A Haystack Full of Needles

Saidi, Said Jawad; Mandalari, Anna Maria; Kolcun, Roman; Haddadi, Hamed; Dubois, Daniel J.; Choffnes, David; Smaragdakis, Georgios; Feldmann, Anja

doi:10.1145/3419394.3423650

Cited by 36 publications

(16 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Data exfiltration: IoT devices typically communicate with a number of remote servers maintained by their manufacturer, cloud providers (e.g., Amazon AWS), common services like time synchronization (e.g., ntp.org), or third-party services (e.g., doubleclick.net) for other services like advertising [35]. As highlighted by [33,35,36], many IoT devices often interact with third-party platforms, enabling those platforms to collect large-scale user data used for tracking and/or advertisement purposes [35]. Work in [35] developed a system to automatically identify "nonessential" network communications of IoT devices so that blocking them would not affect the normal operation of devices.…”

Section: Iot Asset Risk Assessmentmentioning

confidence: 99%

“…The authors used regular expression matching to label the training dataset by obtaining the device model and vendor from the headers of application protocols like HTTP and SSDP. Some other works [12,36,[43][44][45][46] also focused on determining the make and model of IoT devices from their network traffic. However, they differ from each other in terms of traffic features, visibility levels, and inference models used that will be further explained in §2.3, §2.4, and §2.5.…”

Section: Iot Asset Identificationmentioning

confidence: 99%

“…There are different ways of passive measurement: (1) Some works like [51,52,54,55,62,63] programmed SDN (softwaredefined-networking) switches by specific flow rules to periodically measure the statistics of network activities (packet and byte counters) across inserted flow rules. (2) Works in [16,36,64] used flow exporting agents like IPFIX [65] and NetFlow [66] (installed on network switches/routers) to collect aggregate statistics (total packet/byte count, average payload size, and average inter-arrival time) of unique IP flows.…”

Section: Passive Measurementmentioning

confidence: 99%

Section: Partial Visibilitymentioning

confidence: 99%

“…Few works like [14,16,36,44,64] developed their prediction methods to infer from partially visible traffic. Works in [16,36,64] We note that IPFIX and NetFlow data records are relatively coarse-grained as they report statistical measures of an aggregate of packets. Other works like [14,44] inspect individual obfuscated packets (i.e., post-NAT) to extract headers and/or payload for inferencing purposes; however, they neither rely on device identities nor local traffic.…”

Section: Partial Visibilitymentioning

confidence: 99%

See 4 more Smart Citations

Progressive Monitoring of IoT Networks Using SDN and Cost-Effective Traffic Signatures

Pashamokhtari

Gharakheili

Sivaraman

2020

2020 Workshop on Emerging Technologies for Security in IoT (ETSecIoT)

View full text Add to dashboard Cite

The Internet has recently witnessed unprecedented growth of a class of connected assets called the Internet of Things (IoT). Due to relatively immature manufacturing processes and limited computing resources, IoTs have inadequate devicelevel security measures, exposing the Internet to various cyber risks. Therefore, network-level security has been considered a practical and scalable approach for securing IoTs, but this cannot be employed without discovering the connected devices and characterizing their behavior. Prior research leveraged predictable patterns in IoT network traffic to develop inference models. However, they fall short of expectations in addressing practical challenges, preventing them from being deployed in production settings. This thesis identifies four practical challenges and develops techniques to address them which can help secure businesses and protect user privacy against growing cyber threats.My first contribution balances prediction gains against computing costs of traffic features for IoT traffic classification and monitoring. I develop a method to find the best set of specialized models for multi-view classification that can reach an average accuracy of 99%, i.e., a similar accuracy compared to existing works but reducing the cost by a factor of 6. I develop a hierarchy of one-class models per asset class, each at certain granularity, to progressively monitor IoT traffic. My second contribution addresses the challenges of measurement costs and data quality. I develop an inference method that uses stochastic and deterministic modeling to predict IoT devices in home networks from opaque and coarse-grained IPFIX flow data. Evaluations show that false positive rates can be reduced by 75% compared to related work without significantly affecting true positives. My third contribution focuses on the challenge of concept drifts by analyzing over six million flow records collected from 12 real home networks. I develop several inference strategies and compare their performance under concept drift, particularly when labeled data is unavailable in the testing phase. Finally, my fourth contribution studies the resilience of machine learning models against adversarial attacks with a specific focus on decision tree-based models. I develop methods to quantify the vulnerability of a given decision tree-based model against data-driven adversarial attacks and refine vulnerable decision trees, making them robust against 92% of adversarial attacks. i List of PublicationsDuring the course of my Ph.D. candidature, a number of publications have been made based on the work presented here and are listed below for reference.

show abstract