
Department of Computer Science and Information Engineering
College of Engineering
National Chung Cheng University

Doctoral dissertation

Collaborative detection framework for security
attacks on the Internet of Things

Nguyen Van Linh
Advisor: Prof. Po-Ching Lin, Ph.D.
Co-advisor: Prof. Ren-Hung Hwang, Ph.D.

Taiwan, R.O.C, Fall 2019



Authorization for Online Access to the Electronic File of a Master's/Doctoral Thesis
(This copy is to be returned to the university library together with the thesis, for the National Central Library's authorization management) ID: 106CCU00392111

The thesis authorized by this form is the one for which the authorizer obtained a doctoral degree from the Graduate Institute of Computer Science and Information Engineering, National Chung Cheng University, in the first semester of academic year 108.

Thesis title: Collaborative detection framework for security attacks on the Internet of Things

Advisor: Po-Ching Lin (林柏青)
I hereby agree to make the full text (including the abstract) of the above thesis, of which the authorizer holds the copyright, available to readers for personal, non-commercial online retrieval, reading, downloading or printing. This authorization is non-exclusive and royalty-free, granted to the National Central Library and the library of my graduating school, without limitation of region, time or number of uses, to reproduce the above thesis in microfilm, optical disc or digital form, and I agree to the public transmission of the digital file.
Open immediately both on and off campus
□ Open immediately on campus; open off campus after ____ (year) ____ (month) ____ (day)
□ Open on campus after ____ (year) ____ (month) ____ (day); open off campus after ____ (year) ____ (month) ____ (day)
□ Other

Authorizer: Nguyen Van Linh (阮文齡)
Signature: _____________________

Date: ______ (year) ______ (month) ______ (day)


Acknowledgements
The road to scientific research has never been a flat one, especially for me. After three
years of fighting for my dream of being a cybersecurity scientist, I finally have a chance
to express my sincere gratitude to the people who have given me passion and strength
in this fight. I would like to sincerely express the deepest appreciation to my beloved
supervisors, Prof. Po-Ching Lin and Prof. Ren-Hung Hwang, who both encouraged
me to surpass the critical points of this research. Without their valuable assistance and
timely encouragement, I could not have known whether I was on the right track. To
me, their insightful comments, tough questions, and particularly thoughtful reviews have
certainly motivated me a lot to finish this extremely hard work on time.
I would like to sincerely thank National Chung Cheng University (CCU) for offering me a full
scholarship. Also, the precious and constant sponsorship from Prof. Lin and Prof. Hwang,
the Department of Computer Science and Information Engineering (CSIE@CCU), and the Taiwan
Information Security Center at National Sun Yat-sen University (TWISC@NSYSU) was
extremely vital for my research and living in Taiwan.
Also, a thank you to my professors at CCU/NSYSU who taught me great courses or
worked with me on meaningful projects. A thank you to Ms. Huang and Ms. Chen, who
gave me exciting Chinese courses that certainly helped me forget all the tiredness
at work and keep fighting. I would like to thank the staff of CSIE@CCU for their great
support with document procedures. Thanks to all members of the Network and System Security
Lab, my beloved friends at CCU, the Karate club, and the Badminton team, who were always
willing to encourage and cheer with me at the memorable times of my Ph.D. journey.
Finally, thanks to my parents, my darling, and all my friends for their unconditional
support and patience during the course of this work. Last but not least, I would like to
thank my life partner, Lan-Huong, for her constant encouragement, sacrifices and endless
love for me, which motivated me a lot to firmly pursue the doctoral program till the end. I
believe that, without this encouragement and support, I could never have been strong enough to
overcome the difficulties and finish this research successfully.



Abstract
A connected world of the Internet of Things (IoT) has become a visible reality, closer than ever,
and is now being fueled by the appearance of 5G and beyond-5G (B5G) connectivity
technologies. However, besides bringing the hope of a better life for human beings
through promising applications, the complicated structure of IoT and the diversity of the
stakeholders accessing the networks also raise grave concerns that our lives may be more
vulnerable than ever to daily threats of security attacks, disinformation, and privacy
violation. The objective of the research presented in this dissertation is to detect the
attacks targeting network availability (e.g., volume attacks) and data authenticity (e.g.,
data forgery dissemination attacks) in the perception layer and the network layer of IoT
networks. Further, our research aims to exclude the responsible attackers, misbehaving
nodes and unreliable stakeholders from active network participation, or at least to mitigate
the magnitude of such attacks significantly at the edge of the networks in a timely fashion.
While most existing solutions for security detection in IoT are based on data-driven
learning and plausibility checks on the traffic near the victim or at a single network hop,
in this dissertation we propose a collaborative security defense framework, called TrioSys,
which relies on three main approaches. First, the system evaluates the behavior of
traffic/nodes by learning from cooperatively accumulated information, e.g., the distribution
of requests targeting a specific address over a time interval, and by fusing the
trustworthiness of post-detection results from trusted engines at multiple layers, such as
edge-based (regional) and cloud-based (global) detection systems. Second, by targeting the
filtering of malicious traffic and bogus messages directly at or near the source nodes and
the edge, our system provides a highly effective protection approach with a low-latency
response to attacks, in particular before their malicious traffic has a chance to pour into
the networks or affect the decisions of unsuspecting nodes such as the control system of
an autonomous vehicle. Finally, for each specific application deployment, i.e., IoT eMBB
or IoT uRLLC, we propose a suitable strategy to implement the detection mechanisms on
the platform. For example, in the autonomous driving case (IoT uRLLC), we propose a
novel method that exploits passive source localization from the physical signals of
multi-array beamforming antennas in V2X-supported vehicles, together with motion
prediction, to verify the truthfulness of the GPS location claimed in V2X messages without
requiring many dedicated anchors or the strong honest-majority assumption of
conventional approaches.
In summary, this work consists of two main contributions: (1) TrioSys, a robust and
effective platform for detecting and filtering attacks in IoT, particularly compatible with
5G applications and network models; (2) a novel near-source detection scheme for DDoS
defense in the IoT eMBB slice and two physical-signal-driven verification schemes for V2X
(i.e., IoT uRLLC). Also, besides our comprehensive survey of state-of-the-art attacks
against network availability/data authenticity and countermeasure approaches, our
findings on relevant security issues can provide useful suggestions for future work.


Keywords – Internet of Things Security, 5G/B5G Security, Distributed Denial-of-service
defense, Misbehavior Detection in 5G V2X
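The edge/cloud split described in the abstract, in which edge detectors learn a per-destination request distribution over a time interval and a central engine fuses their verdicts by trustworthiness, is illustrated by the following Python sketch. It is an added example written for this page, not the dissertation's TrioSys implementation: the detector names (M-TrioSys-edgeN), the window and threshold values, the trust weights, the fusion rule (a trust-weighted mean with a floor on the total trust mass) and the traffic records are all constructed assumptions.

```python
"""Added example: two-tier, trust-weighted volume-attack detection in the spirit of
the edge/cloud split sketched in the abstract. Illustrative code written for this
page, not the dissertation's implementation; scoring rule, fusion rule, detector
names and traffic records are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[float, str, str]  # (timestamp in seconds, source address, destination address)


@dataclass(frozen=True)
class Verdict:
    detector: str   # edge instance that produced it (assumed naming: "M-TrioSys-<site>")
    window: int     # observation window index
    target: str     # destination address suspected of being flooded
    score: float    # local confidence in [0, 1]
    requests: int   # requests seen for `target` in that window


class LocalDetector:
    """Edge-side detector (the M-TrioSys role): builds the per-destination request
    distribution over a fixed time interval and reports destinations whose request
    count looks like a volume attack. All thresholds are assumptions for the example."""

    def __init__(self, name: str, window_s: float = 10.0,
                 rate_threshold: int = 100, report_floor: float = 0.5) -> None:
        self.name = name
        self.window_s = window_s
        self.rate_threshold = rate_threshold   # requests per window that saturate the score
        self.report_floor = report_floor       # only share verdicts at or above this score

    def observe(self, records: Iterable[Record]) -> List[Verdict]:
        per_window: Dict[int, Counter] = defaultdict(Counter)
        for ts, _src, dst in records:
            per_window[int(ts // self.window_s)][dst] += 1
        verdicts: List[Verdict] = []
        for window, dist in sorted(per_window.items()):
            for dst, n in dist.items():
                score = min(1.0, n / self.rate_threshold)
                if score >= self.report_floor:
                    verdicts.append(Verdict(self.name, window, dst, score, n))
        return verdicts


class CentralFuser:
    """Cloud/regional fuser (the C-TrioSys role): combines edge verdicts weighted by
    how much each edge detector is trusted, so a single weakly trusted detector
    cannot push a destination onto the filter list on its own."""

    def __init__(self, trust: Dict[str, float], decision_threshold: float = 0.6,
                 min_trust_mass: float = 1.0) -> None:
        self.trust = trust
        self.decision_threshold = decision_threshold
        self.min_trust_mass = min_trust_mass   # denominator floor (assumed design choice)

    def fuse(self, verdicts: Iterable[Verdict]) -> Dict[str, float]:
        weighted: Dict[str, float] = defaultdict(float)
        mass: Dict[str, float] = defaultdict(float)
        for v in verdicts:
            w = self.trust.get(v.detector, 0.0)   # unknown detectors carry no weight
            weighted[v.target] += w * v.score
            mass[v.target] += w
        return {t: weighted[t] / max(mass[t], self.min_trust_mass) for t in weighted}

    def decide(self, verdicts: Iterable[Verdict]) -> Set[str]:
        return {t for t, s in self.fuse(verdicts).items() if s >= self.decision_threshold}


def constructed_traffic() -> Dict[str, List[Record]]:
    """Synthetic request records for three edge sites (constructed for this example)."""
    def benign(n: int) -> List[Record]:
        return [(i * 0.4, f"10.0.0.{i % 5}", f"198.51.100.{i % 10}") for i in range(n)]

    def flood(n: int, dst: str) -> List[Record]:
        return [(i * 0.06, f"10.0.1.{i % 30}", dst) for i in range(n)]

    return {
        "M-TrioSys-edge1": benign(20) + flood(150, "203.0.113.10"),
        "M-TrioSys-edge2": benign(20) + flood(120, "203.0.113.10"),
        # edge3 sees a burst towards a legitimate service and is only weakly trusted
        "M-TrioSys-edge3": benign(20) + flood(80, "198.51.100.7"),
    }


def run_example() -> Tuple[Dict[str, float], Set[str]]:
    verdicts: List[Verdict] = []
    for site, records in constructed_traffic().items():
        verdicts.extend(LocalDetector(site).observe(records))
    fuser = CentralFuser(trust={"M-TrioSys-edge1": 0.9,
                                "M-TrioSys-edge2": 0.8,
                                "M-TrioSys-edge3": 0.3})
    return fuser.fuse(verdicts), fuser.decide(verdicts)


if __name__ == "__main__":
    fused, to_filter = run_example()
    for target, score in sorted(fused.items()):
        print(f"{target:<15} fused score {score:.2f}")
    print("filter at edge:", sorted(to_filter))
```

Running the block prints the fused score per destination and the resulting filter set: the two trusted edges that both see the flood against 203.0.113.10 get it filtered, while the weakly trusted third edge cannot get the legitimate service it reported filtered on its own, which is the point of fusing post-detection results by trustworthiness rather than acting on any single detector.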


Overview of publications
The following articles are peer-reviewed publications, accepted or under review, with results included
in or achieved during this dissertation:
Journal Papers
1. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, "Multi-array relative positioning for verifying the truthfulness of V2X messages," IEEE Communications Letters, Vol. 23, No. 10, pp. 1704-1707, Oct. 2019.
2. Van-Linh Nguyen, Po-Ching Lin, and Ren-Hung Hwang, "Energy depletion attacks in Low Power Wireless networks," IEEE Access, Vol. 7, Apr. 2019.
3. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, "MECPASS: Distributed Denial of Service Defense Architecture for Mobile Networks," IEEE Network, Vol. 32, No. 1, pp. 118-124, Jan.-Feb. 2018.
4. Van-Linh Nguyen, Po-Ching Lin, and Ren-Hung Hwang, "Web Attacks: beating monetisation attempts," Network Security (Elsevier), No. 5, pp. 1-20, May 2019.
5. Ren-Hung Hwang, Min-Chun Peng, Van-Linh Nguyen, and Yu-Lun Chang, "An LSTM-Based Deep Learning Approach for Classifying Malicious Traffic at the Packet Level," Applied Sciences, Vol. 9, No. 16, pp. 3414-3428, Aug. 2019.
6. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, "Enhancing misbehavior detection in 5G Vehicle-to-Vehicle communications," submitted to IEEE Transactions on Vehicular Technology (major revision).
7. Ren-Hung Hwang, Min-Chun Peng, Chien-Wei Huang, Po-Ching Lin and Van-Linh Nguyen, "PartPack: An unsupervised deep learning model for early anomaly detection in network traffic," submitted in Aug. 2019 to IEEE Transactions on Emerging Topics in Computational Intelligence.

Conference Papers
1. Ren-Hung Hwang, Van-Linh Nguyen, and Po-Ching Lin, "StateFit: A security framework for SDN programmable data plane model," The 15th International Symposium on Pervasive Systems, Algorithms and Networks (ISPAN), Yichang, China, Oct. 2018.
2. Po-Ching Lin, Ping-Chung Li, and Van-Linh Nguyen, "Inferring OpenFlow rules by active probing in software-defined networks," The 19th International Conference on Advanced Communications Technology (ICACT), PyeongChang, South Korea, Jan. 2017.
3. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, "Physical signal-driven fusion for V2X misbehavior detection," IEEE Vehicular Networking Conference, Los Angeles, USA, 2019.
Projects I have contributed to
1. Po-Ching Lin and Van-Linh Nguyen, "Security protection system for V2X in 5G networks," a three-year MOST-funded project, 2019/08/01 - 2022/07/31.



Contents
Acknowledgements   i
Abstract   ii
List of Figures   ix
List of Tables   xii
Acronyms   xiii
1 Introduction   1
1.1 Motivation   1
1.2 The featured security attacks on IoT   3
1.3 The collaborative security defense approach   5
1.4 Problem statement, challenges and our research position   6
1.5 Goals   10
1.6 Contributions   11
1.7 Structure of the Dissertation   11
2 Background   13
2.1 Internet of Things and existing security issues: A glance   13
2.2 Enabling technologies promoting the changes to IoT security research   16
2.3 Summary   22
3 TrioSys: A collaborative security attack detection system for IoT   25
3.1 Related work   25
3.2 Assumption and Adversary model   27
3.2.1 Assumption   27
3.2.2 Adversary model   28
3.3 Generic architecture   30
3.4 System description   32
3.5 Detection and filtering   35
3.6 Data sharing and update management   37
3.7 Data fusion   38
3.8 Summary   39
4 TrioSys implementation for enhanced mobile broadband networks   41
4.1 Related work   41
4.1.1 Overview of DDoS attacks   41
4.1.2 State-of-the-art DDoS defense   44
4.2 TrioSys for filtering DDoS attacks   47
4.2.1 Local detectors   48
4.2.2 The central detectors   54
4.3 Evaluation   56
4.3.1 Simulated traffic   56
4.3.2 Performance evaluation   57
4.4 System core and filtering rule updates   61
4.4.1 Proposal model for updating security rules   62
4.4.2 Performance evaluation   66
4.5 Conclusion   70
5 TrioSys implementation for ultra reliable low latency networks   71
5.1 Introduction   71
5.2 Related Work   75
5.3 Assumption and Attack model   76
5.3.1 Vehicle configuration & source information   77
5.3.2 Assumption   77
5.3.3 Attack model   78
5.4 System model   79
5.5 TrioSys for detecting location forgery attacks   84
5.5.1 Verifying the truthfulness of V2X messages   84
5.5.2 Calibration methods to improve the detection precision   90
5.5.3 Vehicle maneuver prediction for misbehavior detection   94
5.5.4 Assistive signal-based verification   101
5.6 Evaluation results   104
5.6.1 Overall performance   105
5.6.2 System parameter influence   107
5.7 Conclusion   117
6 Conclusion & future work   119
6.1 Conclusion   119
6.2 Research discussion   120
6.3 Challenges and Future work   124
Appendices   129
Illustration of 5G Authentication and 5G beamforming analysis   131
References   131
Author information   145


List of Figures
1.2.1 The overview of IoT attack types. Motivated mostly by practical attacks, and without loss of generality, we address two typical types of attacks in this work: (1) DDoS attacks in cellular networks; (2) false data dissemination attacks in V2X.   4
1.4.1 The general network model and the security attacks. From the communication perspective, this model also reveals a common scheme: IoT devices are supposed to connect to the Internet through a cellular infrastructure.   7
2.1.1 IoT conceptual architecture and layer classification by coverage and relevant business sectors. Low-power wireless networks support connectivity for massive numbers of constrained IoT devices with a communication range of 10-50 km and latency > 1 s at best. IoT uRLLC offers connectivity to high-end applications such as V2X or remote surgery that often require very low latency (< 1 s).   14
2.1.2 A glance at IoT devices. IoT devices can be categorized into two types: constrained or unconstrained. The constraints may refer to energy, computation and cost.   15
2.1.3 The relationship of low-power personal area networks (LPAN)/low-power wide area networks (LPWAN) and IP-based protocol stacks (Internet domain). Most protocols in both domains are modified to satisfy the energy consumption requirement and the simplicity of LPW devices.   17
2.2.1 The architecture of the 5G network and the position of our proposal (bold/red text). Our system is primarily located at the MEC (5G LADN).   18
2.2.2 The abstract of the multi-access edge computing system [23] and the position of our proposal (bold/red color). Our system is accommodated in MEC VNFs.   19
2.2.3 The abstract of the SECaaS-based security architecture with the support of SDN and the programmable model. We structure the major detection and filtering engines as configurable components embedded into programmable facilities such as switches/MEC-based servers.   22
3.2.1 The position of the attacks in the three-layer structure (Things/Devices, Edge and Cloud). Most broadcast false data come from the Things/Devices layer or the physical/MAC layer, while spoofing and volume attacks such as DoS/DDoS target the network layer or application layer.   29
3.3.1 Structure of the TrioSys system, in which D-TrioSys means the detector is embedded in the device; M-TrioSys denotes the detector deployed at MEC-based servers; C-TrioSys is the detector located at the cloud center. In practice, the core and cloud can belong to one layer, e.g., a regional data center.   31
3.4.1 Illustration of the collaboration among connected TrioSys instances. M-TrioSys and C-TrioSys for different applications can be located on the same server but support a chain of different detection engines, according to the traffic classification in the slices.   34
4.1.1 Illustration of DDoS attacks aiming to exceed the network bandwidth of the perimeter networks near the remote server (victim).   42
4.1.2 Classification of DDoS defense mechanisms based on their deployment location. The closer the defense is to the target, the more accurately it can detect the attack traffic, but the less it satisfies the ultimate goal of DDoS defense.   46
4.1.3 The conceptual MEC architecture, in which MEC servers collect the raw data streams from registered IoT and mobile devices and classify them into different groups on the basis of the data type.   48
4.2.1 The architecture of the MECPASS DDoS defense system, where the local nodes are M-TrioSys detectors and the central nodes are C-TrioSys. Anti-spoofing and anti-DDoS are sequentially grouped into a chain of detection engines.   49
4.2.2 Illustration of the anti-spoofing mechanism, in which the TEID value must be the same in both the GTP-C packets and the GTP-U packets.   50
4.2.3 Illustration of the ON/OFF model. An ON cycle means packet transmission exists for an interval of time (T_on), after which the element is idle for another time interval (T_off); this alternation of communication and idleness repeats over time (per T_observation).   51
4.2.4 The central nodes handle the handover process, where they fuse the data from the local nodes' aggregation for further analysis.   55
4.3.1 The simulated traffic with three scenarios: (1) UDP spoofing packets; (2) high-rate (TCP sending > 100 kB per 10 s) and low-rate (TCP sending ~30 kB per 10 s) attacks; (3) benign traffic (using the ON/OFF model).   57
4.3.2 The evaluation results of the system in various attack cases.   59
4.4.1 The proposed architecture for updating the DDoS detection engines, namely StateFit, and the workflow of the system.   63
4.4.2 The system log of the testing workflow.   68
4.4.3 Latency of consistent updates in ONOS 1.11 [84].   69
5.1.1 Flow chart of the verification model, in which we only verify authorized messages signed by legitimate identities, i.e., to reduce the computation overhead of validating unnecessary messages.   73
5.3.1 Illustration of the attack cases and consequences in V2V communications. Two attackers (Tx1, Tx2) and many benign vehicles are on two roads (Road 1, Road 2). An attacker (Tx1) broadcasts BSM/CAM to claim it is braking (marker 1) or suddenly stops (marker 4), but in fact it stops at the side of LANE 2 of Road 1. Another attacker (Tx2) on Road 2 broadcasts that it is moving to the street junction at high speed (90 km/h), but it actually stops at the roadside.   80
5.4.1 Geometric model of the 2D multi-array antenna configuration and illustration of a false location claim (the spot on the right side) by the attacker.   81
5.5.1 Performance results of the proposal in various conditions: a) selection of α; b) distance between Tx-Rx (α = 5); c) noise variance; d) number of vehicles under verification (exchanging data with the Rx).   88
5.5.2 The abstract architecture of the TrioSys-based misbehavior detection system: (1) path prediction on the vehicle (leader); (2) platoon control plan on the MEC-based system.   91
5.5.3 Illustration of vehicle movement behaviors: the vehicle is supposed to keep a constant velocity on the straight road segment (first segment), turn at the bend and change speed (second segment), and then accelerate after moving into the straight area (third segment). In practice, depending on the road condition, the motion model of the vehicle may vary. By applying the motion model in our prediction, we can estimate the next location of the vehicle (state k) from the state of the previous step, i.e., k − 1 (as in the coordinate illustration at the top left of the figure).   97
5.5.4 Illustration of the threat zone in front of the Rx. Depending on the Tx's location, the priority of the system can be at three levels: Emergency, PotentialThreat, InNotice.   100
5.6.1 Performance of this work in various conditions: a) ROC curve of false data detection; b) accuracy of the system with varying distance between Tx-Rx.   106
5.6.2 Performance of the system for different threshold values of α (a) and motion model probabilities (b) for the prediction according to the road shape (as illustrated in Fig. 5.5.3).   108
5.6.3 The estimation performance with two motion model selections (CV and IMM) in the prediction compared to the threshold for reporting the attack. The combination of UKF and IMM gives higher accuracy than that of UKF and CV.   109
5.6.4 A comparison of the average error of UKF and EKF in position/velocity/acceleration estimation.   110
5.6.5 Performance of this work in various conditions: a) accuracy of the system in various cases of fading interference (Rician factor κ = 10 and κ = 100); b) detection delay for multiple-vehicle verification, where the system can track hundreds of vehicles (although this is not common) with low latency, e.g., 200 ms.   112
5.6.6 A comparison of the performance of multi-array localization-based verification (MLV) [98] and our trajectory-based verification (TRV).   115
5.6.7 A comparison of the performance of multi-array localization-based verification (MLV) [98] and our trajectory-based verification (TRV) in the case of receiving from multiple vehicles.   116
A.1 The same usage of the uplink TEID in control data and uplink packets in the initial stage of 5G authentication reinforces our approach to verifying spoofing sources in 5G networks.   131
A.2 Channel beamspace in 5G with multipath interference present.   132


List of Tables
2.1.1 Security modes in IEEE 802.15.4   15
4.1.1 Overview of several surveys about non-spoofing DDoS attacks in recent years   43
4.1.2 Overview of several featured works on the collaborative DDoS defense approach in recent years and the position of our work   47
4.3.1 Performance evaluation of our DDoS defense proposal for mobile IoT devices   58
4.4.1 Overview of addressing security updates in the next-generation networks, e.g., SDN, and our research position   62
4.4.2 The hardware and tool requirements   67
4.4.3 Response time to update the detectors on the programmable switches in various scenarios   68
5.4.1 Notations used in this research   81
5.5.1 Tracking variable values of the system used for checking the consistency between the claimed value of a given message source and the estimate of the actual state of the vehicle (illustrated with location information)   99
5.5.2 Data fusion in our misbehavior detection   103


Acronyms
5G 5th generation of the networking technology. 1
ADAS Advanced Driver-Assistance Systems. 72
AMF Access and Mobility Management Function. 18
BSM Basic Safety Message. 9
CACC Cooperative Adaptive Cruise Control. 72
CCTV Closed Circuit Television. 3
DDoS Distributed denial-of-service. 8
DNS Domain Name System. 2
EDA Energy depletion attacks. 16
eMBB enhanced Mobile Broadband. 10
FOV Field of View. 99
GTP GPRS (General Packet Radio Service) Tunnelling Protocol. 49
GTP-C GPRS Tunnelling Protocol – Control. 49
GTP-U GPRS Tunnelling Protocol – User. 49
HD High-resolution Dynamic. 90
ICMP Internet Control Message Protocol. 42, 43
IDS Intrusion Detection System. 26
IMSI International Mobile Subscriber Identity. 49
IoT Internet of Things. 1
LADN Local Area Data Network. 18
LIDAR Light Detection and Ranging. 77
LOS Line-of-Sight. 9, 73, 76
LPW Low-power Wireless. 14
LTE Long-Term Evolution. 47
MEC Multi-access Edge Computing. 1, 6
MIMO Multiple-Input Multiple-Output. 18
MME Mobility Management Entity. 48
MSISDN Mobile Station International Subscriber Directory Number. 49
NFV Network Function Virtualization. 5
NIES Normalised Innovation Error Squared. 98
NLOS Non-Line-of-Sight. 9, 76
NRF Network Repository Function. 17
NSSF Network Slice Selection Function. 17
NTP Network Time Protocol. 43
OFDMA Orthogonal Frequency Division Multiple Access. 80
ONOS Open Network Operating System. 20
PCF Policy Control Function. 17
PDP Packet Data Protocol. 49
PEB Position Error Bound. 86
PGW Packet Data Network Gateway. 49
PISA Protocol-Independent Switch Architecture. 20
PKI Public Key Infrastructure. 29, 72
RAN Radio Access Network. 7
RSU Road-side Unit. 10
SDA Service-defined Architecture. 6
SDN Software-Defined Networking. 5
SECaaS Security as a Service. 21
SFC Service Function Chaining. 20
SGW Serving Gateway. 49
SMF Session Management Function. 18
TEID Tunnel Endpoint Identifier. 49
UDM Unified Data Management. 17, 18
UDP User Datagram Protocol. 42
UE User Equipment. 42
UKF Unscented Kalman Filter. 90
ULA Uniform Linear Array. 80
UPF User Plane Function. 18
uRLLC Ultra-Reliable Low-Latency Communication. 10
V2I Vehicle-to-Infrastructure. 4
V2V Vehicle-to-Vehicle. 4
V2X Vehicle-to-everything. 2
VLC Visible Light Communication. 77
WSMP WAVE Short Message Protocol. 27


Chapter 1
Introduction
The heterogeneous, distributed, and dynamically evolving nature of the Internet of Things
(IoT) introduces new and unexpected risks that cannot be solved by state-of-the-art security
solutions [1]. In this sense, protecting such a gigantic connected world is extremely hard
and potentially requires the joint efforts of many stakeholders as well as novel approaches.
This chapter serves as an introduction to the principles of the attacks, along with a broad
overview of existing defense approaches in this area. Moreover, through the lens of the 5th
generation of networking technology (5G) and emerging enabling technologies, we
highlight our contributions to solving the remaining challenges that are still under
scrutiny. Specifically, the motives are presented in Section 1.1. To clarify our position
on the research map and the genesis of our work, we give an overview of closely related
state-of-the-art attack and defense research in Section 1.2 and Section 1.3, respectively.
After that, we define the problems and research issues in Section 1.4. Subsequently,
Section 1.5 presents the goals of our work. Finally, a discussion of our contributions for
each addressed problem is given in Section 1.6.

1.1 Motivation
The improvement and evolution of technology potentially bring up both the opportunities
and challenges for the security field, particularly in the IoT era. Several enabling
technologies such as network slicing [2], service chaining [3], virtualization, and Multi-access
Edge Computing (MEC) [4] have created a tide of proposing novel security protection

1


approaches 1 , from the deployment placement to the defense model [5]. Unfortunately, the
approaches based on these emerging network models are still at the day-one. Besides, at
the same time, the advent of IoT also brings many significant risks and leaves the door for
the attacker to improve their evasion ability against the security system and exploit new
vulnerabilities. For example, by exploiting hundreds of thousands of IoT cameras, the
attacker launched one of the biggest DDoS attacks in history targeting systems operated
by Domain Name System (DNS) provider Dyn in 2016 [6]. With the availability of billions
of IoT devices, now launching such a powerful DDoS is no longer uncommon or out of
hand of smart attackers.
Also, a vital challenge is that the diversity of applications and interoperability

2

requirements for billions of connected devices in IoT are creating tremendous difficulties
for building a robust security protection model. The reasons are many. First, the massive
traffic and data types from IoT devices introduce new challenges not only in profiling
a well-represented pattern of a benign entity but also in optimizing the resources for
data processing of hundreds of thousands of connections per second. Second, due to the
cost, various IoT applications may have different interests of protection requirements,

including preventing the attacks in a timely fashion. For example, constrained IoT devices
may favor securing their networks with an acceptable delay, while Vehicle-to-everything
(V2X) requires that the security system comes with not only the highly accurate detection
ability but also timely processing. As a result, there may have heterogeneous security
configuration running on the networks and that means the weak network nodes, e.g.,
outdated devices3 , can accidentally be the doors for the attacker to hack into the network
infrastructure. Besides, in the connected world owned by hundreds of stakeholders, the
privacy leak-related issues also complicate the attempts to create such a robust security
system. These obstacles all contribute to motivating us to pursue a novel approach to
protect the network infrastructure against the attacks and threats, particularly address
for IoT.
Due to the broad scope of IoT security research, in this work, we primarily prefer to find
the answers that grouped into the following fundamental issues:
¹ These technologies are proposed with security enhancement in mind. For example, network slicing promises to isolate the network into multiple classes, each of which can be given a separate security treatment. This model helps considerably since, to enhance performance and save cost, future networks such as 5G may accommodate many tenants and applications.
² Different device types with various technologies and security protection levels connect to each other under the same network infrastructure.
³ E.g., devices mounted on street lights or buildings that are seldom or never updated with security patches.



1. Dealing with the existing security threats and attacks, an interesting question is “what kind of security attacks are IoT networks most vulnerable to so far?” Therefore, analyzing existing vulnerabilities and attack approaches, and then finding new variants of the attacks if any, is the first part of our core research.
2. Given a potential deployment of the enabling technologies, e.g., MEC and network slicing, what is the preferable security protection architecture, and where should it be placed to prevent/mitigate the featured attacks effectively? What are the significant changes in the design compared with the conventional models?
3. How to mitigate/prevent the existing attacks while still maintaining high efficiency, affordable cost, high readiness for potential deployment, and compatibility with next-generation networking technologies, e.g., 5G?
To address each issue, in the following section we first give an overview of the featured security attacks along with the state-of-the-art defense approaches, and then clarify our research position.

1.2 The featured security attacks on IoT

The security attacks on IoT are diverse, involving many types (e.g., network attacks) and coming from various sources (e.g., hardware/software). Fig. 1.2.1 gives an overview of prominent attacks in IoT. Unsurprisingly, most of the attacks on the list are also common in legacy networks, e.g., wired and IP-based networks [7]. This is possible because nowadays, due to cost, network providers still maintain various types of network infrastructure and technologies in parallel. Moreover, potentially insecure sources may be a significant number of Internet-connected devices that have not been updated for years, e.g., public CCTV cameras. The lack of strong cryptographic schemes in IoT devices in a heterogeneous network [8] also weakens the protection capabilities of the whole network and leaves the door open for new variants of the attacks.
While the attacks are diverse, owing to their interests and motivation, attackers tend to focus on several attractive targets, e.g., crucial servers or payment gateways. Therefore, several attacks listed in Fig. 1.2.1 may only appear in academic research. Motivated primarily by practical attacks, and without loss of generality, we address two typical types of attacks in this work. The first is DDoS attacks, which are among the most common in current network environments (IHS report, 2018 [9]) and are often rated among the top notorious threats in cybersecurity reports [10]. The second is false data dissemination attacks on vehicles in a platoon or on driverless cars [11], which may significantly impact the safety of human life in the coming years. These two attacks cover two different strategies by which an attacker can damage the featured IoT applications. For example, DDoS attacks can clog a network by flooding it with a large volume of redundant/meaningless traffic, thus threatening the availability of the relevant services or the working applications. The damage can be amplified and even interrupt part of the Internet on a large scale if the victim is a provider of core Internet functions, e.g., Dyn DNS services [6]. In contrast, in the near future, cars with drivers may be partly replaced by autonomous vehicles. This trend promises more safety and fuel savings. Such autonomous vehicles are expected to increasingly use wireless connectivity such as Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) for sharing data with nearby vehicles, or merely to improve coverage, particularly at intersections where a vehicle’s camera or radar is ineffective⁴. Here, an insider attacker intentionally exploits the sharing to disseminate false information to the surrounding receivers. Trusting the data, an automatic control system may be tricked into changing to a wrong lane, or accelerating unexpectedly, and then potentially lead to a crash.

⁴ The camera/LIDAR/radar can be disabled by a simple attack, e.g., using an LED/reflector, or may perform poorly under heavy fog [12].

[Figure 1.2.1 (tree diagram): IoT security attacks, divided into physical attacks, network attacks, software attacks, and encryption attacks. Attacks named in the diagram: node tampering, RF interference, malicious node injection, physical damage, sleep deprivation, jamming, traffic injection, RFID cloning, IP spoofing/DDoS, sinkhole attacks, routing attacks, Sybil attacks, malicious script, phishing attacks, virus/worm/Trojan/adware, DoS/DDoS attacks, social engineering, side channel attacks, cryptanalysis attacks, and man-in-the-middle.]
Figure 1.2.1: Overview of IoT attack types. Motivated primarily by practical attacks, and without loss of generality, we address two typical types of attacks in this work: (1) DDoS attacks in cellular networks; (2) false data dissemination attacks in V2X.

Note that, in practice, particularly in the current network environment, ransomware and phishing attacks are raging and may also be considered variants of the two attack types above. However, due to the difference in the defense architecture, we will not address⁵ such attacks in this dissertation.
In summary, given the many security attacks on IoT, we address two typical attacks on two typical targets in this work: network availability in mobile networks and data authenticity in autonomous driving/V2X. The details of the attacks and the assumptions will be clarified in the specific cases in later chapters.

1.3 The collaborative security defense approach

Recently, several attempts have been made to catch up with the trend of designing security protection architectures for large-scale interconnected networks such as IoT. Notably, ANASTACIA, SecurityIoT [14], [15] and 5G Ensure [16] of the huge H2020 project [1] have been leading the efforts. They aim to propose a trustworthy-by-design security framework that addresses self-protection, self-healing and self-configuration capabilities. They also aim to automate security protection decisions through the use of new enabling networking technologies such as Software-Defined Networking (SDN) and Network Function Virtualization (NFV). However, the projects are still under heavy development, and the lack of proposals for specific applications and attack cases is a visible shortcoming. Moreover, a collaboration architecture of multiple protection instances over distributed geographic areas has not yet been mentioned. On the other hand, the technical specification from 3GPP [11] reveals the first abstract of the 5G security architecture, including the novel authentication mechanisms; however, major parts of it do not address specific attacks either. In an effort to construct a comprehensive IoT system architecture with awareness of the enabling technologies, the authors of [17] provide an extensive survey on the topics. The outstanding contribution of that work is to clarify the benefit of using a software-oriented security architecture in cyber-physical systems and IoT, along with identifying the security challenges/attacks on the three layers of IoT networks (application layer, network layer, and perception layer). In another attempt, the authors of [18] present a comprehensive end-to-end security approach with the aim of integrating trust mechanisms
⁵ However, we still did work related to this problem during my Ph.D. studies. For more information, readers may check our solution in our published technical paper [13].
