Air Force Institute of Technology AFIT Scholar Theses and Dissertations Student Graduate Works 3-22-2019 A Blockchain-Based Anomalous Detection System for Internet of Things Devices Joshua K. Mosby Follow this and additional works at: https://scholar.afit.edu/etd Part of the Digital Communications and Networking Commons, and the Information Security Commons Recommended Citation Mosby, Joshua K., "A Blockchain-Based Anomalous Detection System for Internet of Things Devices" (2019). Theses and Dissertations. 2275. https://scholar.afit.edu/etd/2275 This Thesis is brought to you for free and open access by the Student Graduate Works at AFIT Scholar. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of AFIT Scholar. For more information, please contact [email protected]. A BLOCKCHAIN-BASED ANOMALOUS DETECTION SYSTEM FOR INTERNET OF THINGS DEVICES THESIS Joshua K. Mosby, Captain, USAF AFIT-ENG-MS-19-M-047 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio DISTRIBUTION STATEMENT A. APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States. AFIT-ENG-MS-19-M-047 A BLOCKCHAIN-BASED ANOMALOUS DETECTION SYSTEM FOR INTERNET OF THINGS DEVICES THESIS Presented to the Faculty Department of Electrical and Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science in Cyber Operations Joshua K. Mosby, BS Captain, USAF March 2019 DISTRIBUTION STATEMENT A. APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. AFIT-ENG-MS-19-M-047 A BLOCKCHAIN-BASED ANOMALOUS DETECTION SYSTEM FOR INTERNET OF THINGS DEVICES Joshua K. Mosby, BS Captain, USAF Committee Membership: Barry E. Mullins, Ph.D., P.E. Chair Scott R. Graham, Ph.D. Member Timothy H. Lacey, Ph.D, CISSP Member AFIT-ENG-MS-19-M-047 Abstract The Internet of Things (IoT) represents a new paradigm in computing. The ability to connect everyday devices to the Internet has created a global grid of sensors, generating data that is used to boost productivity in every industry. The IoT has even entered homes, improving quality of life through smart home automation. While it provides these benefits, the IoT is under attack. Long characterized by a lack of security, particularly in terms of authentication and integrity, the IoT has become a favorite target of hackers. The last three years has witnessed the birth of the botnet, delivering never-before-seen denial of service attacks. Traditional cyber security countermeasures are either inapplicable or ineffective, leaving the IoT without adequate protection. IoT devices are often lightly defended and always online, making them an attractive target. However, many device owners do not realize they have been compromised, particularly when devices lack a user interface. This creates a need for an intrusion detection system: a way to alert device users to abnormal, potentially-malicious behavior. Low computing resources on IoT devices leads many researchers to segregate vulnerable devices and set up defenses on the network boundary. If devices cannot be segregated, this approach is ineffective. A device-centric security solution provides flexibility and be applicable to a larger number of scenarios. This thesis describes an anomalous-based intrusion detection system that operates directly on IoT devices. In this approach, an agent on each node compares the node's behavior to that of its peers. If these values are not in alignment, the agent generates an iv alert. Communication amongst nodes occurs using a distributed average consensus Blockchain. A new block is generated when the majority of nodes agree on a set of values. This becomes the new standard for agents on all nodes to compare against. Nodes continually communicate to reach consensus and generate new blocks, allowing this standard to flex and evolve over time. To determine the effectiveness of this detection system, an experiment is conducted. Three different code samples simulating common IoT malware are deployed against a testbed of 12 Raspberry Pi devices, which emulate IoT devices. Increasing numbers of hosts are infected until two-thirds of the network is compromised, and the detection rate is recorded for each trial. The detection system is effective at detecting malware infections, catching at least one malicious node in every trial. 52% of trials catch all infected nodes, achieving perfect detection. The average trial detection percentage is 82%. There are differences in the detection rate for the different malware types, with two above 90% and the third at 60%. This suggests that additional tailoring of the system, as well as some changes to the alert threshold, could further increase effectiveness. This research presents a low-resource, scalable anomaly detection system that is effective at detecting malware infections. This research provides insights into how Blockchain technology can be used to improve IoT security. It also deploys security mechanisms directly to IoT devices and, by comparing nodes to their peers, turns the multitude of Internet of Things devices into an asset rather than a liability. v Acknowledgments I would like to express my sincere appreciation to my faculty advisor, Dr. Barry Mullins, for his guidance and support throughout the course of this thesis effort. I would like to thank my sponsor for both the support and latitude provided to me in this endeavor. I would also like to thank my wife for her love and support during my studies. Joshua K. Mosby vi Table of Contents Page Abstract .............................................................................................................................. iv Table of Contents .............................................................................................................. vii List of Figures ......................................................................................................................x List of Tables ................................................................................................................... xiii List of Acronyms ............................................................................................................. xiv I. Introduction ....................................................................................................................1 1.1 Background...........................................................................................................1 1.2 Problem Statement................................................................................................2 1.3 Research Goals and Hypothesis ...........................................................................2 1.4 Approach ..............................................................................................................2 1.5 Assumptions/Limitations ......................................................................................3 1.6 Research Contributions ........................................................................................3 1.7 Thesis Overview ...................................................................................................4 II. Background and Related Research ................................................................................5 2.1 Chapter Overview .................................................................................................5 2.2.1 Symmetric vs Asymmetric ........................................................................ 5 2.2.2 Public Key Cryptography .......................................................................... 6 2.2.3 Digital Signatures ...................................................................................... 7 2.2.4 Hashing ...................................................................................................... 8 2.3 Distributed Systems ..............................................................................................9 2.3.1 Overview ................................................................................................... 9 2.3.2 Consensus ................................................................................................ 10 2.4 Blockchain ..........................................................................................................12 2.4.1 Overview ................................................................................................. 12 2.4.2 Bitcoin ..................................................................................................... 13 2.4.3 Other Common Blockchains ................................................................... 15 2.5 Internet of Things ...............................................................................................17 2.5.1 Overview ................................................................................................. 17 2.5.2 Security Risks .......................................................................................... 19 2.5.3 Security Countermeasures ......................................................................