Computers & Security

Volume 85, August 2019, Pages 51-62

A fog computing based approach to DDoS mitigation in IIoT systems

https://doi.org/10.1016/j.cose.2019.04.017

Abstract

Distributed denial of service (DDoS) attacks pose a severe threat to industrial Internet of Things (IIoT) operation because of the security vulnerabilities resulting from increased connectivity and openness, and because of the large number of deployed devices with low computation power. This paper applies the Fog computing concept to DDoS mitigation by placing traffic monitoring and analysis work close to the local devices while coordinating and consolidating work at cloud central servers, so as to achieve fast response at a low false alarm rate. The mitigation scheme consists of real-time traffic filtering via field firewall devices, which are able to reversely filter packets that match known botnet attack signatures; offline specification-based traffic analysis via virtualized network functions (VNFs) in the local servers; and centralized coordination via a cloud server, which consolidates and correlates the information from the distributed local servers to make a more accurate decision. The proposed scheme is tested in an industrial control system testbed, and the experiments evaluate the detection time and detection rate for two types of DDoS attacks and demonstrate the effectiveness of the scheme.

Introduction

The Internet of Things (IoT) connects every possible device (thing) and facility via various networks to provide efficient, reliable and secure services for all kinds of applications, from personal health trackers, weather monitoring and smart homes to factories. IoT can be defined as "a pervasive and ubiquitous network which enables monitoring and control of the physical environment by collecting, processing, and analyzing the data generated by sensors or smart objects" (Frahim and Pignataro). For example, IoT healthcare applications support monitoring and tracking, enable various physiological signals to be captured and analyzed in real time with integrated embedded sensors, and provide remote control of medical devices.

When IoT is applied in industrial environments, it is termed the Industrial Internet of Things (IIoT), where industrial devices such as controllers, sensors, processors, actuators, and mechatronics are the "things" that are connected and share intelligence with each other. The interconnectivity and openness of IIoT have drastically expanded the attack surface, as many operations are migrated from closed systems using proprietary protocols to IP-based systems, and the threats extend from manipulating information in the information technology (IT) domain to controlling actuation in the operation technology (OT) domain, i.e., from the digital to the physical world.

IIoT systems are heavily involved in real-time control and processing and must operate without interruption; these are the unique and special features of the industrial circumstance. Different domains have quite different security requirements. Confidentiality of information is crucial in IT, e.g., for data in business and finance and in health monitoring applications, while in OT the requirement of availability may be more crucial than that of confidentiality, because operation must not be interrupted. The availability of IIoT systems is prone to distributed denial of service (DDoS) attack, as a large number of electronic devices in the field control areas, such as sensors, actuators and controllers, and especially those with limited computation power, are widely distributed in locations with weak security protection. Those devices are vulnerable to being compromised. A DDoS attack exploits the compromised devices to send attack traffic that consumes system or network resources, rendering the system unavailable for its normal operation.

Various security measures, such as cryptographic methods (e.g., encryption-key-enabled data confidentiality, data and user authentication, data integrity), access control and firewall approaches, could protect the system from various types of attacks. However, the DDoS attack is a notable example of an attack that an attacker could still manage to launch successfully against the system.

A DDoS attack, by sending high-volume traffic or holding up server resources, consumes network bandwidth and processing power and blocks network service to legitimate users. The existing defense approaches, with fixed functionality and computation capacity deployed at fixed locations, have apparent limitations in mitigating DDoS attacks. Cloud computing has flexible computation capabilities, but the Cloud-based DDoS defense approach cannot sufficiently fulfill real-time operation requirements. The goal of this paper is to develop a distributed scheme to mitigate DDoS attacks by detecting and blocking the attack near the attacking sources in the IIoT environment. There are challenges in developing DDoS mitigation methods in a distributed and coordinated manner that effectively overcome the drawbacks of existing mitigation solutions, including low detection efficiency, high false alert rate, long time delay, and high computation power and cost. These challenges are critical to the IIoT system, as IIoT has specific constraints on real-time application and computation resources.

The main contribution of this work is to apply the Fog computing approach (Chiang and Zhang, 2016) in the IIoT environment to mitigate DDoS attacks by allocating computation capacity closer to the operation process and distributing the workload across the system through a three-level mitigation architecture, in order to deliver faster and more accurate attack detection. At the field control level, a firewall is applied to reversely filter the attack packets based on known attack traffic signatures. At the local control level, servers are exploited to examine the traffic by instantiating virtual network functions (VNFs) that perform specification-based traffic detection, and at the Cloud level a central server correlates and consolidates the information from multiple locations and sources to make a more accurate detection decision.
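To make the three-level division of labour concrete, here is a small added simulation of the pipeline (it is not code from the paper or its testbed): a field-level signature filter, a local-level specification check standing in for the VNF, and a cloud-level correlation step that confirms a source only when several local servers report it. The signature bytes, the Modbus function-code and rate specification, the two-site confirmation rule and the traffic are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
# Level 1 (field firewall) signature; the marker bytes are constructed here.
BOTNET_SIGNATURES = {b"\xde\xad\xbe\xef"}
# Level 2 (local VNF) assumed spec: Modbus function codes 3/16 only, and at
# most RATE_LIMIT packets per source per analysis window.
ALLOWED_FUNCTION_CODES, RATE_LIMIT = {3, 16}, 5
# Level 3 (cloud) assumed rule: confirm a source once MIN_SITES sites report it.
MIN_SITES = 2

def field_filter(packets):
    """Split packets into (forwarded, dropped) by signature match."""
    forwarded, dropped = [], []
    for p in packets:
        (dropped if p["payload"] in BOTNET_SIGNATURES else forwarded).append(p)
    return forwarded, dropped

def local_vnf_analyze(site, packets):
    """Return alerts {site, src, reason} for traffic violating the spec."""
    alerts = [{"site": site, "src": p["src"], "reason": "spec"}
              for p in packets if p["fc"] not in ALLOWED_FUNCTION_CODES]
    for src, n in Counter(p["src"] for p in packets).items():
        if n > RATE_LIMIT:
            alerts.append({"site": site, "src": src, "reason": "rate"})
    return alerts

def cloud_correlate(alerts):
    """Return sorted sources reported by at least MIN_SITES distinct sites."""
    sites_by_src = defaultdict(set)
    for a in alerts:
        sites_by_src[a["src"]].add(a["site"])
    return sorted(s for s, st in sites_by_src.items() if len(st) >= MIN_SITES)

def run_pipeline(traffic_by_site):
    """{site: [packet, ...]} -> (packets dropped in the field, confirmed sources)."""
    alerts, dropped_total = [], 0
    for site, packets in traffic_by_site.items():
        forwarded, dropped = field_filter(packets)
        dropped_total += len(dropped)
        alerts.extend(local_vnf_analyze(site, forwarded))
    return dropped_total, cloud_correlate(alerts)

def pkt(src, fc=3, payload=b""):
    return {"src": src, "fc": fc, "payload": payload}
# Constructed traffic: a signature-matching bot at site A, a flooder seen at
# both sites, and a legitimate host that trips the spec once at site A only.
SAMPLE_TRAFFIC = {
    "siteA": [pkt("10.0.0.9", payload=b"\xde\xad\xbe\xef")] * 3
             + [pkt("10.0.0.7")] * 6 + [pkt("10.0.0.2", fc=8)],
    "siteB": [pkt("10.0.0.7")] * 7 + [pkt("10.0.0.5")] * 2,
}
```

Running `run_pipeline(SAMPLE_TRAFFIC)` shows the intended effect: the signature bot never reaches the local server, the single-site spec violation stays a local alert, and only the flooder seen by both sites is confirmed by the cloud.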

In the following, the background knowledge of the IIoT system and the existing work on DDoS mitigation are discussed in Section II. The design and operation procedures of our DDoS mitigation scheme are described in Section III. Section IV presents its implementation and test, and the conclusion is drawn in Section V to summarize the proposed algorithm.

Background and related work

In this section, the evolution of the IIoT system and its specific features are presented by outlining the relations between IoT (IT) and IIoT (OT). The IIoT's security vulnerabilities due to openness and connectivity are explained, and existing work on mitigating DDoS attacks is briefly surveyed.

Design of DDoS mitigation scheme

Isolated mitigation approaches, such as firewalls and intrusion detection systems deployed in fixed locations, cannot mitigate DDoS attacks effectively, and the approach of diverting traffic to the Cloud for processing is not suitable for IIoT systems due to the large volume of traffic to be transmitted and the delayed detection. It is well recognized that at the victim side it is easy to detect a DDoS attack but inefficient to mitigate it due to the accumulated large attack traffic volume,

Experiment implementation

We implement the scheme on top of an existing SCADA system testbed. The testbed simulates the functionalities of a metro railway control system and was previously used for the experiment in Zhou et al. (2017). The implementation structure is shown in Fig. 6. The testbed simulates three domains: the field devices environment, the fog environment, and the cloud environment (a single cloud server in the experiment).

Conclusion

In this work, the Fog computing approach is applied to DDoS mitigation in the IIoT network to address the real-time response requirement and the constraints on device computation capabilities. We proposed a distributed DDoS mitigation scheme which flexibly allocates the traffic analysis workload to multiple distributed locations and assigns virtualized network computation functions based on need. The scheme has a three-level architecture, and each level performs the functions

Conflict of interest

None.

Acknowledgment

This work was supported by the A*STAR Industrial Internet of Things Research Program, under the RIE2020 IAF-PP Grant A1788a0023. Special thanks are also given to our colleague Dong Li for implementing the firewall-based packet filtering and the Snort rule-based attack packet detection in the experiments. We also thank the anonymous reviewers for their constructive comments.

References (40)

  • M. Anagnostopoulos, "DNS amplification attack revisited," Comput Secur (2013)
  • N. Goldenberg et al., "Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems," Int J Crit Infrastruct Prot (2013)
  • Akamai; https://www.akamai.com/us/en/products/cloud-security/, online, May...
  • B. Al-Duwairi et al., "Novel hybrid schemes employing packet marking and logging for IP traceback," IEEE Trans Parallel Distrib Syst (2006)
  • P. Barford et al., "A signal analysis of network traffic anomalies"
  • R. Berthier et al., "Specification-based intrusion detection for advanced metering infrastructures"
  • K. Bhardwaj et al., "Towards IoT-DDoS prevention using edge computing"
  • E.Y.K. Chan, "Intrusion detection routers: design, implementation and evaluation using an experimental testbed," IEEE J Sel Areas Commun (2006)
  • S. Cheung, "Using model-based intrusion detection for SCADA networks"
  • M. Chiang et al., "Fog and IoT: an overview of research opportunities," IEEE Internet Things J (2016)
  • J. Choi, "Smart IoT monitoring framework based on oneM2M for fog computing"
  • CloudFlare. https://www.cloudflare.com/ddos, online, May...
  • "Secure authentication implementation and migration guide and demonstration report" (2014)
  • ETSI GS NFV, "Network Functions Virtualisation (NFV): architectural Framework," 2: V1.1.1,...
  • S.K. Fayaz et al., "Bohatei: flexible and elastic ddos defense"
  • P. Ferguson et al., "Network ingress filtering: defeating denial of service attacks that employ IP source address spoofing," Internet RFC (2000)
  • Frahim J, Pignataro C, Apcar J, Morrow M. "Securing the Internet of Things: a proposed framework",...
  • Github, "Snort 2.9.8.x on Ubuntu 16 LTS", https://github.com/bensooter/Snort16OnUbuntu, online, May...
  • Github, Snort sample rules for SCADA DDoS detection, https://github.com/Z-0ne/SCADA-Rules, online, May...
  • F. Guenane et al., "DDoS mitigation cloud-based service"

Luying Zhou received the B.S. and M.S. degrees in Automatic Control in 1982 and 1985, respectively, from South China University of Technology, and the Ph.D. degree in Systems Engineering in 1990 from Xi'an Jiaotong University, China. From 1990 to 1995, he was a faculty member at South China University of Technology. He held a Postdoctoral position in SUNY at Buffalo and Syracuse University, New York from 1995 to 1998. Dr. Zhou has been a research scientist at the Institute for Infocomm Research, Singapore since 1998 and served as adjunct faculty member at Nanyang Technological University, Singapore from 2004 to 2012. Dr. Zhou has served as TPC member for conferences, including IEEE GLOBECOM and IEEE ICC, and has been on conference organizing committees, including organizing Co-Chair of IEEE ICCS 2012. He was a recipient of IEEE ICC 2012 best paper award. His research interests are in optical and wireless networks, and network security.

Huaqun Guo is Senior Scientist and Programme Head of IIoT Security at the Institute for Infocomm Research (I2R), Agency for Science Technology and Research (A*STAR), President of International Researchers Club, and Chair of IEEE Intelligent Transportation Systems Society Singapore Chapter. Before joining I2R, she was a senior engineer at Kent Ridge Digital Labs (KRDL) and a senior research staff at National University of Singapore (NUS). She was also Chair of IEEE Singapore Women In Engineering (WIE) Affinity Group, and chair of IEEE Broadcast Technology Society Singapore Chapter. Dr. Guo obtained her B. Eng. and M. Eng. from Tianjin University, and her M. Eng and Ph.D. from the National University of Singapore (NUS) respectively. She has published more than 60 referred papers in the international conferences, journals and books. Dr. Guo has served as general chair, general co-chair, program co-chair, and TPC member for more than 30 international conferences. Her research areas include Network and Communication Security, Cyber-Physical System Security, Industrial Internet of Things (IIoT) Security, Multicast, Vehicular Network, and Communication Systems.

Gelei Deng received the B. Eng. in electrical engineering at Singapore University of Technology and Design in 2018, where he worked as a research assistant at SUTD-MIT International Design Center. He is now with Institute for Infocomm Research (I2R), Agency for Science Technology and Research (A*STAR) as a research engineer.
