Yinxin Wan,Kuai Xu,Feng Wang,Guoliang Xue

DOI: https://doi.org/10.1109/tnse.2020.3026961

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:As connected Internet-of-things (IoT) devices in smart homes, smart cities, and smart industries continue to grow in size and complexity, managing and securing them in distributed edge networks have become daunting but crucial tasks. The recent spate of cyber attacks exploiting the vulnerabilities and insufficient security management of IoT devices have highlighted the urgency and challenges for securing billions of IoT devices and applications. As a first step towards understanding and mitigating diverse security threats of IoT devices, this paper develops an IoT traffic measurement framework on programmable and intelligent edge routers to automatically collect incoming, outgoing, and internal network traffic of IoT devices in edge networks, and to build multidimensional behavioral profiles which characterize who, when, what, and why on the behavioral patterns of IoT devices based on continuously collected traffic data. To the best of our knowledge, this paper is the first effort to shed light on the IP-spatial, temporal, entropy, and cloud service patterns of IoT devices in edge networks, and to explore these multidimensional behavioral fingerprints for IoT device classification, anomaly traffic detection, and network security monitoring for vulnerable and resource-constrained IoT devices on the Internet.

Kuai Xu,Yinxin Wan,Guoliang Xue,Feng Wang

DOI: https://doi.org/10.1145/3326285.3329072

2019-01-01

Abstract:The last decade has witnessed research advances and wide deployment of Internet-of-things (IoT) in smart homes and connected industry. However, the recent spate of cyber attacks exploiting the vulnerabilities and insufficient security management of IoT devices have created serious challenges for securing IoT devices and applications. As a first step towards understanding and mitigating diverse security threats of IoT devices, this paper develops a measurement framework to automatically collect network traffic of IoT devices in edge networks, and build multidimensional behavioral profiles of these devices which characterize who, when, what, and why on the behavioral patterns of IoT devices based on continuously collected traffic data. To the best of our knowledge, this paper is the first effort to shed light on the IP-spatial, temporal, and cloud service patterns of IoT devices in edge networks, and to explore these multidimensional behavioral fingerprints for IoT device classification, anomaly traffic detection, and network security monitoring for millions of vulnerable and resource-constrained IoT devices on the Internet.

Marta Moure-Garrido,Carlos Garcia-Rubio,Celeste Campo

DOI: https://doi.org/10.3390/s24092690

IF: 3.9

2024-04-25

Sensors

Abstract:The deployment of Internet of Things (IoT) devices is widespread in different environments, including homes. Although security is incorporated, homes can become targets for cyberattacks because of their vulnerabilities. IoT devices generate Domain Name Server (DNS) traffic primarily for communication with Internet servers. In this paper, we present a detailed analysis of DNS traffic from IoT devices. The queried domains are highly distinctive, enabling attackers to easily identify the IoT device. In addition, we observed an unexpectedly high volume of queries. The analysis reveals that the same domains are repeatedly queried, DNS queries are transmitted in plain text over User Datagram Protocol (UDP) port 53 (Do53), and the excessive generation of traffic poses a security risk by amplifying an attacker's ability to identify IoT devices and execute more precise, targeted attacks, consequently escalating the potential compromise of the entire IoT ecosystem. We propose a simple measure that can be taken to reduce DNS traffic generated by IoT devices, thus preventing it from being used as a vector to identify the types of devices present in the network. This measure is based on the implementation of the DNS cache in the devices; caching few resources increases privacy considerably.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Hang Guo,John Heidemann

DOI: https://doi.org/10.1109/TNET.2020.3009425

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. To understand the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. With our IP-based algorithm, we report detections from a university campus over 4 months and from traffic transiting an IXP over 10 days. We apply our DNS-based algorithm to traffic from 8 root DNS servers from 2013 to 2018 to study AS-level IoT deployment. We find substantial growth (about <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$3.5\times $ </tex-math></inline-formula> ) in AS penetration for 23 types of IoT devices and modest increase in device type density for ASes detected with these device types (at most 2 device types in 80% of these ASes in 2018). DNS also shows substantial growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.

Kuai Xu,Feng Wang,Xiaohua Jia

DOI: https://doi.org/10.1002/sec.1569

2015-01-01

Abstract:These growing threats and broad damages have made it imperative to understand, characterize, filter, and reduce exploit traffic towards millions of home routers and billions of connected devices in the home. This paper presents a bloom-filter based analytic framework to capture persistent threats towards the same home routers and to identify correlated attacks towards distributed home networks. Our experimental results based on network traffic collected from real homes over 18 months have revealed a number of interesting findings on persistent and correlated threats towards home networks, which calls for improved security and management of home networks. To the best of our knowledge, this paper is the first effort to characterize cyber threats towards home networks and to propose a simple and yet effective approach to identify persistent and aggressive attacks towards home networks.

Tasnuva Mahjabin,Yang Xiao,Tieshan Li,C. L. Philip Chen

DOI: https://doi.org/10.1109/jiot.2019.2947659

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:A domain name system (DNS) is one of the most important infrastructures of the Internet communication. It is also a crucial point which is subjected to attacks. The largest distributed denial-of-service (DDoS) attack on October 21, 2016 has targeted a major DNS infrastructure named dynDNS. It was actually the Internet of Things (IoT) DNS flood attack that made more than half of websites in the United States unreachable for a significant amount of time. As we are using the Internet for everything in our life, especially health care and transportation, an attack of this type may cause a major disruption. Therefore, in this article, we are going to analyze the DNS flood attacks and propose two mitigation methods. We propose a load distributed mitigation process which will work as a quick escape route of the legitimate traffic from the attack field. Our solution mainly involves service level changes which can be implemented with collaboration among service providers. Also, our proposed solution is very cost effective as compared to the cost of downtime of the domain names caused by a DNS flood attack. Furthermore, we propose a benign-bot mitigation method and a business model for the method. In the benign-bot mitigation method, a bot program is installed in customers’ DNS local servers to allow IP addresses of a list of paid businesses’ websites to maintain in the caches so that the websites can be accessed even when the DNS servers are down.

Shiqi Tian,Cheng Fang,Jun Liu,Zhenming Lei

DOI: https://doi.org/10.1109/IHMSC.2016.53

2016-01-01

Abstract:DNS (Domain name System) is one of the most prevalent protocols on modern networks and is essential for the correct operation of many network activities including the malicious operation. Monitoring the DNS traffic is an effective method to detect malicious activities. In this paper, we proposed an approach to detect malicious domains by analyzing massive mobile web traffic data. We used multiple features to classify, including the textual features and the traffic statistics features of domains and presented three typical classifiers to compare the classifying effect of each. Spark framework is leveraged to speed up the calculation of a large-scale DNS traffic. The efficiency of our system makes us believe the approach can help a lot in the field of network security.

Yanjiong Wang,Qiaoyan Wen

DOI: https://doi.org/10.1049/cp.2011.0758

2011-01-01

Abstract:In the environment of Internet of Things (IoT), smart devices' privacy protection is a significant issue in several security problems. When a static domain name was assigned to a specified IoT terminal smart device, the risk of the existing privacy will be raised. In this article we proposed a privacy protection enhanced DNS scheme for smart devices, which can authenticate the original user's identity, reject illegal access to the smart device. The scheme is compatible with widely used DNS and DNSSEC protocol.

Zhiwei Yan,Hongtao Li,Sherali Zeadally,Yu Zeng,Guanggang Geng

DOI: https://doi.org/10.1109/access.2019.2901801

IF: 3.9

2019-01-01

IEEE Access

Abstract:The vision of the Internet of Things (IoT) covers not only the well-regulated processes of specific applications in different areas but also includes ubiquitous connectivity of more generic objects (or things and devices) in the physical world and the related information in the virtual world. For example, a typical IoT application, such as a smart city, includes smarter urban transport networks, upgraded water supply, and waste-disposal facilities, along with more efficient ways to light and heat buildings. For smart city applications and others, we require unique naming of every object and a secure, scalable, and efficient name resolution which can provide access to any object's inherent attributes with its name. Based on different motivations, many naming principles and name resolution schemes have been proposed. Some of them are based on the well-known domain name system (DNS), which is the most important infrastructure in the current Internet, while others are based on novel designing principles to evolve the Internet. Although the DNS is evolving in its functionality and performance, it was not originally designed for the IoT applications. Then, a fundamental question that arises is: can current DNS adequately provide the name service support for IoT in the future? To address this question, we analyze the strengths and challenges of DNS when it is used to support ubiquitous IoT. First, we analyze the requirements of the IoT name service by using five characteristics, namely security, mobility, infrastructure independence, localization, and efficiency, which we collectively refer to as SMILE. Then, we discuss the pros and cons of the DNS in satisfying SMILE in the context of the future evolution of the IoT environment.

Liangdong Deng,Yuzhou Feng,Dong Chen,Naphtali Rishe

DOI: https://doi.org/10.1109/milcom47813.2019.9020977

2019-01-01

Abstract:The Internet of Things (IoT) has been erupting the world widely over the decade. Smart home owners and smart building managers are increasingly deploying IoT devices to monitor and control their environments due to the rapid decline in the price of IoT devices. The network traffic data produced by these IoT devices are collected by Internet Service Providers (ISPs) and telecom providers, and often shared with third-parties to maintain and promote user services. Such network traffic data is considered "anonymous" if it is not associated with identifying device information, e.g., MAC address and DHCP negotiation. Extensive prior work has shown that IoT devices are vulnerable to multiple cyber attacks. However, people do not believe that these attacks can be launched successfully without the knowledge of what IoT devices are deployed in their houses. Our key insight is that the network traffic data is not anonymous: IoT devices have unique network traffic patterns, and they embedded detailed device information. To explore the severity and extent of this privacy threat, we design IoTSpot to identify the IoT devices using their "anonymous" network traffic data. We evaluate IoTSpot on publicly-available network traffic data from 3 homes. We find that IoTSpot is able to identify 19 IoT devices with F1 accuracy of 0.984. More importantly, our approach only requires very limited data for training, as few as 40 minutes. IoTSpot paves the way for operators of smart homes and smart buildings to monitor the functionality, security and privacy threat without requiring any additional devices.

Jawad Ahmed

DOI: https://doi.org/10.48550/arXiv.2205.08968

2022-05-18

Cryptography and Security

Abstract:Enterprise Networks are growing in scale and complexity, with heterogeneous connected assets needing to be secured in different ways. Nevertheless, virtually all connected assets use the Domain Name System (DNS) for address resolution, and DNS has thus become a convenient vehicle for attackers to covertly perform Command and Control (C&C) communication, data theft, and service disruption across a wide range of assets. Enterprise security appliances that monitor network traffic typically allow all DNS traffic through as it is vital for accessing any web service; they may at best match against a database of known malicious patterns, and are therefore ineffective against zero-day attacks. This thesis focuses on three high-impact cyber-attacks that leverage DNS, specifically data exfiltration, malware C&C communication, and service disruption. Using big data (over 10B packets) of DNS network traffic collected from a University campus and a Government research organization over a 6-month period, we illustrate the anatomy of these attacks, train machines for automatically detecting such attacks, and evaluate their efficacy in the field.

Oliver Thompson,Anna Maria Mandalari,Hamed Haddadi

DOI: https://doi.org/10.1145/3488659.3493777

2021-12-07

Abstract:Consumer Internet of Things (IoT) devices are increasingly common in everyday homes, from smart speakers to security cameras. Along with their benefits come potential privacy and security threats. To limit these threats we must implement solutions to filter IoT traffic at the edge. To this end the identification of the IoT device is the first natural step. In this paper we demonstrate a novel method of rapid IoT device identification that uses neural networks trained on device DNS traffic that can be captured from a DNS server on the local network. The method identifies devices by fitting a model to the first seconds of DNS second-level-domain traffic following their first connection. Since security and privacy threat detection often operate at a device specific level, rapid identification allows these strategies to be implemented immediately. Through a total of 51,000 rigorous automated experiments, we classify 30 consumer IoT devices from 27 different manufacturers with 82% and 93% accuracy for product type and device manufacturers respectively.

Yousef Amar,Hamed Haddadi,Richard Mortier,Anthony Brown,James Colley,Andy Crabtree

DOI: https://doi.org/10.48550/arXiv.1803.05368

2018-03-14

Abstract:Internet-connected devices are increasingly present in our homes, and privacy breaches, data thefts, and security threats are becoming commonplace. In order to avoid these, we must first understand the behaviour of these devices. In this work, we analyse network traces from a testbed of common IoT devices, and describe general methods for fingerprinting their behavior. We then use the information and insights derived from this data to assess where privacy and security risks manifest themselves, as well as how device behavior affects bandwidth. We demonstrate simple measures that circumvent attempts at securing devices and protecting privacy.

Networking and Internet Architecture

Nan Zhang,Soteris Demetriou,Xianghang Mi,Wenrui Diao,Kan Yuan,Peiyuan Zong,Feng Qian,XiaoFeng Wang,Kai Chen,Yuan Tian,Carl A. Gunter,Kehuan Zhang,Patrick Tague,Yue-Hsun Lin

DOI: https://doi.org/10.48550/arXiv.1703.09809

2017-03-29

Abstract:Inspired by the boom of the consumer IoT market, many device manufacturers, start-up companies and technology giants have jumped into the space. Unfortunately, the exciting utility and rapid marketization of IoT, come at the expense of privacy and security. Industry reports and academic work have revealed many attacks on IoT systems, resulting in privacy leakage, property loss and large-scale availability problems. To mitigate such threats, a few solutions have been proposed. However, it is still less clear what are the impacts they can have on the IoT ecosystem. In this work, we aim to perform a comprehensive study on reported attacks and defenses in the realm of IoT aiming to find out what we know, where the current studies fall short and how to move forward. To this end, we first build a toolkit that searches through massive amount of online data using semantic analysis to identify over 3000 IoT-related articles. Further, by clustering such collected data using machine learning technologies, we are able to compare academic views with the findings from industry and other sources, in an attempt to understand the gaps between them, the trend of the IoT security risks and new problems that need further attention. We systemize this process, by proposing a taxonomy for the IoT ecosystem and organizing IoT security into five problem areas. We use this taxonomy as a beacon to assess each IoT work across a number of properties we define. Our assessment reveals that relevant security and privacy problems are far from solved. We discuss how each proposed solution can be applied to a problem area and highlight their strengths, assumptions and constraints. We stress the need for a security framework for IoT vendors and discuss the trend of shifting security liability to external or centralized entities. We also identify open research problems and provide suggestions towards a secure IoT ecosystem.

Cryptography and Security

Su Wang,Keyang Yu,Qi Li,Dong Chen

2024-06-15

Abstract:The Internet traffic data produced by the Internet of Things (IoT) devices are collected by Internet Service Providers (ISPs) and device manufacturers, and often shared with their third parties to maintain and enhance user services. Unfortunately, on-path adversaries could infer and fingerprint users' sensitive privacy information such as occupancy and user activities by analyzing these network traffic traces. While there's a growing body of literature on defending against this side-channel attack-malicious IoT traffic analytics (TA), there's currently no systematic method to compare and evaluate the comprehensiveness of these existing studies. To address this problem, we design a new low-cost, open-source system framework-IoT Traffic Exposure Monitoring Toolkit (ITEMTK) that enables people to comprehensively examine and validate prior attack models and their defending approaches. In particular, we also design a novel image-based attack capable of inferring sensitive user information, even when users employ the most robust preventative measures in their smart homes. Researchers could leverage our new image-based attack to systematize and understand the existing literature on IoT traffic analysis attacks and preventing studies. Our results show that current defending approaches are not sufficient to protect IoT device user privacy. IoT devices are significantly vulnerable to our new image-based user privacy inference attacks, posing a grave threat to IoT device user privacy. We also highlight potential future improvements to enhance the defending approaches. ITEMTK's flexibility allows other researchers for easy expansion by integrating new TA attack models and prevention methods to benchmark their future work.

Cryptography and Security,Systems and Control

Yuzhou Feng,Liangdong Deng,Dong Chen

DOI: https://doi.org/10.1145/3317549.3326320

2019-01-01

Abstract:The Internet of Things (IoT) has been erupting world widely over the decade. However, the security and privacy leakage issues from IoT devices are surfaced to a major flaw for IoT device operators. An attacker may use network traffic data to identify IoT devices and launch attacks on their target devices. To explore the severity and extent of this privacy threat, we design a hybrid ML-based IoT device identification framework. Our key insight is that typically an IoT device has a unique traffic signature and it is already embedded in its network traffic. Unlike other existing work using complex modeling, we show that the majority of IoT devices can be easily identified using our empirical models, and the other devices can also be correctly classified using our ML-based models. We instrument a smart IoT experiment environment to verify and evaluate our approaches. Our framework paves the way for operators of smart homes to monitor the functionality, security and privacy threat without requiring any additional devices.

Arunan Sivanathan

DOI: https://doi.org/10.48550/arXiv.2001.10632

2020-01-29

Abstract:Smart homes, enterprises, and cities are increasingly being equipped with a plethora of Internet of Things (IoT), ranging from smart-lights to security cameras. While IoT networks have the potential to benefit our lives, they create privacy and security challenges not seen with traditional IT networks. Due to the lack of visibility, operators of such smart environments are not often aware of their IoT assets, let alone whether each IoT device is functioning properly safe from cyber-attacks. This thesis is the culmination of our efforts to develop techniques to profile the network behavioral pattern of IoTs, automate IoT classification, deduce their operating context, and detect anomalous behavior indicative of cyber-attacks. We begin this thesis by surveying IoT ecosystem, while reviewing current approaches to vulnerability assessments, intrusion detection, and behavioral monitoring. For our first contribution, we collect traffic traces and characterize the network behavior of IoT devices via attributes from traffic patterns. We develop a robust machine learning-based inference engine trained with these attributes and demonstrate real-time classification of 28 IoT devices with over 99% accuracy. Our second contribution enhances the classification by reducing the cost of attribute extraction while also identifying IoT device states. Prototype implementation and evaluation demonstrate the ability of our supervised machine learning method to detect behavioral changes for five IoT devices. Our third and final contribution develops a modularized unsupervised inference engine that dynamically accommodates the addition of new IoT devices and/or updates to existing ones, without requiring system-wide retraining of the model. We demonstrate via experiments that our model can automatically detect attacks and firmware changes in ten IoT devices with over 94% accuracy.

Networking and Internet Architecture,Cryptography and Security,Machine Learning

ZHANG Jianwu,AN Yanjun,DENG Huangyan

DOI: https://doi.org/10.11959/j.issn.1000-0801.2022248

2022-01-01

Abstract:With the gradual evolution of the traditional Internet to “Internet+”, the domain name system (DNS) had been continuously expanding from basic address resolution to new models such as comprehensive perception and reliable transmission.Due to the diverse functions and the extensive coverage of DNS in the new scenario, it will cause serious consequences once attacked.Therefore, the research on DNS attack detection and security protection continues and attracts more and more attention.Firstly, several common DNS attacks were introduced, including DNS spoofing, DNS covert channel, DNS distributed denial of service (DDoS) attack, DNS reflection amplification attacks, and malicious DGA domain names.Subsequently, these DNS attack detection technologies were systematically analyzed and summarized from the machine learning perspective.Then, the DNS security protection technologies were sorted out in decentralization, authenticated encryption and limited resolution.Finally, some future research directions were proposed.

Hang Guo,John Heidemann

DOI: https://doi.org/10.1145/3229565.3229572

2018-01-01

Abstract:Recent IoT-based DDoS attacks have exposed how vulnerable the Internet can be to millions of insufficiently secured IoT devices. To understand the risks of these attacks requires learning about these IoT devices---where are they, how many are there, how are they changing? In this paper, we propose a new method to find IoT devices in Internet to begin to assess this threat. Our approach requires observations of flow-level network traffic and knowledge of servers run by the manufacturers of the IoT devices. We have developed our approach with 10 device models by 7 vendors and controlled experiments. We apply our algorithm to observations from 6 days of Internet traffic at a college campus and partial traffic from an IXP to detect IoT devices.

Hongyu Gao,Vinod Yegneswaran,Jian Jiang,Yan Chen,Phillip Porras,Shalini Ghosh,Haixin Duan

DOI: https://doi.org/10.1109/tnet.2014.2358637

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i. e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.