2,195 research outputs found

    Integrating complex event processing and machine learning: An intelligent architecture for detecting IoT security attacks

    The Internet of Things (IoT) is growing globally at a fast pace: people now find themselves surrounded by a variety of IoT devices such as smartphones and wearables in their everyday lives. Additionally, smart environments, such as smart healthcare systems, smart industries and smart cities, benefit from sensors and actuators interconnected through the IoT. However, the increase in IoT devices has brought with it the challenge of promptly detecting and combating the cybersecurity attacks and threats that target them, including malware, privacy breaches and denial of service attacks, among others. To tackle this challenge, this paper proposes an intelligent architecture that integrates Complex Event Processing (CEP) technology and the Machine Learning (ML) paradigm in order to detect different types of IoT security attacks in real time. In particular, such an architecture is capable of easily managing event patterns whose conditions depend on values obtained by ML algorithms. Additionally, a model-driven graphical tool for security attack pattern definition and automatic code generation is provided, hiding all the complexity derived from implementation details from domain experts. The proposed architecture has been applied in the case of a healthcare IoT network to validate its ability to detect attacks made by malicious devices. The results obtained demonstrate that this architecture satisfactorily fulfils its objectives.
    This work was supported by the Spanish Ministry of Science, Innovation and Universities and the European Union FEDER Funds [grant numbers FPU 17/02007, RTI2018-093608-B-C33, RTI2018-098156-B-C52 and RED2018-102654-T]. This work was also supported by the JCCM [grant number SB-PLY/17/180501/000353

    ProvLight: Efficient Workflow Provenance Capture on the Edge-to-Cloud Continuum

    Modern scientific workflows require hybrid infrastructures combining numerous decentralized resources on the IoT/Edge interconnected to Cloud/HPC systems (aka the Computing Continuum) to enable their optimized execution. Understanding and optimizing the performance of such complex Edge-to-Cloud workflows is challenging. Capturing the provenance of key performance indicators, with their related data and processes, may assist in understanding and optimizing workflow executions. However, the capture overhead can be prohibitive, particularly in resource-constrained devices, such as the ones on the IoT/Edge. To address this challenge, based on a performance analysis of existing systems, we propose ProvLight, a tool to enable efficient provenance capture on the IoT/Edge. We leverage simplified data models, data compression and grouping, and lightweight transmission protocols to reduce overheads. We further integrate ProvLight into the E2Clab framework to enable workflow provenance capture across the Edge-to-Cloud Continuum. This integration makes E2Clab a promising platform for the performance optimization of applications through reproducible experiments. We validate ProvLight at a large scale with synthetic workloads on 64 real-life IoT/Edge devices in the FIT IoT LAB testbed. Evaluations show that ProvLight outperforms state-of-the-art systems like ProvLake and DfAnalyzer in resource-constrained devices. ProvLight is 26-37x faster to capture and transmit provenance data; uses 5-7x less CPU; 2x less memory; transmits 2x less data; and consumes 2-2.5x less energy. ProvLight and E2Clab are available as open-source tools