HIDS by Signature for Embedded Devices in IoT Networks
Bruno V. Dutra∗, João F. de Alencastro†, Francisco L. de Caldas Filho‡, Lucas M. C. e Martins§, Rafael T. de Sousa Júnior¶ and Robson de Oliveira Albuquerque‖
National Science and Technology Institute on Cyber Security, Electrical Engineering Department, University of Brasília (UnB), P.O. Box 4466, Brasília–DF, Brazil, CEP 70910-900
Email: brunovdutr@gmail.com∗, joao.alencastro@gmail.com†, francisco.lopes@redes.unb.br‡, lucas.martins@redes.unb.br§, rafael.desousa@redes.unb.br¶ and robson@redes.unb.br‖
Abstract—Cybersecurity in the Internet of Things (IoT) has become a major concern due to its characteristics. One possible way to protect IoT devices is to enhance smart devices with intrusion detection capabilities that take their limited resources into account. With such assumptions in mind, this paper describes the development of a signature-based host intrusion detection system for IoT smart devices. The signatures remain in a central controller in the cloud, which is periodically consulted by the hosts. The use of the proposed system may prevent IoT devices with known vulnerabilities from joining botnets, taking actions in the system defined by the administrator. In addition, the proposed system is also able to notify the IoT controller about potential failures.

Index Terms—HIDS, smart devices, HIDS controller, HIDS rules, IoT, sensors, IoT vulnerabilities, Mirai.

I. INTRODUCTION

Since the first definition of the term, in 1999 by Kevin Ashton [1], the Internet of Things (IoT) has been widely seen as having enormous potential for growth and for the development of new technologies. The IoT aims to expand the limits of traditional computing, which uses desktops and conventional computers, to a new environment where common objects, like toasters and sensors, are interconnected to exchange data and be remotely controlled. As described in [2], the new computational revolution will come from connecting objects to create smart environments.

Nowadays the IoT has had impressive growth. According to [3], some projections estimate that by 2020 the number of devices connected to IoT instances will grow exponentially to 50 billion.

This growth and popularization of IoT instances in society has brought with it a cybersecurity threat: botnets. Cisco's Annual Cybersecurity Report in 2018 classified the problem as imminent and pointed out the increasing scope and intensity of Distributed Denial of Service (DDoS) attacks [4]. These attacks take advantage of low-security devices that are deployed with no concern for basic security, such as default passwords, creating a huge opening for botnets like Mirai, which uses this kind of device to perform DDoS attacks.

An attack performed by a botnet is defined by two main steps. The first step consists in the attackers taking control of devices: they search for vulnerable devices, which are often IoT devices with the basic security vulnerabilities explained above, and through them establish control over the device, without its knowledge. The second step consists in manipulating the devices: the attackers must be able to orchestrate the devices they control to perform as a unit and achieve a specific objective [5]. Usually the manipulation of devices occurs in a disseminated and coordinated way by a single malicious agent.

Given the high vulnerability exposed above that IoT devices currently have, they are being targeted by malware that builds botnets, the most famous being the Mirai botnet malware. Facing the seriousness of this problem, this paper presents a signature-based Host-Based Intrusion Detection System (HIDS) with the function of detecting attacks and vulnerabilities in an IoT network instance.

Within IoT architectures, there is no pattern for the processing power of devices. Sensors that often have basic functions such as temperature, humidity or light, which are widely used in agricultural applications, have very limited processing power, which makes it a challenge to develop security means for them [6]. Other devices, which are capable of running a UNIX-like operating system, such as the Raspberry Pi, are also used in IoT instances and have higher processing power. This article proposes a security system for these devices.

Besides this introduction, the paper is organized as follows: in Section II, we present a literature review about security in IoT and, in Section III, we present the related works. In Section IV, we present the proposed HIDS for IoT devices and, in Section V, we highlight the proposed HIDS life cycle. In Section VI, we present the testing methodology and the results. Finally, in Section VII, we present our conclusions and our suggestions for future work.

II. STATE OF THE ART

This paper focuses on security issues in the IoT domain. To discuss them, we present the academic and industry view of some concepts that are useful for understanding the paper's content.

A. IoT Architecture

IoT solutions are being used, and projected to be used, in several domains like agriculture, transportation, logistics, industry, smart grid, home automation, surveillance, health care and personal assistance [2]. Each one of these domains has its own characteristics, but we point out two common issues they have: heterogeneity of technologies and a large number of entities in the solution. There is a lot of technology heterogeneity and many entities because it is supposed to be a ubiquitous solution and, to achieve this, the devices need to be cheaper, smaller and more abundant than conventional ones.

We can see the IoT architecture as a layered architecture composed of devices, network connectivity, middleware and applications. The devices layer has all sorts of devices acting as sensors and/or actuators, including the smart devices. The network connectivity layer embraces the network infrastructure that makes it possible for the devices to connect to the middleware. The middleware layer corresponds to a piece of software or a set of software that supports device activities, for instance by providing storage and processing capabilities. The applications layer is composed of services and applications that interact with the data and actions provided by the devices.

B. UIoT Middleware

The UIoT Middleware was proposed in [7] to “control and notify the current state of generic devices”. It evolved into a cloud-based IoT middleware that is capable of storing large amounts of data and processing it for the connected IoT devices. It is composed of a set of components such as the cloud-based UIoT Gateway, which handles all requests the devices make to the middleware; the Data Interface Management System (DIMS), which is the API interface for all data handled by the middleware; and the User Interface Management System (UIMS), which is the user-friendly interface for the middleware's data and operations.

As an authentication mechanism, the middleware demands a registration before the new device is able to interact with other devices or with the middleware. As described in [8], it uses a self-registration model in which the device must request its registration from the middleware, using a set of REST APIs. To successfully accomplish the self-registration process, the device must state its identification data and its services. When the middleware validates the given registration data, the device is able to send data to the middleware, as well as to consume its data.

Some IoT devices are resource-constrained in terms of power, memory, processing and/or networking so that, for instance, they communicate only over non-TCP/IP protocols. Another issue that prevents certain IoT devices from integrating with an IoT network is the so-called “silo solution”, in which the device is only capable of communicating with hardware and software from the same manufacturer [9]. As in [8], the UIoT Gateway acts as a semantic gateway, translating communications from the devices to the middleware.

C. Host-Based IDS

Host-based Intrusion Detection Systems were the first type of IDS to be conceived. They usually run only within the target host, with the task of monitoring and analyzing its files and processes; therefore the network traffic addressed to the host is not taken into account. One of their main functions is to trace and verify information relative to log registers, events, file systems, permissions, among others. Steven R. Snapp et al. [10] specify tagged objects, which are thought to be interesting in the intrusion detection matter. Any file, device or process can be tagged, so that it can be distinguished easily and verified frequently.

D. Wagner et al. [11] show a different approach, where intrusions are detected as anomalies relative to the normal system-call behaviour of processes. For instance, if an e-mail client starts to open and write files, create sockets and listen on ports it is not supposed to, it is possible that this client was infected.

D. Botnets

There are several ways to invade computing systems; one of the most successful methods yet invented is the botnet, also called a zombie net. A botnet is a network of computing devices that are exploited without their owners' knowledge. Once the devices are invaded, malicious scripts and code can be executed, accomplishing multiple routines. One of them is to send continuous TCP, UDP or ICMP requests to a victim server in order to overwhelm the listener and stop it from functioning correctly, the basic idea of a DDoS attack. Botnets can also be used to collect sensitive data and personal identities, or to distract organizations from real attacks.

The life cycle of a typical botnet consists of the stages shown in Figure 1.

Figure 1. Life cycle of a Botnet. [12]

E. Botnets: Entry Vulnerabilities

1) Vulnerabilities in conventional systems: Traditional operating systems have a list of known vulnerabilities that are the first to be exploited by an attacker; these include:
• Known vulnerabilities of default TCP ports, such as 135, 139 or 593;
• Backdoors left behind by a Trojan previously installed;
• Default passwords;
• Configuration files in unsecured locations;
• Database-related vulnerabilities;
• Default routes and directories.
2) Vulnerabilities in IoT systems: With an IoT system environment in mind, some of the known vulnerabilities, as presented by [13], are quoted below:
• Authentication and/or insufficient authorization;
• Denial of Service Attacks in the Internet of Things;
• Eavesdropping in the Internet of Things;
• Node Capture in the Internet of Things;
• Physical Security of the Sensors.

F. HIDS: Prevention Methods

A Host-Based Intrusion Detection System (HIDS) works with information collected from inside a computational device; this allows the HIDS to perform daily routine activities to determine which processes and users might be involved in some kind of attack. As discussed in [14], an HIDS is used to check and securely maintain the host's system and its network activities, whether the system has been attacked or not.

Still according to [14], host-based IDSs use the audit data, incoming traffic and logs produced by the applications to detect malicious activities, to prevent intruders' activities and to trace the attacks. Therefore, most of the existing audit mechanisms are implemented in the host operating system.

G. HIDS: Audit

Keeping audit trails and analysing them can reveal a lot of information about events that might have occurred, such as:
1) Improper changes in the system's configuration files;
2) Connection attempts that are inconsistent or repeated (like brute force);
3) Illegal creation of application processes, or the removal of legitimate ones;
4) Sudden scarcity of resources, e.g. of memory and processing;
5) Abnormal increase of disk usage;
6) Irregular attempts to address connections.

H. HIDS IoT

An HIDS has a fundamental role in the discovery of vulnerabilities in conventional networks, because it alerts the administrator to possible attacks, helping them understand where the vulnerabilities come from. There are numerous implementations of HIDS applications for traditional network devices, for instance OSSEC, Tripwire, AIDE and Prelude Hybrid IDS. However, according to [15], IoT needs a robust IDS that can detect new attacks and that is, simultaneously, lightweight to run.

This HIDS will have a distributed behavior, to publish the rules that were created in the network and to report to the controller the occurrences of attacks detected in its audits. Thus, each computational system that hosts the cited HIDS will be part of a “web of trust”, consisting of all host devices that have a distributed HIDS agent. Each instance of the HIDS in its host operating system will have to submit to a central controller that will aid in rule distribution and incident control. Each instance of the distributed HIDS will have some features of a conventional HIDS, so it will have mechanisms to audit all the topics mentioned in the previous subsection and, once rules are configured, it will be able to perform actions on events detected in the audit.

Finally, the HIDS on hosts (sensors with higher processing capacity) will be specifically configured to detect if the device is being controlled and/or if it is part of a botnet. So its audit will focus on basic specific vulnerabilities of IoT networks. The HIDS agent will still be able to perform response actions on the device. Such actions include closing connections, generating reports and setting actions.

III. RELATED WORK

There are numerous studies on intrusion detection systems in resource-constrained devices. However, most are concerned with studying how traditional network IDSs operate on an embedded device such as a Raspberry Pi.

One interesting work is [16], which looks at how a traditional IDS acts on a Raspberry Pi while observing the use of CPU and RAM in a resource-constrained device. In this sense, the analysis of an already established intrusion detection tool on a Raspberry Pi is similar to the one proposed here, since it requires greater management of resource use.

Another relevant study was [17], which attempts to analyze which traditional IDS running on a Raspberry Pi has the best management of resource usage versus packet capture rate for vulnerability analysis.

In [5], the authors relate the growth of botnet networks to the increase of IoT devices that have security holes and are included in botnets such as Mirai, but in their work the referenced authors do not propose any security mechanisms to mitigate such attacks.

Differently from the works mentioned previously, in [18] an analysis of intrusion detection methods for IoT is proposed in a general context, considering a wide variety of devices used in IoT.

The majority of IDS implementations in IoT are based on using detection tools already established in the devices usually used in this context and managing the resources used. The proposal here, however, was based on the creation of a custom host-based intrusion detection system for the IoT context, with a set of rules intended for common IoT vulnerabilities.

IV. PROPOSAL

This paper presents the development of a signature-based HIDS for smart devices that will try to connect to the IoT network. This HIDS will be composed of some well-defined entities (Figure 2) that aim to detect attacks and vulnerabilities in smart devices connected to a given IoT network. These entities are described below:
1) HIDS Agents in smart devices;
2) Communication API between HIDS Controller and HIDS Agent;
3) HIDS Controller;
4) Rules;
5) Event Reports.
A. HIDS Agent

The HIDS Agent is an application that runs on the IoT smart device. This application performs the tests provided in the rules registered in the local database and compares the output of these tests with the expected output. If the output is different from the expected output, the action foreseen in the rule will be executed and an event report will be generated and sent to the HIDS Controller. To test the rules in the local database, the HIDS Agent will use the functions described below:

1) Threat Scan: This function of the HIDS application reads each of the rules present in the local database and performs a test case for each of them. The test case consists of verifying whether the output obtained by executing the rule code is equal to the expected standard output that is set by the controller during the registration of the rule. Once the output generated by executing the rule code differs from the one in the output field, the action foreseen in the rule will be executed and an event report will be generated and sent to the HIDS Controller through the communication API.

2) Enable Self Analysis: Enables the Threat Scan to be run automatically and periodically.

3) Disable Self Analysis: Disables the Threat Scan.

4) Update Rules: This function makes a request to update rules to the HIDS Controller through the communication API. The request is sent from the HIDS Agent to the HIDS Controller, which checks that it is valid and responds with the most up-to-date set of rules, in the format described in Figure 3. Once the instance receives the updated rules, the HIDS application will check whether rules have been updated, added or removed with respect to its previous rule set, and will persist the data in the local rule database.

5) Set the time between rule updates: Rule updating can be initiated using the CLI, but the HIDS application expects that rule update requests are made automatically and periodically. This function allows you to set the time between update requests. If it is not explicitly configured, the default time associated with the instance will be 15 minutes.

6) Show Rules: Shows the existing rules in the local rules database.

7) Show settings: Shows the settings of the HIDS application, such as the request period for updated rules, the communication API configuration, etc.

B. Communication API

This component is responsible for the communication of the HIDS Agent present in the Smart Device with the HIDS Controller allocated in the IoT middleware, according to the architecture proposed in Figure 2. The communication between the mentioned entities occurs via the HTTP protocol with the POST method, carrying a standard JSON document, as shown in Figure 3.

Figure 2. Logical architecture of the proposed implementation.
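The rule-update round trip of Update Rules (IV-A, item 4) and the Communication API (IV-B), as an added example written for this page in Python, the language of the paper's `python manage` CLI; it is not the paper's or the project's own code. The agent builds the update request, the controller accepts only an instance that completed self-registration and answers with its current rule set, and the agent works out which rules were added, updated or removed before persisting them in a local sqlite database; the 15-minute default update period is also modelled. The controller is simulated in-process rather than behind an HTTP endpoint, and the JSON field names, the sqlite layout, the rule values and the agent identifiers are assumptions, since Figure 3 is not reproduced on the page.

```python
# Added example (not the paper's code): the rule-update exchange between an
# HIDS Agent and the HIDS Controller described in Sections IV-A(4) and IV-B.
# The controller runs in-process instead of behind an HTTP endpoint, so the
# exchange works offline; the JSON field names and the sqlite layout are this
# example's assumptions, since the paper's Figure 3 is not reproduced here.
import json
import sqlite3
from datetime import datetime

DEFAULT_UPDATE_PERIOD_MIN = 15  # the paper's default interval between update requests

# Constructed controller state: agents that completed self-registration and the
# current rule set (six fields, as in Section IV-D). Values are illustrative.
REGISTERED_AGENTS = {"agent-0001"}
CONTROLLER_RULES = [
    {"id": 1, "name": "default-password", "date": "2019-04-05",
     "assumption": "none", "test_case": "default_password", "action": "report"},
    {"id": 2, "name": "telnet-port", "date": "2019-04-05",
     "assumption": "closed", "test_case": "telnet_port", "action": "drop_connections"},
    {"id": 3, "name": "memory-hog", "date": "2019-04-05",
     "assumption": "none", "test_case": "memory_hogs", "action": "terminate_process"},
]
RULE_COLUMNS = ("id", "name", "date", "assumption", "test_case", "action")


def build_update_request(instance_id):
    """Agent side: JSON body of the POST sent to the controller (field names assumed)."""
    return json.dumps({"command": "update_rules", "instance_id": instance_id})


def controller_handle_update(body, controller_rules=None):
    """Controller side: accept only agents registered earlier (life-cycle step D),
    then answer with the complete current rule set; anything else is rejected."""
    rules = CONTROLLER_RULES if controller_rules is None else controller_rules
    try:
        req = json.loads(body)
    except ValueError:
        return json.dumps({"status": "rejected", "rules": []})
    if req.get("command") != "update_rules" or req.get("instance_id") not in REGISTERED_AGENTS:
        return json.dumps({"status": "rejected", "rules": []})
    return json.dumps({"status": "ok", "rules": rules})


def open_local_db():
    """The agent's local rule database (in memory here; a file on a real device)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rules (id INTEGER PRIMARY KEY, name TEXT, date TEXT, "
               "assumption TEXT, test_case TEXT, action TEXT)")
    return db


def reconcile(db, remote_rules):
    """Agent side: work out which rules were added, updated or removed relative to
    the local database, persist the result and return the three id lists."""
    local = {row[0]: row for row in
             db.execute("SELECT id, name, date, assumption, test_case, action FROM rules")}
    remote = {r["id"]: tuple(r[c] for c in RULE_COLUMNS) for r in remote_rules}
    added = sorted(set(remote) - set(local))
    removed = sorted(set(local) - set(remote))
    updated = sorted(i for i in set(local) & set(remote) if local[i] != remote[i])
    db.executemany("DELETE FROM rules WHERE id = ?", [(i,) for i in removed])
    db.executemany("INSERT OR REPLACE INTO rules VALUES (?, ?, ?, ?, ?, ?)",
                   [remote[i] for i in added + updated])
    db.commit()
    return added, updated, removed


def agent_update_rules(db, instance_id, controller_rules=None):
    """One update round: build the request, hand it to the (simulated) controller
    and reconcile the answer. Returns None when the controller rejected the agent."""
    resp = json.loads(controller_handle_update(build_update_request(instance_id), controller_rules))
    if resp["status"] != "ok":
        return None
    return reconcile(db, resp["rules"])


def due_for_update(last_update_iso, now_iso, period_min=DEFAULT_UPDATE_PERIOD_MIN):
    """Periodic scheduling of Section IV-A(5): true once the configured period has elapsed."""
    elapsed = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_update_iso)
    return elapsed.total_seconds() >= period_min * 60


if __name__ == "__main__":
    db = open_local_db()
    print("round 1 (added, updated, removed):", agent_update_rules(db, "agent-0001"))
    print("unregistered agent:", agent_update_rules(db, "agent-9999"))
```

The controller answers with its whole rule set rather than a delta, which matches the paper's description of the agent deciding locally what was added, updated or removed; an agent that is not in the registered set gets an empty rejection, so an unregistered device never learns the rule base.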
TABLE I
LIST OF AVAILABLE COMMANDS

Name                    | Description                                                            | CLI Command
scan threats            | Checks for threats according to rules specified in the rules database. | python manage scan
enable auto scan        | Enables scanning periodically for threat detection.                    | python manage enable auto scan
disable auto scan       | Disables scanning periodically for threat detection.                   | python manage disable auto scan
update                  | Updates periodically the database of threat rules.                     | python manage update
set update rules period | Changes the time in which the HIDS rules are updated.                  | python manage set update time
show rules              | Shows all available rules.                                             | python manage show all rules
show info               | Displays HIDS configuration information.                               | python manage info

Figure 4. JSON to send event reports to the HIDS Controller.

C. HIDS Controller

The entity responsible for managing the HIDS Agents, logging and updating rules, defining rule premises, analyzing event reports, and providing the data visualization for control. In addition, it is the entity that will communicate directly with the IoT Gateway to define the personalized assumptions and report the findings. The registration of rules in the controller can be done directly in the application running on the server (Figure 5) or indirectly via the Web API. Some of the functions of the HIDS Controller are described below:

1) Registration of new rules: Registers the rules in a remote database. This function is responsible for sending the updated rules to all smart devices associated with the HIDS Controller.

2) Definition of Assumptions: Defines the default output of the rules. The output is used in the tests performed in the HIDS Agents to verify threats and vulnerabilities.

3) Event Report Analysis: Analyzes the event reports that arrive at the controller from the HIDS Agents associated with it.

4) Threat Treatment: Based on the event report, performs some action to remove the reported vulnerabilities.

D. Rules

A rule is a set of information that assists the HIDS Agent in taking some previously defined actions. In the abstraction defined here the rule has 6 main fields:
• Name: Rule name;
• Id: Uniquely identifies a rule;
• Date: Date of creation;
• Assumption: Value taken as true for a given condition or characteristic of the system;
• Test Case: Code that finds the characteristic or condition to be tested and returns it for verification;
• Action: In case the value found by the Test Case is different from the value in the Assumption, the Action defined here must be taken.

The registered rules are designed to end certain anomalies commonly found in IoT systems. To simplify their application, these rules are classified in different contexts, described below:
1) Network;
2) Resources;
3) Known vulnerabilities.

1) Network: HIDS Agents communicate with the gateway through a traditional network infrastructure. Traditional networks have a number of well-known vulnerabilities and attacks. Such vulnerabilities can serve as a way in for a malicious agent to take control of the smart device that has the HIDS Agent. Thus, rules were developed to detect vulnerabilities and attacks related to the network context. Among the rules implemented in this context we can mention:
1) Port scan detection;
2) DDoS attack detection;
3) DNS attack detection.

2) Resources: The use of resources such as processing, memory and disk space is of great importance to smart devices. Thus, these resources can be the target of attacks that aim to disable or reduce these resources for legitimate applications. To detect such attacks, the rules of this context have been created. Among the rules implemented in this context we can mention:
1) Processes with excessive memory use;
2) Processes with excessive processor usage;
3) Processes with excessive disk (HD) usage;
4) High temperature.

3) Known vulnerabilities: This context provides for the creation of rules for classic vulnerabilities in the IoT environment as well as good practices for configuring smart devices. Among the rules implemented in this context we can mention:
1) Default passwords;
2) Standard open ports;
3) Configuration files in standard and unprotected directories.

E. Event Report

An Event Report is a set of information that is sent to the HIDS Controller. This set of information is sent at the moment a vulnerability is detected by the rules. In Figure 4 the information is shown, and it is detailed next:
1) instance id: identifier of the HIDS Agent;
2) instance ip: IP address of the HIDS Agent;
3) instance mac: MAC address of the HIDS Agent;
4) rule id: identifier of the rule that detected the vulnerability;
5) output rule: output found by the rule;
6) occur time: time at which the vulnerability was found.

V. LIFE CYCLE OF A HIDS

For the detection and treatment of vulnerabilities/attacks it is necessary that the HIDS application operates through some well-defined steps, as shown in Figure 6. This sequence of steps transparently executes the application on the smart device that wants to send data to the cloud application that will handle the received data. These steps consist of:
1) Register the HIDS Agent on the HIDS Controller;
2) Download the HIDS source code;
3) Request updated rules from the HIDS Controller;
4) Validate the HIDS Agent request and respond with the updated rules;
5) Update the local rules database;
6) Run the test case for each local database rule;
7) Perform the actions provided in the rules;
8) Send the Event Report;
9) Handle the event report received.

A. Register the HIDS Agent on the HIDS Controller

When a Smart Device wishes to enter the IoT network to send data from its monitoring to the application in the cloud, the self-registration process described in Section II is required. Once this process is completed, the smart device will be registered in the HIDS Controller as an associated smart device.

B. Download HIDS source code

The self-registration of the HIDS Agent in the controller is finished. The Smart Device downloads the HIDS application source code and starts the installation process. At this point the Smart Device is already running an instance of the HIDS and can be accepted as a valid device in the IoT network it is part of.

C. Request updated rules from the HIDS Controller

In this step, the HIDS Agent sends the controller, using the communication API, a request to update rules.

D. Validate the HIDS Agent request and respond with the updated rules

The HIDS Controller will validate the requesting HIDS Agent based on its identification, which was previously registered during the self-registration process. Thus the instance is validated, and shortly afterwards the HIDS Controller will respond with the set of updated rules taken from the remote database.

E. Update the local rules database

Once the updated rules have been received by the HIDS Agent, the local rules database is updated.

F. Run the test case for each local database rule

Once the local rules database is updated, each rule is tested to determine whether the output found differs from the output expected by the rule.

G. Perform the actions provided in the rules

For each rule that fails its test, the HIDS Agent will execute the action provided in the rule.

H. Send Event Report

For each rule that fails its test, an event report is generated and sent to the associated HIDS Controller.

Figure 6. Application life cycle from the standpoint of the HIDS Agent on the Smart Device.
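The Threat Scan of IV-A (item 1) run over rules with the six fields of IV-D, producing the event report of IV-E for each rule that fails, which is also life-cycle steps F to H above. This is an added example written for this page in Python (the language of the paper's CLI), not the paper's or the project's own code. Four rules stand in for the contexts the paper lists (default passwords, a standard open port, a process with excessive memory use, configuration files in unprotected locations); each test case inspects a constructed snapshot of the device instead of calling the operating system, so the scan runs offline. The snapshot fields, the credential list, the test-case and action names and the agent identity are assumptions; the event-report field names follow IV-E.

```python
# Added example (not the paper's code): the Threat Scan of Section IV-A(1) run
# over the six-field rules of Section IV-D, producing the event report of
# Section IV-E (serialised as the JSON payload of Figure 4) for every rule whose
# test-case output differs from its assumption. The device state is a constructed
# snapshot, so the scan runs offline; the test-case and action names, the
# snapshot fields and the credential list are this example's assumptions.
import json
from datetime import datetime, timezone

# Constructed snapshot of the smart device, standing in for the system calls a
# real agent would make (listening sockets, process table, file modes, accounts).
HOST = {
    "listening_ports": [22, 80],
    "processes": [{"pid": 101, "name": "sensor-daemon", "mem_mb": 48},
                  {"pid": 202, "name": "updater", "mem_mb": 640}],
    "config_files": {"/etc/sensor/app.conf": 0o644, "/tmp/app.conf": 0o666},
    "accounts": {"pi": "raspberry", "ops": "Kx7!pq"},  # constructed, illustrative only
}
# Small constructed list of factory credentials the "default passwords" rule checks for.
DEFAULT_CREDENTIALS = {("pi", "raspberry"), ("admin", "admin"), ("root", "root")}


# Test cases: each inspects the snapshot and returns a value that the scan
# compares with the rule's assumption ("none" means nothing was found).
def tc_default_password(host):
    hits = sorted(u for u, p in host["accounts"].items() if (u, p) in DEFAULT_CREDENTIALS)
    return ",".join(hits) or "none"


def tc_telnet_port(host):
    return "open" if 23 in host["listening_ports"] else "closed"


def tc_memory_hogs(host, limit_mb=512):
    return ",".join(p["name"] for p in host["processes"] if p["mem_mb"] > limit_mb) or "none"


def tc_unprotected_config(host):
    # configuration files that are world-writable (the "other write" mode bit is set)
    return ",".join(sorted(f for f, mode in host["config_files"].items() if mode & 0o002)) or "none"


TEST_CASES = {"default_password": tc_default_password, "telnet_port": tc_telnet_port,
              "memory_hogs": tc_memory_hogs, "unprotected_config": tc_unprotected_config}

# Actions (assumed names): on a device they would act; here each returns a record
# of what was done so the outcome can be checked.
ACTIONS = {
    "report": lambda rule, output: f"report:{rule['name']}",
    "drop_connections": lambda rule, output: f"drop:{rule['name']}",
    "terminate_process": lambda rule, output: f"terminate:{output}",
}

# Contents of the local rule database (the six fields of Section IV-D), constructed.
RULES = [
    {"id": 1, "name": "default-password", "date": "2019-04-05", "assumption": "none",
     "test_case": "default_password", "action": "report"},
    {"id": 2, "name": "telnet-port", "date": "2019-04-05", "assumption": "closed",
     "test_case": "telnet_port", "action": "drop_connections"},
    {"id": 3, "name": "memory-hog", "date": "2019-04-05", "assumption": "none",
     "test_case": "memory_hogs", "action": "terminate_process"},
    {"id": 4, "name": "unprotected-config", "date": "2019-04-05", "assumption": "none",
     "test_case": "unprotected_config", "action": "report"},
]

# Identity of this agent (constructed); the event report of Section IV-E carries it.
INSTANCE = {"instance_id": "agent-0001", "instance_ip": "192.0.2.10",
            "instance_mac": "02:00:00:00:00:01"}
SCAN_TIME = datetime(2019, 4, 5, 12, 0, tzinfo=timezone.utc)  # fixed for reproducibility


def make_event_report(instance, rule, output, now):
    """The six event-report fields of Section IV-E, in the order the paper lists them."""
    return {"instance_id": instance["instance_id"], "instance_ip": instance["instance_ip"],
            "instance_mac": instance["instance_mac"], "rule_id": rule["id"],
            "output_rule": output, "occur_time": now.isoformat()}


def threat_scan(rules, host, instance, now=None):
    """Run every rule's test case; a mismatch with the assumption triggers the
    rule's action and yields an event report. Returns (reports, actions taken)."""
    now = now or datetime.now(timezone.utc)
    reports, taken = [], []
    for rule in rules:
        output = TEST_CASES[rule["test_case"]](host)
        if output != rule["assumption"]:
            taken.append(ACTIONS[rule["action"]](rule, output))
            reports.append(make_event_report(instance, rule, output, now))
    return reports, taken


def report_payload(reports):
    """Body of the POST that carries the reports to the controller (Section IV-B)."""
    return json.dumps(reports)


def run_demo_scan():
    """Scan the constructed snapshot at a fixed time so the result is deterministic."""
    return threat_scan(RULES, HOST, INSTANCE, now=SCAN_TIME)


if __name__ == "__main__":
    reports, taken = run_demo_scan()
    print(report_payload(reports))
    print(taken)
```

On the constructed snapshot the telnet rule passes (port 23 is not listening) while the other three fail, so three event reports are produced and three actions are recorded. Because a rule's expected value lives in the assumption field set by the controller, the same test case can be reused with a different assumption on a device where, for instance, a given port is legitimately open.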
REFERENCES
[1] K. Ashton, “That ‘Internet of Things’ Thing.” Accessed: Apr 05, 2019. [Online]. Available: https://www.rfidjournal.com/articles/view?4986
[2] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions,” Future Generation Computer Systems, vol. 29, no. 7, pp. 1645–1660, 2013.
[3] A. L. Albertin and R. M. Albertin, “A internet das coisas irá muito além as coisas,” GV-executivo, vol. 16, no. 2, pp. 12–17, 2017.
[4] Cisco, “Cisco 2018 Annual Cybersecurity Report,” Tech. Rep., 2018. [Online]. Available: https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf
[5] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and other botnets,” Computer, vol. 50, no. 7, pp. 80–84, 2017.
[6] T. H. Lee, C. H. Wen, L. H. Chang, H. S. Chiang, and M. C. Hsieh, “A lightweight intrusion detection scheme based on energy consumption analysis in 6LowPAN,” in Advanced Technologies, Embedded and Multimedia for Human-centric Computing, Lecture Notes in Electrical Engineering, vol. 260, 2014.
[7] H. G. C. Ferreira, “Arquitetura de Middleware para Internet das Coisas,” Master’s Thesis, Universidade de Brasília, Brasília, DF, Brazil, 2014.
[8] F. L. de Caldas Filho, L. M. C. e Martins, I. P. Araújo, F. L. L. de Mendonça, J. P. C. L. da Costa, and R. T. de Sousa Júnior, “Design and Evaluation of a Semantic Gateway Prototype for IoT Networks,” in Companion Proceedings of the 10th International Conference on Utility and Cloud Computing (UCC ’17 Companion), Austin, Texas, USA: ACM, Dec 2017, pp. 195–201.
[9] C. F. C. Ribeiro, F. L. de Caldas, L. M. C. e Martins, C. J. B. Abbas, and R. T. de Sousa Júnior, “Protocolos de Redundância de Gateway Aplicados em Redes IoT,” in Anais do XXXVI Simpósio Brasileiro de Telecomunicações e Processamento de Sinais (SBrT 2018), Campina Grande, PB, Brazil, Sep 2018, pp. 1065–1069.