CRII: OAC: Inferring, Attributing, Mitigating and Analyzing the Malicious Orchestration of Internet-scale Exploited IoT Devices: A Network Telescope Approach

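Basic information

  • Award number:
    1755179
  • Principal investigator:
  • Amount:
    $175,000
  • Host institution:
  • Host institution country:
    United States
  • Project type:
    Standard Grant
  • Fiscal year:
    2018
  • Funding country:
    United States
  • Period:
    2018-03-01 to 2019-11-30
  • Project status:
    Completed

Project abstract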

Despite the benefits provided by the widespread adoption and deployment of diverse Internet-enabled devices such as phones and smart home components in consumer markets and critical infrastructure - the so-called Internet of Things (IoT) devices - security concerns are rising, as such devices also introduce new vulnerabilities that could be leveraged by attackers to launch disrupting cyber-attacks. The objective of this project is to enable exploration of the inherent insecurity of the IoT paradigm by exploring innovative data analytics as applied to raw cyber security data. Insights gained will allow detection, characterization and attribution of Internet-scale compromised IoT devices, coupled with their malicious activities, in near real-time. Several technical challenges impede addressing IoT security at large, including the excessive diversity of IoT devices in addition to their Internet-wide deployment, the lack of IoT-relevant data and the shortage of IoT-specific actionable attack signatures. In this context, this project serves NSF's mission to promote the progress of science by aiming to generate a first-of-a-kind, large-scale analysis of the magnitude of compromised IoT devices. The project also promotes cyber security research and training for minorities, given that it will be executed within the boundaries of a designated Hispanic-serving institution. Moreover, the project will contribute to operational cyber security by developing a real-time capability for storing and sharing IoT-relevant threat information.

The project will draw upon macroscopic, large-scale passive measurement data collected in real-time from a network telescope to highlight the severity of the insecurity of the IoT paradigm. Network telescopes, most commonly known as darknets, constitute a set of routable, allocated yet unused IP addresses. The project will design and develop real-time algorithms that are capable of inferring Internet-scale exploited IoT devices by exploring darknet data. Furthermore, the project will investigate formal correlation approaches rooted in stochastic data structures between IoT-relevant passive measurements and malware samples to aid in the attribution and thus the remediation objective. The project will further explore the orchestration behavior of seemingly independent IoT activities, which operate within well-coordinated IoT botnets. To this end, the project will innovate time series analytics based upon trigonometric interpolation techniques, recursive optimal stochastic estimators, and bitmap matching algorithms to infer such IoT botnets by employing passive measurements. The project will also (1) develop a unique cyberinfrastructure for IoT cyber threat indexing by automating the proposed algorithms, techniques and methods, (2) generate IoT-specific signatures by employing piecewise hashing techniques, and (3) create access methods based on an API mechanism and a front-end service facilitated by Elasticsearch to allow the sharing of IoT-centric empirical data, threat intelligence and signatures.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Project outcomes

Journal articles (6)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Theoretic derivations of scan detection operating on darknet traffic
  • DOI:
  • Publication date:
    2019-01
  • Journal:
  • Impact factor:
    6
  • Authors:
    Safaei Pour, Morteza;Bou
  • Corresponding author:
    Bou
A first empirical look on internet-scale exploitations of IoT devices
  • DOI:
    10.1109/pimrc.2017.8292628
  • Publication date:
    2017-10
  • Journal:
  • Impact factor:
    0
  • Authors:
    Galluscio, Mario;Neshenko, Nataliia;Bou;Huang, Yongliang;Ghani, Nasir;Crichigno, Jorge;Kaddoum, Georges
  • Corresponding author:
    Kaddoum, Georges
Implications of Theoretic Derivations on Empirical Passive Measurements for Effective Cyber Threat Intelligence Generation
Inferring, Characterizing, and Investigating Internet-Scale Malicious IoT Device Activities: A Network Telescope Perspective
Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-scale IoT Exploitations

Other grants by Elias Bou-Harb

Collaborative Research: CyberTraining: Implementation: Medium: Cross-Disciplinary Training for Joint Cyber-Physical Systems and IoT Security
  • Award number:
    2230086
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Continuing Grant
Collaborative Research: CyberTraining: Implementation: Medium: Cross-Disciplinary Training for Joint Cyber-Physical Systems and IoT Security
  • Award number:
    2404946
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Continuing Grant
OAC Core: Data-driven Methods and Techniques For Protecting Research and Critical Cyberinfrastructure By Characterizing and Defending Against Ransomware
  • Award number:
    2348719
  • Fiscal year:
    2023
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
OAC Core: Data-driven Methods and Techniques For Protecting Research and Critical Cyberinfrastructure By Characterizing and Defending Against Ransomware
  • Award number:
    2104273
  • Fiscal year:
    2021
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
OAC Core: Small: Devising Data-driven Methodologies by Employing Large-scale Empirical Data to Fingerprint, Attribute, Remediate and Analyze Internet-scale IoT Maliciousness
  • Award number:
    1907821
  • Fiscal year:
    2019
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
CRII: OAC: Inferring, Attributing, Mitigating and Analyzing the Malicious Orchestration of Internet-scale Exploited IoT Devices: A Network Telescope Approach
  • Award number:
    1953050
  • Fiscal year:
    2019
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant

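Similar NSFC grants

Molecular basis by which Z8-12:OH and Z8-14:OAc respectively maintain the sex attractant specificity of the oriental fruit moth and the plum fruit moth
  • Award number:
  • Approval year:
    2021
  • Funding amount:
    350,000 yuan
  • Project type:
    Regional Science Fund Project
Study of the photoisomerization reaction mechanism of the nitrosyl ruthenium complex [Ru(OAc)(2mqn)2NO]
  • Award number:
    21603131
  • Approval year:
    2016
  • Funding amount:
    190,000 yuan
  • Project type:
    Young Scientists Fund Project
Study of Mn(OAc)3-promoted radical cascade reactions under mechanochemical conditions
  • Award number:
    21242013
  • Approval year:
    2012
  • Funding amount:
    100,000 yuan
  • Project type:
    Special Fund Project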

Similar overseas grants

Collaborative Research: OAC Core: Distributed Graph Learning Cyberinfrastructure for Large-scale Spatiotemporal Prediction
  • Award number:
    2403313
  • Fiscal year:
    2024
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: OAC Core: Large-Scale Spatial Machine Learning for 3D Surface Topology in Hydrological Applications
  • Award number:
    2414185
  • Fiscal year:
    2024
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
OAC Core: Cost-Adaptive Monitoring and Real-Time Tuning at Function-Level
  • Award number:
    2402542
  • Fiscal year:
    2024
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: OAC Core: CropDL - Scheduling and Checkpoint/Restart Support for Deep Learning Applications on HPC Clusters
  • Award number:
    2403088
  • Fiscal year:
    2024
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant
Collaborative Research: OAC Core: CropDL - Scheduling and Checkpoint/Restart Support for Deep Learning Applications on HPC Clusters
  • Award number:
    2403090
  • Fiscal year:
    2024
  • Funding amount:
    $175,000
  • Project type:
    Standard Grant