Cooperative and Autonomous Intrusion Detection Systems for Internet of Things: Smart-home Case Study

Ahmet Arış, Sema F. Oktuğ
Faculty of Computer & Informatics
Istanbul Technical University, Istanbul, Turkey
{arisahmet,oktug}@itu.edu.tr

April 2017


OUTLINE

1. STSM Granted Student: Ahmet Arış
2. SICS Networked Embedded Systems (NES) Group
3. Meeting Point with SICS NES
4. Case Study: Smart-home
5. Future Work
6. Acknowledgments

STSM Granted Student: Ahmet Arış

• PhD candidate in Computer Engineering, Istanbul Technical University,
• Thesis title: Detection and mitigation of denial of service attacks in Internet of Things (IoT) networks,
• Research & teaching assistant,
• Contributions within the thesis:
  • Survey of DoS/DDoS attacks against IoT networks (SIU2015),
  • Analysis of version number attacks against IoT routing protocol RPL (NOMS2016),
  • Lightweight mitigation of RPL version number attacks (preprint),
  • Cooperative and autonomous intrusion detection system design for IoT (EWSN2017).

[Image: IEEE NOMS 2016]

SICS Networked Embedded Systems (NES) Group

• A part of the SICS Computer Systems Lab in Swedish ICT,
• Group leader: Thiemo Voigt,
• Main research areas:
  • Wireless Sensor Networks,
  • IoT,
  • Programming and development support for IoT (abstractions and tools),
  • IoT security: intrusion detection and attacks, lightweight crypto-based solutions.
• Key technologies:
  • Contiki: an operating system for IoT devices,
  • Cooja IoT network simulator,
  • uIP stack: open source TCP/IP stack implementation for IoT.

[Image: Thiemo Voigt. Image source: https://www.sics.se/groups/networked-embedded-systems-group-nes]

Meeting Point with NES – I

• One of the first Intrusion Detection Systems (IDS) specific to IoT was proposed by Raza et al. from the NES group,
• Hybrid placement of IDS modules:
  • Lightweight monitoring modules => constrained nodes,
  • Main IDS engine => border router.
• Checking and verifying the network state with respect to RPL routing parameters and rules,
• Considering the lossy environment when setting the thresholds for malicious activity detection,
• Filtering the outsider attackers by means of a distributed firewall.

[Figure: SVELTE IDS Block Diagram [1]]

[1] S. Raza, L. Wallgren, and T. Voigt, “Svelte: Real-time intrusion detection in the internet of things,” Ad Hoc Networks, vol. 11, no. 8, pp. 2661 – 2674, 2013.

Meeting Point with NES – II

• Cooperating Autonomous Detection Systems (CATS) was proposed by Dressler et al.,
• Each detection system consists of two parts:
  • Monitoring part:
    • Samples the packets,
    • Performs statistical measurements,
    • Generates flow information,
    • Outputs the monitoring data.
  • Detection part:
    • Anomaly + knowledge-based detection,
    • Uses local monitoring data and incoming monitoring & event data,
    • Outputs suspicious events data.
• Detection systems:
  • Cooperate and share monitoring and suspicious events information,
  • Autonomously work and make independent attack decisions.

[Figure: CATS Block Diagram, showing the Detection Part and the Monitoring Part]

F. Dressler, G. Münz and G. Carle, "Attack Detection using Cooperating Autonomous Detection Systems (CATS)," Proceedings of 1st IFIP International Workshop on Autonomic Communication, Poster Session, Berlin, Germany, October 2004

Meeting Point with NES – III: A Novel Intrusion Detection System for IoT

• We proposed a new IDS design which benefits from SVELTE and CATS,
  • SVELTE: location of the IDS modules,
  • CATS: cooperating but autonomous IDSes.
• Detection systems work autonomously, but share attack events information,
• Each detection system consists of two parts:
  • Monitoring part @ nodes:
    • Monitoring of RPL routing and node-resources,
    • Periodic transmission of monitoring data to main IDS,
    • Obtaining white-list information from the detection part.
  • Detection part @ BR:
    • Obtains monitoring information from nodes,
    • Analyzes incoming and outgoing Internet traffic,
    • Gets attack events data from other detection systems,
    • Anomaly-based detection,
    • Creates and shares white-list and attack events data.

[Figure: Our Novel IDS Design Block Diagram [1]. Labels in the diagram: Attack Events Import/Export Module, Attack Detection Module, IoT Network Monitoring, Internet Traffic Monitoring, Network State Module, Node Resources Module, White List Module. Legend: BR = Border Router, S = IoT Node.]

[1] A. Aris and S. F. Oktug, “State of the Art IDS Design for IoT,” accepted as a poster to the International Conference on Embedded Wireless Systems and Networks (EWSN 2017), February 20 – 22, 2017, Uppsala, Sweden.
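A sketch of the detection part at the border router described above, as an added example (not code from the slides, from SVELTE or from the authors' IDS): it takes the nodes' periodic monitoring reports, checks the RPL rule that a node's rank must be greater than its preferred parent's rank, tolerates lost reports, and raises an attack event only after repeated violations. The report fields, the window and threshold values, and the node names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    """Assumed format of one periodic monitoring report from a node."""
    round_no: int   # reporting period
    node: str       # reporting node id
    rank: int       # RPL rank the node advertises
    parent: str     # preferred parent id

ROOT, ROOT_RANK = "BR", 256    # assumed root id and root rank
WINDOW, THRESHOLD = 5, 3       # assumed: 3 violations within the last 5 reports

class DetectionPart:
    """Anomaly check run at the border router over node monitoring data."""

    def __init__(self, whitelist):
        self.whitelist = set(whitelist)       # nodes allowed in the network
        self.last_rank = {ROOT: ROOT_RANK}    # freshest rank known per node
        self.history = defaultdict(lambda: deque(maxlen=WINDOW))
        self.events = []                      # attack events to share with peers

    def ingest_round(self, reports):
        """Process one reporting period; lost reports are simply absent."""
        for r in reports:
            if r.node in self.whitelist:
                self.last_rank[r.node] = r.rank
            else:
                self._raise(r.round_no, r.node, "not-whitelisted")
        for r in reports:
            if r.node not in self.whitelist:
                continue
            parent_rank = self.last_rank.get(r.parent)
            # Parent rank never seen (its reports were lost): no evidence yet.
            violated = parent_rank is not None and r.rank <= parent_rank
            self.history[r.node].append(violated)
            if sum(self.history[r.node]) >= THRESHOLD:
                self._raise(r.round_no, r.node, "rank-inconsistency")
                self.history[r.node].clear()  # do not re-raise every round
        return self.events

    def _raise(self, round_no, node, kind):
        self.events.append({"round": round_no, "node": node, "type": kind})

def demo():
    """Constructed sample: n3 reports a rank below its parent's from round 2."""
    ids = DetectionPart(whitelist={"n1", "n2", "n3"})
    for rnd in range(1, 7):
        reports = [Report(rnd, "n1", 512, "BR"), Report(rnd, "n2", 768, "n1")]
        if rnd == 3:
            reports.pop()                     # n2's report is lost this round
        n3_rank = 1024 if rnd == 1 else 300   # 300 is below n2's rank of 768
        reports.append(Report(rnd, "n3", n3_rank, "n2"))
        if rnd == 4:
            reports.append(Report(rnd, "n9", 512, "BR"))  # device not on the list
        ids.ingest_round(reports)
    return ids.events
```

The threshold is what keeps a single inconsistent report, which a lossy link can produce on its own, from being exported as an attack event.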

Meeting Point with NES – IV: Short Term Research at NES

• SVELTE was proposed by Raza et al. from NES,
• Contiki OS, Cooja and RPL were implemented by NES group,
• Cooperation with NES would be promising for an efficient IDS design and implementation,
• Short-term research at NES SICS (February 1st – April 30th):
  • Determination of a use-case scenario,
  • Analysis and implementation of the use-case,
  • Implementation and analysis of the attacks,
  • Implementation of our new IDS,
  • Evaluations.

[Image source: http://www.freeiconspng.com/free-images/cooperation-png-10331]

Case Study: Smart-home – I

• In the future, home environments will be smarter:
  • Seamless integration of dozens of wireless devices at home,
  • Smarter house appliances providing more comfortable environments,
  • Easy control of home appliances,
  • Efficient energy usage and reduced costs,
  • Increased security and safety.
• Low-cost and reliable remote health monitoring,
  • Aging population and insufficient hospital resources,
  • More comfort for patients, more data for doctors.
• Smart-home applications:
  • Health-reporting and monitoring,
  • Alarm systems,
  • Lighting applications,
  • Energy conservation and optimization of energy consumption,
  • Advanced remote control,
  • Controlling battery operated window shades,
  • Remote video surveillance.

[Image source: http://www.kasalis.com/blog/wp-content/uploads/2015/12/smarthome.jpg]

Smart-home – II

[Figure: smart-home node deployment diagram. Legend:]

BR   Border Router
C    Controller
WS   Wall Switch
GS   Gas Sensor
DWS  Door/Window Sensor
TS   Temperature Sensor
PB   Panic Button
WL   Water Leak
MS   Motion Sensor
RS   Rain Sensor
SP   Smart Plug
LD   Light Dimmer
SR   Smart Remote

[Figure: health-monitoring nodes with controllers (C). Legend:]

BP   Blood Pressure
BG   Blood Glucose
BT   Body Temperature
HR   Heart Rate
PR   Pulse Rate
RR   Respiratory Rate
EEG  EEG
EMG  EMG
ECG  ECG
IP   Insulin Pump
PM   Pacemaker

Smart-home – III: Characteristics

Characteristics of the Smart-home Environment

• Environment: dynamic (e.g., people moving, opening/closing doors/windows, turning on the microwave oven),
• Nodes (sensors, actuators, controllers):
  • Static nodes + mobile nodes,
  • Most of the nodes are resource-constrained and battery-powered,
  • Mains-powered nodes exist,
  • Routing through mains-powered devices is preferable.
• Traffic properties:
  • Direct communication between nodes may be required,
  • Multicast-like operation may be needed.
• Traffic types: point-to-point, multipoint-to-point, point-to-multipoint.
• QoS requirements:
  • Priority routing with short delays and high reliability (patient monitoring, alert reporting),
  • Some apps can tolerate an acceptable amount of delay,
  • Convergence of the routing protocol even in the case of mobile nodes is necessary.
• Challenges:
  • Mobile nodes change the topology often. A routing algorithm that converges in an acceptable time is important,
  • Priority routing of specific data with low delay and high reliability is an issue,
  • Network consists of heterogeneous nodes and varying QoS requirements.

Smart-home – IV: Network Topology

[Figure: Smart-home network: IEEE 802.15.4 + Bluetooth. Sensors (S), actuators (A), sensor/actuators (S/A) and controllers (C) connect through the border router (BR) to the Internet. Link labels: IEEE 802.3 (Ethernet), IEEE 802.15.4, IEEE 802.1 (Bluetooth). Legend:]

S    Sensor
A    Actuator
S/A  Sensor/Actuator
C    Controller
C    Controller of Bluetooth Network
BR   Border Router

Can we not use just Bluetooth?

Smart-home – V: Bluetooth Issues for Smart-home (i.e., WSN-based IoT)

• Advantages of Bluetooth:
  + Range, security and bit rate seem promising,
  + Support for smart-phones, etc. eliminates the need for border routers.
• Disadvantages of Bluetooth:
  - Scalability: networks with more than 8 devices cause issues:
    • Park state: Long delays, difficult to manage, no more support with Bluetooth 5!
    • Multiple separate piconets: no interference management, not scalable!
    • Scatternet:
      + Makes multi-hop communication possible,
      - Hardware on the market does not support it,
      - Specification does not guarantee that a slave can be part of two piconets whenever it wants,
      - Slots are lost whenever a device switches between piconets,
      - Scheduling and synchronization with respect to two clocks are very difficult.
    • Switching piconets at the application layer.
  - Currently IPv6 packets are not carried in Bluetooth packets. But in the near future Bluetooth will support it,
  - Bluetooth does not support CoAP,
  - Co-existence of multiple piconets may cause interference problems,
  - Firmware libraries are closed-source.

Smart-home – VI: Existing Cryptography-based Security Mechanisms

Protocol Stack: CBOR, CoAP, UDP, IPv6 / RPL, 6LoWPAN, IEEE 802.15.4

» CBOR Object Signing and Encryption (COSE), OSCoAP and Ephemeral Diffie Hellman over COSE (EDHOC)
» Object Security of CoAP (OSCoAP) → Security for CoAP objects
» Datagram Transport Layer Security (DTLS) → Security for UDP-based applications
» IPSec and Secure RPL → End-to-End Security
» IEEE 802.15.4 PHY and Link Layer Security → Hop-by-Hop Security

Cryptography is costly for resource-constrained devices,

Most of the implementations have security flaws [1],

Although cryptography is used, networks are still vulnerable to Denial of Service attacks!

[1] http://cybersecurity.ieee.org/blog/2017/01/27/dr-jonathan-katz-at-ieee-secdev-2016/

Smart-Home – VII: Compromise Scenarios

• Can smart-home environments be compromised?
• Outsiders can come for various reasons and take actions:
  • Replacing the original nodes with compromised nodes,
  • Placing/leaving a new node which joins the network and launches attacks.
• People who don’t have security-awareness (e.g., patients, kids, visitors) may unintentionally bring malicious/compromised devices,
• If the walls are not thick, then neighbors’ devices can launch attacks,
• Attackers can launch DDoS from the Internet.
• Physical security of the network is better than in outdoor environments,
• Still, invasions are possible!

[Image source: https://blog.kaspersky.com/files/2014/05/smart.jpg]

Smart-Home – VIII: Which threats are suitable for the attacker(s)?

• Characteristics of the threats that the attacker may choose to implement:
  • Threats which cause denial of service,
  • Threats which misuse the resources,
  • Threats whose outcomes leave users unable to determine the source of the problem:
    • Sensors are malfunctioning,
    • Nodes were affected by interference or other effects,
    • There is an attacker.
  • Threats whose outcomes show their effects indirectly (privacy-related threats, or others).

Smart-Home – IX: Selected Threats

Threats that may help the attacker go unnoticed but affect the performance of the system:

• Malicious routing:
  • Routing through battery-constrained devices instead of mains-powered devices,
  • Routing packets over inefficient paths with more hops, longer delays or lower ETX,
  • RPL DODAG reconstructions,
  • Delaying the packets.
• Maliciously causing retransmissions:
  • Dropping packets (randomly, selectively) to cause retransmissions,
  • Intelligent jamming,
  • Forcing max. retransmissions.
• Malicious communication:
  • Malicious requests when there is no need to request,
• Malicious actuations:
  • Actuation of home actuators:
    • Increased energy usage and cost,
    • Improper device operations,
  • Actuation of patient’s actuators.
• Bypassing the BR via wormhole:
  • Injecting packets to smart-home network,
  • Using smart-home nodes as attack sources,
  • Causing a host on the Internet to be the target for DDoS attack.


What is Next?

• Literature review for the selected threats,

• Generation of the attacker model,

• Implementation of the smart-home environment,

• Implementation of attacks and analysis of their effects,

• Implementation of the cooperative and autonomous IDS for smart-home environment,

• Evaluation of the performance.


Acknowledgments

• We would like to thank COST for the financial support,

• We would like to thank NES group for their cooperation and support,

• We also would like to thank Istanbul Technical University and 2211C - Domestic Doctoral Scholarship Program Intended for Priority Areas, No. 1649B031503218 of the Scientific and Technological Research Council of Turkey (TUBITAK) for the financial support.


Thank you for your time.

Any questions?