Stepping out of the MUD: Contextual threat information for IoT devices with manufacturer-provided behavior profiles

Zangrandi, Luca Morgese; Ede, Thijs van; Booij, Tim M.; Sciancalepore, Savio; Allodi, Luca; Continella, Andrea

doi:10.1145/3564625.3564644

Cited by 7 publications

(5 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this section, we show how to enable shared experimentation through the FedLab. Specifically, we rely on MUDscope, an IoT network intrusion detection approach [18]. MUDscope first captures anomalous traffic affecting an IoT device in a network environment by leveraging the device's Manufacturer Usage Description (MUD) profile-a manufacturer-provided networking whitelist defined according to the MUD IETF specification [19].…”

Section: B Enabling Shared Experimentation Through the Fedlabmentioning

confidence: 99%

“…In each experiment, we recorded the local traffic received by the IoT devices at both locations through the default sniff Bundle Box functionality. Then, the recorded traces were processed with MUDscope from [18]. As shown in Fig.…”

Section: B Enabling Shared Experimentation Through the Fedlabmentioning

confidence: 99%

“…Figure 8. of the results from[18], showing the signature fluctuations over one of the metrics used to detect network anomalies, namely, (clusters_balance), for two attacked devices (blue and orange lines) and two non-attacked devices (green and red lines). The matrices below the figures show the respective correlation values.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Federated Lab (FedLab): An Open-source Distributed Platform for Internet of Things (IoT) Research and Experimentation

Meijer,

Petrucci,

Schotsman

et al. 2022

2022 IEEE 8th World Forum on Internet of Things (WF-IoT)

View full text Add to dashboard Cite

This paper introduces the Federated Lab (in short, FedLab), a virtual platform enabling shared research and experimentation on Internet of Things (IoT) devices, protocols, and functionalities in a network of geographically-distributed peers. In a nutshell, the FedLab allows multiple peers to share heterogeneous IoT hardware (devices) and software functionalities (capabilities) with a set of authenticated partners, easing the design of geographically-distributed experiments and providing a platform that enables joint research. The FedLab is conceived with ease of deployment and use in mind, focuses on compatibilityby-design, and it is easily deployable on multiple host operating systems as a plug-and-play tool. Besides motivating the design of the FedLab and its requirements, the paper also provides two use cases of the FedLab for the IoT Security research domain, demonstrating the potential of the FedLab to enable actual joint research. Finally, we release the source code of the components of the FedLab as open-source, to foster its independent adoption, deployment, and extension by the research community.

show abstract

Section: B Enabling Shared Experimentation Through the Fedlabmentioning

confidence: 99%

Section: B Enabling Shared Experimentation Through the Fedlabmentioning

confidence: 99%

See 1 more Smart Citation

Federated Lab (FedLab): An Open-source Distributed Platform for Internet of Things (IoT) Research and Experimentation

Meijer,

Petrucci,

Schotsman

et al. 2022

2022 IEEE 8th World Forum on Internet of Things (WF-IoT)

View full text Add to dashboard Cite

show abstract

“…Our IoC detection is based on regular expressions for various IoCs. Unfortunately, to the best of our knowledge, no ground-truth dataset of IoCs occurring in natural text exists apart from the reports that we labeled manually 10 . Hence, to evaluate the performance of our regular expressions and compare them with Chain-Smith, we use the 50 reports from the ChainSmith dataset for which we manually extracted all IoC examples as ground truth.…”

Section: Tokenizationmentioning

confidence: 99%

“…Similar to sequencing events, we performed a 10-fold search for the hidden dimension of the Context Builder, and evaluated whether the threshold for a correctly predicted event reached at least 0.2. Here, we searched powers of 2, 2 1 , 2 2 , 2 3 , ...2 10 and found an optimal value for 2 7 = 128. The same search over the 𝛿 values of 0.0 to 1.0 with steps of 0.1 yielded an optimal value of 0.1.…”

Section: The Context Buildermentioning

confidence: 99%

Comprehending security events: context-based identification and explanation

van Ede

View full text Add to dashboard Cite

With the increased sophistication of cyber attacks, organizations are under constant threat of data breaches, disruption of business processes and reputation loss. As preventive measures are not infallible, organizations have started to more closely monitor their devices and network infrastructure for malicious activity. By swift detection of an attack at an early stage, organizations can take mitigating actions limiting the impact to their organization. This detection can be done internally or is outsourced to a Security Operations Center (SOC). The SOC deploys automated detectors that monitor devices and network traffic for suspicious events, which are subsequently sent to the SOC. Here, security operators manually analyze these events, verify whether they constitute an attack and, if required, take action.Analyzing security events is not straightforward and requires highly skilled operators. We identified three major challenges that operators face during analysis:

show abstract