Lightweight collaborative anomaly detection for the IoT using blockchain

https://doi.org/10.1016/j.jpdc.2020.06.008

Highlights

  • Efficient software exploit detection can be performed on IoT devices by modeling the application’s control-flow over regions of memory. The additional overhead of using the proposed method is negligible (6% CPU and 0.8% memory of a Raspberry Pi 3B).

  • The modeling (training) of an anomaly detection model can be performed across numerous devices in parallel using an Extensible Markov chain. Safe collaboration requires both self-attestation and abnormality-filtration when sharing and merging knowledge among participants.

  • Using a blockchain protocol, IoT devices can collaborate with each other on forming a single trusted and robust anomaly detection model.

  • Collaborative training, using the proposed framework, significantly reduces the train-time, lowers the false positive rate, and makes the overall process resistant to adversarial poisoning attacks.

  • Deadlocks in p2p blockchain sharing/collaboration can be prevented through a direct messaging protocol, proven in this paper.

Abstract

Due to their rapid growth and deployment, the Internet of Things (IoT) has become a central aspect of our daily lives. Unfortunately, IoT devices tend to have many vulnerabilities which can be exploited by an attacker. Unsupervised techniques, such as anomaly detection, can be used to secure these devices in a plug-and-protect manner. However, anomaly detection models must be trained for a long time in order to capture all benign behaviors. Furthermore, the anomaly detection model is vulnerable to adversarial attacks since, during the training phase, all observations are assumed to be benign. In this paper, we propose (1) a novel approach for anomaly detection and (2) a lightweight framework that utilizes the blockchain to ensemble an anomaly detection model in a distributed environment. The blockchain framework incrementally updates a trusted anomaly detection model via self-attestation and consensus among the IoT devices. We evaluate our method on a distributed IoT simulation platform, which consists of 48 Raspberry Pis. The simulation demonstrates how the approach can enhance the security of each device and the security of the network as a whole.

Introduction

The Internet of Things (IoT) is the next evolution of the Internet [30], where devices of any kind and size will exchange and share data autonomously among themselves. By exchanging data, each device can improve its decision-making processes. IoT devices are ubiquitous in our daily lives and critical infrastructure. For example, air conditioners, irrigation systems, refrigerators, and railway sensors [59] have been connected to the Internet in order to provide services and share information with the relevant controllers. Due to the benefits of connecting devices to the Internet, massive quantities of IoT devices have been developed and deployed. This has led leading experts to believe that by 2020 there will be more than 20 billion devices connected to the Internet [18].

While the potential for IoT devices is vast, their success depends on how well we can secure these devices. However, IoTs are diverse and have limited resources. Therefore, securing them is a difficult challenge which has taken center stage in both industry and academia. One significant security concern with IoTs is that many manufacturers do not invest in the security of these devices during their development. Furthermore, discovered vulnerabilities are seldom patched by the manufacturer [52]. These vulnerabilities enable attackers to exploit the IoT devices for nefarious purposes [53] which endanger the users’ security and privacy.

There are various security tools for detecting attacks on embedded devices. One such tool is an intrusion detection system (IDS). Anomaly-based IDSs learn the normal behavior of a network or host, and detect when the behavior deviates from the norm. In this way, these systems have the potential to detect new threats without being explicitly programmed to do so (e.g., via remote updates). Aside from being able to detect novel ‘zero-day’ attacks, this approach is desirable because there is virtually no maintenance required.

In order to prepare an anomaly-based IDS (or any anomaly detection model), the system must collect and learn from normal observations acquired during a time-limited “training phase”. A fundamental assumption is that the observations obtained during the training phase are both benign and capture all of the device’s possible behaviors. This assumption might hold true in some systems. However, when considering the IoT environment, this assumption is challenging for the following reasons:

  1. Model Generality. It is possible to train the anomaly detection model safely in a lab environment. However, it is difficult to simulate all of the possible deployments and interactions with the device, because some logic may depend on one or more environmental sensors, human interaction, and event-based triggers. This approach is also costly and requires additional resources. Alternatively, the model can be trained on-site during the deployment itself. However, the model will not be available for execution (detection of threats) until the training phase is complete. Furthermore, it is questionable whether the trained model will capture benign yet rare behaviors, for example, the behavior of the motion detection logic of a smart camera or the response generated by a smoke detector while sensing a fire. These rare but legitimate behaviors will generate false alarms during regular execution.

  2. Adversarial Attacks. Although training on-site is a more natural approach to learning the normal behavior of an IoT device, the model must assume that all observations during the training phase are benign. This exposes the model to malicious observations, enabling an attacker to exploit the device to evade detection or cause some other adverse effect.

To overcome these challenges, the IoT devices can collaborate and train an anomaly detection model together. Consider the following scenario:

Assume that all IoT devices of the same type simultaneously begin training an anomaly detection model, based on their own locally observed behaviors. The devices then share their models with other devices of the same type. Next, each device merges the received models into a single model by filtering out potentially malicious behaviors. Finally, each device uses the combined model as its own local anomaly detection model. As a result, the devices (1) collectively obtain an anomaly detection model which captures a much wider scope of all possible benign behaviors, and (2) are able to significantly limit adversarial attacks during the training phase. The latter point holds because the initial training phase is much shorter (scaled according to the number of devices), and rare behaviors unseen by the majority are filtered out.

Using this concept, we present a lightweight, scalable framework which utilizes the blockchain concept to perform distributed and collaborative anomaly detection on devices with limited resources.

A blockchain is an innovative protocol for a distributed database, which is implemented as a chain of blocks and managed by the majority of participants in the network [61]. Each block contains a list of records and a hash value of the previous block, and is accepted into the chain if it satisfies a specific criterion (e.g., bitcoin’s proof-of-work criterion [43]). The framework uses the blockchain’s concept to define a collaboration protocol which enables devices to autonomously train a trusted anomaly detection model incrementally. The protocol uses self-attestation and consensus among the IoT devices to protect the integrity of the trained model. In our blockchain, a record in a block is a model trained on a specific device, and a block in the chain represents a potential anomaly detection model which has been verified by a significant mass/majority of devices in the system. By using the blockchain as a secured distributed ledger, we ensure that the devices (1) are using the latest validated anomaly detection model, and (2) can continuously contribute to each other’s model with newly observed benign behaviors.

Furthermore, in this paper we also propose a novel approach for performing anomaly detection on a local device using an Extensible Markov Model (EMM) [10]. The EMM tracks a program’s jump sequences between regions of the application’s memory space. The EMM can be incrementally updated and merged with other models, and therefore can be trained with real-world observations across multiple devices in parallel. Although there are many other methods for modeling sequences, we chose the EMM model because:

  1. The update and prediction procedures have a complexity of O(1). This is critical considering that many IoT devices have weak processors.

  2. Our collaborative framework requires a model which can be merged with other models efficiently. Moreover, to filter out malicious transitions during the combine step, we needed an efficient and clear algorithm for comparing learned behaviors between different models. The process of comparing and combining other discrete transitional anomaly detection models is either complex or has simply not been defined.

  3. In our evaluations, we found that the EMM performs better than other algorithms in our anomaly detection task.
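The following Python is an added example, not the paper's code, sketching the two properties listed above: a Markov chain whose states are memory regions rather than addresses (so an update or a probability lookup touches two dictionary entries and is O(1)), and a merge step that keeps only transitions observed by at least `min_support` devices, so that behavior known to a single participant is filtered out. The 4 KiB region size, the anomaly threshold, and the address traces are constructed assumptions.

```python
from collections import defaultdict


class RegionEMM:
    """Markov chain over memory regions (constructed example). A state is a
    region id; an edge counts program-counter jumps between two regions.
    update() and transition_prob() touch two dict entries each, so both are O(1)."""

    def __init__(self, region_size=0x1000):  # 4 KiB regions: an assumption
        self.region_size = region_size
        self.counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> n
        self.totals = defaultdict(int)                       # src -> n

    def update(self, src_addr, dst_addr):
        s, d = src_addr // self.region_size, dst_addr // self.region_size
        self.counts[s][d] += 1
        self.totals[s] += 1

    def train(self, trace):
        for src, dst in zip(trace, trace[1:]):  # consecutive PC samples = jumps
            self.update(src, dst)

    def transition_prob(self, src_addr, dst_addr):
        s, d = src_addr // self.region_size, dst_addr // self.region_size
        total = self.totals.get(s, 0)
        return self.counts.get(s, {}).get(d, 0) / total if total else 0.0

    def is_anomalous(self, src_addr, dst_addr, threshold=0.01):
        # an unseen or very rare region transition is abnormal control-flow
        return self.transition_prob(src_addr, dst_addr) < threshold


def merge_models(models, min_support):
    """Combine per-device models; keep a transition only if at least
    `min_support` devices observed it, so behavior known to a minority
    (a rare event or a poisoned training set) is filtered out."""
    support = defaultdict(int)
    for m in models:
        for s, dsts in m.counts.items():
            for d in dsts:
                support[(s, d)] += 1
    merged = RegionEMM(models[0].region_size)
    for m in models:
        for s, dsts in m.counts.items():
            for d, n in dsts.items():
                if support[(s, d)] >= min_support:
                    merged.counts[s][d] += n
                    merged.totals[s] += n
    return merged


def demo():
    # Constructed traces: code at 0x10000, a library at 0x20000, heap at 0x30000.
    benign = [0x10010, 0x20040, 0x10020, 0x20080, 0x10030]
    devices = [RegionEMM() for _ in range(3)]
    for m in devices:
        m.train(benign)
    devices[2].train([0x10030, 0x30500, 0x10040])  # only one device saw this
    return devices, merge_models(devices, min_support=2)
```

In `demo()`, the third device alone would accept the code-to-heap jump it saw during training, while the merged model rejects it because no other participant observed that transition.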

We evaluate both the framework and the anomaly detection model on our own IoT emulation platform, involving 48 Raspberry Pis. We simulate several different IoT devices to assert that the evaluation results do not depend on the IoT device’s functionality. Moreover, we exploit real vulnerabilities in order to evaluate our method’s capability in detecting actual attacks. From our evaluations, we found that our method is capable of creating strong anomaly detection models in a short period of time, which are resistant to adversarial attacks. To encourage further research and development, the reader may download our data sets and source code from GitHub. We have also published a blockchain simulator for our protocol to help the reader understand and implement the work in this paper.

In summary, this paper’s contributions are:

  • A method for detecting code execution attacks by modeling memory jump sequences — We define and evaluate a novel approach to efficiently detect abnormal control-flows at a set granularity. The approach is efficient because we track the program counter’s flow between regions of memory, and not actual memory addresses or system calls. As a result, the model is compact (has relatively few states) and is suitable for devices with limited resources (IoT devices).

  • A method for enabling safe distributed and collaborative model training on IoTs — We outline a novel framework and protocol which uses the concept of blockchain to collaboratively train an anomaly detection model. The method is decentralized, reduces train time and false positives, and is robust against potential adversarial attacks during the initial training phase.

The rest of the paper is organized as follows. In Section 2, we review related work, and discuss how the proposed method overcomes its limitations. In Sections 3 (The anomaly detection model) and 4 (The framework), we introduce our novel host-based anomaly detection algorithm and the framework for applying the algorithm in the collaborative distributed setting using the blockchain. In Section 5, we evaluate the proposed method on several different applications and use-cases, and discuss our insights. In Section 6 we analyze the framework’s security. In Section 7, we provide a discussion on the security and challenges of implementing the proposed framework. Finally, in Section 8 we present a summary and conclusion.

Section snippets

Related works

The primary aspects of this work relate to both Intrusion Detection and IoT Security. Therefore, in this section we will discuss recent works from both fields, and the limitations of these approaches.

The anomaly detection model

In this section, we present a novel method for efficiently modeling an application’s control-flow, and then detecting abnormal patterns with the trained model. The method is applied locally and continuously on a single IoT device. Later, in Section 4, we will present the proposed framework for enabling the decentralized collaborative training of the anomaly detection model.

The framework

In this section, we present the proposed framework and protocol. The framework enables distributed devices to safely and autonomously train anomaly detection models (Section 3), by utilizing concepts from the blockchain protocol.

First we will provide an overview and intuition of the framework (Section 4.1). Then we will present the terminology which we use to describe the blockchain protocol (Section 4.2). Finally, we will present the protocol and discuss its operation (Section 4.3). Later in Section 7, we will discuss the

System evaluation

In this section, we evaluate the proposed collaboration framework: the experiment testbed, parameters, results, and observations. A video demo of the framework is available online.

Security analysis

In this section we will discuss the security coverage of the agents and potential attacks against the framework.

Discussion

In this section, we discuss the assumptions and design considerations of the framework.

Conclusion

The number of IoT devices is steadily increasing. However, manufacturers seldom patch older models and unintentionally write vulnerable code. As a result, large numbers of IoT devices are being exploited on a daily basis. Due to the scale of the problem, a generic stand-alone method for monitoring and protecting these devices is necessary. In this paper, we introduced a blockchain-based solution for autonomous collaborative anomaly detection among a large number of IoT devices.

To detect the

CRediT authorship contribution statement

Yisroel Mirsky: Conceptualization, Methodology, Software, Formal analysis, Writing - original draft, Writing - review & editing, Visualization, Supervision. Tomer Golomb: Methodology, Software, Validation, Writing - original draft. Yuval Elovici: Conceptualization, Project administration, Funding acquisition.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.


References (73)

  • M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J.A. Halderman, L....
  • ARM, M. Inside the numbers: 100 billion ARM-based chips. Processors blog, Arm Community (2017).
  • ARM, M. TrustZone for Cortex-M. Arm (2019).
  • Arrington, B., et al. Behavioral modeling intrusion detection system (BMIDS) using Internet of Things (IoT) behavior-based anomaly detection via immunity-inspired algorithms.
  • Bhat, U.N. Extended Markov models.
  • Bletsch, T., et al. Jump-oriented programming: a new class of code-reuse attack.
  • cesanta, T. Mongoose (2010).
  • Chandola, V., et al. Anomaly detection for discrete sequences: A survey. IEEE Trans. Knowl. Data Eng. (2010).
  • Chawla, A., et al. Host based intrusion detection system with combined CNN/RNN model.
  • Chen, D., et al. A novel secure architecture for the Internet of Things.
  • Deckard, J. Buffer Overflow Attacks: Detect, Exploit, Prevent (2005).
  • Durumeric, Z., et al. The matter of Heartbleed.
  • Eddy, N. Gartner: 21 billion IoT devices to invade by 2020. InformationWeek (2015).
  • S. El Sherei, Return to...
  • Eskin, E., et al. Modeling system calls for intrusion detection with dynamic window sizes.
  • Ethereum, E. Discovery overview, ethereum/devp2p Wiki, GitHub (2019).
  • Forrest, S., et al. A sense of self for Unix processes.
  • Gao, B., et al. HMMs (hidden Markov models) based anomaly intrusion detection method.
  • Hoang, X.D., et al. A multi-layer model for anomaly intrusion detection using program sequences of system calls.
  • Hofmeyr, S.A., et al. Intrusion detection using sequences of system calls. J. Comput. Secur. (1998).
  • Hu, J., et al. A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection. IEEE Netw. (2009).
  • R. Huuck, IoT: The internet of threats and static program analysis defense, in: EmbeddedWorld 2015: Exibition &...
  • Jäger, L., et al. Rolling DICE: Lightweight remote attestation for COTS IoT hardware.
  • Khan, R., et al. Future internet: the Internet of Things architecture, possible applications and key challenges.
  • Kim, G., et al. LSTM-based system-call language modeling and robust ensemble method for designing host-based intrusion detection systems (2016).
  • Kosoresow, A.P., et al. Intrusion detection via system call traces. IEEE Softw. (1997).

Yisroel Mirsky is a post doctoral fellow in the Institute for Information Security & Privacy at Georgia Tech (Georgia Institute of Technology). He received his PhD from Ben-Gurion University in 2018 where he is still affiliated as a security researcher. His main research interests include online anomaly detection, adversarial machine learning, isolated network security, and blockchain. Yisroel has published his research in some of the best cyber security conferences: USENIX, NDSS, Euro S&P, Black Hat, DEF CON, CSF, AISec, etc. His research has also been featured in many well-known media outlets (Popular Science, Scientific American, Wired, Wall Street Journal, Forbes, BBC…). One of Yisroel’s recent publications exposed a vulnerability in the USA’s 911 emergency services infrastructure. The research was shared with the US Department of Homeland Security and subsequently published in the Washington Post.

Tomer Golomb is an M.Sc. student in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev. His research focuses on blockchain and IoT security.

Prof. Yuval Elovici is the director of the Telekom Innovation Laboratories at Ben-Gurion University of the Negev (BGU), head of BGU Cyber Security Research Center, and a Professor in the Department of Software and Information Systems Engineering at BGU. He holds B.Sc. and M.Sc. degrees in Computer and Electrical Engineering from BGU and a Ph.D. in Information Systems from Tel-Aviv University. His primary research interests are computer and network security, cyber security, web intelligence, information warfare, social network analysis, and machine learning.
