DOI: 10.1145/3229565.3229571
Combining MUD Policies with SDN for IoT Intrusion Detection

Published: 07 August 2018

Abstract

The IETF's push towards standardizing the Manufacturer Usage Description (MUD) grammar and mechanism for specifying IoT device behavior is gaining increasing interest from industry. The ability to block inappropriate communication between devices with access control lists (ACLs) is expected to limit the attack surface of IoT devices; however, little is known about how MUD policies will be enforced in operational networks, or how they will interact with current and future intrusion detection systems (IDS). We believe this paper is the first attempt to translate MUD policies into flow rules that can be enforced using SDN, and to relate exception behavior to attacks that can be detected by an off-the-shelf IDS. Our first contribution develops and implements a system that translates MUD policies into flow rules, some configured proactively into network switches and others inserted reactively as the DNS names in a policy are bound to addresses at run time. We use traces of 28 consumer IoT devices collected over several months to evaluate the performance of our system in terms of switch flow-table size and the fraction of exception traffic that needs software inspection. Our second contribution identifies the limitations of MUD-derived flow rules in protecting IoT devices from internal and external network attacks, and we show how our system detects such volumetric attacks (including port scanning, TCP/UDP/ICMP flooding, ARP spoofing, and TCP/SSDP/SNMP reflection) while sending only a very small fraction of packets, the exceptions, to an off-the-shelf IDS.
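The translation the abstract describes, as an added worked example that is not the authors' code (nor their MUDgee or SDN tooling): a MUD file in the JSON layout of RFC 8520 (the published form of draft-ietf-opsawg-mud-18) is compiled into switch flow rules. ACEs that match the local network or a literal address become proactive rules; an ACE whose peer is a DNS name (ietf-acldns:dst-dnsname) is held back and installed reactively when a DNS answer binds the name to an address; a lowest-priority table-miss rule sends everything else to the IDS as exception traffic. The MUD file, device address, local prefix, DNS answer and packets are constructed for the example, and the rule and packet dictionaries stand in for OpenFlow match fields rather than any real controller API.

```python
"""MUD ACEs -> flow rules, proactive and DNS-reactive. Added example, not the paper's code.
Follows the MUD/ACL JSON layout of RFC 8520 (published form of draft-ietf-opsawg-mud-18).
MUD file, device address, DNS answer and packets are constructed; rule dicts stand in for
OpenFlow match fields and are not a controller API."""
import ipaddress
import json

DEVICE_IP = "192.168.1.20"    # constructed: address of the device this profile governs
LOCAL_NET = "192.168.1.0/24"  # constructed: what 'local-networks' expands to at this site

# Constructed MUD file: a camera that speaks HTTPS to its cloud, queries the local DNS
# resolver, and accepts HTTP from hosts on the local network.
MUD_FILE = json.loads("""{
 "ietf-mud:mud": {
  "from-device-policy": {"access-lists": {"access-list": [{"name": "from-dev"}]}},
  "to-device-policy": {"access-lists": {"access-list": [{"name": "to-dev"}]}}},
 "ietf-access-control-list:acls": {"acl": [
  {"name": "from-dev", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "cloud-out", "actions": {"forwarding": "accept"},
    "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "cam.cloud.example", "protocol": 6},
                "tcp": {"destination-port": {"operator": "eq", "port": 443}}}},
   {"name": "dns-out", "actions": {"forwarding": "accept"},
    "matches": {"ipv4": {"destination-ipv4-network": "192.168.1.1/32", "protocol": 17},
                "udp": {"destination-port": {"operator": "eq", "port": 53}}}}]}},
  {"name": "to-dev", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "lan-http", "actions": {"forwarding": "accept"},
    "matches": {"ietf-mud:mud": {"local-networks": [null]}, "ipv4": {"protocol": 6},
                "tcp": {"destination-port": {"operator": "eq", "port": 80}}}}]}}]}}""")

def _dst_port(matches):
    """Destination port from the tcp/udp container, or None if the ACE has no port match."""
    for l4 in ("tcp", "udp"):
        port = matches.get(l4, {}).get("destination-port")
        if port and port.get("operator") == "eq":
            return port["port"]
    return None

def ace_to_rule(ace, direction):
    """One ACE -> (rule, dnsname); dnsname is set when the peer is a DNS name, so the
    rule cannot be installed until a DNS answer binds the name to an address."""
    m, ip = ace["matches"], ace["matches"].get("ipv4", {})
    rule = {"name": ace["name"], "priority": 100, "ip_proto": ip.get("protocol"),
            "dst_port": _dst_port(m), "action": ace["actions"]["forwarding"]}
    dev_key, peer_key = ("src_ip", "dst_ip") if direction == "from-device" else ("dst_ip", "src_ip")
    rule[dev_key] = ipaddress.ip_network(DEVICE_IP + "/32")  # the device is always one endpoint
    if "local-networks" in m.get("ietf-mud:mud", {}):
        rule[peer_key] = ipaddress.ip_network(LOCAL_NET)
    elif direction == "from-device" and "destination-ipv4-network" in ip:
        rule[peer_key] = ipaddress.ip_network(ip["destination-ipv4-network"])
    elif direction == "to-device" and "source-ipv4-network" in ip:
        rule[peer_key] = ipaddress.ip_network(ip["source-ipv4-network"])
    else:
        return rule, ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
    return rule, None

def compile_mud(mud):
    """Split a MUD file into proactive rules (installed now) and rules pending a DNS binding."""
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    table, pending = [], {}
    for policy, direction in (("from-device-policy", "from-device"), ("to-device-policy", "to-device")):
        for ref in mud["ietf-mud:mud"][policy]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                rule, dnsname = ace_to_rule(ace, direction)
                if dnsname:
                    pending.setdefault(dnsname, []).append((rule, direction))
                else:
                    table.append(rule)
    # Lowest priority: whatever the profile does not allow is an exception sent to the IDS.
    table.append({"name": "table-miss", "priority": 0, "action": "to-ids"})
    return table, pending

def on_dns_answer(table, pending, name, addr):
    """Reactive insertion on an observed DNS reply; returns how many rules were installed."""
    key = {"from-device": "dst_ip", "to-device": "src_ip"}
    bound = [dict(r, **{key[d]: ipaddress.ip_network(addr + "/32")}) for r, d in pending.get(name, [])]
    table.extend(bound)
    return len(bound)

def lookup(table, pkt):
    """Action of the highest-priority rule matching a packet {src, dst, proto, dport}."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for rule in sorted(table, key=lambda r: -r["priority"]):
        if rule["name"] == "table-miss":
            return rule["action"]
        if (src in rule["src_ip"] and dst in rule["dst_ip"]
                and rule["ip_proto"] in (None, pkt["proto"])
                and rule["dst_port"] in (None, pkt["dport"])):
            return rule["action"]
    return "to-ids"

def demo():
    """Cloud connection before/after its DNS binding, a LAN HTTP request, and a telnet probe
    from a LAN host (one packet of a port scan); returns the fate of each packet."""
    table, pending = compile_mud(MUD_FILE)
    cloud = {"src": DEVICE_IP, "dst": "203.0.113.10", "proto": 6, "dport": 443}
    out = {"before_dns": lookup(table, cloud)}  # no binding yet: exception to IDS
    on_dns_answer(table, pending, "cam.cloud.example", "203.0.113.10")
    out["after_dns"] = lookup(table, cloud)  # now matched in the switch
    out["lan_http"] = lookup(table, {"src": "192.168.1.50", "dst": DEVICE_IP, "proto": 6, "dport": 80})
    out["scan_telnet"] = lookup(table, {"src": "192.168.1.50", "dst": DEVICE_IP, "proto": 6, "dport": 23})
    return out
```

Two things the example makes visible that the abstract only states: the device's cloud traffic is exception traffic until the DNS binding exists, so a device that hard-codes an address or caches a resolution across the controller's view of DNS generates IDS load instead of being accepted in hardware; and a LAN port scan against the device matches no allowed rule, so only the scan packets themselves, not the LAN's permitted traffic, reach the IDS. In a real deployment the reactive rules also need the DNS answer's TTL and a flow idle timeout, otherwise the flow table grows with every resolution, which is the flow-table-size trade-off the evaluation measures.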


Published In

IoT S&P '18: Proceedings of the 2018 Workshop on IoT Security and Privacy
August 2018
61 pages
ISBN:9781450359054
DOI:10.1145/3229565

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Intrusion Detection
  2. IoT
  3. MUD
  4. SDN

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Australian Research Council (ARC)

Conference

SIGCOMM '18
Sponsor:
SIGCOMM '18: ACM SIGCOMM 2018 Conference
August 20, 2018
Budapest, Hungary

Acceptance Rates

Overall Acceptance Rate 12 of 30 submissions, 40%

Article Metrics

  • Downloads (Last 12 months)221
  • Downloads (Last 6 weeks)35
Reflects downloads up to 28 Dec 2024

Cited By

  • (2024) A Comprehensive Review of Internet-of-Things (IoT) Botnet Detection Techniques. In: Smart and Agile Cybersecurity for IoT and IIoT Environments, pp. 50-81, 30 Jun 2024. DOI: 10.4018/979-8-3693-3451-5.ch003
  • (2024) Supervising Smart Home Device Interactions: A Profile-Based Firewall Approach. In: 2024 IFIP Networking Conference (IFIP Networking), pp. 413-422, 3 Jun 2024. DOI: 10.23919/IFIPNetworking62109.2024.10619760
  • (2024) Studying the Robustness of Anti-Adversarial Federated Learning Models Detecting Cyberattacks in IoT Spectrum Sensors. IEEE Transactions on Dependable and Secure Computing 21(2):573-584, Mar 2024. DOI: 10.1109/TDSC.2022.3204535
  • (2024) Realizing Open and Decentralized Marketplace for Exchanging Data of Expected IoT Behaviors. In: NOMS 2024 - IEEE Network Operations and Management Symposium, pp. 1-5, 6 May 2024. DOI: 10.1109/NOMS59830.2024.10575272
  • (2024) A look into smart factory for Industrial IoT driven by SDN technology: A comprehensive survey of taxonomy, architectures, issues and future research orientations. Journal of King Saud University - Computer and Information Sciences 36(5):102069, Jun 2024. DOI: 10.1016/j.jksuci.2024.102069
  • (2024) A deep analysis of nature-inspired and meta-heuristic algorithms for designing intrusion detection systems in cloud/edge and IoT: state-of-the-art techniques, challenges, and future directions. Cluster Computing 27(7):8789-8815, 26 Apr 2024. DOI: 10.1007/s10586-024-04385-8
  • (2023) A Comprehensive Survey on Knowledge-Defined Networking. Telecom 4(3):477-596, 2 Aug 2023. DOI: 10.3390/telecom4030025
  • (2023) Efficient IoT Traffic Inference: From Multi-view Classification to Progressive Monitoring. ACM Transactions on Internet of Things 5(1):1-30, 16 Dec 2023. DOI: 10.1145/3625306
  • (2023) Apt Detection of Ransomware - An Approach to Detect Advanced Persistent Threats Using System Call Information. In: 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1621-1630, 1 Nov 2023. DOI: 10.1109/TrustCom60117.2023.00221
  • (2023) Programmable Active Scans Controlled by Passive Traffic Inference for IoT Asset Characterization. In: NOMS 2023 - IEEE/IFIP Network Operations and Management Symposium, pp. 1-6, 8 May 2023. DOI: 10.1109/NOMS56928.2023.10154292