an automata based intrusion detection method for internet of ...as “instance cameras,”...

Research ArticleAn Automata Based Intrusion Detection Method forInternet of Things

Yulong Fu1 Zheng Yan23 Jin Cao1 Ousmane Koneacute4 and Xuefei Cao1

1School of Cyber Engineering Xidian University Xian China2Aalto University Espoo Finland3The State Key Lab of ISN Xidian University Xian China4University of Pau and Academy of Bordeaux Mont-de-Marsan France

Correspondence should be addressed to Yulong Fu ylfuxidianeducn

Received 25 January 2017 Revised 12 March 2017 Accepted 28 March 2017 Published 2 May 2017

Academic Editor Jing Zhao

Copyright copy 2017 Yulong Fu et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Internet of Things (IoT) transforms network communication to Machine-to-Machine (M2M) basis and provides open access andnew services to citizens and companies It extends the border of Internet and will be developed as one part of the future 5Gnetworks However as the resources of IoTrsquos front devices are constrained many security mechanisms are hard to be implementedto protect the IoT networks Intrusion detection system (IDS) is an efficient technique that can be used to detect the attackerswhen cryptography is broken and it can be used to enforce the security of IoT networks In this article we analyzed the intrusiondetection requirements of IoT networks and then proposed a uniform intrusion detection method for the vast heterogeneous IoTnetworks based on an automata model The proposed method can detect and report the possible IoT attacks with three types jam-attack false-attack and reply-attack automatically We also design an experiment to verify the proposed IDS method and examinethe attack of RADIUS application

1 Introduction

Due to the rapidly advancing technologies of network com-munication the Internet is going to connect everythingfrom everywhere New concept of Internet of Things (IoT)appears and is associated with the future Internet of 5GIoT connects a large number of heterogeneous devices suchas ldquoinstance camerasrdquo ldquowireless sensor networkrdquo (WSN)ldquosmart metersrdquo and ldquovehiclesrdquo while providing open accessto a variety of data generated by such devices to providenew services to citizens and companies [1] However asthe resources of IoTrsquos front devices are constrained manysecurity mechanisms are hard to be implemented to protectthe IoT networks Some lightweight encryption methodsare considered as the core technology to build the securitymechanism of IoT [2] but considering the increments of thehackerrsquos computation ability (the usage of Cloud ComputingDistributed Computing Quantum computation etc) thoselightweight cryptography methods are going to be crushed in

the foreseeable future Other kinds of security enforcementmethods such as intrusion detection system should beconsidered to protect the IoT networks [3]

Intrusion detection system (IDS) is an efficient techniqueto detect attackers when cryptography is broken [4] It candetect malicious activities or policy violations by monitoringthe network traffics or system actives [5] IDS is normally astand-by device or third-part software which will not inquiremany changes to the current system It is suitable for theresource constrained or inherited systems to protect theirnetwork security

Many recent works have noticed the security problem ofIoT system and a number of intrusion detectionmethods areproposed and developed such as [4 6ndash10] However mostof the proposed methods are still limited to data mining andcan only give an intrusion view of WSN MANET Zigbeeor other subnets of IoT and a uniform intrusion detectionmethod for the whole IoT networks is rarely discussedMeanwhile as the network packets digging and statistic

HindawiMobile Information SystemsVolume 2017 Article ID 1750637 13 pageshttpsdoiorg10115520171750637

2 Mobile Information Systems

feature training usually require many computation resourcessuch methods are hard to be implemented in some cases ofIoT environments

In this article we present an automata based intrusiondetectionmethod for the networks of Internet ofThings Ourmethod uses an extension of Labelled Transition Systems topropose a uniform description of IoT systems and can detectthe intrusions of IoT networks The used automata modelcan describe the combination of heterogeneous networkswith terms and graphs and the proposed IDS structureand algorithm can detect the intrusions by comparing theabstracted actions flows which can solve the aforementionedproblems

Paper Contribution By using automata theory many com-plicated problems can be described and solved In thisarticle we use an extension of Input Output LabelledTransition System to solve the uniform description prob-lem of the heterogeneous IoT networks and proposea corresponding intrusion detection mechanism for IoTnetwork To achieve this purpose a set of proceduresincluding collected data grouping packet data transla-tion anomaly data detection and intrusion classificationare designed and proposed Comparing with the exist-ing methods the benefits of our work can be listed asbelow

(1) To our knowledge this is the first time of usingautomata theory to model and detect the intrusionsof IoT networks By using the proposed automatamethods we can map the IoT system to an abstractspace where a uniform security evaluation structurecan be built

(2) We defined and proposed a set of intrusion detectionmechanisms by using the proposed automatamethod

(3) We developed a GUI tools to automatically analyzeand graphically present the abstract action flows andto detect the possible intrusions

(4) We also analyzed and classified the detected intru-sions and three kinds of attacks including replay-attack jam-attack and fake-attack can be distin-guished in our method

The following sections are organized as below In Sec-tion 2 the background problem description and relatedworks of developing the IDS system over IoT are discussedIn Section 3 the entire approach of the automata basedintrusion detection method will be described In Section 4to illustrate the use of the proposed IDS methods wepresent an example of using the proposed method to ana-lyze a simplified IoT system and the results demonstratethe correctness of our method And finally in Section 5we conclude this work and discuss some possible futureworks

2 Background Problems and Related Works

21 Internet of Things and Its Security

211 Internet of Things IoT is the network of things withclear element identification embedded with software intel-ligence sensors and ubiquitous connectivity to the Internet[11] IoT enables things or objects to exchange informa-tion with the manufacturer operator and other connecteddevices utilizing the telecommunications infrastructure ofthe Internet It allows physical objects to be sensed (byproviding the specific information such as the RFID tags andQR code) and controlled remotely across the Internet IoTwill create opportunities for more direct integration betweenthe physical world and computer-based systems resultingin improved efficiency accuracy and economic benefit forexample monitoring and controlling things by experts suchas telemedicine and searching for things (keys passports)directly that search engines do not provide today

Normally three basic elements should be included by anIoT system the unique identity per thing (eg IP address)the ability to communicate between things (eg wirelesscommunications) and the ability to sense specific informa-tion about the things (sensors) [11]Therefore for an IP basedsystem the IoT gateway is a good solution to form the IoTnetworks The IEEE 80215 Task Group 4 has defined thepersonal area network (PAN) coordinator to take in chargeof the network domain The PAN allocates local addressesand acts as a gateway to other domains or networks [12]IEEE 802154 also defined two types of IoT devices the full-function device (FFD) which implements all of the functionsof the communication stack and allows it to communicatewith any other device in the network and the reduced-function devices (RFDs) which are meant to be extremelysimple devices with very modest resource and communica-tion capabilities Hence RFDs can only communicate withFFDs and can never act as PAN coordinators

212 IoT Security Attacks Considering the specific featuresof IoT networks we found that the following three kindsof attack scenarios likely happen in the real world and areimportant to be studied

(i) Attack Scenario 1 For a given IoT network such as the onepresented in Figure 1 an authorized user User1 may want tocontrol the specific device in the IoT The user needs to usethe IoT networks to find the right device and to communicatewith the device For some security reason the IoT device hasto verify the authentication of User1 During this processa cryptography method is normally needed to verify theauthentication and to protect against the malicious attacksHowever a malicious user User2 may be able to listen thecommunication between User1 and the corresponding IoTdevice User2 may fake himself as User1 and create a replay-attack to the IoT system To solve such problem the RFDmay ask FFD or PAN to help him to verify the authenticationof the user and record the passed IDs of the user A groupauthentication protocol and cryptography functions can helpRFD to protect itself from such kind of attack However

Mobile Information Systems 3

PANInternet User1 (Auth)

FFD

RFD

RFD

RFD FFD

RFD FFD

FFD RFD

User2 (Hacker)

Figure 1 Attack scenario 1

PAN Internet User1 (Auth)

FFD

RFD RFD RFD

RFD

RFD

FFD

FFD

FFD RFD-i


the FFD is also a resource constrained device and thecommunication delay and calculation consuming will be toomuch for him to hold

(ii) Attack Scenario 2 As most of the IoT networks arenot closed a malicious device may be able to presentits willingness to join the IoT networks For example inFigure 2 a powerful device RFD-119894 (such devices can listen thecommunication channel of IoT devices) which is controlledby an attacker may want to join the IoT network Suchpowerful device can detect the communication informationon the IoT networks and can execute many kinds of attackssuch asDoSDDoS to the corresponding FFDor PAN Simplyusing the cryptography methods on IoT device will be hardto defense this kind of attacks

(iii) Attack Scenario 3 Because the structure of IoT networksis dynamic some authorized IoT device may be captured bythe attacker The attacker then can modify some functionsor inject some virus and trojans to such device Then theattacker can put such compromised devices to rejoint theIoT networks (see Figure 3) Because the device will bestill recognized by the IoT system it will pass the securityverification of IoT networkThis kind of attack is also difficultto be protected through the cryptography methods

Aswe can see by simply using the cryptographymethodssome kinds of attack are hard to be detected in IoT networksAlthough the usage of some complex security protocols maybe able to achieve the security goals of IoT they are hard to beimplemented on the resource constrained IoT devices Otherways of defensing the security of the system such as the usageof intrusion detection system should be considered for IoTnetwork security

22 Intrusion Detection System The concept of intrusiondetection was first proposed by Anderson in the year of 1980[13] and is introduced to network system byHeberlein in 1990[14] After 2 decades of developing the researches on IDS arebecoming mature and have helped the industries to protecttheir system security for many years An IDS may be eitherhost or network-based [15] A host based IDS analyzes eventsmainly related toOS information while a network-based IDSanalyzes network related events such as traffic volume IPaddresses and service ports Meanwhile according to theway of detecting the intrusion two main categories of IDSare usually discussed misuse IDS and anomaly IDS Theformer uses the traces or templates of the known attackswhile the latter builds profiles of nonanomalous behaviors ofcomputer systemrsquos active subjects For example IDIOT [16]


InternetPAN User1 (Auth)

FFD

FFD

FFD

FFD

RFD

RFD RFD RFD

RFD


and STAT [17] use patterns of well-known attacks or weakspots in the system to match and identify known intrusionsThemain advantage ofmisuse IDS is that it can accurately andefficiently detect instances of known attacks The principaldisadvantage is that it lacks the ability to detect the trulyinnovative attacks On the other hand anomaly IDS [18] doesnot require prior knowledge of intrusion and can thus detectnew intrusions But it may not be able to describe what theattack is and may have a high false positive rate

An IDS normally contained four major componentsEvent Monitor Event Database Event Analyzer and Res-ponse Unit [19] The Event Monitor is responsible fordetecting the system or environment actives and convertsthem as some specific formats and store them in the EventDatabase The Event Analyzer retrieves the modeled activesfrom the Event Database and analyzes them in order to detectthe intrusions Once the unusual actives are detected theResponse Unit produces reports to a management station towarn a risk IDS focuses on detecting and preventing theintrusive activities which were not detected by conventionalsystem security mechanisms For some inherited systemsbecause of some historical or economic reasons some pow-erful security mechanisms are hard to be deployed Howeverthe IDS can be used to solve this problem because it needsnothing to change the target system

23 Existing Intrusion Detection Works on IoT NetworksIn recent years along with the development of Internetof Things Intelligent Hardware and Virtual Reality theintrusion detection method under IoT has become a trendin the development of information technology However theresearches on such problem are still in its infancy As IoT canbe thought of as a vast heterogeneous network most of theexisting works began to study the components of IoT to find asuitable intrusion detection method In [1] based on the useof Game Theory Sedjelmaci et al proposed a hybrid intru-sion detection method which mixed the usage of signatureand anomaly ways for IoT intrusion detection By creatingthe game model of intruder and normal user the NashEquilibrium Value was calculated and was used to decidewhen to use the intrusion detection method of anomaly

In [20] J Chen and C Chen proposed a real-time patternmatching system for IoT devices by using the Complex EventProcessing (CEP)The advantage of thismethod is that it usesthe features of the events flows to judge the intrusions whichcan reduce the false alarm rate comparingwith the traditionalintrusion detection methods Although this method willincrease the consumption of system computing resources itcan obviously reduce the feedback delay of the IDS systemIn [7] Nadeem and Howarth summarized the intrusiondetectionmethods forMANET which is one kind of networkstructure of the IoT By analyzing and comparing the attackmethods and detection algorithms of MANET this paperanalyzes the existing CRADS GIDP and other intrusiondetection frameworks for MANET

Although these existing methods can solve the intrusiondetection problems of IoT from different levels a uniformintrusion detection method is still needed to give an entireintrusion view of the IoT networks As what have beenpointed by Gendreau and Moorman in their survey of [10]the research of intrusion detection system for IoT systemshould focus on solving the problems of ldquolacking completeinteroperability between different IoT partsrdquo

3 An Automata Based Intrusion DetectionApproach for IoT Security

In order to give a complete intrusion view for the differentcases of IoT networks a uniform intrusion detection methodis required In this article by using the proposed automatamodel we can project the different cases of IoT to an abstractalgebra space where a uniform security evaluation structurecan be built Meanwhile in the real word of IoT systemby adopting a data collector and analyzing the transmittingpackets the real-time actions flows of the IoTnetworks can beachieved and translated into the formal format of automataThen by comparing the real-time action flows with theanomaly or standard libraries we can detect the intrusionsof IoT quickly and solve the aforementioned problems

31 The Automata Model A finite automata (or finite statemachine) [21] can present the network system with a finite


number of states and transitions where the states representthe current status of the device and the transitions representthe active actions between different states The current statechanges only if it receives the corresponding actions AnInputOutput Labelled Transition System (IOLTS) [22] is aspecial case of automata which emphasizes the input andoutput interactions of the system An IOLTS system canbe presented as a 4-tuple algebra set ⟨119878 119871 119879 1199040⟩ where 119878represents a countable nonempty set of states 119871 representsa countable set of labels 119879 represents the set of transitionrelations 119879 sube 119878 times (119871 cup 120591) times 119878 (here 120591 represents an internalaction of the system that will not be achieved from outside)and 1199040 is the initial state Notice that 119871 contains two subsetsinput label 119871119868 and output label 119871O (119871 Icap119871O = 0 119871 Icup119871O = 119871)If 119904 isin 119878 then we denote In(119904) and Out(119904) to represent the setof input and output labels of state 119904 A transition is denotedas 119904119894

119897997888rarr 119904119895 where 119904119894 119904119895 isin 119878 and 119897 isin 119871 The symbol or representing 119897 is an output label or input label respectivelyIOLTS can be used to describe an interactive system andcan present the system with a graphic view However asthe IoT networks contain multiple components an extensionof IOLTS the Glued-IOLTS [23] is needed to present thenetworked system

In a Glued-IOLTS in order to describe the communica-tion medium between different components a normal state119904 isin 119878 of IOTS(119871) is defined as the following two levels

(i) higher_level state 119904119894_119906 which connects to the envi-ronment or other states of the same component

(ii) lower_level state 119904119894_119897 which connects to the states ofother components

And then the communication medium can be definedby such transition which begins from the lower_level stateof one component and ends with the lower_level of initialstate of another component If we use 119878119894 and 119871 119894 to denotethe states and labels in IOTS(119871 119894) and 119878119895 and 119871119895 to denotethe state and labels in IOTS(119871119895) then if exist119897 isin 119871 119894 exist119904119894 isin 119878119894119897 isin Out(119904119894) and exist119904119895 isin 119878119895 119897 isin 119871119895 119897 isin In(119904119895) The transitionof the common medium between IOTS(119871 119894) and IOTS(119871119895)is presented as 119904119894_119897

119897997888rarr 1199040_119897 We use 119878medium and 119879medium todenote the states and transitions in the medium and we givethe definition of Glued-IOLTS as below

Definition 1 (Glued-IOLTS) A Glued-IOLTS represents a setof IOLTS ⟨119878119894 119871 119894 119879119894 1199041198940⟩ (119894 = 1 119899) and a medium 119872which is still a 4-tuple system ⟨119878glu 119871glu 119879glu 119904glu0⟩ where

(i) 119878glu = ⟨1198781 cup 1198782 cup sdot sdot sdot cup 119878119899 cup 119878119872⟩(ii) 119871glu = ⟨1198711 cup 1198712 cup sdot sdot sdot cup 119871119899⟩(iii) 119904glu0 = ⟨1199041_0 1199042_0 119904119899_0⟩ is the initial state(iv) 119879glu sub 119878glu times 119871glu times 119878glu

119879glu = (1199041 1199042 119904119894 119904119898)120572997888rarr (1199041 1199042 1199041015840119894 119904119898) | (119904119894 120572 1199041015840119894) isin 119879119894 cup 119879119872

119879119872 = (119904119894119897 120583 119904119895119897) | 119894 = 119895 120583 isin Out (119904119894119897) cap In (119904119895119897)

(1)

0

1

2

3

0

1

2

3

0

2

0

1

ask

rpl

cfm

ask

rpl

cfm

initiator responder

ask

cfm

rpl

Figure 4 Glued-IOLTS of NSPK

Example 2 TheNeedham-Shroeder Public Key (NSPK) pro-tocol [24] is an asymmetric cryptography based authenti-cation protocol which defines the handshakes between twoparticipations the initiator 119894 and the responder 119903 The briefprotocol narrations can be presented with the three-messageexchanging as below

Msg 1 (Ask) 119894 rarr 119903 119899119894 119894pk119903

Msg 2 (Rpl) 119903 rarr 119894 119899119894 119899119903pk119894

Msg 3 (Cfm) 119894 rarr 119903 119899119903pk119903

A networked security system implementing the NSPKprotocol can be described and modeled with the Glued-IOLTS and the result is presented in Figure 4

32 Intrusion Detection Approaches of IoT Networks Al-though the proposed automatamodel can be used to describethe communications of an IoT system and can make thecomparison of different subnets of IoT become possibleto adopt this model into an intrusion detection system aset of cooperated devices and some existing approaches arealso needed Just like the general IDS system the proposedautomata based IDS of IoT networks also consist of fourmajor components Event Monitor Event Database EventAnalyzer and Response Unit A general view of the proposedIDS can be presented in Figure 5 In this article althoughthe four components are developed in our system ourdescription will mainly focus on the Event Analyzer andResponse Unit

321 Event Monitor For the purpose of collecting the datatraffics through the IoT network a network collector (thecomponent labelled with C in Figure 5) should be imple-mented on the PAN coordinator or other IoT gateways tomonitor the network traffic Such collector will be embeddedsoftware or hardware to obtain the received and sent packetsthrough the network deviceThe collector needs to record thetransmitting data into digital files and send the files to the IDSEvent Analyzer


PAN

Internet

User

RFD

RFD

RFD

FFD

FFD

C

Standard ProtocolLibrary

Network Structure Learning

Intrusion Detection Phase 1

Action FlowsAbstraction

Abnormal Action Library

Intrusion results


Normal Action Library

Cloud

IDS Event Analyzer

IDS Event Database

IoT network

Figure 5 IDS structure

322 Event Database In our method the network eventis described as the abstract action flows and such networkactions are described with transitions of the proposed Glued-IOLTSmodelThree databases should be implemented in ourIDS Standard Protocol Library Abnormal Action Libraryand Normal Action Libraries are requiredThe Standard Pro-tocol Libraries store the description of the standard protocolsthroughGlued-IOLTSTheNormalAction Libraries store thepossible action flows which are created from the StandardProtocol Libraries The Abnormal Action Libraries store therecognized anomaly actions flows for the systemThese threedatabases should be stored on the cloud and can be visiteddirectly by the Event Analyzer

323 Event Analyzer The IDS Event Analyzer is an impor-tant part of our IDS system It contains three basic modelsNetwork Structure Learning Model Action Flows Abstrac-tion Model and Intrusion Detection Model

(i) Network Structure Learning Model In our method thecollected packet data should be sent to this model first tomake the IDS system get a general view of the networktopologies As the IoT devices can be distinguished with theunique ID by analyzing the collected information of the datapackets such as the source IP destination IP port numbertimestamp and protocol type we can distinguish the IoTdevices from the others For example because the IoT devicesare usually connected to the same IoT gateway the first threefields of the IPv4 address of such devices will be the sameIn this case by counting the frequency of each IPv4 field wecan achieve the IP segment of the IoT devices These uniqueIDs of the IoT devices will be recorded and sent to the ActionFlows Abstraction Model

(ii) Action Flows Abstraction The collected real-time packetsfrom IoT also need to be sent to the Action Flows AbstractionModel Through this model the packets will be allocatedaccording to the device belonging session ID timestampsand protocol types which are recognized through the aidsof Network Structure Learning Model and the StandardProtocol Library Through the information detected thenetwork traffics can be classified into message sequencesHowever if the IoT serves multiple customers differentsessions may happen in parallel which may make the mes-sages become hard to be distinguished In this article weassume that the network connections from different serviceshappen sequently then by using one selected window size119873 by comparing the other detected information such asIP address protocol type and info (see Figure 6) we canallocate the packets to be the message sequence The selectedwindow size119873 relates to the efficiency of the Event AnalyzerThe greater the value of 119873 is selected the more accuratethe sequence detection is But at the same time it alsomeans more memory and computing times consuming Wesuggest 119873 should be considered bigger than the amount ofmessages which happened during one session of the protocolspecification and less than the whole detectedmessages spaceof the Event Monitor

After we can allocate the packets to be message weneed to translate these messages to abstract action flowsTo do this the help from the Standard Protocol Library isneeded From the results of the message allocation togetherwith the protocol type information of each packet we canknow the main protocol type of such selected message Thenafter we get the protocol type of the selected message wecan search for the basic formal action primitives from theStandard Protocol Library And by comparing with the Infoinformation of each packet we can represent the packets


N = 2 sec

Figure 6 Example of selecting119873 = 2 sec

to be the automata primitives Then the abstracted actionsequences can be achieved For example the selectedmessagein Figure 7 can be translated as [FIN ACK ACK + FINACK ACK PSH ACK UPDATE SYN] through theprocesses presented in Figure 7

(iii) Intrusion Detection The result of the Action FlowsAbstraction Model will be the list of automata transitionsequence of the target system Such transition sequences arethen taken as the input to the intrusion verification part Inour method we have two phases of intrusion verification

Intrusion Detection Phase 1 The results of Action FlowsAbstraction Model are used to be checked with an AbnormalAction Library which is stored in the Event Databases Thislibrary is a predefined database that is stored on the cloudnext to the IoT system (Fog Computing [11]) If the transitionsequence matches with the one stored in the AbnormalAction Library we remark such message as an intrusion andoutput it as the result of the intrusion detection system If theinput sequence does not match any stored sequences in theAbnormal Action Library the action flows go to the secondphase of the intrusion detection

Intrusion Detection Phase 2 In the second phase of intrusionan anomaly detection method will be used to check theintrusion In this phase a Normal Action Library will beused to check whether the input transition sequence is anormal one The Normal Action Library is generated fromthe Standard Protocol Library by using the techniques ofFuzzing [25] and Robustness Testing [26] If the comparingresults show that the input sequence is abnormal we takesuch message as a suspected one and ask for a manualverification from the experts to avoid the false positive If thesuspected transition sequence is confirmed as intrusion bythe experts we then record such message into the AbnormalAction Library and use it for the next time of intrusion

detection The method of verifying transition sequences inthe Normal Action Library is to find the walk in the Glued-IOLTS graph of the library During the verification processwe may need to adapt some past transitions into the detectedsequence to complete the walk in Glued-IOLTS for thedetailed algorithm please check [27] After doing this ifthe transition sequence can find the corresponding walk itmeans the detected messages traffics are normal messagesOtherwise message traffic contains some possible attacks tothe system

324 Response Unit The Response Unit produces reports toa management station to warn an intrusion risk to the IoTnetworks In the report the following three types of attacksare going to be classified which correspond to the attackscenarios presented in Section 2

(i) Replay-attack this attack corresponds to the afore-mentioned attack scenario 1 In this kind of attackscenario the attacker can listen the communicationbetween an authenticated user and the IoT devicethen the attacker uses the transition which happenedto attack the system This kind of attacks can bedistinguished by our IDS because the correspondedtransition sequence can not be found in the normallibrary The walk will stop at an inopportune transi-tion and also this transition can be found in the pasttransitions

(ii) Jam-attack this attack corresponds to the aforemen-tioned attack scenario 2 In this kind of attackthe powerful attacker can detect the communicationinformation on the IoT networks and can executeattacks such as DoSDDoS to the corresponding FFDor PAN to block the communication channel In thiscase on our IDS system after translating the collectedmessages into automata transition sequences the


Pro_type=Mode (Item_type)=TCP


ACK ACK SYN SYN FIN FIN PSH PSH ACK+FIN ACK+SYN UPDATE UPDATE

Primitives

[FIN ACK ACK+FIN ACK ACK PSH ACK UPDATE SYN]

Abstract action flow

Glued-IOLTS of TCP Protocol

Search for Glued-IOLTS of TCP Protocol

Collected data

ACK

ACK

ACK ACK

ACK

FIN

FIN

ACK+FIN

ACK+FIN

ACK+FIN

Time out

Time out

ACK+FIN

FIN

FIN

FIN

FIN

ACK

SYN+ACK

SYN+ACK

SYN

SYN

Responder

Initiator

0

0

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9

Figure 7 Example of translating abstract action flow

correspondingwalk can be found in theGlued-IOLTSgraph but the end state of this walkwill not be the endstate of the transitionmachine It is a partial sequenceof Glued-IOLTS

(iii) Fake-attack this attack corresponds to the aforemen-tioned attack scenario 3 In this kind of attack thecompromised IoT devices may modify the transmit-ting message and inject some malicious codes to themessage and send it to the receiver This kind ofattack may contain many strategies of modificationbut here we only consider the modifications whichcauses the changes on the automata primitives (themodel transition label will change) If a sequencecontains the fake-attack the verification cannot findthe corresponding walk in the Glued-IOLTS Butthe fake actions may happen at the transition whichmakes the walk stopped or may happen before

In order to detect those attacks automatically we proposean algorithm in Algorithm 1 The inputs to the algorithm areone of the modeled label sequences (119897ids) which is detected by

the IDS monitors and the glued transition system (119879sys) Firstof all the algorithm searches for the transitions in 119879sys whichhave the same label as the first label of 119897ids and record theresults in a transition list of 119905_temp Then for each transition119905119894 in 119905_temp the algorithm compares the label of the nexttransition of 119905119894 and the next label of 119897ids Remove 119905119894 from119905_temp If the transition with the same label can be foundrecord it in 119905_temp Backup this 119905_temp as 119905_temp_bacRepeat the process until the end of 119897ids or the 119905_temp is emptyDuring the loop the algorithm records the past labels of 119897idsin 119897pass The algorithm will stop if it checks all of the items in119897ids or 119879sys When it stops if it found all labels of 119897ids in 119879syswe go to check the final state of the walk in 119879sys If the finialstate is an ldquoendrdquo state 119897ids is secure Otherwise 119897ids containsjam-attack If the algorithm stops when comparing 119897119899 of 119897idswith result of the 119905_tempbeing empty then for each transition119905119895 in 119905_temp_bac compare the label of the next transitionof 119905119895 and the passed label 119897119894 in 119897pass If 119897119894 is the same as thelabel of the next transition of 119905119895 record the next transitionof 119905119895 in 119905_temp backup 119905_temp to 119905_temp_bac record 119897119894 in119897pass Then compare 119897119899 with the next transitions of 119905_temp


InputLabel Array 119897ids one transition sequence detected by IDSTransition Array 119879sys the transition system of the protocolOutputsecure fake-attack jam-attack replay-attackBeginTransition Array 119905_tempTransition Array 119905_nextLabel Array 119897_passString resultint flag=0 Search 119897ids[0] in 119879sys and record the results in 119905_tempFor each transition 119905119894 in 119905_temp

record the next transition of 119905119894 in 119905_nextrecord 119897ids[0] in 119897_passFor (int 119894 = 1 119894 lt 119897idslength 119894++)flag++If (119905_tempisnotempty)record the next transition of 119905119894 in 119905_next119905_temp_bac=119905_tempremove 119905119894 from 119905_tempSearch 119897ids[119894] in 119905_next and record the results in 119905_temprecord 119897ids[119894] in 119897_pass elseFor each 119897119896 in 119897_passSearch 119897119896 in 119905_next and record the results in 119905_tempIf (119905_tempisnotempty)continue

If (119897ids[119894] in 119897_pass)

result=ldquoreplay-attackrdquoreturn result

elseresult=ldquofake-attackrdquoreturn result

If(flag==119897idslength)If(119905119894nexState()getStatusequals(ldquoendrdquo))result=ldquosecurerdquoreturn result

elseresult=ldquojam-attackrdquoreturn resultresult=ldquosecurerdquo

End

Algorithm 1 Algorithm for intrusion detection

If 119897119899 can be found in the next transition record 119897119899 in 119897pass andmove to the next label of 119897ids Otherwise reconsider the passedlabels until the end of 119897pass If after considering the labels of119897pass 119897119899 still cannot be found in the transition sequence then119897ids must contain some modifications The algorithm returnsldquofake-attackrdquoMeanwhile if 119897pass contains 119897119899 then 119897ids containsa replay and the algorithm returns ldquoreplay-attackrdquo

4 An Experiment over a Tested IoT System

In order to verify the proposed intrusion detection methodwe design a IoT experiment environment like Figure 8In the tested environment we use two Raspberry Pi 3 asthe reduced-function device an Android Phone (HUAWEIMate 9) as a full-function device and a wireless router


typeRADIUSsourcec0 a8 01 84destc0 a8 01 0atime161609data01 00 00 14 74 68 69 73 20 69 73 20 63 6c 69 65 6e 74 20 31categorysendtypeRADIUSsourcec0 a8 01 0adestc0 a8 01 84time161612data0b 00 00 3c 4e 61 73 74 6f 63 6c 69 65 6e 74 63 68 61 6c 6c 12 1e69 6e 70 75 74 20 75 73 65 72 6e 61 6d 65 20 61 6e 64 20 70 61 73 7377 61 72 64 73 18 0a 33 32 37 36 39 34 33 30categoryreceivetypeRADIUSsourcec0 a8 01 84destc0 a8 01 0atime161712data01 00 00 3a 74 68 69 73 20 69 73 20 63 6c 69 65 6e 74 20 31 01 08 7975 6c 6f 6e 67 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 0406 c0 a8 01 84 05 06 00 00 12 0ccategorysend

Box 1 An example of IDS1 records traffics

RFD1 RFD2

FFD

PAN

Server

Figure 8 Experiment IoT networks

(OpenWrt router) to be the IoT gateway (PAN coordinator)The router is connected with a server and on the server weuseMySQL to build three database tables Standard_ProtocolAbnormal_table and Normal_table which are correspond-ing to the three databases in our IDS methods We use portmirroring on the router (a plug-in is needed to be installedon the OpenWrT router) and mirror the packets of WANto the connected server We install Wireshark [28] on theserver side to collect and analyze the forwarded transmittingpackets from IoT gateway In our experiment the RADIUSapplications are taken as the services executed on the testedIoT networks [29] The RADIUS protocol is an applicationlayer protocol which transmits data through UDP traffics Ituses the port number 1812 or 1645 to communicate So whenthe monitor (Wireshark) obtains the IP traffics by checking

the port number of theUDPmessages the RADIUSmessagescan be distinguished

For the simplicity of the experiment we make the FFDsand RFDs only execute the RADIUS applications we installthe FreeRADIUS [30] on the server and the RADIUS client(NTRadPing [31]) on the client side (RFD1 RFD2 and FFD)to construct an experiment environment We take the FFDdevice as an attacker and send the RADIUS requests as weneed Because the IoT gateway mirrored all of the WANports packets to the server the Wireshark can record thesentreceived data of each of the IoT devices analyze themand restore them For better understanding we select severalpackets and write them as the format of Box 1

The IDS Event Analyzer in this experiment is anapplication we developed with Java It can concatenate


Wc1 Wc2 Wc3 Wc4 Wc5 Lc1 Lc2 Lc3 R1 S1

xxxxAc_req_w1

Ac_req_w1Ac_req_n_w1


Ac_accept_n_w1Ac_accept_w1

Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2


Ac_req_n_w2Ac_accept_n_w2


Ac_accept_w2xxxx

xxxxAc_req_n

Ac_req_l1Ac_req_n_l1

helliphellip

Figure 9 Message concatenation

Figure 10 GUI of IDS

the IDS detected messages as sequences model thosemessage sequences and implement our algorithm to detectthe possible intrusion (see Figure 10) As the networktraffics happen sequently the detected traffic data fromdifferent IoT devices may happen as Figure 9 where Wc1Wc2 and Wc3 represented the RFD1 RFD2 and FFDof Figure 9 respectively R1 represents the router and S1

represents the server For example we choose a windowsize of 1 sec and found three modeled message sequencesxxxx Ac_req_w1 Ac_req_w1 Ac_req_w1_n Ac_req_n_w1 Ac_accept_n_w1 Ac_accept_n_w1 Ac_accept_w1Ac_accept_w1 xxxx xxxx Ac_req_w2 Ac_req_w2Ac_req_w2 Ac_req_w2 Ac_req_n_w2 Ac_accept_n_w2 Ac_accept_w2 Ac_accept_w2 xxxx and xxxxAc_req_l1 In this case the first transition sequence is anormal connection sent from the client Wc1 to the serverThe second sequence is a connection from Wc2 to Wc3 (thisis maybe because the Wc3 declares himself as a NAS server)thenWc3 forwards the request of Wc2 to the real server Thissequence contains a replay-attack And the third sequence isnot a complete sequence If the IDS only verifies the signatureof the message it will not find the problem of the secondtransition sequence In our IDS approach we only need tosearch this transition trace in the corresponding reachablegraph which is a nonanomalous profile of the target system

The proposed Java tools will visit the Standard_Protocoltable (the Standard Protocol Library) on MySQL databaseand the nonanomalous profile of RADIUS protocol can bepresented as the Glued-IOLTS of Figure 11 In this selectedexperiment the verified traffics contain two RADIUS ses-sions and after the ldquomessage concatenation and classifica-tionrdquo two different message sequences are obtained (theyare listed in the bottom-left of Figure 11) Then through


Figure 11 IDS verification panel

the algorithm proposed the program can verify the detectedtraffics automaticallyThe verification results of each detectedsequence are presented in the bottom-right of Figure 11(which identified that the first sequence is normal and thesecond sequence contains ldquoreplay-attackrdquo and an alarm willbe triggered when verifying the second message traffics)

5 Advances of the Proposed Method

The proposed intrusion detection method uses automatatransitions to describe the network traffic flows and can mapthe different subnets of IoT to the same algebra space Inthis case different types of IoT such as WSN MANET andZigbee can be described and compared with the same IDSmethod Meanwhile the way of using transition and graphicalso makes the Standard Library Anomaly Action Libraryand Normal Action Library become easy to be implementedHowever because in the process of finding abnormal actionflows the algorithmwe used is a state based algorithm whichmay cause the ldquostate space explosionrdquo problem the complicityof the analyzed system should not be too much high In factas the IoT devices are resources contained the complexity ofthe IoT system is normally simple and our IDS methods willbe fine for the IoT intrusion detection

6 Conclusion

Internet of Things is an important part of the future 5G andthe security of IoT will relate to many important scenariosof the future 5G and has become the core requirement ofthe network development However as the resources of IoTdevices are constrained many security mechanisms are hardto be implemented to protect the security of IoT networksIn this article based on the automata theory we proposeda uniform intrusion detection method for the vast hetero-geneous IoT networks Our method uses an extension ofLabelledTransition Systems to propose a uniformdescriptionof IoT systems and can detect the intrusions by comparing theabstracted actions flowsWe designed the intrusion detectionapproach built the Event Databases and implemented the

Event Analyzer to achieve the IDS approaches The resultof the proposed IDS detects three types of IoT attacksjam-attack false-attack and reply-attack We also design anexperiment environment to verify the proposed IDS methodand examine the attack of RADIUS application in this article

For the future work we plan to continue enrich datetypes in our Standard Protocol Library and to improve thefuzzy method to make the creating of Normal Action Librarybecome more efficient and accurate Another line of ourfuture research is to develop the suitable method to describeand evaluate the contents of the translating packets

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is sponsored by the National Key RampD Program ofChina (Grant 2016YFB0800700) theNSFC (Grants 61602359and 61402354) the China Postdoctoral Science FoundationFunded Project (no 2015M582618) the 111 project (GrantB16037) and the Fundamental Research Funds for the Cen-tral Universities (JB150115 and JB161508)

References

[1] H Sedjelmaci S M Senouci and M Al-Bahri ldquoA lightweightanomaly detection technique for low-resource IoT devicesa game-theoretic methodologyrdquo in Proceedings of the IEEEInternational Conference on Communications (ICC rsquo16) pp 1ndash6IEEE Kuala Lumpur Malaysia May 2016

[2] N Boggs W Wang S Mathur B Coskun and C PincockldquoDiscovery of emergent malicious campaigns in cellular net-worksrdquo in Proceedings of the 29th Annual Computer SecurityApplications Conference (ACSAC rsquo13) pp 29ndash38 New OrleansLa USA December 2013

[3] C XWang X Gao X You et al ldquoCellular architecture and keytechnologies for 5g wireless communication networksrdquo IEEECommunications Magazine vol 5 no 2 pp 122ndash130 2014

[4] B Arrington L Barnett R Rufus and A Esterline ldquoBehavioralmodeling intrusion detection system (BMIDS) using internet ofthings (IoT) behavior-based anomaly detection via immunity-inspired algorithmsrdquo in Proceedings of the 25th InternationalConference onComputer Communication andNetworks (ICCCNrsquo16) pp 1ndash6 Waikoloa Hawaii USA August 2016

[5] A R Baker and J Esler Snort IntrusionDetection andPreventionToolkit AndrewWilliams Norwich NY USA 1st edition 2007

[6] C Liu J Yang Y Zhang R Chen and J Zeng ldquoResearch onimmunitybased intrusion detection technology for the internetof thingsrdquo in Proceedings of the 7th International Conference onNatural Computation (ICNC rsquo11) Shanghai China 2011

[7] A Nadeem and M P Howarth ldquoA survey of manet intrusiondetection amp prevention approaches for network layer attacksrdquoIEEE Communications Surveys and Tutorials vol 15 no 4 pp2027ndash2045 2013

[8] Z Yan R Kantola G Shi and P Zhang ldquoUnwanted contentcontrol via trust management in pervasive social networkingrdquoin Proceedings of the 12th IEEE International Conference on


Trust Security and Privacy in Computing and Communications(TrustCom rsquo13) pp 202ndash209 Melbourne Australia July 2013

[9] C Modi D Patel B Borisaniya H Patel A Patel and MRajarajan ldquoA survey of intrusion detection techniques in cloudrdquoJournal of Network and Computer Applications vol 36 no 1 pp42ndash57 2013

[10] A A Gendreau and M Moorman ldquoSurvey of intrusion detec-tion systems towards an end to end secure internet of thingsrdquo inProceedings of the IEEE 4th International Conference on FutureInternet of Things and Cloud (FiCloud rsquo16) pp 84ndash90 ViennaAustria August 2016

[11] A Rayes and S Samer Internet ofThingsmdashFromHype to RealitySpringer International Publishing Cham Switzerland 2017

[12] Z Hanzalek and P Jurcık ldquoEnergy efficient scheduling forcluster-tree wireless sensor networks with time-bounded dataflows application to IEEE 802154ZigBeerdquo IEEE Transactionson Industrial Informatics vol 6 no 3 pp 438ndash450 2010

[13] J P Anderson ldquoComputer security threat monitoring and sur-veillancerdquo Tech Rep 1980

[14] L T Heberlein ldquoA network security monitorrdquo in Proceedings ofthe IEEE Computer Society Symposium Research in Security andPrivacy pp 296ndash303 Oakland Calif USA 1990

[15] P Garcıa-Teodoro J Dıaz-Verdejo G Macia-Fernandez and EVazquez ldquoAnomaly-based network intrusion detection tech-niques systems and challengesrdquo Computers and Security vol28 no 1-2 pp 18ndash28 2009

[16] S Kumar and EH Spafford ldquoA software architecture to supportmisuse intrusion detectionrdquo in Proceedings of the 18th NationalInformation Security Conference pp 194ndash204 Baltimore MdUSA October 1995

[17] K Ilgun R A Kemmerer and P A Porras ldquoState transitionanalysis a rule-based intrusion detection approachrdquo IEEETransactions on Software Engineering vol 21 no 3 pp 181ndash1991995

[18] T Lunt A Tamaru F Gilham et al ldquoA real-time intrusiondetection expert system (ides)-final technical reportrdquo Techni-cal Report Computer Science Laboratory SRI InternationalMenlo Park Calif USA 1992

[19] S Staniford-Chen B Tung P Porras et al ldquoThe commonintrusion detection framework-data formatsrdquo Internet draftdraft-staniford-cidf-dataformats-00txt 1998

[20] J Chen and C Chen ldquoDesign of complex event-processing IDSin internet of thingsrdquo inProceedings of the 6th International Con-ference on Measuring Technology and Mechatronics Automation(ICMTMA rsquo14) pp 226ndash229 January 2014

[21] D Lee and M Yannakakis ldquoPrinciples and methods of testingfinite statemachinesmdasha surveyrdquo Proceedings of the IEEE vol 84no 8 pp 1090ndash1123 1996

[22] J Tretmans ldquoConformance testing with labelled transition sys-tems implementation relations and test generationrdquo ComputerNetworks vol 29 no 1 pp 49ndash79 1996

[23] Y Fu and O Kone ldquoSecurity and robustness by protocoltestingrdquo IEEE Systems Journal vol 8 no 3 pp 699ndash707 2014

[24] G Lowe ldquoBreaking and fixing the Needham-Schroeder Public-Key Protocol using FDRrdquo in Tools and Algorithms for theConstruction and Analysis of Systems vol 1055 of Lecture Notesin Computer Science pp 147ndash166 Springer Berlin Germany1996

[25] P Tsankov M T Dashti and D Basin ldquoSECFUZZ fuzz-testingsecurity protocolsrdquo in Proceedings of the 7th InternationalWorkshop on Automation of Software Test (AST rsquo12) pp 1ndash7Zurich Switzarland June 2012

[26] B Lei X Li Z Liu CMorisset andV Stolz ldquoRobustness testingfor software componentsrdquo Science of Computer Programmingvol 75 no 10 pp 879ndash897 2010

[27] Y Fu and O Kone ldquoValidation of security protocol implemen-tations from security objectivesrdquo Computers and Security vol36 pp 27ndash39 2013

[28] Wireshark ldquoWireshark network protocol analyzerrdquo 2017 httpwwwwiresharkorg

[29] C Rigney S Willens and A Rubens ldquoRemote authenticationdial in user service (radius)rdquo Tech Rep RFC2865 The InternetSociety Reston Va USA 2000

[30] FreeRADIUS ldquoFreeradius-the worldrsquos most popular radiusserverrdquo 2017 httpfreeradiusorg

[31] mastersoft ldquoNtradping-radius test utilityrdquo 2017 httpwwwmastersoft-groupcom

Submit your manuscripts athttpswwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



feature training usually require many computation resourcessuch methods are hard to be implemented in some cases ofIoT environments

In this article we present an automata based intrusiondetectionmethod for the networks of Internet ofThings Ourmethod uses an extension of Labelled Transition Systems topropose a uniform description of IoT systems and can detectthe intrusions of IoT networks The used automata modelcan describe the combination of heterogeneous networkswith terms and graphs and the proposed IDS structureand algorithm can detect the intrusions by comparing theabstracted actions flows which can solve the aforementionedproblems

Paper Contribution By using automata theory many com-plicated problems can be described and solved In thisarticle we use an extension of Input Output LabelledTransition System to solve the uniform description prob-lem of the heterogeneous IoT networks and proposea corresponding intrusion detection mechanism for IoTnetwork To achieve this purpose a set of proceduresincluding collected data grouping packet data transla-tion anomaly data detection and intrusion classificationare designed and proposed Comparing with the exist-ing methods the benefits of our work can be listed asbelow

(1) To our knowledge this is the first time of usingautomata theory to model and detect the intrusionsof IoT networks By using the proposed automatamethods we can map the IoT system to an abstractspace where a uniform security evaluation structurecan be built

(2) We defined and proposed a set of intrusion detectionmechanisms by using the proposed automatamethod

(3) We developed a GUI tools to automatically analyzeand graphically present the abstract action flows andto detect the possible intrusions

(4) We also analyzed and classified the detected intru-sions and three kinds of attacks including replay-attack jam-attack and fake-attack can be distin-guished in our method

The following sections are organized as below In Sec-tion 2 the background problem description and relatedworks of developing the IDS system over IoT are discussedIn Section 3 the entire approach of the automata basedintrusion detection method will be described In Section 4to illustrate the use of the proposed IDS methods wepresent an example of using the proposed method to ana-lyze a simplified IoT system and the results demonstratethe correctness of our method And finally in Section 5we conclude this work and discuss some possible futureworks

2 Background Problems and Related Works

21 Internet of Things and Its Security

211 Internet of Things IoT is the network of things withclear element identification embedded with software intel-ligence sensors and ubiquitous connectivity to the Internet[11] IoT enables things or objects to exchange informa-tion with the manufacturer operator and other connecteddevices utilizing the telecommunications infrastructure ofthe Internet It allows physical objects to be sensed (byproviding the specific information such as the RFID tags andQR code) and controlled remotely across the Internet IoTwill create opportunities for more direct integration betweenthe physical world and computer-based systems resultingin improved efficiency accuracy and economic benefit forexample monitoring and controlling things by experts suchas telemedicine and searching for things (keys passports)directly that search engines do not provide today

Normally three basic elements should be included by anIoT system the unique identity per thing (eg IP address)the ability to communicate between things (eg wirelesscommunications) and the ability to sense specific informa-tion about the things (sensors) [11]Therefore for an IP basedsystem the IoT gateway is a good solution to form the IoTnetworks The IEEE 80215 Task Group 4 has defined thepersonal area network (PAN) coordinator to take in chargeof the network domain The PAN allocates local addressesand acts as a gateway to other domains or networks [12]IEEE 802154 also defined two types of IoT devices the full-function device (FFD) which implements all of the functionsof the communication stack and allows it to communicatewith any other device in the network and the reduced-function devices (RFDs) which are meant to be extremelysimple devices with very modest resource and communica-tion capabilities Hence RFDs can only communicate withFFDs and can never act as PAN coordinators

212 IoT Security Attacks Considering the specific featuresof IoT networks we found that the following three kindsof attack scenarios likely happen in the real world and areimportant to be studied

(i) Attack Scenario 1 For a given IoT network such as the onepresented in Figure 1 an authorized user User1 may want tocontrol the specific device in the IoT The user needs to usethe IoT networks to find the right device and to communicatewith the device For some security reason the IoT device hasto verify the authentication of User1 During this processa cryptography method is normally needed to verify theauthentication and to protect against the malicious attacksHowever a malicious user User2 may be able to listen thecommunication between User1 and the corresponding IoTdevice User2 may fake himself as User1 and create a replay-attack to the IoT system To solve such problem the RFDmay ask FFD or PAN to help him to verify the authenticationof the user and record the passed IDs of the user A groupauthentication protocol and cryptography functions can helpRFD to protect itself from such kind of attack However



FFD

RFD

RFD

RFD FFD

RFD FFD

FFD RFD

User2 (Hacker)



FFD

RFD RFD RFD

RFD

RFD

FFD

FFD

FFD RFD-i









FFD

FFD

FFD

FFD

RFD

RFD RFD RFD

RFD




















119879glu = (1199041 1199042 119904119894 119904119898)120572997888rarr (1199041 1199042 1199041015840119894 119904119898) | (119904119894 120572 1199041015840119894) isin 119879119894 cup 119879119872

119879119872 = (119904119894119897 120583 119904119895119897) | 119894 = 119895 120583 isin Out (119904119894119897) cap In (119904119895119897)

(1)

0

1

2

3

0

1

2

3

0

2

0

1

ask

rpl

cfm

ask

rpl

cfm

initiator responder

ask

cfm

rpl



Msg 1 (Ask) 119894 rarr 119903 119899119894 119894pk119903

Msg 2 (Rpl) 119903 rarr 119894 119899119894 119899119903pk119894

Msg 3 (Cfm) 119894 rarr 119903 119899119903pk119903





PAN

Internet

User

RFD

RFD

RFD

FFD

FFD

C






Intrusion results



Cloud

IDS Event Analyzer

IDS Event Database

IoT network








N = 2 sec














Primitives





Collected data

ACK

ACK

ACK ACK

ACK

FIN

FIN

ACK+FIN

ACK+FIN

ACK+FIN

Time out

Time out

ACK+FIN

FIN

FIN

FIN

FIN

ACK

SYN+ACK

SYN+ACK

SYN

SYN

Responder

Initiator

0

0

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9









If (119897ids[119894] in 119897_pass)





End








RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in





FFD

RFD

RFD

RFD FFD

RFD FFD

FFD RFD

User2 (Hacker)



FFD

RFD RFD RFD

RFD

RFD

FFD

FFD

FFD RFD-i









FFD

FFD

FFD

FFD

RFD

RFD RFD RFD

RFD




















119879glu = (1199041 1199042 119904119894 119904119898)120572997888rarr (1199041 1199042 1199041015840119894 119904119898) | (119904119894 120572 1199041015840119894) isin 119879119894 cup 119879119872

119879119872 = (119904119894119897 120583 119904119895119897) | 119894 = 119895 120583 isin Out (119904119894119897) cap In (119904119895119897)

(1)

0

1

2

3

0

1

2

3

0

2

0

1

ask

rpl

cfm

ask

rpl

cfm

initiator responder

ask

cfm

rpl



Msg 1 (Ask) 119894 rarr 119903 119899119894 119894pk119903

Msg 2 (Rpl) 119903 rarr 119894 119899119894 119899119903pk119894

Msg 3 (Cfm) 119894 rarr 119903 119899119903pk119903





PAN

Internet

User

RFD

RFD

RFD

FFD

FFD

C






Intrusion results



Cloud

IDS Event Analyzer

IDS Event Database

IoT network








N = 2 sec














Primitives





Collected data

ACK

ACK

ACK ACK

ACK

FIN

FIN

ACK+FIN

ACK+FIN

ACK+FIN

Time out

Time out

ACK+FIN

FIN

FIN

FIN

FIN

ACK

SYN+ACK

SYN+ACK

SYN

SYN

Responder

Initiator

0

0

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9









If (119897ids[119894] in 119897_pass)





End








RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in





FFD

FFD

FFD

FFD

RFD

RFD RFD RFD

RFD




















119879glu = (1199041 1199042 119904119894 119904119898)120572997888rarr (1199041 1199042 1199041015840119894 119904119898) | (119904119894 120572 1199041015840119894) isin 119879119894 cup 119879119872

119879119872 = (119904119894119897 120583 119904119895119897) | 119894 = 119895 120583 isin Out (119904119894119897) cap In (119904119895119897)

(1)

0

1

2

3

0

1

2

3

0

2

0

1

ask

rpl

cfm

ask

rpl

cfm

initiator responder

ask

cfm

rpl



Msg 1 (Ask) 119894 rarr 119903 119899119894 119894pk119903

Msg 2 (Rpl) 119903 rarr 119894 119899119894 119899119903pk119894

Msg 3 (Cfm) 119894 rarr 119903 119899119903pk119903





PAN

Internet

User

RFD

RFD

RFD

FFD

FFD

C






Intrusion results



Cloud

IDS Event Analyzer

IDS Event Database

IoT network








N = 2 sec














Primitives





Collected data

ACK

ACK

ACK ACK

ACK

FIN

FIN

ACK+FIN

ACK+FIN

ACK+FIN

Time out

Time out

ACK+FIN

FIN

FIN

FIN

FIN

ACK

SYN+ACK

SYN+ACK

SYN

SYN

Responder

Initiator

0

0

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9









If (119897ids[119894] in 119897_pass)





End








RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in













119879glu = (1199041 1199042 119904119894 119904119898)120572997888rarr (1199041 1199042 1199041015840119894 119904119898) | (119904119894 120572 1199041015840119894) isin 119879119894 cup 119879119872

119879119872 = (119904119894119897 120583 119904119895119897) | 119894 = 119895 120583 isin Out (119904119894119897) cap In (119904119895119897)

(1)

0

1

2

3

0

1

2

3

0

2

0

1

ask

rpl

cfm

ask

rpl

cfm

initiator responder

ask

cfm

rpl



Msg 1 (Ask) 119894 rarr 119903 119899119894 119894pk119903

Msg 2 (Rpl) 119903 rarr 119894 119899119894 119899119903pk119894

Msg 3 (Cfm) 119894 rarr 119903 119899119903pk119903





PAN

Internet

User

RFD

RFD

RFD

FFD

FFD

C






Intrusion results



Cloud

IDS Event Analyzer

IDS Event Database

IoT network








N = 2 sec














Primitives





Collected data

ACK

ACK

ACK ACK

ACK

FIN

FIN

ACK+FIN

ACK+FIN

ACK+FIN

Time out

Time out

ACK+FIN

FIN

FIN

FIN

FIN

ACK

SYN+ACK

SYN+ACK

SYN

SYN

Responder

Initiator

0

0

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9









If (119897ids[119894] in 119897_pass)





End








RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in




PAN

Internet

User

RFD

RFD

RFD

FFD

FFD

C






Intrusion results



Cloud

IDS Event Analyzer

IDS Event Database

IoT network








N = 2 sec














Primitives





Collected data

ACK

ACK

ACK ACK

ACK

FIN

FIN

ACK+FIN

ACK+FIN

ACK+FIN

Time out

Time out

ACK+FIN

FIN

FIN

FIN

FIN

ACK

SYN+ACK

SYN+ACK

SYN

SYN

Responder

Initiator

0

0

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9









If (119897ids[119894] in 119897_pass)





End








RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in




N = 2 sec














Primitives





Collected data

ACK

ACK

ACK ACK

ACK

FIN

FIN

ACK+FIN

ACK+FIN

ACK+FIN

Time out

Time out

ACK+FIN

FIN

FIN

FIN

FIN

ACK

SYN+ACK

SYN+ACK

SYN

SYN

Responder

Initiator

0

0

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9









If (119897ids[119894] in 119897_pass)





End








RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in







Primitives





Collected data

ACK

ACK

ACK ACK

ACK

FIN

FIN

ACK+FIN

ACK+FIN

ACK+FIN

Time out

Time out

ACK+FIN

FIN

FIN

FIN

FIN

ACK

SYN+ACK

SYN+ACK

SYN

SYN

Responder

Initiator

0

0

1

1

2

2

3

3

4

4

5

5

6

6

7

7

8

8

9

9









If (119897ids[119894] in 119897_pass)





End








RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in






If (119897ids[119894] in 119897_pass)





End








RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in






RFD1 RFD2

FFD

PAN

Server








xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in





xxxxAc_req_w1




Ac_accept_w1xxxx

xxxxAc_req_w2

Ac_req_w2Ac_req_w2




Ac_accept_w2xxxx

xxxxAc_req_n


helliphellip











6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in








6 Conclusion






Acknowledgments


References









































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in



































Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in



an automata based intrusion detection method for internet of ...as “instance cameras,”...

Documents