data conformity evaluation: a novel approach for iot security · range, throughput, and delay. at...
TRANSCRIPT
Data Conformity Evaluation: A Novel Approach forIoT Security
Enrico Giulio Maria VerzegnassiDept. of Computer, Control, and Management Engineering
“Sapienza” University of RomeRome, 00184, Italy
Konstantinos TountasElectrical and Computer Engineering & Computer Science
Florida Atlantic UniversityBoca Raton, FL, 33431, USA
Dimitris A. PadosElectrical and Computer Engineering & Computer Science
Florida Atlantic UniversityBoca Raton, FL, 33431, USA
Francesca CuomoDept. of Information, Elec. and Telecom. Engineering (DIET)
“Sapienza” University of RomeRome, 00184, Italy
Abstract—We consider the problem of attack detection for IoTnetworks based only on passively collected network parameters.For the first time in the literature, we develop a blind attackdetection method based on data conformity evaluation. Networkparameters collected passively, are converted to their conformityvalues through iterative projections on refined L1-norm tensorsubspaces. We demonstrate our algorithmic development in acase study for a simulated star topology network. Type of attack,affected devices, as well as, attack time frame can be easilyidentified.
Index Terms—Internet of Things, security, L1-norm, dataconformity, tensors, tensor decomposition, principal-component-analysis.
I. INTRODUCTION
A growing number of diverse physical devices are beingconnected to the Internet at an unprecedented rate realizing theidea of Internet of Things (IoT). IoT enabled physical objectsmay sense the environment, and perform tasks together bycommunicating with each other to coordinate decisions [1].An IoT network is not a simple wireless sensor network;it is a dense integration of the virtual and the real worldwhere communication between devices and humans takesplace. In a sense, it can be considered as an interwovenmedium of heterogeneous networks of different sizes makingup a large global network. Applications such as transportation,healthcare, industrial automation, and smart homes are justsome domains which IoT networks will enable or enhance[2]. IoT shifts from functionality to connectivity and data-driven decision making. New requirements and constraints areintroduced on the network, on the physical communicationchannel, on the end device hardware and software capabilities[3]. End devices are tailored to their assigned tasks to havethe lowest possible size, cost and energy consumption [4].
The work of D. A. Pados was supported by the Schmidt Family Foundation,Boca Raton, FL.
As a consequence, frequently the hardware has low resourcesin terms of computation power, memory, battery, transmissionrange, throughput, and delay. At the same time, for continuoussecure IoT operations key requirements are fault-tolerance,self-healing against compromised nodes and attacks, energyefficiency, scalability, and flexibility for heterogeneous net-work formation over a wide area [4].
This new heterogeneous networking environment createssignificant challenges in applying known security schemesto the IoT [2], [4]. Most of the state-of-the-art securityschemes are tailored to common networking standards andarchitectures, in contrast with the goals defined in [5]. Onthe contrary, a single IoT network could comprise of smallersub-networks utilizing different networking architectures andstandards, as well as end devices with different computation,communications, and security capabilities and requirements.
Recently the research community started investigating theuse of intrusion detection systems (IDS) for the IoT net-works, in order to tackle some of the security challengesand successfully identify attacks and affected nodes in widewireless networks. Specifically, a complete analysis of an IDSfor WSNs is presented in [1]. The authors utilize the OSImodel and geographical attack propagation to classify attacks.In [6], the authors analyze different IDS technologies andprovide useful guidelines for potential IDS applications inWSNs. Descriptions of different WSN attacks are presentedin [4], where the authors provide detailed discussion aboutthe general concept of WSN security and its challenges.
Machine learning techniques such as principal componentanalysis (PCA) for intrusion detection are introduced in [7].The authors present a dimensionality reduction and clas-sification system designed to detect malicious activity andintrusions. Moreover, the work in [8] utilizes machine learningideas to capture global knowledge of the traffic patterns in thewireless networks in order to identify intrusion attacks.
In this paper, we present for the first time in the literature978-1-5386-4980-0/19/$31.00 © 2019 IEEE
Fig. 1: Typical network architectures.
a blind tool for attack detection based on network parameterconformity evaluation. The system utilizes only end devices’network parameters passively collected by the base station(BS) or by dedicated devices and calculates how conformingthe parameters across the end devices are in time. Conformityis calculated iteratively by successive projections of the dataseton carefully calculated subspaces that capture the relationshipbetween devices, network parameters, and time. Attacks onend devices result in changes in the network parameters,translating to low data conformity of these devices at thespecific time intervals. The proposed solution does not requireedge device collaboration for attack detection and works inde-pendently of the IoT network architecture and implementation.
The rest of this paper is organized as follows. Section IIdiscuses security concerns in different IoT network architec-tures and network parameters that may want to include in ourdataset. Section III describes the proposed data conformityevaluation algorithm. Performance evaluation of the algorithmon simulated network data is presented in Section IV. A fewconcluding remarks are drawn in Section V.
II. PROBLEM STATEMENT
IoT security solutions should preserve user privacy, con-fidentiality, data integrity, availability, and non-repudiation.However, active edge device collaboration for security pur-poses is challenging as it leads to increased energy consump-tion, software and hardware resources, and maintenance re-quirements. Moreover, the solutions should be agnostic to thenetwork architecture and edge device type. Different networktopologies are presented at Fig. 1. In a typical star topology,the BS serves as the sink where all edge devices report to.Hence, the BS is able to gather data regarding the devices’state and features, such as received signal strength (RSS) andpacket delivery ratio (PDR), organically, without the need ofexplicit edge device collaboration. This may enable anomalydetection based only on parameters gathered locally. In otherend device topologies, such as mesh or tree networks, it ischallenging for an edge device to obtain such information.
In a network where the edge devices communicate directlyto each other, collecting RSS and PDR values for eachindividual link is difficult without external help. To solvethis problem, researchers assume the presence of specializeddevices (agents) collecting data from the network [9]. Typi-cally, these agents are devices with high hardware capabilitiesable to gather and report network parameters, which due
to the device geographical separation and the nature of thenetwork’s architecture would not have been possible to obtainotherwise. Two types of agents are considered, passive andactive. Passive agents are not part of the IoT network and areable to only acquire data about their nearby environment andend devices without interacting with the rest of the network.Active agents are able to communicate with the rest of thenetwork, request and exchange information and are consideredas “super” powerful edge nodes.
Different attacks affect different network parameters in adifferent way depending on the attacker’s goal and the IoTnetwork architecture and topology. In our studies, we considerparameters that an agent or a BS is able to obtain and calculatethrough normal network operation. These parameters includePDR (the number of packets delivered over a specific timeinterval), RSS (the average received signal strength over atime interval), the number of different recipients’ addresses,the distance between the agent/BS and the edge device, andthe edge devices’ latitude and longitude. Edge device batteryconsumption is another important parameter affected by manyattacks, however, a passive agent is not usually able to retrieveit, and therefore an active agent should be considered.
Next, we present two important attacks on an IoT networkthat can be identified through the aforementioned parameters.• Jamming attack: The main goal of this attack is to
disrupt the communication of the end devices close tothe attacker. The jamming attack can be divided intofour types [10]: constant, random, deceptive and reactive.The signal disruption involves all the devices close to thejammer and the effect for the victims is a substantialdecrease in the number of packets delivered while theRSS at the BS or the agent remains relatively high.Identification of a jamming attack can be carried out fromthe PDR, RSS, percentage of attacked victims, and thedistance between victims values.
• Sybil: In such an attack, a single node forges multipleidentities delivering packets with wrong information anddeceiving the intended receiver. Demirbas et al. [11] showhow it is possible to detect the Sybil attack by using mul-tiple “agents” collecting RSS data of the affected nodes.In fact, if two or more nodes are uniquely identified,and/or located at the same point, they are consideredforged, thus a Sybil attack can be detected [11], [12].The device’s location can be estimated through RSS,message delay (time-of-flight), or angle-of-arrival (AOA)localization techniques [13].
III. DATA CONFORMITY EVALUATION ALGORITHM
For our dataset, we define the tensor X ∈ RD×L×N wherethe columns correspond to end devices, rows to the parameters,and the third dimension to time. The goal of the algorithm is toconvert the original data tensor X to a tensor W ∈ RD×L×Nwhich contains the conformity value of each tensor element inthe [0, 1] range (Fig. 2). A security analyst, human or machine,can then analyze the W tensor and infer which devices areaffected by different attacks at different time instances.
0.01
0.02
0
0.01
0.05
0
0.02
0.03
0.01
0.02
0
0.01
0.01
0.02
0.01
0.01
0.02
0.01
0.3
0.05
0.01
0.02
0
0.01
0.05
0
0.02
0.03
0.01
0.02
0
0.01
0.01
0.02
0.01
0.01
0.02
0.01
0.3
0.05
-90
-81
-95
-78
5
8
10
3
15
20
4
37
-80.5
-65.3
34.5
10.4
-30.1
4.2
-70.3
45.1
-90
-81
-95
-78
5
8
10
3
15
20
4
37
-80.5
-65.3
34.5
10.4
-30.1
4.2
-70.3
45.1Parameters
Devices
Time
Parameters
Devices
Time
-90
-81
-95
-78
5
8
10
3
15
20
4
37
-80.5
-65.3
34.5
10.4
-30.1
4.2
-70.3
45.1
0.01
0.02
0
0.01
0.05
0
0.02
0.03
0.01
0.02
0
0.01
0.01
0.02
0.01
0.01
0.02
0.01
0.3
0.05
Data Conformity
Evaluation
Fig. 2: The original dataset is converted to element-by-elementconformity values. The lower the value the less conforming theelement.
Next, we describe how we calculate the conformity of thedata through iterative L1-norm tensor decompositions. Withoutloss of generality, we present the developed methodology withrespect to the first mode of our tensor dataset X(1) ∈ RD×LN .First, we calculate R1 principal components of the first modeX(1) denoted as Q
(1)1 ∈ RD×R1 by solving the following
optimization problem
Q(1)1 = argmax
Q∈RD×R,
QTQ=IR
∥∥∥XT(1)Q
∥∥∥1. (1)
The optimization problem in Eq. (1) calculates robust sub-spaces by explicit L1-norm projection maximization. Theresulting principal components are called L1-norm principalcomponents, which have been proven to be extremely resistantto misbehaving data [14]. We utilize this property to calculatethe conformity of our data by defining the L2-norm distancebetween each column of X(1) and the calculated subspaceQ
(1)1 as
d(1)1,i =
∥∥∥(ID −Q1QT1
) [X(1)
]:,i
∥∥∥−12, i = 1, 2, . . . , LN.
(2)We expect small d(1)1,i values if d(1)1,i is an “outlier” and large
if it is a nominal data column. Therefore, the conformity ofeach data column of X(1) can be measured as the L2-normdistance from the calculated subspace, i.e.,
w(1)1 =
[d(1)1,1 d
(1)1,2 . . . d
(1)1,LN
]TLN×1
. (3)
The vector w1 is then converted to a tensor, where eachcolumn i is weighted by the same coefficient d1,i, i =1, 2, . . . , LN .
W(1)1 = tensorization
(w
(1)1 ◦ 1D×LN
)(4)
where the “tensorization” operation converts the mode-n ma-trix back to the original tensor form. After calculating thetensors W(1)
1 , we repeat the same process for the two other
modes to obtain W(1)2 and W(1)
3 . Then, we combine in anadditive fashion to form the final data conformity tensor
W(1) = α1W(1)1 + α2W(1)
2 + α3W(1)3 (5)
where αk ∈ R+, k = 1, 2, 3,∑k αk = 1 are weights
corresponding to the prescribed importance of each dimensionof the dataset (for example α1 = α2 = α3 = 1
3 , if all treatedequal). The weight tensor W(1) is then normalized
W(1) =W(1)∥∥W(1)
∥∥1
. (6)
The final weight tensor W(1) contains the data conformityvalue of each individual element enabling element-wise con-formity evaluation of the data. Then the L1-norm subspace ofthe first mode may be refined by
Q(1)1 = argmax
Q∈RD×R1 ,
QTQ=IR1
∥∥∥QT(X(1) ◦ W
(1)(1)
)∥∥∥1, (7)
where ◦ is the element-wise (Hadamard) product. The sameholds true for the other modes. The data conformity values canbe iteratively refined until numerical convergence of the dataconformity tensor W(l) is observed. In Table I, we presentthe complete pseudo-code of the algorithm for a tensor X ∈RI1×I2×I3 .
Algorithm 1 Data conformity evaluation through L1-normtensor decomposition
Input: X ∈ RI1×I2×I3 , ranks R1, R2, R3 ∈ Z+, and weightsα1, α2, α3 > 0
Output: W1: for k = 1, 2, 3 do2: Q
(0)k = argmax
Q∈RIk×Rk ,
QTQ=IRk
∥∥QTX(k)
∥∥1
3: Mk =∏3i=1,i6=k Ii
4: end for, l = 05: while convergence criterion is not met do6: for k = 1, 2, 3 do
7: d(l)k,ik
=
∥∥∥∥(IIk −Q(l−1)k Q
(l−1)k
T)[
X(k)
]:,ik
∥∥∥∥−12
,∀ik =
1, 2, . . . ,Mk
8: w(l)k =
[d(l)k,1 d
(l)k,2 . . . d
(l)k,Mk
]TMk×1
9: W(l)k ← tensorizationk
(w
(l)k ◦ 1Ik×Mk
)10: end for11: W(l) =
∑3k=1 αkW(l)
k∥∥∥∑3k=1 αkW(l)
k
∥∥∥1
12: for k = 1, 2, 3 do13: Q
(l)k = argmax
Q∈RIk×Rk ,
QTQ=IRk
∥∥∥QT(X(k) ◦ W
(l)(k)
)∥∥∥1
14: end for, l = l + 115: end whileTABLE I: Data conformity evaluation through L1-norm tensordecomposition
Fig. 3: Simulated network: Three end devices located outside,and three nodes located inside buildings.
Fig. 4: (a) PDR conformity values across devices. (b) Param-eter conformity across time for attacked device 4. The redcircles indicate the non-conforming parts of the dataset.
IV. CASE STUDY
For testing our algorithm, we choose two attacks which aremost relevant for IoT networks, namely constant jamming andsybil. The simulated network comprises of six end devicesand a BS in a star topology shown in Fig. 3. Three of thedevices are located inside buildings and the rest are locatedoutside in known locations. The devices utilize the LoRaWANprotocol and LoRa physical layer. They are programmed tosent at least two packets to the base station every minute. Thesampling of the devices’ state is done passively by the basestation every minute. For calculation of the RSS parameterwe utilize the well known Friis transmission equation [15]assuming that each device and the BS are equipped witha single omnidirectional antenna and are transmitting at the900 MHz frequency band.
A. Detection of Constant Jamming Attack
Fig. 4-(a) depicts the calculated PDR conformity across allend devices. We observe that between the 20 − 40th slabsend devices 1 and 4 are affected by an attack, as their PDRconformity indications are much larger compared to the rest.Fig. 4-(b) depicts the conformity of all parameters of enddevice 4. It is clear that the device is affected by an attack,as all parameters have a high conformity, while PDR has lowconformity.
B. Detection of Sybil Attack
During the Sybil attack an attacker forges messages of arandom victim for a period of 20 minutes (or 20 slabs).This results in the BS to misinterpret the received packets,and assign them to the attackers location. The parameterslatitude, longitude, distance, RSS are affected by this attack.In Fig. 5-(a) depicts the longitude conformity value across all
Fig. 5: (a) Distance conformity across edge devices. (b)Parameter conformity across time for attacked device 2. Thered circles indicate the non-conforming parts of the dataset.
devices. It is clear that device 2 is under attack as the longitudeconformity is higher compared to the rest. Moreover, on thesame time interval, the distance parameters is non-conformingas well, which means that the node is under the Sybil attack(Fig. 5-(b)).
V. CONCLUSIONS
We considered the problem of attack detection for IoT net-works based only on passively collected network parameters.For the first time in the literature, we developed a blindattack detection method based on data conformity evaluation.Network parameters collected passively, are converted to theirconformity values through iterative projections on refinedL1-norm tensor subspaces. We demonstrated our algorithmicdevelopment in a case study for a simulated star topologynetwork. Type of attack, affected devices, as well as, attacktime frame can be easily identified.
REFERENCES
[1] V. Garcia-Font, C. Garrigues, and H. Rifa-Pous, “Attack classificationschema for smart city WSNs“, Sensors, vol. 17, Apr. 2017.
[2] L. Atzori, A. Iera, and G. Morabito, The Internet of Things: A survey,Comput. Netw., vol. 54, no. 15, pp. 27872805, 2010.
[3] D. Mocrii, Y. Chen, P. Musilek, “IoT-based smart homes: A review ofsystem architecture, software, communications, privacy and security”,Journal of Internet of Things, vol. 1-2, pp. 81-98, Sept. 2018.
[4] K, Tamil, D. Sridharan, “Security Vulnerabilities In Wireless SensorNetworks: A Survey”, Journal of Information Assurance and Security,vol. 5, pp. 31-44, 2010.
[5] M. Chernyshev, Z. Baig, O. Bello and S. Zeadally, ”Internet of Things(IoT): Research, Simulators, and Testbeds,” in IEEE Internet of ThingsJournal, vol. 5, no. 3, pp. 1637-1647, June 2018.
[6] O. Can, O. K. Sahingoz, “A survey of intrusion detection systems inwireless sensor networks”, IEEE Communications Surveys Tutorials, vol.16, issue 1, pp. 266-282, May 2013.
[7] H. H. Pajouh, R. Javidan, R. Khaymi, A. Dehghantanha, and K. R Choo,“A Two-layer Dimension Reduction and Two-tier Classification Modelfor Anomaly-Based Intrusion Detection in IoT Backbone Networks”,IEEE Transactions on Emerging Topics in Computing, Nov. 2016.
[8] S. Suthaharan, “Big Data Classification: Problems and Challenges inNetwork Intrusion Prediction with Machine Learning“, PerformanceEvaluation Review, vol. 41, issue 4, pp. 70-73, 2014.
[9] T. Bhattasali, R. Chaki, and S. Sanyal, “Sleep Deprivation AttackDetection in Wireless Sensor Network”, arXiv preprint arXiv:1203.0231.
[10] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The Feasibility of Launch-ing and Detecting Jamming Attacks in Wireless Networks”, Proceedingsof the 6th ACM international symposium on Mobile ad hoc networkingand computing (MobiHoc), pp. 46-57, Urbana-Champaign, IL, USA,May 25 - 27, 2005.
[11] M. Demirbas and Y. Song, ”An RSSI-based Scheme for Sybil AttackDetection in Wireless Sensor Networks,” Proc. of the 2006 InternationalSymposium on a World of Wireless, Mobile and Multimedia Networks,pp. 564-570, 2006.
[12] S. T. Patel, and N. H. Mistry, “A Review: Sybil attack detectiontechniques in WSN”, In Proc. 4th Int. Conf. on Electronics andCommunication Systems (ICECS), Coimbatore, India, 24-25 Feb. 2017.
[13] P Sarigiannidis, E Karapistoli, and A. A. Economides, “Detecting
Sybil attacks in wireless sensor networks using UWB ranging-basedinformation”, Expert Systems with Applications, vol. 42, issue 21, pp.7560-7572, Nov. 2015.
[14] P. P. Markopoulos, S. Kundu, S. Chamadia, and D. A. Pados, “EfficientL1-norm principal-component analysis via bit flipping”, IEEE Trans. onSignal Processing, vol. 65, pp. 4252-4264, Aug. 2017.
[15] H.T. Friis, “A Note on a Simple Transmission Formula’, Proceedings ofthe IRE, vol. 34 , issue 5, pp. 254-256, May 1946.