Transcript of the presentation "Cooperative and Autonomous Intrusion Detection Systems for Internet of Things: Smart-home Case Study"
April 2017
Cooperative and Autonomous Intrusion
Detection Systems for Internet of Things:
Smart-home Case Study
Ahmet Arış, Sema F. Oktuğ
Faculty of Computer & Informatics
Istanbul Technical University, Istanbul, Turkey
{arisahmet,oktug}@itu.edu.tr
OUTLINE
1. STSM Granted Student: Ahmet Arış
2. SICS Networked Embedded Systems (NES) Group
3. Meeting Point with SICS NES
4. Case Study: Smart-home
5. Future Work
6. Acknowledgments
STSM Granted Student: Ahmet Arış
• PhD candidate in Computer Engineering, Istanbul Technical University,
• Thesis title: Detection and mitigation of denial of service attacks in Internet of Things (IoT) networks,
• Research & teaching assistant,
• Contributions within the thesis:
• Survey of DoS/DDoS attacks against IoT networks (SIU2015),
• Analysis of version number attacks against IoT routing protocol RPL (NOMS2016),
• Lightweight mitigation of RPL version number attacks (preprint),
• Cooperative and autonomous intrusion detection system design for IoT (EWSN2017).
[Image: IEEE NOMS 2016]
SICS Networked Embedded Systems (NES) Group
• A part of the SICS Computer Systems Lab in Swedish ICT,
• Group leader: Thiemo Voigt,
• Main research areas:
  • Wireless Sensor Networks,
  • IoT,
  • Programming and development support for IoT (abstractions and tools),
  • IoT security: intrusion detection and attacks, lightweight crypto-based solutions.
• Key technologies:
  • Contiki: an operating system for IoT devices,
  • Cooja IoT network simulator,
  • uIP stack: open source TCP/IP stack implementation for IoT.
[Image 1: Thiemo Voigt]
1. Image source: https://www.sics.se/groups/networked-embedded-systems-group-nes
Meeting Point with NES – I
• One of the first Intrusion Detection System (IDS) specific to IoT was proposed by Raza et al. from the NES group,
• Hybrid placement of IDS modules:
  • Lightweight monitoring modules => constrained nodes,
  • Main IDS engine => border router.
• Checking and verifying the network state with respect to RPL routing parameters and rules,
• Considering the lossy environment when setting the thresholds for malicious activity detection,
• Filtering the outsider attackers by means of a distributed firewall.
[Figure 1: SVELTE IDS Block Diagram]
1. S. Raza, L. Wallgren, and T. Voigt, "Svelte: Real-time intrusion detection in the internet of things," Ad Hoc Networks, vol. 11, no. 8, pp. 2661–2674, 2013.
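The network-state check described on this slide is easiest to see in code. The following is an added example written for this transcript, not code from SVELTE or the NES group: each node's lightweight monitoring module reports its rank and preferred parent to the border router, the main IDS engine checks the reports against the RPL rank rule (a child's rank must exceed its parent's rank by at least MinHopRankIncrease, 256 by default in RFC 6550), and a sliding window turns repeated violations into an alarm so that a single lost or stale report in a lossy network is not treated as an attack. The node names, ranks, window size and threshold are constructed for the example.

```python
"""Added example (not SVELTE's code): RPL network-state verification at the
border router, with a tolerance window for a lossy 6LoWPAN network."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

MIN_HOP_RANK_INCREASE = 256  # RPL default from RFC 6550; assumed for the example


@dataclass(frozen=True)
class NodeReport:
    """What a node's lightweight monitoring module reports in one round."""
    node: str
    rank: int
    parent: Optional[str]  # None for the DODAG root (the border router itself)


def find_violations(reports: Dict[str, NodeReport]) -> Dict[str, List[str]]:
    """Check one round of reports against RPL rules; returns node -> reasons."""
    bad: Dict[str, List[str]] = defaultdict(list)
    for r in reports.values():
        if r.parent is None:
            continue  # the root has no parent to check against
        parent = reports.get(r.parent)
        if parent is None:
            # The parent's report may simply have been lost; the window decides.
            bad[r.node].append(f"parent {r.parent} sent no report this round")
            continue
        # RPL rule: a child's rank must exceed its parent's rank by MinHopRankIncrease
        if r.rank < parent.rank + MIN_HOP_RANK_INCREASE:
            bad[r.node].append(f"rank {r.rank} too low for parent rank {parent.rank}")
    return dict(bad)


class StateVerifier:
    """Raise an alarm only when a node violates a rule in at least `min_hits`
    of the last `window` rounds, so one lost or stale report is not enough."""

    def __init__(self, window: int = 5, min_hits: int = 3) -> None:
        self.min_hits = min_hits
        self.history: Dict[str, Deque[bool]] = defaultdict(lambda: deque(maxlen=window))

    def process_round(self, reports: Dict[str, NodeReport]) -> List[str]:
        violations = find_violations(reports)
        alarms: List[str] = []
        for node, rep in reports.items():
            if rep.parent is None:
                continue
            self.history[node].append(node in violations)
            if sum(self.history[node]) >= self.min_hits:
                alarms.append(node)
        return sorted(alarms)


def demo() -> Dict[int, List[str]]:
    """Constructed five rounds: n3 advertises an illegally low rank from round 2
    on (a rank attack); n1's report is lost in round 3, which briefly makes its
    children n2 and n3 look inconsistent as well."""
    verifier = StateVerifier(window=5, min_hits=3)
    alarms_by_round: Dict[int, List[str]] = {}
    for rnd in range(1, 6):
        reports = {
            "br": NodeReport("br", 256, None),
            "n1": NodeReport("n1", 512, "br"),
            "n2": NodeReport("n2", 768, "n1"),
            "n3": NodeReport("n3", 768 if rnd == 1 else 300, "n1"),
        }
        if rnd == 3:
            del reports["n1"]  # lossy link: n1's report never reached the border router
        alarms_by_round[rnd] = verifier.process_round(reports)
    return alarms_by_round


if __name__ == "__main__":
    for rnd, alarms in demo().items():
        print(f"round {rnd}: alarms={alarms}")
```

The window is what implements "considering the lossy environment": n2 is flagged once because its parent's report was lost, and never reaches the alarm threshold, while n3's repeated rank violation does from round 4 on.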
Meeting Point with NES – II
• Cooperating Autonomous Detection Systems (CATS) was proposed by Dressler et al.,
• Each detection system consists of two parts:
  • Monitoring part:
    • Samples the packets,
    • Performs statistical measurements,
    • Generates flow information,
    • Outputs the monitoring data.
  • Detection part:
    • Anomaly + knowledge-based detection,
    • Uses local monitoring data and incoming monitoring & event data,
    • Outputs suspicious events data.
F. Dressler, G. Münz and G. Carle, "Attack Detection using Cooperating Autonomous Detection Systems (CATS)," Proceedings of 1st IFIP International Workshop on Autonomic Communication, Poster Session, Berlin, Germany, October 2004.
[Figure: CATS Block Diagram, showing the Monitoring Part and the Detection Part]
• Detection systems:
  • Cooperate and share monitoring and suspicious events information,
  • Autonomously work and make independent attack decisions.
Meeting Point with NES – III: A Novel Intrusion Detection System for IoT
• We proposed a new IDS design which benefits from SVELTE and CATS:
  • SVELTE: location of the IDS modules,
  • CATS: cooperating but autonomous IDSes.
• Detection systems work autonomously, but share attack events information,
• Each detection system consists of two parts:
  • Monitoring part @ nodes:
    • Monitoring of RPL routing and node-resources,
    • Periodic transmission of monitoring data to main IDS,
    • Obtaining white-list information from the detection part.
  • Detection part @ BR:
    • Obtains monitoring information from nodes,
    • Analyzes incoming and outgoing Internet traffic,
    • Gets attack events data from other detection systems,
    • Anomaly-based detection,
    • Creates and shares white-list and attack events data.
[Figure 1: Our Novel IDS Design Block Diagram. Several IoT networks, each with a border router (BR) and IoT nodes (S), exchange attack events over the Internet. Modules shown: Attack Events Import/Export Module, Attack Detection Module, IoT Network Monitoring, Internet Traffic Monitoring, Network State Module, Node Resources Module, White List Module.]
1. A. Aris and S. F. Oktug, "State of the Art IDS Design for IoT," accepted as a poster to the International Conference on Embedded Wireless Systems and Networks (EWSN 2017), February 20–22, 2017, Uppsala, Sweden.
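To make the division of labour between the monitoring part and the detection part concrete, here is an added example written for this transcript, not the authors' implementation: a detection part as it could run at a smart-home border router. It consumes the periodic monitoring data the nodes send (preferred parent, alternative parents, power source, retransmission counts), analyzes Internet traffic counts, learns a retransmission baseline during a warm-up period, decides on attacks locally (autonomy), exports attack events and imports those of a second home's detection system (cooperation), and keeps a white list that it hands to the nodes. The node names, the two documentation-range IP addresses, the thresholds and the warm-up length are constructed assumptions. The scenario also exercises two of the threats the deck selects later: routing through a battery-powered node and forced retransmissions.

```python
"""Added example (not the authors' implementation): a cooperative but
autonomous detection part as it could run at a smart-home border router."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class NodeMonitor:
    """Periodic monitoring data from a node's monitoring part (RPL + resources)."""
    node: str
    parent: str
    candidate_parents: Tuple[str, ...]  # other parents the node could have chosen
    mains_powered: bool
    retransmissions: int                # link-layer retransmissions this period
    packets_sent: int


@dataclass(frozen=True)
class AttackEvent:
    """What detection systems exchange; `source` names the reporting system."""
    source: str
    kind: str
    subject: str


class DetectionSystem:
    def __init__(self, name: str, whitelist: Set[str], inet_flood_pkts: int = 500,
                 warmup_rounds: int = 3) -> None:
        self.name = name
        self.whitelist = set(whitelist)            # White List Module
        self.inet_flood_pkts = inet_flood_pkts
        self.warmup_rounds = warmup_rounds
        self.rounds_seen = 0
        self.retx_ratios: List[float] = []         # baseline learned during warm-up
        self.peer_events: List[AttackEvent] = []   # imported from other systems
        self.local_events: List[AttackEvent] = []  # what this system exports

    # --- Attack Events Import/Export Module ---
    def import_events(self, events: List[AttackEvent]) -> None:
        self.peer_events.extend(e for e in events if e.source != self.name)

    def export_events(self) -> List[AttackEvent]:
        return list(self.local_events)

    # --- White List Module: handed to the nodes' monitoring part ---
    def whitelist_for_nodes(self) -> Set[str]:
        return set(self.whitelist)

    # --- Attack Detection Module (anomaly-based, decided locally) ---
    def analyze(self, reports: List[NodeMonitor],
                inet_pkts_by_src: Dict[str, int]) -> List[AttackEvent]:
        found: List[AttackEvent] = []
        power = {r.node: r.mains_powered for r in reports}
        self.rounds_seen += 1
        if self.rounds_seen <= self.warmup_rounds:
            # Learn what "normal" retransmission behaviour looks like; report nothing yet.
            self.retx_ratios.extend(r.retransmissions / r.packets_sent
                                    for r in reports if r.packets_sent)
            return found
        mu, sigma = mean(self.retx_ratios), pstdev(self.retx_ratios)
        for r in reports:
            if r.node in self.whitelist:
                continue
            # Node-resources rule: battery-powered parent chosen although a mains-powered one exists
            if power.get(r.parent) is False and any(power.get(c) for c in r.candidate_parents):
                found.append(AttackEvent(self.name, "routing-through-battery-node", f"{r.node}->{r.parent}"))
            # Network-state rule: retransmission ratio far above the learned baseline
            if r.packets_sent and r.retransmissions / r.packets_sent > mu + 3 * sigma + 0.05:
                found.append(AttackEvent(self.name, "forced-retransmissions", r.node))
        # Internet-traffic rule; a source a peer already reported needs less local evidence
        known = {e.subject for e in self.peer_events if e.kind == "internet-flood"}
        for src, n in inet_pkts_by_src.items():
            limit = self.inet_flood_pkts // 4 if src in known else self.inet_flood_pkts
            if n > limit:
                found.append(AttackEvent(self.name, "internet-flood", src))
        self.local_events.extend(found)
        return found


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Constructed scenario: two smart-homes with one detection system each.
    Home A sees a flood from 203.0.113.9 (constructed address); home B sees the
    same source at a lower rate, plus a node that forces retransmissions and
    attracts traffic although a mains-powered parent is available."""
    home_a = DetectionSystem("home-A", whitelist={"br"})
    home_b = DetectionSystem("home-B", whitelist={"br"})
    normal = [NodeMonitor("n1", "br", ("br",), True, 10, 100),
              NodeMonitor("n2", "n1", ("n1",), False, 10, 100)]
    for _ in range(3):  # warm-up rounds: baseline only, no events
        home_a.analyze(normal, {})
        home_b.analyze(normal, {})
    home_a.analyze(normal, {"203.0.113.9": 600})
    home_b.import_events(home_a.export_events())  # cooperation: events are shared
    suspicious = [NodeMonitor("n1", "br", ("br",), True, 10, 100),
                  NodeMonitor("n2", "n3", ("n1", "n3"), False, 10, 100),  # picked battery node n3 over n1
                  NodeMonitor("n3", "br", ("br",), False, 60, 100)]       # 60% retransmissions
    events_b = home_b.analyze(suspicious, {"203.0.113.9": 200, "198.51.100.7": 200})
    return {"home-A": [(e.kind, e.subject) for e in home_a.export_events()],
            "home-B": [(e.kind, e.subject) for e in events_b]}


if __name__ == "__main__":
    for home, events in demo().items():
        print(home, events)
```

Home B stays autonomous: it never raises an alarm just because home A did, but a source already reported by a peer only needs a quarter of the local packet count to be confirmed, while the unreported source at the same rate is left alone.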
Meeting Point with NES – IV: Short Term Research at NES
• SVELTE was proposed by Raza et al. from NES,
• Contiki OS, Cooja and RPL were implemented by NES group,
• Cooperation with NES would be promising for an efficient IDS design and implementation,
• Short-term research at NES SICS (February 1st – April 30th)
• Determination of a use-case scenario,
• Analysis and implementation of the use-case,
• Implementation and analysis of the attacks,
• Implementation of our new IDS,
• Evaluations.
Image source: http://www.freeiconspng.com/free-images/cooperation-png-10331
Case Study: Smart-home – I
• In the future, home environments will be smarter:
  • Seamless integration of dozens of wireless devices at home,
  • Smarter house appliances providing more comfortable environments,
  • Easy control of home appliances,
  • Efficient energy usage and reduced costs,
  • Increased security and safety.
• Low-cost and reliable remote health monitoring:
  • Aging population and insufficient hospital resources,
  • More comfort for patients, more data for doctors.
• Smart-home applications:
  • Health-reporting and monitoring,
  • Alarm systems,
  • Lighting applications,
  • Energy conservation and optimization of energy consumption,
  • Advanced remote control,
  • Controlling battery operated window shades,
  • Remote video surveillance.
Image Source: http://www.kasalis.com/blog/wp-content/uploads/2015/12/smarthome.jpg
Smart-home – II
[Figure: Smart-home device layout. Home devices: BR Border Router, C Controller, WS Wall Switch, GS Gas Sensor, DWS Door/Window Sensor, TS Temperature Sensor, PB Panic Button, WL Water Leak, MS Motion Sensor, RS Rain Sensor, SP Smart Plug, LD Light Dimmer, SRC Smart Remote Controller. Body-area devices: BP Blood Pressure, BG Blood Glucose, BT Body Temperature, HR Heart Rate, PR Pulse Rate, RR Respiratory Rate, EEG, EMG, ECG, IP Insulin Pump, PM Pacemaker.]
Smart-home – III: Characteristics
Characteristics of the Smart-home Environment
• Environment: dynamic (e.g., people moving, opening/closing doors/windows, turning on the microwave oven),
• Nodes (sensors, actuators, controllers):
  • Static nodes + mobile nodes,
  • Most of the nodes are resource-constrained and battery-powered,
  • Mains-powered nodes exist,
  • Routing through mains-powered devices is preferable.
• Traffic properties:
  • Direct communication between nodes may be required,
  • Multicast-like operation may be needed,
  • Traffic types: point-to-point, multipoint-to-point, point-to-multipoint.
• QoS requirements:
  • Priority routing with short delays and high reliability (patient monitoring, alert reporting),
  • Some apps can tolerate an acceptable amount of delay,
  • Convergence of the routing protocol even in the case of mobile nodes is necessary.
• Challenges:
  • Mobile nodes change the topology often; a routing algorithm converging in an acceptable time is important,
  • Priority routing of specific data with low delay and high reliability is an issue,
  • Network consists of heterogeneous nodes and varying QoS requirements.
Smart-home – IV: Network Topology
[Figure: Smart-home network topology. The border router (BR) connects the home to the Internet over IEEE 802.3 (Ethernet). Sensors (S), actuators (A), sensor/actuators (S/A) and controllers (C) form an IEEE 802.15.4 network; a separate IEEE 802.1 (Bluetooth) network of actuators is attached through its own controller (C, Controller of Bluetooth Network). Caption: Smart-home network: IEEE 802.15.4 + Bluetooth.]
Can we not use just Bluetooth?
Smart-home – V: Bluetooth Issues for Smart-home (i.e., WSN-based IoT)
• Advantages of Bluetooth:
  + Range, security and bit rate seem promising,
  + Support for smart-phones, etc. eliminates the need for border routers.
• Disadvantages of Bluetooth:
  - Scalability: networks with more than 8 devices cause issues:
    • Park state: long delays, difficult to manage, no more support with Bluetooth 5!
    • Multiple separate piconets: no interference management, not scalable!
    • Scatternet:
      + Makes multi-hop communication possible,
      - Hardware on the market does not support it,
      - Specification does not guarantee that a slave can be part of two piconets whenever it wants,
      - Slots are lost whenever a device switches between piconets,
      - Scheduling and synchronization with respect to two clocks are very difficult.
    • Switching piconets at the application layer.
  - Currently IPv6 packets are not carried in Bluetooth packets, but in the near future Bluetooth will support it,
  - Bluetooth does not support CoAP,
  - Co-existence of multiple piconets may cause interference problems,
  - Firmware libraries are closed-source.
Smart-home – VI: Existing Cryptography-based Security Mechanisms
Protocol Stack (top to bottom) and the existing security mechanism at each layer:
CoAP / CBOR    » Object Security of CoAP (OSCoAP); CBOR Object Signing and Encryption (COSE), OSCoAP and Ephemeral Diffie Hellman over COSE (EDHOC) → Security for CoAP objects
UDP            » Datagram Transport Layer Security (DTLS) → Security for UDP-based applications
IPv6 / RPL     » IPSec and Secure RPL → End-to-End Security
6LoWPAN
IEEE 802.15.4  » IEEE 802.15.4 PHY and Link Layer Security → Hop-by-Hop Security
Cryptography is costly for resource-constrained devices,
Most of the implementations have security flaws1,
Although cryptography is used, networks are still vulnerable to Denial of Service attacks!
1. http://cybersecurity.ieee.org/blog/2017/01/27/dr-jonathan-katz-at-ieee-secdev-2016/
Smart-Home – VII: Compromise Scenarios
• Can smart-home environments be compromised?
• Outsider people can come for various reasons and take actions:
  • Replace the original nodes with compromised nodes,
  • Place/leave a new node which joins the network and applies attacks.
• People who don't have security-awareness (e.g., patients, kids, visitors) may unintentionally bring malicious/compromised devices,
• If the walls are not thick, then neighbors' devices can apply attacks,
• Attackers can apply DDoS from the Internet.
• Physical security of the network is better than the outdoor environments,
• Still, invasions are possible!
Image Source: https://blog.kaspersky.com/files/2014/05/smart.jpg
Smart-Home – VIII: Which threats are suitable for the attacker(s)?
• Characteristics of the threats that the attacker may choose to implement:
• Threats which cause denial of services,
• Threats which misuse the resources,
• Threats which result in outcomes whose source users cannot determine:
  • Sensors are malfunctioning,
  • Nodes were affected by interference or other effects,
  • There is an attacker.
• Threats which result in outcomes that show their effects indirectly (privacy-related threats, or others).
Smart-Home – IX: Selected Threats
Threats that may help the attacker remain unnoticed but affect the performance of the system:
• Malicious routing:
  • Routing through battery-constrained devices instead of mains-powered devices,
  • Routing packets over inefficient paths with more hops, longer delays or lower ETX,
  • RPL DODAG reconstructions,
  • Delaying the packets.
• Maliciously causing retransmissions:
  • Dropping packets (randomly, selectively) to cause retransmissions,
  • Intelligent jamming,
  • Forcing max. retransmissions.
• Malicious communication:
  • Malicious requests when there is no need to request.
• Malicious actuations:
  • Actuation of home actuators:
    • Increased energy usage and cost,
    • Improper device operations.
  • Actuation of patient's actuators.
• Bypassing the BR via wormhole:
  • Injecting packets into the smart-home network,
  • Using smart-home nodes as attack sources,
  • Causing a host on the Internet to be the target of a DDoS attack.
What is Next?
• Literature review for the selected threats,
• Generation of the attacker model,
• Implementation of the smart-home environment,
• Implementation of attacks and analysis of their effects,
• Implementation of the cooperative and autonomous IDS for smart-home environment,
• Evaluation of the performance.
Acknowledgments
• We would like to thank COST for the financial support,
• We would like to thank NES group for their cooperation and support,
• We also would like to thank Istanbul Technical University and 2211C - Domestic Doctoral Scholarship Program Intended for Priority Areas, No. 1649B031503218 of the Scientific and Technological Research Council of Turkey (TUBITAK) for the financial support.
Thank you for your time.
Any questions?