An Infection-Identifying and Self-Evolving System for IoT Early Defense from Multi-Step Attacks

Conference paper, Computer Security – ESORICS 2022 (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13555)

Abstract

Internet-of-Things (IoT) cyber threats such as jackware [14] and cryptomining [33] show that insecure IoT devices can be exploited by attackers with different goals. As many such attacks are multi-step, early detection is critical: it enables early attack containment and response, and prevents malware propagation. However, detecting early-phase attacks with both high precision and high recall is challenging, as attackers typically try to evade detection systems with stealthy or zero-day attacks. To enhance the security of IoT devices, we propose IoTEDef, a deep learning-based system that identifies infection events and evolves with the identified infections. IoTEDef models multi-step attacks using cyber kill chains and maintains a detector for each step. When it detects anomalies related to a later stage of the kill chain, IoTEDef backtracks through the log of events and analyzes them to identify the infection events. It then updates its infection detector with the identified events. IoTEDef can be used for threat hunting as well as for generating indicators of compromise and of attack. To show its feasibility, we implement a prototype of the system and evaluate it against the Mirai botnet campaign [2] and the multi-step attack that exploits the Log4j vulnerability [36] to infect IoT devices. Our results show that the F1-score of the evolved infection detector in IoTEDef, instantiated with long short-term memory (LSTM) and the attention mechanism, increases from 0.31 to 0.87. We also show that existing attention-based NIDSes can benefit from our approach.


References

  1. Andrea, H.: 10 benefits of Internet of Things (IoT) in our lives and businesses (2021). https://www.tech21century.com/internet-of-things-iot-benefits/. Accessed 13 Sep 2021

  2. Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th USENIX Security Symposium (2017)

  3. Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate. In: International Conference on Learning Representations (2015)

  4. Bertino, E., Islam, N.: Botnets and Internet of Things security. IEEE Comput. 50(2), 76–79 (2017)

  5. Chaudhari, S., Mithal, V., Polatkan, G., Ramanath, R.: An attentive survey of attention models. ACM Trans. Intell. Syst. Technol. (TIST) 12(5), 1–32 (2021)

  6. Cho, K., Merriënboer, B.V., Bahdanau, D., Bengio, Y.: On the properties of neural machine translation: encoder-decoder approaches (2014)

  7. Cole, E.: Threat hunting: open season on the adversary (2016). https://de.malwarebytes.com/pdf/white-papers/Survey_Threat-Hunting-2016_Malwarebytes.pdf. Accessed 31 Jan 2022

  8. CoreSecurity: Pcapy (2014). Accessed 15 Oct 2021

  9. Dingee, D.: IoT, not people, now the weakest link in security (January 2019). https://devops.com/iot-not-people-now-the-weakest-link-in-security/. Accessed 13 May 2021

  10. Eskandari, M., Janjua, Z.H., Vecchio, M., Antonelli, F.: Passban IDS: an intelligent anomaly-based intrusion detection system for IoT edge devices. IEEE Internet Things J. 7(8), 6882–6897 (2020)

  11. Forney, G.D.: The Viterbi algorithm. Proc. IEEE 61(3), 268–278 (1973)

  12. Fu, Y., Yan, Z., Cao, J., Koné, O., Cao, X.: An automata based intrusion detection method for Internet of Things. Mob. Inf. Syst. 2017, 1750637:1–1750637:13 (2017)

  13. Gartner: Addressing the cyber kill chain: full Gartner research report and LookingGlass perspectives (2016). Accessed 06 Mar 2021

  14. Glassberg, J.: Jackware: a new type of ransomware could be 10 times as dangerous (2021). https://finance.yahoo.com/news/ransomware-jackware-115229732.html. Accessed 12 June 2021

  15. Gu, G., Porras, P.A., Yegneswaran, V., Fong, M.W., Lee, W.: BotHunter: detecting malware infection through IDS-driven dialog correlation. In: USENIX Security Symposium, vol. 7, pp. 1–16 (2007)

  16. Guo, C., Berkhahn, F.: Entity embeddings of categorical variables. arXiv preprint arXiv:1604.06737 (2016)

  17. Haas, S., Fischer, M.: GAC: graph-based alert correlation for the detection of distributed multi-step attacks. In: Proceedings of the 33rd Annual ACM Symposium on Applied Computing, pp. 979–988 (2018)

  18. Habibi, J., Midi, D., Mudgerikar, A., Bertino, E.: Heimdall: mitigating the internet of insecure things. IEEE Internet Things J. 4(4), 968–978 (2017)

  19. Han, X., Pasquier, T., Bates, A., Mickens, J., Seltzer, M.: Unicorn: runtime provenance-based detector for advanced persistent threats. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2020)

  20. Hutchins, E.M., Cloppert, M.J., Amin, R.M., et al.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Lead. Issues Inf. Warfare Secur. Res. 1(1), 80 (2011)

  21. Jallad, K.A., Aljnidi, M., Desouki, M.S.: Anomaly detection optimization using big data and deep learning to reduce false-positive. J. Big Data 7(1) (2020)

  22. Javed, M., Paxson, V.: Detecting stealthy, distributed SSH brute-forcing. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 85–96 (2013)

  23. Kang, H., Ahn, D., Lee, G., Yoo, J., Park, K., Kim, H.: IoT network intrusion dataset (2019). https://ieee-dataport.org/open-access/iot-network-intrusion-dataset. Accessed 06 Mar 2021

  24. Keras: Keras (2016). https://keras.io/. Accessed 15 Oct 2021

  25. Klassen, F.: AppNeta: Tcpreplay (2018). https://tcpreplay.appneta.com/. Accessed 06 Mar 2021

  26. Krebs, B.: Reaper: calm before the IoT security storm? (October 2017). https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/. Accessed 05 July 2021

  27. Lantz, B., Heller, B., McKeown, N.: A network in a laptop: rapid prototyping for software-defined networks. In: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, pp. 1–6 (2010)

  28. Lashkari, A.H.: CICFlowMeter features (2018). https://github.com/ahlashkari/CICFlowMeter/blob/master/ReadMe.txt. Accessed 19 May 2022

  29. Liu, C., Liu, Y., Yan, Y., Wang, J.: An intrusion detection model with hierarchical attention mechanism. IEEE Access 8, 67542–67554 (2020)

  30. Luong, M.T., Pham, H., Manning, C.D.: Effective approaches to attention-based neural machine translation. In: The 2015 Conference on Empirical Methods in Natural Language Processing (EMNLP 2015) (2015)

  31. Mannila, H., Toivonen, H., Verkamo, A.I.: Discovery of frequent episodes in event sequences. Data Min. Knowl. Disc. 1(3), 259–289 (1997)

  32. Martin, L.: Seven ways to apply the cyber kill chain with a threat intelligence platform (2015). Lockheed Martin Corporation

  33. McMillen, D., Alvarez, M.: Mirai IoT botnet: mining for bitcoins? (April 2017). https://securityintelligence.com/mirai-iot-botnet-mining-for-bitcoins/. Accessed 05 July 2021

  34. Midi, D., Rullo, A., Mudgerikar, A., Bertino, E.: Kalis: a system for knowledge-driven adaptable intrusion detection for the Internet of Things. In: 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), pp. 656–666. IEEE (2017)

  35. Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: HOLMES: real-time APT detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (S&P), pp. 1137–1152. IEEE (2019)

  36. Msehgal: Protect your IoT devices from Log4j 2 vulnerability (2021). https://live.paloaltonetworks.com/t5/blogs/protect-your-iot-devices-from-log4j-2-vulnerability/ba-p/453381. Accessed 14 Jan 2022

  37. Nguyen, T.D., Marchal, S., Miettinen, M., Fereidooni, H., Asokan, N., Sadeghi, A.R.: DÏoT: a federated self-learning anomaly detection system for IoT. In: 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS), pp. 756–767. IEEE (2019)

  38. Osborne, C.: This is why the Mozi botnet will linger on (2021). https://www.zdnet.com/article/this-is-why-the-mozi-botnet-will-linger-on/. Accessed 27 Jan 2022

  39. Palmer, D.: This sneaky hacking group hid inside networks for 18 months without being detected (2022). https://www.zdnet.com/article/this-sneaky-hacking-group-hid-inside-networks-for-18-months-without-being-detected/. Accessed 18 May 2022

  40. Research, C.P.: IoTroop botnet: the full investigation (March 2017). https://research.checkpoint.com/2017/iotroop-botnet-full-investigation/. Accessed 05 July 2021

  41. Soleimani, M., Ghorbani, A.A.: Multi-layer episode filtering for the multi-step attack detection. Comput. Commun. 35(11), 1368–1379 (2012)

  42. Sqrrl Data, I.: A framework for cyber threat hunting (2018). https://www.threathunting.net/files/framework-for-threat-hunting-whitepaper.pdf. Accessed 31 Jan 2022

  43. Storm, B.E., Applebaum, A., Miller, D.P., Nickels, K.C., Pennington, A.G., Thomas, C.B.: MITRE ATT&CK: design and philosophy (2018). Accessed 06 Mar 2021

  44. Sutskever, I., Vinyals, O., Le, Q.V.: Sequence to sequence learning with neural networks. In: Proceedings of the 27th International Conference on Neural Information Processing Systems, vol. 2, pp. 3104–3112 (2014)

  45. Tang, C., Luktarhan, N., Zhao, Y.: SAAE-DNN: deep learning method on intrusion detection. Symmetry 12(10), 1695 (2020)

Acknowledgement

The work reported in this paper has been supported by Cisco Research and by NSF under grant 2112471.

Corresponding author: Hyunwoo Lee

A Dataset Generation

In our experiment, we use the dataset from [23]. It consists of several files that capture packets related to the Mirai botnet, including ARP spoofing packets, host discovery packets, and flooding packets. Among them, we use the following packets in our experiment:

  • Benign: these packets are normal packets exchanged between benign entities.

  • Port scanning: these packets are simple SYN packets used to scan for open ports on a targeted device. These packets are labeled as Reconnaissance.

  • Brute force: these packets are used to perform dictionary attacks with predefined credentials to infiltrate a target device. We label these packets as Infection.

  • Flooding: these packets are SYN/ACK/HTTP/UDP flooding packets that cause a DoS condition at a victim. These packets are tagged as Action.

Due to the limited number of available datasets, we manipulate the existing dataset to create new, diverse scenarios. For example, we may want a dataset with a specified number of infection packets at a certain time and a number of UDP flooding packets over a particular period. To this end, we implement a data manipulation script, which works as follows:

  1. A new scenario file is created. The starting time of the scenario is 0.

  2. A list of files that contain interesting packets is specified with the starting time and the duration. In detail, the list consists of a number of entries of the form (<file name> <starting time> <duration>), meaning that packets are randomly extracted from <file name> and inserted into the new scenario file at time <starting time> for <duration>. For example, (bruteforce.pcap 10 2) means that packets from bruteforce.pcap are inserted into the new scenario at time 10 for 2 s.

  3. All the packets are extracted from the files in the list and put into the new scenario file at the appropriate positions. We allow overlaps between packets from different files.

  4. Finally, the IP addresses of the packets are rewritten to loopback addresses.

This way, we can flexibly generate a new dataset. The dataset generation script is available at https://github.com/iotedef.
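The four steps above, as an added illustration that is not the authors' script from https://github.com/iotedef: it works on constructed in-memory packet records rather than real pcap files, so the capture names, packet contents and the `build_scenario`/`stage_window` helpers are assumptions made for the example.

```python
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since the start of the capture it came from
    src: str
    dst: str
    label: str   # kill-chain stage label carried over from the source capture
    size: int

def synth(n, gap, src, dst, label, size):
    """Constructed stand-in for one capture file; a real run would read the pcaps from [23]."""
    return [Packet(i * gap, src, dst, label, size) for i in range(n)]

# Constructed captures, named like the per-stage files the appendix describes.
CAPTURES = {
    "benign.pcap":     synth(40, 0.5,   "192.168.0.2",  "192.168.0.10", "Benign", 120),
    "portscan.pcap":   synth(200, 0.01, "192.168.0.99", "192.168.0.10", "Reconnaissance", 60),
    "bruteforce.pcap": synth(50, 0.2,   "192.168.0.99", "192.168.0.10", "Infection", 90),
    "udpflood.pcap":   synth(500, 0.001, "192.168.0.10", "10.0.0.5",    "Action", 1400),
}

def build_scenario(spec, captures=CAPTURES, count=20, seed=0):
    """spec: list of (file name, starting time, duration) entries, as in step 2.
    Draws `count` random packets from each named capture, spreads them over
    [start, start + duration], lets windows overlap (step 3), and rewrites
    both endpoints to the loopback address (step 4)."""
    rng = random.Random(seed)
    scenario = []                      # the new scenario file; time starts at 0 (step 1)
    for name, start, duration in spec:
        source = captures[name]
        for p in rng.sample(source, min(count, len(source))):
            ts = start + rng.uniform(0.0, duration)
            scenario.append(replace(p, ts=ts, src="127.0.0.1", dst="127.0.0.1"))
    scenario.sort(key=lambda p: p.ts)
    return scenario

def stage_window(scenario, label):
    """Earliest and latest timestamp at which packets of one stage appear, or None."""
    times = [p.ts for p in scenario if p.label == label]
    return (min(times), max(times)) if times else None

if __name__ == "__main__":
    spec = [("benign.pcap", 0, 20), ("portscan.pcap", 5, 3),
            ("bruteforce.pcap", 10, 2), ("udpflood.pcap", 15, 5)]
    scenario = build_scenario(spec)
    for stage in ("Reconnaissance", "Infection", "Action"):
        print(stage, stage_window(scenario, stage))
```

Because the labels travel with the packets, the same scenario doubles as ground truth for scoring a per-stage detector.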

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Lee, H., Mudgerikar, A., Kundu, A., Li, N., Bertino, E. (2022). An Infection-Identifying and Self-Evolving System for IoT Early Defense from Multi-Step Attacks. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_27

  • DOI: https://doi.org/10.1007/978-3-031-17146-8_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8
