Rootkit Detection on Embedded IoT Devices

2021 ◽  
Author(s):  
Roland Nagy ◽  
Krisztián Németh ◽  
Dorottya Papp ◽  
Levente Buttyán

IoT systems are subject to cyber attacks, including infecting embedded IoT devices with rootkits. Rootkits are malicious software that typically run with elevated privileges, which makes their detection challenging. In this paper, we address this challenge: we propose a rootkit detection approach for embedded IoT devices that takes advantage of a trusted execution environment (TEE), which is often supported on popular IoT platforms, such as ARM-based embedded boards. The TEE provides an isolated environment for our rootkit detection algorithms, and prevents the rootkit from interfering with their execution even if the rootkit has root privileges on the untrusted part of the IoT device. Our rootkit detection algorithms identify modifications made by the rootkit to the code of the operating system kernel, to system programs, and to data influencing the control flow (e.g., hooking system calls), as well as inconsistencies created by the rootkit in certain kernel data structures (e.g., those responsible for handling process-related information). We also propose algorithms to detect rootkit components in the persistent storage of the device. Besides describing our approach and algorithms in detail, we also report on a prototype implementation and on the evaluation of our design and implementation, which is based on testing our prototype with rootkits that we developed for this purpose.

2020 ◽  
Vol 16 (1) ◽  
pp. 155014772090168
Author(s):  
Yang Zhang ◽  
Shixin Sun ◽  
Dongwen Zhang ◽  
Jing Qiu ◽  
Zhihong Tian

The software architecture of Internet of Things defines the component model and interconnection topology of Internet of Things systems. Refactoring is a systematic practice of improving a software structure without altering its external behaviors. When the Internet of Things software is refactored, it is necessary to detect the correctness of Internet of Things software to ensure its security. To this end, this article proposes a novel refactoring correction detection approach to ensure software security. Control flow analysis and data flow analysis are used to detect code changes before and after refactoring, and synchronization dependency analysis is used to detect changes in synchronization dependency. Three detection algorithms are designed to detect refactoring correctness. Four real-world benchmark applications are used to evaluate our approach. The experimental results show that our proposed approach can ensure correctness of Internet of Things software refactoring.


Electronics ◽  
2021 ◽  
Vol 10 (8) ◽  
pp. 918
Author(s):  
Danish Javeed ◽  
Tianhan Gao ◽  
Muhammad Taimoor Khan

The Internet of Things (IoT) has proven to be a billion-dollar industry. Despite offering numerous benefits, the prevalent nature of IoT makes it vulnerable and a possible target for the development of cyber-attacks. The diversity of the IoT, on the one hand, leads to the benefits of the integration of devices into a smart ecosystem, but the heterogeneous nature of the IoT makes it difficult to come up with a single security solution. However, the centralized intelligence and programmability of software-defined networks (SDNs) have made it possible to compose a single and effective security solution to cope with cyber threats and attacks. We present an SDN-enabled architecture leveraging hybrid deep learning detection algorithms for the efficient detection of cyber threats and attacks while considering the resource-constrained IoT devices so that no burden is placed on them. We use a state-of-the-art dataset, CICDDoS 2019, to train our algorithm. The results evaluated by this algorithm achieve high accuracy with a minimal false positive rate (FPR) and testing time. We also perform 10-fold cross-validation, proving our results to be unbiased, and compare our results with current benchmark algorithms.


Sensors ◽  
2021 ◽  
Vol 21 (10) ◽  
pp. 3536
Author(s):  
Jakub Górski ◽  
Adam Jabłoński ◽  
Mateusz Heesch ◽  
Michał Dziendzikowski ◽  
Ziemowit Dworakowski

Condition monitoring is an indispensable element related to the operation of rotating machinery. In this article, a monitoring system for a parallel gearbox is proposed. The novelty detection approach is used to develop the condition assessment support system, which requires data collection for a healthy structure. The measured signals were processed to extract quantitative indicators sensitive to the type of damage occurring in this type of structure. The indicators' values were used for the development of four different novelty detection algorithms. The presented novelty detection models operate on three principles: feature space distance, probability distribution, and input reconstruction. One of the distance-based models is adaptive, adjusting to new data flowing in the form of a stream. The authors test the developed algorithms on experimental and simulation data with a similar distribution, using a training set consisting mainly of samples generated by the simulator. The results presented in the article demonstrate the effectiveness of the trained models on both data sets.


Sensors ◽  
2021 ◽  
Vol 21 (5) ◽  
pp. 1598
Author(s):  
Sigurd Frej Joel Jørgensen Ankergård ◽  
Edlira Dushku ◽  
Nicola Dragoni

The Internet of Things (IoT) ecosystem comprises billions of heterogeneous Internet-connected devices which are revolutionizing many domains, such as healthcare, transportation, and smart cities, to mention only a few. Along with the unprecedented new opportunities, the IoT revolution is creating an enormous attack surface for potential sophisticated cyber attacks. In this context, Remote Attestation (RA) has gained wide interest as an important security technique to remotely detect adversarial presence and assure the legitimate state of an IoT device. While many RA approaches proposed in the literature make different assumptions regarding the architecture of IoT devices and adversary capabilities, most typical RA schemes rely on a minimal Root of Trust by leveraging hardware that guarantees code and memory isolation. However, the presence of specialized hardware is not always a realistic assumption, for instance, in the context of legacy IoT devices and resource-constrained IoT devices. In this paper, we survey and analyze existing software-based RA schemes (i.e., RA schemes not relying on specialized hardware components) through the lens of IoT. In particular, we provide a comprehensive overview of their design characteristics and security capabilities, analyzing their advantages and disadvantages. Finally, we discuss the opportunities that these RA schemes bring in attesting legacy and resource-constrained IoT devices, along with open research issues.


Author(s):  
Darshan Mansukhbhai Tank ◽  
Akshai Aggarwal ◽  
Nirbhay Kumar Chaubey

Cybercrime continues to emerge, with new threats surfacing every year. Every business, regardless of its size, is a potential target of cyber-attack. Cybersecurity in today's connected world is a key component of any establishment. Amidst known security threats in a virtualization environment, side-channel attacks (SCA) target most impressionable data and computations. SCA is flattering major security interests that need to be inspected from a new point of view. As a part of cybersecurity aspects, secured implementation of virtualization infrastructure is very much essential to ensure the overall security of the cloud computing environment. We require the most effective tools for threat detection, response, and reporting to safeguard business and customers from cyber-attacks. The objective of this chapter is to explore virtualization aspects of cybersecurity threats and solutions in the cloud computing environment. The authors also discuss the design of their novel 'Flush+Flush' cache attack detection approach in a virtualized environment.


Electronics ◽  
2020 ◽  
Vol 9 (3) ◽  
pp. 444 ◽  
Author(s):  
Valerio Morfino ◽  
Salvatore Rampone

In the field of Internet of Things (IoT) infrastructures, attack and anomaly detection are rising concerns. With the increased use of IoT infrastructure in every domain, threats and attacks on these infrastructures are also growing proportionally. In this paper the performance of several machine learning algorithms in identifying cyber-attacks (namely SYN-DOS attacks) on IoT systems is compared both in terms of application performance and in terms of training/application times. We use supervised machine learning algorithms included in the MLlib library of Apache Spark, a fast and general engine for big data processing. We show the implementation details and the performance of those algorithms on public datasets using a training set of up to 2 million instances. We adopt a Cloud environment, emphasizing the importance of scalability and elasticity of use. Results show that all the Spark algorithms used achieve a very good identification accuracy (>99%). Overall, one of them, Random Forest, achieves an accuracy of 1. We also report a very short training time (23.22 sec for Decision Tree with 2 million rows). The experiments also show a very low application time (0.13 sec for over 600,000 instances for Random Forest) using Apache Spark in the Cloud. Furthermore, the explicit model generated by Random Forest is very easy to implement using high- or low-level programming languages. In light of the results obtained, both in terms of computation times and identification performance, a hybrid approach for the detection of SYN-DOS cyber-attacks on IoT devices is proposed: the application of an explicit Random Forest model, implemented directly on the IoT device, along with a second-level analysis (training) performed in the Cloud.



Sensors ◽  
2020 ◽  
Vol 20 (8) ◽  
pp. 2159 ◽  
Author(s):  
Sung Hoon Baek ◽  
Ki-Woong Park

Flash-based storage is considered to be the de facto storage module for sustainable Internet of Things (IoT) platforms under a harsh environment due to its relatively fast speed and operational stability compared to disk storage. Although its performance is considerably faster than disk-based mechanical storage devices, the read and write latency still cannot catch up with that of random-access memory (RAM). Therefore, RAM could be used as a storage device or system for time-critical IoT applications. Despite such advantages of RAM, a RAM-based storage system has limitations in its use for sustainable IoT devices due to its nature as volatile storage. As a remedy to this problem, this paper presents a durable hybrid RAM disk enhanced with a new read interface. The proposed durable hybrid RAM disk is designed for sustainable IoT devices that require not only high read/write performance but also data durability. It includes two performance improvement schemes: rapid resilience with a fast initialization and direct byte read (DBR). The rapid resilience with a fast initialization shortens the long booting time required to initialize the durable hybrid RAM disk. The new read interface, DBR, enables the durable hybrid RAM disk to bypass the disk cache, which is an overhead in RAM-based storage. DBR performs byte-range I/O, whereas direct I/O requires block-range I/O; therefore, it provides a more efficient interface than direct I/O. The presented schemes and device were implemented in the Linux kernel. Experimental evaluations were performed using various benchmarks from the block level to the file level. In workloads where reads and writes were mixed, the durable hybrid RAM disk showed 15 times better performance than that of the solid-state drive (SSD) itself.


2019 ◽  
Vol 9 (1) ◽  
pp. 178 ◽  
Author(s):  
Belal Sudqi Khater ◽  
Ainuddin Wahid Bin Abdul Wahab ◽  
Mohd Yamani Idna Bin Idris ◽  
Mohammed Abdulla Hussain ◽  
Ashraf Ahmed Ibrahim

Fog computing is a paradigm that extends cloud computing and services to the edge of the network in order to address the inherent problems of the cloud, such as latency and lack of mobility support and location-awareness. The fog is a decentralized platform capable of operating and processing data locally and can be installed in heterogeneous hardware which makes it ideal for Internet of Things (IoT) applications. Intrusion Detection Systems (IDSs) are an integral part of any security system for fog and IoT networks to ensure the quality of service. Due to the resource limitations of fog and IoT devices, lightweight IDS is highly desirable. In this paper, we present a lightweight IDS based on a vector space representation using a Multilayer Perceptron (MLP) model. We evaluated the presented IDS against the Australian Defense Force Academy Linux Dataset (ADFA-LD) and Australian Defense Force Academy Windows Dataset (ADFA-WD), which are new generation system calls datasets that contain exploits and attacks on various applications. The simulation shows that by using a single hidden layer and a small number of nodes, we are able to achieve a 94% Accuracy, 95% Recall, and 92% F1-Measure in ADFA-LD and 74% Accuracy, 74% Recall, and 74% F1-Measure in ADFA-WD. The performance is evaluated using a Raspberry Pi.


2012 ◽  
Vol 546-547 ◽  
pp. 1101-1106
Author(s):  
Dan Nie ◽  
Yu Hui Wang

The intended data flow in a vulnerable program is subject to being subverted by attacks which exploit buffer overflows or format string vulnerabilities to write data to unintended locations. In mobile telecommunication, this is especially important for data safety. These attacks can be classified into two types: control-flow attacks exploit buffer overflows or other vulnerabilities to overwrite a return address, a function pointer, or some other piece of control data; non-control-data attacks exploit similar vulnerabilities to overwrite security-critical data without subverting the intended control flow of the program. Control-flow attacks are well studied and widely used, so there are several typical approaches to prevent them, which monitor the sequence of system calls emitted by the application being monitored and utilize control-flow information of the system calls for intrusion detection. However, non-control-data attacks are rare for the reason that they rely on specific semantics of the target applications, and there are only a few works that defend against them to some extent. In order to prevent non-control-data attacks, in this paper we leverage a dynamic taint technique to track the instruction-level relationship between different system call arguments and construct a taint graph which can represent the behavior profile of a benign program.
