8 research outputs found

    Defining the Behavior of IoT Devices through the MUD Standard: Review, Challenges, and Research Directions

    With the strong development of the Internet of Things (IoT), the definition of IoT devices' intended behavior is key for an effective detection of potential cybersecurity attacks and threats in an increasingly connected environment. In 2019, the Manufacturer Usage Description (MUD) was standardized within the IETF as a data model and architecture for defining, obtaining and deploying MUD files, which describe the network behavioral profiles of IoT devices. While it has attracted a strong interest from academia, industry, and Standards Developing Organizations (SDOs), MUD is not yet widely deployed in real-world scenarios. In this work, we analyze the current research landscape around this standard, and describe some of the main challenges to be considered in the coming years to foster its adoption and deployment. Based on the literature analysis and our own experience in this area, we further describe potential research directions exploiting the MUD standard to encourage the development of secure IoT-enabled scenarios.

    Securing IP Mobility Management for Vehicular Ad Hoc Networks

    The proliferation of Intelligent Transportation Systems (ITSs) applications, such as Internet access and Infotainment, highlights the requirements for improving the underlying mobility management protocols for Vehicular Ad Hoc Networks (VANETs). Mobility management protocols in VANETs are envisioned to support mobile nodes (MNs), i.e., vehicles, with seamless communications, in which service continuity is guaranteed while vehicles are roaming through different RoadSide Units (RSUs) with heterogeneous wireless technologies. Due to its standardization and wide deployment, IP mobility (also called Mobile IP (MIP)) is the most popular mobility management protocol used for mobile networks including VANETs. In addition, because of the diversity of possible applications, the Internet Engineering Task Force (IETF) issues many MIP standards, such as MIPv6 and NEMO for global mobility, and Proxy MIP (PMIPv6) for localized mobility. However, many challenges have been posed for integrating IP mobility with VANETs, including the vehicle's high speeds, multi-hop communications, scalability, and efficiency. From a security perspective, we observe three main challenges: 1) each vehicle's anonymity and location privacy, 2) authenticating vehicles in multi-hop communications, and 3) physical-layer location privacy. In transmitting mobile IPv6 binding update signaling messages, the mobile node's Home Address (HoA) and Care-of Address (CoA) are transmitted as plain-text, hence they can be revealed by other network entities and attackers. The mobile node's HoA and CoA represent its identity and its current location, respectively, therefore revealing an MN's HoA means breaking its anonymity while revealing an MN's CoA means breaking its location privacy. On one hand, some existing anonymity and location privacy schemes require intensive computations, which means they cannot be used in such time-restricted seamless communications.
On the other hand, some schemes only achieve seamless communication through low anonymity and location privacy levels. Therefore, the trade-off between the network performance, on one side, and the MN's anonymity and location privacy, on the other side, makes preservation of privacy a challenging issue. In addition, for PMIPv6 to provide IP mobility in an infrastructure-connected multi-hop VANET, an MN uses a relay node (RN) for communicating with its Mobile Access Gateway (MAG). Therefore, a mutual authentication between the MN and RN is required to thwart authentication attacks early in such scenarios. Furthermore, for a NEMO-based VANET infrastructure, which is used in public hotspots installed inside moving vehicles, protecting physical-layer location privacy is a prerequisite for achieving privacy in upper-layers such as the IP-layer. Due to the open nature of the wireless environment, a physical-layer attacker can easily localize users by employing signals transmitted from these users. In this dissertation, we address those security challenges by proposing three security schemes to be employed for different mobility management scenarios in VANETs, namely, the MIPv6, PMIPv6, and Network Mobility (NEMO) protocols. First, for MIPv6 protocol and based on the onion routing and anonymizer, we propose an anonymous and location privacy-preserving scheme (ALPP) that involves two complementary sub-schemes: anonymous home binding update (AHBU) and anonymous return routability (ARR). In addition, anonymous mutual authentication and key establishment schemes have been proposed, to authenticate a mobile node to its foreign gateway and create a shared key between them. Unlike existing schemes, ALPP alleviates the tradeoff between the networking performance and the achieved privacy level. 
Combining onion routing and the anonymizer in the ALPP scheme increases the achieved location privacy level, in which no entity in the network except the mobile node itself can identify this node's location. Using the entropy model, we show that ALPP achieves a higher degree of anonymity than that achieved by the mix-based scheme. Compared to existing schemes, the AHBU and ARR sub-schemes achieve smaller computation overheads and thwart both internal and external adversaries. Simulation results demonstrate that our sub-schemes have low control-packets routing delays, and are suitable for seamless communications. Second, for the multi-hop authentication problem in PMIPv6-based VANET, we propose EM3A, a novel mutual authentication scheme that guarantees the authenticity of both MN and RN. EM3A thwarts authentication attacks, including Denial of service (DoS), collusion, impersonation, replay, and man-in-the-middle attacks. EM3A works in conjunction with a proposed scheme for key establishment based on symmetric polynomials, to generate a shared secret key between an MN and an RN. This scheme achieves lower revocation overhead than that achieved by existing symmetric polynomial-based schemes. For a PMIP domain with n points of attachment and a symmetric polynomial of degree t, our scheme achieves t x 2^n-secrecy, whereas the existing symmetric polynomial-based authentication schemes achieve only t-secrecy. Computation and communication overhead analysis as well as simulation results show that EM3A achieves low authentication delay and is suitable for seamless multi-hop IP communications. Furthermore, we present a case study of a multi-hop authentication PMIP (MA-PMIP) implemented in vehicular networks. EM3A represents the multi-hop authentication in MA-PMIP to mutually authenticate the roaming vehicle and its relay vehicle. 
Compared to other authentication schemes, we show that our MA-PMIP protocol with EM3A achieves 99.6% and 96.8% reductions in authentication delay and communication overhead, respectively. Finally, we consider the physical-layer location privacy attacks in the NEMO-based VANETs scenario, such as would be presented by a public hotspot installed inside a moving vehicle. We modify the obfuscation, i.e., concealment, and power variability ideas and propose a new physical-layer location privacy scheme, the fake point-cluster based scheme, to prevent attackers from localizing users inside NEMO-based VANET hotspots. Involving the fake point and cluster based sub-schemes, the proposed scheme can: 1) confuse the attackers by increasing the estimation errors of their Received Signal Strength (RSS) measurements, and 2) prevent attackers' monitoring devices from detecting the user's transmitted signals. We show that our scheme not only achieves higher location privacy, but also increases the overall network performance. Employing correctness, accuracy, and certainty as three different metrics, we analytically measure the location privacy achieved by our proposed scheme. In addition, using extensive simulations, we demonstrate that the fake point-cluster based scheme can be practically implemented in high-speed VANET scenarios.

    Esquema de controlo para redes multicast baseadas com classes

    Doctorate in Electrical Engineering. The expectations of citizens from the Information Technologies (ITs) are increasing as the ITs have become an integral part of our society, serving all kinds of activities whether professional, leisure, safety-critical applications or business. Hence, the limitations of the traditional network designs to provide innovative and enhanced services and applications motivated a consensus to integrate all services over packet switching infrastructures, using the Internet Protocol, so as to leverage flexible control and economical benefits in the Next Generation Networks (NGNs). However, the Internet is not capable of treating services differently while each service has its own requirements (e.g., Quality of Service - QoS). Therefore, the need for more evolved forms of communications has driven radical changes of architectural and layering designs which demand appropriate solutions for service admission and network resources control. This Thesis addresses QoS and network control issues, aiming to improve overall control performance in current and future networks which classify services into classes. The Thesis is divided into three parts. In the first part, we propose two resource over-reservation algorithms, a Class-based bandwidth Over-Reservation (COR) and an Enhanced COR (ECOR). The over-reservation means reserving more bandwidth than a Class of Service (CoS) needs, so the QoS reservation signalling rate is reduced. COR and ECOR allow for dynamically defining over-reservation parameters for CoSs based on network interfaces resource conditions; they aim to reduce QoS signalling and related overhead without incurring CoS starvation or waste of bandwidth. ECOR differs from COR by allowing for optimizing control overhead minimization.
Further, we propose a centralized control mechanism called Advanced Centralization Architecture (ACA), that uses a single stateful Control Decision Point (CDP) which maintains a good view of its underlying network topology and the related links resource statistics on a real-time basis to control the overall network. It is very important to mention that, in this Thesis, we use multicast trees as the basis for session transport, not only for group communication purposes, but mainly to pin packets of a session mapped to a tree to follow the desired tree. Our simulation results prove a drastic reduction of QoS control signalling and the related overhead without QoS violation or waste of resources. Besides, we provide a generic-purpose analytical model to assess the impact of various parameters (e.g., link capacity, session dynamics, etc.) that generally challenge resource overprovisioning control. In the second part of this Thesis, we propose a decentralization control mechanism called Advanced Class-based resource OverpRovisioning (ACOR), that aims to achieve better scalability than the ACA approach. ACOR enables multiple CDPs, distributed at the network edge, to cooperate and exchange appropriate control data (e.g., trees and bandwidth usage information) such that each CDP is able to maintain a good knowledge of the network topology and the related links resource statistics on a real-time basis. From a scalability perspective, ACOR cooperation is selective, meaning that control information is exchanged dynamically among only the CDPs which are concerned (correlated). Moreover, the synchronization is carried out through our proposed concept of Virtual Over-Provisioned Resource (VOPR), which is a share of over-reservations of each interface to each tree that uses the interface. Thus, each CDP can process several session requests over a tree without requiring synchronization between the correlated CDPs as long as the VOPR of the tree is not exhausted.
Analytical and simulation results demonstrate that aggregate over-reservation control in decentralized scenarios keeps signalling low without QoS violations or waste of resources. We also introduced a control signalling protocol called ACOR Protocol (ACOR-P) to support the centralization and decentralization designs in this Thesis. Further, we propose an Extended ACOR (E-ACOR) which aggregates the VOPR of all trees that originate at the same CDP, and more session requests can be processed without synchronization when compared with ACOR. In addition, E-ACOR introduces a mechanism to efficiently track network congestion information to prevent unnecessary synchronization during congestion time when VOPRs would exhaust upon every session request. The performance evaluation through analytical and simulation results proves the superiority of E-ACOR in minimizing overall control signalling overhead while keeping all advantages of ACOR, that is, without incurring QoS violations or waste of resources. The last part of this Thesis includes the Survivable ACOR (SACOR) proposal to support stable operations of the QoS and network control mechanisms in case of failures and recoveries (e.g., of links and nodes). The performance results show flexible survivability characterized by fast convergence time and differentiation of traffic re-routing under efficient resource utilization, i.e., without wasting bandwidth.
In summary, the QoS and architectural control mechanisms proposed in this Thesis provide efficient and scalable support for network control key sub-systems (e.g., QoS and resource control, traffic engineering, multicasting, etc.), and thus allow for optimizing network overall control performance.

As Information Technologies (ITs) have become an integral part of our society, citizens' expectations regarding the use of these services have also increased, whether in professional activities, leisure, safety-critical applications or business. The limitations of traditional network designs in providing innovative services and advanced applications therefore motivated a consensus on integrating all services and packet-switching infrastructures, using IP, so as to obtain economic benefits and more flexible control in Next Generation Networks (NGNs). However, given that the Internet is not capable of differentiating services, and knowing that each service has its own requirements, such as Quality of Service (QoS), the need for more evolved forms of communication has become increasingly visible, leading to radical changes in network architecture that demand appropriate solutions for service admission and network resource control. This work therefore addresses QoS and network control issues with the aim of improving overall resource control performance in current and future networks, by analysing services according to their classes of service. This Thesis is divided into three parts. In the first part, two over-reservation algorithms are proposed: Class-based bandwidth Over-Reservation (COR) and an improved extension of COR called Enhanced COR (ECOR).
Over-reservation means reserving more bandwidth for the service in question than a class of service (CoS) needs, and therefore the amount of signalling for resource reservation is reduced. COR and ECOR use a dynamic definition of over-reservation parameters for CoSs based on network conditions, with a view to reducing QoS signalling overhead without wasting bandwidth. ECOR, in turn, differs from COR by allowing optimization with minimization of control overhead. In addition, this Thesis also proposes a centralized control mechanism called Advanced Centralization Architecture (ACA), using a single Control Decision Point (CDP) that maintains a broad view of the network topology and an analysis of the resources in use in real time as the basis of control for the overall network. In this Thesis, multicast trees are used as the basis for session transport, not only for group communication purposes, but mainly so that packets belonging to a session mapped to a given tree follow its path. The simulation results for the mechanisms show a significant reduction in control signalling overhead, without violating QoS requirements or wasting resources. In addition, an analytical model was proposed to assess the impact of various parameters (e.g., link capacity, session dynamics, etc.) on resource over-provisioning. In the second part of this Thesis, a decentralized resource control mechanism called Advanced Class-based resource OverpRovisioning (ACOR) is proposed, which achieves better scalability than ACA.
ACOR allows the network's control decision points, the CDPs, to be distributed at the network edge and to cooperate with each other by exchanging appropriate data and control information (for example, the location of trees and bandwidth usage information), such that each CDP is able to maintain a good knowledge of the network topology as well as of its links. From a scalability perspective, ACOR cooperation is selective, meaning that control information is exchanged dynamically only among the CDPs analysed. In addition, synchronization is carried out through the proposed concept of Virtual Over-Provisioned Resource (VOPR), which shares the reservations of each interface among each tree that uses the interface. Thus, each CDP can process session requests on one or more trees without the need for synchronization between correlated CDPs, as long as the tree's VOPR is not exhausted. Analytical and simulation results demonstrate that over-reservation control is aggregated in decentralized scenarios, keeping QoS signalling low without loss of bandwidth. A control signalling protocol called ACOR Protocol (ACOR-P) is also developed to support the centralized and decentralized architectures of this work. Extended ACOR (E-ACOR) aggregates the VOPR of all trees that originate at the same CDP, and more session requests can be processed without the need for synchronization when compared with ACOR. In addition, E-ACOR introduces a mechanism to track information about network congestion, and prevents unnecessary synchronization during congestion when VOPRs are exhausted with each session request.
The performance evaluation, through analytical and simulation results, shows the superiority of E-ACOR in minimizing overall control signalling load while keeping all the advantages of ACOR, without QoS violations or waste of resources. The last part of this Thesis includes the proposal for failure recovery, Survivability ACOR (SACOR), which provides stable QoS in the event of link and node failures. The performance results analysed show a flexible survivability capability characterized by fast convergence time and traffic differentiation with efficient resource utilization. In summary, the resource control mechanisms proposed in this Thesis provide efficient and scalable support for network control, as well as for its main sub-systems (e.g., QoS, resource control, traffic engineering, multicast, etc.), and thus allow network performance to be optimized at the level of overall control.

    Tunnel Extensible Authentication Protocol (TEAP) Version 1

    No full text