Securing Smart Cities using LSTM algorithm and lightweight containers against botnet attacks

https://doi.org/10.1016/j.asoc.2021.107859

Highlights

  • Secure device management using Deep Learning and a lightweight operating system.

  • Deep Learning detects abnormal traffic and updates the SDN flow table.

  • Lightweight operating system revokes device API and blocks inter-device communication.

  • Evaluation of the proposed framework demonstrates a practical working environment.

Abstract

Smart Cities contain millions of IoT sensors supporting critical applications such as Smart Transport, Buildings, Intelligent Vehicles, and Logistics. A central administrator appointed by the government manages and maintains the security of each node. A Smart City relies upon millions of sensors that are heterogeneous and do not support a standard security architecture. Different manufacturers have weak protection protocols for their products and do not update their firmware when new operating system vulnerabilities are identified. Adversaries using brute force methods exploit the lack of inbuilt security systems on IoT devices to grow their bot network. Smart cities require a standard framework combining soft computing and Deep Learning (DL) for device fleet management and complete control of sensor operating systems for absolute security. This paper presents a real-world application for IoT fleet management security using a lightweight container-based botnet detection (C-BotDet) framework. Using a three-phase approach, the framework applies Artificial Intelligence to detect compromised IoT devices sending malicious traffic on the network. Balena Cloud revokes API keys and prevents a compromised device from infecting other devices to form a larger botnet. A VPN (Virtual Private Network) prevents inter-device communication and routes all malicious traffic through an external server. The framework quickly updates the standard Linux-based operating system across the IoT device fleet without relying on different manufacturers to update their system security individually. The simulation and analysis of the C-BotDet framework are presented in a practical working environment to demonstrate its implementation feasibility.

Introduction

Modern smart cities, abundant with millions of cyber–physical sensor devices, support various intelligent applications for providing optimized services to their citizens. The growing market size and global adoption of IoT devices in smart cities are expected to reach USD 385.7 billion [1]. The heterogeneity of sensors increases as the city acquires and adopts devices from different manufacturers. Vendors implement separate operating systems and use distinct programming languages, protocols, and access control functions explicitly built for IoT due to their resource constraints [2]. Implementing different operating systems presents a significant challenge for a smart city administrator to manage devices, remove malware infections, and address the system software’s security vulnerabilities [3]. An adversary with knowledge of millions of devices’ weaknesses can repeatedly inject malicious scripts in the future. A city administrator is required to address the vulnerabilities and update the firmware on many sensor machines in the least amount of time without relying on vendors.

Botnet-based DDoS attacks using IoT devices are widely regarded as a significant concern in existing networks. In 5G-based systems, cyberattacks such as DDoS are expected to grow due to millions of IoT devices implementing weak security protocols connected to the same network. Attack parameters diversify and allow more opportunities and attack scenarios for an attacker to disrupt the new network slicing protocol in fifth-generation network technology. DDoS-based attacks remain the topmost concern for security researchers [4]. Containing flood-based attacks requires differentiating between legitimate and malicious network traffic [5]. The inclusion of virtualization technologies in modern 5G networks, such as SDN (Software Defined Networking), NFV, and network slicing, has made existing solutions for securing physical infrastructure obsolete. Virtualization technology enables separate and isolated multi-tenant network slices and opens new research challenges in securing against cyberattacks [6]. SDN-based switches and controllers play an important role in monitoring network traffic flowing from devices to the network slice [7]. However, controllers and switches do not provide adequate security against DDoS attacks, nor do they detect botnet activity in DDoS attacks.

Non-legacy IoT devices have low computational and battery power, and as such, they do not support secure encryption-based solutions [8], [9]. Manufacturers sell these machines without any form of security protocols in place, and there is no government policy support to enforce security standards [10]. Devices such as baby monitors, thermometers, security cameras, and lighting systems are installed all around us in our homes, universities, office buildings, and shopping centers with passwords such as “password” and usernames such as “admin123”. Using the brute force method, an attacker can control these devices and inject them with malicious scripts [11], [12]. These infected devices are known as bots and collectively form a botnet. Attackers communicate with these infected devices using Command and Control servers to update them and give them orders. It is challenging to secure these devices due to their heterogeneity [13]. It is impossible to issue a quick firmware update and patch security vulnerabilities in thousands of IoT devices operated by different manufacturers. 5G technology used by IoT, coupled with unsecured IoT devices, poses more significant threats than LTE services due to the possibility of a much larger volume of attacks [14], [15].

Containers are lightweight solutions to run multiple applications as quickly and efficiently as possible [16], [17]. Containers share a standard operating system kernel, and only the operating system is virtualized. Unlike virtual machines that run a full operating system on virtualized physical resources, containers consume fewer resources. A container-based application needs only seconds to initialize, whereas a virtual machine requires minutes to become operational [18]. A container-based application can be as small as a few megabytes. In contrast, a virtual machine that virtualizes the hardware resources wastes resources in running lightweight applications [19]. IoT devices are heterogeneous, and different manufacturers often do not update their devices once they have been sold [20], [21]. Containerized solutions such as the lightweight Balena Operating System (OS) are explicitly created for IoT devices [22], [23], [24]. Container-based operating systems are distributed as light images. As such, these image registries can be set up in multiple locations for specific IoT device types and updated more efficiently. Since device types are heterogeneous, they require separate configurations if updated via traditional methods [25], [26], [27]. Containers do not require any unique configurations if the device’s operating system is a Linux-based distribution with a container runtime [28], [29], [30].

The motivation for this research is to present a novel framework that enables a smart city administrator to effectively manage and secure the IoT device fleet against botnet-based attacks. There are open research challenges in recent studies [31], [32], [33], [34], [35], [36], [37], [38], [39], [40] that require a new comprehensive and practical approach to protect embedded devices in a smart city from botnet attacks:

  • Several recent studies focus on detecting botnet attacks on IoT devices using deep packet and TCP header inspection. However, preventing the continual growth of botnet activity in large-scale intelligent applications with thousands of deployed sensors is not addressed with a practical solution. The bot network continues to infect other devices using their IP addresses and grows the bot network. Detecting and identifying compromised machines is the first step in securing them, but it does not stop the continual sharing of malicious scripts with other sensors.

  • Heterogeneity in IoT devices grows as vendors adopt different operating systems in their sensors. The lack of uniform or standard firmware impedes immediate botnet prevention. A unified firmware architecture allows Smart City administrators to take quick preventive action by updating the firmware and preventing future botnet growth. Existing studies do not address the heterogeneity in sensor operating systems that allows the infected device network to grow.

The significance of this work is to address the existing challenges in securing Smart Cities and to present a practical and feasible method to protect connected sensor devices. We present these contributions in this paper as follows:

  • A Cloud-based Container OS is deployed to monitor all connected devices in a Smart City. The OS requires each device to be registered with the network and issued an Access Key that authenticates the device as validated. The Key is essential to the OS; upon its revocation, the device is rendered inactive and the control an attacker has over the device is broken immediately.

  • Heterogeneity arising from the different OS manufacturers deployed in IoT devices is resolved by using a standard container-based OS that is lightweight compared to virtual machines. The new OS enables an administrator to develop and push a single standard firmware update to each device that resolves all identified software vulnerabilities. Devices from different manufacturers run a standard operating system managed by the central smart city administrator, so manufacturers are no longer required to issue timely firmware updates to patch critical software vulnerabilities.

Existing research focuses either only on detecting DDoS attacks on servers or on detecting botnet activity on IoT devices. However, that is only one part of providing security to network servers. Complete protection of the network firstly requires detecting malicious activity emerging from devices and then updating network rules to block all incoming attack traffic. Secondly, upon the discovery of botnet activity, it is essential to prevent its growth. A smart city administrator secures IoT devices connected to the network and shields them from other infected machines. As an immediate step, a security administrator should have the ability to break the infected device’s communication with the botnet command and control server. Thirdly, all identified vulnerabilities in the device applications are patched by the administrator to prevent future security failures. There is a need for a framework that provides overall security to all the network components. These components include the network traffic flow and all connected devices communicating with the network server.

This paper aims to contribute to botnet detection research for IoT fleet management systems. The proposed framework, called C-BotDet, undergoes three phases to detect anomalous traffic. The first phase, Detection, analyzes traffic collected from SDN switches and informs the SDN controller to update its network policy by blocking all IP addresses sending malicious traffic. The second phase, Isolate, protects other safe IoT devices from becoming part of the botnet by blocking all traffic between compromised devices and other vulnerable devices. In the third and final phase, Update, the infected devices are updated to remove the security vulnerabilities found in the machines.
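The three-phase Detection / Isolate / Update pipeline described above, as an added illustration that is not code from the paper: a constructed per-device burst score stands in for the trained LSTM, and the SDN flow table and Balena-style fleet registry (API keys, VPN routing, update queue) are in-memory stand-ins, all of which are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Device:
    device_id: str
    ip: str
    api_key: Optional[str]      # None once revoked (Isolate phase)
    via_vpn: bool = False       # True once traffic is routed via the external VPN server
    needs_update: bool = False  # True once queued for the container image push (Update phase)

@dataclass
class FlowTable:
    # SDN flow rules keyed by source IP; "DROP" blocks all traffic from that address
    rules: Dict[str, str] = field(default_factory=dict)

    def block(self, ip: str) -> None:
        self.rules[ip] = "DROP"

    def is_blocked(self, ip: str) -> bool:
        return self.rules.get(ip) == "DROP"

def burst_score(window: List[int], pps_limit: int = 200) -> float:
    """Stand-in for the LSTM (assumption): fraction of one-second buckets whose
    packets-per-second count exceeds pps_limit. A deployment would call the model here."""
    return sum(1 for pps in window if pps > pps_limit) / len(window)

def run_cbotdet(devices: Dict[str, Device], traffic: Dict[str, List[int]],
                flow_table: FlowTable, score: Callable[[List[int]], float] = burst_score,
                threshold: float = 0.5) -> List[str]:
    """Apply the three phases to every device window; return ids of contained devices."""
    contained = []
    for device_id, window in traffic.items():
        dev = devices[device_id]
        if score(window) < threshold:     # Detection: traffic looks benign, leave device alone
            continue
        flow_table.block(dev.ip)          # Detection: push a DROP rule to the SDN controller
        dev.api_key = None                # Isolate: revoke the fleet API key (device goes inactive)
        dev.via_vpn = True                # Isolate: route remaining traffic via the external VPN
        dev.needs_update = True           # Update: queue the patched container image
        contained.append(device_id)
    return contained

# Constructed sample fleet: one camera flooding at ~1000 pps, one thermometer idling at ~20 pps
SAMPLE_DEVICES = {
    "cam-01": Device("cam-01", "10.0.0.11", "key-cam-01"),
    "thermo-02": Device("thermo-02", "10.0.0.12", "key-thermo-02"),
}
SAMPLE_TRAFFIC = {
    "cam-01": [950, 1020, 1100, 980, 1005],
    "thermo-02": [18, 22, 19, 21, 20],
}
```

Calling `run_cbotdet(SAMPLE_DEVICES, SAMPLE_TRAFFIC, FlowTable())` contains only `cam-01`; the thermometer keeps its key and is never routed through the VPN.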

The main contributions of this work are:

  • The framework’s main objective is to provide the smart city administrator with a secure device management system using DL and a universal lightweight container operating system for streamlined device firmware updates.

  • The three-phase approach to botnet detection is a significant contribution to IoT device fleet management security. The framework provides complete protection to millions of devices by identifying abnormal traffic using Long Short-Term Memory (LSTM) based Soft Computing Intelligence and updating the SDN flow table to block all malicious incoming traffic to the server.

  • The framework relies on a lightweight virtual container-based operating system called Balena OS, an IoT device management platform. It presents a real-world application for securing devices in Smart Cities. Using Balena OS, we revoke the device API key and block all inter-device communication, preventing the botnet’s growth.

  • Traffic from infected devices is routed using the OpenVPN service, which prevents the device from inter-device communication and from communicating with both the victim and the botnet command and control server.

  • The framework is evaluated using a simulation-based environment to show the feasibility of the proposed C-BotDet framework in a practical working environment to secure compromised IoT devices and protect the Device fleet application from botnet attacks.

  • Comparison with other DL models, CNN and AutoEncoder, demonstrates increased Accuracy, Precision, and Recall for the LSTM model.

  • Recent studies are compared on Precision and Recall to illustrate the LSTM model’s lower rate of false detections and higher number of true positives correctly identified.

The remainder of this paper is structured as follows. Section 2 briefly reviews related work. In Section 3, we describe the overview and methodology of our proposed C-BotDet framework. A practical implementation of the framework is presented in Section 4. The last section concludes the paper.

Existing research

There are two approaches to detect botnet activity on the network. We either detect botnet activity by inspecting the connected devices’ communication with the command-and-control server or identify malicious traffic incoming from compromised machines causing DDoS attacks on the network. Botnet IoT machines are often used to launch DDoS attacks on the system. Detection of botnet activity is achieved using machine learning-based algorithms, SDN-based methods, and Honeypot systems. The machine

Proposed framework

This section presents the structure of the proposed C-BotDet detection framework for the IoT fleet management application, including both its overview and methodology. The proposed framework combines a DL-based LSTM with virtual container-based tools to build a framework that detects botnet formation and takes preemptive measures to prevent the botnet activity from spreading to other devices.

Experimental setup

This section presents the experimental setup for our LSTM-based DL model, its learning process, and the formulae for the Accuracy, Precision, and Recall parameters. The Balena Cloud environment and the setup process for the deployed IoT devices are included to build the C-BotDet framework.

Detection: We use the OMNET++ Suite, a simulation framework that contains support for the telecommunication network environment. A network topology is built for the simulation environment consisting of a

Conclusion

This paper presents a novel framework, C-BotDet, for botnet traffic detection, prevention, and mitigation in IoT device fleet management applications. The developed framework runs through three phases. In the first phase, Detection, using DL, we identify incoming traffic from compromised IoT devices and update the flow rules in the SDN controller to block all malicious traffic. In the second phase, Isolate, we revoke API keys from infected devices to protect other IoT machines from being

CRediT authorship contribution statement

Mikail Mohammed Salim: Conceptualization, Methodology, Software, Data curation, Formal analysis, Writing – original draft, Writing – review & editing. Sushil Kumar Singh: Software, Visualization, Validation, Investigation. Jong Hyuk Park: Supervision, Resources, Project administration, Funding acquisition.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (NRF-2019R1A2B5B0107041613).

References (40)

  • DDoS to Loom Large in the 5G Era. NSFOCUS, Inc. (2020)
  • Park, J.H. et al. A comprehensive survey on core technologies and services for 5G security: Taxonomies, issues, and solutions. Human-Centric Comput. Inf. Sci. (2021)
  • Rathore, S. et al. DeepCachNet: A proactive caching framework based on deep learning in cellular networks. IEEE Netw. (2019)
  • Bhushan, K. et al. Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment. J. Ambient Intell. Humaniz. Comput. (2018)
  • Park, D. et al. S-mote: SMART home framework for common household appliances in IoT network. J. Inf. Process. Syst. (2019)
  • Salim, M. et al. Distributed denial of service attacks and its defenses in IoT: A survey. J. Supercomput. (2019)
  • Suryani, V. et al. Two-phase security protection for the Internet of Things object. J. Inf. Process. Syst. (2018)
  • Singh, S.K. et al. BlockIoTIntelligence: A blockchain-enabled intelligent IoT architecture with artificial intelligence. Future Gener. Comput. Syst. (2019)
  • Sicato, J.S. et al. VPNFilter malware analysis on cyber threat in smart home network. Appl. Sci. (2019)
  • Hussain, B. et al. Deep learning-based DDoS-attack detection for cyber-physical system over 5G network. IEEE Trans. Ind. Inf. (2020)