João Miguel Coimbra Barros da Silva Attack and Intrusion Detection on the IoT Dissertation Report Master in Informatics Engineering advised by Prof. Doutor António Jorge da Costa Granjal and presented to the Department of Informatics Engineering of the Faculty of Sciences and Technology of the University of Coimbra January 2018 Acknowledgements I would like to thank to my supervisor, Prof. Doutor Jorge Granjal, who guided me through this thesis and for always giving me precious suggestions. Special gratitude to Prof. Doutor Nuno Louren¸co,whose experience in machine learning was very helpful. To all my family and friends, thank you for always being there for me, and for putting up with me on my most grumpy moments. \The best way out is always through" by Robert Frost i Abstract Nowadays, the Internet of Things (IoT) has a big impact on our way of living, making security a huge concern. In many cases, standard techniques like firewalls are unable to prevent intrusions, and thus, Intrusion Detection Systems (Intrusion Detection System (IDS)s) are required, either for detecting external or internal breaches of security. Currently, for the IoT, there are no ready-to-use IDS solutions based on pattern recognition. The main goal of this work is to develop an Anomaly-based IDS for the IoT, operating at the Constrained Application Protocol (CoAP). The new Anomaly-based IDS, AnIDS, is presented along with the architecture, software libraries, platforms, scenario and performance evaluation. Client CoAP level misbehaviors are programmed in Con- tiki, and features are calculated with Wireshark, a packet dissector. These features are pre-processed by standardization and the feature extraction algorithms Principal Component Analysis (PCA) and Lin- ear Discriminant Analysis (LDA). The resulting data is processed using Support Vector Machine (SVM), a machine learning algorithm based on the Scikit-Learn package, in order to train a classifier. This classifier is evaluated with the plotting of Confusion Matrices and Receiving Operator Characteristic (ROC) Curves. AnIDS allows to detect the signs of an intrusion, by cross checking the normal behavior, known a priori of the nodes, with a known data pattern of intrusion. AnIDS is also able to identify the type of misbehavior present on a node based on a priori data patterns of the specific intrusion. The Client CoAP misbehavior implemented are: implicit Denial of Service (DoS), repeatedly Acknowledgement (ACK) sending, wrong URI requesting, and invalid CoAP content accept option requesting. Results demonstrate that AnIDS can obtain an F Measure and a Recall scores of ∼ 98%, demonstrating that the system is capable to distinguish between the normal and the intruder behavior. As CoAP is the most disseminated open source application protocol on the IoT, AnIDS can have a significant impact on IoT security. Keywords| IoT, 6LoWPAN, CoAP, Machine Learning, IDS iii Resumo Na civiliza¸c~aoatual, a Internet das Coisas (IoT) rege a nossa forma de viver, tornando a seguran¸cadesses aparelhos uma preocupa¸c~ao.Em muitos casos, t´ecnicasstandard como as firewalls s~aoinsuficientes, exigindo o recurso a Sistemas de Dete¸c~aode Intrus~oes(IDS) de forma a identificar intrus~oesexternas e internas. Atualmente, para a IoT, n~aose encontram IDSs baseados em reconhecimento de padr~oesque estejam dispon´ıveis. O objetivo desta tese ´edesenvolver um novo IDS baseado em anoma- lias para a IoT, que opere ao n´ıvel da camada protocolar de aplica¸c~ao, CoAP (constrained application protocol). E´ apresentado um novo IDS, AnIDS, sendo descrita a sua arquitetura, bibliotecas de software, plataforma, cen´arioe as t´ecnicas usadas para a avalia¸c~aoda performance. Os comportamentos err´oneosde clientes CoAP s~aoprogramados em Contiki, e as caracter´ısticas(features) s~ao calculadas via Wireshark. Estas caracter´ısticass~aopr´e-processadas com standardiza¸c~ao,para m´edia0 e desvio padr~ao1, e s~aoaplica- dos os algoritmos de extra¸c~aode features PCA e LDA. Os dados resultantes permitem treinar o algoritmo de classifica¸c~aoSVM, pre- sente na biblioteca Scikit-Learn. O classificador ´eavaliado atrav´es do c´alculode matrizes de confus~aoe curvas ROC. O AnIDS permite detetar sinais de intrus~oescruzando dados car- acter´ısticos de comportamento normal com dados de n´oscom um padr~aoconhecido de intrus~ao.O AnIDS tamb´em´ecapaz de identi- ficar o tipo de comportamento err´oneopresente num n´obaseando-se em padr~oesde dados de intrus~oesespec´ıficas,previamente conheci- das. Implementam-se os seguintes comportamentos err´oneos: DoS impl´ıcito,envio constante de ACKs, pedidos a URIs inv´alidose pe- didos com a flag de CoAP accept n~aosuportada. Os resultados obtidos para os indicadores F Measure e Recall de ∼ 98%, demonstram que o AnIDS pode distinguir com elevado grau de certeza o comportamento normal do comportamento err´oneo.Dado que o CoAP ´eo protocolo aberto mais disseminado da IoT, o AnIDS poder´ater um grande impacto na seguran¸canos dispositivos da IoT. Plavras Chave| IoT, 6LoWPAN, CoAP, Machine Learning, IDS v vi Contents 1 Introduction 1 1.1 Context . .1 1.2 Research Goals . .1 1.3 Document Structure . .2 2 State of the Art 3 2.1 Basic Concepts . .3 2.2 Protocols on the IoT and their Security . .3 2.2.1 IEEE 802.15.4-2011 . .4 2.2.2 IETF 6LoWPAN . .5 2.2.3 IETF RPL . .5 2.2.4 Constrained Application Protocol (CoAP) . .6 2.3 IoT Operating Systems . .8 2.4 Intrusion Detection on the Internet . 16 2.4.1 IDS Methodologies . 16 2.5 Intrusions and Detection Systems on the IoT . 19 2.5.1 Denial of Service Detection . 20 2.5.2 Hybrid IDS . 22 2.5.3 Anomaly-based IDS . 24 2.5.4 Wormhole Attack Detection Solution . 25 2.5.5 A Deep Packet Inspection (DPI) based Solution . 26 2.5.6 An IDPM Solution . 27 2.6 Conclusions . 27 3 System Architecture and Methodologies 29 3.1 Architecture . 29 3.2 Misbehavior to be detected . 30 3.3 Model Learning and Detection Methodology . 31 4 Implementation and Evaluation Strategy 35 4.1 Implementation Strategy . 35 4.2 Implementing and Automating the Experiments . 37 4.3 Previous Approaches . 39 4.4 Final Product Characteristics . 41 4.5 Evaluation Strategy of the IDS . 41 5 Results and Analysis 43 5.1 Multi-Class Problem Approach . 43 5.2 Binary Class Problem Approach . 53 6 Conclusion and Future Work 59 vii viii Acronyms 6BR 6LoWPAN Border Router. ACK Acknowledgement. BLE Bluetooth Low Energy. CoAP Constrained Application Protocol. DoS Denial of Service. GTS Guaranteed Time Slots. IDS Intrusion Detection System. IEEE Institute of Electrical and Electronics Engineers. IETF International Engineering Task Force. IoT Internet of Things. IPv6 Internet Protocol version 6. KNN K-Nearest Neighbours. LDA Linear Discriminant Analysis. LQI Link Quality Indication. MAC Media Access Control. ND Neighbour Discovery. OS Operating System. PCA Principal Component Analysis. rbf Radial Basis Function. ROC Receiving Operator Characteristic. RPL Routing Protocol for Low Power and Lossy Networks. SCP Secure Copy. SM Security Manager. SSH Secure Shell. SVD Singular Value Decomposition. SVM Support Vector Machine. UART Universal asynchronous receiver/transmitter. ix x List of Figures 2.1 Pros and Cons of IDS Methodologies . 16 2.2 IDS Taxonomy . 18 2.3 Intrusion Taxonomy by Protocolar Layer . 19 2.4 DoS Detection Architecture . 21 2.5 SVELTE Energy overhead . 23 2.6 SVELTE Memory Overhead . 23 2.7 RIDES Architecture . 24 2.8 Solution against Botnet . 25 2.9 WIDS architectural scheme . 25 2.10 Pongle architectural scheme for detecting wormhole attacks . 26 3.1 High Level Architecture of the proposed solution . 30 3.2 Probing Scheme for the proposed solution . 31 3.3 Learning Methodology Approach chosen . 33 4.1 Developed GUI for tuning the Detection Module of the IDS . 36 4.2 Steps used for connecting the local computer to the IoT-LAB server and for launching the experiments. 37 4.3 Decision Tree of IDS's expected cost . 42 5.1 Multi-Class problem - PCA with auto solver, 3 Components and Data Whitening . 44 5.2 Multi-Class problem - Grid Search SVM with linear Kernel, One vs. Rest decision function shape, 30 iterations, and scoring criterion of accuracy, Confusion Matrix 5.2a and ROC Curves 5.2b . 44 5.3 Multi-Class problem - Grid Search SVM with: RBF Kernel, One vs. Rest decision function shape, 30 iterations and scoring criterion of Weighted F - Measure, Confusion Matrix 5.3a and ROC Curves 5.3b . 45 5.4 Multi-Class problem - Grid Search SVM with: polynomial Kernel, One vs. Rest decision function shape, 30 iterations and scoring criterion of Weighted F Measure, confusion Matrix 5.4a and ROC Curves 5.4b . 45 5.5 Multi-Class problem - Grid Search SVM with: sigmoidal Kernel, One vs. Rest decision function shape, 30 iterations, and a scoring criterion of accu- racy, confusion Matrix 5.5a and ROC Curves 5.5b . 45 5.6 Multi-Class problem - Grid Search SVM with: linear Kernel, One vs. Rest decision function shape, 30 iterations, and scoring criterion of Weighted F Measure, confusion Matrix 5.6a and ROC Curves 5.6b . 46 5.7 Multi-Class problem - Grid Search SVM with: rbf Kernel, One vs. Rest decision function shape, 30 iterations and scoring criterion of Weighted F - Measure, Confusion Matrix 5.7a and ROC Curves 5.7b . 47 xi 5.8 Multi-Class problem - Grid Search SVM with: polynomial Kernel, One vs. Rest decision function shape, 30 iterations and scoring criterion of Weighted F Measure, confusion Matrix 5.8a and ROC Curves 5.8b . 47 5.9 Multi-Class problem - Grid Search SVM with: sigmoidal Kernel, One vs. Rest decision function shape, 30 iterations, and a scoring criterion of Weighted F Measure, confusion Matrix 5.9a and ROC Curves 5.9b.