Clear as MUD

Hamza, Ayyoob; Ranathunga, Dinesha; Gharakheili, Hassan Habibi; Roughan, Matthew; Sivaraman, Vijay

doi:10.1145/3229565.3229566

Cited by 83 publications

(12 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Digital evidence, similar to physical evidence, seized at a crime scene or following a security incident, is relevant during digital forensic investigations [67]. The majority of the primary studies have researched a subset of an IR process, predominantly focusing on the "detection and analysis" phase (Figure 10) of an incident utilising different approaches including profile detection, behavioural anomaly, system monitoring or audit analysis [47,48,65,99,100,103,104,108,120,123,124,127]. Whilst incidents' detection is a reactive activity by nature, it is a key enabler for subsequent digital forensic processes, which cannot occur without detection and identification of an incident.…”

Section: Discussionmentioning

confidence: 99%

Cyber Resilience and Incident Response in Smart Cities: A Systematic Literature Review

et al. 2020

View full text Add to dashboard Cite

The world is experiencing a rapid growth of smart cities accelerated by Industry 4.0, including the Internet of Things (IoT), and enhanced by the application of emerging innovative technologies which in turn create highly fragile and complex cyber–physical–natural ecosystems. This paper systematically identifies peer-reviewed literature and explicitly investigates empirical primary studies that address cyber resilience and digital forensic incident response (DFIR) aspects of cyber–physical systems (CPSs) in smart cities. Our findings show that CPSs addressing cyber resilience and support for modern DFIR are a recent paradigm. Most of the primary studies are focused on a subset of the incident response process, the “detection and analysis” phase whilst attempts to address other parts of the DFIR process remain limited. Further analysis shows that research focused on smart healthcare and smart citizen were addressed only by a small number of primary studies. Additionally, our findings identify a lack of available real CPS-generated datasets limiting the experiments to mostly testbed type environments or in some cases authors relied on simulation software. Therefore, contributing this systematic literature review (SLR), we used a search protocol providing an evidence-based summary of the key themes and main focus domains investigating cyber resilience and DFIR addressed by CPS frameworks and systems. This SLR also provides scientific evidence of the gaps in the literature for possible future directions for research within the CPS cybersecurity realm. In total, 600 papers were surveyed from which 52 primary studies were included and analysed.

show abstract

Section: Discussionmentioning

confidence: 99%

Cyber Resilience and Incident Response in Smart Cities: A Systematic Literature Review

et al. 2020

View full text Add to dashboard Cite

show abstract

“…IoT device manufacturers have not yet provided MUD profiles for their devices. But, we released the MUD profiles (automatically generated from packet traces) for 28 consumer IoT devices [30] -in this paper, we use a subset of those profiles corresponding to devices that we experiment with.…”

Section: Mud Profilementioning

confidence: 99%

Detecting Volumetric Attacks on loT Devices via SDN-Based Monitoring of MUD Activity

Hamza

Gharakheili

Benson

et al. 2019

Proceedings of the 2019 ACM Symposium on SDN Research

Self Cite

148

View full text Add to dashboard Cite

Smart homes, enterprises, and cities equipped with IoT devices are increasingly becoming target of an escalating number of sophisticated new cyber-attacks. Anomaly-based detection methods are promising in finding new attacks, but there are certain practical challenges like false-positive alarms, hard to explain, and difficult to scale cost-effectively. The IETF recent standard called Manufacturer Usage Description (MUD) seems promising to limit the attack surface on IoT devices by formally specifying their intended network behavior (whitelisting). In this paper, we use SDN to enforce and monitor the expected behaviors (compliant with MUD profile) of each IoT device, and train one-class classifier models to detect volumetric attacks such as DoS, reflective TCP/UDP/ICMP flooding, and ARP spoofing on IoT devices.Our first contribution develops a multi-level inferencing model to dynamically detect anomalous patterns in network activity of MUDcompliant traffic flows via SDN telemetry, followed by packet inspection of anomalous flows. This provides enhanced fine-grained visibility into distributed and direct attacks, allowing us to precisely isolate volumetric attacks with microflow (5-tuple) resolution. For our second contribution, we collect traffic traces (benign and a variety of volumetric attacks) from network behavior of IoT devices in our lab, generate labeled datasets, and make them available to the public. Our third contribution prototypes a full working system (modules are released as open-source), demonstrates its efficacy in detecting volumetric attacks on several consumer IoT devices with high accuracy while maintaining low false positives, and provides insights into cost and performance of our system. Our last contribution demonstrates how our models scale in environments with a large number of connected IoTs (with datasets collected from a network of IP cameras in our university campus) by considering various training strategies (per device unit versus per device type), and balancing the accuracy of prediction against the cost of models in terms of size and training time.

show abstract

“…Several approaches to automated MUD file generation 544 currently exist. These include one devised by a researcher at the University of Twente [8], and an open-source tool created by the University of New South Wales (UNSW) called MUDgee [9]. The MUDgee tool takes a single network traffic capture file and generates a MUD file based on the observed network behavior.…”

Section: Mud-pdmentioning

confidence: 99%

Methodology for Characterizing Network Behavior of Internet of Things Devices

Watrobski¹,

Klosterman²,

Barker³

et al. 2020

Preprint

View full text Add to dashboard Cite

This white paper describes an approach to determining and documenting the device types and communication behaviors of Internet of Things (IoT) devices connected to a network. From this identification and documentation, files based on the Manufacturer Usage Description (MUD) specification can be created and used by manufacturers and network administrators to manage access to and from those devices. The paper also describes the current state of implementation of the approach and proposals for future development.

show abstract

Clear as MUD

Cited by 83 publications

References 9 publications

Cyber Resilience and Incident Response in Smart Cities: A Systematic Literature Review

Cyber Resilience and Incident Response in Smart Cities: A Systematic Literature Review

Detecting Volumetric Attacks on loT Devices via SDN-Based Monitoring of MUD Activity

Methodology for Characterizing Network Behavior of Internet of Things Devices

Contact Info

Product

Resources

About