DOI: 10.1145/3352700.3352718
Research article, ECBS conference proceedings

Security Monitoring of IoT Communication Using Flows

Published: 02 September 2019

Abstract

Network monitoring is an important part of network management that collects valuable metadata describing active communication protocols, network transmissions, bandwidth utilization, and the most active communicating nodes. Traditional IP network monitoring techniques include SNMP, flow monitoring, and system logging. In Internet of Things (IoT) networks, however, these approaches do not provide sufficient visibility into IoT communication to let network administrators identify possible attacks on IoT nodes. The reasons are clear: IoT devices lack the computational resources to fully implement monitoring agents, IoT data communication on the LAN often runs directly over data link layers rather than IP, and IoT sensors produce an endless stream of small packets that can be difficult to process in real time. To tackle these limitations we propose a new IoT monitoring model based on extended IPFIX records. The model employs a passive monitoring probe that observes IoT traffic and collects metadata from IoT protocols. Using the extended IPFIX protocol, flow records carrying IoT metadata are sent to a collector, where they are analyzed to provide a global view of the whole IoT network and its communication. We also present two statistical approaches that analyze IoT flow data to detect security incidents or device malfunction. The proof-of-concept implementation is demonstrated for Constrained Application Protocol (CoAP) traffic in a smart home environment.
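As an added illustration of the extraction step the model describes (not code from the paper or its authors): a minimal parser that pulls CoAP metadata (message type, code, message ID, Uri-Path) out of UDP payloads and aggregates packets into flow records keyed by the CoAP fields an extended IPFIX template would carry to the collector. The packet tuples and datagrams below are constructed for the example; the header layout and option numbers follow RFC 7252.

```python
import struct
from collections import defaultdict

URI_PATH = 11  # CoAP option number for Uri-Path (RFC 7252, section 5.10)

def _ext(nibble, buf, pos):
    """Decode a 4-bit option delta/length plus its 13/14 extension bytes."""
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    return nibble, pos

def parse_coap(dgram):
    """Return type (0=CON,1=NON,2=ACK,3=RST), code, message id and URI path."""
    if len(dgram) < 4 or dgram[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    msg_type, tkl = (dgram[0] >> 4) & 0x3, dgram[0] & 0xF
    code = f"{dgram[1] >> 5}.{dgram[1] & 0x1F:02d}"      # e.g. 0.01 = GET, 0.03 = PUT
    mid = struct.unpack_from("!H", dgram, 2)[0]
    pos, opt_num, path = 4 + tkl, 0, []                   # options start after the token
    while pos < len(dgram) and dgram[pos] != 0xFF:        # 0xFF is the payload marker
        first = dgram[pos]
        delta, pos = _ext(first >> 4, dgram, pos + 1)
        length, pos = _ext(first & 0xF, dgram, pos)
        opt_num += delta                                  # option numbers are cumulative deltas
        if opt_num == URI_PATH:
            path.append(dgram[pos:pos + length].decode())
        pos += length
    return {"type": msg_type, "code": code, "mid": mid, "uri": "/" + "/".join(path)}

def build_flows(packets):
    """Aggregate packets into records keyed by endpoints plus CoAP code and URI,
    the IoT metadata an extended IPFIX record would export to the collector."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, dport, payload in packets:
        meta = parse_coap(payload)
        rec = flows[(src, dst, dport, meta["code"], meta["uri"])]
        rec["packets"] += 1
        rec["bytes"] += len(payload)
    return dict(flows)

# Constructed sample datagrams (not captured traffic): (src, dst, dst port, CoAP payload)
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.10", 5683, bytes.fromhex("40011234") + b"\xb7sensors\x04temp"),
    ("10.0.0.5", "10.0.0.10", 5683, bytes.fromhex("40011235") + b"\xb7sensors\x04temp"),
    ("10.0.0.9", "10.0.0.10", 5683, bytes.fromhex("40031236") + b"\xb9actuators\x05relay\x10\xff1"),
    ("10.0.0.6", "10.0.0.10", 5683, bytes.fromhex("50010007") + b"\xbd\x00environment-1\x04temp"),
]
```

The fourth datagram uses the extended length encoding (nibble 13 plus one byte), so the parser is exercised on a path segment longer than 12 bytes.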



Published In

ECBS '19: Proceedings of the 6th Conference on the Engineering of Computer Based Systems, September 2019, 182 pages

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. CoAP
  2. IPFIX
  3. Internet of Things
  4. monitoring
  5. security
  6. statistical anomaly detection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ECBS '19

Acceptance Rates

ECBS '19 Paper Acceptance Rate 25 of 49 submissions, 51%;
Overall Acceptance Rate 25 of 49 submissions, 51%
