Bolt-on network layer security for IoT · 2020-07-07
Vyas Sekar
Context for work: Assume IoT unfixable
Multi-stage CyberPhysical Privacy leaks
What can we do?
• Measure
• Learn
• Adapt
Current and ongoing work
• Measure
– C3P0: Understanding vulnerabilities in connected 3D printer deployments
– CANvas: An nmap for your car
• Learn
– RADIO: Modeling “normal” behaviors
– Tackling “blackboxes” in the real world with ML
• Adapt
– A lightweight, trusted gateway for IoT
– LEAF: Crowdsourcing
C3P0: Connected 3D Printer Observer
[Figure, Individual 3D Printers: sampled 3D printers vulnerable (0–8) per security issue (No Data Protection, Denial of Service, Unused Services, Known Attacks, Inputs Crash App, On Internet); series: Intranet]
[Figure, 3D Printer Deployments: all normalized attack paths (per printer, per device; 0–6) per vulnerability scenario (No Assumed Vulnerabilities, Phishing E-mail Attack on PC, Hacked IIoT); series: Deployment A, B and C, each local and remote]
CANvas: An nmap for your car
1. Identify ECUs
2. Identify message sender (source mapping)
3. Identify message receiver(s) (destination mapping)
[Figure: a timestamped traffic log captured from the physical bus is turned into a source map and a destination map]
Found an unexpected ECU in a 2009 Prius: an ECU installed during a past vehicle modification.
RADIO: Modeling “normal” behaviors
Learning from a camera’s network traces: “normal” behaviors, e.g., login, video recording, …
Challenge 1: No abstraction for modeling IoT behaviors; the protocol spec is too coarse-grained
Challenge 2: Historical traces can be polluted
Idea 1: A precise FSM-based abstraction to capture key IoT-behavior characteristics
Idea 2: Combine FSM inference (RPNI) with outlier detection (RANSAC) to address pollution
Tackling “blackboxes” in the real world with ML
• Example 1: generating protocol-compliant packets
• Use cases: fuzzing (feed packets to a black-box system until it crashes); protocol reverse engineering (analysts asking what the packet format of a black-box system is)
• Approach: Packets → GAN → More packets
Tackling “blackboxes” in the real world with ML
• Example 2: identifying attack inputs
• Use cases:
• Approach:
Automated Model Inference
Alembic: Active Learning-based Inference
Automatically infer a behavior model of network functions from black-box observations
[Figure: Stateful NF + Config → Finite State Machine; Model = NF(config)]
Key Results: 1) Reduces FP and FN of network verification; 2) Enables finding potential attacks against firewalls
Lightweight, Trusted Gateway
[Figure: home router with IoT and non-IoT devices]
• Low-cost
• Scalable
• Trusted
[Figure: Memory utilized (MB, 0–2000) vs. number of simultaneous IDSes (0–50); series: Baseline IDS, Optimized IDS]
[Figure, Runtime Latency Impact: median latency (msec, 0–2.5) per configuration (No Security Function, Static Packet Tag, Cryptographic Packet Tag); series: Wired, Wireless]
LEAF: Crowdsourcing
[Figure: several homes, each behind an IoT Security Gateway]
Our goal: learning context-based policies for smart homes
Strawman 1: using single-home data
Strawman 2: using all-home data
Problems: data sparsity; diversity/privacy
Our idea: applying federated multi-task learning
• Federated: transfer model parameters rather than raw data (provides privacy)
• Multi-task: customized model learned from all data (addresses data sparsity/diversity)
Conclusions
• Grand Challenge: IoT devices with unfixable flaws
• Pragmatic “bolt-on” network security
– Measure
– Learn
– Adapt
• Early successes across domains and use cases
• Many open directions!