IoT development continues and we need a security solution that “learns” along with it –

IoT development continues and we need a security solution that "learns" along with it - Cybersecurity

The Internet of Things has not yet reached cruising speed. But, in all this excitement, users and manufacturers have bought or invested in it with enthusiasm, without really taking security into account. The story is unfortunately known.

We are still at the beginning of our understanding of IoT: what we want to do with it, what level of confidentiality to expect, where to place regulatory limits and how to secure it. We do not yet have all the answers to these questions and getting them is a race against time.

The stake goes beyond simple data theft. Attackers can now leverage the functionality of IoT to develop their crimes.

Problems have arisen with robotic vacuums that scan the architecture of the house to determine the area to be cleaned. It would be a nice feature if they weren’t using a combination user name password by default, which allows any enemy to turn the device into a remote spy device. This is just one example among many. In recent research by Kumar et al. “All things considered: an analysis of IoT devices on home networks”, the researchers identified that in 11 different geographic locations and in a population distributed in 15.5 million households, there were 83 million IoT devices.

The graph below shows the distribution of the various types of IoT devices for each geographic region studied.

A screenshot of a cell phone

Description automatically generated

Source: Kumar, Deepak et al. “All things considered: an analysis of IoT devices on home networks”. 28th Security Symposium {USENIX} ({USENIX} Security 19). 2019.

It seems like people are waking up to these threats. Regional and national regulations are appearing all over the world. California law SB-327 came into effect on January 1, 2020. It requires manufacturers to address the common problem of default passwords by requiring that connected devices have unique passwords that can be changed by users. The Japanese government is also planning to regulate the IoT. The UK government has recently implemented a certification system that will label devices that meet the Secure By Design standard. This move could make security a competitive differentiator when businesses and individuals purchase IoT devices. The Finnish government recently announced that it would adopt similar measures. It also appears that market forces will now help control the security of the IoT.

It will probably take some time before you feel the full power of this regulation. Let us hope that the sector takes responsible measures and continues to strengthen the security of IoT devices. Perhaps we should be asking ourselves how to eliminate these inevitable vulnerabilities from our worries?

We are still figuring out what to expect from IoT. What data will we let him collect and with what level of autonomy will he be able to use the data collected? It’s from this perspective that it makes sense to adopt safety practices that can learn and grow with him.

Artificial intelligence could help. With AI we are starting not only to stop threats, but to anticipate them. In the case of IoT, we can build technologies that, in addition to detecting malicious and infected IoT devices within a given network, will be able to accurately predict which devices will be malicious in the future or in danger of compromise. The table below ranks the IoT security methods based on machine learning.

AttacksSecurity techniquesMachine learning techniquesPerformances
DDoSSafe unloading of IoTC access control Artificial neural networkMultivariate correlation analysisQ-learningDetection accuracy Root mean error
InterferenceSecure IoT downloadQ-learning DQN Energy consumption SINR
SpoofingAuthenticationQ-learningDyna-QSVMDNNDistributedFrank-WolfeAggregate incremental gradient Average error rate Detection accuracy Classification accuracy False alarm rate Missed detection rate
IntrusionAccess controlSupport vector machine Naive BayesK-NN Artificial neural network Classification accuracy False alarm rate Detection rate Root mean error
MalwareMalware detection Access controlQ / Dyna-Q / PDS Decision tree forest K-nearest neighbors Classification accuracy False positive rate True positive rate Detection accuracy Detection latency
Illegal listeningAuthenticationQ-learning Non parametric Bayesian Proximity rate Confidential data rate

Source: Xiao, Liang and others “IoT security techniques based on machine learning” (2018).

By collecting data from various devices acquired over time, it is possible to identify patterns. All of the factors that contribute to device vulnerability – legacy operating systems, default passwords, vulnerable libraries, lack of authentication, encryption, and signature – can be assessed. These factors alone do not guarantee that a device will be compromised, but with the amount of data collected over time, we can predict that it is likely that this device will be attacked.

This is certainly what the attackers thought. When Mirai struck in 2016, he brought down a large DNS service provider, Rutgers University and even an entire country in Liberia with DDoS attacks that overshadowed the invasive power of all that had previously been recorded. This record has been achieved by connecting an army of fragile IP cameras and home routers together in some of the most powerful botnets ever. This was done with the rather paltry method of guessing the password of targeted devices from a tiny library of commonly used information. Once the device was enslaved, other equally vulnerable devices were searched nearby.

Such devices are easy prey for a cybercriminal. A study by the SANS Institute in 2017 shows that two minutes are enough for a device to be attacked, once connected to the Internet.

In order for an AI engine derived from machine learning algorithms to learn what will or will not be malicious, large amounts of data will have to be acquired over time. AI will literally have to learn with the development of IoT. As we solve old problems and develop new ones, AI will learn from its use.

The attention of professionals should be focused on the development of AI-based approaches, pattern recognition and classification of the consumption of network data that analyze the behavior of different IoT devices in different environments.

When it comes to IoT, as with any technology, we need to keep evolving our thinking around security. One aspect to look at is AI.

By Avesta Hojjati, Head of R&D at DigiCert.

IoT development continues and we need a security solution that "learns" along with it -
Rate article