32 research outputs found

    Integrating complex event processing and machine learning: An intelligent architecture for detecting IoT security attacks

    The Internet of Things (IoT) is growing globally at a fast pace: people now find themselves surrounded by a variety of IoT devices such as smartphones and wearables in their everyday lives. Additionally, smart environments, such as smart healthcare systems, smart industries and smart cities, benefit from sensors and actuators interconnected through the IoT. However, the increase in IoT devices has brought with it the challenge of promptly detecting and combating the cybersecurity attacks and threats that target them, including malware, privacy breaches and denial of service attacks, among others. To tackle this challenge, this paper proposes an intelligent architecture that integrates Complex Event Processing (CEP) technology and the Machine Learning (ML) paradigm in order to detect different types of IoT security attacks in real time. In particular, such an architecture is capable of easily managing event patterns whose conditions depend on values obtained by ML algorithms. Additionally, a model-driven graphical tool for security attack pattern definition and automatic code generation is provided, hiding all the complexity derived from implementation details from domain experts. The proposed architecture has been applied in the case of a healthcare IoT network to validate its ability to detect attacks made by malicious devices. The results obtained demonstrate that this architecture satisfactorily fulfils its objectives. This work was supported by the Spanish Ministry of Science, Innovation and Universities and the European Union FEDER Funds [grant numbers FPU 17/02007, RTI2018-093608-B-C33, RTI2018-098156-B-C52 and RED2018-102654-T]. This work was also supported by the JCCM [grant number SB-PLY/17/180501/000353

    Verification Techniques for xMAS


    STL4IoT: A Statechart Template Library for IoT System Design

    The engineering of IoT systems brings about various challenges due to the inherent complexities associated with such heterogeneous systems. In this paper, we propose a library of statechart templates, STL4IoT, for designing complex IoT systems. We have developed atomic statechart components modelling the heterogeneous aspects of IoT systems including sensors, actuators, physical entities, network, and controller. Base system units for smart systems have also been designed. A component for calculating power usage is available in the library. Additionally, a smart hub template that controls interactions among multiple IoT systems and manages power consumption has also been proposed. The templates aim to facilitate the modelling and simulation of IoT systems. Our work is demonstrated with a smart home system consisting of a smart hub of lights, a smart microwave, a smart TV, and a smart fire alarm system. We have created a multi statechart with itemis CREATE based on the proposed templates and components. A smart home simulator has been developed by generating controller code from the statechart and integrating it with a user interface

    A Framework for Hybrid Intrusion Detection Systems

    Web application security is a definite threat to the world’s information technology infrastructure. The Open Web Application Security Project (OWASP) generally defines web application security violations as unauthorized or unintentional exposure, disclosure, or loss of personal information. These breaches occur without the company’s knowledge and it often takes a while before the web application attack is revealed to the public, specifically because the security violations are fixed. Due to the need to protect their reputation, organizations have begun researching solutions to these problems. The most widely accepted solution is the use of an Intrusion Detection System (IDS). Such systems currently rely on either signatures of the attack used for the data breach or changes in the behavior patterns of the system to identify an intruder. These systems, either signature-based or anomaly-based, are readily understood by attackers. Issues arise when attacks are not noticed by an existing IDS because the attack does not fit the pre-defined attack signatures the IDS is implemented to discover. Despite current IDSs' capabilities, little research has identified a method to detect all potential attacks on a system. This thesis intends to address this problem. A particular emphasis will be placed on detecting advanced attacks, such as those that take place at the application layer. These types of attacks are able to bypass existing IDSs and increase the potential for a web application security breach to occur and not be detected. In particular, the attacks under study are all web application layer attacks. Those included in this thesis are SQL injection, cross-site scripting, directory traversal and remote file inclusion. This work identifies common and existing data breach detection methods as well as the necessary improvements for IDS models. Ultimately, the proposed approach combines an anomaly detection technique measured by cross entropy and a signature-based attack detection framework utilizing a genetic algorithm. The proposed hybrid model for data breach detection benefits organizations by increasing security measures and allowing attacks to be identified in less time and more efficiently

    MECInOT: a multi-access edge computing and industrial internet of things emulator for the modelling and study of cybersecurity threats

    In recent years, the Industrial Internet of Things (IIoT) has grown rapidly, a fact that has led to an increase in the number of cyberattacks that target this environment and the technologies that it brings together. Unfortunately, when it comes to using tools for stopping such attacks, it can be noticed that there are inherent weaknesses in this paradigm, such as limitations in computational capacity, memory and network bandwidth. Under these circumstances, the solutions used until now in conventional scenarios cannot be directly adopted by the IIoT, and so it is necessary to develop and design new ones that can effectively tackle this problem. Furthermore, these new solutions must be tested in order to verify their performance and viability, which requires testing architectures that are compatible with newly introduced IIoT topologies. With the aim of addressing these issues, this work proposes MECInOT, which is an architecture based on openLEON and capable of generating test scenarios for the IIoT environment. The performance of this architecture is validated by creating an intelligent threat detector based on tree-based algorithms, such as decision tree, random forest and other machine learning techniques. This allows us to generate an intelligent threat detector and demonstrate the suitability of our architecture for testing solutions in IIoT environments. In addition, by using MECInOT, we compare the performance of the different machine learning algorithms in an IIoT network. Firstly, we present the benefits of our proposal, and secondly, we describe the emulation of an IIoT environment while ensuring the repeatability of the experiments

    Application Adaptive Bandwidth Management Using Real-Time Network Monitoring.

    Application adaptive bandwidth management is a strategy for ensuring secure and reliable network operation in the presence of undesirable applications competing for a network’s crucial bandwidth, covert channels of communication via non-standard traffic on well-known ports, and coordinated Denial of Service attacks. The study undertaken here explored the classification, analysis and management of the network traffic on the basis of ports and protocols used, type of applications, traffic direction and flow rates on the East Tennessee State University’s campus-wide network. Bandwidth measurements over a nine-month period indicated bandwidth abuse of less than 0.0001% of total network bandwidth. The conclusion suggests the use of the defense-in-depth approach in conjunction with the KHYATI (Knowledge, Host hardening, Yauld monitoring, Analysis, Tools and Implementation) paradigm to ensure effective information assurance

    A MEC-IIoT intelligent threat detector based on machine learning boosted tree algorithms

    In recent years, new management methods have appeared that mark the beginning of a new industrial revolution called Industry 4.0 or the Industrial Internet of Things (IIoT). IIoT brings together new emerging technologies, such as the Internet of Things (IoT), Deep Learning (DL) and Machine Learning (ML), that contribute to new applications, industrial processes and efficiency management in factories. This combination of new technologies and contexts is paired with Multi-access Edge Computing (MEC) to reduce costs through the virtualisation of networks and services. As these new paradigms increase in growth, so does the number of threats and vulnerabilities, making IIoT a very desirable target for cybercriminals. In addition, IIoT devices have certain intrinsic limitations, especially due to their limited resources, and this makes it impossible, in many cases, to detect attacks by using solutions designed for other paradigms. So it is necessary to design, implement and evaluate new solutions or adapt existing ones. Therefore, this paper proposes an intelligent threat detector based on boosted tree algorithms. Such detectors have been implemented and evaluated in an environment specifically designed to test IIoT deployments. In this way, we can learn how these algorithms, which have been successful in multiple contexts, behave in a paradigm with known constraints. The results obtained in the study show that our intelligent threat detector achieves a mean efficiency of between 95%–99% in the F1 Score metric, indicating that it is a good option for implementation in these scenarios