6 research outputs found

    Auditing an IoT System through Penetration Testing (original title: Audit d'un système IoT par test d'intrusion)

    National audience. The explosive growth of the Internet of Things sector, which relies predominantly on wireless communication technologies, raises numerous security issues. This is due in particular to the heterogeneous nature of these devices, their poorly segmented networks, and a rushed release to market. In this thesis, we propose a method for assessing the security of a system of connected objects that uses wireless communication modes, in order to strengthen the security of the information system as a whole. Our methodology is based on an approach proven in conventional IT: penetration testing.

    Can a Strictly Defined Security Configuration for IoT Devices Mitigate the Risk of Exploitation by Botnet Malware?

    The internet that we know and use every day is the internet of people, a collection of knowledge and data that can be accessed anywhere in the world, at any time, from many devices. The internet of the future is the Internet of Things. The Internet of Things is a collection of automated technology that is designed to be run autonomously, but on devices designed for humans to use. In 2016, the Mirai malware showed that there are underlying vulnerabilities in devices connected to the Internet of Things. Mirai is specifically designed to recognise and exploit IoT devices, and it has been used in record-breaking attacks since 2016. The overall aim of the research is to explore the Mirai malware and its security impact on IoT devices, and to determine whether there are security controls that can mitigate it. The final purpose is to create a set of security controls based on best practice and industry standards. These controls will then be applied to the devices to see if the malware is as effective when the controls are in place. The study presents an experiment and research as a theoretical framework for understanding how Mirai and the IoT devices are structured. Furthermore, an experiment will be performed that exposes the devices to the malware to define the attack vectors used and to design security controls that mitigate the effect of the malware; the experiment will then be repeated once the controls have been implemented on the devices, to assess their validity.

    Correlation-Aware Neural Networks for DDoS Attack Detection In IoT Systems

    We present a comprehensive study on applying machine learning to detect distributed denial-of-service (DDoS) attacks using large-scale Internet of Things (IoT) systems. While prior works and existing DDoS attacks have largely focused on individual nodes transmitting packets at a high volume, we investigate more sophisticated futuristic attacks that use large numbers of IoT devices and camouflage their attack by having each node transmit at a volume typical of benign traffic. We introduce new correlation-aware architectures that take into account the correlation of traffic across IoT nodes, and we also compare the effectiveness of centralized and distributed detection models. We extensively analyze the proposed architectures by evaluating five different neural network models trained on a dataset derived from a 4060-node real-world IoT system. We observe that long short-term memory (LSTM) and a transformer-based model, in conjunction with the architectures that use correlation information of the IoT nodes, provide higher performance (in terms of F1 score and binary accuracy) than the other models and architectures, especially when the attacker camouflages itself by following benign traffic distribution on each transmitting node. For instance, by using the LSTM model, the distributed correlation-aware architecture gives 81% F1 score for the attacker that camouflages their attack with benign traffic as compared to 35% for the architecture that does not use correlation information. We also investigate the performance of heuristics for selecting a subset of nodes to share their data for correlation-aware architectures to meet resource constraints. Comment: 16 pages, 17 figures, journa

    Feature Space Modeling for Accurate and Efficient Learning From Non-Stationary Data

    A non-stationary dataset is one whose statistical properties, such as the mean, variance, correlation, and probability distribution, change over a specific interval of time. In contrast, a stationary dataset is one whose statistical properties remain constant over time. Apart from the volatile statistical properties, non-stationary data poses other challenges such as time and memory management, due to the limitation of computational resources, mostly caused by recent advancements in data collection technologies that generate a variety of data at an alarming pace and volume. Additionally, when the collected data is complex, managing data complexity, emerging from its dimensionality and heterogeneity, can pose another challenge for effective computational learning. The problem is to enable accurate and efficient learning from non-stationary data in a continuous fashion over time while facing and managing the critical challenges of time, memory, concept change, and complexity simultaneously. Feature space modeling is one of the most effective solutions to address this problem. For non-stationary data, selecting relevant features is even more critical than for stationary data, because reducing the feature dimension can ensure the best use of computational resources to produce higher accuracy and efficiency by data mining algorithms. In this dissertation, we investigated a variety of feature space modeling techniques to improve the overall performance of data mining algorithms. In particular, we built a Relief-based feature sub-selection method in combination with data complexity analysis to improve the classification performance using ovarian cancer image data collected in a non-stationary batch mode. We also collected time series health sensor data in a streaming environment and deployed feature space transformation using Singular Value Decomposition (SVD). This led to reduced dimensionality of the feature space, resulting in better accuracy and efficiency produced by the Density Ratio Estimation method in identifying potential change points in data over time. We have also built an unsupervised feature space model using matrix factorization and Lasso Regression, which was successfully deployed in conjunction with Relative Density Ratio Estimation to address botnet attacks in a non-stationary environment. The Relief-based feature model improved the accuracy of the Fuzzy Forest classifier by 16%. For the change detection framework, we observed a 9% improvement in accuracy for PCA feature transformation. Due to the unsupervised feature selection model, for 2% and 5% malicious traffic ratios, the proposed botnet detection framework exhibited on average 20% better accuracy than One Class Support Vector Machine (OSVM) and on average 25% better accuracy than Autoencoder. All these results successfully demonstrate the effectiveness of these feature space models. The fundamental theme that repeats itself in this dissertation is about modeling efficient feature space to improve both accuracy and efficiency of selected data mining models. Every contribution in this dissertation has been subsequently and successfully employed to capitalize on those advantages to solve real-world problems. Our work bridges the concepts from multiple disciplines in effective and surprising ways, leading to new insights, new frameworks, and ultimately to a cross-production of diverse fields like mathematics, statistics, and data mining.

    A survey of IoT protocols and their security issues through the lens of a generic IoT stack

    International audience. The Internet of things (IoT) is rapidly growing, and many security issues relate to its wireless technology. These security issues are challenging because IoT protocols are heterogeneous, suit different needs, and are used in different application domains. From this assessment, we identify the need to provide a homogeneous formalism applicable to every IoT protocol. In this survey, we describe a generic approach with twofold challenges. The first challenge we tackle is the identification of common principles to define a generic approach to compare IoT protocol stacks. We base the comparison on five different criteria: the range, the openness of the protocol, the interoperability, the topology and the security practices of these IoT protocols. The second challenge we consider is to find a generic way to describe fundamental IoT attacks regardless of the protocol used. This approach exposes similar attacks amongst different IoT protocols and is divided into three parts: attacks focusing on packets (passive and active cryptographic attacks), attacks focusing on the protocol (MITM, Flooding, Sybil, Spoofing, Wormhole attacks) and attacks focusing on the whole system (Sinkhole, Selective forwarding attacks). It also highlights which mechanisms are different between two protocols to make both of them vulnerable to an attack. Finally, we draw some lessons and perspectives from this transversal study.

    Context and communication profiling for IoT security and privacy: techniques and applications

    During the last decade, two major technological changes have profoundly changed the way in which users consume and interact with on-line services and applications. The first of these has been the success of mobile computing, in particular that of smartphones, the primary end device used by many users for access to the Internet and various applications. The other change is the emergence of the so-called Internet-of-Things (IoT), denoting a technological transition in which everyday objects like household appliances that traditionally have been seen as stand-alone devices are given network connectivity by introducing digital communication capabilities to those devices. The topic of this dissertation is related to a core challenge that the emergence of these technologies is introducing: how to effectively manage the security and privacy settings of users and devices in a user-friendly manner in an environment in which an ever-growing number of heterogeneous devices live and co-exist with each other? In particular, we study approaches for utilising profiling of contextual parameters and device communications in order to make autonomous security decisions with the goal of striking a better balance between a system's security on the one hand and its usability on the other. We introduce four distinct novel approaches utilising profiling for this end. First, we introduce ConXsense, a system demonstrating the use of user-specific longitudinal profiling of contextual information for modelling the usage context of mobile computing devices. Based on this, ConXsense can probabilistically automate security policy decisions affecting security settings of the device. Further, we develop an approach utilising the similarity of contextual parameters observed with on-board sensors of co-located devices to construct proofs of presence that are resilient to context-guessing attacks by adversaries that seek to fool a device into believing the adversary is co-located with it, even though it is in reality not. We then extend this approach to a context-based key evolution approach that allows IoT devices that are co-present in the same physical environment, like the same room, to use passively observed context measurements to iteratively authenticate their co-presence and thus gradually establish confidence in the other device being part of the same trust domain, e.g., the set of IoT devices in a user's home. We further analyse the relevant constraints that need to be taken into account to ensure security and usability of context-based authentication. In the final part of this dissertation, we extend the profiling approach to network communications of IoT devices and utilise it to realise the design of the IoTSentinel system for autonomous security policy adaptation in IoT device networks. We show that by monitoring the inherent network traffic of IoT devices during their initial set-up, we can automatically identify the type of device newly added to the network. The device-type information is then used by IoTSentinel to adapt traffic filtering rules automatically to provide isolation of devices that are potentially vulnerable to known attacks, thereby protecting the device itself and the rest of the network from threats arising from possible compromise of vulnerable devices.