A Deep Learning-based Penetration Testing Framework for Vulnerability Identification in Internet of Things Environments

The Internet of Things (IoT) paradigm has displayed tremendous growth in recent years, resulting in innovations like Industry 4.0 and smart environments that provide improvements to efficiency, management of assets and facilitate intelligent decision making. However, these benefits are offset by considerable cybersecurity concerns that arise due to inherent vulnerabilities, which hinder IoT-based systems’ Confidentiality, Integrity, and Availability. Security vulnerabilities can be detected through the application of penetration testing, and specifically, a subset of the information-gathering stage, known as vulnerability identification. Yet, existing penetration testing solutions can not discover zero-day vulnerabilities from IoT environments, due to the diversity of generated data, hardware constraints, and environmental complexity. Thus, it is imperative to develop effective penetration testing solutions for the detection of vulnerabilities in smart IoT environments. In this paper, we propose a deep learning-based penetration testing framework, namely Long Short-Term Memory Recurrent Neural NetworkEnabled Vulnerability Identification (LSTM-EVI). We utilize this framework through a novel cybersecurity-oriented testbed, which is a smart airport-based testbed comprised of both physical and virtual elements. The framework was evaluated using this testbed and on real-time data sources. Our results revealed that the proposed framework achieves about 99% detection accuracy for scanning attacks, outperforming other four peer techniques.

[1]  Syed Ali Hassan,et al.  Machine Learning in IoT Security: Current Solutions and Future Challenges , 2019, IEEE Communications Surveys & Tutorials.

[2]  Alexander G. Eustis The Mirai Botnet and the Importance of IoT Device Security , 2019 .

[3]  Abdul Wahab,et al.  FGMC-HADS: Fuzzy Gaussian mixture-based correntropy models for detecting zero-day attacks from linux systems , 2020, Comput. Secur..

[4]  Shashank Gupta,et al.  Future IoT‐enabled threats and vulnerabilities: State of the art, challenges, and future prospects , 2020, Int. J. Commun. Syst..

[5]  Carlos T. Calafate,et al.  The Internet of Things for Smart Environments , 2020, Future Internet.

[6]  Cihan Varol,et al.  Testing IoT Security: The Case Study of an IP Camera , 2020, 2020 8th International Symposium on Digital Forensics and Security (ISDFS).

[7]  Babak D. Beheshti,et al.  A study on penetration testing process and tools , 2018, 2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT).

[8]  Hai Jin,et al.  A Comparative Study of Deep Learning-Based Vulnerability Detection System , 2019, IEEE Access.

[9]  Kolin Paul,et al.  IoT-PEN: An E2E Penetration Testing Framework for IoT , 2020, J. Inf. Process..

[10]  Farookh Khadeer Hussain,et al.  DDoS attacks in IoT networks: a comprehensive systematic literature review , 2021, World Wide Web.

[11]  Praveen Gauravaram,et al.  A Holistic Review of Cybersecurity and Reliability Perspectives in Smart Airports , 2020, IEEE Access.

[12]  Rajiv Kumar,et al.  Internal Network Penetration Testing Using Free/Open Source Tools: Network and System Administration Approach , 2018 .

[13]  David Starobinski,et al.  Snout: An Extensible IoT Pen-Testing Tool , 2019, CCS.

[14]  Helge Janicke,et al.  Federated TON_IoT Windows Datasets for Evaluating AI-based Security Applications , 2020, ArXiv.

[15]  Nour Moustafa,et al.  A new distributed architecture for evaluating AI-based security systems at the edge: Network TON_IoT datasets , 2021 .

[16]  Yan Wang,et al.  A systematic review of fuzzing based on machine learning techniques , 2019, PloS one.

[17]  Tooska Dargahi,et al.  A Cyber-Kill-Chain based taxonomy of crypto-ransomware features , 2019, Journal of Computer Virology and Hacking Techniques.

[18]  Kim-Kwang Raymond Choo,et al.  Towards Automation of Vulnerability and Exploitation Identification in IIoT Networks , 2018, 2018 IEEE International Conference on Industrial Internet (ICII).

[19]  Iqbal H. Sarker,et al.  IntruDTree: A Machine Learning Based Cyber Security Intrusion Detection Model , 2020, Symmetry.