
    Forensic Data Analytics for Anomaly Detection in Evolving Networks

    In the prevailing convergence of traditional infrastructure-based deployments (i.e., telco and industrial operational networks) towards evolving deployments enabled by 5G and virtualization, there is keen interest in elaborating effective security controls to protect these deployments in depth. Enabled by key technologies such as 5G and virtualization, evolving networks are democratized, facilitating the establishment of points of presence that integrate different business models ranging from media, dynamic web content and gaming to a plethora of IoT use cases. Despite the increasing range of services provided by evolving networks, many cybercrimes and attacks have been launched against them to perform malicious activities. Due to the limitations of traditional security artifacts (e.g., firewalls and intrusion detection systems), research on digital forensic data analytics has attracted more attention. Digital forensic analytics enables analysts to derive detailed information and comprehensive conclusions from different perspectives on cybercrimes, to assist in convicting criminals and preventing future crimes. This chapter presents a digital analytics framework for network anomaly detection, including multi-perspective feature engineering, unsupervised anomaly detection, and comprehensive result-correction procedures. Experiments on real-world evolving network data show the effectiveness of the proposed forensic data analytics solution.

    Comment: Electronic version of an article published as [Book Series: World Scientific Series in Digital Forensics and Cybersecurity, Volume 2, Innovations in Digital Forensics, 2023, Pages 99-137] [DOI:10.1142/9789811273209_0004] © World Scientific Publishing Company [https://doi.org/10.1142/9789811273209_0004]

    The Security of IP-based Video Surveillance Systems

    IP-based surveillance systems protect industrial facilities, railways, gas stations, and even one's own home. Therefore, unauthorized access to these systems has serious security implications. In this survey, we analyze the systems' (1) threat agents, (2) attack goals, (3) practical attacks, and (4) possible attack outcomes, and (5) provide example attack vectors.

    Models versus Datasets: Reducing Bias through Building a Comprehensive IDS Benchmark

    Today, deep learning approaches are widely used to build intrusion detection systems (IDS) for securing IoT environments. However, the models' hidden and complex nature raises various concerns, such as trusting the model output and understanding why the model made certain decisions. Researchers generally publish their proposed model's settings and performance results based on a specific dataset and a classification model, but do not report the proposed model's output and findings. Similarly, many researchers suggest an IDS solution by focusing only on a single benchmark dataset and classifier. Such solutions are prone to generating inaccurate and biased results. This paper overcomes these limitations of previous work by analyzing various benchmark datasets and various individual and hybrid deep learning classifiers, towards finding the best IDS solution for IoT that is efficient, lightweight, and comprehensive in detecting network anomalies. We also show the model's localized predictions and analyze the top contributing features impacting the global performance of deep learning models. This paper aims to extract the aggregate knowledge from various datasets and classifiers and analyze the commonalities, to avoid any possible bias in results and increase the trust and transparency of deep learning models. We believe this paper's findings will help future researchers build a comprehensive IDS based on well-performing classifiers and utilize the aggregated knowledge and the minimum set of significantly contributing features.

    Smart Home or Smart Hell?: Modeling Smart Home IoT-Facilitated Abuse as a Cybersecurity Threat

    Smart homes are just one application of IoT, or the "Internet of Things." As a solution for creating a more automated "smart home" experience, users have the ability to control the temperature or turn off their lights with a single command. However, smart home technology is vulnerable to unique cybersecurity and privacy issues due to the personal nature of user-device interactions. In addition, the multi-user environments in which IoT has been implemented have considerable social nuances which play a factor in interpersonal cybersecurity threats. Smart Home-IoT Facilitated Abuse (SH-IoTFA) is an alarming phenomenon of users weaponizing smart home technology as a tool to perpetrate "Intimate Partner Violence" (IPV) using its built-in, convenient features. Despite the emergence of research on SH-IoTFA, there is a need to give greater consideration to potentially abusive affordances in the development process through an attacker-centric threat model framework. This thesis explores how SH-IoTFA has emerged and evolved from traditional Technology-Facilitated Abuse (TFA) and demonstrates, through a thematic review of the current literature, how attacker motivations influence their relationship with a device and, in turn, transform seemingly innocuous convenience features into tools for surveillance, power exertion, and harassment. Furthermore, this thesis breaks down the relationship between the attacker's motivations, the device features, and the assets at risk for a victim. Utilizing the threat scenario, the Google Nest Hub was then analyzed to identify how an abuse perpetrator may potentially misuse the device. Overall, through an integration of interdisciplinary perspectives, this research highlights interpersonal threats as a cybersecurity concern and proposes a threat model that may reduce inadvertent harm to consumers.

    IoT Crawler with Behavior Analyzer at Fog layer for Detecting Malicious Nodes

    The limitations in terms of power and processing in IoT (Internet of Things) nodes make them easy prey for malicious attacks, thus threatening business and industry. Detecting malicious nodes before they trigger an attack is highly recommended. This paper introduces a special-purpose IoT crawler that works as an inspector to catch malicious nodes. The crawler is deployed in the fog layer to inherit its capabilities and to serve as an intermediate connection between the things and the cloud computing nodes. The crawler collects data streams from IoT nodes according to a priority criterion. A behavior analyzer, with a machine learning core, detects malicious nodes according to the node behavior extracted from the data streams collected by the crawler. The performance of the behavior analyzer was investigated using three machine learning algorithms: AdaBoost, Random Forest and Extra Trees. For the tested data, the behavior analyzer produces better testing accuracy with Extra Trees than with AdaBoost and Random Forest; it achieved 98.3% testing accuracy with Extra Trees.

    An IoT Architecture Leveraging Digital Twins: Compromised Node Detection Scenario

    Modern IoT (Internet of Things) environments, with thousands of low-end and diverse IoT nodes, complex interactions among them, and deployments often in remote and/or wild locations, present unique challenges that make traditional node compromise detection services less effective. This paper presents the design, implementation and evaluation of a fog-based architecture that utilizes the concept of a digital twin to detect compromised IoT nodes exhibiting malicious behaviors, either by producing erroneous data and/or by being used to launch network intrusion attacks that hijack other nodes and eventually cause service disruption. By defining a digital twin of an IoT infrastructure at a fog server, the architecture focuses on monitoring only relevant information, saving energy and storage space. The paper presents a prototype implementation of the architecture that utilizes malicious behavior datasets to perform misbehaving-node classification. An extensive accuracy and system performance evaluation was conducted based on this prototype. Results show good accuracy and negligible overhead, especially when employing deep learning techniques such as the MLP (multilayer perceptron).

    Comment: This work has been submitted to the IEEE for possible publication.

    Adversarial machine learning in IoT from an insider point of view

    With the rapid progress and significant successes in various applications, machine learning has come to be considered a crucial component of the Internet of Things ecosystem. However, machine learning models have recently been shown to be vulnerable to carefully crafted perturbations, so-called adversarial attacks. A capable insider adversary can subvert a machine learning model at either the training or the testing phase, causing it to behave differently. The vulnerability of machine learning to adversarial attacks has become one of the significant risks. Therefore, there is a need to secure machine learning models to enable their safe adoption in the presence of malicious insiders. This paper reviews and organizes the body of knowledge on adversarial attacks and defenses presented in the IoT literature from an insider adversary's point of view. We propose a taxonomy of adversarial methods against machine learning models that an insider can exploit. Under this taxonomy, we discuss how these methods can be applied in real-life IoT applications. Finally, we explore defensive methods against adversarial attacks. We believe this provides a comprehensive overview of the scattered research works, raises awareness of the existing insider threat landscape, and encourages others to safeguard machine learning models against insider threats in the IoT ecosystem.