
ProvIoT : Detecting Stealthy Attacks in IoT through Federated Edge-Cloud Security

  • Conference paper
  • Applied Cryptography and Network Security (ACNS 2024)

Abstract

Internet of Things (IoT) devices have increased drastically in complexity and prevalence within the last decade. Alongside the proliferation of IoT devices and applications, attacks targeting them have gained popularity. Recent large-scale attacks such as Mirai and VPNFilter highlight the lack of comprehensive defenses for IoT devices. Existing security solutions are inadequate against skilled adversaries with sophisticated and stealthy attacks against IoT devices. Powerful provenance-based intrusion detection systems have been successfully deployed in resource-rich servers and desktops to identify advanced stealthy attacks. However, IoT devices lack the memory, storage, and computing resources to directly apply these provenance analysis techniques on the device.

This paper presents ProvIoT, a novel federated edge-cloud security framework that enables on-device syscall-level behavioral anomaly detection in IoT devices. ProvIoT applies federated learning techniques to overcome data and privacy limitations while minimizing network overhead. Infrequent on-device training of the local model requires less than 10% CPU overhead; syncing with the global models requires sending and receiving ~2MB over the network. During normal offline operation, ProvIoT periodically incurs less than 10% CPU overhead and less than 65MB memory usage for data summarization and anomaly detection. Our evaluation shows that ProvIoT detects fileless malware and stealthy APT attacks with an average F1 score of 0.97 in heterogeneous real-world IoT applications. ProvIoT is a step towards extending provenance analysis to resource-constrained IoT devices, beginning with well-resourced IoT devices such as the Raspberry Pi, Jetson Nano, and Google TPU.


References

  1. Insteon Hub 2242-222: lack of web and API authentication (2013). https://www.exploit-db.com/exploits/27284. Accessed 26 May 2023

  2. Apple watch ram size comparison chart: how much ram does apple watch have? (2015). https://www.knowyourmobile.com/wearable-technology/apple-watch-ram-size/. Accessed 26 May 2023

  3. Google nest - support (2015). https://support.google.com/googlenest/answer/9230098. Accessed 26 May 2023

  4. Auditing security events (2017). https://goo.gl/FkaDCa

  5. Google home mini teardown, comparison to echo dot, and giving technology a voice (2017). https://tinyurl.com/ykbay2fu. Accessed 26 May 2023

  6. Google Assistant, your own personal Google (2018). https://assistant.google.com/

  7. Motion (2018). https://motion-project.github.io/

  8. Raspberry Pi - Teach, Learn, and Make with Raspberry Pi (2018). https://www.raspberrypi.org

  9. Gensim: Topic modelling for humans (2019). https://radimrehurek.com/gensim/index.html

  10. Tinyml foundation (2019). https://www.tinyml.org/. Accessed 25 May 2023

  11. Inside amazon’s ring alarm system (2020). https://tinyurl.com/yck5jm4m. Accessed 26 May 2023

  12. Cyber kill chain® | lockheed martin (2021). https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html. Accessed 24 Jul 2021

  13. Process injection: Ptrace system calls, sub-technique T1055.008 - Enterprise | MITRE ATT&CK® (2021). https://attack.mitre.org/techniques/T1055/008/. Accessed 23 Jul 2021

  14. Cloud-based data platform for cybersecurity, it operations and devops | splunk (2022). https://www.splunk.com/. Accessed 23 Jul 2021

  15. Iot is a gold mine for hackers using fileless malware for cyberattacks - techrepublic (2022). https://tek.io/30dBnIU. Accessed 23 Jul 2021

  16. Smart refrigerator with family hub (2022). https://tinyurl.com/4kz6z6z5. Accessed 26 May 2023

  17. Acar, A., Aksu, H., Uluagac, A.S., Conti, M.: A survey on homomorphic encryption schemes: Theory and implementation. ACM Comput. Surv. 51(4), 1–35 (2018). https://doi.org/10.1145/3214303

  18. Acar, A., et al.: Peek-a-boo: I see your smart home activities, even encrypted! In: Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 207–218. WiSec 2020, Association for Computing Machinery, New York, NY, USA (2020). https://doi.org/10.1145/3395351.3399421

  19. Ahmad, A., Lee, S., Peinado, M.: HARDLOG: practical tamper-proof system auditing using a novel audit device. In: 2022 IEEE Symposium on Security and Privacy (SP), pp. 1791–1807 (2022)

  20. Alrawi, O., et al.: The circle of life: a large-scale study of the IoT malware lifecycle. In: USENIX Security Symposium, pp. 3505–3522 (2021)

  21. Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 1093–1110. USENIX Association, Vancouver, BC (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis

  22. Armis Security: Blueborne: Bluetooth exposes android, linux, windows and iOS devices to airborne attacks (2017). https://www.armis.com/research/blueborne/

  23. Babun, L., Celik, Z.B., McDaniel, P., Uluagac, S.: Real-time analysis of privacy-(un)aware IoT applications. Proc. Priv. Enhancing Technol. 2021, 145–166 (2021). https://doi.org/10.2478/popets-2021-0009

  24. Bahşi, H., Nõmm, S., La Torre, F.B.: Dimensionality reduction for machine learning based IoT botnet detection. In: 2018 15th International Conference on Control, Automation, Robotics and Vision (ICARCV), pp. 1857–1862. IEEE (2018)

  25. Bansal, A., Kandikuppa, A., Chen, C.Y., Hasan, M., Bates, A., Mohan, S.: Towards efficient auditing for real-time systems. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds.) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol. 13556, pp. 614–634. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17143-7_30

  26. Barr-Smith, F., Ugarte-Pedrero, X., Graziano, M., Spolaor, R., Martinovic, I.: Survivalism: systematic analysis of Windows malware living-off-the-land. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 1557–1574 (2021). https://doi.org/10.1109/sp40001.2021.00047

  27. Bonawitz, K., et al.: Towards federated learning at scale: system design. arXiv.org (2019)

  28. Bostani, H., Sheikhan, M.: Hybrid of anomaly-based and specification-based IDS for internet of things using unsupervised OPF based on MapReduce approach. Comput. Commun. 98, 52–71 (2017)

  29. Chaudhary, A., Mittal, H., Arora, A.: Anomaly detection using graph neural networks. In: 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon), pp. 346–350 (2019). https://doi.org/10.1109/COMITCon.2019.8862186

  30. Chawathe, S.S.: Monitoring IoT networks for botnet activity. In: 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA), pp. 1–8. IEEE (2018)

  31. Chen, J., et al.: IoTFuzzer: discovering memory corruptions in IoT through app-based fuzzing. In: NDSS (2018)

  32. Cosson, A., Sikder, A.K., Babun, L., Celik, Z.B., McDaniel, P., Uluagac, A.S.: Sentinel: a robust intrusion detection system for IoT networks using kernel-level system information. In: Proceedings of the International Conference on Internet-of-Things Design and Implementation, pp. 53–66 (2021)

  33. Costin, A., Zaddach, J.: IoT Malware: comprehensive survey, analysis framework and case studies. BlackHat Briefings (2019). https://bit.ly/3DFrCBA

  34. Cozzi, E., Graziano, M., Fratantonio, Y., Balzarotti, D.: Understanding Linux malware. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 161–175. IEEE (2018)

  35. CrowdStrike: Endpoint Detection and Response (EDR). Tech. rep., CrowdStrike (2020)

  36. AT&T Cybersecurity: Malware using new Ezuri memory loader | AT&T Alien Labs (2021). https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader. Accessed 23 Jul 2021

  37. Ding, F., et al.: DeepPower: non-intrusive and deep learning-based detection of IoT malware using power side channels. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 33–46 (2020)

  38. Fernandes, E., Jung, J., Prakash, A.: Security analysis of emerging smart home applications. In: IEEE S&P (2016)

  39. Google: Edge TPU - run inference at the edge | Google Cloud (2021). https://cloud.google.com/edge-tpu. Accessed 23 Jul 2021

  40. Google: Intro to autoencoders (2021). https://www.tensorflow.org/tutorials/generative/autoencoder

  41. Han, X., et al.: SIGL: securing software installations through deep graph learning. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 2345–2362 (2021)

  42. Harpaz, O.: FritzFrog: a new generation of peer-to-peer botnets - guardicore (2020). https://bit.ly/3mJzyeq. Accessed 23 Jul 2021

  43. Hassan, W.U., et al.: NoDoze: combatting threat alert fatigue with automated provenance triage. In: NDSS (2019)

  44. Jia, Y.J., et al.: ContexIoT: towards providing contextual integrity to appified IoT platforms. In: NDSS (2017)

  45. King, S.T., Chen, P.M.: Backtracking intrusions. ACM SIGOPS Oper. Syst. Rev. 37, 223–236 (2003). https://doi.org/10.1145/945445.945467

  46. Kipf, T.N., Welling, M.: Variational graph auto-encoders. arXiv preprint arXiv:1611.07308 (2016)

  47. Kodi | Open source home theater software (2018). https://kodi.tv/

  48. Kumar, A., Lim, T.J.: Early detection of Mirai-like IoT bots in large-scale networks through sub-sampled packet traffic analysis. arXiv preprint arXiv:1901.04805 (2019)

  49. Lamport, L., Shostak, R., Pease, M.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982). https://doi.org/10.1145/357172.357176

  50. Le, Q., Mikolov, T.: Distributed representations of sentences and documents. In: International Conference on Machine Learning, pp. 1188–1196 (2014)

  51. Li, Z., Chen, Q.A., Yang, R., Chen, Y., Ruan, W.: Threat detection and investigation with system-level provenance graphs: a survey. Comput. Secur. 106, 102282 (2021)

  52. Lin, J., Zhu, L., Chen, W.M., Wang, W.C., Gan, C., Han, S.: On-device training under 256KB memory. In: Advances in Neural Information Processing Systems, vol. 35, pp. 2941–2295 (2022)

  53. Liu, Y., et al.: Towards a timely causality analysis for enterprise security. In: NDSS (2018)

  54. Matsumoto, M., Oguchi, M.: Speeding up encryption on IoT devices using homomorphic encryption. In: 2021 IEEE International Conference on Smart Computing (SMARTCOMP), pp. 270–275 (2021). https://doi.org/10.1109/SMARTCOMP52413.2021.00059

  55. McMahan, B., Moore, E., Ramage, D., Hampson, S., y Arcas, B.A.: Communication-efficient learning of deep networks from decentralized data. In: Artificial Intelligence and Statistics, pp. 1273–1282. PMLR (2017)

  56. Meidan, Y., et al.: N-BaIoT: network-based detection of IoT botnet attacks using deep autoencoders. arXiv preprint arXiv:1805.03409 (2018)

  57. Metasploit (2021). https://www.metasploit.com/. Accessed 29 Nov 2021

  58. Mirai Attacks (2016). https://goo.gl/QVv89r

  59. MITRE: MITRE ATT&CK® (2023). https://attack.mitre.org/. Accessed 23 Jul 2021

  60. Mothukuri, V., Khare, P., Parizi, R.M., Pouriyeh, S., Dehghantanha, A., Srivastava, G.: Federated-learning-based anomaly detection for IoT security attacks. IEEE Internet Things J. 9(4), 2545–2554 (2021)

  61. Mukherjee, K.: ProvIoT: detecting stealthy attacks in IoT through federated edge-cloud security (2023). https://github.com/syssec-utd/proviot

  62. Mukherjee, K., et al.: Evading provenance-based ML detectors with adversarial system actions. In: USENIX Security Symposium (SEC) (2023)

  63. Nguyen, T.D., Marchal, S., Miettinen, M., Dang, M.H., Asokan, N., Sadeghi, A.R.: DIoT: a crowdsourced self-learning approach for detecting compromised IoT devices. arXiv preprint arXiv:1804.07474 (2018)

  64. Nõmm, S., Bahşi, H.: Unsupervised anomaly based botnet detection in IoT networks. In: 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 1048–1053. IEEE (2018)

  65. NVIDIA: NVIDIA Jetson Nano Developer Kit | NVIDIA Developer (2022). https://developer.nvidia.com/embedded/jetson-nano-developer-kit. Accessed 23 Jul 2021

  66. Ozcelik, M., Chalabianloo, N., Gur, G.: Software-defined edge defense against IoT-based DDoS. In: 2017 IEEE International Conference on Computer and Information Technology (CIT), pp. 308–313. IEEE (2017)

  67. Pan, S., Hu, R., Long, G., Jiang, J., Yao, L., Zhang, C.: Adversarially regularized graph autoencoder for graph embedding. arXiv preprint arXiv:1802.04407 (2019)

  68. Raza, S., Wallgren, L., Voigt, T.: SVELTE: real-time intrusion detection in the internet of things. Ad Hoc Netw. 11(8), 2661–2674 (2013)

  69. Rieger, P., Chilese, M., Mohamed, R., Miettinen, M., Fereidooni, H., Sadeghi, A.R.: Argus: context-based detection of stealthy IoT infiltration attacks. arXiv preprint arXiv:2302.07589 (2023)

  70. Shafi, M., et al.: 5G: a tutorial overview of standards, trials, challenges, deployment, and practice. IEEE J. Sel. Areas Commun. 35(6), 1201–1221 (2017). https://doi.org/10.1109/JSAC.2017.2692307

  71. Shahid, O., Mothukuri, V., Pouriyeh, S., Parizi, R.M., Shahriar, H.: Detecting network attacks using federated learning for IoT devices. In: 2021 IEEE 29th International Conference on Network Protocols (ICNP), pp. 1–6. IEEE (2021)

  72. Sikder, A.K., Aksu, H., Uluagac, A.S.: 6thSense: a context-aware sensor-based attack detector for smart devices. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 397–414. USENIX Association, Vancouver, BC (2017). https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/sikder

  73. Sikder, A.K., Aksu, H., Uluagac, A.S.: A context-aware framework for detecting sensor-based threats on smart devices. IEEE Trans. Mob. Comput. 19(2), 245–261 (2020). https://doi.org/10.1109/TMC.2019.2893253

  74. Sikder, A.K., Petracca, G., Aksu, H., Jaeger, T., Uluagac, A.S.: A survey on sensor-based threats and attacks to smart devices and applications. IEEE Commun. Surv. Tutorials 23, 1125–1159 (2021). https://doi.org/10.1109/COMST.2021.3064507

  75. Sivaraman, V., Gharakheili, H.H., Vishwanath, A., Boreli, R., Mehani, O.: Network-level security and privacy control for smart-home IoT devices. In: WiMob, pp. 163–167 (2015)

  76. DGL Team: Deep Graph Library: easy deep learning on graphs (2022). https://www.dgl.ai/. Accessed 21 Sep 2021

  77. Keras Team: Keras: the Python deep learning API (2021). https://keras.io/

  78. Trend Micro: BrickerBot malware permanently bricks IoT devices (2017). https://tinyurl.com/2wc4vw5b

  79. Introducing Arm TrustZone (2018). https://developer.arm.com/technologies/trustzone

  80. VPNFilter (2018). https://blog.talosintelligence.com/2018/05/VPNFilter.html

  81. Wang, J., et al.: IoT-Praetor: undesired behaviors detection for IoT devices. IEEE Internet Things J. 8(2), 927–940 (2020)

  82. Wang, Q., et al.: You are what you do: hunting stealthy malware via data provenance analysis. In: NDSS (2020)

  83. Williams, M.: A new Philips Hue security patch keeps hackers from taking control of your network (2019). https://tinyurl.com/yejh839k

  84. Ying, R., Lou, Z., You, J., Wen, C., Canedo, A., Leskovec, J.: Neural subgraph matching. CoRR abs/2007.03092 (2020). https://arxiv.org/abs/2007.03092

  85. Zeek (2021). https://zeek.org/

  86. Critical flaw identified in Zigbee smart home devices (2015). https://goo.gl/BFBa1X


Acknowledgments

We thank the anonymous reviewers for their helpful feedback.

Author information


Corresponding author: Kangkook Jee.


A Appendix

A.1 IoT Workload

Table 2 shows the typical usage of the IoT applications. Typical usage of a media center (e.g., Kodi [47]) is to browse different streams to find playable and downloadable content; Kodi was used to download different media from the web as well as to browse different streams. A voice assistant such as Google Assistant [6] was used to answer common questions such as "what is the weather like?". An IP camera (e.g., Motion [7]) was used to stream our lab setting from our home. We used a network attached storage unit to access files from remote locations as well as to modify the files. Finally, we used a network security monitoring tool (e.g., Zeek [85]) to sniff and inspect the network traffic generated in our lab environment.

Table 2. The IoT applications chosen for evaluation as well as their usage examples.
Table 3. Number of vertices and edges used to create a benign profile for IoT applications and system programs
Table 4. Number of vertices and edges used to create IoT Malware and APT attack profile

A.2 Dataset Statistics

This section contains the dataset details shown in Tables 3 and 4. Table 3 presents the benign dataset, for which we experimented with five commonly used IoT programs [33] and twenty prevalent Linux system programs [53]. Table 4 shows the malicious dataset, which consists of two parts: four IoT malware samples that impersonated the twenty Linux system programs, and APT kill-chain scenarios conducted using the five IoT programs.

Table 5. APT TTPs for cyber kill-chain stages

A.3 APT Scenarios

The Advanced Persistent Threat (APT) scenario was established in our malicious testbed by loading APT kill-chain components using a fileless wrapper (Table 5). The APT attack vectors were coordinated to compose an end-to-end attack campaign, with reference to the MITRE ATT&CK framework.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Mukherjee, K. et al. (2024). ProvIoT : Detecting Stealthy Attacks in IoT through Federated Edge-Cloud Security. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14585. Springer, Cham. https://doi.org/10.1007/978-3-031-54776-8_10

  • DOI: https://doi.org/10.1007/978-3-031-54776-8_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54775-1

  • Online ISBN: 978-3-031-54776-8
