Stepping out of the MUD: Contextual threat information for IoT devices with manufacturer-provided behavior profiles

conference paper
Besides coming with unprecedented benefits, the Internet of Things
(IoT) suffers deficits in security measures, leading to attacks increasing
every year. In particular, network environments such as smart
homes lack managed security capabilities to detect IoT-related attacks;
IoT devices hosted therein are thus more easily targeted by
threats. As such, context awareness of IoT infections is hard to
achieve, preventing prompt response. In this work, we propose
MUDscope, an approach to monitor malicious network activities
affecting IoT systems in real-world consumer environments. We
leverage the recent Manufacturer Usage Description (MUD) specification,
which defines networking allow-lists for IoT devices in
MUD profiles, to reflect consistent and necessarily-anomalous activities
from smart things. Our approach characterizes this traffic
and extracts signatures for given attacks. By analyzing attack signatures
for multiple devices, we gather insights into emerging attack
patterns. We evaluate our approach on both an existing dataset and
a new, openly available dataset created for this research. We show
that MUDscope detects several attacks targeting IoT devices with
an F1-score of 95.77% and correctly identifies signatures for specific
attacks with an F1-score of 87.72%.
TNO Identifier
985275
Source title
ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference
Files
To receive the publication files, please send an e-mail request to TNO Repository.