Abstract
Internet-of-Things (IoT) cyber threats such as jackware [14] and cryptomining [33] show that insecure IoT devices can be exploited by attackers with different goals. As many such attacks are multi-step, early detection is critical. Early detection enables early attack containment and response, and prevention of malware propagation. However, it is challenging to detect early-phase attacks with both high precision and high recall, as attackers typically attempt to evade detection systems with stealthy or zero-day attacks. To enhance the security of IoT devices, we propose IoTEDef, a deep learning-based system able to identify infection events and evolve with the identified infections. IoTEDef understands multi-step attacks based on cyber kill chains and maintains detectors for each step. When it detects anomalies related to a later stage of the kill chain, IoTEDef backtracks the log of events and analyzes these events to identify infection events. Then, IoTEDef updates its infection detector with the identified events. IoTEDef can be used for threat hunting as well as for the generation of indicators of compromise and attacks. To show its feasibility, we implement a prototype of the system and evaluate it against the Mirai botnet campaign [2] and the multi-step attack that exploits the Log4j vulnerability [36] to infect IoT devices. Our results show that the F1-score of our evolved infection detector in IoTEDef, instantiated with long short-term memory (LSTM) and the attention mechanism, increases from 0.31 to 0.87. We also show that existing attention-based NIDSes can benefit from our approach.
References
Andrea, H.: 10 benefits of Internet of Things (IoT) in our lives and businesses (2021). https://www.tech21century.com/internet-of-things-iot-benefits/. Accessed 13 Sep 2021
Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th USENIX Security Symposium (2017)
Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate. In: International Conference on Learning Representations (2015)
Bertino, E., Islam, N.: Botnets and internet of things security. IEEE Comput. 50(2), 76–79 (2017)
Chaudhari, S., Mithal, V., Polatkan, G., Ramanath, R.: An attentive survey of attention models. ACM Trans. Intell. Syst. Technol. (TIST) 12(5), 1–32 (2021)
Cho, K., Merriënboer, B.V., Bahdanau, D., Bengio, Y.: On the properties of neural machine translation: encoder-decoder approaches (2014)
Cole, E.: Threat hunting: Open season on the adversary (2016). https://de.malwarebytes.com/pdf/white-papers/Survey_Threat-Hunting-2016_Malwarebytes.pdf. Accessed 31 Jan 2022
CoreSecurity: Pcapy (2014). Accessed 15 Oct 2021
Dingee, D.: IoT, not people, now the weakest link in security, January 2019. https://devops.com/iot-not-people-now-the-weakest-link-in-security/. Accessed 13 May 2021
Eskandari, M., Janjua, Z.H., Vecchio, M., Antonelli, F.: Passban IDS: an intelligent anomaly-based intrusion detection system for IoT edge devices. IEEE Internet Things J. 7(8), 6882–6897 (2020)
Forney, G.D.: The viterbi algorithm. Proc. IEEE 61(3), 268–278 (1973)
Fu, Y., Yan, Z., Cao, J., Koné, O., Cao, X.: An automata based intrusion detection method for internet of things. Mob. Inf. Syst. 2017, 1750637:1–1750637:13 (2017)
Gartner: Addressing the cyber kill chain: Full Gartner research report and LookingGlass perspectives (2016). Accessed 06 Mar 2021
Glassberg, J.: Jackware: a new type of ransomware could be 10 times as dangerous (2021). https://finance.yahoo.com/news/ransomware-jackware-115229732.html. Accessed 12 June 2021
Gu, G., Porras, P.A., Yegneswaran, V., Fong, M.W., Lee, W.: BotHunter: detecting malware infection through IDS-driven dialog correlation. In: USENIX Security Symposium, vol. 7, pp. 1–16 (2007)
Guo, C., Berkhahn, F.: Entity embeddings of categorical variables. arXiv preprint arXiv:1604.06737 (2016)
Haas, S., Fischer, M.: GAC: graph-based alert correlation for the detection of distributed multi-step attacks. In: Proceedings of the 33rd Annual ACM Symposium on Applied Computing, pp. 979–988 (2018)
Habibi, J., Midi, D., Mudgerikar, A., Bertino, E.: Heimdall: mitigating the internet of insecure things. IEEE Internet Things J. 4(4), 968–978 (2017)
Han, X., Pasquier, T., Bates, A., Mickens, J., Seltzer, M.: Unicorn: runtime provenance-based detector for advanced persistent threats. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2020)
Hutchins, E.M., Cloppert, M.J., Amin, R.M., et al.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Lead. Issues Inf. Warfare Secur. Res. 1(1), 80 (2011)
Jallad, K.A., Aljnidi, M., Desouki, M.S.: Anomaly detection optimization using big data and deep learning to reduce false-positive. J. Big Data 7(1) (2020)
Javed, M., Paxson, V.: Detecting stealthy, distributed SSH brute-forcing. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 85–96 (2013)
Kang, H., Ahn, D., Lee, G., Yoo, J., Park, K., Kim, H.: IoT network intrusion dataset (2019). https://ieee-dataport.org/open-access/iot-network-intrusion-dataset. Accessed 06 Mar 2021
Keras: Keras (2016). https://keras.io/. Accessed 15 Oct 2021
Klassen, F.: AppNeta: Tcpreplay (2018). https://tcpreplay.appneta.com/. Accessed 06 Mar 2021
Krebs, B.: Reaper: calm before the IoT security storm?, October 2017. https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/. Accessed 05 July 2021
Lantz, B., Heller, B., McKeown, N.: A network in a laptop: rapid prototyping for software-defined networks. In: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, pp. 1–6 (2010)
Lashkari, A.H.: Cicflowmeter features (2018). https://github.com/ahlashkari/CICFlowMeter/blob/master/ReadMe.txt. Accessed 19 May 2022
Liu, C., Liu, Y., Yan, Y., Wang, J.: An intrusion detection model with hierarchical attention mechanism. IEEE Access 8, 67542–67554 (2020)
Luong, M.T., Pham, H., Manning, C.D.: Effective approaches to attention-based neural machine translation. In: The 2015 Conference on Empirical Methods in Natural Language Processing (EMNLP 2015) (2015)
Mannila, H., Toivonen, H., Verkamo, A.I.: Discovery of frequent episodes in event sequences. Data Min. Knowl. Disc. 1(3), 259–289 (1997)
Martin, L.: Seven ways to apply the cyber kill chain with a threat intelligence platform (2015). Lockheed Martin Corporation
McMillen, D., Alvarez, M.: Mirai IoT botnet: mining for bitcoins?, April 2017. https://securityintelligence.com/mirai-iot-botnet-mining-for-bitcoins/. Accessed 05 July 2021
Midi, D., Rullo, A., Mudgerikar, A., Bertino, E.: Kalis: a system for knowledge-driven adaptable intrusion detection for the Internet of Things. In: 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), pp. 656–666. IEEE (2017)
Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: HOLMES: real-time APT detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (S&P), pp. 1137–1152. IEEE (2019)
Msehgal: Protect your IoT devices from Log4j 2 vulnerability (2021). https://live.paloaltonetworks.com/t5/blogs/protect-your-iot-devices-from-log4j-2-vulnerability/ba-p/453381. Accessed 14 Jan 2022
Nguyen, T.D., Marchal, S., Miettinen, M., Fereidooni, H., Asokan, N., Sadeghi, A.R.: DÏoT: a federated self-learning anomaly detection system for IoT. In: 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS), pp. 756–767. IEEE (2019)
Osborne, C.: This is why the mozi botnet will linger on (2021). https://www.zdnet.com/article/this-is-why-the-mozi-botnet-will-linger-on/. Accessed 27 Jan 2022
Palmer, D.: This sneaky hacking group hid inside networks for 18 months without being detected (2022). https://www.zdnet.com/article/this-sneaky-hacking-group-hid-inside-networks-for-18-months-without-being-detected/. Accessed 18 May 2022
Research, C.P.: IoTroop botnet: the full investigation, March 2017. https://research.checkpoint.com/2017/iotroop-botnet-full-investigation/. Accessed 05 July 2021
Soleimani, M., Ghorbani, A.A.: Multi-layer episode filtering for the multi-step attack detection. Comput. Commun. 35(11), 1368–1379 (2012)
Sqrrl Data, I.: A framework for cyber threat hunting (2018). https://www.threathunting.net/files/framework-for-threat-hunting-whitepaper.pdf. Accessed 31 Jan 2022
Storm, B.E., Applebaum, A., Miller, D.P., Nickels, K.C., Pennington, A.G., Thomas, C.B.: MITRE ATT&CK: design and philosophy (2018). Accessed 06 Mar 2021
Sutskever, I., Vinyals, O., Le, Q.V.: Sequence to sequence learning with neural networks. In: Proceedings of the 27th International Conference on Neural Information Processing Systems, vol. 2, pp. 3104–3112 (2014)
Tang, C., Luktarhan, N., Zhao, Y.: SAAE-DNN: deep learning method on intrusion detection. Symmetry 12(10), 1695 (2020)
Acknowledgement
The work reported in this paper has been supported by Cisco Research and by NSF under grant 2112471.
A Dataset Generation
In our experiment, we use the dataset from [23]. It consists of several files that capture packets related to the Mirai botnet, including ARP spoofing packets, host discovery packets, and various flooding packets. Among them, we use the following packets in our experiment:
- Benign: these packets are normal packets exchanged between benign entities.
- Port scanning: these packets are simple SYN packets to scan open ports at a targeted device. These packets are labeled as Reconnaissance.
- Brute force: these packets are used to perform dictionary attacks with predefined credentials to infiltrate a target device. We label these packets as Infection.
- Flooding: these packets are SYN/ACK/HTTP/UDP flooding packets that cause a DoS condition at a victim. These packets are tagged as Action.
Due to the limited number of datasets, we manipulate the existing dataset to create new, diverse scenarios. For example, we may want to generate a dataset with a specified number of infection packets at a certain time and a number of UDP flooding packets for a particular duration. To this end, we implement a data manipulation script, which works as follows:
1. A new scenario file is created. The starting time of the scenario is 0.
2. A list of files that contain interesting packets is specified with the starting time and the duration. In detail, the list consists of a number of entries of the form (<file name> <starting time> <duration>), meaning that packets are randomly extracted from <file name> and inserted into the new scenario file at time <starting time> for <duration>. For example, (bruteforce.pcap 10 2) means that packets from bruteforce.pcap are inserted into the new scenario at time 10 for 2 s.
3. All the packets are extracted from the files in the list and put into the new scenario file at the appropriate times. We allow overlaps between packets from different entries.
4. Finally, the IP addresses of the packets are rewritten to loopback addresses.
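The four steps above, carried out on in-memory packet records as an added illustration (this is not the authors' script from the repository below). It assumes a minimal `Packet` record in place of real pcap parsing, constructed stand-ins for the capture files, and that "inserted at time T for D seconds" means the sampled packets are placed within [T, T + D] while keeping their relative order.

```python
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since the start of its own capture
    src: str
    dst: str
    label: str   # Benign / Reconnaissance / Infection / Action


# Constructed stand-ins for the capture files (file name -> packets); no real pcaps are read.
CAPTURES = {
    "benign.pcap": [Packet(i * 0.5, "192.168.0.10", "192.168.0.20", "Benign") for i in range(40)],
    "bruteforce.pcap": [Packet(i * 0.1, "10.0.0.5", "192.168.0.20", "Infection") for i in range(30)],
    "udpflood.pcap": [Packet(i * 0.01, "192.168.0.20", "203.0.113.9", "Action") for i in range(100)],
}


def to_loopback(ip, ipmap):
    """Step 4: map each distinct original address to its own 127.0.0.k address
    (assumes fewer than 255 distinct addresses per scenario)."""
    if ip not in ipmap:
        ipmap[ip] = f"127.0.0.{len(ipmap) + 1}"
    return ipmap[ip]


def build_scenario(spec, captures, per_entry=10, seed=0):
    """Steps 1-4: build a scenario whose time origin is 0 from a list of
    (<file name>, <starting time>, <duration>) entries, e.g. ("bruteforce.pcap", 10, 2)."""
    rng = random.Random(seed)           # seeded so a scenario can be regenerated exactly
    scenario, ipmap = [], {}            # step 1: empty scenario, fresh address map
    for name, start, duration in spec:
        pool = captures[name]
        # Step 2: randomly extract packets from the named file, keeping their order ...
        chosen = sorted(rng.sample(pool, min(per_entry, len(pool))), key=lambda p: p.ts)
        span = chosen[-1].ts - chosen[0].ts
        # ... and squeeze them into [start, start + duration] of the new timeline.
        for p in chosen:
            offset = (p.ts - chosen[0].ts) / span * duration if span else 0.0
            scenario.append(replace(p, ts=start + offset,
                                    src=to_loopback(p.src, ipmap),
                                    dst=to_loopback(p.dst, ipmap)))
    scenario.sort(key=lambda p: p.ts)   # step 3: merge by time; entry windows may overlap
    return scenario


if __name__ == "__main__":
    for pkt in build_scenario([("bruteforce.pcap", 10, 2), ("udpflood.pcap", 11, 5)], CAPTURES):
        print(f"{pkt.ts:8.3f}  {pkt.src} -> {pkt.dst}  {pkt.label}")
```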
This way, we can flexibly generate a new dataset. The dataset generation script is available at https://github.com/iotedef.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Lee, H., Mudgerikar, A., Kundu, A., Li, N., Bertino, E. (2022). An Infection-Identifying and Self-Evolving System for IoT Early Defense from Multi-Step Attacks. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_27
DOI: https://doi.org/10.1007/978-3-031-17146-8_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17145-1
Online ISBN: 978-3-031-17146-8