
So today I will introduce to you my work in statistical security for the Internet of Things. Actually I'm a first-year PhD student and this is my work so far. First we will introduce the IoT security problem, after that we will introduce the motivation behind our work, and then we will introduce what we did so far.

So as we can see, the IoT security problem is an emerging problem nowadays because, first, the total number of active IoT devices connected worldwide is expected to increase by 22 billion by 2025. So what's the problem with that? The problem is that we have very poor IoT security measures, especially in the IoT devices we use in high-density applications. So as we can see, 90% of the devices collected at least one piece of personal information, 70% of devices used unencrypted network services, 70% of the devices along with their cloud and their apps enable an attacker to identify valid user accounts, and 80% of the devices along with their cloud and mobile applications fail to require a password of sufficient complexity. Also, recent research showed us that there are 25 vulnerabilities in the 10 most used IoT devices in the world. So all these vulnerabilities lead to a lot of IoT security incidents in recent years; as we can see from the chart developed by the cyber threat report in 2019, in 2018 the cyber attacks increased by 200% compared to the cyber attacks in 2017, which is a really very big number.

We can remember the ransomware attack that happened in the NHS and caused the NHS to lose like 63 billion pounds in order to fix and to install high-security devices all along the NHS, and the funny thing is that a third of the devices infected by the ransomware were IoT devices used in the health sector. Also we can remember the famous Mirai attack, which happened in 2016 and led to most of the East Coast in the U.S. losing its connectivity to the most popular internet service providers like Amazon and Facebook. So the Mirai botnet was a distributed denial of service attack, and along with routers it used CCTV cameras; the problem with CCTV cameras is that they have a default password and user name used with them. So as we can see from this chart, this is the traffic in one of the companies affected by Mirai in 2016, and we can see here the normal behavior, we can see here low traffic, and there are several attacks, up to two hundred and fifty gigabits per second. So if we had a mechanism in the IoT device itself in order to know that this device is behaving abnormally, not behaving in a normal way, and then we have a mechanism to block this device, then we could save like millions, or yeah.

So what is the solution? One of the solutions for this, not the only solution of course, is anomaly detection, and as we can see, anomaly detection is to find the anomalous behavior of one dimension at some points and then to declare an anomaly. So to have anomaly detection we should know the normal behavior, and then we could know if anything goes wrong at any time after that.

So what are the challenges for anomaly detection in the IoT setup? The first challenge is anomaly detection in high-density IoT networks, in massive IoT, because we are using low-cost, low-energy and massive numbers of IoT devices. So what happens is that we have low-cost and low-energy devices, so we could not do very complicated security measures at the device end, and also we have a very high number of devices, massive numbers, so this means very huge data we should process in order to know the normal and then the anomalous behavior. So in order to make this problem simple, we want to develop a distributed IoT anomaly detection method that is not computationally complicated and also can be done in the device, so it can use the device data only and doesn't need to use the data of the other devices in the network.

So the problem with that is the modeling of the normal and anomalous behavior of the IoT device. We can see from the charts here we have the normal behavior and the anomalous behavior on the other side. For the normal behavior we described the number of packets per second in one day for this device, which is a motion sensor; we took this data from the data source shown down here. So as we can see here, the volume of the traffic is not high in the first chart and it is very high in the second chart, but it is very bursty; that means the number of packets sent per second by the motion sensor is from 0 up to 80 packets per second, and on the other side, in the normal behavior, it is from 0 to 20 packets per second. And as we can see, if we want real-time detection for this scenario, we cannot fix like a mean and say if it is above this mean then we have anomalous behavior, or if it is below this mean we have normal behavior. So we should characterize as well the inter-arrival time and also the number of packets sent per second, together.

So as we can see from the two challenges we described before, we need a real-time and distributed algorithm which is not very complicated, and we also need to use not a high volume of data. So, the IoT security suggested scheme: first, this is our work, it is a statistical solution. So this is the number of packets sent to each IP address. In the first chart we can see the IP address here is the IP address of the gateway, which has the highest number of packets sent, and in the second chart, where there is the attack traffic, we have lots of other IP addresses, and you can see that this is not the normal behavior from this chart.

So what is our suggested solution? Our suggested solution is to do queue modeling for the incoming traffic. First we cluster the incoming traffic into different packet sizes, and for each packet size we have a stream of traffic that we enter into a queue that has a service time which is greater than the mean arrival time of the packets, and then from this we can model the delay or the queue size. You can see the chart down here, you have the queue size per second, and as you can see it is coming up and going down depending on the number of packets sent per second. So we can see the difference between the normal behavior and the anomalous behavior when we use our method: in the normal behavior you can see that the queue is building up and emptying within a certain range, and for this type of attack the queue is building up infinitely. And as you can see, we set up a threshold, so every point after exceeding this threshold is regarded as an anomalous point, and so an attack can be declared.

How can we choose the threshold? The threshold comes from the complementary CDF of the delay we modeled earlier. So what we did is, for 30 days we have a complementary CDF for each day, and from this complementary CDF we set up a reasonable threshold, and then we have the mean for 30 days. As you can see, when we set up the threshold, which was in this case 1250, we declared an anomaly at 7000 seconds, and it was 2,000 seconds later than the actual attack. So we can always reduce the threshold so we have early detection, but there is a trade-off between early detection and false positive alarms, still in some cases, yeah.

So the future work is to develop simultaneous queues for different packet sizes; in our analysis we used just one stream of packet size, which was for the TCP protocol for our IoT device. Also reducing the difference between the detection and the actual attack by selecting the optimum threshold and updating the threshold with time, because we know that the behavior of IoT devices is not uniform in most cases, like for example in the motion sensor or in the IP cameras, so we have a normal behavior that changes with time slightly. And also we are starting to develop our own testbed and assess the real-time application of our algorithm. Thank you.
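The queue-based scheme described in the talk (one packet-size stream fed into a queue, a per-day threshold taken from the complementary CDF of the queue size over 30 normal days, averaged, and an alarm when the queue exceeds it), written out as an added example. This is not the speaker's code or data: it assumes a simple fluid queue whose constant service rate sits slightly above the mean normal arrival rate (one reading of "service time greater than the mean arrival time"), and the traffic is constructed with a seeded random generator to mimic the 0..20 pkt/s normal and 0..80 pkt/s attack ranges mentioned. The names `queue_sizes`, `ccdf_threshold`, `train_threshold`, `first_alarm` and `demo` are mine.

```python
from bisect import bisect_right
import random


def queue_sizes(arrivals_per_second, service_rate):
    """Per-second backlog of a fluid queue fed by one packet-size stream.
    Each second the backlog grows by that second's arrivals and drains by at
    most service_rate packets (assumption: service_rate a little above the
    mean normal arrival rate, so a normal day keeps the backlog bounded while
    a flood makes it grow without limit)."""
    backlog, trace = 0, []
    for arrivals in arrivals_per_second:
        backlog = max(0, backlog + arrivals - service_rate)
        trace.append(backlog)
    return trace


def ccdf_threshold(samples, tail_prob):
    """Smallest observed queue size x with empirical P(Q > x) <= tail_prob,
    i.e. the point where the complementary CDF drops to the chosen tail."""
    ordered = sorted(samples)
    n = len(ordered)
    for x in ordered:
        if (n - bisect_right(ordered, x)) / n <= tail_prob:
            return x
    return ordered[-1]


def train_threshold(normal_days, service_rate, tail_prob=0.001):
    """One CCDF threshold per normal day, then the mean across the days."""
    per_day = [ccdf_threshold(queue_sizes(day, service_rate), tail_prob)
               for day in normal_days]
    return sum(per_day) / len(per_day)


def first_alarm(arrivals_per_second, service_rate, threshold):
    """Second at which the backlog first exceeds the threshold, or None."""
    for second, backlog in enumerate(queue_sizes(arrivals_per_second, service_rate)):
        if backlog > threshold:
            return second
    return None


def constructed_traffic(rng, seconds, mean_rate, cap):
    """Constructed bursty arrivals (not real sensor data): an exponential
    draw floored and capped, e.g. cap=20 for normal, cap=80 under attack."""
    return [min(cap, int(rng.expovariate(1.0 / mean_rate))) for _ in range(seconds)]


def demo(seed=7, day_seconds=3600, service_rate=10):
    """Train on 30 constructed normal 'days' (shortened to 3600 s), then run a
    day whose second half is a flood; report threshold, alarm time, the delay
    between the attack start and the alarm, and false alarms before the attack."""
    rng = random.Random(seed)
    normal_days = [constructed_traffic(rng, day_seconds, 6, 20) for _ in range(30)]
    threshold = train_threshold(normal_days, service_rate)
    attack_start = day_seconds // 2
    test_day = (constructed_traffic(rng, attack_start, 6, 20)
                + constructed_traffic(rng, day_seconds - attack_start, 40, 80))
    alarm = first_alarm(test_day, service_rate, threshold)
    false_alarms = sum(1 for q in queue_sizes(test_day[:attack_start], service_rate)
                       if q > threshold)
    return {
        "threshold": threshold,
        "attack_start": attack_start,
        "alarm_second": alarm,
        "detection_delay": None if alarm is None else alarm - attack_start,
        "false_alarm_seconds_before_attack": false_alarms,
    }


if __name__ == "__main__":
    print(demo())
```

Lowering `tail_prob` raises the threshold and suppresses false alarms on bursty normal days but lengthens the detection delay; raising it does the opposite, which is the trade-off the talk describes. Running several packet-size streams in parallel is just a list of independent `queue_sizes` traces with their own thresholds.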