Realizing a security framework for the internet of things
IoT products and services collect a large amount of data, including data about their users. This collected data is stored either locally on the smart devices or in the cloud. Although the expansion of IoT promises enormous benefits in productivity and efficiency, these devices often lack the security properties we have become used to in the domain of desktop and server computing. Processing such large-scale IoT data can therefore lead to many security issues, such as intrusion attacks, data leakage, and threats to user privacy and traceability. The lack of robust security measures for defending IoT systems can compromise IoT infrastructures and their data. Moreover, since IoT devices usually operate under tight resource constraints, they are a fruitful target for adversaries' exploitation.
This thesis presents substantial contributions to research on building a scalable, real-time IoT security framework. It provides several novel strategies for identifying and authenticating devices, detecting known and zero-day network attacks against IoT devices, and detecting malware executables targeting IoT and embedded systems. In this thesis we consider three security aspects: IoT device identification and authentication, network traffic intrusion detection, and detection of malicious executable files.
The first key contribution is a comprehensive survey that covers the security aspects and challenges facing IoT systems, including techniques for outsourcing partial computations to the edge or the cloud, and presents case studies that map security challenges and requirements onto real IoT scenarios.
The second main contribution is a security framework named Behavioural Network Traffic Identification and Novelty Anomaly Detection for the IoT Infrastructures (BIN-IoT), which enables rules that constrain IoT device communications according to their given privileges. Based on our proposed novel IoT network traffic fingerprinting solution, BIN-IoT passively selects essential features from a sequence of network packets to construct a legitimate profile of each IoT device's network communications. This profile helps identify and authenticate devices within an infrastructure. Moreover, any significant deviation in network traffic from the profile can indicate an attack or a compromised IoT device within the IoT infrastructure.
An efficient near real-time IoT device identification and authorization system named Behavioural IoT Network Traffic Identification (BI-IoT) is developed as one of the building blocks of the BIN-IoT framework. BI-IoT combines the fingerprinting solution mentioned above with machine learning (ML) techniques to authenticate devices connecting to a network. The proposed approach automatically identifies whitelisted device types and individual device instances connected to the network. The proposed system improves the average device prediction F1-score to 90.3%, a 9.3% increase compared with the state-of-the-art technique. Moreover, individual device instances sharing the same model and vendor, as well as unknown devices, are correctly identified with minimal performance overhead.
The third major contribution is another building block of the BIN-IoT framework: a near real-time IoT network traffic anomaly detection system named Behavioural Novelty Detection for IoT Network Traffic (BND-IoT). The goal of BND-IoT is to detect compromised IoT devices and malicious traffic within IoT infrastructures in real time using novelty detection algorithms. BND-IoT can detect anomalous traffic from unseen attacks and malware when the network model is trained with behavioural features extracted from normal traffic only. The aim is to detect known attack patterns and zero-day attacks with high detection rates (DRs) and low false-positive rates (FPRs).
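As an added illustration of the idea shared by BI-IoT and BND-IoT (this is example code, not the thesis's implementation), the following stdlib-only Python sketch builds a per-device profile from normal flows only and scores later windows of traffic by how far they depart from it. The feature choice (protocol/port pairs and payload-size statistics), the device names and the flow records are all constructed for the example.

```python
"""Toy per-device traffic fingerprint and novelty scoring (added example)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample flows: (device_id, proto, dst_port, payload_bytes).
# Illustrative records only, not captures from the thesis datasets.
NORMAL = [
    ("cam-01", "udp", 123, 48), ("cam-01", "tcp", 443, 1400), ("cam-01", "tcp", 443, 1380),
    ("cam-01", "udp", 53, 64), ("cam-01", "tcp", 443, 1410), ("cam-01", "udp", 53, 70),
    ("plug-02", "tcp", 8883, 120), ("plug-02", "tcp", 8883, 118), ("plug-02", "udp", 53, 62),
    ("plug-02", "tcp", 8883, 125), ("plug-02", "udp", 123, 48), ("plug-02", "tcp", 8883, 121),
]

def build_profiles(flows):
    """Learn a legitimate profile per device from normal traffic only."""
    by_dev = {}
    for dev, proto, port, size in flows:
        by_dev.setdefault(dev, []).append((proto, port, size))
    profiles = {}
    for dev, recs in by_dev.items():
        sizes = [s for _, _, s in recs]
        profiles[dev] = {
            "services": Counter((p, q) for p, q, _ in recs),  # (proto, port) pairs seen
            "size_mean": mean(sizes),
            "size_std": pstdev(sizes) or 1.0,  # guard against a constant-size device
        }
    return profiles

def novelty_score(profile, window):
    """0.0 fits the profile; larger values are increasingly unlike normal behaviour."""
    unseen = sum(1 for _, p, q, _ in window if (p, q) not in profile["services"])
    unseen_frac = unseen / len(window)  # share of flows to services never seen in training
    size_z = abs(mean(s for *_, s in window) - profile["size_mean"]) / profile["size_std"]
    return unseen_frac + min(size_z, 5.0) / 5.0  # size term capped so it stays in [0, 1]

def classify_window(profiles, window, threshold=0.5):
    """Return (device, score, is_anomalous) for a window of flows from one device."""
    dev = window[0][0]
    if dev not in profiles:
        return dev, float("inf"), True  # not whitelisted: no profile to compare against
    score = novelty_score(profiles[dev], window)
    return dev, round(score, 3), score >= threshold

if __name__ == "__main__":
    profiles = build_profiles(NORMAL)
    print(classify_window(profiles, [("cam-01", "tcp", 443, 1395), ("cam-01", "udp", 53, 66)]))
    print(classify_window(profiles, [("cam-01", "tcp", 23, 60), ("cam-01", "tcp", 2323, 60)]))
```

The threshold and the two-term score are placeholders for the learned novelty-detection model the thesis describes; the point is that only normal traffic is needed to train, and both unknown devices and known devices talking to unfamiliar services stand out.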
The fourth significant contribution is a near real-time malware detection solution tailored for embedded systems, named DeepWare. It identifies malware by examining representations of the executable's operation code (OpCode) sequence. We use Bidirectional Encoder Representations from Transformers (BERT) embedding, the state-of-the-art natural language processing (NLP) method, to extract contextual information from an executable file's OpCode sequence. The BERT-generated sentence embedding is fed into a hybrid multi-head CNN-BiLSTM-LocAtt deep learning (DL) model. The hybrid CNN-BiLSTM-LocAtt model combines the advantages of the convolutional neural network (CNN) and bidirectional long short-term memory (BiLSTM) with the benefits of the local attention mechanism (LocAtt) to detect malware. DeepWare extracts semantic and contextual features and captures long-term dependencies within OpCode sequences, improving detection performance.