From International Journal of Information Management Authors：ANAND MUDGERIKAR, PUNEET SHARMA, ELISA BERTINO (2020)

1. Edge-Based Intrusion
Detection for IoT devices
From International Journal of Information Management
Authors：ANAND MUDGERIKAR, PUNEET SHARMA,
ELISA BERTINO (2020)
Presenter：CHEN, YOU-SHENG 2021/12/02

2. 2 / 44
JCR For Journal of Management Information Systems
JIF=14.098

3. 3 / 44
Vocabularies 1/4
P. English Chinese
18:1 Intrusion 侵入
18:1 Malware 惡意軟體
18:1 New evolving forms of
attacks
新的攻擊發展形式
18:1 Anomalous behavior 異常行為
18:1 Overhead 經常費用
18:1 Sophisticated 複雜
18:1 Test-bed 試驗台
18:1 Evident 明顯
18:1 Been compromised 被破壞
18:2 Infection 感染
P. English Chinese
18:2 Benign 良性
18:2 Intuitively 直覺
18:2 Periodic 定期
18:2 Indicative 象徵
18:3 The rest of …的其餘部分
18:3 Credential hijacking 裝置憑證擷取攻擊
18:3 Vulnerabilities 漏洞
18:3 Proceed directly 直接進行
18:3 Ransom attacks 勒索攻擊
18:3 Fingerprinting 指紋識別

4. 4 / 44
Vocabularies 2/4
P. English Chinese
18:4 propagate 擴大
18:4 workload 工作負載
18:4 novel 新穎
18:5 Fine grained 細粒度的
18:5 PWM (Process White
Listing Module)
白名單程序模組
18:5 PBM (Process Behavior
Module)
程序行為模組
18:5 SBM (System-call
Behavior Module)
系統呼叫行為模組
18:5 spawn 產出(生育)
18:5 Masquerade 偽裝
P. English Chinese
18:6 Serves as 作為
18:6 Unary classifiers 一元分類器
18:7 endianess 位元組順序
18:7 assimilator 吸收者
18:7 distinguish 辨別
18:8 Operate as desired 根據需要操作
18:8 malfunctioning 故障
18:8 Hash chain 雜湊鏈
18:9 Naïve Bayes 單純貝式分類
18:9 Logistic Regression 羅吉斯回歸

5. 5 / 44
Vocabularies 3/4
P. English Chinese
18:9 Distributed nature 分佈性質
18:9 Constrained nature 約束性質
18:9 Feasible 可行的
18:9 OSes 操作系統
18:9 Perception 感知器
18:9 Attributed to 歸因於
18:9 Employ 利用
18:10 Fair assumption 合理假設
18:10 Time-critical 時序要求嚴格的
18:10 Smart-grids 智慧電網
18:10 Detrimental 有害
P. English Chinese
18:11 Weed out 淘汰
18:11 Cloud repository 雲端儲存庫
18:11 Extensively 廣泛地
18:12 Little/big endian 小端/大端
18:12 Accelerometer 加速度感測器
18:13 Obfuscation 模糊
18:13 Deception 欺騙
18:13 Very aggressive 咄咄逼人
18:14 Flagged 被標記
18:14 Evade 逃脫

6. 6 / 44
Vocabularies 4/4
P. English Chinese
18:17 Denser 密集
18:17 Non-negligible 可觀的
18:17 Incur 招受
18:17 Conversely 相反地
18:17 Versatile 多功能
18:17 Provenance 起源
18:17 Provenance propagation 出處傳播
18:17 Pruning 修剪
18:17 Implicit 無縫
18:17 By contrast 相比之下

7. 7 / 44
CONTENTS
1. INTRODUCTION
2. BACKGROUND
3. DESIGN
4. IMPLEMENTATION DETAILS
5. EVALUATION
6. RELATED WORK
7. CONCLUSIONS AND FUTUREWORK

8. 8
1. INTRODUCTION
/ 44

9. INTRODUCTION
▪ With the growing use of IoT devices, the security issue is
a primary concern
▪ More sophisticated IoT malware and harder to detect
9 / 44
2016 Miral
2017 Hajime
2017 BrickerBot
2017 IoT Reaper
2018 Hakai
Pic1. Mirai-Style DDoS Attack

10. INTRODUCTION
▪ System-level-anomaly-based detection in such IDSes is not
practical as a traditional computer system runs a number of
different kinds of applications, is not the case with IoT devices
▪ We achieving comprehensive security for IoT devices and
systems requires combining different layers of security
techniques and systems
▪ Propose E-Spion, it could monitor and analyze system data
from device profiles that are later used for anomaly detection
10 / 44

11. 11
2. BACKGROUND
/ 44

12. BACKGROUND- IoT Attacks
▪ Most of the IoT attacks comprise of three operation stages
12 / 44
Injection
• Gaining control
• Entry: credential,
password,
vulnerabilities …
Infection
• Attacker prepares
• Using: bot master,
download malware,
stopping security services
…
Attack
• Target something
attacker want
• Example: DDoS,
ransom attacks,
bitcoin mining …
File-less attacks

13. BACKGROUND- Fileless Attacks
▪ Does not involve downloading any malware/rootkits
▪ They can be classified into 8 categories
13 / 44
Changes the
password
Removes
certain config
files
Stops certain
system
processes
Retrieves
system
information
Steals user
information
Launches
network
attacks
Collecting
device/user
data
Sets up port
forwarding

14. BACKGROUND- IoT Security architecture
▪ The IoT security solutions and services can be broadly classified
into 2 categories
14 / 44
Centralized-cloud-based
• Pros : Flexibility in deployment, Lower infrastructure costs,
Performance benefits and a centralized point of control
• Cons : Not scalable, low-latency requirements, user privacy concerns
Distributed-edge-based
• Follow the fog computing paradigm
• The main workload of the IDS is performed at the edge device

15. 15
3. DESIGN
/ 44

16. DESIGN- Overview
16 / 44
Fig1. Architecture of E-Spion
▪ Our system,
called E-Spion
▪ Proposes a novel
device-edge split
architecture with
2 components
▪ All 3 modules are
managed by a
module manager

17. DESIGN- Anomaly detection engine
17 / 44
▪ Our device 3-layered behavior profile is built in 3 layers using 3
types of device logs then organized into 3 detection modules
PWM (Process White Listing Module)
• Running process names
• White-listing-based, Least expensive module, Detect simple malware
PBM (Process Behavior Module)
• Running process parameters / Extract 8 metrics
• Monitors various parameters, More expensive, More fine-grained detection
SBM (System-call Behavior Module)
• System calls made by these processes / 34(Call) ∗ 4(Time unit) = 136 metrics
• Most expensive module, most effective and fine-grained detection strategy

18. DESIGN- Anomaly detection engine
18 / 44
▪ PBM From running process parameters to extract 8 metrics

19. DESIGN- Anomaly detection engine
19 / 44
▪ SBM From System calls made by these processes /
34(Call) ∗ 4(Time unit) = 136 metrics
(Only list metrics #9 before)

20. DESIGN- Lift cycle of a device
20 / 44
▪ For the purpose of our IDS system, a device in the network goes
through the following 4 phases
Initialization
• Edge-server create a key pair
and upload to the device(SSH)
• Client side create and maintain
hash chains for log
authentication, and transfer logs
to the edge
Learning
• Edge-server build a single 3-
layered baseline profile for the
device
PBM / PWM logs→Dataset
• Combined with pre-recorded
malicious data

21. DESIGN- Lift cycle of a device
21 / 44
Operation
• Require both benign and
malicious labeled logs in our
training set
• Ran a portion of the IoT
malware samples and collected
the device logs
• Able to distinguish between
malicious and benign logs
Anomaly Detection
• Hash-chain-verifier first checks
the integrity of the logs
Fail the integrity check or no
logs are received
→ IDS raise an alert
• PWM / PBM / SBM modules
start working

22. DESIGN- Hash chain verifier
22 / 44
▪ Use the SHA256sum utility to compute the SHA-256
one-way hashes of the logs
▪ First commit logs to server
Log hash = hash (device 3 kind of log)
hash chain = hash( Log hash + Nonce[From server] )
▪ When first transfer received
▫ Match Authentication hash value, if not then raise an alert
▫ Delete First commit nonce from device (Server had been saved)
▫ After first commit, compute hash chain way will change to
hash chain = hash( previous Log hash + Log hash )

23. DESIGN- Hash chain verifier
23 / 44

24. 24
4. IMPLEMENTATION
DETAILS
/ 44

25. IMPLEMENTATION- Deployability
25 / 44
▪ Resource constrained nature of IoT devices, make sure that
deployment of the system is feasible for all IoT devices as goal
▪ 71.3% of all IoT devices run some version of Linux as their
operating system and “Linux is becoming the standard OS for all
gateway and resource constrained devices” according to the 2017 IoT
developer survey
▪ Build our client side (SysMon) modules using common system
▪ IoT device emulations using Firmadyne in order to make the device
modules scalable and easy to deploy

26. IMPLEMENTATION- Choice of classifiers
26 / 44

27. IMPLEMENTATION- Timing/Interval choice
27 / 44
▪ The window size is too high, then the detection time of the attack
will also be higher
▫ Lower window size results in higher communication overhead
▫ Should be small enough to detect these attacks in real-time
▫ Window size of 20, 50, 100, 500, and 1,000 seconds
▪ The larger interval size, the higher chance the attacker has of
evading the system
▫ Lower interval results in a higher computational overhead
▫ It depends on the system requirements, we leave the choice of
the optimal values
▫ Interval of 2, 10, and 20 seconds

28. IMPLEMENTATION- Distributed nature of logs
28 / 44
▪ We assume that the device functions benignly until the end of the
learning phase because real world scenarios where devices are
compromised as soon as they connect to the network or are
compromised in production
▪ We added some additional functionality in our current prototype to
move further towards a fog computing paradigm
▫ Logs enable one to compare behaviors of the same devices in
different networks
▫ Detect anomalous behavior during the learning stage
▫ Fail-check in case of devices behaving maliciously during the
learning phase

29. 29
5. EVALUATION
/ 44
Goal of our host-based system is detecting
the compromised host/device during the
injection or infection stage

30. EVALUATION- IoT malware
30 / 44
▪ The malware samples were collected from IoTPOT, VirusTotal, and
OpenMalware
Total
3973(100%)
Learning
795(20%)
Testing
3178(80%)

31. EVALUATION- Test-bed
31 / 44
▪ Using 4 webcams, 5 raspberry
pi devices, 3 HPE GL10 IoT
gateways, and
1 Aruba PoE Switch
▪ Check – Restore – Next one

32. IMPLEMENTATION- Efficiency and Analysis
32 / 44
PWM (Process White Listing Module)
• Detection rate of 79.09% (FP=0%)
• 20.91% of the malware spawn no new processes but rather manipulate or
masquerade as a benign process
PBM (Process Behavior Module)
• Detection rate of 97.02% (FP=2.97%)
• Able to capture malware masquerading as benign processes
SBM (System-call Behavior Module)
• Detection rate of 100% (FP=0%)
• Malicious processes use a typical combination of system calls

33. IMPLEMENTATION- Efficiency and Analysis
33 / 44
Fig. 5. Comparison between malicious vs baseline PBM log
samples over time according to (a) CPU usage
(usrcpu, syscpu), (b) Memory Usage (vgrow, rgrow), and (c)
Disk Usage (wrdsk, rddsk).

34. BACKGROUND- Against Fileliss Attacks
▪ Our system is able to effectively detect all 8 types of the
attacks in our evaluation testbed
34 / 44
Changes the
password
Removes
certain config
files
Stops certain
system
processes
Retrieves
system
information
Steals user
information
Launches
network
attacks
Collecting
device/user
data
Sets up port
forwarding
(Evade on PWM)

35. BACKGROUND- Overhead Analysis
35 / 44

36. 36
6. RELATED WORK
/ 44

37. RELATED WORK- Centralized IDS
37 / 44
▪ Centralized IDS placement approach and generally monitor traffic
passing through the border routers
▪ Is not enough to detect attacks involving just the nodes of the IoT
network
2009
Eung Jun Cho, Jin Ho Kim, and
Choong Seon Hong
Attack model and detection scheme for Botnet
2017
Javid Habibi, Daniele Midi,
Anand Mudgerikar, and Elisa
Bertino
Heimdall: Mitigating the Internet of insecure
things
2013
LinusWallgren, Shahid Raza,
and Thiemo Voigt
Routing attacks and countermeasures in the RPL-
based Internet of Things

38. RELATED WORK- Centralized IDS
38 / 44
▪ Centralized IDS placement with lightweight distributed placement
strategies where each node is responsible for monitoring and
analyzing its packet payloads, energy consumption …
▪ Impose a non-negligible computation overhead
2015
Christian Cervantes, Diego
Poplade, Michele Nogueira,
and Aldri Santos
Detection of sinkhole attacks for
supporting secure routing on 6LoWPAN for Internet of
Things
2014
Tsung-Han Lee, Chih-HaoWen,
Lin-Huang Chang, Hung-Shiou
Chiang, and Ming-Chun Hsieh
A lightweight intrusion detection scheme based on
energy consumption analysis in 6LowPAN
2014
Doohwan Oh, Deokho Kim,
and Won Woo Ro
A malicious pattern detection engine for embedded
security systems in the Internet of Things

39. RELATED WORK- Hybrid IDS
39 / 44
▪ Most recent IDSes are hybrid approaches which combine centralized
and distributed approaches
▪ Designed with a flexible placement strategy
Our system also uses a hybrid placement strategy
2015
Pavan Pongle and Gurunath
Chavan
Real time intrusion and wormhole attack detection in
Internet of Things
2013
Shahid Raza, Linus Wallgren,
and Thiemo Voigt
SVELTE: Real-time intrusion detection in the Internet
of Things
2016
Nanda Kumar Thanigaivelan,
Ethiopia Nigussie, Rajeev Kumar
Kanth, Seppo Virtanen, and Jouni
Isoaho
Distributed internal anomaly detection system for
Internet-of-Things

40. RELATED WORK
40 / 44
▪ Most existing IDSes for IoT devices and embedded devices
(signature-based detection schemes)
▪ Cannot detect attacks for which the signature is unavailable /
the attack signatures/rule list becomes very large and complicated
2013
Prabhakaran Kasinathan, Gianfranco
Costamagna, Hussein Khaleel, Claudio
Pastrone, and Maurizio A. Spirito
An IDS framework for Internet of Things empowered
by 6LoWPAN.
2011
Caiming Liu, Jin Yang, Run Chen, Yan
Zhang, and Jinquan Zeng
Research on immunity-based intrusion detection
technology for the Internet of Things
2014
Doohwan Oh, Deokho Kim, and Won
Woo Ro.
A malicious pattern detection engine for embedded
security systems in the Internet of Things

41. RELATED WORK
41 / 44
▪ Most existing IDSes for IoT devices and embedded devices
(anomaly-based detection schemes)
▪ Our system are different because focuses on building device profiles
using system information gained from the running processes and
system calls rather than network information
2009 Eung Jun Cho, Jin Ho Kim, and Choong Seon Hong
Attack model and detection scheme for Botnet on
6LoWPAN.
2017
Javid Habibi, Daniele Midi, Anand Mudgerikar, and Elisa
Bertino Heimdall: Mitigating the Internet of insecure things
2014
Tsung-Han Lee, Chih-HaoWen, Lin-Huang Chang,
Hung-Shiou Chiang, and Ming-Chun Hsieh
A lightweight intrusion detection scheme based on
energy consumption analysis in 6LowPAN
2015 Pavan Pongle and Gurunath Chavan
Real time intrusion and wormhole attack detection in
Internet of Things
2016
Nanda Kumar Thanigaivelan, Ethiopia Nigussie, Rajeev
Kumar Kanth, Seppo Virtanen, and Jouni Isoaho
Distributed internal anomaly detection system for
Internet-of-Things

42. We aim to build a hybrid
lightweight IDS system which
is able to detect anomalous
behavior in terms of system
level information from
running processes and
system calls.
42
“
/ 44

43. 43
7. CONCLUSIONS
AND FUTUREWORK
/ 44

44. IMPLEMENTATION- Distributed nature of logs
44 / 44
▪ Proposed a system-level IDS E-Spion tailored for IoT devices.
It builds a 3-layered baseline profile
▪ Tested our system with a comprehensive set of 3,973 IoT malware
samples and 8 types of file-less attacks
▪ Detection rate of over 78%, 97%, and 99% for our 3 layers of detection
▪ We intend to broaden our device logs by including network logs of the
device by integrating our system with network-based IDSs

45. THANKS !
/ 44
45

46. Resource
▪ Edge-Based Intrusion Detection for IoT devices(2020) Vol. 11, No. 4, Article
18./ANAND MUDGERIKAR, PUNEET SHARMA, ELISA BERTINO /
Download form SCI-Hub [doi.org/10.1145/3382159]
▪ PPT template- Technology Pixels Presentation Template from
https://www.slidescarnival.com/mowbray-free-presentation-
template/1932#preview
▪ P7. Microsoft Stock images (royalty-free images)
▪ P9. Pic1. Mirai-Style DDoS Attack from https://www.imperva.com/blog/how-to-
identify-a-mirai-style-ddos-attack/
▪ P12,14 Microsoft Bing images (CC images)
46 / 44

47. Extended learning
▪ New rapidly-growing IoT Botnet – REAPER
https://success.trendmicro.com/solution/1118928-new-rapidly-growing-iot-
botnet-reaper
▪ 入侵偵測與預防系統簡介與應用_蕭翔之 講師
http://itcproject1.npust.edu.tw/ISMS/Lecture/資安技術/入侵偵測與預防系統簡
介與應用.pdf
▪ 雲計算之上還有霧計算!? 霧計算(fog computing)的入門和用例
https://medium.com/it-digital-互聯網/雲計算之上還有霧計算-霧計算的入門-
fog-computing-3eab52996c71
▪ 區塊鏈運作原理大剖析：5大關鍵技術
https://www.ithome.com.tw/news/105374
▪ Big-Endian 與 Little-Endian 的差異與判斷程式碼
https://blog.gtwang.org/programming/difference-between-big-endian-and-
little-endian-implementation-in-c/
47 / 44