Towards blockchain-enabled single character frequency-based exclusive signature matching in IoT-assisted smart cities

Abstract

With the increasing viability of Internet of Things (IoT), more devices are expected to be connected in a smart city environment. It can provide many benefits for people’s daily life, but is also susceptible to many security threats in practice. Intrusion detection systems (IDSs), especially signature-based IDSs, are one of the most commonly adopted security mechanisms to safeguard various network environments like IoT-assisted smart city against cyber attacks. The process of signature matching is a key limiting factor for a signature-based IDS, and the exclusive signature matching (ESM) was designed based on the observation that most network packets would not match any IDS signatures. However, exclusive signature matching like the single character frequency-based ESM may be vulnerable to some attacks in a hostile environment. To mitigate this issue, in this work, we propose a blockchain-enabled single character frequency-based ESM, which can build a verifiable database of malicious payloads via blockchains. In the evaluation, we investigate the performance of our approach under flooding and character padding attacks in both a simulated and a real IoT network environment. The results demonstrate the effectiveness of our approach in enhancing the robustness of single character frequency-based ESM against malicious traffic.

Introduction

With the rapidly growing number of digital devices, Internet of Things (IoT) enables these devices to be connected with each other as well as with the Internet [19]. The IoT environment involves different kinds of devices like smart sensors that can be remotely monitored and controlled. According to a report from Gartner [10], the IoT market would grow to 5.8 billion endpoints by the end of 2020, compared with an expectation of 4.8 billion IoT devices in use by 2019, resulting in a 21% increase. In addition, Statista research estimated that the global market for end-user solutions especially IoT connected electronic devices is expected to grow to 212 billion U.S. dollars in size by the end of 2019, and finally reach around 1.6 trillion by the year of 2025 [11].

The IoT can provide many benefits to people’s daily life, and it is also important to help construct smart cities. In particular, smart cities can deploy various IoT devices like connected sensors to help collect and analyze data, and improve infrastructure, e.g., public utilities and services. For example, Daintree Networks released a survey, indicating that almost 60% of building managers in the U.S. are familiar with the IoT, and 43% of them believe the IoT would shape how they operate their buildings in the next two to three years [15]. Therefore, there is an increasing trend of developing IoT-assisted smart cities, by leveraging the connection capability and intelligent technologies.

However, IoT is facing many security threats at present, making IoT-assisted smart cities vulnerable as well. According to a survey performed by i-SCOOP with over 100 IoT leaders, security threat ranks top 2 among all major IoT concerns [18]. It is easily imagined that an attacker has a chance to remotely control your front door and enter your home if your IoT controller has been compromised. Symantec’s Threat Report also reported that the overall IoT attacks around the world still remained very high in practice [48].

To defend IoT and smart cities against attacks, intrusion detection systems (IDSs) are a basic and essential security solution to help identify a variety of computer and network attacks such as worms, Trojans, DoS attacks, etc. Generally, an IDS can be classified into two categories: signature-based IDS and anomaly-based IDS. The former like Snort [41] detects an attack mainly through comparing current local or network events with its stored signatures and patterns. This kind of detection is also known as misuse detection and rule-based detection. The latter like Bro [38] attempts to figure out an intrusion by identifying a great deviation between current event and the predefined normal profiles, which is mainly used to model the normal behavior of protected assets for a period of time.

In practice, in comparison with anomaly-based approaches, signature-based detection often has a wider adoption due to its lower false alarm rate [44]. While the process of signature matching (or called string matching) is a big bottleneck, in which the workload is at least linear to the size of the target string [40]. For example, Snort is a lightweight signature-based IDS, which has the ability to perform real-time traffic analysis, content matching and packet logging on Internet Protocol (IP) networks [41], [43], [45]. It often spends abut 30 percent of its total processing power in conducting signature matching, whereas the CPU burden would be significantly increased to over 80 percent when deployed in a intensive web-traffic environment [6], [7]. This will cause Snort to drop many packets, which may cause many security risks and severely degrade the whole security level of a network.

In an IoT-assisted smart city environment, a distributed orcollaborative IDS (DIDS/CIDS) [22] can be implemented to provide better protection over a single IDS, in which there could be a set of detectors to exchange required information and data. In such environment, the detection effectiveness will be limited by the expensive signature matching. Hence there is a need to adopt a more efficient signature matching process.

Motivation. In the literature, Markatos et al. [29] first proposed an exclusion-based signature matching algorithm called ExB, in which the basic idea is to check whether an input string contains all fixed-size bit-strings of a signature. Then Meng et al. [32] extended this idea and proposed exclusive signature matching (ESM). They particularly developed a scheme of single character frequency-based ESM, which consists of four statistical tables and uses a decision algorithm to output a single character with the purpose of finding a mismatch. However, its performance may be greatly degraded under a hostile environment, i.e., an attacker can launch a character padding attack [31] by padding required characters into a forged packet.

Contributions. In recent years, blockchain technology has been widely studied in various areas especially IoT [8], [9], [42]. The use of blockchains can allow untrusted entities connecting with each other in a verifiable manner without the need of a trusted centralized entity. Due to this merit, many studies have tried to combine it with intrusion detection [23], [49]. Motivated by this, in this work, we try to combine blockchain technology with single character frequency-based ESM under IoT environments like IoT-assisted smart city. Our approach can help protect the process of signature matching in hostile environments, i.e., under character padding attack, by applying blockchains to incrementally building a verifiable database of malicious payloads. Our contributions of this work can be summarized as follows.

• We first design a prototype on how to implement the single character frequency-based ESM in practice, and detail our blockchain-enabled single character frequency-based ESM, by integrating with blockchain technology.

• The effectiveness of ESM is heavily based on the observation (named as PackSig observation) that the majority of network packets would not match any IDS signatures. We validate this observation in different network environments.

• We evaluate the performance of our approach under two hostile environments, where an attacker can launch flooding attack and character padding attack to degrade the effectiveness of ESM. The results indicate that our approach can help enhance the robustness of single character frequency-based ESM under adversarial scenarios.

Roadmap. The rest of this paper is organized as follows. Section 2 introduces related studies on signature matching improvement in intrusion detection, as well as blockchain background and its applications in DIDS/CIDS. Section 3 presents the background of single character frequency-based ESM and the prototype, and introduces our proposed blockchain-enabled approach. Section 4 validates the PackSig observation under both a simulated and a real network environment. Section 5 evaluates the performance of our approach under flooding attack and character padding attack in two distributed environments. Section 6 discusses some limitations and challenges. We conclude our work and present an outlook to future work in Section 7.