
    Can a Strictly Defined Security Configuration for IoT Devices Mitigate the Risk of Exploitation by Botnet Malware?

    The internet that we know and use every day is the internet of people: a collection of knowledge and data that can be accessed anywhere in the world, at any time, from many devices. The internet of the future is the Internet of Things. The Internet of Things is a collection of automated technology that is designed to run autonomously, but on devices designed for humans to use. In 2016 the Mirai malware showed that there are underlying vulnerabilities in devices connected to the Internet of Things. Mirai is specifically designed to recognise and exploit IoT devices, and it has been used in record-breaking attacks since 2016. The overall aim of the research is to explore the Mirai malware and its security impact on IoT devices, in order to investigate whether there are security controls that can mitigate against it. The final purpose is to create a set of security controls based on best practice and industry standards. These controls will then be applied to the devices to see whether the malware is as effective when the controls are in place. The study presents an experiment and research as a theoretical framework for understanding how Mirai and the IoT devices are structured. Furthermore, an experiment will be performed exposing the devices to the malware to define the attack vectors used, as well as designing security controls to mitigate the effect of the malware; the experiment is then repeated once the controls have been implemented on the devices to assess their validity.

    A principled approach to measuring the IoT ecosystem

    Internet of Things (IoT) devices combine network connectivity, cheap hardware, and actuation to provide new ways to interface with the world. In spite of this growth, little work has been done to measure the network properties of IoT devices. Such measurements can help to inform systems designers and security researchers of IoT networking behavior in practice and guide future research. Unfortunately, properly measuring the IoT ecosystem is not trivial. Devices may have different capabilities and behaviors, which require both active measurements and passive observation to quantify. Furthermore, the IoT devices that are connected to the public Internet may differ from those connected inside home networks, requiring both an external and an internal vantage point to draw measurements from. In this thesis, we demonstrate how IoT measurements drawn from a single vantage point or measurement technique lead to a biased view of the network services in the IoT ecosystem. To do this, we conduct several real-world IoT measurements, drawn from both inside and outside home networks using active and passive monitoring. First, we leverage active scanning and passive observation to understand the Mirai botnet; chiefly, we report on the devices it infected, the command and control infrastructure behind the botnet, and how the malware evolved over time. We then conduct active measurements from inside 16M home networks spanning 83M devices from 11 geographic regions to survey the IoT devices installed around the world. We demonstrate how these measurements can uncover the device types that are most at risk and the vendors who manufacture the weakest devices. We compare our measurements with passive external observation by detecting compromised scanning behavior from smart homes. We find that while passive external observation can drive insight about compromised networks, it offers little by way of concrete device attribution. We next compare our results from active external scanning with active internal scanning and show how relying solely on external scanning for IoT measurements under-reports security-important IoT protocols, potentially skewing the services investigated by the security community. Finally, we conduct passive measurements of 275 smart home networks to investigate IoT behavior. We find that IoT device behavior varies by type and that devices regularly communicate over a myriad of bespoke ports, in many cases to speak standard protocols (e.g., HTTP). We also observe that devices regularly offer active services (e.g., Telnet, rpcbind) that are rarely, if ever, used in actual communication, demonstrating the need for both active and passive measurements to properly compare device capabilities and behaviors. Our results highlight the need for a confluence of measurement perspectives to comprehensively understand the IoT ecosystem. We conclude with recommendations for future measurements of IoT devices as well as directions for the systems and security community informed by our work.

    Towards a Virtual Machine Introspection Based Multi-Service, Multi-Architecture, High-Interaction Honeypot for IOT Devices

    Internet of Things (IoT) devices are quickly growing in adoption. The use cases for IoT devices run the gamut from household applications (such as toasters, lighting, and thermostats) to medical, battlefield, or Industrial Control System (ICS) applications that are used in life-or-death situations. A disturbing trend for IoT devices is that they are not developed with security in mind. This lack of security has led to the creation of massive botnets that are used for nefarious acts. To address these issues, it is important to have a good understanding of the threat landscape that IoT devices face. A commonly used security control for monitoring and gaining insight into threats is a honeypot. This research explores the creation of a VMI-based high-interaction honeypot for IoT devices that is capable of monitoring multiple services simultaneously.

    Mirai Bot Scanner Summation Prototype

    The Mirai botnet deploys a distributed mechanism in which each Bot continually scans for a potential new Bot Victim. A Bot continually generates a random IP address to scan the network for a potential new Bot Victim. The Bot establishes a connection with the potential new Bot Victim with a Transmission Control Protocol (TCP) handshake. The Mirai botnet has recruited hundreds of thousands of Bots. With 100,000 Bots, Mirai Distributed Denial of Service (DDoS) attacks on service provider Dyn in October 2016 made hundreds of websites in Europe and North America inaccessible (Sinanović & Mrdovic, 2017). A month before the Dyn attack, the source code was released publicly on the Internet and Mirai spread to half a million bots. Hackers offered Mirai botnets with 400,000 Bots for rent. Recent research has suggested network signatures for Mirai detection. Network signatures are suggested to detect a Bot brute forcing a new Bot Victim with a factory default user-id and password. Research has not focused on the Bot scanning mechanism. The focus of this research is experimentation to analyze the Bot scanning mechanism when a Bot attempts to establish a connection to a potential new Bot Victim with a TCP handshake. The thesis is presented: it is possible to develop a solution that can analyze network traffic to identify a Bot scanning for a potential new Bot Victim. The three research questions are (a) Can the Bots be identified for summation? (b) Can the potential new Bot Victims be identified for summation? (c) Is it possible to monitor the Bot scanning mechanism over time? The research questions support the thesis. The Design Science Research (DSR) methodology is followed for designing and evaluating the solution presented in this study. The original Mirai Bot code is used as a research data source to perform a Bot scanner code review. A dataset containing Bot scanning network activity, recorded by the University of Southern California (USC), is utilized as the research data source for experimentation performed with the Mirai Bot Scanner Summation Prototype solution. The Bot scanner code review is performed to identify the Bot scanning functionality and network communications with a potential new Bot Victim. A sample from the Bot scanning dataset is confirmed against the analysis performed in the code review. The solution created in this study, the Mirai Bot Scanner Summation Prototype, evaluates a Bot scanning dataset. Researchers can use the prototype to tabulate the number of Mirai Bots, the number of potential new Bot Victims, and the number of network packet types associated with a Bot attempting to connect to a potential new Bot Victim. A database provides permanent storage for counting Bots, potential new Bot Victims, and network packet types. Reporting and line graphs are provided for assessing the Bot scanning mechanism over a time period. Single-case experimentation performed with the Mirai Bot Scanner Summation Prototype provides answers to the research questions: (a) Bots are identified for summation; (b) potential new Bot Victims are identified for summation; (c) the Bot scanner is monitored over time. A comparison with a NIDS solution highlights the advantages of the prototype for summating and assessing the Bot scanning dataset. Experimentation with the Mirai Bot Scanner Summation Prototype and the NIDS verifies that it is possible to develop a solution that can analyze network traffic to identify a Bot scanning for a potential new Bot Victim. Future research could include adding functionality to the Bot Scanner Summation Prototype for evaluating a Bot scanner dataset for non-potential Bot Victims.

    Security Assessment and Hardening of Fog Computing Systems

    In recent years, there has been a shift in computing architectures, moving away from centralized cloud computing towards decentralized edge and fog computing. This shift is driven by factors such as the increasing volume of data generated at the edge, the growing demand for real-time processing and low-latency applications, and the need for improved privacy and data locality. Although this new paradigm offers numerous advantages, it also introduces significant security and reliability challenges. This paper aims to review the architectures and technologies employed in fog computing and identify opportunities for developing novel security assessment and security hardening techniques. These techniques include secure configuration and debloating to enhance the security of middleware, testing techniques to assess secure communication mechanisms, and automated rehosting to speed up the security testing of embedded firmware.
    Comment: 4 pages. Accepted for publication at The 34th IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW).

    Clustered Federated Learning Architecture for Network Anomaly Detection in Large Scale Heterogeneous IoT Networks

    There is a growing trend of cyberattacks against Internet of Things (IoT) devices; moreover, the sophistication and motivation of those attacks are increasing. The vast scale of IoT, its diverse hardware and software, and its typical placement in uncontrolled environments make traditional IT security mechanisms such as signature-based intrusion detection and prevention systems challenging to integrate. They also struggle to cope with the rapidly evolving IoT threat landscape because of long delays between the analysis and the publication of detection rules. Machine learning methods have shown a faster response to emerging threats; however, model training architectures like cloud or edge computing face multiple drawbacks in IoT settings, including network overhead and data isolation arising from the large scale and heterogeneity that characterize these networks. This work presents an architecture for training unsupervised models for network intrusion detection in large, distributed IoT and Industrial IoT (IIoT) deployments. We leverage Federated Learning (FL) to train collaboratively between peers and reduce the isolation and network overhead problems. We build upon it to include an unsupervised device clustering algorithm fully integrated into the FL pipeline to address the heterogeneity issues that arise in FL settings. The architecture is implemented and evaluated using a testbed that includes various emulated IoT/IIoT devices and attackers interacting in a complex network topology comprising 100 emulated devices, 30 switches and 10 routers. The anomaly detection models are evaluated on real attacks performed by the testbed's threat actors, including the entire Mirai malware lifecycle, an additional botnet based on the Merlin command and control server, and other red-teaming tools performing scanning activities and multiple attacks targeting the emulated devices.

    Security Technologies and Methods for Advanced Cyber Threat Intelligence, Detection and Mitigation

    The rapid growth of Internet interconnectivity and the complexity of communication systems have led to significant growth in cyberattacks globally, often with severe and disastrous consequences. The swift development of more innovative and effective (cyber)security solutions and approaches that can detect, mitigate and prevent these serious consequences is vital. Cybersecurity is gaining momentum and is scaling up in very many areas. This book builds on the experience of the Cyber-Trust EU project's methods, use cases, technology development, testing and validation, and extends into broader science, the leading IT industry market and applied research with practical cases. It offers new perspectives on advanced (cyber)security innovation (eco)systems, covering key different perspectives. The book provides insights on new security technologies and methods for advanced cyber threat intelligence, detection and mitigation. We cover topics such as cybersecurity and AI, cyber-threat intelligence, digital forensics, moving target defense, intrusion detection systems, post-quantum security, privacy and data protection, security visualization, smart contract security, software security, blockchain, security architectures, system and data integrity, trust management systems, distributed systems security, dynamic risk management, privacy and ethics.

    The digital harms of smart home devices: a systematic literature review

    The connection of home electronic devices to the internet allows remote control of physical devices and involves the collection of large volumes of data. With the increase in the uptake of Internet-of-Things home devices, it becomes critical to understand the digital harms of smart homes. We present a systematic literature review on the security and privacy harms of smart homes. The PRISMA methodology is used to systematically review 63 studies published between January 2011 and October 2021, and a review of known cases is undertaken to illustrate the literature review findings with real-world scenarios. Published literature identifies that smart homes may pose threats to confidentiality (unwanted release of information), authentication (sensing information being falsified) and unauthorised access to system controls. Most existing studies focus on privacy intrusions as the prevalent form of harm against smart homes. Other types of harm that are less common in the literature include hacking, malware and DoS attacks. Digital harms, and the data associated with these harms, may vary extensively across smart devices. Most studies propose technical measures to mitigate digital harms, while fewer consider social prevention mechanisms. We also identify salient gaps in research, and argue that these should be addressed in future cross-disciplinary research initiatives.