Unlike to the incumbent service providers, market entrants usually try to explore new niches offering highly specialized services. In turn, existing providers try to increase their incomes through expanding the range of delivered services [3, 4]. In consequence, they often decide to enter new markets such as maintenance for Smart Home systems. For this purpose ISPs build alliances with smart device manufacturers to enrich their offer and open new distribution channel for high-tech products. Figure 1 illustrates the basic business model of the service provider who maintains the platform for Smart Home management.
This model assumes that the service provider cooperates with the smart device manufacturer who is responsible not only for supplying devices but also for commissioning the software both for smart devices and management services offered by the service provider. In turn, the service provider assures hardware distribution among customers (uses its own sales channels, or makes use of a network of distributors). Moreover, the service provider takes over the responsibility for secure service delivery. It includes exposing of secure Application Programming Interfaces (APIs), monitoring of user activity and controlling the packet traffic between the user premise and the provider’s servers.
The service provider maintaining the platform for Smart Home management is usually able to detect some anomalies in behavior of these systems through traffic/event analysis. But in some cases the service provider may engage an external entity (company) for deeper security analysis, because security expertise level required in the analytics for detecting advanced threats can be beyond the capabilities of service providers. For such reasons, many companies are turning to external managed security solutions so that they can count on experts doing the monitoring and advanced security analytics. Some companies conducting security analytics are even exposing APIs to enable such sharing for their clients. Obviously, such sharing encompasses only relevant data and is done only with the selected partners, and ensuring that each partner’s access is appropriately restricted.Footnote 1 This approach is also economically justified, because not every operator has the necessary resources to maintain their own high skilled Computer Emergency Response Team (CERT). The presented model follows an generic communication Back-End Data-Sharing Model presented in RFC 7452 . This generalized model assumes that IoT devices upload data only to a single application service provider , however, users often want to be able to analyze data in combination with data from other sources. Hence, the desire for granting access to the uploaded Smart Home data to third parties arises. Such method of combining web data is known as mashup and therefore might be applied to the smart object context. To move the popularity of web tools to IoT ground, typically a RESTful API design together with the proper authentication and authorization technologies are reused.
General classification of IDS
The conventional security countermeasures like user authentication, data encryption, and security network tools (firewalls, Network Address Translations/NATs) act as first line of defense against external threats. The problem arises when an unauthorized user compromises these countermeasures and is able to use smart devices connected to HAN in unnoticed way. Since many of HAN connected devices use radio transmission, the potential attacker may easily harm or misuse the smart objects and that way influence Smart Home systems (e.g., heating, monitoring, etc.). Therefore, in addition to traditional protection methods, there should be used also security tools which provide protection against both external and internal attacks. One of the potential solution known mainly from enterprise IT systems is an IDS. It aims to detect the intrusions (or anomalies) in real time by protecting nodes from inside and outside threats.
Basically, there are two data sources for IDS—monitored network traffic and data describing events on individual machines connected to the network, including data derived from:
tracing systems (system tools which let trace all system calls made by other processes),
tools for checking file integrity checksums and registry entries,
audit system, (system tool which generates log entries to record information about the events that are happening on OS based on pre-configured rules).
Common criteria for classification of IDS solutions include the data collecting mechanisms to enable intrusion analysis. In that case we distinguish between: host-based (HIDS) and network-based (NIDS) intrusion detection systems. In the first case, the raw data collection is based on system/application logs. This category of IDS is also known as Log-based Intrusion Detection Systems (i.e., OSSEC.Footnote 2) The second approach assumes that network traffic is treated as the source of events which may trigger intrusion detection processes (i.e., Snort,Footnote 3 SuricataFootnote 4). For this reason, NIDS is designed to monitor all traffic between network entities and capture suspicious events.
The method used to detect attack by IDS system is an another criteria for classification. Essentially, there are three basic methods used for an inspection: (i) based on signature detection which attempts to detect abnormal behavior matching the observed behavior against pre-defined attack patterns, (ii) anomaly based, which identifies malicious activities by analyzing the events (firstly, it defines the normal behavior of the network, then, if any activity differs from normal behavior, it is marked as an intrusion), (iii) hybrid IDS, which is a combination of both anomaly-based and signature-based approaches. Moreover, this classification is extended in  to the case of an cross layer IDS (iv), which has the capability to monitor and detect intrusions at multiple OSI layers by analysis of exchanged data across different layers.
Further classification criteria are related to the IDS architecture (e.g., monolithic, hierarchical, distributed, agent-based), the area where these systems are applied (e.g., enterprise networks, Industrial Control System (ICS), wireless networks, etc.) and possible reaction (passive, active).
IDS for Internet of Things
The broadcast nature of radio communication within the HAN makes is susceptible to various security threats typical for Wireless Sensor Networks (WSNs) . For this reason, further analysis of HAN suitable IDS is focused on solutions adopted for WSNs. In this context, efforts of researchers concentrate mainly on limitations of smart devices which make the implementation of full functionality of IDS difficult. In particular, theoretical work and simulations in this area are carried out to: (i) distribute attack detection tasks between smart devices, (ii) decrease computational complexity of detection algorithms, and (iii) limit the set of attacks which are detectable by the IDSs based on smart devices.
In the first research area we have given particular attention to separate less computational complex tasks performed by constraint nodes (i.e., traffic/events monitoring and reporting) from more complex (i.e., analysis and attack detection) and performed by advanced devices. For this purpose IDS might operate in cooperative cluster mode . It means that every node monitors its neighbors and surrounding nodes activities and operation; in case of any malicious activity detection, the cluster head is informed.
In paper  authors have proposed solution based on mobile agents (software modules) which are responsible for anomaly detection in wireless Smart Home sensor networks. This approach assumes that the mobile agent may be installed on each sensor node using a middleware. Middleware used for launching the mobile agent, can also be used for variety of other tasks. The authors mention here mainly the maintenance tasks such as: updating node’s firmware, network management, checking, status of the node, etc. According to the authors, anomalies are detected by IDS modules located on so called Cluster Heads (CHs) which play a role of data aggregators and data forwarder to base station in WSN. For that reason, the CHs should provide sufficient processing power for all the assumed tasks. The Cluster Head performs analysis of the data received from sensors/actuators. The anomalous reading triggers anomaly agent in CH which checks if the suspicious node has been compromised. It is accomplished using the mobile agent launched on victim’s node.
According to the authors, this approach eliminates the need of installing IDS (anomaly detection) software on each sensor node. This results in moving the responsibility of tracking and alerting onto nodes which have more powerful resources. On the other hand, these nodes might not be able to receive anomalous readings and consequently they will not launch the mobile agent.
A similar IDS approach based on mobile agent concept was proposed in . However, unlike the concept presented in , where the mobile agent tasks were focused mainly on data collection and reporting to the WSN cluster heads, this solution provides specific task-oriented mobile agents. Namely, it defines following different agents responsible for performing strictly assigned tasks: Collector Agent, Misuse Detection Agent, Anomaly Detection Agent, and Alert Agent. Two of them play the crucial role as IDS components—the Misuse Detection Agent, which detects known attacks in network on the traffic data received from the Collector Agent, and the Anomaly Detection Agent which is used to detect the attacks on basis of anomaly detection algorithm. In case of an attack detection, the both detection agents trigger the Alert Agent which propagates this information.
The second research area concentrates mainly on adjusting the IDS algorithms to constrained nodes properties. These works were published in several papers. The exemplary research results were presented in , where authors described modifications of the anomaly based IDS exploiting genetic k-means algorithm. Authors have improved algorithm efficiency and increased attack detection rate compared to basic algorithm. Also results described in  present algorithms, optimized for cluster based WSNs. In that case, authors adopted machine learning approach based on selected supervised learning model—support vector machine (SVM). It was exploited for data analysis and misuse detection in a distributed environment. The learning algorithm is used to drive SVM to distinguish between normal and malicious patterns. It is designed to operate in cluster based WSNs, where all nodes monitor their neighbors.
The third research area shows that the majority of the existing intrusion detection solutions are capable of handling only a few security attacks. Particularly, the signature-based IDS solutions make use of this assumption, since they consume more resources for computations as compared to anomaly-based IDS. In this context, authors of  enumerate list of security threats typical for IoT and specifically WSNs, and among the following: Sinkhole Attack, Wormhole Attack: Selective Forwarding Attack, Sybil Attack, Hello Flood Attack, and the Denial of Service (DOS) Attack. Following this list, several IDS examples are described in the literature. Specifically, authors of  proposed an IDS detecting black hole attacks in WSNs. In this proposal, sensor node and base station are exchanging control packets containing the node id and number of packets sent to the cluster head. This information is propagated to the base station which additionally monitors all passing traffic. According to the authors, this approach decreases energy consumption of nodes. Another proposed IDS concept, described in , aims at detecting Sybil node attack in WSN. In their work, authors proposed two stage method for solving this problem. Namely, the first stage is that cluster head polls slave nodes for their identities and position data. Received data are stored in the table maintained by the cluster head. In the second stage, all authorized nodes reply to the cluster head with their identities and current position data including the Sybil node. Finally, the cluster head matches received and stored data to discover the Sybil node. The authors claimed that proposed system improves the energy efficiency and it detects the Sybil node with reasonable accuracy. In this context, it is worth to note that energy efficiency and securing data transmission is a new challenging area in IoT applications. Several research efforts have been published in [17, 18]. In a hybrid approach joining signature- and anomaly-based methods, a good example is a conceptual IDS called SVELTE described in details in . Authors decided that the monitoring part (which is computationally lightweight) is to be implemented into resource-constrained nodes. The resource demanding functionality is placed onto the Border Router (BR) which is an edge node connecting 6LoWPAN network with the Internet (acts as a technology gateway). The basic IDS functionality of SVELTE aims to detect attacks targeted to the routing mechanisms, in particular spoofed or altered information, sinkhole, and selective forwarding attacks
As devices in IoT are resource-constrained and anomaly-based IDS requires computationally intensive operations, placement of IDS modules in a IoT network becomes a critical issue. In this context, SVELTE described in  follows this approach and proposes the lightweight monitoring functionality to be implemented into constrained nodes. More resource demanding IDS processes are performed by the Border Router (BR) of the 6LoWPAN network.
A generalized approach for separating the network monitoring part and the detection part is known as Cooperative Autonomous Attack Detection and was described in . The proposed idea introduces a multi-hierarchy monitoring environment for capturing packets and performing flow statistics. It assumes that this functionality is spread through the network but it builds up one detection system that analyzes data monitored at different points of the network. Furthermore, an output of the detection system can become an input of other detection system by exporting aggregated monitoring data.
An similar approach was proposed in  however authors have emphasized that this solution has been adjusted to grid networks specificity. Smart Grid Distributed Intrusion Detection System (SGDIDS) is a hierarchical and distributed IDS dedicated for smart grids. It divides monitored network into three layers: HAN, Neighborhood Area Network (NAN), and Wide Area Network (WAN). Each of them includes dedicated nodes with Analysis modules (AM) responsible for packet flow analysis. These modules use classification techniques such as Support Vector Machines (SVM) and Artificial Immune System (AIS) to inspect network traffic to efficiently classify malicious events. According to the authors, achieved results suggest that the proposed approach employing both techniques can considerably improve detection effectiveness.
Intrusion detection in cloud systems
A cloud infrastructure operated by the service provider extensively uses virtualization techniques which enables much more flexible resource utilization and is able to serve much more users at that same time. Moreover, all components of the cloud infrastructure run through standard Internet protocols. These may encourage potential attackers to violate security of provided services. That is the reason, why extremely different challenges are faced by the service provider that secures its infrastructure. First, it has to take into account more network-oriented groups of threats, which are aimed at disrupting network operations. According to , cloud computing platforms might suffer from attacks such as IP spoofing, Address Resolution Protocol spoofing, Routing Information Protocol attack, DNS poisoning, Flooding, Denial of Service (DoS), Distributed Denial of Service (DDoS), etc. Service providers deploy different security solutions across their networks but in case of datacenters the general approach is similar to enterprise networks. It assumes that the first line of defense is built up from firewalls which prevent outside attacks. Providing the cloud based services requires also that service provider ensures the proper set of security countermeasures against insider attacks. For this purpose it deploys highly efficient IDSs and intrusion prevention systems (IPSs) which, in turn, are used to mitigate these attacks. Also the integration of IoT and cloud computing technologies raises new challenges for securing virtual assets and data coming from smart devices. Current trends in this area have been described in .
Generally, there are similar classification criteria to those used for HAN, but the scale of solutions must be proportional to the scale of data being processed and the traffic being handled. For this reason, research on cloud-oriented IDS solutions is focused mainly on efficiency and accuracy. For this purpose new methods are being developed to detect attacks, when analysis is based on huge amounts of data. In this context, authors of  extend the basic IDS classification by adding the: Artificial neural network based IDS (ANN), Fuzzy logic based IDS, Association rule based IDS, Support Vector Machine (SVM) based IDS, and Genetic algorithm (GA) based IDS. The above mentioned IDS types are strictly related to techniques used for high volume data analysis for attack detection purposes.
The high volume data analysis and packet traffic is a primary driver for distribution of data processing. It aims to accelerate computations on live traffic data. For that purpose, an distributed IDS model plays an important role. This concept assumes that Distributed IDS (DIDS) consists of several IDS instances and often of both types host- and network based IDSs distributed in the operator’s network. All of them are able to communicate with each other and with a dedicated server responsible for aggregated data analysis and decision making. Each IDS instance collects data (and performs initial analysis or aggregation, depending on the concept), and then sends it to the central server. The IDS instance that collects data is often known as a probe or sensor. An exemplary solution following this approach is described in , where authors proposed that IDS instances located in different regions of the provider’s network are able independently to detect attacks and “warn” proper network devices operating in other regions.
Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD)  is an example of an another distributed network IDS that encompasses both monitoring and analysis components. This approach assumes that computation related to traffic analysis is spread throughout monitoring network nodes. Each node encompasses analysis component which uses both signature-based and Bayesian methods to detect intrusions. Completely another approach was adopted by originators of Dshield service.Footnote 5 They proposed centralized community-based firewall log correlation system which accepts logs from NIDS and firewalls around the Internet, aggregates them and then reports summaries on detected intrusions and possible attack activity. Information about detected attacks is available to network administrators in order to give them the ability to reconfigure and tune their security infrastructure.
An another approach assumes that IDS instances run not only on dedicated machines but also use hypervisor layer (a hypervisor is a platform to run VMs) for monitoring and analyzing communications between VMs, between hypervisor and VM and within the hypervisor based virtual networks. The so-called VM introspection based IDS (VMI-IDS) architecture was described for the first time in . It should be noted that attack detection might be performed by applications residing on VM or at the host machine layer—as a hypervisor-based IDS.