Detecting Volumetric Attacks on loT Devices via SDN-Based Monitoring of MUD Activity

Smart environments equipped with IoT devices are increasingly under threat from an escalating number of sophisticated cyber-attacks. Current security approaches are inaccurate, expensive, or unscalable, as they require static signatures of known attacks, specialized hardware, or full packet inspection. The IETF Manufacturer Usage Description (MUD) framework aims to reduce the attack surface on an IoT device by formally defining its expected network behavior. In this paper, we use SDN to monitor compliance with the MUD behavioral profile, and develop machine learning methods to detect volumetric attacks such as DoS, reflective TCP/UDP/ICMP flooding, and ARP spoofing to IoT devices. Our first contribution develops a machine for detecting anomalous patterns of MUD-compliant network activity via coarse-grained (device-level) and fine-grained (flow-level) SDN telemetry for each IoT device, thereby giving visibility into flows that contribute to a volumetric attack. For our second contribution we measure network behavior of IoT devices by collecting benign and volumetric attacks traffic traces in our lab, label our dataset, and make it available to the public. Our last contribution prototypes a full working system (built with an OpenFlow switch, Faucet SDN controller, and a MUD policy engine), demonstrates its application in detecting volumetric attacks on several consumer IoT devices with high accuracy, and provides insights into cost and performance of our system. Our data and solution modules are released as open source to the community.

[1]  Syed Ali Khayam,et al.  Revisiting Traffic Anomaly Detection Using Software Defined Networking , 2011, RAID.

[2]  Charu C. Aggarwal,et al.  On the Surprising Behavior of Distance Metrics in High Dimensional Spaces , 2001, ICDT.

[3]  Vern Paxson,et al.  Outside the Closed World: On Using Machine Learning for Network Intrusion Detection , 2010, 2010 IEEE Symposium on Security and Privacy.

[4]  Matthew Roughan,et al.  Clear as MUD: Generating, Validating and Applying IoT Behavioral Profiles , 2018, IoT S&P@SIGCOMM.

[5]  A. Azzouz 2011 , 2020, City.

[6]  Vijay Sivaraman,et al.  Quantifying the reflective DDoS attack capability of household IoT devices , 2017, WISEC.

[7]  ZhangZonghua,et al.  Enabling security functions with SDN , 2015 .

[8]  R. Sekar,et al.  Experiences with Specification-Based Intrusion Detection , 2001, Recent Advances in Intrusion Detection.

[9]  Balachander Krishnamurthy,et al.  Piggybacking Network Functions on SDN Reactive Routing: A Feasibility Study , 2017, SOSR.

[10]  David A. Clifton,et al.  A review of novelty detection , 2014, Signal Process..

[11]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[12]  Gabriel Maciá-Fernández,et al.  Anomaly-based network intrusion detection: Techniques, systems and challenges , 2009, Comput. Secur..

[13]  Basil S. Maglaris,et al.  Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments , 2014, Comput. Networks.

[14]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[15]  Andrew W. Moore,et al.  X-means: Extending K-means with Efficient Estimation of the Number of Clusters , 2000, ICML.

[16]  Mounir Ghogho,et al.  Deep learning approach for Network Intrusion Detection in Software Defined Networking , 2016, 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM).

[17]  G. Maciá-Fernández,et al.  Anomaly-based network intrusion detection: Techniques, systems and challenges , 2009, Comput. Secur..

[18]  Vijay Sivaraman,et al.  Characterizing and classifying IoT traffic in smart cities and campuses , 2017, 2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS).

[19]  Matthew Roughan,et al.  Clear as MUD: Generating, Validating and Applying IoT Behaviorial Profiles (Technical Report) , 2018, ArXiv.

[20]  Heng Tao Shen,et al.  Principal Component Analysis , 2009, Encyclopedia of Biometrics.

[21]  Gaël Varoquaux,et al.  Scikit-learn: Machine Learning in Python , 2011, J. Mach. Learn. Res..

[22]  Jian Zhu,et al.  SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks , 2016, J. Netw. Comput. Appl..

[23]  Guangjie Han,et al.  Policy and network-based intrusion detection system for IPv6-enabled wireless sensor networks , 2014, 2014 IEEE International Conference on Communications (ICC).

[24]  Gurusamy Mohan,et al.  Dynamic attack detection and mitigation in IoT using SDN , 2017, 2017 27th International Telecommunication Networks and Applications Conference (ITNAC).

[25]  Nick Feamster,et al.  Machine Learning DDoS Detection for Consumer Internet of Things Devices , 2018, 2018 IEEE Security and Privacy Workshops (SPW).

[26]  H. Kaiser The Application of Electronic Computers to Factor Analysis , 1960 .

[27]  M. Cugmas,et al.  On comparing partitions , 2015 .

[28]  Vijay Sivaraman,et al.  Systematically Evaluating Security and Privacy for Consumer IoT Devices , 2017, IoT S&P@CCS.

[29]  Rodrigo Braga,et al.  Lightweight DDoS flooding attack detection using NOX/OpenFlow , 2010, IEEE Local Computer Network Conference.

[30]  R Core Team,et al.  R: A language and environment for statistical computing. , 2014 .

[31]  Vijay Sivaraman,et al.  Combining MUD Policies with SDN for IoT Intrusion Detection , 2018, IoT S&P@SIGCOMM.