from the true timeout by a mean value of 0.44956 seconds. The emulated environment shows that the observed inactivity timeout depends on the network switch implementation of the controller's set value, leading to incorrect observed timeouts. Within the SDN environment, the host is not able to directly communicate with the SDN controller, leading to an inability to collect the number of features needed to uniquely identify the SDN controller