Lightweight collaborative anomaly detection for the IoT using blockchain
Introduction
The Internet of Things (IoT) is the next evolution of the Internet [30], in which devices of any kind and size exchange and share data autonomously among themselves. By exchanging data, each device can improve its own decision making. IoT devices are ubiquitous in our daily lives and in critical infrastructure. For example, air conditioners, irrigation systems, refrigerators, and railway sensors [59] have been connected to the Internet in order to provide services and share information with the relevant controllers. Because of the benefits of connecting devices to the Internet, massive numbers of IoT devices have been developed and deployed, which has led leading experts to predict that by 2020 there will be more than 20 billion devices connected to the Internet [18].
While the potential of IoT devices is vast, their success depends on how well we can secure them. However, IoT devices are diverse and have limited resources, so securing them is a difficult challenge that has taken center stage in both industry and academia. One significant security concern is that many manufacturers do not invest in the security of these devices during their development. Furthermore, discovered vulnerabilities are seldom patched by the manufacturer [52]. These vulnerabilities enable attackers to exploit IoT devices for nefarious purposes [53], endangering users' security and privacy.
There are various security tools for detecting attacks on embedded devices. One such tool is an intrusion detection system (IDS). An anomaly-based IDS learns the normal behavior of a network or host and detects when that behavior deviates from the norm. In this way, such a system has the potential to detect new threats without being explicitly programmed to do so (e.g., via remote updates). Aside from being able to detect novel 'zero-day' attacks, this approach is desirable because it requires virtually no maintenance.
In order to prepare an anomaly-based IDS (or any anomaly detection model), the system must collect and learn from normal observations acquired during a time-limited "training phase". A fundamental assumption is that the observations obtained during the training phase are both benign and capture all of the device's possible behaviors. This assumption might hold in some systems. In the IoT environment, however, it is hard to satisfy for the following reasons:
- 1.
Model Generality: It is possible to train the anomaly detection model safely in a lab environment. However, it is difficult to simulate all possible deployments and interactions with the device, because some logic may depend on one or more environmental sensors, human interaction, or event-based triggers. This approach is also costly and requires additional resources. Alternatively, the model can be trained on-site during the deployment itself. However, the model will not be available for execution (detection of threats) until the training phase is complete. Furthermore, it is questionable whether the trained model will capture benign yet rare behaviors, for example the motion detection logic of a smart camera or the response generated by a smoke detector while sensing a fire. These rare but legitimate behaviors will generate false alarms during regular execution.
- 2.
Adversarial Attacks: Although training on-site is a more natural approach to learning the normal behavior of an IoT device, the model must assume that all observations during the training phase are benign. This exposes the model to malicious observations: an attacker who compromises the device during training can have its behavior learned as normal, evading later detection or causing some other adverse effect.
To overcome these challenges, the IoT devices can collaborate and train an anomaly detection model together. Consider the following scenario:
Assume that all IoT devices of the same type simultaneously begin training an anomaly detection model based on their own locally observed behaviors. The devices then share their models with other devices of the same type. Each device merges the received models into a single model, filtering out potentially malicious behaviors. Finally, each device uses the combined model as its own local anomaly detection model. As a result, the devices (1) collectively obtain an anomaly detection model that captures a much wider scope of the possible benign behaviors, and (2) are able to significantly limit adversarial attacks during the training phase. The latter holds because the initial training phase is much shorter (it scales down with the number of devices), and rare behaviors unseen by the majority are filtered out.
Using this concept, we present a lightweight, scalable framework which utilizes the blockchain concept to perform distributed and collaborative anomaly detection on devices with limited resources.
A blockchain is a protocol for a distributed database which is implemented as a chain of blocks and managed by the majority of participants in the network [61]. Each block contains a list of records and the hash value of the previous block, and is accepted into the chain if it satisfies a specific criterion (e.g., Bitcoin's proof-of-work criterion [43]). The framework uses the blockchain concept to define a collaboration protocol which enables devices to autonomously and incrementally train a trusted anomaly detection model. The protocol uses self-attestation and consensus among the IoT devices to protect the integrity of the trained model. In our blockchain, a record in a block is a model trained on a specific device, and a block in the chain represents a candidate anomaly detection model which has been verified by a significant mass/majority of devices in the system. By using the blockchain as a secure distributed ledger, we ensure that the devices (1) are using the latest validated anomaly detection model, and (2) can continuously contribute newly observed benign behaviors to each other's models.
Furthermore, in this paper we also propose a novel approach for performing anomaly detection on a local device using an Extensible Markov Model (EMM) [10]. The EMM tracks a program’s jump sequences between regions on the application’s memory space. The EMM can be incrementally updated and merged with other models, and therefore can be trained with real-world observations across multiple devices in parallel. Although there are many other methods for modeling sequences, we chose the EMM model because:
- 1.
The update and prediction procedures have a complexity of . This is critical considering that many IoT devices have weak processors.
- 2.
Our collaborative framework requires a model which can be merged with other models efficiently. Moreover, to filter out malicious transitions during the combine step, we needed an efficient and clear algorithm for comparing learned behaviors between different models. For other discrete transitional anomaly detection models, the process of comparing and combining models can be complex or simply has not been defined.
- 3.
In our evaluations, we found that the EMM performs better than other algorithms in our anomaly detection task.
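The collaborative scenario above (local training, sharing, majority filtering, adoption of the merged model) and the region-level Markov model this section describes can be made concrete in a few dozen lines. The following is an added example written for this page; it is not the paper's code, its GitHub release, or its blockchain simulator. The memory map, the program-counter traces, the "seen by at least k of n devices" filter standing in for the paper's filtering step, and the block layout (records plus the previous block's hash, with no consensus or attestation logic) are all constructed assumptions, and nothing here reproduces the protocol of Section 4.

```python
# Added example (not the paper's code): region-level jump model with O(1)
# update/lookup, majority-support merge across devices, hash-chained block.
# Memory map, traces, thresholds and block layout are constructed assumptions.
import bisect
import hashlib
import json
import math
from collections import defaultdict

# Constructed memory map: (start, end, name). A real map would come from the
# target binary's sections and the process's mappings.
REGIONS = [
    (0x1000, 0x2000, "text.main"),
    (0x2000, 0x3000, "text.parse"),
    (0x3000, 0x4000, "text.net"),
    (0x7000, 0x8000, "libc"),
    (0xB000, 0xC000, "stack"),
]
_STARTS = [r[0] for r in REGIONS]


def region_of(pc):
    """Map a program-counter value to its region name, or None if unmapped."""
    i = bisect.bisect_right(_STARTS, pc) - 1
    if i >= 0 and REGIONS[i][0] <= pc < REGIONS[i][1]:
        return REGIONS[i][2]
    return None


class RegionJumpModel:
    """Markov chain over regions: counts[src][dst] = observed jumps src -> dst."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.totals = defaultdict(int)  # per-source totals keep prob() O(1)

    def update(self, src, dst):
        self.counts[src][dst] += 1  # two dictionary increments: constant time
        self.totals[src] += 1

    def train(self, pcs):
        """Consume a PC trace; only jumps that cross a region boundary are modelled."""
        for a, b in zip(pcs, pcs[1:]):
            ra, rb = region_of(a), region_of(b)
            if ra != rb:
                self.update(ra, rb)

    def prob(self, src, dst):
        total = self.totals.get(src, 0)
        return self.counts.get(src, {}).get(dst, 0) / total if total else 0.0

    def score(self, pcs, floor=1e-6):
        """Largest per-jump surprise (-log p) along a trace; unseen jumps hit the floor."""
        worst = 0.0
        for a, b in zip(pcs, pcs[1:]):
            ra, rb = region_of(a), region_of(b)
            if ra != rb:
                worst = max(worst, -math.log(max(self.prob(ra, rb), floor)))
        return worst

    @staticmethod
    def merge(models, min_support):
        """Union of models that drops any transition seen by fewer than min_support
        of them; with min_support above n/2 a transition learned only on a few
        poisoned devices does not survive (assumed filter, not the paper's rule)."""
        support = defaultdict(int)
        for m in models:
            for src, row in m.counts.items():
                for dst in row:
                    support[(src, dst)] += 1
        merged = RegionJumpModel()
        for m in models:
            for src, row in m.counts.items():
                for dst, n in row.items():
                    if support[(src, dst)] >= min_support:
                        merged.counts[src][dst] += n
                        merged.totals[src] += n
        return merged

    def to_record(self):
        """Plain-dict form of the counts, suitable for a block record."""
        return {src: dict(row) for src, row in self.counts.items()}


def make_block(prev_hash, records):
    """Block = per-device model records plus the hash of the previous block."""
    body = json.dumps({"prev": prev_hash, "records": records}, sort_keys=True)
    return {"prev": prev_hash, "records": records,
            "hash": hashlib.sha256(body.encode()).hexdigest()}


def chain_is_valid(chain, genesis_prev="0" * 64):
    """Each block must link to the previous hash and carry a hash that recomputes."""
    prev = genesis_prev
    for blk in chain:
        body = json.dumps({"prev": blk["prev"], "records": blk["records"]}, sort_keys=True)
        if blk["prev"] != prev or blk["hash"] != hashlib.sha256(body.encode()).hexdigest():
            return False
        prev = blk["hash"]
    return True


# Constructed PC traces. Devices 0 and 1 saw only the normal main -> parse ->
# net -> libc -> net -> main flow; device 2 was compromised during its training
# window and additionally recorded a jump into the stack (injected code).
BENIGN = [0x1010, 0x2010, 0x3010, 0x7010, 0x3020, 0x1020]
POISONED = BENIGN + [0x3030, 0xB010, 0x7020]


def demo():
    """Train three local models, merge with a 2-of-3 filter, wrap records in a block."""
    local = [RegionJumpModel() for _ in range(3)]
    local[0].train(BENIGN)
    local[1].train(BENIGN)
    local[2].train(POISONED)
    merged = RegionJumpModel.merge(local, min_support=2)
    block = make_block("0" * 64, [m.to_record() for m in local])
    return local, merged, block
```

Running `demo()` shows the point of the merge: device 2 on its own assigns the `text.net -> stack` jump a probability of 1/3 and would never alarm on it, while the merged model drops that transition because only one of three devices saw it, so a later trace containing the jump scores at the floor (about 13.8) against under 1.0 for the benign flow. `chain_is_valid` only checks hash linkage; the paper's acceptance criterion (verification by a majority of devices) is not modelled here.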
We evaluate both the framework and the anomaly detection model on our own IoT emulation platform, involving 48 Raspberry Pis. We simulate several different IoT devices to verify that the evaluation results do not depend on the IoT device's functionality. Moreover, we exploit real vulnerabilities in order to evaluate our method's capability in detecting actual attacks. From our evaluations, we found that our method is capable of creating strong anomaly detection models in a short period of time, which are resistant to adversarial attacks. To encourage further research and development, the reader may download our data sets and source code from GitHub.1 We have also published a blockchain simulator for our protocol to help the reader understand and implement the work in this paper.2
In summary, this paper’s contributions are:
- •
A method for detecting code execution attacks by modeling memory jump sequences — We define and evaluate a novel approach to efficiently detect abnormal control flows at a set granularity. The approach is efficient because we track the program counter's flow between regions of memory, and not actual memory addresses or system calls. As a result, the model is compact (has relatively few states) and is suitable for devices with limited resources (IoT devices).
- •
A method for enabling safe distributed and collaborative model training on IoTs — We outline a novel framework and protocol which uses the concept of blockchain to collaboratively train an anomaly detection model. The method is decentralized, reduces training time and false positives, and is robust against potential adversarial attacks during the initial training phase.
The rest of the paper is organized as follows. In Section 2, we review related work and discuss how the proposed method overcomes its limitations. In Sections 3 and 4, we introduce our novel host-based anomaly detection algorithm and the framework for applying the algorithm in the collaborative distributed setting using the blockchain. In Section 5, we evaluate the proposed method on several different applications and use cases, and discuss our insights. In Section 6 we analyze the framework's security. In Section 7, we provide a discussion on the security and challenges of implementing the proposed framework. Finally, in Section 8 we present a summary and conclusion.
Related works
The primary aspects of this work relate to both Intrusion Detection and IoT Security. Therefore, in this section we will discuss recent works from both fields, and the limitations of these approaches.
The anomaly detection model
In this section, we present a novel method for efficiently modeling an application’s control-flow, and then detecting abnormal patterns with the trained model. The method is applied locally and continuously on a single IoT device. Later, in Section 4, we will present the proposed framework for enabling the decentralized collaborative training of the anomaly detection model.
The framework
In this section, we present the proposed framework and protocol. The framework enables distributed devices to safely and autonomously train anomaly detection models (Section 3) by utilizing concepts from the blockchain protocol.
First we provide an overview and intuition of the framework (Section 4.1). Then we present the terminology used to describe the blockchain protocol (Section 4.2). Finally, we present the protocol and discuss its operation (Section 4.3). Later in Section 7, we will discuss the
System evaluation
In this section, we evaluate the proposed collaboration framework: the experiment testbed, parameters, results, and observations. A video demo of the framework is available online.6
Security analysis
In this section we will discuss the security coverage of the agents and potential attacks against the framework.
Discussion
In this section, we discuss the assumptions and design considerations of the framework.
Conclusion
The number of IoT devices is steadily increasing. However, manufacturers seldom patch older models and unintentionally write vulnerable code. As a result, large numbers of IoT devices are exploited on a daily basis. Due to the scale of the problem, a generic stand-alone method for monitoring and protecting these devices is necessary. In this paper, we introduced a blockchain-based solution for autonomous collaborative anomaly detection among a large number of IoT devices.
To detect the
CRediT authorship contribution statement
Yisroel Mirsky: Conceptualization, Methodology, Software, Formal analysis, Writing - original draft, Writing - review & editing, Visualization, Supervision. Tomer Golomb: Methodology, Software, Validation, Writing - original draft. Yuval Elovici: Conceptualization, Project administration, Funding acquisition.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (73)
- et al., D-SCIDS: Distributed soft computing intrusion detection system, J. Netw. Comput. Appl. (2007)
- et al., A survey of network anomaly detection techniques, J. Netw. Comput. Appl. (2016)
- et al., PTAS: Privacy-preserving thin-client authentication scheme in blockchain-based PKI, Future Gener. Comput. Syst. (2019)
- et al., An anomaly detection system based on variable N-gram features and one-class SVM, Inf. Softw. Technol. (2017)
- et al., Probabilistic suffix models for API sequence analysis of Windows XP applications, Pattern Recognit. (2008)
- et al., SVELTE: Real-time intrusion detection in the Internet of Things, Ad Hoc Netw. (2013)
- et al., Host-based intrusion detection using dynamic and static behavioral models, Pattern Recognit. (2003)
- et al., C-FLAT: control-flow attestation for embedded systems software
- et al., Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP), Tech. Rep. (2005)
- An overview of anomaly detection techniques: Existing solutions and latest technological trends, Comput. Netw. (2007)
- Inside the numbers: 100 billion ARM-based chips, Arm Community processors blog
- TrustZone for Cortex-M, Arm
- Behavioral modeling intrusion detection system (BMIDS) using Internet of Things (IoT) behavior-based anomaly detection via immunity-inspired algorithms
- Extended Markov models
- Jump-oriented programming: a new class of code-reuse attack
- Mongoose
- Anomaly detection for discrete sequences: A survey, IEEE Trans. Knowl. Data Eng.
- Host based intrusion detection system with combined CNN/RNN model
- A novel secure architecture for the internet of things
- Buffer Overflow Attacks: Detect, Exploit, Prevent
- The matter of Heartbleed
- Gartner: 21 billion IoT devices to invade by 2020, InformationWeek
- Modeling system calls for intrusion detection with dynamic window sizes
- Discovery overview, ethereum/devp2p wiki, GitHub
- A sense of self for Unix processes
- HMM (hidden Markov model) based anomaly intrusion detection method
- A multi-layer model for anomaly intrusion detection using program sequences of system calls
- Intrusion detection using sequences of system calls, J. Comput. Secur.
- A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection, IEEE Netw.
- Rolling DICE: Lightweight remote attestation for COTS IoT hardware
- Future internet: the internet of things architecture, possible applications and key challenges
- LSTM-based system-call language modeling and robust ensemble method for designing host-based intrusion detection systems
- Intrusion detection via system call traces, IEEE Softw.
Yisroel Mirsky is a post doctoral fellow in the Institute for Information Security & Privacy at Georgia Tech (Georgia Institute of Technology). He received his PhD from Ben-Gurion University in 2018 where he is still affiliated as a security researcher. His main research interests include online anomaly detection, adversarial machine learning, isolated network security, and blockchain. Yisroel has published his research in some of the best cyber security conferences: USENIX, NDSS, Euro S&P, Black Hat, DEF CON, CSF, AISec, etc. His research has also been featured in many well-known media outlets (Popular Science, Scientific American, Wired, Wall Street Journal, Forbes, BBC…). One of Yisroel’s recent publications exposed a vulnerability in the USA’s 911 emergency services infrastructure. The research was shared with the US Department of Homeland Security and subsequently published in the Washington Post.
Tomer Golomb is an M.Sc. student in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev. His research focuses on blockchain and IoT security.
Prof. Yuval Elovici is the director of the Telekom Innovation Laboratories at Ben-Gurion University of the Negev (BGU), head of BGU Cyber Security Research Center, and a Professor in the Department of Software and Information Systems Engineering at BGU. He holds B.Sc. and M.Sc. degrees in Computer and Electrical Engineering from BGU and a Ph.D. in Information Systems from Tel-Aviv University. His primary research interests are computer and network security, cyber security, web intelligence, information warfare, social network analysis, and machine learning.