4 research outputs found

    Passive Inference of User Actions through IoT Gateway Encrypted Traffic Analysis

    Internet of Things (IoT) devices become widely used and their control is often provided through a cloud-based web service that interacts with an IoT gateway, in particular for individual users and home automation. In this paper, we propose a technique to infer private user information, i.e., actions performed, by considering a vantage point outside the end-user local IoT network. By learning the relationships between the user actions and the traffic sent by the web service to the gateway, we have been able to establish elementary signatures, one for each possible action, which can be then composed to discover compound actions in encrypted traffic. We evaluated the efficiency of our approach on one IoT gateway interacting with up to 16 IoT devices and showed that a passive attacker can infer user activities with an accuracy above 90%.

    Detecting Rogue Manipulation of Smart Home Device Settings

    Smart home devices control a home’s environmental and security settings. This includes devices that control home thermostats, sprinkler systems, light bulbs, and home appliances. Malicious manipulation of the settings of these devices by an outside adversary has caused emotional distress and could even cause physical harm. For example, researchers have reported that there is a rise in domestic abuse perpetrated via smart home devices; victims have reported their thermostat settings being unwittingly manipulated and being locked out of their house due to their smart lock code being changed. Rapid adoption of smart home devices by consumers has led to an urgent need to research mitigation strategies to protect consumers from device takeover. Currently there is not an easy way for home users to detect that a malicious actor is making unwanted changes to their smart home devices. Change requests to smart home devices travel across the network in the form of network packets. Most of the time the payloads of the packets are encrypted using strong encryption methods, so it is not possible to simply read the contents of the packet to learn if the packet contains instructions for the smart device to change states. Previous research has successfully trained machine learning algorithms to identify unique network traffic patterns indicative of state change requests sent to smart home devices. This research extends previous research by identifying state change requests of smart home devices made by residents via a smart home device app on their smart phones or tablets. This research identified 13 key attributes of 3,178 encrypted network traffic connections. The attributes were used as features to train three machine learning algorithms to recognize state change requests. Four smart home devices were used, chosen from the following categories: 1) devices with simple behaviors (turns on and off), 2) devices with complex behaviors (can be turned on for a set amount of time), and 3) devices that send a large amount of data (i.e. video camera). The success of identifying state change requests over encrypted traffic from a mobile app, combined with previous research that identified state changes sent to the smart home device, allows for the development of a system that could block unwanted state changes that originate from a malicious user located outside of the house. Therefore, this research contributes to the body of knowledge of smart home device security and could be extended to the identification of other networking patterns based on encrypted traffic.

    Encrypted Web Traffic Classification Using Deep Learning

    Traffic classification is essential in network management for operations ranging from capacity planning, performance monitoring, volumetry, and resource provisioning, to anomaly detection and security. Recently, it has become increasingly challenging with the widespread adoption of encryption in the Internet, e.g., as a de-facto in HTTP/2 and QUIC protocols. In the current state of encrypted traffic classification using Deep Learning (DL), we identify fundamental issues in the way it is typically approached. For instance, although complex DL models with millions of parameters are being used, these models implement a relatively simple logic based on certain header fields of the TLS handshake, limiting model robustness to future versions of encrypted protocols. Furthermore, encrypted traffic is often treated as any other raw input for DL, while crucial domain-specific considerations exist that are commonly ignored. In this thesis, we design a novel feature engineering approach that generalizes well for encrypted web protocols, and develop a neural network architecture based on Stacked Long Short-Term Memory (LSTM) layers and Convolutional Neural Networks (CNN) that works very well with our feature design. We evaluate our approach on a real-world traffic dataset from a major ISP and Mobile Network Operator. We achieve an accuracy of 95% in service-level classification with less raw traffic and a smaller number of parameters, out-performing a state-of-the-art method by nearly 50% fewer false classifications. We show that our DL model generalizes for different classification objectives and encrypted web protocols. We also evaluate our approach on a public QUIC dataset with finer and application-level granularity in labeling, achieving an overall accuracy of 99%.