Security Architecture for Defining and Enforcing Security Profiles in DLT/SDN-Based IoT Systems.
Sensors (IF 3.9). Pub Date: 2020-03-28. DOI: 10.3390/s20071882
Sara N Matheu 1 , Alberto Robles Enciso 1 , Alejandro Molina Zarca 1 , Dan Garcia-Carrillo 2 , José Luis Hernández-Ramos 3 , Jorge Bernal Bernabe 1 , Antonio F Skarmeta 1
Despite the advantages that the Internet of Things (IoT) will bring to our daily life, the increasing interconnectivity, as well as the amount and sensitivity of data, make IoT devices an attractive target for attackers. To address this issue, the recent Manufacturer Usage Description (MUD) standard has been proposed to describe network access control policies in the manufacturing phase to protect the device during its operation by restricting its communications. In this paper, we define an architecture and process to obtain and enforce the MUD restrictions during the bootstrapping of a device. Furthermore, we extend the MUD model with a flexible policy language to express additional aspects, such as data privacy, channel protection, and resource authorization. For the enforcement of such enriched behavioral profiles, we make use of Software Defined Networking (SDN) techniques, as well as an attribute-based access control approach by using authorization credentials and encryption techniques. These techniques are used to protect devices' data, which are shared through a blockchain platform. The resulting approach was implemented and evaluated in a real scenario, and is intended to reduce the attack surface of IoT deployments by restricting devices' communication before they join a certain network.
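The abstract describes MUD as a manufacturer-supplied allow-list of what a device may talk to, enforced in the network (here via SDN), and extended with aspects such as channel protection that a flow rule alone cannot express. The following is an added illustration, not code from the paper or its authors: a deliberately simplified, MUD-style profile (the field names `from_device`, `to_device`, `require_tls` and the sample addresses are constructed assumptions, not RFC 8520 syntax), a deny-by-default evaluator, and a compiler that turns the profile into SDN-style flow entries with a trailing drop rule.

```python
"""Simplified MUD-style profile evaluation and SDN flow-entry generation.

Added example only; the profile schema below is an assumption made for
illustration and is not the paper's policy language nor RFC 8520 YANG.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample profile: everything not listed is denied.
# 'require_tls' stands in for the paper's "channel protection" extension,
# which cannot be enforced by an L3/L4 flow match alone.
DEVICE_PROFILE = {
    "device": "sensor-model-x",
    "default": "deny",
    "from_device": [
        # MQTT over TLS to the local broker subnet
        {"dst": "10.0.0.0/24", "proto": "tcp", "port": 8883, "require_tls": True},
        # DNS to one local resolver only
        {"dst": "10.0.0.53/32", "proto": "udp", "port": 53},
    ],
    "to_device": [
        # Management SSH from a single admin host
        {"src": "10.0.0.10/32", "proto": "tcp", "port": 22},
    ],
}


@dataclass(frozen=True)
class Flow:
    direction: str   # "from_device" or "to_device"
    peer: str        # remote IP address
    proto: str       # "tcp" or "udp"
    port: int        # destination port of the connection
    tls: bool = False  # whether the channel is TLS-protected (observed/attested)


def rule_matches(rule: dict, flow: Flow) -> bool:
    """True if a single profile rule permits the given flow."""
    key = "dst" if flow.direction == "from_device" else "src"
    if ipaddress.ip_address(flow.peer) not in ipaddress.ip_network(rule[key]):
        return False
    if rule["proto"] != flow.proto:
        return False
    if rule.get("port") is not None and rule["port"] != flow.port:
        return False
    # Channel-protection requirement: an unencrypted channel to an
    # otherwise-allowed peer is still rejected.
    if rule.get("require_tls") and not flow.tls:
        return False
    return True


def evaluate(profile: dict, flow: Flow):
    """Return ("allow", matching_rule) or (default_verdict, None)."""
    for rule in profile.get(flow.direction, []):
        if rule_matches(rule, flow):
            return "allow", rule
    return profile.get("default", "deny"), None


def compile_to_flow_entries(profile: dict, device_ip: str = "10.0.0.77") -> list:
    """Translate the profile into controller-style flow entries.

    Allow rules get priority 100; two priority-0 catch-all drop entries
    implement deny-by-default for both directions. The 'require_tls'
    attribute is intentionally not encoded here: it is an endpoint /
    credential property, not something an IP/port match can verify.
    """
    entries = []
    for rule in profile.get("from_device", []):
        entries.append({"priority": 100,
                        "match": {"ip_src": device_ip, "ip_dst": rule["dst"],
                                  "proto": rule["proto"], "tp_dst": rule.get("port")},
                        "actions": "forward"})
    for rule in profile.get("to_device", []):
        entries.append({"priority": 100,
                        "match": {"ip_src": rule["src"], "ip_dst": device_ip,
                                  "proto": rule["proto"], "tp_dst": rule.get("port")},
                        "actions": "forward"})
    entries.append({"priority": 0, "match": {"ip_src": device_ip}, "actions": "drop"})
    entries.append({"priority": 0, "match": {"ip_dst": device_ip}, "actions": "drop"})
    return entries


if __name__ == "__main__":
    for f in (Flow("from_device", "10.0.0.5", "tcp", 8883, tls=True),
              Flow("from_device", "10.0.0.5", "tcp", 8883),
              Flow("from_device", "8.8.8.8", "udp", 53),
              Flow("to_device", "10.0.0.10", "tcp", 22)):
        print(f, "->", evaluate(DEVICE_PROFILE, f)[0])
    for e in compile_to_flow_entries(DEVICE_PROFILE):
        print(e)
```

The split between `evaluate` and `compile_to_flow_entries` mirrors the point in the abstract: network-level restrictions (addresses, protocols, ports) can be pushed down to SDN flow tables, while the richer profile attributes such as channel protection or resource authorization need enforcement at the endpoint or through credentials, which is why the paper pairs SDN with attribute-based access control.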

Updated: 2020-03-28