Department of Computer Science and Information Engineering
College of Engineering
National Chung Cheng University
Doctoral dissertation
Collaborative detection framework for security
attacks on the Internet of Things
Nguyen Van Linh
Advisor: Prof. Po-Ching Lin, Ph.D.
Co-advisor: Prof. Ren-Hung Hwang, Ph.D.
Taiwan, R.O.C., Fall 2019
Authorization for Online Access to the Electronic Thesis/Dissertation File
(Return this copy with the dissertation to the university library; the National Central Library uses it for authorization management) ID: 106CCU00392111
The dissertation authorized by this form was submitted by the authorizer for the degree of Doctor at National Chung Cheng University, Graduate Institute of Computer Science and Information Engineering, _______ Division, in the first semester of academic year 108.
Dissertation title: Collaborative detection framework for security attacks on the Internet of Things
Advisor: 林柏青, Po-Ching Lin
I hereby agree to make the full text (including the abstract) of the above dissertation, of which I hold the copyright, available to readers for personal, non-profit online search, reading, downloading and printing. This is a non-exclusive, royalty-free authorization granted to the National Central Library and to the library of my graduating school, without limitation of territory, time or number of copies, to reproduce the above dissertation in microform, on optical disc or in digital form, and I agree to the public transmission of the digital file.
Open immediately on and off campus
□ Open immediately on campus; open off campus after ______ (year) ______ (month) ______ (day)
□ Open on campus after ______ (year) ______ (month) ______ (day); open off campus after ______ (year) ______ (month) ______ (day)
□ Other
Authorizer: 阮文齡 (Nguyen Van Linh)
Signature: _____________________ Date: ______ (year) ______ (month) ______ (day)
Acknowledgements
The road to scientific research has never been a flat one, especially for me. After three
years of fighting for my dream of becoming a cybersecurity scientist, I finally have the chance
to express my sincere gratitude to the people who have given me passion and strength
in this fight. I would like to express my deepest appreciation to my beloved
supervisors, Prof. Po-Ching Lin and Prof. Ren-Hung Hwang, who both encouraged
me to surpass the critical points of this research. Without their valuable assistance and
timely encouragement, I could not have known whether I was on the right track. To
me, their insightful comments, tough questions, and particularly thoughtful reviews have
certainly motivated me a lot to finish this extremely hard work on time.
I would like to sincerely thank National Chung Cheng University (CCU) for offering me a full
scholarship. The precious and constant sponsorship from Prof. Lin and Prof. Hwang, the
Department of Computer Science and Information Engineering (CSIE@CCU), and the Taiwan
Information Security Center at National Sun Yat-sen University (TWISC@NSYSU) has also been
vital for my research and my life in Taiwan.
I also thank my professors at CCU/NSYSU who taught me great courses or
worked with me on meaningful projects, and Ms. Huang and Ms. Chen, who
gave me exciting Chinese courses that certainly helped me forget all the tiredness
of work and keep fighting. I would like to thank the staff of CSIE@CCU for their great
support with the document procedures. Thanks to all members of the Network and System Security
Lab, my beloved friends at CCU, the Karate club, and the Badminton team, who were always
willing to encourage me and cheer with me during the memorable time of my Ph.D. journey.
Finally, thanks to my parents, my darling, and all my friends for their unconditional
support and patience during the course of this work. Last but not least, I would like to
thank my life partner, Lan-Huong, for her constant encouragement, sacrifices and endless
love for me, which motivated me a lot to firmly pursue the doctoral program till the end. I
believe that, without this encouragement and support, I could never have been strong enough to
overcome the difficulties and finish this research successfully.
Abstract
A connected world of the Internet of Things (IoT) has become a visible reality, closer than ever,
and it is now being fueled by the appearance of 5G and beyond-5G (B5G) connectivity
technologies. However, besides raising the hope of a better life for human beings
through promising applications, the complicated structure of IoT and
the diversity of the stakeholders accessing the networks also raise grave concerns that
our lives may be more vulnerable than ever to daily threats of security attacks,
disinformation, and privacy violation. The objective of the research presented in this
dissertation is to detect attacks targeting network availability (e.g., volume
attacks) and data authenticity (e.g., data forgery dissemination attacks) in the perception
layer and the network layer of IoT networks. Further, our research aims to exclude the
responsible attackers, misbehaving nodes and unreliable stakeholders from active network
participation, or at least to mitigate the magnitude of such attacks significantly at the edge of
the networks in a timely fashion.
While most existing solutions for security detection in IoT are based on data-driven learning
and plausibility checks on the traffic near the victim or at a single network
hop, in this dissertation we propose a collaborative security defense framework, called
TrioSys, which relies on three main approaches. First, the system evaluates the
behavior of traffic and nodes by learning from cooperatively accumulated information, e.g.,
the distribution of traffic requests targeting a specific address over a time interval, and by fusing the
trustworthiness of the post-detection results from trusted engines at multiple layers, such as the
edge-based (regional) and cloud-based (global) detection systems. Second, by
filtering malicious traffic and bogus messages directly at or near the source nodes and the edge, our
system provides a highly effective protection approach with a low-latency response to
attacks, in particular before their malicious traffic has a chance to pour into the
networks or to affect the decisions of unsuspecting nodes such as the control system of
an autonomous vehicle. Finally, for each specific application deployment, i.e.,
IoT eMBB or IoT uRLLC, we propose a suitable strategy for implementing the detection
mechanisms on the platform. For example, in the autonomous driving case (IoT uRLLC),
we propose a novel method that exploits passive source localization from the physical
signals of the multi-array beamforming antennas in V2X-supported vehicles, together with motion
prediction, to verify the truthfulness of the GPS location claimed in V2X messages, without
requiring the availability of many dedicated anchors or the strong honest-majority
assumption of conventional approaches.
In summary, this work consists of two main contributions: (1)
TrioSys, a robust and effective platform for detecting and filtering attacks in IoT,
particularly compatible with 5G applications and network models; (2) a novel near-source
detection scheme for DDoS defense in the IoT eMBB slice and two physical-signal-driven verification
schemes for V2X (i.e., IoT uRLLC). In addition to our comprehensive survey of
state-of-the-art attacks against network availability and data authenticity and of countermeasure
approaches, our findings on related security issues provide useful suggestions
for future work.
Keywords – Internet of Things Security, 5G/B5G Security, Distributed Denial-of-service
defense, Misbehavior Detection in 5G V2X
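The first approach described above, the edge detectors building a per-address request distribution over an interval and the edge fusing its own verdict with the cloud's, can be made concrete with a small simulation. The following is an added illustration and not the dissertation's code; the window length, the limits, the trust weights and the traffic sample are constructed assumptions. It shows why the collaboration matters: four attackers that each stay below the per-edge limit at every edge are only exposed once the cloud sums their counts per target, while a single high-rate source is blocked by the edge on its own.

```python
"""Collaborative near-source detection over an observation window.

Added illustration of the approach sketched in the abstract; it is not the
dissertation's code.  Each edge detector (M-TrioSys) builds the distribution of
requests per target address over the window, the cloud detector (C-TrioSys)
aggregates the edges' counts, and the edge fuses both verdicts before it
installs filter rules near the source.  Window length, thresholds, trust weights
and the traffic sample are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    t: float    # seconds since the start of the observation window
    edge: str   # MEC site (edge detector) that observed the request
    src: str    # source node identifier
    dst: str    # target address


WINDOW = 10.0        # observation interval, seconds (assumed)
LOCAL_LIMIT = 40     # requests per (src, dst) per window that one edge alone calls abusive (assumed)
GLOBAL_LIMIT = 150   # requests per dst per window, summed over all edges, that the cloud calls overload (assumed)
TRUST = {"edge": 0.5, "cloud": 0.5}   # weight of each engine's verdict in the fusion (assumed)
BLOCK_AT = 0.5       # fused score at which the edge installs a filter rule (assumed)


def edge_distribution(requests, edge):
    """One edge's view of the window: dst -> {src: request count}."""
    dist = defaultdict(lambda: defaultdict(int))
    for r in requests:
        if r.edge == edge and 0.0 <= r.t < WINDOW:
            dist[r.dst][r.src] += 1
    return dist


def edge_verdicts(dist):
    """Local verdict in [0, 1] per (src, dst) from this edge's own counts."""
    return {(src, dst): min(1.0, n / LOCAL_LIMIT)
            for dst, by_src in dist.items() for src, n in by_src.items()}


def cloud_verdicts(edge_dists):
    """Global verdict: sum the edges' counts per dst.  Only for a dst whose
    total reaches GLOBAL_LIMIT are its sources scored, each by its count
    summed over every edge, so a source spread thinly across edges shows up."""
    per_dst, per_pair = defaultdict(int), defaultdict(int)
    for dist in edge_dists.values():
        for dst, by_src in dist.items():
            for src, n in by_src.items():
                per_dst[dst] += n
                per_pair[(src, dst)] += n
    return {(src, dst): (min(1.0, n / LOCAL_LIMIT) if per_dst[dst] >= GLOBAL_LIMIT else 0.0)
            for (src, dst), n in per_pair.items()}


def fuse(local, global_):
    """Trust-weighted fusion of the local and global verdicts at one edge."""
    return {key: TRUST["edge"] * local.get(key, 0.0) + TRUST["cloud"] * global_.get(key, 0.0)
            for key in set(local) | set(global_)}


def filter_rules(requests, edge):
    """(src, dst) pairs the edge blocks: without the cloud verdict, and with it."""
    dists = {e: edge_distribution(requests, e) for e in {r.edge for r in requests}}
    local = edge_verdicts(dists[edge])
    alone = {k for k, s in fuse(local, {}).items() if s >= BLOCK_AT}
    collaborative = {k for k, s in fuse(local, cloud_verdicts(dists)).items() if s >= BLOCK_AT}
    return alone, collaborative


def sample_traffic():
    """Constructed window seen by two edges (not measured data)."""
    reqs = []
    # benign clients: five sparse requests each, one of them to the attacked address
    for i, (edge, dst) in enumerate([("e1", "svc"), ("e2", "svc"), ("e1", "victim")]):
        reqs += [Request(float(k), edge, f"b{i}", dst) for k in range(5)]
    # distributed low-rate attackers a0..a3: 20 requests per edge each, below LOCAL_LIMIT at either edge
    for i in range(4):
        for edge in ("e1", "e2"):
            reqs += [Request(0.5 * k, edge, f"a{i}", "victim") for k in range(20)]
    # one high-rate attacker that a single edge can flag on its own
    reqs += [Request(0.1 * k, "e1", "a4", "victim2") for k in range(60)]
    return reqs


if __name__ == "__main__":
    alone, collaborative = filter_rules(sample_traffic(), "e1")
    print("edge e1 alone blocks:", sorted(alone))
    print("edge e1 after fusion blocks:", sorted(collaborative))
```

Running it for edge e1 shows the edge alone blocking only the high-rate source a4, and the fused verdict additionally blocking a0..a3, whose 20 requests per edge were individually unremarkable. The benign client b2, which also talks to the attacked address, keeps a low score because the cloud attributes the overload per source rather than per destination.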
Overview of publications
The following articles, accepted or under review, contain results that are included in
or were achieved during this dissertation:
Journal Papers
1. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, “Multi-array relative
positioning for verifying the truthfulness of V2X messages,” IEEE Communications
Letters, vol. 23, no. 10, pp. 1704-1707, Oct. 2019.
2. Van-Linh Nguyen, Po-Ching Lin, and Ren-Hung Hwang, “Energy depletion attacks
in Low Power Wireless networks,” IEEE Access, vol. 7, Apr. 2019.
3. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, “MECPASS: Distributed
Denial of Service Defense Architecture for Mobile Networks,” IEEE Network, vol. 32,
no. 1, pp. 118-124, Jan.-Feb. 2018.
4. Van-Linh Nguyen, Po-Ching Lin, and Ren-Hung Hwang, “Web Attacks: beating
monetisation attempts,” Network Security (Elsevier), no. 5, pp. 1-20, May
2019.
5. Ren-Hung Hwang, Min-Chun Peng, Van-Linh Nguyen, and Yu-Lun Chang, “An
LSTM-Based Deep Learning Approach for Classifying Malicious Traffic at the Packet
Level,” Applied Sciences, vol. 9, no. 16, pp. 3414-3428, Aug. 2019.
6. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, “Enhancing misbehavior
detection in 5G Vehicle-to-Vehicle communications,” submitted to IEEE Transactions
on Vehicular Technology (major revision).
7. Ren-Hung Hwang, Min-Chun Peng, Chien-Wei Huang, Po-Ching Lin and
Van-Linh Nguyen, “PartPack: An unsupervised deep learning model for early
anomaly detection in network traffic,” submitted in Aug. 2019 to IEEE Transactions
on Emerging Topics in Computational Intelligence.
Conference Papers
1. Ren-Hung Hwang, Van-Linh Nguyen, and Po-Ching Lin, “StateFit: A security
framework for SDN programmable data plane model,” The 15th International
Symposium on Pervasive Systems, Algorithms and Networks (ISPAN), Yichang,
China, Oct. 2018.
2. Po-Ching Lin, Ping-Chung Li, and Van-Linh Nguyen, “Inferring OpenFlow rules by
active probing in software-defined networks,” The 19th International Conference on
Advanced Communications Technology (ICACT), PyeongChang, South Korea, Jan.
2017.
3. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, “Physical signal-driven
fusion for V2X misbehavior detection,” IEEE Vehicular Networking Conference, Los
Angeles, USA, 2019.
Projects I have contributed to
1. Po-Ching Lin and Van-Linh Nguyen, “Security protection system for V2X in 5G
networks,” a three-year MOST-funded project, 2019/08/01 - 2022/07/31.
Contents
Acknowledgements i
Abstract ii
List of Figures ix
List of Tables xii
Acronyms xiii
1 Introduction 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 The featured security attacks on IoT . . . . . . . . . . . . . . . . . . . . 3
1.3 The collaborative security defense approach . . . . . . . . . . . . . . . . 5
1.4 Problem statement, challenges and our research position . . . . . . . . . 6
1.5 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.6 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.7 Structure of the Dissertation . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2 Background 13
2.1 Internet of Things and existing security issues: A glance . . . . . . . . . 13
2.2 Enabling technologies promoting the changes to IoT security research . . 16
2.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3 TrioSys: A collaborative security attack detection system for IoT 25
3.1 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 Assumption and Adversary model . . . . . . . . . . . . . . . . . . . . . . 27
3.2.1 Assumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.2.2 Adversary model . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.3 Generic architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.4 System description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.5 Detection and filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.6 Data sharing and update management . . . . . . . . . . . . . . . . . . . 37
3.7 Data fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4 TrioSys implementation for enhanced mobile broadband networks 41
4.1 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.1.1 Overview of DDoS attacks . . . . . . . . . . . . . . . . . . . . . . . 41
4.1.2 State-of-the-art DDoS defense . . . . . . . . . . . . . . . . . . . . 44
4.2 TrioSys for filtering DDoS attacks . . . . . . . . . . . . . . . . . . . . . . 47
4.2.1 Local detectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
4.2.2 The central detectors . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.3 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.3.1 Simulated traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.3.2 Performance evaluation . . . . . . . . . . . . . . . . . . . . . . . . 57
4.4 System core and filtering rule updates . . . . . . . . . . . . . . . . . . . . . 61
4.4.1 Proposal model for updating security rules . . . . . . . . . . . . . 62
4.4.2 Performance evaluation . . . . . . . . . . . . . . . . . . . . . . . . 66
4.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
5 TrioSys implementation for ultra reliable low latency networks 71
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
5.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.3 Assumption and Attack model . . . . . . . . . . . . . . . . . . . . . . . . 76
5.3.1 Vehicle configuration & source information . . . . . . . . . . . . . 77
5.3.2 Assumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
5.3.3 Attack model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
5.4 System model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.5 TrioSys for detecting location forgery attacks . . . . . . . . . . . . . . . . 84
5.5.1 Verifying the truthfulness of V2X messages . . . . . . . . . . . . . 84
5.5.2 Calibration methods to improve the detection precision . . . . . . 90
5.5.3 Vehicle maneuver prediction for misbehavior detection . . . . . . 94
5.5.4 Assistive signal-based verification . . . . . . . . . . . . . . . . . . . 101
5.6 Evaluation results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.6.1 Overall performance . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.6.2 System parameter influence . . . . . . . . . . . . . . . . . . . . . 107
5.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6 Conclusion & future work 119
6.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.2 Research discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
6.3 Challenges and Future work . . . . . . . . . . . . . . . . . . . . . . . . . 124
Appendices 129
Illustration of 5G Authentication and 5G beamforming analysis 131
References 131
Author information 145
List of Figures
1.2.1 The overview of IoT attack types. Motivated mostly by practical
attacks, and without loss of generality, we address two typical types of
attacks in this work: (1) DDoS attacks in cellular networks; (2) false data
dissemination attacks in V2X . . . 4
1.4.1 The general network model and the security attacks. From the
communication perspective, this model also reveals a common scheme:
IoT devices are supposed to connect to the Internet through a cellular
infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.1 IoT conceptual architecture and layer classification by coverage and
relevant business sectors. Low-power wireless networks support connectivity
for massive numbers of constrained IoT devices, with a communication range of 10-
50 km and latency > 1 s at best. IoT uRLLC offers connectivity to
high-end applications such as V2X or remote surgery that often require a
very low latency (< 1 s). . . . 14
2.1.2 A glance of IoT devices. The IoT devices can be categorized into two types:
the constrained or unconstrained ones. The constraints may refer to energy,
computation and cost. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.1.3 The relationship between low-power personal area networks (LPAN)/low-power
wide area networks (LPWAN) and IP-based protocol stacks (Internet
domain). Most protocols in both domains are adapted to satisfy the energy
consumption requirements and the simplicity of LPW devices. . . . 17
2.2.1 The architecture of the 5G network and the position of our proposal (bold/red
text). Our system is primarily located at the MEC (5G LA/DN). . . . 18
2.2.2 The abstract of the multi-access edge computing system [23] and the position
of our proposal (bold/red color). Our system is accommodated in MEC VNFs. . . . 19
2.2.3 The abstract of SECaaS-based security architecture with the support of
SDN and the programmable model. We structure major detection and
filtering engines as configurable components embedded into programmable
facilities such as switches/MEC-based servers. . . . . . . . . . . . . . . . 22
3.2.1 The position of the attacks in the structure of three layers (Things/Devices,
Edge and Cloud). Most of the broadcast false data come from the
Things/Devices layer or the physical/MAC layer, while spoofing and volume
attacks such as DoS/DDoS target the network layer or the application layer. . . . 29
3.3.1 Structure of the TrioSys system, in which D-TrioSys means the detector
is embedded in the device; M-TrioSys denotes the detector deployed at
MEC-based servers; C-TrioSys is the detector located at the cloud center.
In practice, the core and the cloud can belong to one layer, e.g., a regional data
center. . . . 31
3.4.1 Illustration of the collaboration in the connection of TrioSys instances.
M-TrioSys and C-TrioSys for different applications can be located on the
same server but support a chain of different detection engines, according to
the traffic classification in the slices. . . . . . . . . . . . . . . . . . . . . . 34
4.1.1 Illustration of DDoS attacks that aim to exceed the network bandwidth
of the perimeter networks near the remote server (victim). . . . 42
4.1.2 Classification of the DDoS defense mechanisms based on their deployment
location. The closer the defense is to the target, the more accurately it
can detect the attack traffic, but the less it satisfies the ultimate
goal of DDoS defense. . . . 46
4.1.3 The conceptual MEC architecture, in which MEC servers collect the raw
data streams from registered IoT and mobile devices and classify them into
different groups on the basis of the data type. . . . 48
4.2.1 The architecture of the MECPASS DDoS defense system, where the local nodes
are M-TrioSys detectors and the central nodes are C-TrioSys. The anti-spoofing and
anti-DDoS engines are sequentially grouped into a chain of detection
engines. . . . 49
4.2.2 The illustration of the anti-spoofing mechanism, in which the TEID value
must be the same in both the GTP-C packets and the GTP-U packets. . 50
4.2.3 The illustration of the ON/OFF model. An ON cycle means packet transmission
exists for an interval of time (Ton), after which the element is idle for another
time interval (Toff); this alternation of communication and idleness repeats
over time (per Tobservation). . . . 51
4.2.4 The central nodes handle the handover process, where they fuse the data
aggregated from the local nodes for further analysis. . . . 55
4.3.1 The simulated traffic with three scenarios: (1) UDP spoofing packets; (2)
high-rate (TCP sent bytes > 100 kB per 10 s) and low-rate (TCP sent
bytes ∼ 30 kB per 10 s) attack traffic; (3) benign traffic (using the ON-OFF model). . . . 57
4.3.2 The evaluation results of the system in various attack cases. . . . . . . . 59
4.4.1 The proposed architecture for updating the DDoS detection engines, namely
StateFit, and the work flow of the system. . . . . . . . . . . . . . . . . . 63
4.4.2 The system log of the testing workflow. . . . . . . . . . . . . . . . . . . . 68
4.4.3 Latency of consistent updates in ONOS 1.11 [84]. . . . . . . . . . . . . . 69
5.1.1 Flow chart of the verification model, in which we verify only the authorized
messages signed by legitimate identities, to reduce the computation
overhead of validating unnecessary messages. . . . 73
5.3.1 The illustration of the attack cases and their consequences in V2V
communications. Two attackers (Tx1, Tx2) and many benign vehicles are
on two roads (Road 1, Road 2). An attacker (Tx1) broadcasts BSM/CAM
to claim it is braking (marker 1) or suddenly stops (marker 4), but in fact
it is stopped at the side of LANE 2 of Road 1. Another attacker (Tx2) on Road 2
broadcasts that it is moving toward the street junction at high speed (90 km/h),
but it is actually stopped at the roadside. . . . 80
5.4.1 Geometric model of 2D multi-array antenna configuration and the
illustration of a false location claim (the spot at the right side) of the
attacker. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5.5.1 Performance results of the proposal in various conditions: a) selection of α
b) distance between Tx-Rx (α = 5) c) noise variance d) number of vehicles
under verification (exchange data with the Rx). . . . . . . . . . . . . . . 88
5.5.2 The abstract architecture of the TrioSys-based misbehavior detection
system: (1) Path prediction on vehicle (leader); (2) Platoon control plan
on MEC-based system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.5.3 Illustration of the vehicle movement behaviors: the vehicle is supposed to
keep a constant velocity on the straight road segment (first segment), turn at
the bend and change speed (second segment), and then accelerate after
moving into the straight area (third segment). In practice, depending on
the road condition, the motion model of the vehicle may vary. By applying
the motion model in our prediction, we can estimate the next location of
the vehicle (state k) from the state of the previous step, k − 1 (as in the
coordinate illustration at the top left of the figure). . . . 97
5.5.4 Illustration of the threat zone in front of the Rx. Depending on the Tx’s
location, the priority of the system can be at three levels: Emergency,
PotentialThreat, InNotice. . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.6.1 Performance of this work in various conditions: a) ROC curve of false data
detection b) Accuracy of the system with variances of the distance between
Tx-Rx. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.6.2 Performance of the system for different threshold values of α (a) and motion
model probabilities (b) for the prediction according to the road shape (as
illustrated in Fig. 5.5.3). . . . 108
5.6.3 The estimation performance with two motion model selections (CV and
IMM) in the prediction compared to the threshold to report the attack.
The combination of UKF and IMM gives higher accuracy than that of UKF
and CV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.6.4 A comparison of the average error of UKF and EKF with the
position/velocity/acceleration estimation. . . . . . . . . . . . . . . . . . . 110
5.6.5 Performance of this work in various conditions: a) Accuracy of the system
in various cases of fading interference (Rician factor κ = 10 and κ = 100) b)
Detection delay for multiple-vehicle verification, where the system can track
hundreds of vehicles (although this is not common) with a low latency, e.g.,
200 ms. . . . 112
5.6.6 A comparison of the performance of multi-array localization-based
verification (MLV) [98] and our trajectory-based verification (TRV). . . . 115
5.6.7 A comparison of the performance of multi-array localization-based
verification (MLV) [98] and our trajectory-based verification (TRV) in
the case of receiving multiple vehicles. . . . . . . . . . . . . . . . . . . . 116
A.1 The same uplink TEID used in the control data and in the uplink packets in
the initial stage of 5G authentication reinforces our theory for verifying the
spoofing sources in 5G networks. . . . 131
A.2 Channel beamspace in 5G in the presence of multipath interference. . . . 132
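The anti-spoofing rule named in the captions of Fig. 4.2.2 and Fig. A.1, that the TEID carried by user-plane (GTP-U) packets must match the TEID established by the control plane (GTP-C), can be checked at the edge with a short header parser. The following is an added illustration, not the dissertation's code: the GTP-C side is abstracted as session records (what a completed Create Session exchange would leave behind) rather than parsed from signalling, the additional check that the tunnelled packet's inner IPv4 source matches the UE address bound to that session is an extension of the stated rule, and every frame is constructed, not captured.

```python
"""TEID-consistency check for uplink GTP-U traffic at an edge detector.

Added illustration of the rule stated for Fig. 4.2.2 and Fig. A.1, not the
dissertation's code: a user-plane (GTP-U) packet is accepted only if its TEID
was assigned by the control plane (GTP-C) for an established session.  The
GTP-C side is abstracted as session records (what a completed Create Session
exchange yields); binding the inner IPv4 source to the session's UE address is
an extension of the rule.  All frames below are constructed, not captured.
"""
import struct
from dataclasses import dataclass

GTPU_G_PDU = 0xFF   # GTP-U message type that carries a user packet


@dataclass(frozen=True)
class Session:
    uplink_teid: int   # TEID the uplink user plane must carry, assigned in GTP-C
    ue_ip: str         # UE address bound to the session (expected inner IPv4 source)


def parse_gtpu(frame):
    """Parse a GTPv1-U header: (message type, TEID, payload), or None if malformed."""
    if len(frame) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10:   # version 1 and PT=1 (GTP, not GTP')
        return None
    hdr = 8 + (4 if flags & 0x07 else 0)      # E, S or PN flag adds a 4-byte optional field
    if length < hdr - 8 or len(frame) < 8 + length:
        return None
    return msg_type, teid, frame[hdr:8 + length]


def inner_ipv4_src(payload):
    """Source address of the tunnelled IPv4 packet, or None if it is not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return ".".join(str(b) for b in payload[12:16])


def check_uplink(frame, sessions):
    """Decide (accept, reason) for one uplink frame against the GTP-C session table."""
    parsed = parse_gtpu(frame)
    if parsed is None:
        return False, "malformed"
    msg_type, teid, payload = parsed
    if msg_type != GTPU_G_PDU:
        return True, "signalling"          # echo request/response etc. go to the GTP-U stack
    session = sessions.get(teid)
    if session is None:
        return False, "unknown TEID"       # no GTP-C session established this tunnel
    if inner_ipv4_src(payload) != session.ue_ip:
        return False, "inner source not bound to TEID"
    return True, "ok"


def gtpu_frame(teid, inner_src, inner_dst="203.0.113.10", flags=0x30):
    """Build a constructed G-PDU: GTPv1-U header plus a minimal IPv4 header (protocol UDP, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes(map(int, inner_src.split("."))), bytes(map(int, inner_dst.split("."))))
    return struct.pack("!BBHI", flags, GTPU_G_PDU, len(ip), teid) + ip


# constructed session table, as a Create Session exchange for UE 10.0.0.5 would leave it
SESSIONS = {0x1234: Session(uplink_teid=0x1234, ue_ip="10.0.0.5")}

if __name__ == "__main__":
    for label, frame in [("legit", gtpu_frame(0x1234, "10.0.0.5")),
                         ("spoofed TEID", gtpu_frame(0x9999, "10.0.0.5")),
                         ("spoofed inner source", gtpu_frame(0x1234, "10.0.0.6")),
                         ("truncated", b"\x30\xff")]:
        print(label, check_uplink(frame, SESSIONS))
```

The parser honours the GTPv1-U length field (which counts the bytes after the fixed 8-byte header, optional fields included) so that a truncated or inconsistent header is rejected before any lookup, and the session table is keyed by TEID so the check is a single dictionary lookup per packet, which is what makes it cheap enough to run near the source.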