Detecting Volumetric Attacks on IoT Devices via SDN-Based Monitoring of MUD Activity

Research article. DOI: 10.1145/3314148.3314352
Published: 03 April 2019

Abstract

Smart environments equipped with IoT devices are increasingly under threat from an escalating number of sophisticated cyber-attacks. Current security approaches are inaccurate, expensive, or unscalable, as they require static signatures of known attacks, specialized hardware, or full packet inspection. The IETF Manufacturer Usage Description (MUD) framework aims to reduce the attack surface of an IoT device by formally defining its expected network behavior. In this paper, we use SDN to monitor compliance with the MUD behavioral profile, and develop machine learning methods to detect volumetric attacks such as DoS, reflective TCP/UDP/ICMP flooding, and ARP spoofing against IoT devices.

Our first contribution develops a method for detecting anomalous patterns of MUD-compliant network activity via coarse-grained (device-level) and fine-grained (flow-level) SDN telemetry for each IoT device, thereby giving visibility into the flows that contribute to a volumetric attack. For our second contribution we measure the network behavior of IoT devices by collecting benign and volumetric-attack traffic traces in our lab, label our dataset, and make it available to the public. Our last contribution prototypes a full working system (built with an OpenFlow switch, the Faucet SDN controller, and a MUD policy engine), demonstrates its application in detecting volumetric attacks on several consumer IoT devices with high accuracy, and provides insights into the cost and performance of our system. Our data and solution modules are released as open source to the community.




Published In

SOSR '19: Proceedings of the 2019 ACM Symposium on SDN Research
April 2019, 166 pages
ISBN: 9781450367103
DOI: 10.1145/3314148

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SOSR '19: Symposium on SDN Research
April 3 - 4, 2019
San Jose, CA, USA

Acceptance Rates

Overall Acceptance Rate: 7 of 43 submissions, 16%

Article Metrics

  • Downloads (last 12 months): 170
  • Downloads (last 6 weeks): 11
Reflects downloads up to 18 Nov 2024

Cited By

  • (2024) Res-DFNN: An NN-Based Device Fingerprint Extraction Method Using Network Packet Data. Symmetry 16(4):443. DOI: 10.3390/sym16040443. Online publication date: 6 Apr 2024.
  • (2024) Create a Realistic IoT Dataset Using Conditional Generative Adversarial Network. Journal of Sensor and Actuator Networks 13(5):62. DOI: 10.3390/jsan13050062. Online publication date: 3 Oct 2024.
  • (2024) A Holistic Review of Machine Learning Adversarial Attacks in IoT Networks. Future Internet 16(1):32. DOI: 10.3390/fi16010032. Online publication date: 19 Jan 2024.
  • (2024) Poster: Understanding and Managing Changes in IoT Device Behaviors for Reliable Network Traffic Inference. Proceedings of the ACM SIGCOMM 2024 Conference: Posters and Demos, pp. 25-27. DOI: 10.1145/3672202.3673723. Online publication date: 4 Aug 2024.
  • (2024) Mitigating IoT Botnet DDoS Attacks through MUD and eBPF based Traffic Filtering. Proceedings of the 25th International Conference on Distributed Computing and Networking, pp. 164-173. DOI: 10.1145/3631461.3631549. Online publication date: 4 Jan 2024.
  • (2024) Collaborative Defense Against Hybrid Network Attacks by SDN Controllers and P4 Switches. IEEE Transactions on Network Science and Engineering 11(2):1480-1495. DOI: 10.1109/TNSE.2023.3324329. Online publication date: Mar 2024.
  • (2024) IoTa: Fine-Grained Traffic Monitoring for IoT Devices via Fully Packet-Level Models. IEEE Transactions on Dependable and Secure Computing 21(4):3931-3947. DOI: 10.1109/TDSC.2023.3340563. Online publication date: Jul 2024.
  • (2024) Network Traffic Analysis of Medical Devices. 2024 International Conference on Smart Applications, Communications and Networking (SmartNets), pp. 1-6. DOI: 10.1109/SmartNets61466.2024.10577713. Online publication date: 28 May 2024.
  • (2024) Realizing Open and Decentralized Marketplace for Exchanging Data of Expected IoT Behaviors. NOMS 2024 - IEEE Network Operations and Management Symposium, pp. 1-5. DOI: 10.1109/NOMS59830.2024.10575272. Online publication date: 6 May 2024.
  • (2024) IoT-AD: A Framework to Detect Anomalies Among Interconnected IoT Devices. IEEE Internet of Things Journal 11(1):478-489. DOI: 10.1109/JIOT.2023.3285714. Online publication date: 1 Jan 2024.