CNS Core: Small: BehavIoT: Modeling and Controlling Internet of Things Behavior Using Netowork-Inferred State Machines

CNS 核心：小型：BehavIoT：使用网络推断状态机建模和控制物联网行为

• 批准号: 1909020
• 负责人: David Choffnes
• 金额: $ 49.86万
• 依托单位: Northeastern University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2022-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1909020&HistoricalAwards=false
• 关键词: CNS; Core; Small; BehavIoT; Modeling

An increasing number of smart interconnected objects, known as the Internet of Things (IoT), are becoming affordable, popular, and rich in functionality. While these devices enabled a wide range of societal benefits including health, safety, accessibility and sustainability, they also present important security, privacy, and management challenges due to the large set of diverse services they offer. The fundamental problem that opens the door to such behavior is that IoT systems are traditionally closed systems that provide consumers and investigators with little-to-no information about whether a device (or set of devices) is behaving in ways that might violate expectations such as privacy, security, and correctness. To address this problem, this project will investigate how to automatically determine when IoT systems compromise privacy, security and correctness, and how to mitigate such problems. The key idea is to focus on information gleaned from the network traffic that such devices generate, since network traffic is the common platform that all such IoT systems ultimately rely upon. Specifically, the project will develop technology that models the behavior of an IoT system from its network traffic, then use these models to identify unexpected behavior. To mitigate unexpected behavior, the project will identify in-network strategies such as isolating, changing, and/or blocking such traffic. By understanding and modeling device behavior and addressing unexpected behavior from IoT devices, this project has the potential to improve safety and security for users. Further, by raising awareness of new and existing threats, our proposed work can encourage device manufacturers to improve the privacy, security, and correctness of their deployments.The goal of this project is to explore the extent to which network-inferred behavioral analysis of IoT deployments, combined with control over the network traffic they generate, can identify and mitigate misbehavior in IoT systems. Our key insight is that IoT devices are particularly amenable to state-machine analysis, as they tend to have a limited set of functionality (i.e., states such as "camera recording", "microphone listening", etc.) that is triggered by a limited set of events. To address the fact that one cannot rely on source code to build such models via static analysis, this project will instead treat IoT devices as black boxes and inferring state-machine models that describe their behavior using the one externally observable signal all IoT devices generate: net- work traffic. After building such inferred state machines (and their transition probabilities), the project will analyze their evolution over time to identify misbehaviors -- when a device transitions between states in unexpected or unwanted ways (e.g., due to compromise, data exfiltration, or misconfiguration). To provide coverage of a wide range of misbehaviors, the project will (i) detect behaviors that never before encountered by relying on unsupervised classification techniques; (ii) consider the behavior of the system as a whole by combining in our model the behavior of individual IoT devices, thus capturing the cause of any emergent global system behavior; (iii) produce a system-wide behavior model that is easy to understand and analyze in practice, such as a state machine in which states represents changes in the behavior of individual IoT devices, and transitions show temporal dependencies expressed as probabilities. Finally, the project will employ middleboxes to actually use state machine models as a way to protect a whole IoT system from both individual and global misbehavior. An advantage to this approach is that it is naturally platform-independent by relying on the common denominator in IoT systems, i.e., Internet traffic; further, an in-network solution can be immediately deployed (e.g., in a home or enterprise gateway) for broad impact.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

越来越多的智能互联对象（称为物联网 (IoT)）变得价格实惠、流行且功能丰富。虽然这些设备带来了广泛的社会效益，包括健康、安全、可访问性和可持续性，但由于它们提供大量多样化的服务，它们也带来了重要的安全、隐私和管理挑战。导致此类行为的根本问题是，物联网系统传统上是封闭的系统，它向消费者和调查人员提供很少甚至没有关于设备（或一组设备）的行为方式是否可能违反预期的信息，例如隐私、安全性和正确性。为了解决这个问题，该项目将研究如何自动确定物联网系统何时损害隐私、安全性和正确性，以及如何缓解此类问题。关键思想是关注从此类设备生成的网络流量中收集的信息，因为网络流量是所有此类物联网系统最终依赖的通用平台。具体来说，该项目将开发技术，根据物联网系统的网络流量对物联网系统的行为进行建模，然后使用这些模型来识别意外行为。为了减少意外行为，该项目将确定网络内策略，例如隔离、更改和/或阻止此类流量。通过理解和建模设备行为以及解决物联网设备的意外行为，该项目有可能提高用户的安全性。此外，通过提高对新威胁和现有威胁的认识，我们提出的工作可以鼓励设备制造商提高其部署的隐私性、安全性和正确性。该项目的目标是探索物联网网络推断行为分析的程度部署与对其生成的网络流量的控制相结合，可以识别并减少物联网系统中的不当行为。我们的主要见解是，物联网设备特别适合状态机分析，因为它们往往具有一组有限的功能（即“摄像头录音”、“麦克风监听”等状态），这些功能是由有限的事件集。为了解决无法依靠源代码通过静态分析构建此类模型的事实，该项目将把物联网设备视为黑匣子，并使用所有物联网设备生成的一个外部可观察信号来推断状态机模型来描述其行为：网络流量。在构建此类推断的状态机（及其转换概率）后，该项目将分析其随时间的演变，以识别不当行为——当设备以意外或不需要的方式在状态之间转换时（例如，由于妥协、数据泄露或配置错误） 。为了覆盖广泛的不当行为，该项目将 (i) 依靠无监督分类技术检测以前从未遇到过的行为； (ii) 通过在我们的模型中结合各个物联网设备的行为来考虑整个系统的行为，从而捕获任何突发的全局系统行为的原因； (iii) 生成一个在实践中易于理解和分析的系统范围的行为模型，例如状态机，其中状态表示各个物联网设备行为的变化，而转换则显示以概率表示的时间依赖性。最后，该项目将采用中间盒来实际使用状态机模型，作为保护整个物联网系统免受个人和全球不当行为影响的一种方式。 这种方法的一个优点是，它依赖于物联网系统的共同点，即互联网流量，自然而然地独立于平台；此外，网络内解决方案可以立即部署（例如，在家庭或企业网关中）以产生广泛影响。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic

FlowPrint：加密网络流量的半监督移动应用指纹识别

• DOI: 10.14722/ndss.2020.24412
• 发表时间: 2020-02-24
• 期刊: Proceedings 2020 Network and Distributed System Security Symposium
• 作者: T. V. Ede;Riccardo Bortolameotti;Andrea Continella;Jingjing Ren;Daniel J. Dubois;Martina Lindorfer;D. Ch
• 通讯作者: D. Ch

Blocking Without Breaking: Identification and Mitigation of Non-Essential IoT Traffic

阻塞而不中断：非必要物联网流量的识别和缓解

• DOI: 10.2478/popets-2021-0075
• 发表时间: 2021-07
• 期刊: Proceedings on Privacy Enhancing Technologies
• 作者: Mandalari, Anna Maria;Dubois, Daniel J.;Kolcun, Roman;Paracha, Muhammad Talha;Haddadi, Hamed;Choffnes, David
• 通讯作者: Choffnes, David

IoTLS: understanding TLS usage in consumer IoT devices

IoTLS：了解消费者物联网设备中的 TLS 使用情况

• DOI: 10.1145/3487552.3487830
• 发表时间: 2021-11-02
• 期刊: Proceedings of the 21st ACM Internet Measurement Conference
• 作者: Muhammad Talha Paracha;Daniel J. Dubois;Narseo Vallina;D. Choffnes
• 通讯作者: D. Choffnes

A Haystack Full of Needles: Scalable Detection of IoT Devices in the Wild

大海捞针：野外物联网设备的可扩展检测

• DOI: 10.1145/3419394.3423650
• 发表时间: 2020-09-03
• 期刊: Proceedings of the ACM Internet Measurement Conference
• 作者: Said Jawad Saidi;A. M;alari;alari;Roman Kolcun;H. Haddadi;Daniel J. Dubois;D. Choffnes;Georgios Smaragdakis;A. Feldmann
• 通讯作者: A. Feldmann

Detecting consumer IoT devices through the lens of an ISP

通过 ISP 的视角检测消费者物联网设备

• DOI: 10.1145/3472305.3472885
• 发表时间: 2021-01
• 期刊: ANRW '21: Proceedings of the Applied Networking Research Workshop
• 作者: Saidi, Said Jawad;Mandalari, Anna Maria;Haddadi, Hamed;Dubois, Daniel J.;Choffnes, David;Smaragdakis, Georgios;Feldmann, Anja
• 通讯作者: Feldmann, Anja