Accepted Manuscript

A Survey on Internet of Things Security from Data Perspectives

Jianwei Hou, Leilei Qu, Wenchang Shi

PII: S1389-1286(18)30684-4
DOI: https://doi.org/10.1016/j.comnet.2018.11.026
Reference: COMPNW 6655

To appear in: Computer Networks

Received date: 6 August 2018

Revised date: 31 October 2018
Accepted date: 27 November 2018

Please cite this article as: Jianwei Hou, Leilei Qu, Wenchang Shi, A Survey on In-
ternet of Things Security from Data Perspectives, Computer Networks (2018), doi:
https://doi.org/10.1016/j.comnet.2018.11.026

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service
to our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please
note that during the production process errors may be discovered which could affect the content, and
all legal disclaimers that apply to the journal pertain.
 ACCEPTED MANUSCRIPT

A Survey on Internet of Things Security from Data Perspectives

Jianwei Houa , Leilei Qua , Wenchang Shia,∗

a School of Information, Renmin University of China, Beijing, P.R. China

Abstract

T
As the Internet of Things (IoT) sees an increasing use in the society, the security challenge it faces is becoming more
and more severe. Data collected and shared in the IoT plays an important role in the significance of the IoT. Observing

IP
from a data perspective may be of great help in understanding IoT security. Though a number of surveys on IoT

CR
security have been out there, none of them is from such a perspective. To fill the gap, this paper investigates IoT
security from data perspectives. Combining the concept of typical IoT architectures with data life cycles, the paper
proposes a three-dimensional approach to exploring IoT security, i.e., with the one-stop, multi-stop and end-application

US
dimensions. The one-stop dimension explores IoT security by observing data on an IoT device, the multi-stop dimension
by observing data among a group of IoT entities, and the end-application dimension by observing data used in IoT
applications. While data may flow from IoT end-point devices through the Internet to a cloud or vice versa, the most
AN
demanding IoT-specific issues are in the space from IoT end-point devices to the border of the Internet, therefore the
paper focuses on this space. The one-stop dimension discusses IoT security with respect to data that may flow from and
to an end-point device. The multi-stop dimension works from the angle of data among a group of IoT entities, concerning
M

secure communication, authentication and access control. The end-application dimension acts from the viewpoint of
data usage in IoT applications, covering privacy, forensics, and social or legal challenges of the entire system. The paper
ED

makes an in-depth analysis of the latest development in IoT security by observing from data perspectives, summarizing
open issues and suggesting promising directions for further research and applications of IoT security.
Keywords: Internet of Things, Security, Safety, Privacy, Forensics
PT

1. Introduction pointed out that over the past two years, 90 percent of the
CE

world’s data had been generated at a speed of over 205,000

The Internet of Things (IoT) is a marvel of technology
gigabytes per second, which was approximately equivalent
development, which enhances more and more pervasive
to 150 million books[2]. From healthcare and retail to
AC

connectivity around the world. It expands the com-

15 transportation and manufacturing, IoT provides smart
5 munication capability of information and communication
services by extracting valuable information from various
technologies (ICTs) from “Any TIME” and “Any PLACE”
kinds of data collected by IoT end-point devices, which
to “Any THING” [1]. However, on the other hand, it
has a significant impact on social production and people’s
makes the security situation more and more severe.
life. It is incomplete to discuss IoT without considering
Obviously, the IoT stimulates an explosive growth
20 data.
10 of data. The Norwegian research organization SINTEF
An IoT end-point device is not only a simple data
∗ Correspondingauthor collecting device. Most importantly, it has mandatory
Email address: wenchang@ruc.edu.cn (Wenchang Shi)

Preprint submitted to Journal of LATEX Templates 27th November 2018

 ACCEPTED MANUSCRIPT

which consists of a sensing layer, a networking and data

Retail
Transportation
communication layer and an application layer[15]. Our
Smart home

Cloud 50 framework is consistent with such an architecture. It can

Healthcare
Local G
be divided into three dimensions, which are named as one-
c

network Internet Storage Processing Analytics

b
stop dimension, multi-stop dimension and end-application
G

dimension. These dimensions have their focuses on a

Sensing Networking and data communication Application
single IoT device, IoT entity groups and IoT applications,
a communication via
gateway
G gateway 55 respectively. The paper explores IoT security through
communication

T
b IoT device
c
without gateway
direct communication API
these dimensions. From the one-stop dimension, data

IP
on one IoT device is observed. From the multi-stop
dimension, data moving in a group of IoT entities is

CR
Figure 1: An overall architecture of an IoT system observed. From the end-application dimension, data
60 used in IoT applications is observed. With the one-stop
communication capabilities. It is a kind of data source in
dimension, IoT security is explored based on data that

25
some sense, which may provide data to back-end servers
on the Internet. Standalone devices such as smart watches
or smart meters are counted as IoT devices. However, IoT
US is captured by an end-point device and sent out to the
Internet or that is received by the end-point device from
the Internet. With the multi-stop dimension, IoT security
AN
devices are usually embedded in large systems, such as
65 is discussed in consideration of data flowing among a group
electronic control units (ECU) in networked vehicles[3].
of IoT entities. With the end-application dimension, IoT
A great value of the IoT is that it can capture
security is analyzed according to the usage of data in IoT
M

30 and make use of a variety of data concerning natural

applications. Put together, investigations from the whole
environments as well as human beings. Data makes the
framework may present a holistic landscape of IoT security.
ED

IoT alive. We believe that, similar to that observing blood

70 Observed from its whole life cycle, data may exist
in a human body is useful to have insights into people’s
anywhere in the IoT environment, including on an end-
health, observing data in an IoT environment may help to
point device, on the Internet, or in a cloud. IoT data may
PT

35 understand the security of the IoT.

flow from IoT end-point devices through the Internet to a
A number of researchers have published their surveys
cloud, or vice versa. Undoubtedly, IoT security related to
CE

on IoT security from several different perspectives[4–14].

75 IoT data must be investigated with consideration of the
However, to our knowledge, none of those surveys takes
whole IoT environment. However, the most IoT-specific
data as the main clue. In our opinion, there may be
points of IoT security that call for IoT-specific solutions
AC

40 something missing in the understanding of IoT security

are lying in the space from IoT end-point devices to the
in that case. To fill the gap, this paper probes into IoT
border of the Internet. Therefore, the paper focuses on this
security by observing data playing in the IoT environment.
80 domain, which we call the end-point domain for brevity.
To capture a comprehensive data-driven picture of IoT
It makes an in-depth analysis of the latest development
security, the paper proposes an investigation framework
in IoT security from data perspectives, summarizes open
45 that takes both IoT architectures and data life cycles into
issues, and suggests promising directions for further study
account. As shown in Figure 1, one of the typical IoT
and applications of IoT security.
architectures describes the IoT as a multi-layered network,
85 The rest of the paper is organized as follows. In Section

2
 ACCEPTED MANUSCRIPT

2, we summarize related work of existing IoT security Some surveys focused on security solutions to IoT
surveys. In Section 3, 4 and 5, we present discussions security issues. [10] proposed a taxonomy to classify
of IoT security from each dimension, respectively. Finally,125 IoT security threats into four aspects, which are related
we conclude the paper with Section 6. to application, architecture, communication, and data.
[11]provided an overview of research efforts in terms of
90 2. Related Work access control, confidentiality, authentication, authoriza-
tion, privacy, middleware, and trust in IoT. These surveys
There are a number of surveys discussing IoT security
130 mainly discussed classical security solutions to IoT security
from different perspectives in the literature.

T
based on cryptographic approaches.
[4] explored security-affecting factors in IoT that di-

IP
Some efforts surveyed IoT security from the perspective
vided IoT security into three categories, which are factors
of IoT architectures. Authors in [12] investigated IoT
95 that made security more challenging for IoT, factors that

CR
security challenges by discussing attacks in each layer of an
facilitated security assurance, and factors that made IoT
135 IoT three-tier architecture. Considering that techniques
security different from traditional network security. It
supporting an IoT architecture may have more or less se-
helps understanding the specificity of IoT security.

100
[5] and [6] focused on trust management in an IoT
environment. [6] proposed a research model of trust
US curity problems, authors in [13] and [14] discussed security
issues related to techniques and protocols concerning each
layer of an IoT architecture and introduced corresponding
AN
management in IoT based on IoT system models. Trust
140 solutions. They explored IoT security with regard to each
management in IoT covers not only trust management
layer of an IoT architecture, giving an overview of IoT
in each layer and cross-layers but also user trust in IoT
security. However, it is insufficient to investigate IoT
M

devices and services. [5] focused on trust computation

security according to isolated layers of an IoT architecture.
105 in assessing trustworthiness of services in an IoT environ-
More efforts should be taken to explore the security of an
ment.
ED

145 IoT system in a holistic way.

Since a distributed architecture is a future direction of
The aforementioned contributions from the literature
IoT development, [7] analyzed the features of distributed
have laid a good foundation for understanding IoT security
PT

and centralized IoT systems. And it studied the challenges

from several different perspectives. Nevertheless, data has
110 and promising measures in design and deployment of
not yet been put in a leading position in portraying IoT
distributed IoT security mechanisms, concerning authen-
CE

150 security. We firmly believe that a data-driven observation

tication, access control, protocol and network security,
may reveal some new findings that may not show up in
privacy, trust, and fault tolerance.
other ways. Therefore, we try our best to shed new light
AC

[8] and [9] focused on handling security and safety in

on IoT security in this paper from data perspectives.
115 IoT. Due to the cyber-physical characteristic of IoT, IoT
security needs to have a unified view of security and safety.
3. IoT Security from One-Stop Dimension
Combining a physical system with a network system has
an impact on threat models of IoT and expands attack155 In this section, we explore IoT security by observing
surfaces of IoT. Changes to the physical plant’s behavior, data on an IoT end-point device. Data may be collected
120 whether due to failures or malice, can change the state and sent out to the Internet by an end-point device,
of the computing subsystem while changes to data in the or may be received by the end-point device from the
cyber subsystem can change the plant’s physical state[8]. Internet. Data flowing to and from an end-point device,
3
 ACCEPTED MANUSCRIPT

160 i.e., input data and output data, which has interaction the length of keys and rounds of encryption to maintain
effects between the device and the Internet, should be the security level of the algorithm.
considered for IoT security. The designers of lightweight ciphers must cope with
200 trade-off among security, cost and performance according
3.1. Output Data related Security
to actual requirements of target scenarios[21]. Taking
Massive IoT end-point devices are collecting a large
RFID tags as an example, most of them are used in
165 volume of data and uploading it to the Internet for IoT
low-cost environments of electronic tickets. The security
applications. Some sensory data collected by IoT devices
requirement of this scenario is not high while the de-
is sensitive and highly valuable, which is potential gains

T
205 mands for low power-cost and low latency are stricter[23].
for attackers and commercial competitors. So IoT end-

IP
[24]evaluated 52 block ciphers and 360 implementations
point devices should ensure the confidentiality requirement
based on their security, performance, and cost, classifying
of data provided to the Internet. Additionally, the

CR
170
them with regard to their applicability to different types
authenticity of output data has a direct impact on the
of embedded devices and referring to the cryptanalysis
reliability of services involving industry, economy, and
210 pertaining to these ciphers.

175
social life. Therefore, it is important for IoT devices to
ensure the confidentiality and authenticity of output data
to guarantee the security of IoT applications and services.
US The cryptanalysis has revealed that many lightweight
ciphers are vulnerable to side-channel attacks due to their
relatively simple structures[24]. In general, devices may
AN
inevitably leak information, such as power consumption
3.1.1. Confidentiality
215 and electromagnetic radiation, during the encryption step.
A general method for ensuring data confidentiality is
This leaked information can be used to effectively reduce
M

encryption. IoT devices are usually dedicated devices with

the search space of the key and even to extract the key
limited resources such as low computing power (e.g., 8-bit
directly. Therefore, a side-channel attack is a serious
microcontroller), limited battery supply, small (gate) area,
ED

180

threat to the ciphers applied to many IoT devices, such

and limited storage[16]. General encryption algorithms
220 as smart cards, RFID-based systems.
that consume excessive resources may not be applicable
[25] studied the time-based and fault-based side-channel
PT

to resource-constrained devices. In IoT, the overhead of

attacks on the most widely-used encryption algorithms
encryption algorithms should be reasonable for device per-
(e.g., AES, ECC, and RSA) in IoT and introduced
formance when providing a sufficient level of security[16].
CE

185

some countermeasures to mitigate side-channel attacks.

There is an urgent need for lightweight ciphers to ensure
225 [26]proposed a new general framework to analyze and eval-
the confidentiality of IoT data throughout its life cycle.
uate algebraic fault attacks on lightweight block ciphers.
AC

Plenty of lightweight ciphers have been proposed.

Some researchers put forward the use of physical
The cryptographic structures of these newly designed
features to generate keys. [27] used a unique physical
190 lightweight ciphers mainly include Feistel structure (or its
structure called Physical Unclonable Functions (PUFs)
variant) (e.g., SEA[17], LBlock[18]), SP networks structure
230 to generate keys for identification. Instead of storing
(e.g., PRESENT[19], mCrypton[20]), and other structures
secrets in memory, PUFs derive a secret from the physical
(e.g., KATAN/KTANTAN[21]). Some work simplified the
characteristics of the Integrated Circuit (IC) without the
hardware implementations of standardized block ciphers.
requirement of expensive secure hardware[28]. Therefore,
195 For example, [22] simplified the key generation process of
much research has been done on the applications of PUFs
AES to improve efficiency of the algorithm while increasing
4
 ACCEPTED MANUSCRIPT

235 in key generation. nicates directly with the prover with no intermediate hop
and no cyber attack (e.g., imitation or collusion with other
3.1.2. Authenticity
devices). (2) There is no modification on the hardware of
Data sensed and generated by IoT devices should be275 the prover. However, in a real IoT environment, devices
trustworthy to reflect the real-world environment precisely.
usually communicate through multi-hop networks. And
The authenticity of output data has a significant impact they are usually vulnerable to physical intrusion because
240 on the security of IoT applications. An IoT device is they are unattended.
usually unattended and lacks physical protection. Physical Hybrid methods employ software/hardware co-design
attacks on a device, including node copying, replacement,

T
280 to defend against adversaries in a network setting (i.e.,
and hijacking, may compromise the integrity of the device.

IP
multiple hops between the prover and the verifier), while
Considering the authenticity of output data generated by minimizing hardware changes[45]. Without the support of
an IoT device, it is extremely important to verify the

CR
245
dedicated secure hardware, hybrid methods cannot defend
integrity of the device. Generally, attestation techniques
against the physical intrusion. Main research on hardware-
are widely used to verify the integrity of devices with the285 software hybrid attestation methods includes SMART[34],

250
dedicated hardware(e.g., TPM). Traditional attestation
methods designed for resource-rich devices may not be
suitable for direct application to IoT devices to verify
US
SPM[35], SANCUS[36], TrustLite[37] and TyTAN[38].
Both hybrid and software-based methods cannot de-
fend against physical attacks, since keys on devices can
AN
whether the device has been tampered. IoT devices call be obtained and the prover can be impersonated and/or
for lightweight attestation methods. The detailed related290 cloned[46]. Only hardware-based attestation can defend
work of attestation in IoT is summarized in Table 1. against physical attacks. It relies on explicit, purpose-built
M

Typically, there are two types of attestation meth-

trust anchors(e.g., a TPM or an SGX-capable CPU) which
255 ods, including static attestation and runtime attestation. are usually unlikely equipped on IoT devices. Therefore,
ED

Static attestation verifies the integrity of the static binaries some specific physical hardware characteristics are applic-
on the prover. Especially, swarm attestation is a specific295 able to the attestation in IoT, such as PUFs[39, 40].
type of work in static attestation to verify the integrity of a
Generally, IoT devices are deployed on a large scale. To
PT

group of provers. Runtime attestation verifies the control verify the integrity of a large scale of devices, SEDA[41]
260 flow of programs on the prover at runtime. firstly proposed swarm attestation for embedded devices.
CE

Three main approaches to static attestation on one SANA[42] proposed a novel signature scheme for efficient
device have been identified in the literature, which are
300 swarm attestation. In specific IoT application scenarios,
software-based, hardware-based and hybrid. such as an ad-hoc vehicular network, nodes may join and
AC

Software-based attestation usually exploits side-channel leave the swarm dynamically, which makes it more difficult
265 information to verify the integrity of resource-constrained to attest a device swarm.
embedded devices without special hardware. Software-
Static attestation methods discussed above only verify
based attestation may be devided into two main categories.305 the integrity of binaries and not of their execution[45].
One is time-based, such as SWATT[29], Pioneer[30] and In this respect, C-FLAT[43] and LO-FAT[44] took a
SCUBA[31], and the other is memory-based[32, 33]. All step by exploiting runtime attestation to provide precise
270 software-based methods make strong assumptions about
attestation on the execution path of a program for the case
the capabilities of the adversary: (1) The verifier commu- of embedded devices.

5
 ACCEPTED MANUSCRIPT

Table 1: Summary of related work in lightweight attestation

Type of attestation Object of attestation Representative work

Static Attestation The integrity of static binaries on Software-based Attestation: (1) time-based, SWATT[29],
a prover Pioneer[30]and SCUBA [31] (2) memory-based, [32, 33]
Hybrid Attestation: SMART [34], SPM [35], SANCUS [36],
TrustLite [37] , TyTAN[38]
Hardware-based Attestation: [39, 40]
The integrity of static binaries on SEDA[41],SANA[42]
provers (Swarm Attestation)

T
Runtime Attestation Runtime behaviors of attested C-FLAT [43],LO-FAT[44]

IP
code on a prover

CR
310 3.2. Input Data Related Security and Safety (e.g., Persirai, Satori, Okiru) have been frequent[47]. Mirai

IoT bridges the gap between the cyber world and the leverages the vulnerabilities of default passwords to gain

physical world, so that hacking into a device in the cyber the control of IoT devices by Telnet password brute-

Changes in the physical state of the device can affect its US

world can bring threats to the real-world and vice versa.340 forcing. More and more research is finding technical
and non-technical solutions to deal with Mirai and its
variants[48, 49].
AN
315 computing system, and data changes in the network or
computing system can also affect the physical state of the Reaper – a new kind of botnet, which may be substan-

device[8]. tially more dangerous than Mirai, utilizes a list of known

Safety means “freedom from accidents or losses”[8].345 vulnerabilities to enable an attacker to gain full access to
M

Some devices may execute operations based on data a target device. Mirai and reaper are sizable threats, but

320 received from the Internet – input data, coupling secur- it is even worse that some of IoT security threats may be
ED

ity and safety concerns in IoT. Leveraging input data, small enough to evade detection. Infected devices can be

including the false data generated by the system itself used to steal personal data and mine cryptocurrencies, on

and the malicious data sent by adversaries due to the350 top of traditional DDoS attacks.
PT

vulnerabilities of systems, attackers may compromise the There is no good way to reduce malicious traffic

325 devices. Unsafe and insecure operations on IoT devices produced by these systems except for squelching it at
CE

may result in a real loss of services and even the loss of the source. [50] recommended that device manufacturers

life. For example, adversaries can send malicious control should limit the amout of network traffic that IoT devices

data to medical equipment to speed up the pacemaker or355 can generate to levels reasonably needed to perform their
AC

the drug infusion pumps, endangering user’s life. functions.

330 Most IoT end devices are constantly connected to the On the other hand, some IoT devices are nodes

Internet and are usually with naive security configurations. of infrastructure, including basic sensors for industrial

Leveraging vulnerabilities on a device, adversaries can con- facilities. It is more dangerous that the compromised

trol the device remotely. Mirai is a very famous malware360 node can be an entry point for the attacks on the overall
that can build a botnet with millions of compromised infrastructure, which may cause great life and property

335 smart cameras. Since the advent of Mirai at the end of losses for individuals and nations.

2016, security incidents related to Mirai and its variants There is a rapid expansion in the size of botnets due to

6
 ACCEPTED MANUSCRIPT

the long-term and non-update problems of the target IoT devices updating to support novel standards and meet
365 devices. Vulnerabilities on devices must be fixed in time new requirements. [52] proposed a new software update
to prevent attackers from obtaining control of the devices. mechanism for partial code updates on protocols and
However, most devices cannot be patched conveniently405 applications at runtime. This architecture consists of three
nowadays. Without general automatic update tools, it levels – a static system level, a dynamic component level,
takes plenty of overhead to update massive IoT devices and a kernel level. Authors in [52] implemented their
370 and the updating process itself can be complex for the approach on one of the typical IoT operating systems,
average user. Moreover, vendors may usually not provide Contiki, without major modifications of existing network

T
users with patches or update services after products are410 protocols and applications.

IP
sold. That may cause problems in the future when
3.3. Open Issues
hackers find and exploit vulnerabilities on devices to

CR
375 launch attacks for their own gains. Therefore, update For confidentiality, current research on lightweight

mechanisms should send the latest firmware to devices encryptions achieves a high degree of overhead reduction.

timely and automatically. Now, essential considerations of confidentiality on end

IoT devices. Adversaries may launch rollback attacks on

firmware and exploit vulnerabilities of buggy versions to
US
However, remote updates may also bring new risks to415 devices should be more about practical applications of
algorithms in the real world, including speed optimization
and latency reduction.
AN
380

attack devices. Device vendors or manufacturers should For authenticity, more research on attestation for

encrypt and digitally sign the updated release information a group of devices is expected. Large scale usually

to ensure the integrity and authenticity of the update. 420 implies heterogeneity, which increases the complexity of
M

Moreover, there will be a traffic bottleneck in a attestation. An IoT device can switch from online to offline

385 centralized architecture of updating mechanisms. In order at any time, which makes it dynamic and indeterminable.
ED

to solve the problems of traffic bottleneck, [51]explored It’s difficult to obtain the real status of a device swarm.

a distributed update method using blockchain techniques. The issues about how to improve efficiency, robustness,

Devices broadcasted updating requests to blockchain nodes425 and accuracy of swarm attestation have not been solved
PT

on a peer-to-peer decentralized network. If the firmware well.

390 version of the device was not the latest, the device would Furthermore, IoT devices lack a common update mech-
CE

download the latest version. If the firmware version of anism due to heterogeneous computing systems. It is

the device was already up-to-date, a blockchain node hard to apply timely updates for all end devices. Thus,

would check the integrity of firmware on the requesting430 vulnerabilities exposed for a long time can still be seen
AC

node. However, due to the nature of broadcasting, the on most IoT devices. They are around our daily lives but

395 broadcasted requests may result in useless network traffic quite vulnerable to exploitation, which is both a technical

and unnecessary operations on unrelated nodes. and social concern.

Over-the-Air (OTA) update is a practice of remotely

updating codes on embedded devices. Distributing new 4. IoT Security from Multi-Stop Dimension

firmware through OTA will bring plenty of overhead (e.g.,

435 In this section, we investigate IoT security by observing
400 energy consumption, download time). Therefore, if not
data that may flow among a group of IoT entities. Secure
necessary, a partial code update is a better choice for
communication, authentication and access control related
7
 ACCEPTED MANUSCRIPT

to interactions of IoT entities will be covered. Intercon-475 in IoT networks. The main research on the security issues
nectivity is a fundamental characteristic of IoT entities related to communication falls into three categories: (1)
440 that can directly or indirectly interact with the Internet. designing secure communication protocols for IoT devices;
To ensure the interactions of entities, communication (2) designing efficient malicious node identification sys-
networks transfer data captured by IoT end-point devices tems; (3) designing lightweight trust management schemes
to applications and other devices, as well as instructions480 to evaluate the trust level of nodes in an IoT local network.
from applications to IoT devices[1]. Some traditional IoT routing protocols, such as RPL[58]
designed for 6LowPAN[59], are still facing many security
4.1. Communication Related Security

T
445
problems[55]. SMRP[60] proposed a secure multi-hop
In general, there are three types of communication for

IP
routing protocol with multi-layer parameters. When a
IoT devices to communicate with others: communicat-485 node attempts to join an existing network or to form a new

CR
ing through the Internet via a gateway, communicating network, it must verify multi-layer parameters. Because
through the Internet without a gateway, communicating the creation of multi-layer parameters would bring a lot
450 through a local network (i.e., a network providing local of overhead, so that the protocol could not be directly
connectivity between devices and between devices and a
gateway, such as an ad-hoc network) [1], as shown in490
Figure 1. For the first two types, devices connect to the
US applied to large-scale networks.
DEMEM[61] proposed a Distributed Evidence-driven
Message Exchanging intrusion detection Model that al-
AN
Internet via a variety of available wired or wireless techno- lowed distributed detectors to cooperatively detect routing
455 logies (e.g., WiFi, Bluetooth, NFC). For the security issues attacks with minimal communication overhead. It used
of wireless communication protocols, we point inquisitive finite state machines to specify correct routing behaviors
M

readers to [53, 54]. 495 and used distributed network monitoring to detect run-
As for the last communication type, there are plenty time violations of the specifications. ActiveTrust[62]
ED

of devices in IoT consisting of sensors and actuators proposed an active detection-based secure routing scheme.
460 with routing capabilities. They construct local networks The most important innovation of ActiveTrust is that it
to communicate with each other and use gateways to can actively detect black hole attacks by creating multiple
PT

connect to the Internet. These devices have self-organizing500 detection routes to detect quickly and ensure the secure
capabilities and usually lack protection, so that they can routing. More importantly, it makes full use of energy in
CE

join and leave the local network at any time throughout non-hotspots to create as many detection routes as needed
465 routing and are easily hijacked[55]. To ensure the security to improve energy efficiency.
of communication, secure routing in an IoT local network Trust-based schemes predict future actions of nodes
AC

needs to select the nodes with high trust level to create505 based on past observation of nodes and assist in ef-
a reasonable route. Malicious nodes in a local network fective identification of suspicious nodes. TSRF[63] is
may bring serious security problems[56]. For example, a secure routing framework based on trust derivation.
470 malicious nodes can transmit a large amount of false It was implemented by direct and indirect observation
routing information to its neighbors, causing its neighbor’s of behavioral patterns of sensor nodes with trust values
routing table to overflow and deny the real routes[57]. 510 among nodes represented in a range from 0 to 1. A
Therefore, secure communication capabilities of IoT value of 0 represents a low level of trust of the node
entities need to ensure the security of data transmission and a value of 1 represents a good level of trust of

8
 ACCEPTED MANUSCRIPT

the node. However, due to complex trust computation,550 Authentication. In a decentralized environment, it is ne-
TSRF has a large computational overhead on nodes. cessary to implement the two-way authentication between
515 Therefore, protocol designers must minimize the impact two IoT entities with an absence of a trusted third party.
on network performance while improving the security level While data holders authenticate the data collector, data
of protocols. TERP[64] proposed a new Trust and Energy- collectors also need to identify or authenticate users and
aware Routing Protocol to address the trustworthiness and555 devices as legitimate data holders before collecting data
energy efficiency issues of routing. It uses the weight of from data holders[68]. Some work has investigated the
520 trust, energy, and hop counts to select the nodes that are security issues of RFID technology which is widely used in

T
trustworthy, energy-efficient and have the shortest route IoT, including security and privacy issues of authentication

IP
to the destination. between RFID readers and tags[69]
Moreover, secure communication protocols for IoT560 Some efforts have been made to work on the credentials

CR
devices should have self-healing capabilities, which means used for authentication. Besides the traditional key-
525 that the protocol can automatically recover from failures based credentials, location information and biometric-
within a certain period of time without human inter- characteristics, as well as physical characteristics can also
vention. Local networks may initially be unstable when
US
attackers send plenty of malicious packets to the networks.565
Nonetheless, due to the self-healing capability of protocols,
be credentials for authentication.
PUFs are promising innovative primitives for low-cost
authentication. [70] proposed an obfuscated challenge-
AN
530 the network can recover itself and isolate malicious nodes response authentication protocol for resource-constrained
over time[65]. devices at low cost, based on PUFs. Biometrics-based
authentication needs to obtain users’ biometric charac-
M

4.2. Authentication and Access Control

570 teristics. However, many users may be reluctant to
IoT integrates a large number of physical objects share their personal information for privacy concerns. On
ED

that are uniquely identified, ubiquitously interconnected the other hand, biometric characteristics may not always
535 and accessible through the Internet[66]. Authentication follow the same pattern, and some unpredictable factors
and access control are the main security mechanisms to may have an impact on the results. Thus, the accuracy
PT

ensure the security of interactions among different entities575 of biometrics computation that is closely related to the
(devices or users). Access control and authentication are stability and accuracy of authentication calls for more
CE

the process of determining whether an entity can access research.

540 resources and authentication, a process of identifying an Additionally, under the scenarios of Internet of Vehicles,
entity, is a prerequisite for authorization[67]. With the smart grid, and smart healthcare, anonymity and un-
AC

limitation in computing, energy, storage of devices, the580 linkability of identities need to be considered. And IoT
need for schemes of authentication and access control devices may move from one network to another. How to
applicable to IoT is pressing. solve the issues of cross-domain authentication for devices
545 In various IoT application scenarios, such as smart also requires more research[11].
healthcare, intelligent transportation and smart home, Typical research related to authentication in IoT is
heterogeneous devices and network architecture lead to585 shown in Table 2.
different demands of authentication and access control to
ensure the security of interactions among entities.

9
 ACCEPTED MANUSCRIPT

Table 2: Summary of related work in authentication

Classification of related work Specific Research Direction

Authentication in different scenarios Internet of Vehicles [71, 72],Smart Grid [73, 74], Smart
Healthcare [75], etc.
Authentication credentials Key-based authentication schemes, including symmetric,
asymmetric or hybrid keys.
Physical-characteristics-Based authentication schemes [76];
Location- based authentication schemes [77];
Biometrics-based authentication schemes [78].

T
Functional requirements of authentication Mutual authentication[69, 79]

IP
Anonymity and unlinkability of authentication[80–82]
Cross-Domain authentication [83]

CR
Continuous authentication on data stream[84]

Table 3: Summary of related work in access control

Classification of related work

Models of access control
US
Specific Research Direction
Role-based Access Control (RBAC) Model [85];
AN
Attribute-based Access Control(ABAC) Model [86];
Other models, e.g., Usage Control(UCON) Model [87], Capabilities-
based(Cap-BAC) Model [88]
Functional requirements of access con- Dynamic [85], continuous[89], fine-grained [90, 91] requirements of access
M

trol control
Access control in different scenarios Internet of Vehicles[86], Smart Grid[92], Smart Healthcare [17, 93], etc.
ED

Access Control. In IoT, access control is to assign different as location and time-based attributes, can also be used for
privileges of resources to different actors of a wide IoT dynamic authorization and active authentication. Some
PT

network[11]. Users and devices, as data holders, can only work utilizes Usage Control (UCON) models to deal with
provide specific data to specific data collectors for specific605 the issues of continuous authorization before and during
purposes[68]. Most IoT devices operate automatically the process of accessing. UCON model supports dynamic
CE

590

based on the context of real-time streaming data. IoT changes of attributes. That is, if access attributes change
scenarios are calling for lightweight, continuous, dynamic, during accessing, which causes failure to meet the access
AC

context-based access control schemes. requirements, the access rights will be revoked [87].
Most existing IoT systems adopt traditional access610 Typical research related to access control is shown in
595 control schemes of existing computer systems based on Table 3.
roles[85] and attributes[86]. Most solutions have high com-
4.3. Open Issues
putational complexity and are based on static attributes.
Static attributes are overdependent on user-defined rules, Firstly, because IoT networks are usually self-organizing

so that it may be not applicable to the automation require- and wireless communication technologies are widely used,

600 ment in some IoT scenarios. With the need of automatic615 it is possible for malicious nodes to be introduced into a
operation in IoT, dynamic context-based attributes, such local network easily. However, there is still not any effect-

10
 ACCEPTED MANUSCRIPT

ive and lightweight approach to malicious nodes detection various IoT devices can add up to a total surveillance of our
in IoT. Blockchain technology can build mutual trust at lives[94]. A user can be both a recipient of data or services
low cost in a decentralized environment without a central655 and a subject to data collection by smart things at the
620 manager. It may be a future research direction for the same time[95]. Compared to the Internet where users have
security of data exchange and multi-party collaboration in to take an active role to put their privacy at stake (i.e.,
IoT. query for services), much data about users are collected
As some IoT devices may execute operations automat- and transfered in IoT without their awareness[96]. A large
ically, it will be difficult to manage these devices from a660 volume of data is being generated by IoT automatically

T
625 networking and data management perspective. Therefore, with higher velocity than before, and any breaches in

IP
it is important to carefully evaluate the reliability of security will have a knock-on effect on personal security
authentication and access control methods. The mobility and privacy.

CR
of smart cars or other wearable devices may call for cross- There is an urgent demand for research on privacy
domain authentication. In addition to exploring new665 protection technologies in IoT during data transmission,
630 authentication approaches based on PUFs or biological aggregation, storage, mining, and processing[1]. Moreover,
characteristics, an effective but costless method for au-
thentication in the real world is still a challenging topic.US machine learning and data mining technologies can add
the business context to the raw data automatically without
human intervention, threatening users’ privacy. Under this
AN
5. IoT Security from End-Application Dimension 670 background, more efforts need to be devoted to privacy-
preserving data mining techniques[97] and privacy-preserving
In this section, we explore IoT security by observing
machine learning techniques[98]. For instance, even though
M

635 data used in IoT applications. A large volume of data is

smart home devices are not designed to capture privacy-
collected by IoT devices, transferred over networks and
sensitive activities, such activities may be identified by
ED

used by different IoT applications. Keeping IoT data

675 inference techniques.
life cycles in mind, from the view of data usage in IoT
Because different application scenarios involve differ-
applications, we will investigate privacy, forensics, and
ent devices and architecture and have different security
PT

640 social or legal challenges of the whole IoT system.

requirements, research on privacy concerns in various IoT

5.1. Privacy Concern application scenarios has different focuses, as shown in

CE

680 Table 4.
In real IoT scenarios, different IoT applications lever-
In a smart home, passive attackers can collect raw
age data collected from IoT devices to provide convenient
data closely related to users to infer users’ routines
AC

and smart services for users while introducing potential

by eavesdropping on the communication between smart
645 privacy concerns. Private information may be leaked at
routers and smart devices. For example, when the light
any phase of a data life cycle in IoT environments. There-
685 changes from on to off, it can be inferred that users
fore, privacy concerns must be considered from system
may have left home. Active attackers may pretend to be
perspectives. Besides individual data like fingerprints and
legitimate users to gain access to smart devices and to
heartbeats, which are directly related to a user’s privacy,
extract sensitive information. To address privacy concerns,
650 some environmental information sensed by IoT devices
smart devices need to provide end-to-end encryption of
can be utilized to infer extra information about user’s
690 communication. However, [99] demonstrated that an ISP
preference and trajectory. The aggregated data from
11
 ACCEPTED MANUSCRIPT

Table 4: Summary of related work in privacy in different IoT application scenarios

Typical IoT Application Scenarios Related work in privacy

Smart home Privacy-preservation of traffic [99–101]
Digital healthcare Pseudonym management [102–104]
Anonymous authentication [105–107]
Privacy-preserving access control [108]
Smart grid Privacy-preserving data aggregation [109–111]
Privacy-preservation of smart meter data [112, 113]

T
or other network observers can infer privacy-sensitive in-720 tricity usage information and send the encrypted data to

IP
home activities by analyzing traffic from smart homes gateways. Then the gateways decrypt the data from all
containing commercially-available IoT devices even when smart meters and aggregate it. Gateways encrypt the

CR
devices use encryption. [100] and [101] explored privacy aggregated data and send it to a control center for further
695 preservation of traffic in a smart home. Moreover, the analysis and processing (e.g., balancing electricity load and
over-privilege problem in SmartApp authorization would725 optimizing energy consumption) [118]. Privacy protection
also lead to privacy concerns[114, 115].
In digital healthcare, medical records and healthcare
US must be considered in electricity data aggregation for
residential grids. However, there is a content-oriented
AN
data are more valuable in the black market than credit privacy risk in the case that these intermediate nodes
700 card numbers now[116]. The primary security target for may be compromised by adversaries. Thus, gateways
digital healthcare is to ensure the security of primary730 should not carry out aggregation operations in a plaintext
M

health data and protect identifiable health data from manner. Homomorphic encryption is one of the typical
unwarranted access or disclosure during data acquisition, approaches that allows an aggregator (gateway or control
ED

transmission, and storage. On the other hand, personal center in general) to execute the operation directly on
705 treatment information is often shared by the same patient ciphertext under the same key, without the need of data
group, which helps the exchange of patient conditions735 decryption[118]. Much effort has been devoted to privacy-
PT

and treatment information among doctors and patients preserving aggregation schemes[109–111]. Because in-
from different regions. It is essential to protect security dividual load curves per household in the smart grid
and privacy of personal medical information when sharing can be used to infer personal consumption behaviors or
CE

710 data for public benefit. To solve the above privacy living habits[119]. Therefore, there is an urgent need to
concerns in digital healthcare, there is plenty of research740 guarantee the anonymity and unlinkability of electricity
AC

on pseudonym management of medical data[102–104], an- data to ensure that data cannot be associated with a
onymous authentication[105–107], and privacy-preserving specific user and disclose a user’s trajectory in smart grid
access control to medical data[108]. scenarios.
715 In smart grids, fine-grained data that is collected
5.2. Forensics Challenges
periodically by smart meters to improve the efficiency of
grid operation can easily reveal household activities[117].745 With IoT gradually permeating into our lives, acci-

A smart grid consists of a control center, smart meters, dents and attacks involving IoT services or devices will

and gateways. Smart meters collect primary home elec- happen inevitably. Forensic investigations need to be
conducted in the IoT infrastructure, when IoT is the target
12
 ACCEPTED MANUSCRIPT

of attacks or used to launch an attack. Data collected and 3) The growth in numbers and types of devices. IoT
750 shared by IoT applications introduces both opportunities presents a considerably large number of potential evid-
and challenges into forensics. In the context of IoT, ence sources from personal health devices to connected
there are a diverse range of potential evidence sources,790 vehicles, which may introduce additional complexity
so that the forensics may need to combine multiple digital to identify and find potential IoT evidence sources in
forensic methods and techniques, increasing the difficulty crime scenes. In addition, with the absence of temporal
755 of forensics. Specialized tools and techniques, as well information such as modified, accessed and created
as standardized procedures are required for collecting, time, it is extremely difficult to correlate and sequence

T
preserving and analyzing residual evidence in the IoT795 the digital evidence gathered from different IoT devices,

IP
environment. Traditional digital forensics cannot be some of which may have no clock [122].
directly applied in IoT due to highly heterogeneous and
DFIF-IoT[123] proposed a generic Digital Forensic

CR
760 frequently changing environments. With limited memory
Investigation Framework for IoT to standardize invest-
of most IoT devices, they need to transfer data to a cloud
igation procedures including three processes – proactive
or a local hub before evidence is overwritten. IoT forensics
process, IoT forensics, and reactive process. Proactive

US
800

can be identified as a combination of three digital forensics

process aimed to make the IoT environment forensically
schemes, including cloud forensics, network forensics and
ready. IoT forensics consisted of cloud forensics, network
device level forensics[120]. However, as evidence can be
AN
765
forensics, and device level forensics. Reactive process
modified at any step of data life cycles, it presents chal-
would occur after an incident was identified in an IoT-
lenges to make the chain of evidence secure. Challenges of
805 based environment.
forensics in IoT are summarized as following.
M

FAIoT[120] proposed a centralized trusted evidence re-

1) Resource-limited characteristic of devices. With lim- pository to ease the process of evidence collection and ana-
ited resources (e.g., computing power, memory), it is lyze with logging, preservation and provenance schemes.
ED

770

hard for IoT devices to achieve persistent recording. [124] combined the 1-2-3 Zones approach and Next-
Potential evidence might not be maintained on devices810 Best-Thing Triage (NBT) Model to deal with IoT-related
PT

or just be maintained for a very short period of time digital forensics investigations. 1-2-3 Zones approach can
before being overwritten by the latest data. The energy be used to implement investigations systematically and
limitation in some scenarios, such as solar-powered to identify possible objects of forensic interest effectively.
CE

775

nodes, leads to intermittent and partially incomplete NBT model is useful to identify additional potential
information when devices power down. 815 evidence sources when primary sources are unavailable,
AC

2) Heterogeneous characteristic of devices. Heterogeneous providing a guidance on identification of devices of interest

devices in IoT with proprietary interfaces leads to dif- within the established focus areas.
780 ficulty in accessing stored values, calling for specialized Privacy is another important factor to consider when
information-retrieval tools[121]. Data on heterogen- analyzing and correlating the collected evidence which
eous devices varies in size and format. Different data820 may contain personal information. PRoFIT (Privacy-
formats, protocols and physical interfaces complicate aware IoT-Forensics) [125] integrated privacy properties
the process of evidence extraction. There is an absence with the forensics model adapted to IoT, stimulating the
785 of general tools for collecting, preserving and analyzing cooperation of citizens in digital forensic investigations.
data in IoT. PRoFIT highlights the importance of collaborating with
13
 ACCEPTED MANUSCRIPT

825 nearby devices to gather digital evidence from multiple data collection in IoT makes users vulnerable to social
sources, which helps to fully describe the context of a crime engineering attacks[127]. The best way to deceive a person
scene. is to gather as much information about him as possible.
The existing work on IoT forensics is still insufficient. The emergence of IoT makes data collection easier by
Most current research focuses on extending traditional865 hijacking smart devices such as smart TVs, Fitbits, and
830 forensic methods to forensics in IoT. Although existing Google Glass to monitor and learn voices, habits, and
digital forensic tools can be used in some stages of forensic preferences of the target person.
investigations in IoT, there is still no general and efficient
Legislation Challenges. Although legislation cannot provide

T
framework for forensics in IoT.
guarantees for the security of data usage in IoT applica-

IP
5.3. Social or Legal Challenges 870 tions, it is a way to compensate the damage caused by the

The use of IoT is dramatically changing people’s misuse of data. Perfecting legislation and policy to protect

CR
835

everyday life, introducing not only technical challenges but data usage in IoT applications is pressing. Countries

also social or legal challenges to IoT security. are making efforts to provide more protection for data

bring new responsibility disputes. For example, automated

US
Liability Dispute. Intelligent services provided by IoT may875
applications.
The EU General Data Protection Regulation (GDPR)
was designed to harmonize data privacy laws across Europe,
AN
840 vehicles are gradually put into use. When an accident with reshaping the way organizations across the region ap-
automated vehicles occurs, the judgment of accidental proach the data that are qualified as personal data[128].
responsibility calls for a better legislation for the use
One of the central principles underpinning GDPR is to im-
M

of automated vehicles. Australian National Transport880 prove all EU residents’ awareness surrounding consent for
Commission has drafted new Australian driving laws to data processing and usage[129]. The U.S has issued Health
support automated vehicles[126].
ED

845
Insurance Portability and Accountability Act (HIPAA)

Data Commodification. In IoT, the wide collection and [130] to protect the privacy and security of certain health

usage of a large amount of data make data a commodity information. It has discussed the accessibility, integrity,
PT

and develop asset virtualization, bringing the problems of885 and confidentiality of ePHI (electronic protected health
data ownership. How to standardize the management of information). IoT device manufacturers and IoT App
CE

850 data as a product? Who is the owner of the data? Can developers should provide consumers with a HIPAA level

data be traded? All these questions bring corresponding of security when recording weight, heart rate, blood

responsibility issues. Data holders have the right to pressure, and other health insights. Unsolved questions
AC

authorize and revoke authorization to the collection of890 call for additional legislation to provide guarantee for IoT
their personal data. By fine-grained authorization based services. For example, the life cycle of smart products is

855 on context, data holders can just share the subset of data still modeled as buy-once-own-forever without considering

with the applications that they are willing to share with the security and privacy of productions that may be

in the IoT environment. borrowed and exchanged freely in sharing economy era.

Vulnerabilities of Social Engineering. IoT plays a vital895 5.4. Open Issues

role in human interactions, influencing social contact For privacy protection, as privacy regulations around
860 and people’s everyday life. Fine-grained and ubiquitous the world have been in operation, the transfer and usage
14
 ACCEPTED MANUSCRIPT

of private data ought to be subject to the privacy regu-935 devices, infrastructures, and individuals in the physical
lations. However, there is still not any widely accepted world.
900 technical standard for privacy protection of data storage, Observed from the multi-stop dimension, a group of
transmission, sharing as well as application. Privacy IoT entities are interconnected through local networks or
should be ensured from the whole system perspective. the Internet. They may need to have secure communica-
Privacy protection mechanisms of each product should940 tion with backend services, which are usually provided by
be implemented in accordance with general technical a cloud. The nature of dynamics, mobility and resource
905 standards rather than being implemented arbitrarily by limitation of the IoT calls for efforts to extend existing

T
developers. security techniques, including secure communication, au-

IP
For forensics challenges, there are many fields that thentication and access control, to a new environment.
have not been fully investigated, such as applying block-945 Finally, observed through the end-application dimen-

CR
chain technologies to evidence preservation. Standardized sion, with typical IoT application scenarios such as smart
910 forensic investigation frameworks and efficient synchron- home, digital healthcare and smart grid taken as instances,
ization approaches for evidence in IoT are deserved to the investigation is conducted to cover privacy, forensics,
design.

6. Conclusion
US 950
and social or legal challenges from the whole IoT system
perspective.
In order for the IoT to further improve the quality
AN
of human life, the aforementioned challenges are pressing
Considering that IoT data may reveal a novel clue to
and should be dealt with in a sound way. The paper
915 deal with IoT security and that no existing survey on IoT
carries out an extensive study on the state-of-the-art of
M

security is put in the way guided by IoT data, this paper

955 IoT security from data perspectives, specifying open issues
sheds light on IoT security with IoT data as a leading
and pointing out future research trends. We hope that it
factor. It devises a framework for IoT security observation
ED

may become a valuable reference for future research on

that takes both the typical IoT architecture and the IoT
IoT security.
920 data life cycle into account, which outlines IoT security in
PT

three dimensions, i.e., the one-stop dimension, the multi-

Acknowledgment
stop dimension and the end-application dimension.
As the simplest starting point, the one-stop dimension960
CE

This work was supported in part by the National Nat-

observes data flowing around a single IoT end-point device. ural Science Foundation of China under grant No.61472429,
925 Data may be collected by the end-point device and sent out Beijing Natural Science Foundation under grant No.4122041,
AC

to the Internet, or may be received by the end-point device and National High-Tech Research Development Program
from the Internet. Because of the resource-constrained of China under grant No.2007AA01Z414.
characteristic of an IoT device, lightweight cryptos and
trust execution environments are in urgent demands to965 References
930 ensure the security related to data that may be sent to
References
the Internet. Meanwhile, data received from the Internet
may introduce vulnerabilities of the virtual world into [1] International Telecommunication Union, Overview of the
Internet of things, 2012.
the real world. Compromise of data from the Internet,
including control data, may lead to safety concerns of
15
 ACCEPTED MANUSCRIPT

[2] S. DuBravac, C. Ratti, The internet of things: S. Virtanen, J. Isoaho, H. Tenhunen, SEA: a secure and
970 Evolution or revolution?, <https://www.onr.com/blog/ efficient authentication and authorization architecture for IoT-
health-iot-adoption-hipaa-compliance-landscape/> based healthcare using smart gateways, Procedia Computer
(2015). 1020 Science 52 (2015) 452–459.
[3] Cloud Security Alliance, Security guidance for early adopters [18] W. Wu, L. Zhang, LBlock: a lightweight block cipher,
of the internet of things (iot), 2015. in: International Conference on Applied Cryptography and
975 [4] S. Ray, Y. Jin, A. Raychowdhury, The changing computing Network Security, Springer, 2011, pp. 327–344.
paradigm with internet of things: A tutorial introduction, [19] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar,
IEEE Design & Test 33 (2) (2016) 76–96. 1025 A. Poschmann, M. J. Robshaw, Y. Seurin, C. Vikkelsoe,
[5] J. Guo, I. Chen, J. J. P. Tsai, A survey of trust computation Present: An ultra-lightweight block cipher (2007) 450–466.

T
models for service management in internet of things systems, [20] C. H. Lim, T. Korkishko, mCryptona lightweight block
980 Computer Communications 97 (2017) 1–14. cipher for security of low-cost RFID tags and sensors, in:

IP
[6] Z. Yan, P. Zhang, A. V. Vasilakos, A survey on trust International Workshop on Information Security Applications,
management for internet of things, Journal of network and1030 Springer, 2005, pp. 243–258.

CR
computer applications 42 (2014) 120–134. [21] C. De Canniere, O. Dunkelman, M. Knežević, KATAN and
[7] R. Roman, J. Zhou, J. Lopez, On the features and challenges KTANTANa family of small and efficient hardware-oriented
985 of security and privacy in distributed internet of things, block ciphers, in: Cryptographic Hardware and Embedded

US
Computer Networks 57 (10) (2013) 2266–2279. Systems-CHES 2009, Springer, 2009, pp. 272–288.
[8] M. Wolf, D. Serpanos, Safety and Security in Cyber-Physical1035 [22] A. Moradi, A. Poschmann, S. Ling, C. Paar, H. Wang, Pushing
Systems and Internet-of-Things Systems, Proceedings of the the limits: a very compact and a threshold implementation of
IEEE 106 (1) (2018) 9–20. AES, in: Annual International Conference on the Theory and
AN
990 [9] A. Banerjee, K. K. Venkatasubramanian, T. Mukherjee, Applications of Cryptographic Techniques, Springer, 2011, pp.
S. K. S. Gupta, Ensuring safety, security, and sustainability 69–88.
of mission-critical cyberphysical systems, Proceedings of the1040 [23] M. A. Orumiehchiha, J. Pieprzyk, R. Steinfeld, Cryptanalysis
M

IEEE 100 (1) (2012) 283–299. of WG-7: a lightweight stream cipher, Cryptography and
[10] F. A. Alaba, M. Othman, I. A. T. Hashem, F. Alotaibi, Communications 4 (3-4) (2012) 277–285.
995 Internet of things security: A survey, Journal of Network and [24] G. Hatzivasilis, K. Fysarakis, I. Papaefstathiou, C. Manifavas,
ED

Computer Applications 88 (2017) 10–28. A review of lightweight block ciphers, Journal of Cryptographic
[11] S. Sicari, A. Rizzardi, L. A. Grieco, A. Coen-Porisini, Security,1045 Engineering (2017) 1–44.
privacy and trust in internet of things: The road ahead, [25] A. T. Lo’ai, T. F. Somani, More secure Internet of Things using
Computer networks 76 (2015) 146–164. robust encryption algorithms against side channel attacks,
PT

1000 [12] J. Lin, W. Yu, N. Zhang, X. Yang, H. Zhang, W. Zhao, in: Computer Systems and Applications (AICCSA), 2016
A survey on internet of things: Architecture, enabling IEEE/ACS 13th International Conference of, IEEE, 2016, pp.
technologies, security and privacy, and applications, IEEE1050 1–6.
CE

Internet of Things Journal 4 (5) (2017) 1125–1142. [26] F. Zhang, S. Guo, X. Zhao, T. Wang, J. Yang, F. X. Standaert,
[13] Q. Jing, A. V. Vasilakos, J. Wan, J. Lu, D. Qiu, Security of D. Gu, A Framework for the Analysis and Evaluation of
1005 the Internet of Things: perspectives and challenges, Wireless Algebraic Fault Attacks on Lightweight Block Ciphers, IEEE
AC

Networks 20 (8) (2014) 2481–2501. Transactions on Information Forensics and Security 11 (5)
[14] Y. Yang, L. Wu, G. Yin, L. Li, H. Zhao, A survey on1055 (2016) 1039–1054.
security and privacy issues in internet-of-things, IEEE Internet [27] M. Majzoobi, M. Rostami, F. Koushanfar, D. S. Wallach,
of Things Journal 4 (5) (2017) 1250–1258. S. Devadas, Slender PUF protocol: A lightweight, robust, and
1010 [15] R. Minerva, A. Biru, D. Rotondi, Towards a definition of the secure authentication by substring matching, Proceedings -
Internet of Things (IoT), IEEE Internet Initative (2015) 1–86. IEEE CS Security and Privacy Workshops, SPW 2012 (2012)
[16] B. J. Mohd, T. Hayajneh, A. V. Vasilakos, A survey on light-1060 33–44.
weight block ciphers for low-resource devices: Comparative [28] C. Herder, M.-D. Yu, F. Koushanfar, S. Devadas, Physical
study and open issues, Journal of Network and Computer unclonable functions and applications: A tutorial, Proceedings
1015 Applications 58 (2015) 73–93. of the IEEE 102 (8) (2014) 1126–1141.
[17] S. R. Moosavi, T. N. Gia, A.-M. Rahmani, E. Nigussie, [29] A. Seshadri, A. Perrig, L. Van Doom, P. Khosla, SWATT:

16
 ACCEPTED MANUSCRIPT

1065 SoftWare-based ATTestation for embedded devices, Proceed- 1–6.

ings - IEEE Symposium on Security and Privacy 2004 (2004) [41] N. Asokan, F. Brasser, A. Ibrahim, A.-R. Sadeghi,
272–282. 1115 M. Schunter, G. Tsudik, C. Wachsmann, SEDA: Scalable
[30] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, Embedded Device Attestation, Proceedings of the 22nd
P. Khosla, Pioneer: verifying code integrity and enforcing ACM SIGSAC Conference on Computer and Communications
1070 untampered code execution on legacy systems, in: ACM Security - CCS ’15 (2015) 964–975.
SIGOPS Operating Systems Review, Vol. 39, ACM, 2005, pp. [42] M. Ambrosin, M. Conti, A. Ibrahim, G. Neven, A.-R. Sadeghi,
1–16. 1120 M. Schunter, SANA: secure and scalable aggregate network
[31] A. Seshadri, M. Luk, A. Perrig, L. van Doorn, P. Khosla, attestation, in: Proceedings of the 2016 ACM SIGSAC
Scuba: Secure code update by attestation in sensor networks, Conference on Computer and Communications Security, ACM,

T
1075 in: Proceedings of the 5th ACM workshop on Wireless security, 2016, pp. 731–742.
ACM, 2006, pp. 85–94. [43] T. Abera, N. Asokan, L. Davi, J.-E. Ekberg, T. Nyman,

IP
[32] Y. Yang, X. Wang, S. Zhu, G. Cao, Distributed software-based1125 A. Paverd, A.-R. Sadeghi, G. Tsudik, C-FLAT: control-flow
attestation for node compromise detection in sensor networks, attestation for embedded systems software, in: Proceedings

CR
in: Reliable Distributed Systems, 2007. SRDS 2007. 26th IEEE of the 2016 ACM SIGSAC Conference on Computer and
1080 International Symposium on, IEEE, 2007, pp. 219–230. Communications Security, ACM, 2016, pp. 743–754.
[33] T. AbuHmed, N. Nyamaa, D. Nyang, Software-based remote [44] G. Dessouky, S. Zeitouni, T. Nyman, A. Paverd, L. Davi,

US
code attestation in wireless sensor network, in: Global1130 P. Koeberl, N. Asokan, A.-R. Sadeghi, LO-FAT: Low-Overhead
Telecommunications Conference, 2009. GLOBECOM 2009. Control Flow ATtestation in Hardware, in: Design Automa-
IEEE, IEEE, 2009, pp. 1–8. tion Conference (DAC), 2017 54th ACM/EDAC/IEEE, IEEE,
1085 [34] K. Eldefrawy, G. Tsudik, A. Francillon, D. Perito, SMART: 2017, pp. 1–6.
AN
Secure and Minimal Architecture for (Establishing Dynamic) [45] T. Abera, N. Asokan, L. Davi, F. Koushanfar, A. Paverd, A.-R.
Root of Trust., in: NDSS, Vol. 12, 2012, pp. 1–15. 1135 Sadeghi, G. Tsudik, Things, trouble, trust: on building trust
[35] R. Strackx, F. Piessens, B. Preneel, Efficient isolation of in IoT systems, in: Proceedings of the 53rd Annual Design
M

trusted subsystems in embedded systems, in: International Automation Conference, ACM, 2016, p. 121.
1090 Conference on Security and Privacy in Communication [46] T. Abera, N. Asokan, L. Davi, F. Koushanfar, A. Paverd,
Systems, Springer, 2010, pp. 344–361. A.-R. Sadeghi, G. Tsudik, Invited - Things, trouble,
ED

[36] J. Noorman, F. Freiling, J. V. Bulck, J. T. Mühlberg,1140 trust, Proceedings of the 53rd Annual Design Automation
F. Piessens, P. Maene, B. Preneel, I. Verbauwhede, Conference on - DAC ’16 (3) (2016) 1–6.
J. Götzfried, T. Müller, Sancus 2.0: A Low-Cost Security [47] C. Kolias, G. Kambourakis, A. Stavrou, J. M. Voas, Ddos in
1095 Architecture for IoT Devices, ACM Transactions on Privacy the iot: Mirai and other botnets, IEEE Computer 50 (7) (2017)
PT

and Security 20 (3) (2017) 1–33. 80–84.

[37] P. Koeberl, S. Schulz, A.-R. Sadeghi, V. Varadharajan, Trust-1145 [48] M. D. Donno, N. Dragoni, A. Giaretta, A. Spognardi,
Lite: A Security Architecture for Tiny Embedded Devices, Ddos-capable iot malwares: Comparative analysis and mirai
CE

Proceedings of the European Conference on Computer Systems investigation, Security and Communication Networks 2018
1100 (EuroSys) (2014) 1–14. (2018) 7178164:1–7178164:30.
[38] F. Brasser, B. El Mahjoub, A.-R. Sadeghi, C. Wachsmann, [49] M. Antonakakis, T. April, M. Bailey, M. Bernhard,
AC

P. Koeberl, TyTAN: tiny trust anchor for tiny devices,1150 E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman,
in: Design Automation Conference (DAC), 2015 52nd L. Invernizzi, M. Kallitsis, Understanding the mirai botnet,
ACM/EDAC/IEEE, IEEE, 2015, pp. 1–6. in: USENIX Security Symposium, 2017, pp. 1092–1110.
1105 [39] S. Schulz, A.-R. Sadeghi, C. Wachsmann, Short paper: [50] C. George, F. Glenn A., A. Mohammed, B. Jared, R. Nighot,
Lightweight remote attestation using physical functions, in: M. Sukanya, A. Nagender, H. Chris, C. Lucian, INTERNET
Proceedings of the fourth ACM conference on Wireless network1155 OF THINGS (IOT) SECURITY BEST PRACTICES, 2017.
security, ACM, 2011, pp. 109–114. [51] B. Lee, J. H. Lee, Blockchain-based secure firmware update for
[40] J. Kong, F. Koushanfar, P. K. Pendyala, A.-R. Sadeghi, embedded devices in an Internet of Things environment 73 (3)
1110 C. Wachsmann, PUFatt: Embedded platform attestation (2017) 1152–1167.
based on novel processor-based PUFs, in: Proceedings of the [52] P. Ruckebusch, E. De Poorter, C. Fortuna, I. Moerman,
51st Annual Design Automation Conference, ACM, 2014, pp.1160 GITAR: Generic extension for Internet-of-Things ARchitec-

17
 ACCEPTED MANUSCRIPT

tures enabling dynamic updates of network and application Enterprise, Ottawa, Ontario, Canada, May 18-20, 2015, 2015,
modules 36 (2016) 127–151. 1210 p. 17.
[53] J. Granjal, E. Monteiro, J. S. Silva, Security for the internet [66] D. Dragomir, L. Gheorghe, S. Costea, A. Radovici, A Survey
of things: A survey of existing protocols and open research on Secure Communication Protocols for IoT Systems, in:
1165 issues, IEEE Communications Surveys and Tutorials 17 (3) Secure Internet of Things (SIoT), 2016 International Workshop
(2015) 1294–1312. on, IEEE, 2016, pp. 47–62.
[54] A. Burg, A. Chattopadhyay, K. Lam, Wireless communication1215 [67] H. Kim, E. A. Lee, Authentication and Authorization for the
and security issues for cyber-physical systems and the internet- Internet of Things, IT Professional 19 (5) (2017) 27–33.
of-things, Proceedings of the IEEE 106 (1) (2018) 38–60. [68] A. Alcaide, E. Palomar, J. Montero-Castillo, A. Ribagorda,
1170 [55] D. Airehrour, J. A. Gutiérrez, S. K. Ray, Secure routing Anonymous authentication for privacy-preserving iot target-

T
for internet of things: A survey, J. Network and Computer driven applications, Computers & Security 37 (2013) 111–123.
Applications 66 (2016) 198–213. 1220 [69] C. Su, B. Santoso, Y. Li, R. H. Deng, X. Huang, Universally

IP
[56] M. Dohler, T. Watteyne, T. Winter, D. Barthel, Routing Composable RFID Mutual Authentication, IEEE Transactions
requirements for urban low-power and lossy networks, Tech. on Dependable and Secure Computing 14 (1) (2017) 83–94.

CR
1175 rep. (2009). [70] Y. Gao, G. Li, H. Ma, S. F. Al-Sarawi, O. Kavehei,
[57] J. Gubbi, R. Buyya, S. Marusic, M. Palaniswami, Internet D. Abbott, D. C. Ranasinghe, Obfuscated challenge-response:
of Things (IoT): A vision, architectural elements, and future1225 A secure lightweight authentication mechanism for PUF-

US
directions, Future generation computer systems 29 (7) (2013) based pervasive devices, in: Pervasive Computing and
1645–1660. Communication Workshops (PerCom Workshops), 2016 IEEE
1180 [58] T. Winter, P. Thubert, A. Brandt, J. W. Hui, R. Kelsey, International Conference on, IEEE, 2016, pp. 1–6.
P. Levis, K. Pister, R. Struik, J. Vasseur, R. K. Alexander, [71] P. Cirne, A. Zúquete, S. Sargento, TROPHY: Trustworthy
AN
RPL: ipv6 routing protocol for low-power and lossy networks,1230 VANET routing with group authentication keys, Ad Hoc
RFC 6550 (2012) 1–157. Networks 71 (2018) 45–67.
[59] Z. Shelby, C. Bormann, 6LoWPAN: The wireless embedded [72] S. M. Pournaghi, B. Zahednejad, M. Bayat, Y. Farjami,
M

1185 Internet, Vol. 43, John Wiley & Sons, 2011. NECPPA: A novel and efficient conditional privacy-preserving
[60] P. L. R. Chze, K. S. Leong, A secure multi-hop routing for iot authentication scheme for VANET, Computer Networks 134
communication, in: IEEE World Forum on Internet of Things,1235 (2018) 78–92.
ED

WF-IoT 2014, Seoul, South Korea, March 6-8, 2014, IEEE [73] K. Mahmood, S. A. Chaudhry, H. Naqvi, S. Kumari,
Computer Society, 2014, pp. 428–432. X. Li, A. K. Sangaiah, An elliptic curve cryptography
1190 [61] C. H. Tseng, S.-H. Wang, C. Ko, K. Levitt, DEMEM: Dis- based lightweight authentication scheme for smart grid
tributed evidence-driven message exchange intrusion detection communication, Future Generation Computer Systems 81
PT

model for MANET, in: International Workshop on Recent1240 (2018) 557–565.

Advances in Intrusion Detection, Springer, 2006, pp. 249–271. [74] L. Yan, Y. Chang, S. Zhang, A lightweight authentication and
[62] Y. Liu, M. Dong, K. Ota, A. Liu, ActiveTrust: Secure key agreement scheme for smart grid, IJDSN 13 (2).
CE

1195 and Trustable Routing in Wireless Sensor Networks, IEEE [75] A. Zhang, L. Wang, X. Ye, X. Lin, Light-Weight and Robust
Transactions on Information Forensics and Security 11 (9) Security-Aware D2D-Assist Data Transmission Protocol for
(2016) 2013–2027. 1245 Mobile-Health Systems, IEEE Transactions on Information
AC

[63] J. Duan, D. Yang, H. Zhu, S. Zhang, J. Zhao, TSRF: A trust- Forensics and Security 12 (3) (2017) 662–675.
aware secure routing framework in wireless sensor networks, [76] S. Sutar, A. Raha, D. M. Kulkarni, R. Shorey, J. D.
1200 Vol. 10, 2014. Tew, V. Raghunathan, D-PUF: an intrinsically reconfigurable
[64] A. Ahmed, K. A. Bakar, M. I. Channa, K. Haseeb, A. W. DRAM PUF for device authentication and random number
Khan, A trust aware routing protocol for energy constrained1250 generation, ACM Trans. Embedded Comput. Syst. 17 (1)
wireless sensor network, Telecommunication Systems 61 (1) (2018) 17:1–17:31.
(2016) 123–140. [77] L. Wu, J. Fan, Y. Xie, J. Wang, Q. Liu, Efficient location-
1205 [65] D. Airehrour, J. A. Gutiérrez, An analysis of secure MANET based conditional privacy-preserving authentication scheme for
routing features to maintain confidentiality and integrity in iot vehicle ad hoc networks, IJDSN 13 (3).
routing, in: CONF-IRM 2015, The International Conference1255 [78] G. Peng, G. Zhou, D. T. Nguyen, X. Qi, Q. Yang, S. Wang,
on Information Resources Management: Realizing the Digital Continuous authentication with touch behavioral biometrics

18
 ACCEPTED MANUSCRIPT

and voice on wearable glasses, IEEE Transactions on Human-1305 (IE), 2012 8th International Conference on, IEEE, 2012, pp.
Machine Systems 47 (3) (2017) 404–416. 206–213.
[79] S. Ramachandran, V. Shanmugam, A two way authentication [92] N. Saxena, B. J. Choi, R. Lu, Authentication and
1260 using bilinear mapping function for wireless sensor networks, Authorization Scheme for Various User Roles and Devices in
Computers & Electrical Engineering 59 (2017) 242–249. Smart Grid, IEEE Transactions on Information Forensics and
[80] T. Gao, X. Deng, N. Guo, X. Wang, An Anonymous1310 Security 11 (5) (2016) 907–921.
Authentication Scheme based on PMIPv6 for VANETs, IEEE [93] Q. Tasali, C. Chowdhury, E. Y. Vasserman, A Flexible
Access. Authorization Architecture for Systems of Interoperable
1265 [81] Q. Jiang, J. Ma, X. Lu, Y. Tian, An efficient two-factor user Medical Devices, in: Proceedings of the 22nd ACM on
authentication scheme with unlinkability for wireless sensor Symposium on Access Control Models and Technologies,

T
networks, Peer-to-peer Networking and Applications 8 (6)1315 ACM, 2017, pp. 9–20.
(2015) 1070–1081. [94] R. H. Weber, Internet of things: Privacy issues revisited,

IP
[82] P. Gope, R. Amin, S. H. Islam, N. Kumar, V. K. Bhalla, Light- Computer Law & Security Review 31 (5) (2015) 618–627.
1270 weight and privacy-preserving RFID authentication scheme for [95] J. H. Ziegeldorf, O. G. Morchon, K. Wehrle, Privacy in

CR
distributed iot infrastructure with secure localization services the Internet of Things: threats and challenges, Security and
for smart city environment, Future Generation Comp. Syst. 831320 Communication Networks 7 (12) (2014) 2728–2742.
(2018) 629–637. [96] J. López, R. Rios, F. Bao, G. Wang, Evolving privacy: From

US
[83] C. Xu, M. Ma, X. Huang, H. Bao, A cross-domain group sensors to the internet of things, Future Generation Comp.
1275 authentication scheme for LTE-A based vehicular network, in: Syst. 75 (2017) 46–57.
Communication Software and Networks (ICCSN), 2017 IEEE [97] R. Mendes, J. P. Vilela, Privacy-preserving data mining:
9th International Conference on, IEEE, 2017, pp. 595–599. 1325 methods, metrics, and applications, IEEE Access 5 (2017)
AN
[84] B. Carminati, E. Ferrari, K. L. Tan, Enforcing access 10562–10582.
control over data streams, in: Proceedings of the 12th ACM [98] M. Al-Rubaie, J. M. Chang, Privacy Preserving Ma-
1280 symposium on Access control models and technologies, ACM, chine Learning: Threats and Solutions, arXiv preprint
M

2007, pp. 21–30. arXiv:1804.11238.

[85] E. Barka, S. S. Mathew, Y. Atif, Securing the web of things1330 [99] N. Apthorpe, D. Reisman, S. Sundaresan, A. Narayanan,
with role-based access control, in: International Conference on N. Feamster, Spying on the smart home: Privacy attacks
ED

Codes, Cryptology, and Information Security, Springer, 2015, and defenses on encrypted iot traffic, arXiv preprint
1285 pp. 14–26. arXiv:1708.05044.
[86] N. Ye, Y. Zhu, R. C. Wang, R. Malekian, Q. M. Lin, [100] J. Liu, C. Zhang, Y. Fang, EPIC: A Differential Privacy
An efficient authentication and access control scheme for1335 Framework to Defend Smart Homes Against Internet Traffic
PT

perception layer of internet of things, Applied Mathematics Analysis, IEEE Internet of Things Journal 5 (2) (2018) 1206–
and Information Sciences 8 (4) (2014) 1617–1624. 1217.
1290 [87] G. Zhang, W. Gong, The research of access control based on [101] T. Song, R. Li, B. Mei, J. Yu, X. Xing, X. Cheng, A privacy
CE

UCON in the internet of things, JSW 6 (4) (2011) 724–731. preserving communication protocol for IoT applications in
[88] P. N. Mahalle, B. Anggorojati, N. R. Prasad, R. Prasad,1340 smart homes, in: Identification, Information and Knowledge in
Identity authentication and capability based access control the Internet of Things (IIKI), 2016 International Conference
AC

(iacac) for the internet of things, Journal of Cyber Security on, IEEE, 2016, pp. 519–524.
1295 and Mobility 1 (4) (2013) 309–348. [102] B. Riedl, V. Grascher, T. Neubauer, A secure e-health
[89] M. Shahzad, M. P. Singh, Continuous Authentication and architecture based on the appliance of pseudonymization, JSW
Authorization for the Internet of Things, IEEE Internet1345 3 (2) (2008) 23–32.
Computing 21 (2) (2017) 86–90. [103] J. Heurix, S. Fenz, A. Rella, T. Neubauer, Recognition and
[90] R. Neisse, G. Steri, I. N. Fovino, G. Baldini, Seckit: A model- pseudonymisation of medical records for secondary use, Med.
1300 based security toolkit for the internet of things, Computers & Biol. Engineering and Computing 54 (2-3) (2016) 371–383.
Security 54 (2015) 60–76. [104] X. Liu, Y. Li, J. Qu, Y. Ding, A lightweight pseudonym
[91] J. E. Kim, G. Boulos, J. Yackovich, T. Barth, C. Beckel,1350 authentication and key agreement protocol for multi-medical
D. Mosse, Seamless integration of heterogeneous devices and server architecture in TMIS, TIIS 11 (2) (2017) 924–944.
access control in smart homes, in: Intelligent Environments [105] X. Li, M. H. Ibrahim, S. Kumari, A. K. Sangaiah, V. Gupta,

19
 ACCEPTED MANUSCRIPT

K.-K. R. Choo, Anonymous mutual authentication and key (2017) 1–13.

agreement scheme for wearable sensors in wireless body area [119] D. Engel, G. Eibl, Wavelet-based multiresolution smart meter
1355 networks, Computer Networks 129 (2017) 429–443. privacy, IEEE Transactions on Smart Grid 8 (4) (2017) 1710–
[106] S. Wang, N. Yao, LIAP: A local identity-based anonymous 1721.
message authentication protocol in VANETs, Computer1405 [120] S. Zawoad, R. Hasan, Faiot: Towards building a forensics
Communications 112 (2017) 154–164. aware eco system for the internet of things, in: 2015 IEEE
[107] A. M. Koya, P. P. Deepthi, Anonymous hybrid mutual International Conference on Services Computing (SCC), IEEE,
1360 authentication and key agreement scheme for wireless body 2015, pp. 279–284.
area network, Computer Networks 140 (2018) 138–151. [121] L. Caviglione, S. Wendzel, W. Mazurczyk, The Future of
[108] K. Seol, Y.-G. Kim, E. Lee, Y.-D. Seo, D.-K. Baik, Privacy-1410 Digital Forensics: Challenges and the Road Ahead, IEEE

T
Preserving Attribute-Based Access Control Model for XML- Security & Privacy (6) (2017) 12–17.
Based Electronic Health Record System, IEEE Access 6 (2018) [122] M. Conti, A. Dehghantanha, K. Franke, S. Watson, Internet

IP
1365 9114–9128. of things security and forensics: Challenges and opportunities,
[109] C.-I. Fan, S.-Y. Huang, Y.-L. Lai, Privacy-enhanced data Future Generation Computer Systems 78 (2018) 544–546.

CR
aggregation scheme against internal attackers in smart grid,1415 [123] V. R. Kebande, I. Ray, A generic digital forensic investigation
IEEE Transactions on Industrial informatics 10 (1) (2014) 666– framework for internet of things (iot), in: Future Internet of
675. Things and Cloud (FiCloud), 2016 IEEE 4th International

US
1370 [110] H. Shen, M. Zhang, J. Shen, Efficient privacy-preserving cube- Conference on, IEEE, 2016, pp. 356–362.
data aggregation scheme for smart grids, IEEE Transactions [124] E. Oriwoh, D. Jazani, G. Epiphaniou, P. Sant, Internet of
on Information Forensics and Security 12 (6) (2017) 1369–1381.1420 things forensics: Challenges and approaches, in: Collaborative
[111] M. A. Rahman, M. H. Manshaei, E. Al-Shaer, M. Shehab, Computing: Networking, Applications and Worksharing (Col-
AN
Secure and private data aggregation for energy consumption laboratecom), 2013 9th International Conference Conference
1375 scheduling in smart grids, IEEE Transactions on Dependable on, IEEE, 2013, pp. 608–615.
and Secure Computing 14 (2) (2017) 221–234. [125] A. Nieto, R. Rios, J. Lopez, IoT-forensics meets privacy:
M

[112] G. Giaconi, D. Gündüz, H. V. Poor, Privacy-aware smart1425 towards cooperative digital investigations, Sensors 18 (2)
metering: Progress and challenges, CoRR abs/1802.01166. (2018) 492.
[113] G. Giaconi, D. Gündüz, H. V. Poor, Smart meter privacy with [126] Changing driving laws to support automated
ED

1380 renewable energy and an energy storage device, IEEE Trans. vehicles, <http://www.ntc.gov.au/current-projects/
Information Forensics and Security 13 (1) (2018) 129–142. changing-driving-laws-to-support-automated-vehicles/
[114] Y. Tian, N. Zhang, Y. Lin, X. Wang, B. Ur, X. Guo, P. Tague,1430 ?modeId=1064{&}topicId=1166>.
Smartauth: User-centered authorization for the internet of [127] Ian G. Harris, Social Engineering Attacks on the
PT

things, in: E. Kirda, T. Ristenpart (Eds.), 26th USENIX Internet of Things, <https://iot.ieee.org/newsletter/
1385 Security Symposium, USENIX Security 2017, Vancouver, BC, september-2016/social%2Dengineering%2Dattacks%2Don%
Canada, August 16-18, 2017., USENIX Association, 2017, pp. 2Dthe%2Dinternet%2Dof%2Dthings.html>.
CE

361–378. 1435 [128] GDPR Portal: Site Overview, <https://www.eugdpr.org/>.

[115] E. Fernandes, A. Rahmati, J. Jung, A. Prakash, Security [129] Y. O’Connor, W. Rowan, L. Lynch, C. Heavin, Privacy by
implications of permission models in smart-home application Design: Informed Consent and Internet of Things for Smart
AC

1390 frameworks, IEEE Security & Privacy 15 (2) (2017) 24–30. Health, Procedia Computer Science 113 (2017) 653–658.
[116] M. A. Sahi, H. Abbas, K. Saleem, X. Yang, A. Derhab, M. A. [130] Health Insurance Portability and Accountability Act, <https:
Orgun, W. Iqbal, I. Rashid, A. Yaseen, Privacy Preservation1440 //en.wikipedia.org/wiki/Health%7B_%7DInsurance%7B_
in e-Healthcare Environments: State of the Art and Future %7DPortability%7B_%7Dand%7B_%7DAccountability%7B_
Directions, Ieee Access 6 (2018) 464–478. %7DAct>.
1395 [117] C. Rottondi, G. Verticale, A. Capone, Privacy-preserving
smart metering with multiple data consumers, Computer
Networks 57 (7) (2013) 1699–1713.
[118] S. Ge, P. Zeng, R. Lu, K.-K. R. Choo, FGDA: Fine-
grained data analysis in privacy-preserving smart grid
1400 communications, Peer-to-Peer Networking and Applications

20
 ACCEPTED MANUSCRIPT

Jianwei Hou received the B.S. degree in information security from Harbin Engineering University, Harbin,
P.R.China, in 2016. She is currently pursuing the Ph.D. degree at the School of Information, Renmin
University of China, Beijing, P.R.China. Her research interests include system security, software-defined
networking, and IoT security.

Leilei Qu received the B.S. degree in information security from Renmin University of China, Beijing,
P.R.China, in 2017. She is currently working towards the Ph.D. degree at the School of Information, Renmin
University of China. Her research interests include system security, IoT security and human factors in
cybersecurity.

T
Wenchang Shi received his B.S. degree in Computer Science from the Department of Computer Science and
Technology, Peking University, Beijing, P.R.China, and his Ph.D. degree in Computer Science from the Institute

IP
of Software, Chinese Academy of Sciences, Beijing, P.R.China. Currently, he is a Professor at School of
Information, Renmin University of China, Beijing, P.R.China. He is a member of the Steering Committee of

CR
Cybersecurity Education, Ministry of Education, China, the vice president of the China Cyber and Information
Law Society, and the Vice Chair of the Academic Committee, China Cloud Security Alliance. His research
interests include System Security, Trusted Computing and Digital Forensics.

US
AN
M
ED
PT
CE
AC