4 research outputs found

    Ethical Hacking for IoT Security: A First Look into Bug Bounty Programs and Responsible Disclosure

    The security of the Internet of Things (IoT) has attracted much attention due to the growing number of IoT-oriented security incidents. IoT hardware and software security vulnerabilities are exploited, affecting many companies and persons. Since the causes of vulnerabilities go beyond pure technical measures, there is a pressing demand nowadays to demystify the IoT "security complex" and develop practical guidelines for companies, consumers, and regulators. In this paper, we present an initial study targeting an unexplored sphere in IoT by illuminating the potential of crowdsourced ethical hacking approaches for enhancing IoT vulnerability management. We focus on Bug Bounty Programs (BBP) and Responsible Disclosure (RD), which stimulate hackers to report vulnerabilities in exchange for monetary rewards. We carried out a qualitative investigation supported by a literature survey and expert interviews to explore how BBP and RD can facilitate the practice of identifying, classifying, prioritizing, remediating, and mitigating IoT vulnerabilities in an effective and cost-efficient manner. Besides deriving tangible guidelines for IoT stakeholders, our study also sheds light on a systematic integration path to combine BBP and RD with existing security practices (e.g., penetration test) to further boost overall IoT security.
    Comment: Pre-print version for conference publication at ICTRS 201

    Real-time IoT Device Activity Detection in Edge Networks

    The growing popularity of Internet-of-Things (IoT) has created the need for network-based traffic anomaly detection systems that could identify misbehaving devices. In this work, we propose a lightweight technique, IoTguard, for identifying malicious traffic flows. IoTguard uses semi-supervised learning to distinguish between malicious and benign device behaviours using the network traffic generated by devices. In order to achieve this, we extracted 39 features from network logs and discarded any features containing redundant information. After feature selection, a fuzzy C-Mean (FCM) algorithm was trained to obtain clusters discriminating benign traffic from malicious traffic. We studied the feature scores in these clusters and used this information to predict the type of new traffic flows. IoTguard was evaluated using a real-world testbed with more than 30 devices. The results show that IoTguard achieves high accuracy (>98%) in differentiating various types of malicious and benign traffic, with low false positive rates. Furthermore, it has a low resource footprint and can operate on OpenWRT-enabled access points and COTS computing boards.
    Information and Communication Technolog