23 Dec 2022


IoT Anomaly Detection Using Honeypots and Supervised Learning

Format: APA

Academic level: Master’s

Paper type: Dissertation

Words: 9272

Pages: 30


Abstract 

Smart Internet of Things (IoT) devices and systems are being adopted rapidly. Their use, however, raises security implications that require reliable detection systems. This paper addresses IoT security by designing an anomaly detection system based on a multipurpose honeypot and supervised learning. The system proactively detects IoT intrusions to assist in preventing future intrusions. The paper outlines the objectives of the design: developing an IoT honeypot that detects anomalous events using supervised learning, and assessing and determining the features and algorithms required for detecting anomalies. The developed system will be implemented in a controlled IoT ecosystem to test its parameters and identify areas for improvement. The methodology surveys the anomalous events involved in IoT attacks, designs the detection system, and deploys it to gather anomaly data. The extracted data will be analyzed for useful patterns to be used in machine learning to secure IoT devices, after which the system will be assessed and tested to determine its performance in an IoT setting. 

Chapter 1: Introduction 

Introduction 

The IoT has emerged as the next technological revolution because of inexpensive innovations such as sensors, the pervasiveness of the internet, and the miniaturization of devices (Kim et al., 2017). The technology has driven the development of smart homes, smart cities, smart health, and smart schools, among others, and supports interoperability between devices, people, and things (Galinina et al., 2017). These benefits come with security issues such as cyber-attacks and the threats that arise from device heterogeneity. IoT devices are especially vulnerable to being recruited into botnets, which malicious actors then use to launch DDoS attacks (Baloch et al., 2018). IoT environments also generate and transfer massive amounts of data between devices and people, which further widens the attack surface. Attacks and threats are also becoming increasingly sophisticated. 


It is, therefore, vital to find ways of detecting IoT anomalies from the data that IoT devices generate, in order to understand the forms and purposes of attacks. Triggers can then be placed in intrusion detection systems to detect suspicious events in real time. Honeypots combined with supervised learning are a promising technique for learning attack patterns and forms, helping to understand how malicious actors exploit vulnerabilities and how systems can be protected on the basis of the gathered data. 

Overview of IoT attacks 

There are various types of IoT attacks, but most target one of the three main security properties: confidentiality, integrity, and availability. Attacks on confidentiality aim at violating privacy. Notable examples include side-channel attacks and brute-force attacks (Sisodia, 2020). Side-channel attacks are commonly used, for example, to recover the keystrokes of a victim typing on a keyboard. Malicious actors can also use traffic analysis to leak sensitive data. Intruders can also establish covert channels that bypass security measures such as information-flow control systems, traffic monitors, and firewalls on IoT devices, and then route confidential data over those channels. Brute-force attacks normally target IoT devices with weak credentials such as default passwords. 

Attacks targeting integrity aim to defeat the protection against unauthorized data alteration. Voice-command injection and event spoofing are examples. Voice-command injection exploits IoT vulnerabilities that allow attackers to inject imperceptible, malicious voice commands into speech recognition applications such as Alexa, Google Now, and Siri. Event spoofing targets IoT networks: malicious actors craft and spread outwardly legitimate events that cause home devices to respond in specific ways to the attacker’s advantage. 

Attacks on availability aim to interfere with timely and consistent access to devices and data. Examples include selective forwarding, battery draining, and DDoS attacks. In a selective-forwarding attack, a compromised node forwards only a subset of the packets it receives and silently drops the rest, so the loss resembles ordinary packet loss and existing security measures struggle to detect it; attackers combine selective forwarding with sink-hole attacks, which draw traffic towards the compromised node, to increase the attack’s intensity. Battery-draining attacks target battery-powered IoT devices: intruders abuse routing protocols to keep devices busy until their energy is depleted, which can disable a network permanently. DDoS attacks against IoT devices are the most prevalent threat. They occur when attackers use large botnets to launch widespread, coordinated attacks against targets in a large area such as a city or country, and they have the potential to disrupt critical infrastructure such as the power grid or large parts of the internet. 

IoT botnet attacks have been the most rampant. For instance, in 2016 the Mirai botnet launched a massive DDoS attack that took down a large part of the internet in the eastern United States (Statt, 2016). The attack targeted Dyn, a DNS provider, and knocked firms such as Twitter, SoundCloud, Reddit, CNN, Netflix, the Guardian, and Spotify off the internet. The attackers exploited weaknesses in IoT devices: the botnet enslaved devices such as internet routers, DVRs, and security cameras by infecting them with malware, creating a digital army that was used to launch massive DDoS attacks. Once Mirai infected a device, the malware scanned the internet for other vulnerable IoT devices, logged in with known default credentials, and infected them too. 

Another malware attack, based on a Lemon_Duck PowerShell variant, targeted Windows 7-based IoT devices at several global manufacturing plants (TrapX Labs, 2020). The self-spreading downloader ran a malicious script against devices ranging from automated guided vehicles and smart TVs to smart printers at specific plants; once infected, a device malfunctions. The malware scans a network for devices with open MSSQL (TCP 1433) or SMB (TCP 445) services, runs several threads with different functions, and brute-forces the services with a credential list to gain access and spread through them. It also runs Invoke-Mimikatz via Import-Module to obtain NTLM hashes, which it uses to gain access and spread over SMB. If the NTLM hashes and brute-forcing both fail, the malware uses the EternalBlue SMB exploit to access a system and installs itself as a service on the targeted device. 
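As an added example, not taken from TrapX Labs or from this paper, the following Python detector applies the two behaviors just described to a constructed connection log: a single source touching many distinct hosts on TCP 445 or 1433 within a short window, and repeated authentication failures against one service. The log layout, thresholds and IP addresses are assumptions made for illustration.

```python
"""Detecting Lemon_Duck-style lateral movement in connection logs (added example).

Two behaviors are flagged: a source that touches many distinct hosts on SMB
(TCP 445) or MSSQL (TCP 1433) inside a short window, and a source that fails
authentication repeatedly against one service.  Log layout, thresholds and
addresses are illustrative assumptions."""
from collections import defaultdict

LATERAL_PORTS = {445, 1433}
FANOUT_THRESHOLD = 5    # distinct hosts per window before we call it a scan (assumed)
BRUTE_THRESHOLD = 5     # failed auths to one host:port per window (assumed)
WINDOW_S = 60

# Constructed sample log, one "epoch src dst dport outcome" record per line.
# 10.0.5.7 is a workstation talking to its file server; 10.0.5.20 is the infected host.
SAMPLE_LOG = """\
1700000000 10.0.5.7 10.0.5.8 445 auth_ok
1700000010 10.0.5.20 10.0.5.21 445 open
1700000011 10.0.5.20 10.0.5.22 445 closed
1700000012 10.0.5.20 10.0.5.23 445 closed
1700000013 10.0.5.20 10.0.5.24 445 open
1700000014 10.0.5.20 10.0.5.25 1433 open
1700000015 10.0.5.20 10.0.5.26 445 open
1700000020 10.0.5.20 10.0.5.25 1433 auth_fail
1700000021 10.0.5.20 10.0.5.25 1433 auth_fail
1700000022 10.0.5.20 10.0.5.25 1433 auth_fail
1700000023 10.0.5.20 10.0.5.25 1433 auth_fail
1700000024 10.0.5.20 10.0.5.25 1433 auth_fail
1700000025 10.0.5.20 10.0.5.25 1433 auth_ok
1700000030 10.0.5.7 10.0.5.8 445 auth_ok
"""


def parse(line):
    ts, src, dst, port, outcome = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "outcome": outcome}


def detect(lines, window=WINDOW_S):
    """Return one alert per (behavior, offender); later hits on the same pair are suppressed."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    fanout = defaultdict(list)   # src -> [(ts, dst)] for connections on lateral ports
    fails = defaultdict(list)    # (src, dst, port) -> [ts] of authentication failures
    alerted, alerts = set(), []
    for e in events:
        if e["port"] in LATERAL_PORTS:
            recent = [(t, d) for t, d in fanout[e["src"]] if e["ts"] - t <= window]
            recent.append((e["ts"], e["dst"]))
            fanout[e["src"]] = recent
            hosts = {d for _, d in recent}
            if len(hosts) >= FANOUT_THRESHOLD and ("scan", e["src"]) not in alerted:
                alerted.add(("scan", e["src"]))
                alerts.append({"type": "lateral_scan", "src": e["src"],
                               "hosts": len(hosts), "ts": e["ts"]})
        if e["outcome"] == "auth_fail":
            key = (e["src"], e["dst"], e["port"])
            fails[key] = [t for t in fails[key] if e["ts"] - t <= window] + [e["ts"]]
            if len(fails[key]) >= BRUTE_THRESHOLD and ("brute", key) not in alerted:
                alerted.add(("brute", key))
                alerts.append({"type": "brute_force", "src": e["src"], "dst": e["dst"],
                               "port": e["port"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The workstation that repeatedly reaches one file server never trips either rule, which is the point of counting distinct destinations rather than connection volume; the thresholds should be tuned against a baseline of the plant network before the rules are used for alerting.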

Hackers have also been discovered hijacking smart access control systems to launch DDoS attacks (Cimpanu, 2020). Such systems are typically used in industrial parks, factories, and corporate headquarters to control access to rooms and doors on the basis of user credentials or smart cards. The malicious actors first scan the internet for exposed systems and then remotely exploit an unpatched command injection vulnerability. They take over the systems, install malware, and use them as a base for launching DDoS attacks. These examples of IoT attacks demonstrate the importance of early detection. 

Background 

Even though IoT technology is crucial today because of its importance in real-life applications such as smart health care, smart systems, and smart cities, its ubiquity and widespread nature introduce new security issues. Many IoT devices also lack the energy and storage resources to implement advanced security measures. The potential for IoT attacks is, therefore, high (Kolias et al., 2017). Users are often unaware of the importance of implementing adequate security measures when using connected devices. Ignoring IoT security issues can have harmful effects and increase the vulnerability of the IoT system to threats and attacks. Cyber incidents have been increasing and attackers have become more sophisticated. 

The IoT is more susceptible to these threats than conventional computing because the interdependence and connectedness of the IoT network expose it to new attack points (Al-Garadi et al., 2020). Consequently, it is crucial to examine and hinder attacks in real time to stay ahead of malicious actors and secure IoT devices. The IoT also requires new security techniques to detect and prevent intrusions and other malicious activity against the system. Anomaly detection systems can address these security challenges (Moustafa et al., 2018). Such systems examine attack patterns and the modus operandi of malicious actors to learn new ways of protecting the IoT against future attacks. Analyzing the behavior and mode of operation of attacks is beneficial because it leads to customized solutions for potential attacks. The current paper proposes an IoT anomaly detection system that combines a honeypot with machine learning to examine irregularities and patterns in the generated data. 

Problem Definition 

Generally, the increasing adoption of IoT ecosystems, in terms of both sensor systems and devices, poses security challenges. The main challenge is identifying the vulnerable points, attacks, and threats, as this requires a deeper examination to understand how these events arise and to implement solutions. Malicious actors have become more sophisticated and have developed ways to target IoT devices successfully without being detected. The devices, however, are so intertwined with people’s lives through smart systems that it is difficult simply to switch them off. It is, therefore, vital to emphasize the security and privacy of the IoT, because intruders can manipulate the systems remotely and cause harm or jeopardize users’ safety. The present paper contributes to solving IoT security challenges with techniques that can detect threats in IoT settings and learn the objectives or patterns of those threats. The suggested system uses honeypots with machine learning to improve the accuracy of anomaly detection. 

Research Objectives 

The paper aims to identify a suitable technique for detecting anomalous IoT events by developing a multipurpose IoT honeypot attack detection system. Supervised learning will be used to enhance the accuracy of the system. The results of the study will contribute to the field of IoT intrusion detection. The main objectives of the paper are to: 

Develop a honeypot for IoT to detect IoT anomaly events. 

Deploy the honeypot to gather data on anomaly events and attacks. 

Assess and determine the best set of features and classification algorithms required for detecting anomalies. 

Examine the gathered data to extract patterns that can be used in machine learning to protect IoT devices. 

The core objective of the paper is to design an IoT anomaly detection system using a multipurpose IoT honeypot that captures threat patterns, and then to evaluate the extracted data for its suitability for intrusion detection. 

Research Significance 

The current paper proposes a technique for detecting IoT anomalies by developing an anomaly detection system based on honeypots with supervised learning in an IoT setting. The system will be used to examine the data generated by the honeypots to determine attacker behavior. The contributions of the project are: 

Using honeypots with supervised learning to enhance IoT anomaly detection. In the IoT, honeypots offer a safe way of analyzing and understanding attackers, and supervised learning increases the accuracy of the detection system. 

Implementing anomaly detection to identify and group threats and enable instantaneous, autonomous detection. 

Analyzing and understanding threats in a real IoT system, examining how attackers behave in a simulated setting, and gaining knowledge from the identified behaviors. 

Research Limitations 

Several limitations must be highlighted. First, validation of the suggested system will pose challenges because there is no standard mechanism for validating the technique involved. Furthermore, the system will be assessed using a synthesized dataset and deals with a specific anomaly problem, so the results may not transfer to real data or to settings where other kinds of anomalies exist. An effective anomaly detection system must incorporate both existing and new types of threats so that the supervised learning (SL) algorithms can adapt to the different types of threats. It would be very challenging to design an anomaly detection system that addresses at least the key aspects of an effective intrusion detection system, can be deployed in the real world, is scalable, operates effectively on actual data, and meets the requirements of all stakeholders. It would also be challenging to produce evidence of the accuracy and comprehensiveness of the proposed system. In turn, this makes it difficult to develop a broad system that is accurate, scalable, robust, and effective against all kinds of anomalies. 

Roadmap 

There are several steps in this paper. First, the paper performs a literature survey to understand the existing IoT environment, its vulnerabilities, the IoT architecture, and the protocols and technologies involved. The survey also explores honeypots and their operation, machine learning including supervised learning, the anomalous activities seen in IoT attacks, and existing anomaly detection systems. The paper then designs a model to understand how honeypots work before the experimentation stage. The experiment is developed and implemented as a simulation to collect the required data in a simulated anomaly situation, and the data is analyzed to identify attack behaviors. The paper achieves its objectives by developing an IoT anomaly detection system, implementing it, and evaluating it through a simulation. 

The paper is organized as follows: chapter one offers the basis of the paper by defining its aims and objectives; chapter two covers the literature review, offering an understanding of the IoT, threats, honeypots, supervised learning, and anomaly detection. Chapter three illustrates the proposed system for detecting threats in the IoT ecosystem, while chapter four presents the system and its outcomes. Chapter five discusses the outcomes, their significance, and their application. The last chapter summarizes and concludes the paper. 

Summary 

The widespread adoption of the IoT by homes, companies, and individuals poses complex security issues. Chapter one has established the basis of the proposed project by giving examples of IoT attacks, background information about the topic, the problem definition, research objectives, research significance, and the limitations of the research. The chapter also set out the contributions of the paper to the wider field of intrusion detection in the IoT and the layout of the paper. 

Chapter 2: Literature Review 

Numerous research works have explored IoT anomaly detection. These studies have offered contributions towards securing IoT devices against intrusion and attacks by proposing different kinds of anomaly detection systems, examining vulnerabilities in the IoT setting in depth and suggesting security enhancements, or investigating existing techniques such as honeypots and machine learning and their application to securing IoT devices. It is important to examine the basis of the existing security challenges in the IoT field. This chapter, therefore, provides background by examining the existing literature on the IoT, honeypots, machine learning, and anomaly detection. The objective is to gain a deeper understanding of IoT security issues to inform the development of an effective security measure. 

Internet of Things (IoT) and the Involved Challenges 

The widespread adoption of the IoT across the world in areas such as city automation, industrial automation, and home automation has led to the emergence of numerous devices, sensors, communication protocols, standards, and technologies. Various sectors, including commerce, education, energy, agriculture, and security, have applied IoT technology. The IoT ecosystem consists of diverse appliances and devices that can sense their surroundings, process data, and share the data through internal networks or the internet (Ali et al., 2019). The system gives simple devices and sensors the computing ability to make intelligent decisions and the communication ability to share information. The IoT also supports remote interaction between devices and sensors (Ali et al., 2019). A typical IoT setting is shown below (Figure 1). 

Figure 1: A typical IoT environment

Source: https://www.javatpoint.com/iot-ecosystem 

The major components of the IoT architecture are physical things, communication networks, and computing devices. The architecture requires a layered and versatile design to connect billions of varied appliances. The currently dominant architectures include a four-layer model consisting of the application layer, the support layer, the network layer, and the perceptual layer (Burhan et al., 2018). These are the functional layers that gather, transmit, and process information in the IoT (Figure 2). 

Figure 2: IoT architecture with different layers

Source: (Burhan et al., 2018) 

The application layer presents actual services to users, for example smart living, smart transport, and smart city applications, web pages, and screens (Woungang et al., 2020). The support layer is a cloud computing platform that connects the application and network components. It manages the transmission type, transmission quality, and destination ports, and ensures that sensed data is routed to the right location in the application layer for handling (Burhan et al., 2018). The network layer uses diverse communication protocols to transmit data between appliances; it transports data from sensor devices and gateways over the internet to the cloud. The major protocols supported for transmission include 6LoWPAN, IPv6, and IPv4 (Woungang et al., 2020). The perceptual layer, or device layer, collects data from the physical world and converts it into electronic data using GPS, RFID, sensors, transducers, cameras, and thermostats, among others (Ali et al., 2019). This layer contains numerous IoT devices, including sensors and electricity meters. Other components in this layer are gateways, which collect and receive sensor information within a specified range. They also process data from sensors, translate sensor protocols, and direct sensor data outward or inward (Woungang et al., 2020). Gateways are critical components in the IoT because they interact with many sensors that have different capacities and roles and are manufactured by different companies. 

Sensors in the IoT must detect different inputs such as fire, people, noise, humidity, temperature, and light, and must be able to exchange the acquired information with gateways over various communication protocols (Burhan et al., 2018). Control and communication in the IoT ecosystem can easily break down if gateways fail to understand incoming data from sensing devices that use dissimilar communication protocols. Some sensors also act autonomously or receive instructions from other devices according to specified behaviors. Sensor devices, therefore, may be required to generate extra information before transmitting it to the specified devices to complete physical activities. 

The data may require gateways to connect to external entities such as the cloud to obtain additional data, which increases the importance of the gateway at the perceptual layer of the IoT architecture. In turn, this requires fault tolerance and protection to prevent gateways from becoming a single point of failure (Woungang et al., 2020). Two further suggested layers are management capabilities and security capabilities, which interact with the functionality of the four main layers. In the IoT network, management capabilities include the tools for remotely monitoring and controlling devices or objects. 

The protocols used for remote control include VPNs and SSH. They are used to reach distant devices and objects and to perform management tasks such as configuration, patching, updates, and firmware upgrades (Fortino & Trunfio, 2016). Other components of management capabilities are asset management and the attributes of an object in the network used for identification. Examples of object attributes are capabilities, required protocols, purchase date, ID, and manufacture date (Fortino & Trunfio, 2016). Security capabilities are the measures and tools implemented to protect sensors and the generated data in transit. Measures can be physical or logical. Physical measures include devices such as CCTV cameras. Logical measures include encryption, identity management, and access control, which prevent data and devices from being modified or accessed illegally (Fortino & Trunfio, 2016). The main protocols that support communication between IoT devices over short ranges of around 10 meters include Zigbee, Ultra-Wideband, Bluetooth, and Wi-Fi (Burhan et al., 2018). For longer distances, such as 100 meters, some devices use WLAN protocols. 

Three unique features define the IoT: ubiquitous sensing, a network of networks, and intelligent processing (Abouzaid et al., 2020). The IoT extends the ability of devices to sense the cyber and physical world beyond what people can sense. The density and diversity of sensors unify the cyber and physical layers by bridging the gap between people and machines and so help in solving global issues. The IoT also spans diverse network types, including IP, WCDMA, CDMA, and GSM networks. Additionally, IoT devices have the intelligence to process large volumes of sensor data rapidly, which frees the time people would spend processing such data and allows them to focus on other tasks. As the literature shows, the IoT network consists of diverse devices, network protocols, and communication protocols. The data generated by this system is large and must be protected from illegal use. Security of the system is, therefore, crucial to the continued usefulness of IoT technology. 

Honeypots 

A honeypot is a decoy system that mimics a production system in order to lure potential intruders seeking illegal access to information systems (Mohammed & Rehman, 2016). Honeypots run on dedicated hardware or as software, with deliberately implemented entry points and vulnerabilities. The honeypot is disguised to appear to contain valuable data or access that attackers could use to reach a network or another system. In reality, it exists only to attract attackers and log all of their actions (Dagar & Popli, 2018). The logged data can then be examined later to improve the safety of the real systems and hinder future attacks. 

Honeypots are classified as low-interaction, medium-interaction, or high-interaction, and as production or research honeypots (Mohammed & Rehman, 2016). Low-interaction honeypots consist of emulated services that limit the extent to which an attacker can interact with the system; honeyd is an example (Dagar & Popli, 2018). High-interaction honeypots are fully fledged operating systems that use real systems to maximize intruder involvement. The main drawback of low-interaction honeypots is that attackers can detect them easily because of their simplicity (Dagar & Popli, 2018). The major disadvantages of high-interaction honeypots are their complexity, the need for extended deployment and maintenance, and the greater risk during deployment (Mohammed & Rehman, 2016). Researchers usually apply data-control processes to these honeypots to prevent their abuse, using techniques such as rootkit software or full-system emulators (Dagar & Popli, 2018). Medium-interaction honeypots were introduced to address the issues found in low- and high-interaction honeypots. They allow the concerned parties to analyze and understand attacker behavior without the extra risk and extended setup of a high-interaction honeypot (Dagar & Popli, 2018), while allowing attackers more interaction than a low-interaction honeypot but with fewer functions and options than a high-interaction one (Dagar & Popli, 2018). A medium-interaction honeypot thus combines the benefits of the two approaches, offering a high level of interaction while remaining less complex to deploy and maintain. Production honeypots focus on actively protecting real operating environments in organizations; they are deployed alongside live systems and operate 24/7 (Mohammed & Rehman, 2016). Their benefits are their ability to detect intrusions and to work well with implemented security approaches. Research honeypots allow scientists to investigate threats and patterns for educational purposes. 

IoT Honeypots 

Different honeypot models support the creation of numerous IoT honeypots. Honeyd, Honeyhive, IoTCandyJar, and HoneyIo4 are low-interaction IoT honeypots, while HoneyLab, IoTPOT with IoTBOX, MazeRunner, SIPHON, and the multi-purpose IoT honeypot are high-interaction IoT honeypots. ThingPot and Conpot are medium-interaction IoT honeypots (Nawrocki et al., 2016). Conpot focuses on creating ICS honeypots (Nawrocki et al., 2016). It offers a set of ICS network protocols and shapes its reactions to mimic the response times of real systems (Nawrocki et al., 2016). The Honeyd model emulates web services for IoT devices to create interactive and realistic web-based honeypots: as it reacts to HTTP requests, it generates web pages by mimicking the HTML content of the web traffic of real devices. 

Honeyhive automatically generates signatures from malicious network traffic identified by Honeyd. It connects to Honeyd to track network connections, filters scan traffic out of the received traffic, and uses a longest-common-substring algorithm to produce signatures, which it then formats for network intrusion detection systems. IoTCandyJar uses machine learning to replicate the activity of IoT devices and create honeypots that are presented to intruders as real devices. Its major drawback is that it cannot produce precise responses to attacks without relaying those attacks to real IoT devices. HoneyLab is a distributed model for deploying and sharing honeypots between researchers in the cyber-security domain. It addresses issues such as limited IP address space, flexibility of device deployment, and infrastructure fragmentation, and works in a virtualized setting to contain attacks and increase the interaction level. Its drawbacks are that it does not support Ethernet, since it only handles IP traffic, and that all traffic must be directed through its central device, which may be overwhelming and blocks reverse connections. Attackers can also recognize the honeypot easily, given that intruders in the internal network can see that all traffic is forwarded to HoneyLab. 

SIPHON, a scalable, high-interaction physical honeypot model, is a distributed honeynet. It uses IP addresses from across the world, interconnected with other honeynets through SSH tunnels, which allows it to present vulnerable devices to attackers. It supports high interaction levels and documentation of attack patterns. HoneyIo4 consists of four Python scripts that return the responses that Nmap’s fingerprint database expects from particular IoT devices. It also has a web-based GUI for starting or stopping each honeypot by running the related Python script. HoneyIo4 is, however, less advanced than honeypots such as Honeyd. 

IoTPOT and IoTBOX comprise a frontend Telnet service and a backend sandbox. The Telnet frontend adapts its responses to match the IoT devices that intruders target, based on the initial Telnet requests, and logs the traffic including login IDs and attempts. It answers known attack commands from its store of canned responses but forwards unknown commands to the sandbox for storage and future reference. IoTBOX operates in a controlled setting with regular image resets so that downloaded malware does not accumulate. The sandbox emulates eight different CPU architectures running OpenWrt, which allows it to run malware built for specific CPUs and to analyze it in depth through CPU emulation. The main drawback of IoTPOT is that it is unclear how it determines the correct response that an attacker expects from a specific IoT device. Moreover, attackers with a scanning tool that records device fingerprints can easily notice that a single IP address reacts like several different devices and suspect a honeypot. ThingPot has frontend and backend services; it simulates XMPP, MQTT, and HTTP REST traffic and runs in a virtualized setting with Docker. MazeRunner uses a honeycomb model to support the rapid creation of honeypots, the addition of services, and configuration changes through a GUI. The model manages all created honeypots and offers real-time interaction alerts. 

The multi-purpose IoT honeypot is a high-interaction honeypot developed to cover four protocols commonly found on IoT devices: CPE WAN Management Protocol (CWMP), HTTP, Telnet, and Secure Shell (SSH). It places a frontend proxy, implemented as a Python script, in front of each protocol. The script logs information about anomalous events before forwarding the traffic to the backend, which consists of two Docker containers running the services (Nawrocki et al., 2016). Even though the multi-purpose IoT honeypot runs common services, its responses are not tailored to mislead the Nmap scans that attackers perform. Additionally, attackers often realize on connecting to a service that the honeypot is not an IoT device linked to any real network. 
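The IoTPOT Telnet frontend and the multi-purpose honeypot’s per-protocol proxy both follow the same pattern: present a plausible login, log every credential and command, answer known commands from a canned table, and hand anything unknown to a backend. The following Python sketch is an added example of that pattern; it is not the code of any honeypot cited here, and the banner, the weak-credential list and the canned replies are assumptions. The session logic is a pure state machine so it can be exercised without a network, and run_server() wraps it in a threaded TCP listener.

```python
"""Low-interaction IoT Telnet honeypot front end (added example, not the code of
any honeypot cited above).  The session logic is a pure state machine so it can
be exercised without sockets; run_server() wraps it in a threaded TCP listener.
Banner, credential list and canned replies are illustrative assumptions."""
import json
import socketserver
import time

BANNER = "\r\nIPCam login: "                    # assumed device banner
# Assumed weak defaults of the kind botnet dictionaries try; anything else is rejected.
WEAK_CREDENTIALS = {("root", "root"), ("admin", "admin"), ("root", "12345"), ("admin", "1234")}
# Assumed canned replies for commands attackers use to fingerprint a device.
KNOWN_COMMANDS = {
    "uname -a": "Linux ipcam 3.10.33 #1 SMP PREEMPT armv7l GNU/Linux",
    "cat /proc/cpuinfo": "Processor\t: ARMv7 Processor rev 5 (v7l)",
    "busybox": "BusyBox v1.22.1 multi-call binary.",
    "enable": "", "system": "", "shell": "", "sh": "",
}


class TelnetSession:
    """One attacker session: login -> password -> shell, every step logged as an event."""

    def __init__(self, peer, clock=time.time):
        self.peer, self.clock = peer, clock
        self.state, self.user = "login", None
        self.events = []

    def _log(self, kind, **fields):
        self.events.append({"ts": self.clock(), "peer": self.peer, "event": kind, **fields})

    def feed(self, line):
        """Consume one line from the attacker and return the reply to send."""
        line = line.rstrip("\r\n")
        if self.state == "login":
            self.user, self.state = line, "password"
            return "Password: "
        if self.state == "password":
            ok = (self.user, line) in WEAK_CREDENTIALS
            self._log("login", user=self.user, password=line, success=ok)
            self.state = "shell" if ok else "login"
            return "\r\n# " if ok else "\r\nLogin incorrect" + BANNER
        cmd = line.strip()                      # shell state
        if cmd in ("exit", "quit"):
            self.state = "closed"
            return ""
        if not cmd:
            return "# "
        if cmd in KNOWN_COMMANDS:
            self._log("command", cmd=cmd, known=True)
            return KNOWN_COMMANDS[cmd] + "\r\n# "
        # Unknown command: record it for a sandbox (IoTPOT-style) rather than guess a reply.
        self._log("command", cmd=cmd, known=False, sandbox=True)
        return f"sh: {cmd.split()[0]}: not found\r\n# "


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = TelnetSession(self.client_address[0])
        self.wfile.write(BANNER.encode())
        for raw in self.rfile:                  # Telnet IAC option negotiation is not handled here
            self.wfile.write(session.feed(raw.decode("latin-1")).encode())
            if session.state == "closed":
                break
        for event in session.events:            # one JSON line per event for later labelling
            print(json.dumps(event), flush=True)


def run_server(host="0.0.0.0", port=2323):
    """Listen on an unprivileged port; redirect TCP/23 to it with a firewall rule."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), _Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    run_server()
```

Each session leaves one JSON line per login attempt or command, which is the raw material the later supervised-learning stage labels and learns from. A production deployment should also handle Telnet option negotiation, rate-limit clients, and place the listener in an isolated network segment so that the honeypot cannot be turned against the rest of the testbed.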

The honeypot field has developed significantly and new types of honeypots are introduced regularly. Honeypots are useful in internet security and their extensive use demonstrates their growing importance. IoT honeypots are also vital because of their usefulness in detecting IoT attacks. The variety of IoT honeypots also demonstrates that researchers are continuously introducing new ways of securing the IoT against attacks. 

Supervised Learning 

Researchers today use machine learning (ML) to optimize performance on the basis of experience or example data. They use ML algorithms to build behavior models with mathematical methods applied to large data sets (Shalev-Shwartz & Ben-David, 2014). ML gives smart devices the ability to learn without being programmed for a specific task, and ML models use input data to make predictions (Al-Garadi et al., 2020). Scientists use ML in dangerous situations, such as navigating hostile places where human expertise cannot be applied, or in contexts where human expertise is insufficient, such as speech recognition and robotics. The models also operate where the solution to a problem changes regularly, such as computer network routing or searching for a malicious program in an application (Shalev-Shwartz & Ben-David, 2014). IoT systems also use ML models to examine threats against software and to find and eliminate malware on infected systems. 

Although ML models are effective in numerous domains, false positives and false negatives may emerge (Al-Garadi et al., 2020). In an anomaly detector, a false positive raises an alert on benign activity, while a false negative lets an attack pass unnoticed, so model adjustment and guidance may be required when the models produce inaccurate results. While the IoT still uses traditional approaches for diverse needs such as analytics and security, its massive deployment requires reliable, robust, and intelligent methods. Consequently, ML is a favorable approach for IoT networks because of the large volume of data generated by IoT devices. ML models can use this data to support intelligence. Besides, ML models are well suited to exploiting IoT-generated data so that devices can reach fast and informed decisions. 

The major applications of ML include malware analysis and the detection of attacks and of privacy and security issues (Al-Garadi et al., 2020). Practical examples include detection of DDoS attacks based on behavior analysis, identification of malicious code in software and applications, handwritten character recognition, and face recognition in forensics (Al-Garadi et al., 2020). New challenges, however, emerge regarding the use of ML models in IoT. For instance, it is difficult to design appropriate models to process information from different IoT applications and devices. Besides, it is burdensome to label input data effectively, and learning from a minimum of labeled data also presents challenges. Moreover, deploying ML models to the IoT is challenging on devices with low storage and computing power (Yao et al., 2018). While learning is crucial in ML, it is not the objective; ML mainly focuses on producing systems that detect meaningful patterns in data accurately and automatically (Shalev-Shwartz & Ben-David, 2014). Within ML, supervised learning (SL) is the branch that uses labeled data. 

In SL, the model acquires labeled data from the system to build a knowledge foundation, which it then uses to classify unlabeled data in the future. The data must first be annotated with meaningful tags, classes, or labels before an SL model can learn. SL thus defines specific target outputs as arising from specific input sets. Labeled data is harder to obtain than unlabeled data, because labeling requires humans to judge each sample and assign classes, labels, or tags (Shalev-Shwartz & Ben-David, 2014). SL attempts to derive rules from the presented datasets, define the classes, and automatically predict which class a new element belongs to. SL models learn to map inputs to the anticipated outputs, using regression for continuous outputs and classification for discrete outputs (Al-Garadi et al., 2020). Classification predicts a discrete class label for each sample, while regression predicts a continuous numeric value. In IoT, SL is used for problems such as localization, security, adaptive filtering, channel estimation, and spectrum sensing. 

Techniques used in SL include K-Nearest Neighbor (KNN), Decision Trees and Random Forests, Support Vector Machines (SVM), and Recurrent Neural Networks. Others include polynomial regression, Naïve Bayes, linear regression, and logistic regression (Shalev-Shwartz & Ben-David, 2014). SVM uses kernel functions to separate the points of two classes by modeling non-linear decision boundaries. The technique is suitable where classes with a large number of features must be separated using relatively few training samples (Al-Garadi et al., 2020). SVM can be used for anomaly detection where samples must be categorized as normal or abnormal. The algorithm is scalable, simple, and can perform tasks such as real-time anomaly detection. It, however, requires more memory, and finding an appropriate kernel is difficult. The technique also scales poorly to very large datasets (Shalev-Shwartz & Ben-David, 2014). Researchers sometimes favor random forests over SVM because of these drawbacks. A random forest is an ensemble of decision trees, each trained on a random subset of the samples and features, and its combined vote is robust to the noise found in real-world data. 

The algorithm can also be easily implemented and adapted to the volume of the existing data set. Even though it takes longer to train than naïve Bayes and SVM, the technique offers higher accuracy and generates predictions quickly (Al-Garadi et al., 2020). Each decision tree in the forest is a graph whose branches represent decisions and whose leaves represent classes. Using a top-down approach to classify events, the algorithm walks the tree from the root until it reaches a leaf that assigns a class (Shalev-Shwartz & Ben-David, 2014). Researchers also use Naïve Bayes to model real-world problems such as spam detection and text classification. Logistic regression models the probability of class membership as a function of the input features, while nearest-neighbor methods search for the most similar training samples to predict each new event (Shalev-Shwartz & Ben-David, 2014). Nearest-neighbor algorithms, nevertheless, are unsuitable for high-dimensional data and consume more memory because they keep the whole training set. 
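To make the labeled-data workflow above concrete, here is a Gaussian naïve Bayes classifier written from scratch and scored with the confusion counts an anomaly detector needs (false positives and false negatives, not just accuracy). This is an added example, not code from the dissertation; the feature vectors (mean inter-packet interval, distinct endpoints, failed logins per minute) and their labels are constructed, and the last test sample is a deliberately slow attacker placed far from every anomalous training sample to show how a missed detection shows up in the metrics.

```python
"""Gaussian naive Bayes written from scratch (no scikit-learn), evaluated with
the confusion matrix an anomaly detector needs. All feature vectors and labels
below are constructed for this example."""
import math
from collections import defaultdict

# Constructed labelled samples: (mean inter-packet interval in seconds,
# distinct destination endpoints, failed logins per minute) -> label,
# where 0 = benign device and 1 = anomalous (bot-like) device.
TRAIN = [
    ((5.1, 12, 0), 0), ((4.7, 9, 1), 0), ((6.3, 15, 0), 0),
    ((5.5, 11, 0), 0), ((4.9, 14, 1), 0), ((6.0, 10, 0), 0),
    ((0.10, 1, 30), 1), ((0.12, 2, 25), 1), ((0.09, 1, 40), 1),
    ((0.11, 1, 35), 1), ((0.15, 2, 28), 1), ((0.08, 1, 33), 1),
]
# Held-out samples; the last one is a slow, low-volume attacker whose
# features sit far from every anomalous training sample.
TEST = [
    ((5.3, 13, 0), 0), ((4.8, 10, 1), 0),
    ((0.10, 1, 29), 1), ((0.13, 2, 31), 1),
    ((0.5, 3, 5), 1),
]


def fit(samples):
    """Per-class log prior plus per-feature (mean, sample variance)."""
    by_class = defaultdict(list)
    for x, y in samples:
        by_class[y].append(x)
    model = {}
    for label, rows in by_class.items():
        n = len(rows)
        stats = []
        for j in range(len(rows[0])):
            col = [r[j] for r in rows]
            mean = sum(col) / n
            var = sum((v - mean) ** 2 for v in col) / (n - 1) if n > 1 else 0.0
            stats.append((mean, var + 1e-9))   # epsilon guards a zero-variance feature
        model[label] = (math.log(n / len(samples)), stats)
    return model


def log_gaussian(x, mean, var):
    """Log density of N(mean, var) at x; logs avoid underflow when multiplying."""
    return -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)


def predict(model, x):
    """Class with the largest log prior + summed per-feature log likelihood."""
    best, best_score = None, -math.inf
    for label, (log_prior, stats) in model.items():
        score = log_prior + sum(log_gaussian(v, m, s) for v, (m, s) in zip(x, stats))
        if score > best_score:
            best, best_score = label, score
    return best


def evaluate(model, samples):
    """Confusion counts plus precision, recall and false positive rate."""
    tp = fp = fn = tn = 0
    for x, y in samples:
        p = predict(model, x)
        if y == 1:
            tp += p == 1
            fn += p != 1
        else:
            fp += p == 1
            tn += p != 1
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    trained = fit(TRAIN)
    print(evaluate(trained, TEST))
```

On this data the classifier separates the flood-style bots cleanly but labels the slow attacker benign, so recall drops to two thirds while precision stays at one. That is the failure mode a detector trained only on loud attacks has, and it is why the features and the labeled corpus matter as much as the algorithm.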

The application of ML in IoT faces several limitations. For instance, the IoT supports diverse devices with variable computation rates, generates large volumes of data, and is characterized by uncertainty. Traditional ML algorithms are ineffective and lack the scalability to deal with IoT data without significant modification (Qiu et al., 2016). It is also challenging to address the uncertainties in IoT data. Other limitations include processing energy and power, and data analytics and management. ML algorithms pose challenges of sample, computational, and memory complexity (Qiu et al., 2016). Besides, traditional ML techniques are restricted to low-dimensional problems. Additionally, IoT devices are small and have low computation power (Yao et al., 2018), so applying ML algorithms directly on these devices is inappropriate. Moreover, smart IoT devices must process data in real time to support real-time use, and conventional ML algorithms cannot deal with continuous data streams (Yao et al., 2018). While a potential solution is to merge current stream-processing techniques with ML techniques, the result is a more complex algorithm. 

Furthermore, the development of ML models in IoT assumes that the whole data set is available for processing during the learning stage, which does not hold for IoT data. In turn, this leads to several issues when traditional ML algorithms must deal with large data volumes. The predictive ability of the algorithms also declines as data dimensionality increases (Ouaddah et al., 2017). Another issue concerns data analytics and management, since the IoT network generates data using different devices such as communication, sensing, and network devices (Al-Garadi et al., 2020). IoT devices rely on data, which must be examined sufficiently to obtain relevant information. Managing massive data volumes is a severe issue in the IoT environment because the system generates data that is diverse in semantics, format, and form. This results in a heterogeneity problem that hinders unified and efficient generalization, because of the large data volumes and the different datasets with varying attributes (Yao et al., 2018). Most ML algorithms assume that a whole dataset shares the same statistical features, which is not true of real-world data from different devices (Al-Garadi et al., 2020). The formats and attributes of these data sets vary considerably, and various parts of a single data set might also differ, which further complicates the task for ML techniques. These challenges require efficient algorithms that address the heterogeneity of the IoT network. 

Anomaly issues in IoT 

Anomaly issues in IoT can be categorized as physical layer, link layer, network layer, transport layer, application layer, and cloud-based IoT anomalies. Intrusions at the physical layer involve malicious actors directly accessing IoT devices and manipulating them. Access is often gained through social engineering, after which the intruder launches the actual attack on the device (Burhan et al., 2018). They can, for instance, modify the devices, eavesdrop, or establish side-channels (HaddadPajouh & Parizi, 2019). While the IoT architecture is made up of diverse physical layer technologies, social engineering-based intrusion techniques are dominant. Additionally, physical intrusions require malicious actors to be close to the targeted devices. They usually intend to interfere with the energy source, tamper with the communication process, shorten the lifetime of the device, or destroy the hardware (HaddadPajouh & Parizi, 2019). Intruders can also use physical layer attacks as the basis for future malicious activities; for instance, they can replace a sensor with a device of their own to steal sensitive data. 

They can also inject malicious programs into a network to perform man-in-the-middle and other attacks. If attackers succeed in accessing and tampering with hardware, they can modify the device's security keys and routing tables and interfere with its communication with other layers (Finogeev & Finogeev, 2017). Jamming radio frequencies is another physical layer attack; it denies IoT devices the ability to communicate, which disrupts the operation of IoT applications (Bany Salameh et al., 2018). Another class of IoT anomaly concerns link-layer intrusions. 

The IoT environment uses diverse communication protocols such as NFC, RFID, WiFi, ZigBee, and IEEE 802.15.4, among others, to provide a multifaceted heterogeneous connection (Burhan et al., 2018). Each technology has its own security problems. Heterogeneous networks operate at the physical layer of the IoT architecture, while the data link layer carries the adaptations needed to match the connected network. The different communication protocols at the physical layer pose different security issues (Akram et al., 2018). In RFID, for instance, the channel between the reader and the tags is an unsecured wireless channel, which exposes the transported data to unauthorized readers. RFID is also subject to replay attacks, tag disabling, skimming, tag modification, snooping, reverse engineering, and tag cloning (Akram et al., 2018). Others include blocker tag attacks, eavesdropping, electromagnetic interference, attacks on the cryptography, and fake RFID tag queries. 

ZigBee is a low-cost, low-energy, and scalable communication technology for IoT systems. While its design considers security, the designers traded away part of that security to reduce cost and increase scalability (HaddadPajouh & Parizi, 2019). The resulting devices cannot implement some standard security techniques, which exposes the protocol to threats such as replay attacks, ZED (ZigBee End Device) sabotage attacks, sniffing, eavesdropping, and recovery of the network or link key. Besides, the pairing process of the Bluetooth protocol leads to various issues; intruders can, for instance, attack during pairing to obtain information for further attacks such as man-in-the-middle attacks. Threats to this protocol include Bluesnarfing, PIN cracking, BluePrinting, MAC spoofing, and Bluebugging (Burhan et al., 2018). Others include DoS attacks, worm attacks, brute-force attacks, man-in-the-middle attacks, and fuzzing attacks. 

WiFi is vulnerable to attacks such as availability (DoS) attacks, key retrieval attacks, and key-stream retrieval attacks (Akram et al., 2018). Moreover, while NFC is limited in range, the protocol is also insecure; it is susceptible to NFC Data Exchange Format (NDEF) attacks, eavesdropping, data insertion, data corruption, and data modification. Furthermore, the IEEE 802.15.4 standard that underlies protocols such as ZigBee, SNAP, 6LoWPAN, and WirelessHART is also vulnerable to several attacks: back-off manipulation, node-specific flooding, radio interference, signal overshadowing, back-off countdown omission, steganography attacks, random number generator tampering, and battery life extension pretense (HaddadPajouh & Parizi, 2019). Others are the ping-pong effect attack, clear channel assessment manipulation, PAN identifier conflict attacks, acknowledgement attacks, guaranteed time slot attacks, and bootstrapping attacks. 

Network layer anomalies involve traffic and data analysis, routing attacks, spoofing, and man-in-the-middle activities. Attackers can also create illusions in the network through fake identities (Akram et al., 2018). Besides, any intrusion through the network layer can allow intruders to reach the entire system and launch further attacks. Attackers normally target the Routing Protocol for Low-Power and Lossy Networks (RPL). RPL supports point-to-point, point-to-multipoint, and multipoint-to-point communication; it is an IPv6 distance-vector protocol that organizes nodes into a Destination-Oriented Directed Acyclic Graph (DODAG) topology (Akram et al., 2018). Intrusions into the routing protocol can lead to the failure of communication in the IoT network (Akram et al., 2018). The vulnerabilities multiply because IoT devices are connected to the internet and therefore exposed to many attack vectors. The major threats to RPL include black hole, sinkhole, wormhole, and Sybil attacks, as well as hello flooding and selective forwarding attacks. 

The sinkhole attack is particularly harmful in an IoT network because a compromised or fake node advertises an attractive route so that neighboring nodes forward their traffic through it. Sinkhole attacks usually target mobile ad hoc networks and sensor networks (HaddadPajouh & Parizi, 2019). Other anomalies concern IPv6 and 6LoWPAN. 6LoWPAN connects low-energy, low-storage devices to IPv6 by fragmenting IPv6 packets at its adaptation layer. In turn, this exposes it to vulnerabilities such as authentication attacks, fragmentation attacks, and confidentiality attacks, which increase the potential for coordinated DDoS that can disrupt the entire IoT network (Burhan et al., 2018). Transport layer anomalies include the intrusion issues that affect the traditional transport layer. DoS attacks are the most harmful attacks against this layer because they can choke the network and deny applications the services they require (Burhan et al., 2018). Given the features of IoT, the conventional UDP and TCP protocols do not scale well to power- and resource-limited devices, which has led to the development of less complex versions of those protocols (HaddadPajouh & Parizi, 2019). These lighter protocols, however, lack the security measures required to prevent potential attacks. 

The IoT system is also vulnerable to application layer anomalies, with threats ranging from DoS, malware, buffer overflow, and man-in-the-middle attacks to side-channel, cryptographic, and web application vulnerabilities. Attackers mostly use buffer overflow attacks to target IoT applications. Traditional mitigations such as dynamic and static code analysis and symbolic debugging are insufficient in the IoT network because of resource and power limitations. Buffer overflows and other attacks such as insecure direct object references, SQL injection, and cross-site scripting also expose IoT devices to malicious code injection (Burhan et al., 2018). The main weaknesses that expose the IoT system to application attacks are injection flaws, broken authentication, sensitive data exposure, XML external entities, security misconfiguration, and broken access control. Others are insufficient logging and monitoring, cross-site scripting, use of components with known vulnerabilities, and insecure deserialization (Burhan et al., 2018). These weaknesses expose applications to attacks such as privilege escalation, access control bypass, phishing, and malicious code injection, among others. Another severe issue concerns intelligent botnets, which scan and move through the IoT network to find known weaknesses and use them to launch attacks such as DDoS (HaddadPajouh & Parizi, 2019). Besides, IoT devices cannot implement complex cryptographic techniques, which further exposes them to cryptographic attacks. The application layer in the IoT architecture is the most vulnerable and requires extensive resources to secure. 

Cloud-based IoT anomalies also affect the IoT. Cloud computing is a key enabler for the IoT ecosystem because of its ability to process the large data volumes produced by IoT devices. Cloud computing and IoT infrastructure sit at opposite ends of the resource availability range, and they complement each other. Ubiquitous access to computing power and storage characterizes cloud computing, which addresses the resource limitations of devices in the IoT network (Stergiou et al., 2018). Integrating IoT devices with cloud computing maximizes the potential of the systems through energy conservation and the availability of adequate power and storage. The integration, however, exposes the IoT system to vulnerabilities at different layers. Potential attacks include confidentiality attacks, authorization attacks, compromise of the virtualization platform, and integrity attacks. 

Current Anomaly Detection Systems in IoT 

There are various anomaly detection systems for the IoT setting. Some systems use artificial immune systems for detecting anomalies in IoT networks. They work by adapting to the IoT network and learning new attacks automatically. They use signature-based models built with machine learning, where the learning approach is modeled on artificial immune systems. They focus on increasing IoT network security by self-adapting to new settings and self-learning new attacks (Liu et al., 2011). Other suggested systems use computational intelligence. For instance, a three-tier architecture was proposed for IoT architecture and wireless communications. The intelligent system has three units: the data storage part, the computational intelligence and optimization part, and the unit for clustering and reporting intrusions. The system relies on machine learning for detecting anomalies (Gupta et al., 2013). Another suggested system focuses on protecting 6LoWPAN networks in IoT. Its main components are a Suricata IDS, a DoS security manager, and an IDS probe (Kasinathan et al., 2013). The system was developed based on vulnerabilities in IP-based WSNs. The IDS runs on a host computer, which avoids consuming power on the constrained nodes (Kasinathan et al., 2013). A similar but improved system was developed to detect DoS attacks in 6LoWPAN networks (Kasinathan, Costamagna, et al., 2013). It builds on the same DoS detection system with additional features such as an event management part and a frequency agility manager, creating a detection system that works in large networks. 

Another proposed NIDS uses machine learning for signature-based and anomaly-based intrusion detection. The system focuses on detecting anomalies in smart public transport applications using CoAP, with features such as lightweight algorithms and suitability for CoAP applications (Krimmling & Peter, 2014). Another suggested system integrates complex event processing technology, which can determine complex patterns by processing real data. The proposed system is based on an event processing architecture with units such as the event filtering part, the event database part, and the complex event processing part. It uses a rule-based strategy to detect anomalies (Jun & Chi, 2014). The system works in real time and performs well in detecting IoT anomalies. 

Another suggested system is a WSN-based NIDS that uses a rule model strategy and a statistical model strategy (Butun et al., 2015). It is based on a downward-IDS and an upward-IDS and complies with the hierarchical WSN framework. Abnormal events in member nodes are detected through the downward-IDS, while abnormal events in cluster heads are detected with the upward-IDS. The system can be used in hierarchical WSNs and relies on WSN clustering. A constraint-based IDS for 6LoWPAN networks in IoT settings is another proposed system; it detects sinkhole attacks while maintaining efficiency measured by QoS metrics (Surendar & Umamakeswari, 2016). It works by isolating malicious nodes and reconstructing the network without them. It relies on behavioral rules while using the protocol model technique. 

Other suggested systems combine different features to work as hybrid systems, such as a hybrid system targeted at 6LoWPAN IoT networks to detect different RPL threats. The system relies on specification-based intrusion detection units in the router nodes that act as the agents of the system (Bostani & Sheikhan, 2017). It also depends on an anomaly detection unit in the root node that acts as the main detection system. The system exchanges fewer communication messages because it has no extra monitoring nodes in its design, and it can be applied to widespread networks. Another proposed hybrid system focuses on 6LoWPAN IoT networks to detect different RPL anomalies. The SVELTE IDS has a 6LoWPAN mapper unit, an anomaly detection part, and a mini-firewall part (Raza et al., 2013). The mapper gathers data about the RPL network, while the detection unit analyzes the data to determine intrusions. The system uses the firewall unit to filter unwanted traffic. The developers created the system for both centralized and distributed IDS placement approaches. It is a lightweight system and conserves energy. 

Another hybrid system relies on rule-based and signature-based anomaly detection by combining the conventional signature-based method with a Snort rule-based approach for detecting intrusions (Danda & Hota, 2016). Unknown attacks can be detected through the Snort rules, while known attacks can be detected through the signature database. The system, nevertheless, faces a privacy challenge due to its use of deep packet inspection to detect intrusions. The system is, however, simple and can self-learn. Another proposed technique is specification-based, with a focus on 6LoWPAN IoT networks, to detect different topology attacks targeting RPL (Le et al., 2016). The attacks detected included DODAG-DIS, neighbor, local repair, rank, and sinkhole attacks. The system examines the behavior of the protocol based on trace files to learn the route formation and maintenance mechanisms of stable topologies. The system is highly efficient in detecting RPL-based attacks and can be applied to widespread networks. A WSN-based NIDS was also proposed (Garcia-Font et al., 2017). It uses a signature framework and a machine learning technique. The signature unit is the main detection approach, whereas an anomaly-based unit focuses on improving the false positive rate (FPR) and the detection rate. The design of the system focuses on assisting smart city stakeholders in detecting anomalies and classifying attacks. The system can be applied to widespread WSNs. Another proposed NIDS relies on protocol- and signature-based anomaly detection to detect attacks targeting IoT networks (Fu et al., 2017). The technique is unaffected by the heterogeneity of the network; it abstracts each packet into an action flow, taking the protocol type of each packet into account, and compares the flows against three databases to detect threats. 
The database has three libraries: the normal action, abnormal action, and standard protocol libraries. The system has a unit to monitor the network, a database for events, a unit to analyze events, and a reaction unit, offering a uniform anomaly detection technique based on automata theory. The system classifies attacks into three groups and provides GUI tools to display the abstract action flows graphically and detect anomalies. 

The anomaly detection system domain has a rich literature with different types of systems. Much can be borrowed from these systems to enhance the effectiveness of the current system to be developed. 

Anomaly Detection Systems for IoT based on Honeypot and Supervised Learning 

Honeypots have emerged as crucial techniques in the IoT security domain given the proliferation of IoT technology. Some systems use intelligent honeypots to enhance the security of IoT devices using machine learning. For instance, one approach uses IoT scanners to identify devices accessible on the internet, records how each device responds to malicious interactions, and uses the stored responses to train an intelligent honeypot so that it reacts convincingly to intruders (Luo et al., 2017). Other systems use a social honeypot to collect data about malicious profiles on social media platforms and then train ML classifiers such as SVM to detect social spam automatically (Feng et al., 2014). In supervised models, the dataset must first be labeled to indicate the group of each sample before a model is trained to categorize new unlabeled samples into the defined groups. Supervised learning has also been used to develop an intrusion detection system for IoT networks (Krishnaveni et al., 2018). The system profiles the behavior of nodes to identify anomalies in the traffic and can effectively differentiate normal and malicious nodes. Other work demonstrates the application of machine learning to DDoS detection in IoT networks (Naik & Jenkins, 2018). It shows the importance of focusing on activities specific to the IoT network, such as the near-constant time interval between packets and the restricted number of endpoints a device contacts, when selecting features. In turn, this enhances accurate detection of intrusions in IoT network traffic using machine learning. 
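The two IoT-specific features just mentioned, regularity of the inter-packet interval and the number of endpoints a device talks to, can be computed per source from captured packet records. The following is an added example, not the code of any of the systems cited above: the packet records are constructed, and the thresholds in flag() are assumptions chosen to illustrate the rule, not values from this dissertation. It also includes a legitimate heartbeat device to show why a rate feature is needed alongside the two named in the text.

```python
"""Per-source traffic features of the kind singled out above for IoT DDoS
detection: a near-constant inter-packet interval and a small set of
endpoints. Added example; the packet records are constructed and the
thresholds in flag() are assumptions, not values from the dissertation."""
import statistics
from collections import defaultdict

# Constructed packet records: (timestamp in seconds, src_ip, dst_ip, dst_port)
PACKETS = []
# 10.0.0.20: a sensor reporting irregularly to an MQTT broker plus one NTP query.
for ts, dst_ip, dst_port in [(0.0, "10.0.0.1", 8883), (4.2, "10.0.0.1", 8883),
                             (9.9, "10.0.0.1", 8883), (12.1, "10.0.0.5", 123),
                             (20.3, "10.0.0.1", 8883), (27.0, "10.0.0.1", 8883)]:
    PACKETS.append((ts, "10.0.0.20", dst_ip, dst_port))
# 10.0.0.21: a bot flooding one victim with a packet every 100 ms.
for i in range(60):
    PACKETS.append((i * 0.1, "10.0.0.21", "203.0.113.9", 80))
# 10.0.0.22: a legitimate heartbeat every 5 s to one server (constant interval
# and a single endpoint, but a low rate).
for i in range(12):
    PACKETS.append((i * 5.0, "10.0.0.22", "10.0.0.1", 8883))


def extract_features(packets):
    """Group by source and compute interval regularity, endpoint spread and rate."""
    by_src = defaultdict(list)
    for ts, src, dst_ip, dst_port in packets:
        by_src[src].append((ts, (dst_ip, dst_port)))
    features = {}
    for src, rows in by_src.items():
        rows.sort()
        times = [r[0] for r in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        # Coefficient of variation of the gaps: near 0 means the device sends
        # like a metronome, which is typical of flooding bots.
        gap_cv = (statistics.pstdev(gaps) / mean_gap
                  if len(gaps) > 1 and mean_gap > 0 else 0.0)
        duration = times[-1] - times[0]
        features[src] = {
            "packets": len(rows),
            "mean_gap": mean_gap,
            "gap_cv": gap_cv,
            "endpoints": len({r[1] for r in rows}),
            "pkt_rate": len(rows) / duration if duration > 0 else float(len(rows)),
        }
    return features


def flag(features, max_cv=0.05, max_endpoints=2, min_rate=5.0):
    """Simple rule over the features (thresholds are assumptions). In the
    design proposed here these features would feed the supervised classifier."""
    return {
        src: (f["gap_cv"] <= max_cv and f["endpoints"] <= max_endpoints
              and f["pkt_rate"] >= min_rate)
        for src, f in features.items()
    }


if __name__ == "__main__":
    feats = extract_features(PACKETS)
    for src, verdict in flag(feats).items():
        print(src, "FLAGGED" if verdict else "ok", feats[src])
```

The heartbeat device matches both of the named features (constant interval, one endpoint) and is kept out of the alert only by the rate threshold; a high-rate legitimate stream such as a camera upload to a single server would still trip the rule, which is the kind of false positive a learned model trained on labeled honeypot data is meant to reduce.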

Summary 

The IoT connects diverse devices spread across different sectors and connected through different protocols. Additionally, the IoT architecture consists of four layers, each focused on a specific function but working in combination to ensure the generation and transmission of data. Given the widespread adoption of IoT technology and the presence of numerous devices, protocols, and standards, securing the system, including the devices and the generated and transmitted data, has emerged as a significant concern in recent years. The question now is how to protect the system effectively given the variety of connected devices. The entire system, from the device layer and the application layer to the support and network layers, has vulnerabilities that attackers can exploit to compromise it, whether by damaging it, planting malicious code, or stealing confidential information. Honeypots are potential solutions that can be used to protect the system; they lure intruders by simulating a specific valuable target in the IoT system. The literature presents substantial information about different proposed techniques for securing the system based on anomaly detection systems. These systems vary and focus on intrusion or anomaly detection. They also involve learning the patterns of attackers to gain knowledge for implementing future countermeasures. Machine learning has also been shown to be essential in enhancing the learning ability of anomaly detection systems. The literature thus demonstrates the feasibility of developing anomaly detection systems based on honeypots and machine learning. 

Chapter 3: Design the IoT Anomaly Detection System 

This chapter will describe the proposed anomaly detection system based on a multi-purpose honeypot and supervised learning. The development of the system is judged by its ability to achieve the required test outcomes in the simulated environment. The system design will ensure that the model can replicate specific threats and activities. The chapter will also demonstrate the interaction between the different system components in a simulated setting, while the implementation part of the next chapter will offer more details about the operation of the system. The subsections in this chapter cover the design of the anomaly detection model, a description of its modules, and a description of the simulated setting. The anomaly detection model will be presented through a high-level description, with a figure indicating the respective components, followed by a detailed description of each part. The modules will then be discussed in depth. Finally, the simulated setting in which the honeypot and the supervised learning component will be contained will be described, together with the attack scenario. 

The objective of the anomaly detection system is to collect real-time threat data, analyze the data, and identify the intent of the malicious activity. This chapter will, therefore, focus on designing the proposed system, describing its components, and describing the simulated setting in which it will operate so that its parameters can be tested. The multi-purpose honeypot selected for this study will support channels such as HTTP, SSH, and Telnet to create instances in which the malicious actor interacts with the simulated setting. Everything the project expects of the honeypot will be specified in this chapter. 

Chapter 4: Implementation and Results 

After the anomaly detection system has been designed, this chapter will demonstrate its implementation and the results. The chapter will also demonstrate the attainment of the objectives described in the first chapter. Specifically, it will show how the different modules of the system communicate over a network. The implementation and the generation of results will be based on the model presented in the previous chapter. The system will be used to generate log files containing data about the interaction of the malicious actor with the system. 

The chapter will also describe the establishment of the simulated scenario, the devices included, the networks involved, and any software involved. Other details will include the implementation of the multi-purpose honeypot, covering its installation, its features, and the hardware involved. The experimental results will then be discussed, including the attack scenario used for producing the results, the technical assumptions considered, and the threat scenario. The outcomes regarding the simulated setting will also be discussed, covering the simulated IoT set-up, the devices, the network, and the protocols used. The honeypot log data will be described, as will the detected anomalies, including the steps involved and how the system performed. 

The scope of this chapter will, thus, cover the deployment of the proposed system and of the honeypots to gather data about anomaly events and attacks, and the evaluation and determination of the features and classification algorithms required for detecting anomalies. The collected data will also be analyzed to extract patterns that will be used in supervised learning to protect the IoT system. The suggested subsections are deployment of the anomaly detection system, honeypot implementation, evaluation of the required system parameters, and analysis of experimental results. 

Chapter 5: Analysis and Discussion 

This chapter will analyze the results from chapter four. It will also discuss the study's propositions and their importance in attaining the objectives of the paper, and map the propositions onto the wider literature to determine their contribution to research on anomaly detection systems. The paper's central approach is the use of multi-purpose honeypots in an IoT ecosystem to detect possible anomalies. The literature review in the second chapter explored the existing research on anomaly detection methods, honeypot techniques, and supervised learning. The model will be developed, deployed, and subjected to the attack scenario in the third chapter, and the outcomes of these activities will support the experimental proof of concept. The simulated threats will come from unknown malicious actors, while some attacks will be generated in a moderated and controlled setting. The analysis of the outcomes of chapter four will form the core of this chapter. 

The chapter will analyze the proposals, results, and suggestions presented in the paper. The results discussed will be those obtained from the implementation phase in chapter four. The chapter will also examine whether the research objectives have been met, followed by a discussion of the actual results. The discussion of the actual results will focus on anomaly events, while the discussion of the propositions will cover the entire system and its various parts. The performance of the multi-purpose honeypot with supervised learning will be analyzed to determine whether it provided sufficient interaction data to support the analysis and to establish the attacker's modus operandi and intent. The analysis will offer evidence on the usefulness of a multi-purpose honeypot with supervised learning for detecting and categorizing anomaly events and patterns in an IoT setting. The results will be compared with those of existing anomaly detection systems to establish how similar or different they are. The suggested subsections are analysis of results, discussion of actual results, and discussion of the propositions. 
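
The pipeline that the chapter four and chapter five outlines describe (honeypot log collection, per-source feature extraction, supervised classification, and evaluation of precision and recall on held-out attack sessions) is shown end to end below as an added illustration. This is not code from the dissertation: the JSON-lines log format, its field names, the four features, the k-nearest-neighbour learner, the labels and every sample record are constructed assumptions chosen for the example.

```python
"""Honeypot log -> per-source features -> supervised classifier -> evaluation.

Added illustration, not the dissertation's own code. The JSON-lines log
format, its field names, the four features, the labels and every sample
record below are constructed assumptions chosen for this example.
"""
import json
import math
from collections import Counter


def make_log(sessions):
    """Serialise (src, dport, event, repeat) tuples as JSON lines; stands in
    for the honeypot's own log writer (records are constructed)."""
    lines = []
    for src, dport, event, n in sessions:
        lines += [json.dumps({"src": src, "dport": dport, "event": event})] * n
    return "\n".join(lines) + "\n"


def scan(src, ports):
    """One connect per port: the trace a port sweep leaves in the log."""
    return [(src, p, "connect", 1) for p in ports]


# Constructed training traffic: two credential-guessing sessions on telnet,
# two port sweeps, and three ordinary device sessions (MQTT and HTTP).
TRAIN_LOG = make_log([
    ("10.0.0.5", 23, "connect", 1), ("10.0.0.5", 23, "login_failed", 3),
    ("10.0.0.5", 23, "login_ok", 1), ("10.0.0.5", 23, "command", 2),
    *scan("10.0.0.6", (22, 23, 80, 2323)),
    ("10.0.0.7", 23, "connect", 1), ("10.0.0.7", 23, "login_failed", 2),
    ("10.0.0.7", 23, "login_ok", 1), ("10.0.0.7", 23, "command", 3),
    *scan("10.0.0.8", (21, 22, 23, 80, 443)),
    ("10.0.0.20", 1883, "connect", 1), ("10.0.0.20", 1883, "login_ok", 1),
    ("10.0.0.20", 1883, "command", 1),
    ("10.0.0.21", 80, "connect", 1), ("10.0.0.21", 80, "login_failed", 1),
    ("10.0.0.21", 80, "login_ok", 1),
    ("10.0.0.22", 1883, "connect", 1), ("10.0.0.22", 1883, "login_ok", 1),
])
# Per-source labels, assumed to come from the moderated attack sessions the
# outline mentions (constructed).
TRAIN_LABELS = {"10.0.0.5": "anomaly", "10.0.0.6": "anomaly", "10.0.0.7": "anomaly",
                "10.0.0.8": "anomaly", "10.0.0.20": "benign",
                "10.0.0.21": "benign", "10.0.0.22": "benign"}

# Constructed held-out traffic standing in for the unknown sources.
TEST_LOG = make_log([
    ("192.0.2.1", 23, "connect", 1), ("192.0.2.1", 23, "login_failed", 4),
    ("192.0.2.1", 23, "login_ok", 1), ("192.0.2.1", 23, "command", 2),
    ("192.0.2.2", 1883, "connect", 1), ("192.0.2.2", 1883, "login_ok", 1),
    ("192.0.2.2", 1883, "command", 1),
    *scan("192.0.2.3", (22, 23, 80, 443, 8080, 2323)),
])
TEST_LABELS = {"192.0.2.1": "anomaly", "192.0.2.2": "benign", "192.0.2.3": "anomaly"}


def extract_features(log_text):
    """Aggregate the log into one vector per source:
    (events, distinct_ports, login_failed, commands)."""
    events, ports, failed, cmds = Counter(), {}, Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines left by log rotation
        rec = json.loads(line)
        src = rec["src"]
        events[src] += 1
        ports.setdefault(src, set()).add(rec["dport"])
        failed[src] += rec["event"] == "login_failed"
        cmds[src] += rec["event"] == "command"
    return {s: (events[s], len(ports[s]), failed[s], cmds[s]) for s in events}


class KnnClassifier:
    """k-nearest neighbours over min-max scaled features. Picked here as the
    simplest supervised learner that needs no third-party library; the
    dissertation does not commit to a particular algorithm."""

    def __init__(self, feats, labels, k=3):
        self.k = k
        cols = list(zip(*feats.values()))
        self.lo = [min(c) for c in cols]
        self.rng = [max(c) - min(c) or 1 for c in cols]  # zero-range guard
        self.points = [(self._scale(v), labels[s]) for s, v in feats.items()]

    def _scale(self, v):
        return [(x - lo) / r for x, lo, r in zip(v, self.lo, self.rng)]

    def predict(self, v):
        q = self._scale(v)
        near = sorted(self.points, key=lambda p: math.dist(p[0], q))[: self.k]
        return Counter(lbl for _, lbl in near).most_common(1)[0][0]


def evaluate(model, feats, labels):
    """Precision, recall and F1 for the 'anomaly' class on held-out sources."""
    tp = fp = fn = 0
    for src, v in feats.items():
        pred, truth = model.predict(v), labels[src]
        tp += pred == "anomaly" == truth
        fp += pred == "anomaly" and truth == "benign"
        fn += pred == "benign" and truth == "anomaly"
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": prec, "recall": rec, "f1": f1}


if __name__ == "__main__":
    model = KnnClassifier(extract_features(TRAIN_LOG), TRAIN_LABELS)
    test = extract_features(TEST_LOG)
    for src, vec in test.items():
        print(src, vec, "->", model.predict(vec))
    print(evaluate(model, test, TEST_LABELS))
```

Two design points carry over to the real system regardless of learner: the scaling parameters are fitted on the training sources only, so the held-out evaluation is not contaminated by test data, and the feature vector is aggregated per source rather than per event, because a single failed login or a single connect is unremarkable while their counts and port spread are what separate a sweep or credential-guessing session from a device publishing to its broker. Which features and algorithm the dissertation finally selects is exactly the question its chapter four is set up to answer.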

Chapter 6: Conclusion 

The current paper aims to design an anomaly detection system using a multi-purpose honeypot with supervised learning. The system will be tested in a simulated IoT situation in a real-world context to determine its performance, and it will be implemented in the simulated setting to generate data. The data will be collected and examined to characterize the attack activities, their patterns, and their interaction with the system. Attacks will be conducted against the system to assess the functionality of the multi-purpose honeypot based on machine learning. The results will then be analyzed to determine the performance of the various parameters of the system and the usefulness of a multi-purpose honeypot with supervised learning in detecting anomalies in an IoT ecosystem. Conclusions will then be drawn from the analyzed results. Limitations of the system will be identified to inform future work on anomaly detection using a multi-purpose honeypot with supervised learning, and areas for further research will be identified to improve the usefulness of the system and to strengthen threat prevention and the development of countermeasures against malicious activity in the IoT setting. 
