A Methodology to Design Intrusion Detection Systems (IDS) for IoT/Networking Protocols

Abstract

Over the last few decades, the Internet has grown from a network that connected two research Universities to a juggernaut that encompasses the whole world with over 4.1 billion users as of July 2018, with a growth rate of 1052% from 2000-2018 [47]. Modern internet supports a wide variety of features and services like cloud computing and storage, social networking, content services, blogs and social interactions, Online banking and shopping, etc. Alongside the development of the internet, technologies relating to sensors [1,2,3,4], wireless communications [5,6,7], and mobile computing have seen an unprecedented growth [8,9,10], which has contributed to the development of a new paradigm: Internet of Things (IoT). The core concept of IoT involves forming connected devices that can be accessed ubiquitously from anywhere. These IoT devices have sensors and some processing and programming capabilities to support smart or Intelligent operations. Smart devices include wearables like smart watches, shoes, glasses, smart phones, smart refrigerators, smart cars, etc. This fast-paced growth of the internet and IoT infrastructures and services has introduce a challenging security problem due to the exponential growth in vulnerabilities and potential exploitations by cyber attackers. There is a dire need for an effective means to secure the cyber space against any type of threats that are known or unknown. This research presents a methodology to design Anomaly Behavior based Intrusion Detection Systems (AB-IDS) to secure networking and IoT protocols. An AB-IDS has a complete understanding of the semantics of the normal behavior of its target system, consequently allowing it to detect any malicious attacks on the system that forces it to operate abnormally. This approach of monitoring and accurately characterizing the normal behavior instead of looking for specific attack signatures (as done by signature-based IDS’ [15]) allows the AB-IDS to detect new and modified attacks. Since each protocol has its own specification, it is hard to develop one AB-IDS that is able to secure all the protocols. Instead, we adopt a more granular approach that involves developing multiple micro AB-IDS’ where each one is specialized in detecting anomalous behavior in its protocol, and the results from each of these micro AB-IDS’ are aggregated to present a wholistic picture of the current operational state of the complete system. Designing of these micro intrusion detection systems is a time-consuming task that requires an in depth understanding of the protocols. To aid this research approach, in this dissertation we develop a methodology to design the micro AB-IDS’ using machine learning models. The approach methodology involves following steps: 1. Threat modelling analysis; 2. Feature selection and protocol foot printing to characterize the behavior of the protocol; and 3. Use the protocol foot printing data structures to develop machine learning models that characterize accurately the normal behavior of the protocol to be protected by the micro AB-IDS. The threat modelling provides a formal approach to model the behavior of the protocol, identify potential attack vectors that target the protocols and develop mechanisms to protect protocol operations against these attack vectors. The feature selection step involves selection of correct features that helps characterize the behavior of the protocol. This step also involves designing and using different innovative data structures that help capture/represent the behavior of the protocol. In our research we concluded that Observation flows (OF) and n-grams are powerful data structures that can be used to characterize the behavior of the protocols. The last step involves developing machine learning models using the features obtained in Step 2 to differentiate the normal behavior of the machine learning model from the abnormal. We have evaluated our approach by designing micro intrusion detect systems to detect attacks on the Wi-Fi protocol, the DNS protocol and the HTML protocol. The experimental results show that the IDS’ designed using this approach have a very high accuracy with very low false positives and false negatives for new and modified attacks.