In the last several years progress toward securing Internet of Things (IoT) devices has been made on several fronts. There are now mature specifications for IoT devices that require encryption, authentication and authorization for every device. Governments and industry have released baselines that provide guidance on what should constitute a secure device. There is even recent legislation at the state level aimed at enforcing security in IoT.
None of this will guarantee secure devices. There will always be devices that are exposed, unpatched and vulnerable. Even companies and manufacturers that prioritize security will inevitably find themselves with vulnerabilities such as Ripple20, inherited through the supply chain from decades-old code. Combine this with malware like Mirai that is constantly being updated to take advantage of newly discovered vulnerabilities, and it becomes clear that building strong security into individual devices is simply not enough. The question that now needs to be answered is: can secure systems be built from networks of potentially insecure devices?

The question posed above is not a mere hypothetical one. Today's subscriber networks consist of not just a heterogeneous mix of devices, but also the implicit mix of vulnerabilities and attack surfaces inherent in today's complex home networks. To address this problem in a comprehensive and systematic way, intelligence must be added to the network itself: the network must be able to identify the devices running on it, learn how those devices behave, and actively and surgically block traffic that falls outside the bounds of what is deemed normal for each device.
This research presents a method whereby a centralized router/gateway can learn a device's behavior on the network and, based on that behavior, distinguish normal from abnormal traffic for that device. The model presented in this paper takes advantage of the predictability of an IoT device's network footprint by developing a formalized measurement of complexity for each device. Low-complexity, simple devices are more accurately modeled and thus can be more confidently managed autonomously by the network.
After describing the framework necessary to measure the complexity of network devices, this work then uses this complexity measure to inform and tune an anomaly detection algorithm to construct a behavioral model for each device. This tuned model represents the behavior footprint of each device learned from its network traffic and forms the basis for differentiating normal traffic from abnormal.
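The following is an added example, not code from the paper, that shows one concrete way the architecture described above can be realized on a gateway. The paper's actual complexity measure and anomaly detector are not given on this page, so the example assumes its own: complexity is taken to be the Shannon entropy (in bits) of a device's distribution over (destination IP, destination port, protocol) flow tuples during a learning phase, and the detector's slack (how many unseen endpoints and how large a burst it tolerates) is widened as that complexity grows. The devices, endpoints and flow records are constructed for illustration; the names `learn_profile`, `tune` and `classify` are the example's own.

```python
"""
Complexity-tuned per-device anomaly detection on a home gateway.

Added example, not code from the paper. The paper's own complexity measure and
detector are not on this page; this block ASSUMES a concrete instance of the idea:
  * complexity   = Shannon entropy (bits) of a device's distribution over
                   (dst_ip, dst_port, proto) flow tuples seen while learning;
  * the detector flags a traffic window when it contains more previously unseen
    tuples than a budget, or a burst above a multiple of the learned peak rate,
    with both limits loosened as complexity grows.
All flow records below are constructed for illustration.
Flow record layout: (device, timestamp_s, dst_ip, dst_port, proto)
"""
from collections import Counter
import math


def _endpoint(flow):
    return flow[2:]  # (dst_ip, dst_port, proto)


def complexity_bits(flows):
    """Shannon entropy of the device's endpoint distribution (assumed measure)."""
    counts = Counter(_endpoint(f) for f in flows)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def peak_rate(flows):
    """Largest number of flows observed in any single second."""
    per_sec = Counter(f[1] for f in flows)
    return max(per_sec.values()) if per_sec else 0


def learn_profile(flows):
    """Learning phase: record known endpoints, complexity and peak rate."""
    return {
        "known": {_endpoint(f) for f in flows},
        "complexity": complexity_bits(flows),
        "peak_rate": peak_rate(flows),
    }


def tune(profile):
    """Map complexity to detector slack: simple devices get a tight boundary."""
    c = profile["complexity"]
    return {"novel_budget": int(c) + 1, "rate_factor": 2.0 + c}


def classify(profile, window):
    """Return ('normal' | 'anomalous', reasons) for a window of flows."""
    knobs = tune(profile)
    novel = {_endpoint(f) for f in window} - profile["known"]
    rate = peak_rate(window)
    reasons = []
    if len(novel) > knobs["novel_budget"]:
        reasons.append(f"{len(novel)} unseen endpoints > budget {knobs['novel_budget']}")
    if rate > knobs["rate_factor"] * profile["peak_rate"]:
        reasons.append(f"peak {rate} flows/s > {knobs['rate_factor']:.1f}x learned peak "
                       f"{profile['peak_rate']}")
    return ("anomalous" if reasons else "normal", reasons)


# --- constructed learning traffic -------------------------------------------
CLOUD = ("203.0.113.10", 443, "tcp")
DNS = ("192.0.2.53", 53, "udp")

# Smart plug: one cloud endpoint plus occasional DNS, one flow per second.
PLUG_TRAIN = [("plug", t, *(CLOUD if t % 5 else DNS)) for t in range(20)]

# Smart TV: eight endpoints (CDN nodes, DNS, NTP) used evenly, two flows per second.
TV_ENDPOINTS = [
    ("198.51.100.1", 443, "tcp"), ("198.51.100.2", 443, "tcp"),
    ("198.51.100.3", 443, "tcp"), ("198.51.100.4", 80, "tcp"),
    ("198.51.100.5", 80, "tcp"), ("198.51.100.6", 443, "tcp"),
    DNS, ("192.0.2.123", 123, "udp"),
]
TV_TRAIN = [("tv", i // 2, *TV_ENDPOINTS[i % 8]) for i in range(16)]


# --- constructed test windows ------------------------------------------------
PLUG_NORMAL = [("plug", 100, *CLOUD), ("plug", 100, *DNS)]


def two_new_endpoints(device):
    """Two never-seen CDN hosts in one second: ordinary churn for a TV, odd for a plug."""
    return [(device, 300, "198.51.100.7", 443, "tcp"),
            (device, 300, "198.51.100.8", 443, "tcp")]


def scan_window(device):
    """Mirai-style telnet scan: 50 new hosts on tcp/23 within one second."""
    return [(device, 200, f"10.0.{i}.{i}", 23, "tcp") for i in range(50)]


def run_demo():
    plug, tv = learn_profile(PLUG_TRAIN), learn_profile(TV_TRAIN)
    return {
        "plug_normal": classify(plug, PLUG_NORMAL)[0],
        "plug_two_new": classify(plug, two_new_endpoints("plug"))[0],
        "plug_scan": classify(plug, scan_window("plug"))[0],
        "tv_two_new": classify(tv, two_new_endpoints("tv"))[0],
        "tv_scan": classify(tv, scan_window("tv"))[0],
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} {verdict}")
```

The contrast to notice is `plug_two_new` versus `tv_two_new`: the same two unseen endpoints are flagged on the low-complexity plug (entropy about 0.72 bits, budget of one unseen endpoint) but tolerated on the high-complexity TV (3 bits, budget of four), while the scanning burst is caught on both. Tightening the boundary as complexity falls is what lets the gateway block confidently on simple devices without drowning complex ones in false positives; a production detector would of course learn over far more traffic and more features than this sketch.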
To demonstrate the efficacy of this model, this work analyzes the boundary of each device's learned behavior against seven common types of malware traffic from infected IoT devices. Finally, to illustrate that the model can be effectively applied to a broad spectrum of devices, four different IoT datasets were analyzed: one residential dataset, two lab datasets, and a dataset based on commercial IoT devices. The results show that this model can be an effective way to actively block Distributed Denial of Service (DDoS) attacks and malware traffic, especially on low-complexity devices.