Download (4MB)
Total Page:16
File Type:pdf, Size:1020Kb
Establishing trusted Machine-to-Machine communications in the Internet of Things through the use of behavioural tests Thesis submitted in accordance with the requirements of the University of Liverpool for the degree of Doctor in Philosophy by Valerio Selis April 2018 \Be less curious about people and more curious about ideas." Marie Curie Abstract Today, the Internet of Things (IoT) is one of the most important emerging technolo- gies. Applicable to several fields, it has the potential to strongly influence people's lives. \Things" are mostly embedded machines, and Machine-to-Machine (M2M) communica- tions are used to exchange information. The main aspect of this type of communication is that a \thing" needs a mechanism to uniquely identify other \things" without human intervention. For this purpose, trust plays a key role. Trust can be incorporated in the smartness of \things" by using mobile \agents". From the study of the IoT ecosystem, a new threat against M2M communications has been identified. This relates to the opportunity for an attacker to employ several forged IoT-embedded machines that can be used to launch attacks. Two \things-aware" detection mechanisms have been proposed and evaluated in this work for incorporation into IoT mobile trust agents. These new mechanisms are based on observing specific thing-related behaviour obtained by using a characterisation algorithm. The first mechanism uses a range of behaviours obtained from real embedded ma- chines, such as threshold values, to detect whether a target machine is forged. This detection mechanism is called machine emulation detection algorithm (MEDA). MEDA takes around 3 minutes to achieve a detection accuracy of 79.21%, with 44.55% of real embedded machines labelled as belonging to forged embedded machines. These results indicated a need to develop a more accurate and faster detection method. Therefore, a second mechanism was created and evaluated. A dataset composed of behaviours from real, virtual and emulated embedded systems that can be part of the IoT was created. This was used for both training and testing classification methods. The results iden- tified Random Forest (RF) as the most efficient method, recognising forged embedded machines in only 5 seconds with a detection rate of around 99.5%. It follows that this solution can be applied in real IoT scenarios with critical conditions. In the final part of this thesis, an attack against these new mechanisms has been proposed. This consists of using a modified kernel of a powerful machine to mimic the behaviour of a real IoT-embedded machine, referred to as a fake timing attack (FTA). Two metrics, mode and median from ping response time, have been found to effectively detect this attack. The final detection method involves combining RF and k-Nearest Neighbour to successfully detect forged embedded machines and FTA in only 40 seconds, with an overall detection performance (ODP) of 99.9% and 93.70% respec- tively. This method also was evaluated using behaviours from embedded machines that were not present in the training set. The results from that evaluation demonstrate that the proposed solution can detect embedded machines unknown to the method, both real and virtual, with an ODP of 99.96% and 99.92% respectively. In summary, a new algorithm able to detect forged embedded machines easily, quickly and with very high accuracy has been developed. The proposed method ad- dresses the challenge of securing present and future M2M-embedded machines with power-constrained resources and can be applied to real IoT scenarios. v Contents Abstract v Illustrations xi Abbreviations xvii Preface xxiii Acknowledgements xxv 1 Introduction1 1.1 Internet-connected Things...........................1 1.2 Real-Life Scenarios...............................4 1.2.1 Intelligent Transportation Systems..................4 1.2.2 Intelligent Healthcare Systems....................5 1.2.3 Intelligent Building Systems......................6 1.3 Threats Against Things and the Internet of Things.............7 1.4 Motivation, Aims and Objectives.......................8 1.5 Contributions and Outline of the Thesis................... 11 1.6 Publication List................................. 13 2 Background and Related Work 15 2.1 Internet of Things............................... 15 2.2 Machine-to-Machine Communications.................... 18 2.3 Emerging Trends in the IoT.......................... 19 2.3.1 Social Internet of Things (SIoT)................... 19 2.3.2 Virtualisation Continuum (VC).................... 21 2.3.3 Fog Computing (FC).......................... 22 2.4 Information Security and Trust........................ 23 2.4.1 Encryption Techniques in the Internet of Things.......... 26 2.4.2 Definition of Trust........................... 29 2.4.3 Trust Management Frameworks.................... 31 2.4.4 Attacks against Trust Management Frameworks.......... 34 2.4.5 Trust Models for IoT.......................... 35 vii 2.5 Limitations of Current Solutions....................... 36 2.6 Summary.................................... 38 3 A New Threat and a Novel Solution: Machine Emulation Detection Algorithm 43 3.1 Threat Model.................................. 43 3.2 Real-Life Scenarios: Worst Cases....................... 45 3.2.1 Open Networks............................. 46 3.2.2 Closed Networks............................ 47 3.3 Virtualisation and Emulation Detection................... 48 3.3.1 CPU and Memory Tests........................ 49 3.3.2 Architecture-based Timing Tests................... 49 3.3.3 Remote Tests.............................. 50 3.3.4 Fingerprinting Tests.......................... 50 3.4 Solution and Algorithm Design........................ 51 3.4.1 Characterisation Algorithm...................... 53 3.4.2 Machine Emulation Detection Algorithm.............. 57 3.5 Results and Discussion............................. 60 3.5.1 Comparison with Other Techniques.................. 62 3.6 Summary.................................... 64 4 A Classification Approach to Detecting Forged Embedded Machines 65 4.1 Background and Motivation.......................... 65 4.2 Classification-based Algorithm........................ 67 4.2.1 Initial Dataset............................. 68 4.2.2 Feature Extraction........................... 69 4.2.3 Feature Selection............................ 71 4.2.4 Classification.............................. 71 4.2.5 Performance Evaluation........................ 73 4.2.6 Overall Evaluation........................... 75 4.3 Simulation and Results............................. 77 4.3.1 Comparison with MEDA....................... 84 4.4 Summary.................................... 84 5 Attack and Defence in Behavioural Tests 87 5.1 Threat Model.................................. 87 5.2 Fake Timing Attack.............................. 88 5.3 Detection Model................................ 91 5.4 Simulations, Results and Comparison with Other Algorithms....... 92 5.5 Classification of Unknown Devices...................... 97 5.6 Applicability of the Proposed Solution.................... 98 5.6.1 Architectural Reference Models.................... 98 5.6.2 Implementation Feasibility...................... 100 5.6.3 Real-Life Scenarios: Applicability................... 102 5.7 Summary.................................... 102 6 Conclusions and Future Work 105 6.1 Conclusions................................... 105 viii 6.2 Contributions and Findings.......................... 106 6.2.1 Introduction, Background and Related Work............ 106 6.2.2 A New Threat and a Novel Solution: Machine Emulation Detec- tion Algorithm............................. 107 6.2.3 A Classification Approach to Detecting Illegitimate Embedded Machines................................ 107 6.2.4 Attack and Defence in Behavioural Tests.............. 107 6.3 Future Work.................................. 108 6.4 Summary.................................... 109 A Appendices 111 A.1 Characterisation Algorithm.......................... 111 A.2 Characterisation Algorithm Outputs..................... 115 A.3 Machine Emulation Detection Algorithm................... 117 A.4 Classification-based Algorithm........................ 121 A.5 Architecture-based Timing Test on Raspberry Pi 2 model B........ 125 A.6 Architecture-based Timing Test: QEMU patch............... 127 B Appendices 129 B.1 Performance Results from MEDA, k-NN and RF.............. 129 B.2 Performance Results from k-NN and RF without the Normalisation Step. 134 B.3 Cumulative Frequency Histograms for Timestamp Features used to Detect FTA....................................... 136 Bibliography 139 ix Illustrations List of Figures 1.1 Trend of top attack news against things and the IoT infrastructure. Attacks against embedded things are highlighted. Attacks related to both things and the IoT infrastructure are shown. In 2013, things and the IoT infrastruc- ture were attacked for the first time and at the same time, while in 2015, compromised embedded things were used to attack the IoT infrastructure..8 2.1 Forecast of connected Internet of Things (IoT) devices............. 17 2.2 Social Internet of Things (SIoT) architecture................... 20 2.3 Types of relationship in the SIoT paradigm................... 21 2.4 Virtual Continuum in the IoT architecture.................... 22 2.5 Fog Computing in the Internet of Everything (IoE) system........... 23 2.6 An Man-in-the-Middle (MITM) attack against Rivest-Shamir-Adleman (RSA). 27 2.7 Summary of information security and trust triads, showing CIA and