iot flows lightweight policy enforcement of information
play

IoT-Flows: Lightweight Policy Enforcement of Information Flows in - PowerPoint PPT Presentation

Jun 26, 2023 •213 likes •455 views

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos Augusto Suruagy Monteiro Centro de Informtica - UFPE IoT-Flows: US Subteam (PIs) Prof. Atul Prakash (UMich) Expert on security and IoT Prof. Darko

  1. IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures José Augusto Suruagy Monteiro Centro de Informática - UFPE

  2. IoT-Flows: US Subteam (PIs) Prof. Atul Prakash (UMich) Expert on security and IoT Prof. Darko Marinov (UIUC) Expert on software testing

  3. IoT-Flows: BR Subteam (PIs) Prof. José A. Suruagy – Expert on network monitoring and architectures Prof. Paulo Gonçalves – Expert on wireless threats Prof. Marcelo d’Amorim – Expert on program analysis Prof. Kiev Gama – Expert on adaptive middleware for IoT

  4. Problem: IoT devices security • Hardware limitations make IoT devices vulnerable to exploitation, for example, in launching DDoS attacks • IoT devices in homes are also vulnerable to attacks, which could lead to loss of privacy, data theft, financial losses, and even physical harm • Security issues with IoT systems are a significant concern in many other domains, e.g., autonomous cars or industrial systems

  5. Proposed Solution: Cross-Layer Defense We propose to explore a novel approach of cross-layer • defense in which we: Monitor the IoT device’s network in a distributed manner; • Combine information from all network TCP/IP layers; • Use this information applying Complex Event Processing (CEP) • rules to detect network attacks; Enforce actions such as blocking flows or generating alerts • once an attack is detected.

  6. IoT-Flows: Initial Steps Understanding the IoT Context • Initial focus on Smart Homes • Overall message: Manufacturers lack security concerns when developing IoT apps • Publications: • Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d'Amorim, Atul Prakash. Beware of the App! On the Vulnerability Surface of Smart Devices through their Companion Apps. CoRR, 2019. • Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d'Amorim, Atul Prakash. A Study of Vulnerability Analysis of Popular Smart Devices Through Their Companion Apps. SafeThings, 2019 (Pending publication)

  7. IoT-Flows: Initial Steps What can we do to help IoT apps become more secure? •We extended a framework used to develop secure IoT apps for the Android platform ( FlowFence ) •The extended framework enables fine-grained control of sensitive UI data on the app •Publication: – Davino Mauro Junior, Kiev Gama, Atul Prakash: Securing IoT Apps with Fine-grained Control of Information Flows. SBSeg, 2018.

  8. IoT-Flows: Current Work IoT-Flows: Security Network System for IoT •Enable distributed network monitoring of IoT devices using a multi-layer approach •Detect traditional Security attacks using IoT devices e.g., ARP Spoofing, SYN flood, etc. • •Extensible platform with user-friendly interface via app •Publication: – Davino Mauro Junior, Walber Rodrigues, Kiev Gama, José A. Suruagy, Paulo André da S. Gonçalves: Towards a Multilayer Strategy Against Attacks on IoT Environments. SERP4IoT, 2019 (Pending publication).

  9. MAPE-K Usage of autonomous computing principles •MAPE-K architecture blueprint was originally introduced by IBM •Designed with autonomic computing in mind •Largely used on self-* systems (e.g., self-managing, self- adaptive) •Ideal for event-based systems https://www-03.ibm.com/autonomic/pdfs/AC%20Blueprint%20White%20Paper%20V7.pdf

  10. Original MAPE-K Components Analyze Plan Monitor Execute Knowledge Managed Resource

  11. Our Architecture CEP Pattern Analyzer API App Flow Execute Flow Flow Monitors Alerter Monitors Monitors Router ... Network Traffic from IoT devices

  12. Our Architecture CEP Pattern Analyzer API Aggregate and filter traffic data. Generate events to App be analyzed. Flow Execute Flow Flow Monitors Alerter Monitors Monitors Router ... Network Traffic from IoT devices

  13. Monitoring • Two types of Monitoring: – Monitoring surrounding WLANs traffic – Monitoring Ethernet traffic • Network packets are collected and mapped to a common structure – Structure is shared among architecture components, e.g., the CEP Analyzer – Structure resembles a Network packet

  14. Our Architecture Computes on CEP Pattern generated events Analyzer API looking for anomalies App Flow Execute Flow Flow Monitors Alerter Monitors Monitors Router ... Network Traffic from IoT devices

  15. Analyzer • Based on Complex Event Processing (CEP) • Analyzes network data coming from the monitors which were mapped to events • Rules ( patterns ) are applied to these events – Detect preconfigured attacks – Once detected, each pattern maps an enforcement action – Enforcement action is requested by the analyzer and disconnects a device from the network, generates an alert, etc.

  16. Our Architecture CEP Pattern Extensible Analyzer API Patterns (rules) configured by the app App Flow Execute Flow Flow Monitors Alerter Monitors Monitors Router ... Network Traffic from IoT devices

  17. Pattern API • Restful (REST) API • Maintains Patterns ( Rules ) that identify an attack • Rules are based on packet information – Ex: A rule to detect a SYN flood attack would involve checking if the count of captured network packets with the SYNFlag activated surpass a given threshold • Every rule has 1..N predefined enforcement actions – Ex: Once a SYN flood attack is detected, one of the enforcement actions involves disconnecting the attacker's device from the network

  18. Our Architecture CEP Pattern Analyzer API Execute the action, e.g., App block a request Flow Execute Flow Flow Monitors Alerter Monitors Monitors Router ... Network Traffic from IoT devices

  19. Execute • Different enforcement actions can be performed once a suspicious behavior is detected – Generate an alert sending an email or SMS to the user – Request the router to disconnect a compromised device from the local network – Block the IoT device from making requests to unwanted endpoints, e.g., in a DDoS attack

  20. Our Architecture CEP Pattern Analyzer API App Flow Execute Flow Flow Monitors Alerter Monitors Monitors Router ... Network Traffic from IoT devices

  21. App • Includes creation and management of rules even by non- specialist users • Enables configuration of enforcement actions upon the rules – Ex: Send a SMS once a suspicious behavior is detected • Enables visualization of recent activities involving the system – Ex: Recent rules matched by the Analyzer

  22. Attacks we already tackle • SYN Flood • ARP Spoofing • DeAuthorization • Slowloris • Black Nurse • … More to come

  23. Work in progress • Development of the mobile application for generating patterns/policies • App should be user-friendly to non-specialist IT users • Evaluation of platform against state-of-the-art solutions • Ex: Traditional network Intrusion Detection Systems (IDS) • Tests generation to evaluate platform capabilities • Tests should emulate both traditional and new IoT attacks • Evaluate how to use AI tools to generate new patterns automatically • Ideally, these patterns would match new attacks, e.g., learning from network traffic monitoring

  24. Obrigado! José Augusto Suruagy Monteiro suruagy@cin.ufpe.br

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1.

Its time to Think Lightweight! www.thinklightweight.com TO D A Y S TO P IC S 1. About Think Lightweight 2. What are Lightweight Structures? 3. Industry Applications 4. Product Line Review 5. Think Lightweight Component

832 views • 43 slides
Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status

Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status

Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status SEC. 2. Declaration of Policy. The State recognizes the vital role of information and communications industries such as content production,

406 views • 22 slides
Planning Enforcement Adrian Duffield Head of Planning 1 The planning process Enforcement

Planning Enforcement Adrian Duffield Head of Planning 1 The planning process Enforcement

Planning Enforcement Adrian Duffield Head of Planning 1 The planning process Enforcement Policy Applications 2 National Planning Policy NPPF Paragraph 207 Important in maintaining public confidence in planning system Discretionary

171 views • 14 slides
AUTOMATED TRAFFIC ENFORCEMENT April 15, 2019 Overview Updated information on approved

AUTOMATED TRAFFIC ENFORCEMENT April 15, 2019 Overview Updated information on approved

AUTOMATED TRAFFIC ENFORCEMENT April 15, 2019 Overview Updated information on approved motions and recommendations. Further information on revenue allocation. Introduce Council Policy. Updated Information Failure to Stop AJSG

437 views • 19 slides
Enforcement Policy Presented by Cris Carrigan David Boyers, & Dr. Matthew Buffleben State

Enforcement Policy Presented by Cris Carrigan David Boyers, & Dr. Matthew Buffleben State

2017 Update: Enforcement Policy Presented by Cris Carrigan David Boyers, & Dr. Matthew Buffleben State Water Resources Control Board Office of Enforcement February 7, 2017 Board Meeting Item 5 2017 Enforcement Policy Highlights

570 views • 20 slides
FPPC Enforcement Retrospective & Prospective Policy Meeting November 22, 2019 2019

FPPC Enforcement Retrospective & Prospective Policy Meeting November 22, 2019 2019

FPPC Enforcement Retrospective & Prospective Policy Meeting November 22, 2019 2019 Enforcement Trends Resource Allocation 2019/2020 Penalties 2019/2020 Streamline/WL Discussion Program Roadblocks to Enforcement Legislative Proposals

633 views • 39 slides
Dynamic Policy Enforcement Dynamic Policy Enforcement in a Networked Environment in a Networked

Dynamic Policy Enforcement Dynamic Policy Enforcement in a Networked Environment in a Networked

Dynamic Policy Enforcement Dynamic Policy Enforcement in a Networked Environment in a Networked Environment Brandon Pollet Brandon Pollet Enterprise Security Group Enterprise Security Group Center for Information Security Center for

671 views • 28 slides
Distributed Privacy Policy Enforcement David Chadwick, Kaniz Fatema University of Kent Scenario

Distributed Privacy Policy Enforcement David Chadwick, Kaniz Fatema University of Kent Scenario

Distributed Privacy Policy Enforcement David Chadwick, Kaniz Fatema University of Kent Scenario A Subject submits some personal identifying information (PII) along with her privacy policy to a service provider (SP) An SP user

429 views • 18 slides
Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules

Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules

Deriving Enforcement Mechanisms from Policies Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules Helge Janicke, Antonio Cau, Fran cois Siewe, Enforcement Hussein Zedan Summary Software

550 views • 16 slides
The Irish Waste Management Conference Waste policy and enforcement: update Alison Fanagan 28

The Irish Waste Management Conference Waste policy and enforcement: update Alison Fanagan 28

The Irish Waste Management Conference Waste policy and enforcement: update Alison Fanagan 28 November 2019 M-47824253-1 Introduction Waste policy Waste enforcement 2012 A resource opportunity: up for review What are Irelands

400 views • 28 slides
GAMING POLICY AND ENFORCEMENT BRANCH SAM MACLEOD, ASSISTANT DEPUTY MINISTER AND GENERAL MANAGER

GAMING POLICY AND ENFORCEMENT BRANCH SAM MACLEOD, ASSISTANT DEPUTY MINISTER AND GENERAL MANAGER

GAMING POLICY AND ENFORCEMENT BRANCH SAM MACLEOD, ASSISTANT DEPUTY MINISTER AND GENERAL MANAGER German Report Implementation: Addressing Money Laundering in BCs Casinos Presentation for UBCM GAMING POLICY AND ENFORCEMENT BRANCH (GPEB)

830 views • 11 slides
Enforcement Policy for the Processing of Penalty Charge Notices Civil Parking Enforcement

Enforcement Policy for the Processing of Penalty Charge Notices Civil Parking Enforcement

Civil Parking Enforcement Policy for the Processing of Penalty Charge Notices Civil Parking Enforcement Guidance for the processing of Penalty Charge Notices in the County of Staffordshire June 2007 Revised February 2008 Introduction In

828 views • 64 slides
ENFORCEMENT INTEGRATED INFORMATION SYSTEM IN LITHUANIA INTEGRATED ELECTRONIC SERVICES

ENFORCEMENT INTEGRATED INFORMATION SYSTEM IN LITHUANIA INTEGRATED ELECTRONIC SERVICES

ENFORCEMENT INTEGRATED INFORMATION SYSTEM IN LITHUANIA INTEGRATED ELECTRONIC SERVICES ENFORCEMENT OFFICERS CASH RESTRICTION INFORMATION SYSTEM INFORMATION SYSTEM (PLAIS) (AIS) VARIOUS PROPERTY REGISTERS ASSET SEIZURE REGISTER (TAAR)

360 views • 14 slides
The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will

The lightweight beam for Heavyweight applications The impact of this lightweight steel beam will revolutionise the international high-rise construction industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight

417 views • 12 slides
in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order

in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order

Monitoring of enforcement in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order Ordering enforcement Authorities court notary public Enforcement order certificate of enforcement

540 views • 12 slides
The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept

The lightweight beam for Heavyweight applications The impact of this lightweight beam concept will revolutionise the aviation industry Tony Zaccarini and Dr Patrick OBrien The lightweight beam for Heavyweight applications Patent Applied For

479 views • 12 slides
Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena Berezovsky Tim Hockin CIA IT operations have top secret apps for their agents, most of which require isolation Antoni is in Ops and wants to help CIA

458 views • 31 slides
Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr

Applying F(I)MEA Technique for SDN/OpenFlow Security Analysis Green Kim greenkim@konkuk.ac.kr Contents 1. Introduction 1.1 Motivation 1.2 Related Works Analysis 1.2.1 OpenFlow: A Security Analysis 1.2.2 OpenFlow Vulnerability Assessment

345 views • 30 slides
Evaluation of SDN Controller and Its Impact on Information-Centric Networking (ICN) Overview, Use

Evaluation of SDN Controller and Its Impact on Information-Centric Networking (ICN) Overview, Use

Evaluation of SDN Controller and Its Impact on Information-Centric Networking (ICN) Overview, Use Cases and Performance Evaluation Karim Md Monjurul 27-12-2018 School of Computer Science, Beijing Institute of Technology Table of contents 1.

560 views • 45 slides
Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University

Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University

Deeply Programmable Network (DPN) and Advanced Network Virtualization Aki Nakao The University of Tokyo 2012/11/27 1 OpenFlow SDN OpenFlow Controller Fixed Data Plane Fixed Control Plane (OpenFlow API) Flow Pattern Match

626 views • 23 slides
IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer Sc. & Engg. LOGO Indian Institute of Technology Guwahati Agenda Outline Motivation for IPv6 Brief comparision between IPv6 and IPv4

290 views • 25 slides
In-Zone Power Distribution for the Next Generation Integrated Power System Generation Integrated

In-Zone Power Distribution for the Next Generation Integrated Power System Generation Integrated

In-Zone Power Distribution for the Next Generation Integrated Power System Generation Integrated Power System ASNE Advanced Naval Propulsion Symposium 2008 December 15-16 2008 Arlington, VA CAPT Norbert Doerry Technical Director, Future

487 views • 17 slides
Cybersecurity research and education: Helping meet the high demand for cybersecurity experts

Cybersecurity research and education: Helping meet the high demand for cybersecurity experts

West Virginia University Cybersecurity research and education: Helping meet the high demand for cybersecurity experts Katerina Goseva-Popstojanova Professor Lane Department of Computer Science and Electrical Engineering (LCSEE) West

538 views • 21 slides
Investigative Research for an IP Peering Service for NetherLight Assessor: Cees de Laat

Investigative Research for an IP Peering Service for NetherLight Assessor: Cees de Laat

Investigative Research for an IP Peering Service for NetherLight Assessor: Cees de Laat Supervisors: Research Project 2 #100 Gerben van Malenstein Arnold Buntsma Migiel de Vos Mar Badias Sim Max Mudde NetherLight: open lightpath

633 views • 25 slides

More recommend