11 research outputs found

    Relevant Affect Factors of Smartphone Mobile Data Traffic

    Smartphones are used to access a wide range of information and communication services and to perform functions based on data transfer. The number of smartphone subscription contracts is rapidly increasing, and the development of mobile communication networks provides higher data transfer speeds. The continuous increase in the average amount of data traffic per subscriber contract leads to an increase in total Mobile Data Traffic (MDT) globally. This research summarizes the factors that affect the amount of smartphone MDT. Previous literature considers only a few of the factors that affect smartphone MDT, and only individually. The results of the research clarify the ways in which the amount of MDT generated by a smartphone is influenced. This paper raises users' awareness of how smartphone MDT is generated and allows users to specify the parameters that affect the prediction of the MDT generated by a smartphone.

    An Overview of Distributed Denial of Service Traffic Detection Approaches

    The availability of information and communication (IC) resources is a growing problem caused by the increase in the number of users and IC services and by capacity constraints. IC resources need to be available to legitimate users at the required time. Availability is of crucial importance in IC environments such as smart cities, autonomous vehicles, or critical infrastructure management systems. In these and similar environments, the unavailability of resources can also have negative consequences for people's safety. Distributed denial of service (DDoS) attacks, and the traffic such attacks generate, have been a growing problem over the last decade. Their goal is to disable access to resources for legitimate users. This paper analyses the trends of such traffic, which indicates the importance of research into its detection methods. The paper also provides an overview of the approaches currently used in the development of detection systems and models. Based on the analysis of previous research, the disadvantages of the approaches used have been identified, which opens the space and gives direction for future research. In addition, this paper highlights DDoS traffic generated through Internet of Things (IoT) devices as an evolving threat that needs to be taken into consideration in future studies.

    Beacon technology for real-time informing the traffic network users about the environment

    Informing users about their environment is of extreme importance for their full and independent functioning in the traffic system. Today's technology gives users access to information about their environment through a smartphone at any moment, provided a suitable application solution is defined. For this, it is necessary to define the user's environment according to the Ambient Assisted Living (AAL) concept, which implies adequate technology for gathering, processing and distributing information. This paper presents a proposed solution, based on beacon technology, for informing a defined group of traffic network users about their environment. The solution is based on the results of two separate studies of the needs of users who move along a part of the traffic network. The aim of the proposed solution is to provide the user with precise, real-time information and to raise the level of safety during movement.

    Deploying an Inter‐European Quantum Network

    Around 40 years have passed since the first pioneering works introduced the possibility of using quantum physics to enhance the security of communications. Nowadays, quantum key distribution (QKD) has left the physics laboratories to become a mature technology, attracting the attention of states, military forces, banks, and private corporations. This work takes on the challenge of bringing QKD closer to a consumer technology: optical fibers deployed by telecommunication companies of different states have been used to realize a quantum network, the first ever connecting three different countries. This work also emphasizes the necessity of networks in which QKD can operate alongside classical communications, whose coexistence currently represents the main limitation of this technology. This network connects Trieste to Rijeka and Ljubljana via a trusted node in Postojna. A key rate of over 3 kbps on the shortest link and a 7-hour-long measurement demonstrate the system's stability and reliability. The network has been used to present QKD at the G20 Digital Ministers' Meeting in Trieste. The experimental results, together with the interest attracted by one of the most important events in international politics, showcase the maturity of the QKD technology bundle, placing it in the spotlight for consumer applications in the near term.

    Network Traffic Anomaly Detection Based on Traffic Characteristics and Device Class Affiliation

    The goal of protecting an information and communication (IC) system is to achieve and maintain the required level of the basic security principles. The basic security principles are represented by the CIA (confidentiality, integrity, availability) model, which covers the integrity, confidentiality and availability of IC resources. One of the factors that negatively affect the availability principle, and whose trend has been continuously rising over the last ten years, is the network-oriented Distributed Denial of Service (DDoS) attack, that is, DDoS traffic as the means of carrying out the attack. DDoS traffic, as a product of a DDoS attack, represents an anomaly in network traffic. With the emergence of the Internet of Things (IoT) concept as a new direction of technological development and a new communication paradigm that brings together billions of new devices connected to the Internet, a new space of security vulnerabilities is created that can be exploited for unauthorized and malicious activities. The subject of research within this doctoral thesis is the characteristics of the traffic generated by IoT devices in a smart home environment as a basis for detecting anomalies that arise as a result of DDoS attacks. This doctoral thesis presents the definition of classes to which IoT devices in a smart home environment can be assigned. The classes are based on the coefficient of variation of the ratio of received to sent traffic of an individual device. It also presents the development of a multi-class classification model based on a boosting machine learning method which, with high accuracy (99.79%), can classify devices on the basis of the characteristics of the generated traffic flow using 13 features. The classification model makes it possible to create a legitimate traffic profile for each device class, which is necessary in the development of the classification model that will enable the detection of network traffic anomalies.
The thesis also presents the development of a network traffic anomaly detection model based on traffic features and device class affiliation. The model was developed using the logistic model tree method, where a different version of the model is applied to each device class, differing in the number of features used and in the branching threshold values of the decision tree. According to the results, the accuracy of the model is high for all four device classes, from 99.92% to 99.99%. This approach to network traffic anomaly detection represents a step forward in research on this problem area, because device classes are used for the first time for the purpose of DDoS traffic detection. The developed model has the potential to recognize previously unseen devices and assign them to the corresponding class for which the legitimate traffic profile is known, whereby an effective model exists that can recognize anomalies based on the feature values of the traffic flow that such a device generates.
The development of the public, packet-oriented communication network (the Internet), accompanied by an increase in the number of users and information and communication (IC) services, has also resulted in an increase in the amount of data transferred. Data stored, processed and transmitted through IC systems is often the target of illegitimate users whose goal is to gain unauthorized access or to prevent legitimate users from accessing IC system resources. This has increased the need for research in the field of IC protection in recent decades. The goal of protecting an IC system is to achieve and maintain the required level of the basic security principles. The basic security principles are presented by the CIA (confidentiality, integrity, availability) model, which embraces the integrity, confidentiality and availability of IC resources. The availability principle is defined as the probability that the requested service (or other IC system resource) will be available to a legitimate user at the required time.
There are several factors that negatively impact the availability of IC resources. They can be classified according to the source of action (internal or external) and the executor (human, environment or technology). One of these factors, with a steadily increasing trend over the last ten years, is the network-oriented Distributed Denial of Service (DDoS) attack, or DDoS traffic as a means of conducting attacks. The traffic generated by a DDoS attack is aimed at exploiting the deficiencies of the elements of the IC system in charge of processing and transmitting data, such as communication links, active network equipment (routers, switches, firewalls, etc.) and devices intended for processing user requests and delivering services (servers). The primary deficiency that a DDoS attack exploits is the limited capacity of the communication link, network equipment, or server. Congestion can result from an increase in the intensity of legitimate inbound traffic that exceeds the total server and queue capacity, which negatively affects the quality of service (QoS). In that case, it is necessary to apply traffic flow control methods which, among traffic flows of equal importance, determine those that will be processed first. Congestion in a communications network may also be the result of deliberately generated DDoS traffic. Such traffic has the characteristics of a legitimate user, and its primary objective is to exploit the previously identified shortcomings of the IC resources and to cause congestion resulting in degraded quality or complete inaccessibility of the IC resources to legitimate users. Using traffic flow control and congestion management methods to solve the DDoS traffic problem is not appropriate, because the traffic flows are not of equal importance; it is therefore necessary to detect illegitimate traffic, which is an anomaly of network traffic at the level of individual network packets or traffic flows.
Network traffic anomaly detection is a dynamic and broad area of research. Any network traffic pattern that deviates from a previously defined profile of legitimate (normal) traffic and has the potential to disrupt the normal operation of the IC system is considered an anomaly. The legitimate traffic profile is defined by the values of traffic features recorded over a period of time in which the traffic-generating terminal device is not compromised and operates in the manner defined by the manufacturer. The root causes of network traffic anomalies may be related to performance or to IC system security. One of the growing causes of security-related network traffic anomalies is DDoS attacks. This type of attack uses a number of compromised terminal devices to generate seemingly legitimate DDoS traffic towards the destination. The consequences of DDoS attacks are degraded quality or complete unavailability of IC services to legitimate users. The emergence of the Internet of Things (IoT) concept as a new direction of technological development, and a new communication paradigm that brings together billions of new devices connected to the Internet, creates a new space of security vulnerabilities that can be exploited for unauthorized and malicious activities. The continuous growth in the number of such devices, their inadequate protection and their ability to generate traffic on the network make them ideal candidates for the creation of a botnet for the purpose of generating DDoS traffic of unprecedented intensity. The smart home, as one of the fastest growing application areas of the IoT concept, is becoming one of the most heterogeneous application areas in terms of the number of IoT device manufacturers.
Such devices are often delivered with minimal or no protection, and their security is further reduced by the ease of use demanded by end users, who often lack the level of knowledge required to install and operate such devices. For these reasons, smart home devices are among the most vulnerable to a number of security threats, in particular their use to generate DDoS traffic. The subject of this doctoral research is the characteristics of the traffic generated by IoT devices in a smart home environment as a basis for detecting anomalies resulting from DDoS attacks. Based on the research problems and the existing shortcomings, the following scientific hypotheses were put forward: (1) Based on the traffic features generated by IoT devices in a smart home environment, it is possible to define classes of IoT devices and associated profiles of legitimate traffic. (2) Based on the defined profile of legitimate traffic of a particular class of IoT devices in a smart home environment, it is possible to detect with high accuracy the illegitimate traffic generated by such devices. The IoT concept offers numerous benefits in different fields of application, but from a security point of view it also raises a number of challenges that need to be adequately addressed. The research within this doctoral thesis considers the smart home environment as one of the fastest growing application areas within the IoT concept. Devices within this environment have many limitations and disadvantages that make them potential generators of DDoS traffic. Despite the identified shortcomings, the communication of such devices generates traffic that possesses specific features and differs from that of conventional devices. This research analyzes the possibility of applying such features for the purpose of classifying devices, regardless of their functionality or purpose.
This kind of classification is necessary in a dynamic and heterogeneous environment such as a smart home, where the number and types of devices grow daily, because it depends solely on the traffic features such devices generate. Device classification allows the legitimate traffic profile of a particular class to be defined; based on this profile, it is possible to determine deviations in the form of anomalies caused by DDoS traffic generated by an individual device. Consequently, the aim of this research is to develop a model for detecting illegitimate DDoS traffic generated by IoT devices in a smart home environment based on specific traffic features and the class affiliation of IoT devices. Based on the above, the scientific contributions of the doctoral research are as follows: (1) Identification of traffic features by which it is possible to classify IoT devices in a smart home environment for the purpose of detecting illegitimate DDoS traffic. (2) Definition of legitimate traffic profiles for each class of IoT device in a smart home environment. (3) A DDoS traffic detection model based on traffic features and the class affiliation of IoT devices. Despite the high detection accuracy and the advantages shown by the methods used, research on the DDoS traffic detection problem to date has some shortcomings. The first drawback lies in the datasets used, that is, in the traffic records that are the basis for the development of detection models. Datasets containing traffic are often outdated, which reduces detection accuracy because they do not reflect the characteristics of current traffic, which change as new IC devices, concepts and services develop. Previous research considers DDoS traffic generated solely through conventional terminal devices, without considering devices for which human involvement is not necessary for communication. The latter devices are unified under the IoT paradigm.
According to predictions, approximately 31 billion IoT devices will exist globally by the end of 2020, and 75 billion by 2025. In that case, 41%, or 12.86 billion IoT devices, will be installed within the smart home (SH) concept. The limitations of IoT devices in general, and thus of SHIoT (smart home IoT) devices, are described in previous research and cover hardware constraints, high autonomy requirements and low production cost, which reduce the ability to implement advanced security methods and increase the risk of numerous threats. Traffic generated by SHIoT devices, or MTC (Machine Type Communication) traffic, differs from the traffic generated by conventional devices, HTC (Human Type Communication) traffic. Although SHIoT devices are characterized by heterogeneity, MTC traffic is homogeneous in contrast to HTC traffic, which means that devices of the same or similar purpose behave approximately equally, that is, they generate traffic of similar characteristics. The planned research seeks to remedy the identified shortcomings of previous research regarding the consideration of SHIoT traffic features when detecting DDoS traffic, the consideration of classes of SHIoT devices that generate roughly equal values of traffic features, and the number of devices used. The importance of this research is also evident in the increasing number of research efforts and projects in this field. An example is the project Mitigating IoT-Based Distributed Denial of Service (DDoS), implemented by NIST (National Institute of Standards and Technology) and NCCoE (National Cybersecurity Center of Excellence), which addresses the issue of DDoS traffic generated through IoT devices. The research within this doctoral thesis established a laboratory smart home environment.
Such an environment comprises a variety of SHIoT devices, along with the accompanying communication infrastructure and a software and hardware platform that enables traffic collection and the creation of a dataset for the later stages of research and the development of network traffic anomaly detection models. In addition to the primary data collected through the process described above, the research also included secondary data covering a greater variety of SHIoT devices. The reason for this is the heterogeneity of devices that can exist in the observed environment. A total of 41 devices in a smart home environment were used for this doctoral research. According to statistics, estimates of the average number of SHIoT devices per household with some form of smart home implementation differ, ranging from 6.53 to 14 SHIoT devices per household. In the Republic of Croatia, smart home adoption is still low, and telecom operators are assuming the role of smart home provider by offering SHIoT devices to end users. For example, the Internet service provider Iskon offers customers a smart home package consisting of four SHIoT devices, while the telecom operator A1 lets users deploy a total of five SHIoT devices in a smart home environment. Despite this, the research sought to achieve the greatest possible variety of SHIoT devices, because device classes had to be defined based on the characteristics of the generated traffic. Therefore, the number of devices used is higher than the current statistical estimate of the average number of SHIoT devices per smart home in the Republic of Croatia and worldwide. The predictability of IoT device behavior is a phenomenon observed in numerous studies of the communication activities of IoT devices.
Given that SHIoT devices have a limited number of functionalities, certain devices will behave approximately the same over time according to the values of the observed traffic features. Unlike IoT devices, conventional devices (smartphones, desktops, laptops, etc.) support the installation of a large number of applications, and the communication activity of such devices depends on the end users and how the device is used. Accordingly, the index of the predictability level of the behavior of an IoT device, expressed as the coefficient of variation of the amount of data received and sent (the Cu index), is a measure on the basis of which it is possible to determine the behavior of an SHIoT device over a period of time. The closer the Cu index is to 0, the smaller the deviation of the observed device with respect to the amount of data received and sent, and the level of predictability of the behavior of such a device is considered higher than that of a device whose Cu index is greater than 0. For the purpose of developing a classification model based on the logistic regression method enhanced by the concept of supervised machine learning, a dataset was created containing the values of the extracted features of the traffic flows of SHIoT devices and, for each traffic flow in the set, the class of the individual device. Model development, testing and validation were performed using the WEKA software tool, with the support of MS Excel 2016 during the preparation of the model development dataset. Since a total of 59 features were selected using the information gain method, the number of features was gradually reduced during model development while the validation measures of each model were compared. The aim of this procedure is to develop a model that uses the smallest possible number of independent features without significantly affecting its performance. Each model was validated by k-fold cross-validation with k = 10.
This method is used to evaluate the behavior of the model on data not used in the learning phase. The model is applied iteratively k times over the dataset. In each iteration, the dataset is divided into k parts: one part is used to validate the model while the remaining k-1 parts are combined into a learning subset. In order to develop DDoS traffic detection models based on predefined classes of SHIoT devices, it is necessary to define the legitimate traffic profile of each device class. When developing any anomaly detection model based on supervised machine learning methods, it is necessary to have a dataset that represents legitimate traffic and a dataset that represents illegitimate traffic. The defined classes of SHIoT devices allow a legitimate traffic profile to be established for each device class, which is important in the later development of anomaly detection models. In doing so, the SHIoT device traffic feature values become part of the legitimate profile of the observed device class. The legitimate traffic profile of a particular class of SHIoT device is defined by the feature values of those traffic flows that the classification model assigns to that class. The Logistic Model Trees (LMT) method was used to develop the model for detecting illegitimate DDoS network traffic. The WEKA software tool was used to implement the method and to process the data: the datasets representing the profiles of normal traffic resulting from the SHIoT device classification model and the illegitimate DDoS traffic datasets. The developed model for detecting illegitimate DDoS traffic operates in two stages. The first stage, the classification of the SHIoT device based on the generated traffic flow, is a prerequisite for the detection of DDoS traffic in the second stage.
The basic metrics that indicate model performance are classification accuracy and the kappa statistic. In terms of classification accuracy, all models show high performance, which means that, based on an observed flow, they can determine with high accuracy whether the traffic flow is the result of legitimate device communication or the device is generating DDoS traffic. Thus, the LMT model for device class C1 shows an accuracy of 99.9216%, i.e. 56092 traffic flows accurately classified as DDoS or as traffic legitimately belonging to a SHIoT device in class C1. A total of 44 traffic flows were misclassified, or 0.0784% of the total set of 56136. In addition to high accuracy, the LMT model for device class C1 also exhibits a kappa coefficient (κ = 0.9984) indicating high model performance. The LMT model version developed for class C2 shows high accuracy (99.9966%). This corresponds to 59660 accurately classified traffic flows in a set of 59662 traffic flows. The classification error is 0.0034%, or two traffic flows. The kappa coefficient is 0.9999, which indicates the high performance of this LMT model. The LMT classification model developed for class C3 provides 99.9744% accuracy: out of a total of 58661 traffic flows, 15 were misclassified, or 0.0256%, while 58646 were accurately classified. The kappa coefficient of 0.9995, as in the previous versions of the LMT model, indicates its high performance. The last version of the LMT model, developed for class C4, shows an accuracy of 99.9583%, which corresponds to 59879 correctly classified traffic flows. Accordingly, a total of 25 traffic flows were misclassified. The success of the model as measured by the kappa coefficient is 0.9992. The research has shown that it is possible to define device classes based on the variation of the ratio of received to sent traffic, and that it is possible to classify devices into the defined classes based on the traffic flow features such devices generate.
Finally, depending on the affiliation of an individual device to a defined class, it is possible to determine whether the traffic flow that the device generates is an anomaly in the form of DDoS traffic or legitimate traffic.

    Network Traffic Anomaly Detection Based on Traffic Characteristics and Device Class Affiliation

    No full text
    Cilj zaštite informacijsko-komunikacijskog (IK) sustava podrazumijeva postizanje i održavanje zahtijevane razine osnovnih načela sigurnosti. Osnovna načela sigurnosti predstavljena su CIA (engl. confidentiality, integrity, availability) modelom koji obuhvaća cjelovitost, povjerljivost i dostupnost IK resursa. Jedan od čimbenika koji negativno utječu na načelo dostupnosti, a čiji trend je u kontinuiranom porastu posljednjih deset godina, mrežno je orijentirani distribuirani napad uskraćivanja usluge (engl. Distributed Denial of Service, DDoS), odnosno DDoS promet kao sredstvo provođenja napada. DDoS promet kao produkt DDoS napada predstavlja anomaliju u mrežnom prometu. Pojavom koncepta internet stvari (engl. Internet of Things, IoT) kao novog pravca tehnološkog razvoja i nove komunikacijske paradigme koja objedinjuje milijarde novih uređaja povezanih na internetsku mrežu, stvara se novi prostor sigurnosnih ranjivosti koje je moguće iskoristiti za neovlaštene i maliciozne aktivnosti. Predmet istraživanja u okviru ovog doktorskog rada je karakterističnost prometa generiranog IoT uređajima u okruženju pametnog doma kao osnove za detekciju anomalija koje nastaju kao rezultat provedbe DDoS napada. Ovim doktorskim radom prikazano je definiranje klasa unutar kojih je moguće dodijeliti IoT uređaje u okruženju pametnog doma. Klase se temelje na koeficijentu varijacije odnosa primljenog i poslanog prometa pojedinog uređaja. Jednako tako prikazan je i razvoj višeklasnog klasifikacijskog modela temeljen na boosoting metodi strojnog učenja koji uz visoku točnost (99,79 %) može klasificirati uređaje po osnovi karakteristika generiranog prometnog toka koristeći 13 značajki. Klasifikacijski model pruža mogućnost stvaranja profila legitimnog prometa pojedine klase uređaja nužnog u razvoju klasifikacijskog modela koji će omogućiti detekciju anomalija mrežnoga prometa. 
Radom je prikazan i razvoj modela detekcije anomalija mrežnoga prometa temeljenog na značajkama prometa i klasnoj pripadnosti uređaja. Model je razvijen uz korištenje metode logističkih stabala odluke pri čemu se za svaku klasu uređaja primjenjuje drugačija inačica modela koja se razlikuje u broju korištenih značajki i graničnim vrijednostima grananja stabla odluke. Prema rezultatima, visoka je točnost modela za sve četiri klase uređaja, od 99,92 % do 99,99 %. Navedeni pristup detekciji anomalija mrežnoga prometa predstavlja iskorak u istraživanju ovog problemskog područja jer se po prvi put koriste klase uređaja u svrhu detekcije DDoS prometa. Razvijeni model ima potencijal prepoznati do sada neviđene uređaje te ih dodijeliti pripadajućoj klasi za koju je poznat profil legitimnog prometa pri čemu postoji učinkovit model koji može prepoznati anomalije na temelju vrijednosti značajki prometnog toka koji takav uređaj generira.The development of a public, packet-oriented, communication network (Internet network), accompanied by an increase in the number of users and information and communication (IC) services, has also resulted in an increase in the amount of data transferred. Data stored, processed and transmitted through the IC system is often the target of illegitimate users whose goal is to gain unauthorized access or to prevent legitimate users from accessing IC system resources. This results in an increase in the need for research in the field of IC protection in recent decades. The goal of protecting an IC system is to achieve and maintain the required level of basic security principles. The basic principles of security are presented by the CIA (confidentiality, integrity, availability) model, which embraces the integrity, confidentiality and availability of IC resources. The availability principle is defined as the probability that the requested service (or other IC system resource) will be available to a legitimate user at the required time. 
There are several factors to negatively impact the availability of IC resources. They can be classified according to the source of action (internal and external) and the executor (human, environment and technology). One of these factors with the steadily increasing trend over the last ten years is network-oriented Distributed Denial of Service (DDoS) attack, or DDoS traffic as a means of conducting attacks. The traffic generated by the DDoS attack is aimed at exploiting the deficiencies of the elements of the IC system in charge of processing and transmitting data such as communication links, active network equipment (routers, switches, firewalls, etc.) and devices intended for processing user requests and delivery of services (servers). The primary disadvantage that a DDoS attack exploits is the limitation of the capacity of the communication link, network equipment, or server. Congestion can result from an increase in the intensity of legitimate inbound traffic that exceeds the total server and queue capacity, which negatively affects the quality of service (QoS). In doing so, it is necessary to apply traffic flow control methods which, between traffic flows of equal importance, will determine those that will be processed first. Another way of creating congestion in a communications network may be the result of deliberately generating DDoS traffic. Such traffic has the characteristics of a legitimate user, and its primary objective is to exploit the previously identified shortcomings of the IC resources and to cause congestion resulting in degradation of quality or complete inaccessibility of the IC resources to the legitimate user. Using traffic flow control and congestion management methods to solve DDoS traffic problems is not appropriate. The reason is that traffic flows are not of equal importance and it is therefore necessary to detect illegitimate traffic, which is an anomaly of network traffic at the level of individual network packets or traffic flow. 
Network traffic anomaly detection is a dynamic and broad area of research. Any network traffic pattern that deviates from a previously defined profile of legitimate (normal) traffic and has the potential to disrupt the normal operation of the IC system is considered an anomaly. The legitimate traffic profile is defined by the values of traffic features recorded over a period of time in which the traffic-generating terminal device is not security compromised and operates in the manner defined by the manufacturer. The root causes of network traffic anomalies may be related to performance or to IC system security. One of the growing causes of security-related network traffic anomalies is DDoS attacks. This type of attack utilizes a number of compromised terminal devices to generate DDoS traffic, which appears legitimate, towards the destination. The consequences of DDoS attacks are degradation of quality or complete unavailability of IC services to legitimate users. The emergence of the Internet of Things (IoT) concept as a new direction of technological development and a new communication paradigm that brings together billions of new devices connected to the Internet creates a new space of security vulnerabilities that can be exploited for unauthorized and malicious activities. The continuous growth in the number of such devices, their inadequate protection and their ability to generate traffic on the network make them ideal candidates for the creation of a botnet for the purpose of generating DDoS traffic of unprecedented intensity. The concept of the smart home, as one of the fastest growing application areas of the IoT concept, is becoming one of the most heterogeneous application areas in terms of the number of IoT device manufacturers.
Such devices are often delivered with minimal or no protection, and their security is further reduced by the ease of use required by end users, who often do not have the level of knowledge required to install and operate such devices. For the reasons listed above, smart home devices are among the most vulnerable to a number of security threats, in particular the use of such devices to generate DDoS traffic. The subject of this doctoral research is the characteristics of the traffic generated by IoT devices in a smart home environment as a basis for detecting anomalies resulting from DDoS attacks. Based on the research problems and the existing shortcomings, the following scientific hypotheses were put forward: (1) Based on the traffic features generated by IoT devices in a smart home environment, it is possible to define classes of IoT devices and associated profiles of legitimate traffic. (2) Based on the defined profile of legitimate traffic of a particular class of IoT devices in a smart home environment, it is possible to detect with high accuracy the illegitimate traffic generated by such devices. The IoT concept offers numerous benefits in different fields of application, but from the security point of view it also raises a number of challenges that need to be adequately addressed. Research within this doctoral thesis considers the smart home environment as one of the fastest growing application areas within the IoT concept. Devices within this environment have many limitations and disadvantages that make them potential generators of DDoS traffic. Despite the identified shortcomings, the communication of such devices generates traffic that possesses specific features and differs from that of conventional devices. This research seeks to analyze the possibilities of applying such features for the purpose of classifying devices, regardless of their functionality or purpose.
This kind of classification is necessary in a dynamic and heterogeneous environment such as a smart home, where the number and types of devices grow daily, since it depends solely on the traffic features such devices generate. Device classification allows the legitimate traffic profile of a particular class to be defined, based on which it is possible to determine deviations in the form of anomalies caused by the generation of DDoS traffic by an individual device. Consequently, the aim of this research is to develop a model for detecting illegitimate DDoS traffic generated by IoT devices in a smart home environment based on specific traffic features and the class affiliation of IoT devices. Based on the above, the scientific contributions of the doctoral research are as follows: (1) Identification of traffic features by which it is possible to classify IoT devices in a smart home environment for the purpose of detecting illegitimate DDoS traffic. (2) Definition of legitimate traffic profiles for each class of IoT device in a smart home environment. (3) A DDoS traffic detection model based on traffic features and the class affiliation of IoT devices. Despite the high detection accuracy and the advantages shown by the methods used, there are some shortcomings in the research of DDoS traffic detection problems to date. The first drawback lies in the datasets used, that is, in the traffic records that are the basis for the development of the detection model. Datasets containing traffic are often outdated, which reduces detection accuracy because they do not reflect the characteristics of current traffic, which change with technological developments in new IC devices, concepts and services. Previous research considers DDoS traffic generated solely by conventional terminal devices, without considering devices that do not require human involvement to communicate. The latter devices are unified under the IoT paradigm.
According to predictions, by the end of 2020 approximately 31 billion IoT devices will exist globally, and by 2025, 75 billion. Of these, 41%, or 12.86 billion IoT devices, will be installed within the smart home (SH) concept. The limitations of IoT devices in general, and thus of SHIoT (smart home IoT) devices, are described in previous research and cover hardware constraints, high autonomy requirements and low production cost, which reduce the ability to implement advanced security methods and increase the risk of numerous threats. Traffic generated by SHIoT devices, or MTC (Machine Type Communication) traffic, differs from traffic generated by conventional devices, HTC (Human Type Communication) traffic. Although SHIoT devices are characterized by heterogeneity, MTC traffic is homogeneous in contrast to HTC traffic, which means that devices of the same or similar purpose behave approximately the same, that is, generate traffic of similar characteristics. The planned research seeks to remedy the identified shortcomings of previous work: taking SHIoT traffic features into account when detecting DDoS traffic, considering classes of SHIoT devices that generate roughly equal traffic feature values, and the number of devices used in the study. The importance of this research is also evident from the increasing number of studies and projects in this field. An example is the project Mitigating IoT-Based Distributed Denial Of Service (DDoS), implemented by NIST (National Institute of Standards and Technology) and NCCoE (National Cybersecurity Center of Excellence), which addresses the issue of generating DDoS traffic through IoT devices. The research within this doctoral thesis established a laboratory smart home environment.
Such an environment comprises a variety of SHIoT devices, along with an accompanying communications infrastructure and a software-hardware platform that enables traffic collection and the creation of a dataset to be applied in later stages of research and in the development of network traffic anomaly detection models. In addition to the primary data collected through the process described above, the research also included secondary data encompassing a greater variety of SHIoT devices. The reason for this is the heterogeneity of devices that can exist in the observed environment. A total of 41 devices in a smart home environment were used for this doctoral research. According to statistics, estimates of the average number of SHIoT devices per household that has some form of smart home implemented differ. These estimates range from 6.53 to 14 SHIoT devices per household. In the Republic of Croatia, smart home adoption is still low, and telecom operators are assuming the role of smart home provider by offering end-user SHIoT devices. For example, the Internet service provider Iskon offers customers the option of purchasing a smart home package consisting of four SHIoT devices, while the telecom operator A1 provides users with the ability to deploy a total of five SHIoT devices in a smart home environment. Despite this, the research sought to achieve the greatest possible variety of SHIoT devices, due to the need to define device classes based on the characteristics of the generated traffic. Therefore, the number of devices used is higher than the current statistical estimate of the average number of SHIoT devices per smart home in the Republic of Croatia and worldwide. Predictability of IoT device behavior is a phenomenon observed in the communication activity of IoT devices in numerous studies.
Given that SHIoT devices have a limited number of functionalities, certain devices will behave approximately the same over time according to the values of the observed traffic features. Unlike IoT devices, conventional devices (smartphones, desktops, laptops, etc.) support the installation of a large number of applications, and the communication activity of such devices depends on the end users and on how the device is used. Accordingly, the index of the predictability level of the behavior of an IoT device, expressed as the coefficient of variation of the amount of data received and sent (the Cu index), is a measure on the basis of which it is possible to determine the behavior of an SHIoT device over a period of time. The closer the Cu index is to 0, the smaller the deviation of the observed device with respect to the amount of data received and sent, and the level of predictability of the behavior of such a device is considered higher than that of a device whose Cu index is further from 0. For the purpose of developing a classification model based on the logistic regression method enhanced by the concept of supervised machine learning, a dataset was created containing the values of the extracted features of the traffic flows of SHIoT devices, together with the class of the individual device for each traffic flow in the set. Model development, testing and validation were performed using the WEKA software tool, with the support of MS Excel 2016 during the preparation of the model development dataset. Since a total of 59 features were selected using the information gain method, the number of features was gradually reduced during model development while the validation measures of each model were compared. The aim of this procedure is to develop a model that uses the smallest possible number of independent features without significantly affecting its performance. Each model was validated by k-fold cross-validation with k = 10.
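The Cu index described above, computed over constructed per-interval byte counts, as an added example that is not code from the thesis. Following the Croatian abstract, Cu is taken as the coefficient of variation (population standard deviation divided by the mean) of the per-interval received/sent ratio; the device names and their traffic samples are constructed, and the handling of intervals with nothing sent is an assumption of this example.

```python
"""Cu index: coefficient of variation of a device's received/sent traffic ratio.

Added example, not code from the thesis. The per-interval byte counts below are
constructed; the device names are hypothetical.
"""
from dataclasses import dataclass
from statistics import fmean, pstdev
from typing import List, Optional, Sequence, Tuple

# One sample per observation interval: (bytes received, bytes sent)
Interval = Tuple[int, int]


@dataclass(frozen=True)
class DeviceTraffic:
    name: str
    intervals: Sequence[Interval]


def received_sent_ratios(intervals: Sequence[Interval]) -> List[float]:
    """Per-interval ratio received/sent.

    Intervals in which the device sent nothing are skipped (assumption of this
    example): the ratio is undefined there, so they cannot enter the statistic.
    """
    return [rx / tx for rx, tx in intervals if tx > 0]


def cu_index(intervals: Sequence[Interval]) -> Optional[float]:
    """Coefficient of variation (population std / mean) of the received/sent ratio.

    Returns None when fewer than two usable intervals exist or the mean ratio is
    zero (a device that only sends), since Cu is undefined in both cases.
    A value of 0.0 means the ratio never changed: maximally predictable behavior.
    """
    ratios = received_sent_ratios(intervals)
    if len(ratios) < 2:
        return None
    mean = fmean(ratios)
    if mean == 0:
        return None
    return pstdev(ratios) / mean


def rank_by_predictability(devices: Sequence[DeviceTraffic]) -> List[Tuple[str, Optional[float]]]:
    """Devices sorted from most to least predictable (lowest Cu first).

    Devices whose Cu cannot be computed are placed last so that a missing value
    is never mistaken for a perfectly predictable device.
    """
    scored = [(d.name, cu_index(d.intervals)) for d in devices]
    return sorted(scored, key=lambda item: (item[1] is None, item[1] or 0.0))


# Constructed observations: four intervals per device.
SMART_PLUG = DeviceTraffic("plug", [(200, 100), (200, 100), (200, 100), (200, 100)])
IP_CAMERA = DeviceTraffic("camera", [(300, 100), (100, 100), (300, 100), (100, 100)])
LAPTOP = DeviceTraffic("laptop", [(100, 100), (100, 100), (700, 100), (700, 100)])
SILENT = DeviceTraffic("silent", [(0, 0), (0, 0), (50, 0), (0, 0)])  # never sends

if __name__ == "__main__":
    for name, cu in rank_by_predictability([LAPTOP, SILENT, IP_CAMERA, SMART_PLUG]):
        print(f"{name:8s} Cu = {cu if cu is None else round(cu, 4)}")
```

The constant-ratio plug scores Cu = 0.0, the camera 0.5 and the laptop 0.75, while the device that never sends gets no Cu at all rather than a misleading 0.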
This method is used to evaluate the behavior of the model on data not used in the learning phase. The model is applied iteratively k times over the dataset. In each iteration, the dataset is divided into k parts: one part is used to validate the model, while the remaining k-1 parts are combined into a learning subset. In order to develop DDoS traffic detection models based on the predefined classes of SHIoT devices, it is necessary to define the legitimate traffic profile of each device class. When developing any anomaly detection model based on supervised machine learning methods, it is necessary to have a dataset that represents legitimate traffic and a dataset that represents illegitimate traffic. The defined classes of SHIoT devices allow a legitimate traffic profile to be established for each device class, which is important in the later development of anomaly detection models. In this way, the traffic feature values of SHIoT devices become part of the legitimate profile of the observed device class. The legitimate traffic profile of a particular class of SHIoT device is defined by the feature values of those traffic flows that the classification model assigns to that class. The Logistic Model Trees (LMT) method was used to develop the model for detecting illegitimate DDoS network traffic. The WEKA software tool was used to implement the method and to process the data: the datasets representing the normal traffic profiles resulting from the SHIoT device classification model and the illegitimate DDoS traffic datasets. The developed model for detecting illegitimate DDoS traffic operates in two phases. The first phase is a prerequisite for the later detection of DDoS traffic in the second phase and consists of classifying the SHIoT device based on the generated traffic flow.
Two of the basic metrics that indicate model performance are classification accuracy and the kappa statistic. According to the classification accuracy, all models show high performance, which means that, based on the observed flow, they can determine with high accuracy whether the traffic flow is the result of legitimate device communication or the device is generating DDoS traffic. Thus, the LMT model for the C1 device class shows an accuracy of 99.9216%, or 56092 accurately classified traffic flows, as either DDoS or a traffic flow that legitimately belongs to a SHIoT device in class C1. A total of 44 traffic flows were misclassified, or 0.0784% of the total set of 56136. In addition to high accuracy, the LMT model for the C1 device class also exhibits a kappa coefficient (κ = 0.9984) indicating high model performance. The LMT model version developed for the C2 class shows high accuracy (99.9966%). This corresponds to 59660 accurately classified traffic flows in a set of 59662 traffic flows. The classification error is 0.0034%, or two traffic flows. The kappa coefficient is 0.9999, which indicates the high performance of this LMT model. The LMT classification model developed for the C3 class achieves 99.9744% accuracy. Out of a total of 58661 traffic flows, 15 were misclassified, or 0.0256%, while 58646 were classified accurately. The kappa coefficient of 0.9995, as in the previous versions of the LMT model, indicates its high performance. The last version of the LMT model, developed for the C4 class, shows an accuracy of 99.9583%, which corresponds to 59879 correctly classified traffic flows. Accordingly, a total of 25 traffic flows were misclassified. The success of the model as measured by the kappa coefficient is 0.9992. The research has shown that it is possible to define device classes based on the variation of the received-to-sent traffic ratio, and that it is possible to classify devices into the defined classes based on the traffic flow features such devices generate.
Finally, depending on the affiliation of an individual device to a defined class, it is possible to determine whether the traffic flow that the device generates is an anomaly in the form of DDoS traffic or legitimate traffic.

    Network Traffic Anomaly Detection Based on Traffic Characteristics and Device Class Affiliation

    No full text
    Cilj zaštite informacijsko-komunikacijskog (IK) sustava podrazumijeva postizanje i održavanje zahtijevane razine osnovnih načela sigurnosti. Osnovna načela sigurnosti predstavljena su CIA (engl. confidentiality, integrity, availability) modelom koji obuhvaća cjelovitost, povjerljivost i dostupnost IK resursa. Jedan od čimbenika koji negativno utječu na načelo dostupnosti, a čiji trend je u kontinuiranom porastu posljednjih deset godina, mrežno je orijentirani distribuirani napad uskraćivanja usluge (engl. Distributed Denial of Service, DDoS), odnosno DDoS promet kao sredstvo provođenja napada. DDoS promet kao produkt DDoS napada predstavlja anomaliju u mrežnom prometu. Pojavom koncepta internet stvari (engl. Internet of Things, IoT) kao novog pravca tehnološkog razvoja i nove komunikacijske paradigme koja objedinjuje milijarde novih uređaja povezanih na internetsku mrežu, stvara se novi prostor sigurnosnih ranjivosti koje je moguće iskoristiti za neovlaštene i maliciozne aktivnosti. Predmet istraživanja u okviru ovog doktorskog rada je karakterističnost prometa generiranog IoT uređajima u okruženju pametnog doma kao osnove za detekciju anomalija koje nastaju kao rezultat provedbe DDoS napada. Ovim doktorskim radom prikazano je definiranje klasa unutar kojih je moguće dodijeliti IoT uređaje u okruženju pametnog doma. Klase se temelje na koeficijentu varijacije odnosa primljenog i poslanog prometa pojedinog uređaja. Jednako tako prikazan je i razvoj višeklasnog klasifikacijskog modela temeljen na boosoting metodi strojnog učenja koji uz visoku točnost (99,79 %) može klasificirati uređaje po osnovi karakteristika generiranog prometnog toka koristeći 13 značajki. Klasifikacijski model pruža mogućnost stvaranja profila legitimnog prometa pojedine klase uređaja nužnog u razvoju klasifikacijskog modela koji će omogućiti detekciju anomalija mrežnoga prometa. 
Radom je prikazan i razvoj modela detekcije anomalija mrežnoga prometa temeljenog na značajkama prometa i klasnoj pripadnosti uređaja. Model je razvijen uz korištenje metode logističkih stabala odluke pri čemu se za svaku klasu uređaja primjenjuje drugačija inačica modela koja se razlikuje u broju korištenih značajki i graničnim vrijednostima grananja stabla odluke. Prema rezultatima, visoka je točnost modela za sve četiri klase uređaja, od 99,92 % do 99,99 %. Navedeni pristup detekciji anomalija mrežnoga prometa predstavlja iskorak u istraživanju ovog problemskog područja jer se po prvi put koriste klase uređaja u svrhu detekcije DDoS prometa. Razvijeni model ima potencijal prepoznati do sada neviđene uređaje te ih dodijeliti pripadajućoj klasi za koju je poznat profil legitimnog prometa pri čemu postoji učinkovit model koji može prepoznati anomalije na temelju vrijednosti značajki prometnog toka koji takav uređaj generira.The development of a public, packet-oriented, communication network (Internet network), accompanied by an increase in the number of users and information and communication (IC) services, has also resulted in an increase in the amount of data transferred. Data stored, processed and transmitted through the IC system is often the target of illegitimate users whose goal is to gain unauthorized access or to prevent legitimate users from accessing IC system resources. This results in an increase in the need for research in the field of IC protection in recent decades. The goal of protecting an IC system is to achieve and maintain the required level of basic security principles. The basic principles of security are presented by the CIA (confidentiality, integrity, availability) model, which embraces the integrity, confidentiality and availability of IC resources. The availability principle is defined as the probability that the requested service (or other IC system resource) will be available to a legitimate user at the required time. 
There are several factors to negatively impact the availability of IC resources. They can be classified according to the source of action (internal and external) and the executor (human, environment and technology). One of these factors with the steadily increasing trend over the last ten years is network-oriented Distributed Denial of Service (DDoS) attack, or DDoS traffic as a means of conducting attacks. The traffic generated by the DDoS attack is aimed at exploiting the deficiencies of the elements of the IC system in charge of processing and transmitting data such as communication links, active network equipment (routers, switches, firewalls, etc.) and devices intended for processing user requests and delivery of services (servers). The primary disadvantage that a DDoS attack exploits is the limitation of the capacity of the communication link, network equipment, or server. Congestion can result from an increase in the intensity of legitimate inbound traffic that exceeds the total server and queue capacity, which negatively affects the quality of service (QoS). In doing so, it is necessary to apply traffic flow control methods which, between traffic flows of equal importance, will determine those that will be processed first. Another way of creating congestion in a communications network may be the result of deliberately generating DDoS traffic. Such traffic has the characteristics of a legitimate user, and its primary objective is to exploit the previously identified shortcomings of the IC resources and to cause congestion resulting in degradation of quality or complete inaccessibility of the IC resources to the legitimate user. Using traffic flow control and congestion management methods to solve DDoS traffic problems is not appropriate. The reason is that traffic flows are not of equal importance and it is therefore necessary to detect illegitimate traffic, which is an anomaly of network traffic at the level of individual network packets or traffic flow. 
Network traffic anomaly detection is a dynamic and broad area of research. Any network traffic pattern that deviates from the sample of a previously defined profile of legitimate (normal) traffic and has the potential to disrupt the normal operation of the IC is considered an anomaly. The legitimate traffic profile is defined by the values of traffic features recorded over a period of time in which the traffic generating terminal device is not security compromised and operates in the manner defined by the manufacturer. The root causes of network traffic anomalies may be related to performance or IC system security. One of the growing causes of security-related network traffic anomalies is DDoS attacks. This type of attack utilizes a number of compromised terminal devices to generate legitimate, DDoS traffic to the destination. The consequences of DDoS attacks are degradation of quality or complete unavailability of IC services to legitimate users. The emergence of the Internet of Things (IoT) concept as a new direction of technological development and a new communication paradigm that brings together billions of new devices connected to the Internet, creates a new space of security vulnerabilities that can be exploited for unauthorized and malicious activities. The continuous growth in the number of such devices, their inadequate protection and the ability to generate traffic on the network, makes them ideal candidates for the creation of a botnet network for the purpose of generating DDoS traffic of unprecedented traffic intensity. The concept of smart home as one of the fastest growing application areas of the IoT concept is becoming one of the most heterogeneous application areas in terms of number of IoT devices manufacturers. 
Such devices are often delivered with minimal or no protection, and the security of such devices is also reduced by the ease of use required by end users, who often do not have the adequate level of knowledge required to install and operate such devices. All of the above listed smart home devices are among the most vulnerable to a number of security threats, emphasizing the use of such devices to generate DDoS traffic. The subject of this doctoral research is the traffic characteristics generated by IoT devices in a smart home environment as a basis for detecting anomalies resulting from DDoS attacks. Based on the research problems and the existing shortcomings, the following scientific hypotheses of the research were put forward: (1) Based on the traffic features generated by IoT devices in a smart home environment, it is possible to define classes of IoT devices and associated profiles of legitimate traffic. (2) Based on the defined profile of legitimate traffic of a particular class of IoT devices in a smart home environment, it is possible to detect with high accuracy the illegitimate traffic generated by such devices. The concept of IoT offers numerous benefits in different fields of application, but from the point of security view, it also highlights a number of challenges that need to be adequately addressed. Research within this doctoral thesis considers the smart home environment as one of the fastest growing application areas within the IoT concept. Devices within this environment have many limitations and disadvantages that make them potential generators of DDoS traffic. Despite the identified shortcomings, the communication of such devices generates traffic that possesses specific features and differences with respect to conventional devices. This research seeks to analyze the possibilities of applying such features for the purpose of classifying devices, regardless of their functionality or purpose. 
This kind of classification is necessary in a dynamic and heterogeneous environment such as a smart home where the number and types of devices grow daily, as it depends solely on the traffic features such devices generate. Device classification allows defining the legitimate traffic profile of a particular class, based on which it is possible to determine deviations in the form of anomalies caused by the DDoS traffic generation of an individual device. Consequently, the aim of this research is to develop a model for detecting illegitimate DDoS traffic generated by IoT devices in a smart home environment based on specific traffic features and class affiliation of IoT devices. Based on the above, the scientific contributions of the doctoral research are as follows: (1) Identification of traffic features by which it is possible to classify IoT devices in a smart home environment for the purpose of detecting illegitimate DDoS traffic. (2) Defining legitimate traffic profiles for each class of IoT device in a smart home environment. (3) DDoS traffic detection model based on traffic features and class affiliation of IoT devices. Despite the high accuracy of detection and the advantages shown by the methods used, there are some shortcomings in the research of DDoS traffic detection problems to date. The first drawback is reflected in the datasets used, that is, in traffic records, which are the basis for the development of the detection model. Datasets containing traffic are often outdated, which reduces the accuracy of detection because they do not reflect the characteristics of current traffic that are changing as technological developments in new IK devices, concepts and services change. The previous research implies DDoS traffic generated solely through conventional terminal devices without considering devices for which human communication is not necessary for communication. The latter devices are unified under the IoT paradigm. 
According to predictions, by the end of 2020, approximately 31 billion IoT devices will exist globally, and till 2025 75 billion. In this case, 41%, or 12.86 billion IoT devices will be installed within the concept of smart home (SH). The limitations of IoT devices in general, and thus SHIoT (smart home IoT) devices, are described in the previous researches, covering hardware constraints, high autonomy requirements and low cost of production, which reduces the ability to implement advanced security methods and increases the risk of numerous threats. Traffic generated by SHIoT devices or MTC (Machine Type Communication) traffic is different from traffic generated through conventional devices, HTC (Human Type Communication) traffic. Although SHIoT devices are characterized by heterogeneity, MTC traffic is homogeneous in contrast to HTC traffic, which means that devices of the same or similar purpose behave approximately equally, that is, generate traffic of similar characteristics. The identified shortcomings of previous research, such as taking into account of SHIoT traffic features when detecting DDoS traffic, the consideration of classes of SHIoT devices that generate roughly equal values of traffic features, and the number of devices used in the study, will be sought to be remedied by planned research. The importance of this research is also evident through the increasing number of research and projects in this field. An example of this is the project called Mitigating IoT-Based Distributed Denial Of Service (DDoS), implemented by NIST (National Institute of Standards and Technology) and NCCoE (National Cybersecurity Center of Exellence), which addresses the issue of generating DDoS traffic through an IoT device. The research within this doctoral thesis formed the laboratory environment of the smart home. 
Such an environment is comprised of a variety of SHIoT devices, along with an accompanying communications infrastructure and software-hardware platform that enables traffic collection and data set to be applied in later stages of research and development of network traffic anomaly detection models. In addition to the primary data collected through the process described above, the research also included secondary data, encompassing a greater variety of SHIoT devices. The reason for this is the heterogeneity of devices that can exist in the observed environment. A total of 41 devices in a smart home environment were used for this doctoral research. According to statistics, there are differences in the estimation of the average number of SHIoT devices per household that has a certain form of smart home implemented. These estimates range from 6.53 to 14 SHoT devices per household. In the Republic of Croatia, smart home representation is still low, and telecom operators are assuming the role of smart home provider through the offering of end-user SHIoT devices. For example, Iskon Internet service provider offers customers the option of purchasing a smart home package that makes four SHIoT devices, while telecom operator A1 provides users with the ability to deploy a total of five SHIoT devices in a smart home environment. Despite mentioned, this research sought to achieve the greatest possible variety of SHIoT devices due to the need to define device classes based on the characteristics of the traffic generated. Therefore, the number of devices used is higher than the current statistical estimate of the average value of SHIoT devices per smart home in the Republic of Croatia and worldwide. Predictability of IoT device behavior is a phenomenon that has been the result of communication activities of IoT devices observed in numerous studies. 
Given that SHIoT devices have a limited number of functionalities, certain devices will behave approximately the same in time according to the values of the observed traffic features. Unlike IoT devices, conventional devices (smartphones, desktops, laptops, etc.) support the installation of a large number of applications, where the communication activity of such devices depends on the end users and how the device is used. Accordingly, the index of the predictability level of the behavior of an IoT device, expressed by the coefficient of variation of the received and sent amount of data (Cu index), is a measure on the basis of which it is possible to determine the behavior of an SHIoT device over a period of time. The closer the index (Cu) to 0, the observed device has a smaller deviation with respect to the amount of data received and sent, and it is considered that the level of predictability of the behavior of such device is higher than the device whose index Cu is greater than 0. For the purpose of developing a classification model based on the logistic regression method enhanced by the concept of supervised machine learning, a data set was created containing the values of extracted features of traffic flows of SHIoT devices and belonging to the class of individual device for each traffic flow in the set. Model development, testing and validation were performed using the WEKA software tool with the support of MS Excel 2016 during the preparation of the model development dataset. Since a total of 59 features were selected using the information gain method, during model development, the number of features was gradually reduced when the validation measures for each model were compared. The aim of this procedure is to develop a model that will use the least possible number of independent features that will not significantly affect its performance. Each model was validated by k-fold cross-validation at k = 10. 
This method is used to evaluate the behavior of the model over data not used in the learning phase. In doing so, the model is applied iteratively k times over the dataset. In each iteration, the data set is divided into k parts. One part of the set is used to validate the model while the remaining k-1 parts of the set are combined into a model learning subset. In order to develop DDoS traffic detection models based on predefined classes of SHIoT devices, it is necessary to define the legitimate traffic profile of each device class. When developing any anomaly detection model based on supervised machine learning methods, it is necessary to have a data set that represents legitimate traffic and a data set that represents illegitimate traffic. The defined classes of SHIoT devices allow the establishment of a legitimate traffic profile for each class of device, which is important in the later development of anomaly detection models. In doing so, the SHIoT device traffic feature values become part of the legitimate profile of the observed device class. The legitimate traffic profile of a particular class of SHIoT device is defined by the feature values of those traffic flows that are assigned to that class of SHIoT device by the classification model. The Logistic Model Trees (LMT) method was used to develop a model for detecting illegitimate DDoS network traffic. The WEKA software tool was used to implement the method and to process the data, i.e. the datasets that represent the profiles of normal traffic resulting from the SHIoT device classification model and the illegitimate DDoS traffic datasets. The developed model for detecting illegitimate DDoS traffic operates in two phases. The first phase is a prerequisite for the later detection of DDoS traffic in the second phase of operation and consists of classifying the SHIoT device based on the generated traffic flow. 
Two basic metrics that indicate model performance are classification accuracy and the kappa statistic. According to the classification accuracy, all models show high performance, which means that, based on the observed flow, they can determine with high accuracy whether the traffic flow is the result of legitimate device communication or the device is generating DDoS traffic. Thus, the LMT model for the C1 device class shows an accuracy of 99.9216%, or 56092 accurately classified traffic flows, as either DDoS or a traffic flow that legitimately belongs to a SHIoT device in class C1. A total of 44 traffic flows were misclassified, or 0.0784% of the total set of 56136. In addition to high accuracy, the LMT model for the C1 device class also exhibits a kappa coefficient (κ = 0.9984) indicating high model performance. The LMT model version developed for the C2 class shows high accuracy (99.9966%). This implies 59660 accurately classified traffic flows in a set consisting of 59662 traffic flows. The classification error is 0.0034%, or two traffic flows. The kappa coefficient is 0.9999, which indicates the high performance of this LMT model. The LMT classification model developed for the C3 class provides 99.9744% accuracy. Therefore, out of a total of 58661 traffic flows, 15 were misclassified, or 0.0256%, while 58646 were accurately classified. The kappa coefficient of 0.9995, as in the previous versions of the LMT model, indicates its high performance. The last version of the LMT model, developed for the C4 class, shows an accuracy of 99.9583%, which implies 59879 correctly classified traffic flows. Accordingly, a total of 25 traffic flows were misclassified. The success of the model as measured by the kappa coefficient is 0.9992. The research has shown that it is possible to define device classes based on the variation of the ratio of received and sent traffic, and that it is possible to classify devices into the defined classes based on the traffic flow features such devices generate. 
Finally, depending on the affiliation of an individual device to a defined class, it is possible to determine whether the traffic flow that the device generates is an anomaly in the form of DDoS traffic or legitimate traffic.

    Application possibilities of digital forensic procedures in vehicle telematics systems

    No full text
    Technological development has resulted in the possibility of implementing a large number of telematics systems and subsystems within the vehicle. Their purpose is to collect data through a number of sensors on the state of the vehicle as well as its environment. The result of processing the collected data is information that can be used to increase the safety of the passengers inside the vehicle, as well as that of other participants in the traffic network, and to optimize desired resources such as fuel consumption, travel time, etc. The use of vehicle telematics systems and the collected data can be of great importance when an unwanted event occurs in which the vehicle is involved. The aim of this research is to identify vehicle systems that store data, the data types, and the possibility of their extraction using a digital forensic framework, for the purpose of a timely reaction to the occurrence of a negative event.

    Enhancing Industrial IoT Network Security through Blockchain Integration

    No full text
    In the rapidly evolving landscape of industrial ecosystems, Industrial IoT networks face increasing security challenges. Traditional security methods often struggle to protect these networks adequately, posing risks to data integrity, confidentiality, and access control. Our research introduces a methodology that leverages blockchain technology to enhance the security and trustworthiness of IoT networks. This approach starts with sensor nodes collecting and compressing data, followed by encryption using the ChaCha20-Poly1305 algorithm and transmission to local aggregators. A crucial element of our system is the private blockchain gateway, which processes and classifies data based on confidentiality levels, determining their storage in cloud servers or the Interplanetary File System for enhanced security. The system's integrity and authenticity are further reinforced through the proof of authority consensus mechanism. This system employs Zero Knowledge Proof challenges for device authorization, optimizing data retrieval while maintaining a delicate balance between security and accessibility. Our methodology contributes to mitigating vulnerabilities in Industrial IoT networks and is part of a broader effort to advance the security and operational efficiency of these systems. It reflects an understanding of the diverse and evolving challenges in IoT security, emphasizing the need for continuous innovation and adaptation in this dynamic field.